Part 2 of a 2-part series. Read Part 1.
Risk may be an inherent part of running a business, but recent corporate meltdowns suggest that many organizations are still failing to tame it and use it to their advantage. “Even companies with controls in place fail,” said Kevin McCollom, group vice president of solution management, governance, risk, and compliance, at SAP. “They documented their controls copiously and showed their auditors all the right stuff, but they weren’t doing enough. Their processes were still manual and done intermittently – which is like having no controls at all.”
Kevin’s observation was one of many insights provided during a “Coffee Break with Game Changers Radio” episode presented by SAP on May 2, 2017, and produced and moderated by Bonnie D. Graham (follow on Twitter: @SAPRadio and #SAPRadio). He was featured along with Susan Stapleton, vice president of the customer advisory office at Greenlight, and Toni Lastella, managing director of ERP solutions at Protiviti Inc., to discuss how businesses can mature their understanding of the origins of risk to control and mitigate it proactively.
Maturing controls through automation and people
In certain industries and organizations, decision makers are starting to ask the right questions, but they are only scratching the surface. According to Toni, “They might not know how to elaborate or work with what they see from other experiences. But they’re starting to ask questions that can help them pinpoint exposures and where they are happening.”
However, the ability to determine the root cause of such situations is even harder to achieve. Toni added that proper controls start at the top and filter down to lower-level management. “Most management teams don’t have visibility into what’s going on in the organization, forcing them to address issues after the fact,” she remarked.
Susan agreed with Toni’s assessment, further elaborating on the vulnerability of manual controls. “A business can have best-of-breed manual processes that are documented end to end, but it really only takes a couple of people who ‘forget’ to perform those controls for internal fraud to happen across several months or years,” she warned. The company may lose millions without any insight into those fraudulent activities.
With automated controls, organizations can enable continuous monitoring and create a holistic process around risk mitigation. “Because financials cannot be tightened so much that exceptions don’t happen, it’s critical to identify, quantify, and control them. Businesses absolutely need to consider automating – or even continuously monitoring – those controls,” Kevin advised.
Exceptions and vulnerabilities still happen; automated controls can help prevent them
Based on her experience working with enterprises worldwide that are managing operational controls, Susan illustrated the advantage of centralized oversight: “When everyone can see what’s happening, the people who are supposed to perform the controls know that they are responsible. Automated solutions help companies manage compliance and manage their risk in an automated way to provide the transparency that the business needs to run a fast-moving operation.”
If decision makers understand those risks and plan in advance, controls can be established to help ensure that the business stays on target. Kevin commented that it is impossible to anticipate risks with “me too” moves. If executives can visualize, for example, the geopolitical risks of investing in a new market, new concept, or new product introduction, they have a “greater chance of succeeding than a competitor that makes a knee-jerk reaction.”
Toni also underscored the need for a risk-based approach to continuously monitor every aspect of the environment. She noted, “It’s imperative to perform enterprise-wide risk assessment and take a deeper dive into IT risks. Organizations can then manage a high-risk model that can be monitored on a continuous basis and empower strategic planning for exceptions and vulnerabilities.”
Predictions: Will businesses finally take a proactive approach to mitigating risk?
Considering the current pace of innovation, it’s possible that automation of financial controls and risk mitigation could be within reach for all organizations. But does this mean that they will finally avoid the wrong front-page headlines?
Looking forward to the technological innovations that are emerging, Toni foresaw some exciting changes. For example, biometrics, as an addition to fingerprinting, will soon authenticate veins in our hands to support dual password settings. “There are intersections and ways that companies can use such innovations to deliver a foundation for reliable financial reporting and processes to minimize fraud,” she said.
With all of this innovation, Kevin predicted that risk mitigation will become a critical factor in achieving business growth. “The inevitability of digital transformation will help more companies jump into the leader category as they treat risk mitigation like performance management. With the insurance that risk is mitigated appropriately, they will accelerate their strategy to achieve market leadership,” he said.
Susan forecast that business success will depend on “running lean and mean.” As a result, people will wear multiple hats, which can introduce risk. “Organizations that automate manual processes are going to win,” she added. “When people are not doing tedious manual controls, they are more focused on running the company better operationally and financially.”
Listen to the SAP Radio show “Financial Impact of Risk: Don’t Become That Bad Headline!” on demand.