Controllership: Five pillars for a safe global enterprise

Business leaders need an end-to-end view of enterprise risk. But with compliance ownership shared across many functions, senior executives often settle for incomplete insights. A Global Controls Hub (GCH) can provide a single source of truth by embedding five key elements – including an integrated framework, digital technology, and visualization – to generate insights and empower a new era of controllership.

Large companies are expanding operations into emerging markets. But these countries can present greater risks if their controllership oversight and compliance regimes are weak. Meanwhile, regulators are extending their reach. To date, from about 150 prosecutions, businesses have paid nearly $10 billion in penalties for not complying with bribery regulations, including those of the US Foreign Corrupt Practices Act and the UK Anti-Bribery Act.

Corporations are also getting hit for billions of dollars for bad third-party risk management (TPRM), such as when poor supply chain practices or questionable partners come to light. The wrong associates can lead to information security lapses, deceptive selling, environmental health and safety violations, or the use of child labor.

To make effective decisions in this environment, business leaders need a comprehensive understanding of—and visibility into—enterprise-level risks. But because many functions share ownership of compliance—legal, controllership, internal audit, procurement, finance, and IT, for example—companies struggle. They struggle to get an integrated or complete view of risks in near real-time.

Enterprises often look to the corporate internal controls function to maintain operational effectiveness, reliable reporting, and compliance. Too often, however, internal controls has poor access to consistent transaction data. Disparate processes and systems across geographies and business units hamper the work, too. And even when this data is available, the teams may not have the technology, advanced analytics, or skills for generating insights.

When addressing these challenges, leadership wants common practices across the organization. And it wants those practices supported by an integrated internal controls framework, a comprehensive risk library, and advanced analytics. The control team can’t add value, make informed, forward-looking decisions, or manage risks effectively if it can’t generate insights by managing large volumes of risk data. That wastes resources and undermines competitiveness.

Recognizing the need for an integrated controls framework is a good first step, but it won't take you too far. Why? Because many organizations have non-standardized business records, processes, systems, and controllership activities.

As we've pointed out, many functions, such as legal, compliance and others, own processes that generate risk data. But these teams have different objectives and use different formats and approaches to meet audit, reporting, and compliance requirements. It complicates matters even further when companies make changes to their organization.

Overcoming these challenges can be daunting. Some companies try to implement and monitor internal controls with applications they have on hand using existing ERP platforms or standalone global risk and compliance systems. But these systems are large, hard to customize, and difficult to use at scale. These solutions also often involve work-arounds to deal with localization and business-specific issues, making customization even harder. The roll-out process can be time-consuming, too.

The result is an array of techniques that don’t deliver a single source of the truth. For example, a company might use separate platforms—or even Excel—for SOX compliance, TPRM, or internal audits. That might work for individual needs, but these approaches duplicate effort, aren’t collaborative, and don’t identify exceptions or inconsistencies. So companies don’t address end-to-end risks effectively with reliable, robust risk management across functions and geographies. And the time it takes for internal controls and external auditors to sort this out costs a lot of money.

Establishing a single source of the truth can resolve these issues, but it’s difficult to deliver. The good news: Powerful, new digital technologies can help. They can support decision-making with sophisticated data analytics, rapid process automation, and smart workflow.

An effective approach to standardizing and integrating internal controls is to create a Global Controls Hub (GCH). Delivered through a technology platform it has embedded analytics and workflow, with a dashboard offering advanced visualization for customizable controls. In this way it offers a consolidated, end-to-end view of risks so companies can assess, monitor, and demonstrate operational and financial reporting controls. The hub also monitors other areas of compliance, such as segregation of duties, anti-bribery, anti-corruption, and third-party risk.

