Part 1 in a two-part series.
Warren Buffett famously observed, “It takes 20 years to build a reputation and 5 minutes to ruin it.”
This was a lesson learned the hard way during the 2017 Academy Awards when the Best Film Oscar was inadvertently presented to the wrong production team. While the error was quickly discovered, the ensuing press coverage was immensely embarrassing for all concerned.
“This was a classic example of a manual control failure,” says Kevin McCollom, global solution owner for SAP governance, risk, and compliance (GRC) solutions.
Along with the reputational hit, manual control failures can hurt an organization’s ability to meet financial obligations, comply with laws and regulations, and maintain operational performance. Financial control problems are particularly worrisome for public companies since they can undermine the confidence of stockholders and potential investors.
Susan Stapleton, vice president of the customer advisory office at Greenlight Technologies, a provider of automated risk management solutions, says failures suggest a material weakness in financial reporting and invite scrutiny from external auditors.
“Deficiencies could cause you to be a headline in the news,” she says. “On top of that, company valuations often drop an average of 15 percent and as much as 20 percent overnight. Your audit fees can also increase as much as 65 percent.”
Letting the fox control risk
Most organizations rely on manual controls to mitigate risk. This approach is problematic since people sometimes fail to follow process steps or to apply the controls each time they are required.
“You have to execute those controls,” McCollom says. “Not doing so is the kind of negligence that will end up in the headlines of the Wall Street Journal.”
Organizations can help to mitigate risk and human misbehavior by adopting a culture of risk management. “It starts with tone at the top,” Toni M. Lastella, ERP solutions managing director at Protiviti, Inc., a global consulting firm, says. “Senior leadership must impart a control-conscious way of thinking.”
Organizations also need automated monitoring running in the background and serving up exceptions that can be easily reviewed by the organization’s CFO and other financial managers. Without automated monitoring, Stapleton says control often becomes the fox guarding the hen house.
“What we have found is that the folks who are responsible for control are also the ones committing fraud,” she says. “When you don’t have centralized oversight where everyone can see the activity, these folks can do a lot of damage to a company.”
Getting ahead of critical risk
Ramping up a risk monitoring and control strategy requires time and effort and an investment in specialized technology. To avoid losses, organizations need to assess their exposure proactively rather than waiting for issues to surface or be uncovered by external auditors.
“You don’t need to know the ‘how’ of fraud or lack of control,” Lastella says. “But you need to know where the exposures might be.”
To gain those insights, organizations must take the initiative and implement preventative and detective controls. They can accelerate this process by partnering with external auditors and internal control consultants who have experience with risk mitigation and control automation. Not taking these steps increases risk and delays the hard work of building a control-conscious workforce.
“If you fail an audit, it is all hands on deck,” Stapleton says. “Then you are paying for this issue through the next two or three audit cycles. If you are a company of any size, your material weakness is also going to make the headlines.”
Leveraging purpose-built technology
Automated controls and continuous monitoring are essential for mitigating risk and improving financial reporting, McCollom says. By gaining an in-depth understanding of these issues and investing in appropriate technologies, organizations can plan for risk mitigation when introducing new product programs or entering new markets.
“You can jump way out in front of that competitor because you have anticipated risk and you have mitigation plans in place,” he says. “You have built risk management into your budget and processes and have the controls and continuous monitoring to keep the business on track with that strategic objective.”
Organizations need automation and a calculated approach to controlling risk because they cannot monitor everything. Balancing these needs and objectives is necessary to ensure resilience in today’s volatile financial markets. An enterprise-wide risk assessment is usually a good starting point for this type of initiative.
Interested in learning more? Watch the Facebook video or listen to the SAPRadio show: “Financial Impact of Risk: Don’t Become That Bad Headline.”