Shifting Controls To The Right Of Launch

Bruce McCuaig

I recently blogged about “shifting GRC to the left of launch,” focusing on the need to predict and manage extreme risks before they occur. But a strong case can be made for managing infrequent or lower-level risks in mature business processes using a “right of launch” strategy.

The current paradigm for managing controls seems to call for controls focused on prevention of risk events, even inconsequential ones. The very definition of control effectiveness seems to suggest a left of launch paradigm. I would even venture that COSO’s control frameworks* seem to be based on a left of launch control philosophy and may stifle technological innovation (but that’s another blog).

There are reasons for a left of launch control paradigm, but it’s time for a second look.

Many risk events today could be managed very effectively from the right of launch. Controls using GRC tools built into a strong digital core can be structured very differently to permit this. Let’s compare a traditional approach with a right of launch scenario.

Reimagining procure to pay

Two recent but unrelated events offered a sharp contrast in how the procure-to-pay (P2P) process is managed in different environments.

  • Traditional P2P. Recently, I messed up in hiring a vendor to provide some services for a recent SAP GRC Insider conference. The contract was for less than $2,000, but I didn’t get the proper approvals in advance and found myself dealing with three or four people in our procure-to-pay team to set things right. It took several weeks and many phone calls and e-mails.
  • P2P for merchant reimbursement for credit/debit card transactions. A few weeks ago, I received a call from my credit card provider alerting me to a purchase transaction. Someone pretending to be me and using my credentials was making a credit card purchase in a distant city. My bank correctly predicted that it was a fraudulent transaction and blocked it even before speaking with me.

Comparing “left of launch” to “right of launch” in P2P

If I had to guess, I would estimate that most P2P processes (heavily loaded with numerous documents, segregation of duties, approvals, and other controls) cost businesses about 3%-5% of the transaction value. Even more, they inhibit spending and slow down the spending process enormously. That can be a problem. Businesses spend to make money. Spending quickly should mean benefiting quickly.

But banks and credit card companies also run a P2P process for reimbursing merchants for consumer purchases. The volumes are huge in both value and transactions, but the P2P process seems much simpler. Here is a simplified comparison.

Predictive controls to enable “right of launch”

Credit card companies have placed the key controls after the purchase transaction, not before the transaction. The sheer volume of credit card and debit card transactions make SOWs, POs, and invoices impossible. Technology today allows after-the-fact predictive controls. Banks and credit card companies shift some of the risk to the merchants and perhaps a little risk to customers. But speeding transactions is critical.

Even the credit card approval process is streamlined. Cards are preapproved and customers notified.

Why is streamlining procurement important?

I believe the multiple controls, documentation, and approvals in typical P2P processes are a significant but hidden cost. But there is more to it than that.

In most companies, a substantial amount of general ledger postings are driven from the P2P process. Financial statements are driven from payment information. Delays in processing payments leads to the need for accruals and inaccurate, delayed financial reporting. Companies that know their costs and have accurate, up-to-date financial information can make better decisions.

Even worse, I believe accountability for left of launch controls is seldom with the owner of the process. I believe right of launch controls would align better with management accountability.

I know there is a fear of fraud, and certainly the merchant reimbursement process is susceptible to fraud. The difference is that instead of slowing down the process and incurring costs to prevent fraud and error, they detect them after the fact.

What technologies exist to support predictive controls?

Technology exists today to continuously monitor controls to ensure that both vendors and customers are properly authorized and configured. But what makes a right of launch approach possible are powerful tools that monitor controls, and detect anomalous patterns in high volumes of transactions along with predictive capabilities, machine learning, and audit capabilities. It is feasible to detect, assess, and stop a bad transaction before it is completed.

I walked into a store a few weeks ago and qualified for a $10,000 bank-issued credit card by showing ID and providing a phone number. I didn’t need or want the card, but it shows that by using powerful right of launch instead of left of launch tools and capabilities, merchants and credit card providers can grow their business even faster. How can we harness this capability in our businesses?

Who is doing this now?

My knowledge of P2P processes, as well as credit and debit card processing, is from a consumer perspective. I am certain others have already thought this through and have probably even tested changes in the P2P process.

But I do know a little about GRC, and I do know that control practices in businesses seem to rely heavily on preventing fraud or error. The power of GRC tools and SAP S/4HANA should allow massive streamlining and rethinking of many business processes. Preventive controls may be useful in some situations. But if it’s possible to detect and block fraud or errors after the fact at the speed of light, it makes sense to do so.

Looking forward

Today’s technology combined with a right of launch control strategy has significant implications. I would argue that embedded in the COSO internal control frameworks, and certainly in Sarbanes Oxley, is a left of launch control paradigm. That needs to change. Extreme risks need to be managed with a left of launch approach, as I described in my earlier blog. But risks and compliance in mature business processes can now be managed effectively with a right of launch strategy.

Has COSO recognized the power of technology?

*Committee of Sponsoring Organizations of the Treadway Commission, developing frameworks and guidance on enterprise risk management, internal controls, and fraud deterrence.

Learn how organizations are gaining instant financial insights and using them to make better decisions—both now and in the future. Register now for the 2017 Financial Excellence Forum, Oct. 10-11 in New York City.

This article, Shifting Controls to the Right of Launch, originally appeared in the SAP BusinessObjects Analytics blog and is republished by permission.

Follow SAP Finance online: @SAPFinance (Twitter)  | LinkedIn | FacebookYouTube


Bruce McCuaig

About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.