Establishing a GCH requires five key elements (figure 1):

1. An integrated control framework: To get a holistic perspective, you need to define and create a common risk and controls taxonomy for the control organization that covers financial, operational, and compliance risks. With the right policies, procedures, guidelines, and governance model in place, one team of validators can provide relevant information to auditors and compliance specialists. Currently, however, few companies are in a position to achieve this.
2. An inventory of data sources: A systematic inventory identifies what data to digitize, standardize, and centralize—regardless of its source. You can then optimize this data to create an integrated data lake that’s easy to access in a structured way.
3. The right mix of technology and skills: In addition to controllership specialists, essential resources include expertise in data science to optimize, standardize, and centralize data. Business and technical proficiency help organizations understand the relevance of data and relationships among datasets. Skilled people can also design algorithms to reliably detect irregular patterns. Business knowledge and analytical capabilities are key to interpreting the results, identifying issues, and planning responses. And machine learning can eliminate redundant activities, expedite repetitive tasks, and reduce false exceptions.
4. Visualization to enable actionable findings: Internal controls stakeholders such as CFOs, compliance officers, CPOs, and internal auditors all have specific needs. That calls for tailored front-end visualization services that presents information to support different types of decision-making and quick action. The platform allows users to slice and dice data to meet specific needs. But, just as importantly, it also provides the leadership team with a global view— and transaction-level detail—in a couple of clicks.
5. Process and control integrity index: By adopting a GCH, organizations can increase the overall integrity and reliability of controllership processes. They can do this by mapping and comparing the results of monitoring activities for inconsistencies across Sarbanes-Oxley, control analytics, control self-assessments (CSA), and anti-bribery and fraud controls. For example, through algorithms on control taxonomy tags, firms can compare the response from a control owner in the CSA program against the results from internal control analytics or the SOX team to see if results are consistent.

Technology and process go hand in hand. Cloud computing, machine learning, intelligent automation, and advanced analytics all play a growing role in managing internal controls through a GCH.

Cloud-based systems of engagement optimize efficiency by integrating with existing systems and interfaces to pull together data and provide results. Advanced analytics are also transforming risk management with real-time insights that improve decision-making

Figure 1: Five key elements to establishing a global controls hub

A process framework is equally important, because every risk has a potential control. Systems must reliably match controls with risks, people, and skills. You can redesign control organizations by adapting roles and responsibilities to leverage technology and make human effort more productive. Digital technologies play a major role in pulling this together.

A global, integrated approach to internal controls can have solid impact on controllership. Here are some of the ways:

• Reduced risk exposure through more systematic identification of exceptions that need management intervention
• Better governance and transparency across the board through near real-time data analytics and metrics presented on dynamic dashboards. These provide actionable insights
• A more robust control environment because firms can collaborate with internal controls, internal audit, and process excellence teams to track key issues globally and resolve root causes
• Reduced controllership costs of 25% to 30% from automation, advanced analytics, and the elimination of redundancies
• Savings of at least 10% of external audit costs because high-quality automation cuts the need for auditors to do tests manually

A GCH delivers this impact with the technology, advanced analytics, and skills that generate insights. Decision-makers have access to critical information through tailored visual interfaces that shine a spotlight on exceptions for rapid management responses. All this is consistent across the enterprise, enabling a new era of controllership.

The challenge: Streamline risk monitoring and cut out redundancies

After a series of mergers and acquisitions, a leading global consumer goods company had a fragmented control framework that focused only on Sarbanes-Oxley compliance and did not address end-to-end risks effectively. A decentralized internal controls team duplicated effort between the control monitoring and management functions. The result was costly control monitoring and little awareness of internal controls. The company recognized the need to realign its global internal controls environment to match its expanded risk profile.

Our solution: Lean Digital^SM for risk management

Lean Digital combines design-thinking methods and Lean principles to reimagine business outcomes. Using this approach, the company realized its vision to create a best-in-class risk management and control function. A center of excellence allows the company to extend internal controls beyond auditing. Business teams can now proactively identify and manage risks.

The impact: Reduced risks, better insights, happy auditors—and savings

Today, the company enjoys standardized processes, a risk and controls taxonomy, enhanced control automation, and a rationalized, riskbased controls testing regime. All this delivers faster and better insights for decision-making. In addition, external auditors have greater confidence in work from the GCH. The consumer packaged goods giant has greater risk assurance coverage and learns quickly about risk and control failures so it can take timely, corrective action. What’s more, it has saved nearly 50% on the overall cost of controllership.