January 2013
Smart Control
Transforming controls to reduce cost, enable growth and keep the business safe
Contents
Introduction
Value of Smart Control
Discovering pain points in your control environment
Our approach to achieving Smart Control
Risk and Controls Analysis Platform (RiCAP™)
Want to learn more about Smart Control?
Companies that align risk management with strategy protect and enhance shareholder value. Companies in the top 20% of risk maturity generated three times the level of EBITDA as those in the bottom 20%. Financial performance is highly correlated with the level of integration and coordination across risk, control and compliance functions.
Source: Turning risk into results, Ernst & Young, 2012.
Introduction
There is a common failure to recognize controls as foundational to all business processes and a key contributor to process costs. Our experience indicates that up to 30% of process cost relates to controlling activities including reviewing, approving and reconciling process activities as well as securing access and data. In addition, there are significant testing and assurance costs associated with control-related activities. Despite this significant spend, today's control environment is not fit for purpose.

A company's control environment should support the execution of a profitable growth strategy. However, many organizations view their control environment as expensive, of limited value and, in some cases, a hindrance to the agility needed to respond to a dynamic economic environment.

The following are common trends in controls for large multinational companies:

- Companies spend increasing amounts on control without any real ability to quantify the outflow or gain certainty that they are achieving the expected return on investment. Despite these expenditures, companies still experience significant control deficiencies and, as a result, are still exposed to risks. As companies have allocated material resources in response to years of growing regulatory pressures, they have accumulated layers of redundant, ineffective and misaligned controls. Moreover, attempts to optimize these controls have primarily focused on reducing the level of testing and monitoring, forfeiting any real opportunities to drive efficiencies in the operation of controls.
- Companies have developed control systems that are complex, duplicative, manual and disconnected from business operations. Instead of addressing the root cause of deficiencies, many organizations respond by installing controls in duplicate or even triplicate. We frequently find that up to 40% of controls are duplicative or can be removed because they are misaligned with the risks deemed most important to the business.
- ERP systems are generally underutilized. While companies have invested heavily in ERP systems, which often have built-in features to monitor financial or business controls, most only harness a fraction of their value. A 2011 Ernst & Young survey on risk management (Turning risk into results, 2012) revealed that only 3% of the executives surveyed have fully automated more than half of the key controls available through the system, while only 22% had automated more than a quarter of the key controls.
- Organizations also have to contend with a lack of transparency and confidence. Despite the significant investment we've mentioned, many stakeholders still report that they are not confident that controls will mitigate unforeseen risks from internal influences (e.g., operational deficiencies, employee turnover) or external influences (regulations, economy, customers and suppliers).

In addition, strategic initiatives such as process transformation, shared service and outsourcing, offshoring, enterprise cost reduction, and mergers and acquisitions often change the risk profile of an organization, including risk tolerance, likelihood and impact. Organizations often fail to consider the impact of these initiatives on controls and often do not realign controls with the new strategic focus of the organization. This can and does strain performance and drive up execution costs.
Organizations have been reluctant to consider opportunities to remove excessive costs from controls. There is a common fear that streamlining controls would reduce quality and expose the enterprise to risk. Even where organizations recognize there is an opportunity to improve their approach to controls, we believe they often adopt a suboptimal response that does not realize the full potential benefit. For example:

- Deploying a monitoring tool on top of the existing controls rather than addressing the root cause of control deficiencies
- Retrofitting instead of integrating controls to an existing transformation program such as an ERP implementation or shared services program
- Not considering the changes needed in organizational design, technical proficiencies and behavior to reduce risk
- Using compliance or assurance requirements as a lever to enforce change instead of motivating change as a business imperative
We have challenged these paradigms by helping our clients simplify their process and controls to be efficient (optimal costs and timely) and effective (preventive and detective) and focused on the risks that matter most. Ernst & Young has developed a Smart Control approach that helps companies realize reductions in the cost of controls, enable growth and keep the business safe by creating an integrated, streamlined and dynamic control environment. Our Smart Control solution can deliver the following:

