Monday, December 20, 2010

Thoughts on 2010


It is the time of year for a bit of reflection . . . .

I have had a lot of interesting (and some amusing) discussions and experiences this year, related to the topic(s) of performance, risk and compliance. I thought I would share them here in no particular order:


1) Risk - Are we getting the right balance?
2) The CFO Agenda and relationship to Performance, Risk & Compliance
3) The 'GRC' term, eGRC, CCM et al - what is the difference?
4) Evolution of Continuous Controls Monitoring and some great case studies of making it work in practice.
5) Anti-Corruption and FCPA - keeps coming up!
6) Segregation of Duties - Evolution of SoD and my dentist . . .
7) Preventive vs Detective controls - what is the right balance?
8) Independence of control testing, prevention and detection - independent or ERP embedded?
9) Making my guitar - performance, risk and compliance in practice?
10) What does 2011 hold in store?


1) Risk - Are we getting the right balance? There is a lot of talk and discussion on risk, risk management and ERM these days. We talk about risk mitigation, risk reduction, risk avoidance etc. But risk in business is a good thing. In fact, business would not exist without risk. There would be no markets and no innovation. There is no performance without risk. There is a lovely thought-provoking short article on this at: http://www.managementtoday.co.uk/features/1042678/Dont-believe-it-Risk-bad-thing/


2) The CFO Agenda and relationship to Performance, Risk & Compliance. I am reading an excellent book by Jeremy Hope entitled 'Reinventing the CFO' (http://www.amazon.co.uk/Reinventing-CFO-Financial-Managers-Transform/dp/1591399459/ref=sr_1_1?s=books&ie=UTF8&qid=1292578362&sr=1-1 ). The book challenges some long-held assumptions about centralisation, planning, budgeting and forecasting, as well as the role of the finance function as a real business partner. The chapter headings really encapsulate the focus, but I recommend this book to anyone looking for breakthrough approaches to business as a whole, not just finance. Here are just a few:
  • The CFO as Freedom Fighter
  • The CFO as Analyst and Advisor
  • The CFO as Warrior against Waste
  • The CFO as Master of Measurement
  • The CFO as Regulator of Risk
  • The CFO as Champion of Change
There are two video summaries here also:

Jeremy Hope - Reinventing the CFO (Part 1)

Jeremy Hope - Reinventing the CFO (Part 2)


Performance and Risk are two sides of the same coin. In the world of Continuous Monitoring, we continue to see that 'Key Risk Indicators' (KRIs) are just another perspective on 'Key Performance Indicators' (KPIs). It is all about managing business exceptions. This creates some interesting insights for the financial controls profession. Hackett Group reported that world-class Finance functions with effective controls operate with 51% lower costs. This year's IBM Global CFO Study reported some interesting conclusions also. Performance and Risk were the top 2 priorities. You can get their report at http://www-935.ibm.com/services/us/gbs/bus/html/gbs-2010cfostudy.html



3) The 'GRC' term, eGRC, CCM et al - what is the difference? Rightly or wrongly, the 'GRC' term relates to technology in most people's minds. Whilst organisations like OCEG are trying to define a broad-based definition, perhaps too broad, I am constantly meeting organisations who tell me they want to 'do GRC'. When probing into this comment, the initiatives they are considering usually fall into two camps: either risk and control frameworks or Segregation of Duties (SoD) for ERP applications. I guess this is largely because the tools that use the 'GRC' label in their naming focus heavily on these topics. GRC is a small label for a BIG area, but I see common confusion in the areas of 'eGRC' and 'CCM'. Gartner Group have produced some good definitions and market analyses for these domains, but in summary my view is as follows:

  • 'eGRC' tools (the 'e' refers to 'Enterprise', apparently) are those that enable the documentation and publication of a risk and controls framework, allow the capture of working papers etc. and, importantly, record and track the results of testing key controls, often based on a manual, sample-based testing approach. Quite often these capabilities are provided by intranet applications such as those built on Microsoft SharePoint.
  • Entirely complementary to 'eGRC' is CCM, or Continuous Controls Monitoring. CCM perhaps should be called just CM, as in the 'Continuous Monitoring' of Risks, Controls and Performance, or 'CA' when applied to the narrower 'Continuous Audit' perspective. The focus of CCM is the COMPLETE, CONSISTENT, CONTINUOUS monitoring of systems and processes, and it is a major step forward in management assurance and exception reporting from traditional sample-based approaches. The results from CCM technologies can be presented in the 'eGRC' tools through standard interfaces, although often summarised. CCM typically stimulates some change to the way risks and controls are viewed by management, as it contributes to 'management by fact' rather than 'management by opinion'.
Typically 25% of risks / controls cannot be fully automatically monitored using CCM because they are entity-level controls such as policies, policy conformance, evidence of education, delegation of authority etc. Whilst there is often the ability to monitor system data for evidence of such policy implementation (e.g. training records), typically some form of management assurance is required as well. The remaining 75% of controls can be automatically monitored, and these usually span multiple systems and processes.


In summary, the scope of 'eGRC' is typically broader than CCM but penetration into processes and controls is shallow, whereas CCM is narrower (typically 75% as above) but much deeper, monitoring detailed exceptions to real business processes.


4) Evolution of Continuous Controls Monitoring and some great case studies of making it work in practice. The topic of continuous monitoring has been much discussed over the years, but there are few really good large-scale examples out there. I have to commend Philip Morris International on their journey and achievements. They are a very large-scale, global consumer goods business, and you can hear some of their experiences at

There is also a good webcast on 'Transforming Financial Control Practices using CCM' which is worth a watch while you are recovering from the holiday period. http://event.on24.com/eventRegistration/EventLobbyServlet?target=lobby.jsp&eventid=244800&sessionid=1&key=BAC93AA5F28EC38A62F8523FB0C934EC&eventuserid=41377509

5) Anti-Corruption and FCPA - this keeps coming up! After many years in force, FCPA investigations and judgements just keep coming. Despite FCPA being a US regulation, it reaches far beyond the US, as a growing number of European multinationals can attest. To make matters worse, other jurisdictions such as the UK are introducing their own anti-bribery legislation, which is perceived by many to be even more draconian. There is an interesting philosophical issue as to whether it is reasonable for western cultures to assert their code of ethics onto others, but that's a separate discussion! There are some good recommendations for helping develop an 'anti-bribery' and 'anti-corruption' culture, but ultimately ignorance is no defence. Continuous Monitoring of Purchasing to Payment, especially for one-off 'services', is a key weapon in the defence against investigation. Even a rumour of an FCPA investigation can cause a stock price drop of 5%.

6) Segregation of Duties - Evolution of SoD and my dentist . . .  Yes, an odd thought, I know. We all understand the concept of conflict of interest where money or items of value are concerned. This concept is well embedded in principles of accounting and associated controls under the term 'Segregation of Duties'. Good corporate governance practice is to ensure that 'four eyes' are needed on any activities where there is a risk of fraud, significant error or waste (fraud, of course, always gets top billing in the press!). I was a little concerned recently, while visiting the dentist, to be advised that the treatment I needed involved 3 or 4 visits to the same dentist, some very expensive filling material (gold) and various other procedures. As I sat there uncomfortably with dentist's tools in my mouth, I considered this a major 'SoD' issue. I want to have the right treatment, but wouldn't it be better to have the diagnosis and proposed treatment plan conducted by someone who didn't have a financial interest in performing the treatment? I have no idea whether I am being quoted a fair price, but it seems very high. My colleagues suggest I take a trip to one of the very good dentists in Hungary. Whilst Budapest is a beautiful city, I can't really afford the time. I guess I have to perform my own mitigating control and validate the proposed treatment plan. Of course, I have to pay for that too!

All of this brings me nicely to the issue of mitigating or compensating controls. SoD programmes in business (rather than dentistry!) are now realising that there are always unresolvable SoD issues in business and systems. The requirement here is to have a compensating control, where a third party (usually the manager or process owner) reviews the specific situations to establish that there has been no funny business. Of course, most organisations suggest that a report will be run monthly so that the relevant manager can review and confirm appropriateness of the activity. The reality is these reports often don't get run, they are run too late after the event to be useful or frankly just get signed off after a cursory glance, because we are all too busy. The problem is that after clearing the expensive audit issues associated with the original SoD findings, the next audit issue is compensating controls, and we are back to square one!

Keeping compensating controls to a minimum by ensuring that the functional leader owns them is a good start. The other part of the solution is to have automated compensating controls, provided through continuous monitoring, so that every time, for instance, special pricing for a customer is set by the same person who approves the sales order for that customer, a specific alert is sent to the responsible manager. The manager doesn't have to review a substantial report at the end of the month. Instead, they get specific information by exception and their approval is auditable.

I just need to work out this process for my dentist!
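To make the automated compensating control concrete, here is an added example (mine, not code from the post or from any particular CCM product) that runs the "same person set special pricing and approved the sales order" check over a constructed ERP audit trail. The event layout, the user names, the customer and document numbers and the user-to-manager mapping are all assumptions made for the example; a real implementation would read the equivalent fields from the ERP's change and approval logs.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ErpEvent:
    """One audit-trail entry (constructed layout, not a real vendor schema)."""
    ts: datetime
    user: str
    action: str      # "SET_SPECIAL_PRICE" or "APPROVE_SALES_ORDER"
    customer: str
    ref: str         # pricing condition id or sales order number


# Constructed sample audit trail: not real data.
SAMPLE_EVENTS = [
    ErpEvent(datetime(2010, 12, 1, 9, 0), "alice", "SET_SPECIAL_PRICE", "C100", "PR-1"),
    ErpEvent(datetime(2010, 12, 3, 14, 0), "alice", "APPROVE_SALES_ORDER", "C100", "SO-5001"),
    ErpEvent(datetime(2010, 12, 2, 10, 0), "bob", "SET_SPECIAL_PRICE", "C200", "PR-2"),
    ErpEvent(datetime(2010, 12, 4, 11, 0), "carol", "APPROVE_SALES_ORDER", "C200", "SO-5002"),
    ErpEvent(datetime(2010, 10, 1, 8, 0), "dave", "SET_SPECIAL_PRICE", "C300", "PR-3"),
    ErpEvent(datetime(2010, 12, 5, 16, 0), "dave", "APPROVE_SALES_ORDER", "C300", "SO-5003"),
    ErpEvent(datetime(2010, 12, 6, 9, 0), "alice", "APPROVE_SALES_ORDER", "C400", "SO-5004"),
]

# Hypothetical mapping from user to the manager who owns the compensating control.
MANAGER_OF = {
    "alice": "mgr.sales.north",
    "bob": "mgr.sales.south",
    "carol": "mgr.sales.south",
    "dave": "mgr.sales.west",
}


def sod_conflicts(events, window_days=30):
    """Return one alert per sales order whose approver also set special pricing
    for the same customer within `window_days` before the approval.
    Alerts are ordered by approval time so the manager sees them as they occur."""
    window = timedelta(days=window_days)
    pricing_by_customer = {}
    for e in events:
        if e.action == "SET_SPECIAL_PRICE":
            pricing_by_customer.setdefault(e.customer, []).append(e)

    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action != "APPROVE_SALES_ORDER":
            continue
        for p in pricing_by_customer.get(e.customer, []):
            age = e.ts - p.ts
            # Same user on both sides of the conflict, and the pricing change
            # happened before the approval and not longer ago than the window.
            if p.user == e.user and timedelta(0) <= age <= window:
                alerts.append({
                    "order": e.ref,
                    "customer": e.customer,
                    "user": e.user,
                    "pricing_ref": p.ref,
                    "days_between": age.days,
                    "notify": MANAGER_OF.get(e.user, "mgr.unassigned"),
                })
    return alerts


if __name__ == "__main__":
    for a in sod_conflicts(SAMPLE_EVENTS):
        print(f"ALERT {a['order']}: {a['user']} priced {a['customer']} ({a['pricing_ref']}) "
              f"{a['days_between']} day(s) before approving it -> notify {a['notify']}")
```

With the default 30-day window only SO-5001 is raised: SO-5002 was approved by a different user, SO-5003's pricing change is older than the window, and SO-5004 has no special pricing at all. Widening the window to 90 days also surfaces SO-5003, which is the kind of tuning decision the process owner, not IT, should make.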

7) Preventive vs Detective controls - what is the right balance?

What is wrong with this picture?




This is a lovely illustration of risk and control, where the difference is only visible with monitoring technology (snow in this case!).


The entrance to the car park facility in this photograph has a state of the art control system, an automatic gate that opens only when you swipe your employee badge on the reader and only lets one car through at a time. This way, it is clear that only authorised people can use the facility and that a record is kept of each visit. The automated control works perfectly and as designed. However, the tyre tracks in the snow illustrate how people get round the control, and that the real risk isn't fully addressed. This is a great analogy for controls monitoring and the role of the preventive control (the automated barrier) and the detective control (snow and a sharp pair of eyes, in this case).


Automated, embedded configuration controls in systems such as ERP are very important and should be used to an appropriate level for the business. But every preventive control has 'workarounds' and, because they are complex, they are not always set where management think they are. The effective combination for management assurance and efficient exception management in the business is to use the configured preventive controls in ERP to support the process as far as possible (recognising geographic differences in process, policy and culture). It is impossible to run a business on purely preventive controls. Business is about exceptions, and if no exceptions are allowed the business grinds to a halt or the systems are by-passed. To complement the appropriate preventive controls, effective detective monitoring should be applied to key risk areas and key performance areas. Detective monitoring, as in Continuous Controls Monitoring (CCM), should monitor the ERP configuration controls themselves (are they set where we think they are, for all vendors/materials etc., have they been changed?). Detective monitoring should also alert to Segregation of Duties issues, as well as core static data (Master Data) and transactions that fall outside expected norms.
This highlights exceptions to expected business practice, whether in areas of risk, fraud, waste, error, performance deviation or even process transformation/harmonisation exceptions. This is powerful decision support information for management.

Gartner Group produced an excellent report and 'Magic Quadrant' on CCM which you can access at http://www.gartner.com/technology/media-products/reprints/approva/article3/article3.html 

8) Independence of control testing, prevention and detection - independent or ERP embedded? Another interesting topic of discussion this year. As organisations attempt to standardise and simplify onto a common set of processes supported by a common ERP system, there is often the question 'should I use independent controls monitoring solutions or ones that are embedded into the ERP platform?'. The answer to this relates a little to the previous point about preventive and detective controls. It is clear that wherever possible, preventive process controls should be implemented in the appropriate business process in the ERP system using configuration settings/tools in that system. But we must accept the practical limitations in such controls!


Detective monitoring, however, is a different animal. There are two reasons to take a different approach to this:
  1. Complexity - setting configuration settings in ERP systems is a technical job and is subtly complex. I regularly meet companies who believe they have the simple 3-way match (PO, GR, IR) implemented in their processes and systems. Following some detective monitoring, it becomes apparent that these controls were only implemented for 20% of vendors! The challenge is that this is a business control and needs to be monitored by the responsible business function. It is not, nor should it be, an IT responsibility.
  2. Independence or 'Four-Eyes' principle - the principles of accounting and control have long espoused 'checks and balances', since the invention of double-entry book-keeping in the 15th century (http://www.canhamrogers.com/HDEB.htm). The idea of independent checking has a lot going for it, both by using an alternative route to confirm accuracy and by separating the duties of 'control implementor' and 'controls tester'.
Every organisation needs to make their own judgement, but keeping controls monitoring independent from the applications under scrutiny proves valuable in practice.
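The "are the configuration controls set where we think they are, for all vendors, and have they been changed?" question from point 7, and the 3-way match coverage surprise in point 8, can both be answered by an independent monitor that reads vendor master snapshots rather than trusting the ERP's own screens. The following is an added example written for this page (not code from the post or from any ERP or CCM vendor): it computes 3-way match coverage over a constructed vendor list and diffs a current snapshot against a signed-off baseline to flag drift. The record layout, vendor ids and names are assumptions; the single `three_way_match` flag stands in for whatever combination of settings enforces PO / goods receipt / invoice matching in a given system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorControl:
    """Purchasing-control settings for one vendor master record (constructed layout)."""
    vendor_id: str
    name: str
    three_way_match: bool   # invoice must match PO and goods receipt before payment


# Constructed baseline snapshot, taken when the control was signed off.
BASELINE = [
    VendorControl("V001", "Acme Packaging", True),
    VendorControl("V002", "Bolt Logistics", True),
    VendorControl("V003", "Cedar Consulting", True),
    VendorControl("V004", "Delta Services", False),
    VendorControl("V005", "Echo Materials", True),
]

# Constructed snapshot taken on the day the monitor runs.
CURRENT = [
    VendorControl("V001", "Acme Packaging", True),
    VendorControl("V002", "Bolt Logistics", True),
    VendorControl("V003", "Cedar Consulting", False),   # control switched off since baseline
    VendorControl("V004", "Delta Services", False),
    VendorControl("V005", "Echo Materials", True),
    VendorControl("V006", "Foxtrot Events", False),     # new vendor created without the control
]


def three_way_match_coverage(vendors):
    """Return (fraction of vendors with the 3-way match enforced,
    sorted ids of vendors without it). An empty list yields 0.0 coverage."""
    if not vendors:
        return 0.0, []
    missing = sorted(v.vendor_id for v in vendors if not v.three_way_match)
    return (len(vendors) - len(missing)) / len(vendors), missing


def config_drift(baseline, current):
    """Compare two snapshots of the control flag. Returns a dict with
    'changed' (id -> (old, new)), 'added' (ids only in current) and
    'removed' (ids only in baseline), each sorted by vendor id."""
    base = {v.vendor_id: v.three_way_match for v in baseline}
    now = {v.vendor_id: v.three_way_match for v in current}
    common = sorted(base.keys() & now.keys())
    return {
        "changed": {vid: (base[vid], now[vid]) for vid in common if base[vid] != now[vid]},
        "added": sorted(now.keys() - base.keys()),
        "removed": sorted(base.keys() - now.keys()),
    }


if __name__ == "__main__":
    share, missing = three_way_match_coverage(CURRENT)
    print(f"3-way match enforced for {share:.0%} of vendors; exceptions: {missing}")
    drift = config_drift(BASELINE, CURRENT)
    for vid, (old, new) in drift["changed"].items():
        print(f"CHANGED {vid}: {old} -> {new}")
    for vid in drift["added"]:
        print(f"ADDED   {vid}: created since baseline, review control settings")
    for vid in drift["removed"]:
        print(f"REMOVED {vid}: no longer in vendor master")
```

On the constructed data the coverage figure is 50%, and the drift report separates a control that was switched off after sign-off (V003) from a vendor created without it (V006); both go to the purchasing process owner, since, as the post says, this is a business control rather than an IT one.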


9) Making my guitar - performance, risk and compliance in practice? I spent 3 weeks in the summer building a guitar from two blocks of mahogany wood on a beautiful Mediterranean island. I learned some interesting things about myself as well as guitars. Primarily, despite believing 'I am not good at wood-working', I found that if you really want the outcome, you tend to focus on the process. It worked!
  • Performance, Risk & Compliance? OK - this is a bit of fun, but I had 21 days in the guitar workshop with the professor. There was no extra time - I had to be back at work! That focussed the mind. Long days . . . Efficient performance required regular control checks to ensure I was on track. Risk - Every day that went by raised the potential impact of any mistake significantly. In fact, Day 10 was the 'point of no return', where any serious mistake would have left me with no chance of completing the guitar in the available time period. We became more and more focussed on quality of workmanship to mitigate the risk of disaster. Another student had the misfortune to suffer an 'exploding guitar', which was a lesson to us all. Compliance - There are some basic laws of nature that apply to musical instruments, strings, resonance and electromagnetics. You can't make it up. If you are 'non-compliant' you end up not with a guitar, but a lifeless lump of wood . . .
Some of the struggles and fun of this experience can be found at http://guitarra-adventura.blogspot.com/2010/08/day-1.html


10) What does 2011 hold in store? Despite the dire economic conditions of 2008-2009, 2010 has definitely turned the corner. Obviously, different countries and economies are faring to different degrees. Here are a few things I think we will see in 2011:
  • The US, European and so-called 'Emerging Markets' (they seem pretty well 'emerged' already!) are progressing at different paces and in different ways. It will be an interesting couple of years.
  • Risk and compliance issues will remain important for organisations and are growing in some markets.
  • There will be a growing acceptance of the synchronicity of business performance and risk. Two sides of the same coin.
  • The rate of adoption of Continuous Monitoring will continue to accelerate, both stimulated by FCPA and other compliance and audit issues and driven by Finance Transformation and harmonisation initiatives.
  • Sadly, IT organisations will continue to be left with the 'controls issue' in some organisations, although it is not their responsibility or expertise. We will continue to help these organisations drive better dialogue and education between all stakeholders. For the organisations where that exists already, we have an even better foundation to drive improved business performance, optimised risk and effective and efficient compliance.


If you have read this far, you need a break!

Happy Christmas and all the best for 2011
Dan

Tuesday, November 23, 2010

Governance, Risk & Compliance (GRC) . . . . hmmm

Semantic debate can be intellectual fun but rarely drives a satisfactory outcome or enhanced business performance (in my experience).

Being involved in a lot of activities related to an area often referred to as 'Governance, Risk and Compliance'  or simply 'GRC', I continue to be puzzled by the phrase itself as well as the multitude of meanings it seems to project. Is it a business management ethos, the essence of how to run a business, a class of business software, a fancy term for the management of business risk and internal controls or what?

The independent OCEG body has both tried to define the ‘GRC’ term and even published a ‘Red Book’ on GRC capability maturity at http://www.oceg.org/view/RB2Project

Compliance Week has gone a stage further and produced a series of illustrations at http://www.complianceweek.com/Page/345/grc-illustrated-series (now we KNOW the management consultants are at work!). If a picture tells a thousand words, then these six (or is it 24?) illustrations indicate how this ‘GRC’ concept has become complex, ambiguous, shape-shifting and quite a significant commercial machine for a whole ecosystem of consultants, software vendors, advisors etc. Industry analysts report that the ‘GRC market’ is already huge at 33.5 billion USD (yes, that’s BILLION) in 2009 - 11 billion for technology, 9.3 billion for services, and 13 billion for internal effort. I hope all that investment is driving the economic and social output of the organisations spending the money. I suspect half of it is wasted, along the lines of the famous comment about advertising (I can’t remember the source, but it has been attributed to every marketing guru in the last 100 years!).

But I still don’t know what it means – Seriously! You ask 10 different people and you get 15 different answers. I am often asked to help a company that wants to ‘do a GRC project’. The hardest part is working out what they are trying to achieve. It often emerges that a ‘GRC project’ is a pseudonym for implementing an improved access control process for ERP systems. Even then, it is not always clear what (business) problem is the target of this new found affection . . .

Counter-intuitively, it’s easier to address this amorphous entity of ‘GRC’ from right to left (which may be easier if Arabic is your script of choice!). But despite reading and discussing the debates around the phrase (see, for example, the discussion titled Debate on 'GRC'), I am left with the uneasy feeling that the term confuses more than it helps . . . .

The 'Compliance' bit is fairly easy to comprehend, even if you extend from the generally accepted implication of adherence and assurance to external rules and regulations to a broader definition of all rules and policies that encompass 'the way we want to operate' . . .

The 'Risk' bit starts easy, then gives you a bit of a headache when you move outwards from identified business risks and how to assess and mitigate them. When you start to consider all of the risks that you may not even have thought of as a business, you start to wonder if the process actually helps or hinders business progress. As the famous Peter Drucker simplified perfectly, 'There is the risk you cannot afford to take, and there is the risk you cannot afford not to take.' Risk is in essence the entrepreneurial activity at the basis of all business. Risks are taken for economic and, hopefully, society's advantage. When 'risk' becomes such a substantial and all-encompassing concept, we move into philosophical ground well beyond the comfort of most businesses as they try to define and allocate components of the business to be managed.

Oh! You thought that was bad? Governance? My head hurts. Governance in an organisational context, to me anyway, is the essence of stewardship relating to decisions that define expectations and authority and validate performance. This is usually what we refer to as a key element of the process of management or leadership (Ouch! Another debate lies there . . .). Governance is a big word . . .

So this is why I worry about software vendors, consultants, auditors, IT specialists and management gurus constantly referring to 'GRC' as if it is a neat new set of concepts to support business management.

There is nothing new in the concept.

At a detailed level, it covers too broad a territory to have a meaningful (and time-limited) conversation!

I respect these great folks who are labouring for common definitions and standards and XML thingummyjigs, but in essence I think we need to get back to first principles in any business.

To my simple brain there are two things in the domain that this 'GRC' term touches on:

1) Business Performance - how to make the organisation as effective and efficient as reasonably possible and be able to measure and assure the levels achieved

2) Risk - how to reasonably identify, measure where possible and optimise risk in business, insofar as it makes economic sense. Whether the risk is compliance risk or internally identified risk, doesn’t make a lot of difference in the big picture, except in the level of fines and interruption you can expect if established rules are broken.

Which brings me to 'controls'. Internal controls for finance or operations are the tools we use to manage risk and streamline operational performance. In fact controls have two sides to their coin, the performance perspective and the risk perspective. I believe this is where the interesting and value-creating activity should be focussed.

Large organisations are striving to achieve step change improvements in performance AND risk management. Let’s focus on these issues and leave the semantic debates for later years when we have the time with our feet up in front of the fire . . . . .

However, I did reach a significant birthday this last weekend, so that day may be sooner than I thought!

Dan