Operational Controls in scope for controls opinion; unwelcome surprise or huge opportunity?
BEIS announced its plans for internal control requirements for public interest entities (the evolution of the UK SOx proposals) at the end of May. Whilst previously the mooted preferred scope of UK SOx was financial reporting internal controls, this latest response paper has clarified that it will also cover operational controls and compliance systems. Whilst there will be further consultation, there is a very clear intent to increase the scope of internal controls, including an expectation of an explicit statement from the Board giving their opinion on the effectiveness of the internal control systems (financial, operational and compliance) and the basis for that assessment.
Are operational controls fit for purpose?
Operational controls have developed linked to operational risks. The risk side has typically had more focus from regulators and boards and our industry experience has shown that operational controls are often less mature than financial controls. Many businesses have lost control of their controls – with some organisations having thousands of controls, often manual and sometimes duplicative - and the cost of control has spiralled. Often an iterative, siloed and ad-hoc tactical approach has been taken to tackle this and controls have been layered on top of controls in response to new risks, regulations, and technology changes.
This means that current operational control frameworks are complex, inefficient, and ineffective.
Added to this has been the perceived overlap with financial controls frameworks and sometimes “doubling up” on documentation, systems and testing across frameworks.
Unsurprisingly, the inclusion of operational controls in an effectiveness opinion has sparked strong feelings in the market, because there are many more of them and they are less likely to be well documented, properly monitored and tested.
So, what is the opportunity?
Ownership of the operational risk framework often sits in the second line risk function, while the controls themselves are run by operational teams, many of whom are far removed from financial reporting activity. Yet many of those controls directly impact financial and non-financial reporting. This shift in tone highlights that linkage and gives the Board an impetus to drive conversations across the business about setting common standards. This is a real opportunity to align finance and risk objectives, frameworks, approaches, compliance mechanisms and assurance approaches to deliver a more standardised and streamlined enterprise-wide controls framework that the Board can stand behind.
No regrets actions
Whilst we await the full details, this has cast light on an area we know is challenging, and it should act as a catalyst for those no regrets actions in controls transformation:
- Optimise – ensuring the right controls link to the right risks, in the right way, breaking down silos, removing duplication and redundancy, and improving the design of controls (such as more preventive and fewer detective controls) to enhance Operational Resilience. Our experience has shown that significant benefits can be achieved through optimisation alone (up to 50% time and effort savings), which provides an in-year return on investment and unlocks resources and investment for future technology focused phases.
- Automate – seeking opportunities to automate the operation, monitoring and testing of controls to reduce risk and cost, by leveraging existing technology solutions or other technologies including Robotic Process Automation (RPA), Data Analytics and Artificial Intelligence (AI).
Practical next steps
- Reviewing your Risk and Finance controls frameworks to identify potential to align further.
- Scoping exercise to determine a risk-based prioritisation for operational controls and systems.
- Developing a phased roadmap for the documentation and transformation of operational controls, and securing a mandate from your Board and Audit Committee to deliver against it.
- Assessing your technology needs to ensure you can optimise and automate your controls as part of your programme.
- Documenting your operational control framework in a standardised and consistent manner.
- Designing the foundations of your BAU operating model, including roles and responsibilities across the three lines of defence and estimated capacity requirements.
- Assessing the control culture in the business and creating a change & learning strategy.
- Developing training on enterprise-wide control standards.