- Point of view
Controllership: Five pillars for a safe global enterprise
Expanding far and wide can be risky business. Adopt these five elements to strengthen controllership for a safe global enterprise.
Business leaders need an end-to-end view of enterprise risk. But with compliance ownership shared across many functions, senior executives often settle for incomplete insights. A Global Controls Hub (GCH) can provide a single source of truth by embedding five key elements – including an integrated framework, digital technology, and visualization – to generate insights and empower a new era of controllership.
Large companies are expanding operations into emerging markets. But these countries can present greater risks if their controllership oversight and compliance regimes are weak. Meanwhile, regulators are extending their reach. To date, from about 150 prosecutions, businesses have paid nearly $10 billion in penalties for not complying with bribery regulations, including those of the US Foreign Corrupt Practices Act and the UK Anti-Bribery Act.
Corporations are also getting hit for billions of dollars for bad third-party risk management (TPRM), such as when poor supply chain practices or questionable partners come to light. The wrong associates can lead to information security lapses, deceptive selling, environmental health and safety violations, or the use of child labor.
To make effective decisions in this environment, business leaders need a comprehensive understanding of—and visibility into—enterprise-level risks. But because many functions share ownership of compliance—legal, controllership, internal audit, procurement, finance, and IT, for example—companies struggle. They struggle to get an integrated or complete view of risks in near real-time.
Enterprises often look to the corporate internal controls function to maintain operational effectiveness, reliable reporting, and compliance. Too often, however, internal controls has poor access to consistent transaction data. Disparate processes and systems across geographies and business units hamper the work, too. And even when this data is available, the teams may not have the technology, advanced analytics, or skills for generating insights.
When addressing these challenges, leadership wants common practices across the organization. And it wants those practices supported by an integrated internal controls framework, a comprehensive risk library, and advanced analytics. The control team can’t add value, make informed, forward-looking decisions, or manage risks effectively if it can’t generate insights by managing large volumes of risk data. That wastes resources and undermines competitiveness.
Recognizing the need for an integrated controls framework is a good first step, but it won't take you too far. Why? Because many organizations have non-standardized business records, processes, systems, and controllership activities.
As we've pointed out, many functions, such as legal, compliance and others, own processes that generate risk data. But these teams have different objectives and use different formats and approaches to meet audit, reporting, and compliance requirements. It complicates matters even further when companies make changes to their organization.
Overcoming these challenges can be daunting. Some companies try to implement and monitor internal controls with applications they have on hand using existing ERP platforms or standalone global risk and compliance systems. But these systems are large, hard to customize, and difficult to use at scale. These solutions also often involve work-arounds to deal with localization and business-specific issues, making customization even harder. The roll-out process can be time-consuming, too.
The result is an array of techniques that don’t deliver a single source of the truth. For example, a company might use separate platforms—or even Excel—for SOX compliance, TPRM, or internal audits. That might work for individual needs, but these approaches duplicate effort, aren’t collaborative, and don’t identify exceptions or inconsistencies. So companies don’t address end-to-end risks effectively with reliable, robust risk management across functions and geographies. And the time it takes for internal controls and external auditors to sort this out costs a lot of money.
Establishing a single source of the truth can resolve these issues, but it’s difficult to deliver. The good news: Powerful, new digital technologies can help. They can support decision-making with sophisticated data analytics, rapid process automation, and smart workflow.
An effective approach to standardizing and integrating internal controls is to create a Global Controls Hub (GCH). Delivered through a technology platform it has embedded analytics and workflow, with a dashboard offering advanced visualization for customizable controls. In this way it offers a consolidated, end-to-end view of risks so companies can assess, monitor, and demonstrate operational and financial reporting controls. The hub also monitors other areas of compliance, such as segregation of duties, anti-bribery, anti-corruption, and third-party risk.
Establishing a GCH requires five key elements (figure 1):
Technology and process go hand in hand. Cloud computing, machine learning, intelligent automation, and advanced analytics all play a growing role in managing internal controls through a GCH.
Cloud-based systems of engagement optimize efficiency by integrating with existing systems and interfaces to pull together data and provide results. Advanced analytics are also transforming risk management with real-time insights that improve decision-making
Figure 1: Five key elements to establishing a global controls hub
A process framework is equally important, because every risk has a potential control. Systems must reliably match controls with risks, people, and skills. You can redesign control organizations by adapting roles and responsibilities to leverage technology and make human effort more productive. Digital technologies play a major role in pulling this together.
A global, integrated approach to internal controls can have solid impact on controllership. Here are some of the ways:
A GCH delivers this impact with the technology, advanced analytics, and skills that generate insights. Decision-makers have access to critical information through tailored visual interfaces that shine a spotlight on exceptions for rapid management responses. All this is consistent across the enterprise, enabling a new era of controllership.
The challenge: Streamline risk monitoring and cut out redundancies
After a series of mergers and acquisitions, a leading global consumer goods company had a fragmented control framework that focused only on Sarbanes-Oxley compliance and did not address end-to-end risks effectively. A decentralized internal controls team duplicated effort between the control monitoring and management functions. The result was costly control monitoring and little awareness of internal controls. The company recognized the need to realign its global internal controls environment to match its expanded risk profile.
Our solution: Lean DigitalSM for risk management
Lean Digital combines design-thinking methods and Lean principles to reimagine business outcomes. Using this approach, the company realized its vision to create a best-in-class risk management and control function. A center of excellence allows the company to extend internal controls beyond auditing. Business teams can now proactively identify and manage risks.
The impact: Reduced risks, better insights, happy auditors—and savings
Today, the company enjoys standardized processes, a risk and controls taxonomy, enhanced control automation, and a rationalized, riskbased controls testing regime. All this delivers faster and better insights for decision-making. In addition, external auditors have greater confidence in work from the GCH. The consumer packaged goods giant has greater risk assurance coverage and learns quickly about risk and control failures so it can take timely, corrective action. What’s more, it has saved nearly 50% on the overall cost of controllership.