• Marina Krumbholz, Director |
  • Chris Corless, Senior Manager |
5 min read

Just as World War II accelerated the production line methods of the industrial revolution, so too has COVID-19 accelerated our use of technology in business. Automated processes, cloud computing and artificial intelligence have become de rigueur across industries - not only for customer facing channels, but in business processes too.

Automation will change the way finance and risk functions support the business – faster, leaner and more accurate.  Unsurprisingly, digital transformation tops the agenda for many CFOs and CROs as we cautiously emerge from the pandemic and businesses seek competitive advantage and to accommodate a more agile workforce. 

The automation of controls

As automation accelerates, controls cannot afford to be left behind. Many companies report that controls have already become a burden, particularly those in highly regulated industries. In the absence of a strategy to manage, optimise and rationalise controls, we often see ever increasing volumes of controls come into scope and eventually they are seen as purely a compliance measure.

We hear all the time that the way to fix this is to “automate processes and controls”, especially in the context of the broader strategy to digitise. But a bottom up automation approach isn’t enough to implement an efficient, resilient and scalable controls frameworks, nor to maximise efficiency gains.

Another common refrain, often from the risk community or from SOx teams is that automation should be centred on reducing manual effort when testing controls.  And whilst this is an important part of automation, it is not the whole story. More benefits and value can be realised if automation is also implemented  in the design of the processes themselves. For example, if a manual detective control, such as a maker checker control, can be transformed into an automated preventative control, such as a system configuration, this both reduces risk and reduces cost.

So, the key to successful automation is threefold:

  1. Being clear on what you are automating and why. A strategy is needed to cover the whole lifecycle:  from automation of controls themselves (A and B in the table below) to automation of monitoring and oversight programmes over controls (C and D in the table below)
  2. There is no point automating controls if the process is poorly designed! Controls automation should be part of broader process rationalisation, redesign and transformation programmes.
  3. Selecting the right areas to automate - selecting low-risk controls which are performed infrequently or which will be replaced won’t give bang for the buck

 

Control Lifecycle

A) Identifying Controls

B) Operating Controls  

C) Monitoring Controls

D) Testing Controls

Current approach

Performed via manual risk management processes including surveys, interviews, top-down self-assessment.

Controls designed as a bolt-on to the processes and mostly manually operated via reconciliation, spreadsheets and emails.

Controls manually monitored or on an ‘wait to see’ basis.

Control assessment manually performed with evidence collated into a report.

Current pain points

Reactive and unable to keep pace with dynamic changes in risk, highly subjective with potential blind spots and errors in judgement.

Controls are often designed unable to prevent risks from occurring and require intensive effort and cost and are prone to manual error.

Too slow in detecting failures, duplication of effort across the three lines of defence and seen as disruptive.

Labour intensive, high cost, risk of manual error, fragmented reporting and dwindling relationships with key stakeholders.

How automation can help

Re-designed processes which utilise the enterprise wide architecture more comprehensively or which utilise new platforms (eg replacing EUCs with systems based controls)

 

Dynamic Risk Assessment tools to scan the horizon and provide a holistic view of enterprise risks.

 

Process Mining tools to identify and quantify hidden or underestimated risks using a data-based approached.

 

 


A “control-by-design” approach – building upfront automated preventative controls into digital processes rather than relying on manual detective (after the event) controls, particularly for high risk or high cost controls.

Continuous Control Monitoring (CCM) solutions check the integrity of systems and controls and provide real-time reporting.

 

Use of RPA to automatically monitor systems against set policies and controls.

 

Automation combined with Artificial Intelligent, can go beyond the “if this, do that” logic and continually learn and develop.

Where controls cannot be automated or CCM implemented – use bots to automate controls testing based on predefined key performance indictors and risk indicators.

 

Integration with Governance, Risk & Compliance (GRC) systems to insightful and timely reporting on risk and control.

Getting alignment on how to automate

To get the best outcomes Finance, IT, Risk and the business owners all need to collaborate to achieve the optimal design – this is often culturally challenging. 

With UK SOx on the near horizon, more collaboration will be needed across these functions and across the three lines of defence:

Line

Benefit of a collaborative end-to-end approach and automation

First line - process owners and control operation

  • Less time, effort and cost operating controls and managing risks and more focus on value-add activities (rather than basic administrative tasks and data and evidence collation to support control testing). 

 

  • Real-time data which enables real-time risk management so that risks can be responded to in a timely manner.

 

  • Less time spent on manual time intensive risk reporting and more time spent doing their day job.

 

  • Ability to more effectively deliver UK SOx

Second line – risk management and control oversight

  • Increased reliance on Continuous Controls Monitoring (CCM) solutions to drive timeliness, consistency, predictability and reliability.

 

  • More reliance can be placed on the first line of defence meaning that control testers of today could become the business analysts and solution architects of tomorrow which increases their business value.

 

  • Better insights of end-to-end risk through integration of data sources and self-service reporting (emails, spreadsheets and manual reports are becoming obsolete).

 

  • Reduced regulatory risk.

Third line – risk and control assurance

  • Increased focus on strategic and emerging risks.

 

  • Increased testing coverage (from limited samples to full populations) to provide more complete and accurate assurance.

 

  • Less time, effort and cost re-testing controls given a ‘test of one’ approach can be utilised for automation controls (rather than large manual samples). This could also apply to external audits.

 

This integrated approach breaks down silos and provides a clear end-to-end view of risks across organisations – from Finance to IT, Tax, Cyber, HR, Supply Chain, ESG, third parties and other key areas. This in turn leads to improvements in customer outcomes, business outcomes and enterprise resilience and security.

If you’d like to understand more about why control automation is a no brainer, please read our blog.

For further information on how we can help please refer to the Controls Transformation Homepage.