Just as World War II accelerated the production line methods of the industrial revolution, so too has COVID-19 accelerated our use of technology in business. Automated processes, cloud computing and artificial intelligence have become de rigueur across industries - not only for customer-facing channels, but in business processes too.
Automation will change the way finance and risk functions support the business, making that support faster, leaner and more accurate. Unsurprisingly, digital transformation tops the agenda for many CFOs and CROs as we cautiously emerge from the pandemic and businesses seek competitive advantage and look to accommodate a more agile workforce.
The automation of controls
As automation accelerates, controls cannot afford to be left behind. Many companies report that controls have already become a burden, particularly those in highly regulated industries. In the absence of a strategy to manage, optimise and rationalise controls, we often see ever-increasing volumes of controls come into scope, and eventually they are seen as purely a compliance measure.
We hear all the time that the way to fix this is to “automate processes and controls”, especially in the context of the broader strategy to digitise. But a bottom-up automation approach isn’t enough to implement an efficient, resilient and scalable controls framework, nor to maximise efficiency gains.
Another common refrain, often from the risk community or from SOx teams, is that automation should be centred on reducing manual effort when testing controls. Whilst this is an important part of automation, it is not the whole story. More benefits and value can be realised if automation is also implemented in the design of the processes themselves. For example, if a manual detective control, such as a maker-checker control, can be transformed into an automated preventative control, such as a system configuration, this both reduces risk and reduces cost.
So, the key to successful automation is threefold:
- Being clear on what you are automating and why. A strategy is needed to cover the whole lifecycle: from automation of controls themselves (A and B in the table below) to automation of monitoring and oversight programmes over controls (C and D in the table below).
- Fixing the process as well as the control. There is no point automating controls if the process is poorly designed! Controls automation should be part of broader process rationalisation, redesign and transformation programmes.
- Selecting the right areas to automate. Selecting low-risk controls which are performed infrequently or which will be replaced won’t give bang for the buck.
| Control Lifecycle | A) Identifying Controls | B) Operating Controls | C) Monitoring Controls | D) Testing Controls |
| --- | --- | --- | --- | --- |
| Current approach | Performed via manual risk management processes including surveys, interviews and top-down self-assessment. | Controls designed as a bolt-on to the processes and mostly manually operated via reconciliation, spreadsheets and emails. | Controls manually monitored or on a ‘wait to see’ basis. | Control assessment manually performed with evidence collated into a report. |
| Current pain points | Reactive and unable to keep pace with dynamic changes in risk, highly subjective with potential blind spots and errors in judgement. | Controls are often designed in a way that cannot prevent risks from occurring, require intensive effort and cost, and are prone to manual error. | Too slow in detecting failures, duplication of effort across the three lines of defence and seen as disruptive. | Labour intensive, high cost, risk of manual error, fragmented reporting and dwindling relationships with key stakeholders. |
| How automation can help | Re-designed processes which utilise the enterprise-wide architecture more comprehensively or which utilise new platforms (e.g. replacing EUCs with systems-based controls). Dynamic Risk Assessment tools to scan the horizon and provide a holistic view of enterprise risks. Process Mining tools to identify and quantify hidden or underestimated risks using a data-based approach. | | Continuous Control Monitoring (CCM) solutions check the integrity of systems and controls and provide real-time reporting. Use of RPA to automatically monitor systems against set policies and controls. Automation combined with Artificial Intelligence can go beyond the “if this, do that” logic and continually learn and develop. | Where controls cannot be automated or CCM implemented, use bots to automate controls testing based on predefined key performance indicators and risk indicators. Integration with Governance, Risk & Compliance (GRC) systems to provide insightful and timely reporting on risk and control. |
Getting alignment on how to automate
To get the best outcomes, Finance, IT, Risk and the business owners all need to collaborate to achieve the optimal design – this is often culturally challenging.
With UK SOx on the near horizon, more collaboration will be needed across these functions and across the three lines of defence:
| Line | Benefit of a collaborative end-to-end approach and automation |
| --- | --- |
| First line – process owners and control operation | |
| Second line – risk management and control oversight | |
| Third line – risk and control assurance | |
This integrated approach breaks down silos and provides a clear end-to-end view of risks across organisations – from Finance to IT, Tax, Cyber, HR, Supply Chain, ESG, third parties and other key areas. This in turn leads to improvements in customer outcomes, business outcomes and enterprise resilience and security.
If you’d like to understand more about why control automation is a no-brainer, please read our blog.
For further information on how we can help please refer to the Controls Transformation Homepage.