Modern companies face a serious conundrum when it comes to growth and risk. The wider the market opportunities, the more regulatory regimes must be mastered. Increasingly sophisticated technologies are being countered by ever-more-clever fraudsters. Sticking to the conventional combination of on-site reviews, periodic audits and local policy can put a company at serious competitive disadvantage. Much better compliance and coverage are being achieved at much lower cost by companies that incorporate remote monitoring and related analytics into their operating models for risk assessment and management.
A clear, end-to-end view of each material process across the enterprise is crucial to understanding current risk levels and how to mitigate them. Without it, executives cannot see where risk lies or how decisions made for one function or location will impact the rest of the business.
The quality of internal and external data is crucial for sound risk assessment and subsequent decision-making. Timely, accurate data requires the right technologies to obtain it, the appropriate operating model to manage it, and detailed analytics to properly assess and use it.
Remote monitoring and analytics capabilities offer powerful countermeasures to threats. Enterprises today can track every part of their operations in real-time to spot fraud, noncompliance, bottlenecks and information gaps, and then correct deficiencies quickly and appropriately. Well-targeted technologies and an effective operating model provide the means to institute an analytics program that drives greater compliance, visibility and productivity.
Better Risk Management Begins with Better Technologies
New technologies enable companies to monitor and continuously assess more than they ever imagined. Excellent strategies for improving risk management tools include:
• Leveraging collaborative technologies such as Webex, dashboards and risk modeling.
• Using tools for mining, analyzing and presenting data to create actionable business intelligence. These can be deployed for the same—or less—cost than most current risk management programs.
• Partnering with an experienced provider to leverage the partner’s broader experience with global risk models in various environments, geographies and industries. Partners can also ensure that the right technologies are deployed along with comprehensive, standardized policies, deeper analytics capabilities and experienced staff.
These strategies can help reduce resource requirements while simultaneously providing the business with mechanisms to continuously assess risk and the company’s own efforts to mitigate it. One U.S.-based business with a turnover of more than $20 billion performs controllership reviews for nearly 50 countries using a remote controllership team, with less than 10% needed for on-site travel by team members from the global controller’s organization.
Continuous Compliance Comes from Effective Operating Models
For all their advantages, new tools alone are not enough. Complying to the vast web of regulations worldwide requires a controllership framework that provides coverage across the entire organization. Maximizing technological capabilities requires a more effective target operating model to ensure ongoing compliance with the new processes and policies.
The best way to obtain the necessary end-to-end view of current operations and policies is through:
• Industrialized operations and an agile, global target operating model;
• Standardized processes;
• A unified delivery structure that allows the company to easily spot and mitigate changing regulatory and other risks in smaller markets as well as in the company’s perceived “top ten.”
The new model must address four lines of defense that all have distinct roles in the overall effort and must be taken into account when building a comprehensive program. These are:
1. Process owners
3. Internal audit teams
4. External audits
The components of the most effective risk management models work together to address each player’s needs.
Industrialized processes: These cut across business lines and operational silos and clearly show how each process impacts the rest. This in turn highlights each player’s needs as well as the processes, data and technologies that both create and mitigate risk. It also provides the deep process understanding necessary to identify which policies are working, where improvements should be made, what metrics can be tracked to ensure compliance, and which technologies will best support new, more effective processes.
Standardization: Ideally, the new tools will support standardized workflows and rule-based governance and control structures. These will enforce global standards and drive ongoing compliance with internal policies as well as external regulatory requirements.
Real-time risk assessment and reporting: Remote monitoring provides continuous access to real-time data across the enterprise and enables:
• Automated or specialized reporting for assessing the effectiveness of risk management efforts in all locations;
• Detailed analytics that can spot performance gaps and behavioral trends, flag fraud and missed deadlines, and identify the proper intervention points for effective action;
• More frequent audits, overcoming the problem of quarterly or yearly audits that can allow risk to grow unseen in between;
• Lower risk of the new policies losing their effectiveness and leaving companies battling the same problems alongside new ones that arise as the business grows.
One major U.S. conglomerate with revenues of more than $150 billion achieved markedly enhanced assurance coverage by building state-of-the-art audit analytics. The program supports all the company’s distinct business lines as well as some of its regulatory compliance needs.
Analytics Drive Visibility, Productivity and Compliance
With the proper technologies and operating structures in place, the enterprise is now prepared to reap the benefits of continuous remote monitoring.
Visibility: Platform-agnostic analytics tools capable of pulling data from all of the company’s disparate legacy systems worldwide provide continuous control and transaction monitoring that gives CXOs visibility into global operations in near real-time.
Productivity: The scripts that drive analysis operate 24/7 across the entire universe of data available to the enterprise, increasing coverage and reducing controls gaps.
Compliance: Regulators are not driven by materiality, being more focused on evidence of fraud, corruption and non-compliance. Good, rule-based analytics scripts not only spot deficiencies faster, but also reduce false positives requiring human intervention because the rules for acceptable deviations have been well established.
Evolving Risks Require a New Approach
Quarterly risk assessments and on-site audits can no longer keep increasing regulations and fast-evolving fraudsters at bay. The new technologies that remotely monitor and mitigate risk enable continuous coverage of a broader scope of operations and at a lower cost than before. CFOs should reevaluate their current risk management mechanisms and consider leveraging an experienced partner when performing initial risk assessments, choosing tools, and building new target operating models. An unbiased view of current operations and policies is crucial to building an effective model going forward—one that not only ensures the business is keeping up with changing risks, but that prevents backsliding into non-compliance and a false sense of security.
Assessing risk is only the first step toward protecting the business. Remote monitoring lets companies continuously find—and mitigate—risk before it impacts the bottom line.
Subhashis Nath is the global senior partner for corporate governance and controllership & solutioning at Axis Risk Consulting, a 100% subsidiary of Genpact. He has over 20 years of experience advising large global corporations, including Fortune 500 companies, regarding enterprise, operational and regulatory risk management, principally across the manufacturing, services and consumer goods sectors.