- Reduced controls spend: considers the key drivers for controlling spending, calculating the costs, and comparing financial outlay to risks and acceptable levels of risk exposure. This approach identifies any spend on controls that is not aligned with the company's risk profile and initiates an effort to transform or overhaul the process.
- Improved accountability for risk: supports the assignment of key risk assessment and mitigation activities to key people throughout the organization, empowering employees to manage risk through ongoing communication, training and reporting.
- Accelerated process execution: eliminates or automates labor-intensive, duplicative or unnecessary process and control activities.
- Alignment with strategy: to confirm how well strategic objectives are supported by clearly defined and prioritized risks, as well as risk management effort/resources. When strategies, risks and controls are misaligned, the organization needs to look for ways to transform processes and realign workflows as necessary.
Balancing value, cost and risk in their processes and controls helps companies create a competitive advantage.
An integrated, streamlined and dynamic control environment provides the agility to anticipate and respond to changes.
We help companies realize 20% to 40% reductions in the cost of controls by creating an integrated, streamlined and dynamic control environment.
Complete the following questionnaire to evaluate key indicators of maturity for your control environment: controls spend, accountability for risk, process execution and strategic alignment.
Elements assessed below 3 (agree) may be indicative of an opportunity for improvement to confirm your control environment is well designed, understood and operating effectively. Leading control environments affirm agreement to strong agreement with each of the elements presented in this questionnaire.
Ernst & Young's Smart Control approach is a well-defined work plan that leverages normative process and control models and data analysis to help clients build a business case, design and implementation plan for controls transformation. In the same way that shared services have driven the efficiency of finance functions, the ultimate goal of this approach is to provide controls as a service to realize efficiencies, embed new working practices and create a sustainable operating model for controls.
Controls are not well aligned with the risks that matter
A study by the Economist Intelligence Unit found that half of those responding had gaps in their coverage of risks even though a majority had seven or more risk and control functions across the business. Only 55% of respondents plan to use a formal risk management methodology when they upgrade their ERP system.
Source: The future of risk, Ernst & Young, 2009.
Develop strategy
2
Understand the opportunity
- Create clarity, alignment and commitment in the business
- Understand the current state of the control environment including the proficiency of risk management functions
- Understand control cost drivers and compare to benchmarks
- Align business case to overall enterprise strategy
- Create a business case and execution plan
- Design a zero-based controls framework aligned to process objectives
- Evaluate technology enablers and integrate into existing technology infrastructure
- Create a functional operating model
- Execute new control capabilities applying a cost-effective operating model
- Document revised control model
- Execute, monitor and remediate new controls
- Measure return on investment
Zero-based controls framework: a single, global, streamlined set of controls aligned to risks that matter, leveraging technology and implementing continuous monitoring capabilities
- Design and build zero-based control set that is aligned to and supportive of business and strategic objectives
- Challenge and justify every control in alignment with risk tolerance levels
- Eliminate unnecessary manual activities
- Risk management and governance organizational design that defines accountability for risks and controls
- Control environment maturity assessment
- Process, risk and controls mapping and automated process control playbook
- Control automation and optimization advice
Key steps
3. Leverage existing or invest in new technology enablers
- Implement automated prevent controls within existing IT systems and processes
- Make better use of out-of-the-box systems capability to turn on prevent controls
- Review master data standards and processes
- Embed control operation into the fabric of the business process and governance structure
- Target the most labor-intensive areas first to drive efficiency
- Select and implement relevant GRC tools to automate control execution and monitoring activities
- Promote transparency through dynamic dashboards and reporting
- Accelerate benefits delivery through insightful analytics
- Design the operating approach, consolidating control monitoring and reporting activity to a single controls shared services function
- Implement new ways of working
- Continuously improve and automate controls life cycle (design, operate, monitor, remediate and report)

- Organizational design
- Change management
- Service implementation guidance
- Benefits realization advice
Top-performing organizations use analytics five times more than lower performers. Leading companies were twice as likely to use analytics to guide future strategies as well as to guide their day-to-day operations as lower performers.
Source: Turning risk into results, Ernst & Young, 2012
Ernst & Young has developed a technology platform called RiCAP™ to evaluate an organization's control environment and identify opportunities for Smart Control. This platform evaluates key inputs, such as enterprise objectives, risks, controls, cost drivers and acceptable risk levels. The results provide insight on areas that are over- and under-controlled.
[Figure: RiCAP™ overview. Labels: Controls; IT impact; Degree of risk (risk tolerance); Collect process, risk and control data (including cost of controls); Analyze risk and control data; Identify gaps and improvement opportunities; Needs improvement; Over/under controlled; Continuous monitoring]
RiCAP™ provides actionable data and reports that can be shared with multiple stakeholders and used to support a business case for transformation. The output helps organizations to:

- Align control expenditures to meet organizational objectives
- Compare spend to the risk profile and degree of risk
- Identify potential process inefficiencies and risk exposure
- Identify controls that are unmapped to any risk resulting in immediate cost savings
The following risks are included in the current risk listing but do not directly correlate to the <Organization's Name>'s strategic/business (select one) objectives:
Description of Risk | Process Name | Estimated cost of controls | Other impacts | Improvement Opportunity
Manual depreciation entries for fixed assets are not accurately calculated and recorded.
- Evaluate current risk management function at a process level
- Consider automating manual controls
RiCAP™ and our overall Smart Control approach are designed to accommodate the unique needs of more than 16 principal sectors. We combine our industry-specific perspectives and deep risk and controls experiences to create tailored solutions for our clients.
Areas

Americas
Michael L. Herrinton, +1 703 747 0935, michael.herrinton@ey.com
Bernard R. Wedge, +1 404 817 5120, bernard.wedge@ey.com
EMEIA
Jonathan Blackmore, +44 20 795 11616, jblackmore@uk.ey.com
Manuel Giralt Herrero, +34 91 572 7479, manuel.giraltherrero@es.ey.com
Asia-Pacific
Jenny S. Chan, +86 21 2228 2602, jenny.s.chan@cn.ey.com
Rob Perry, +61 3 9288 8639, rob.perry@au.ey.com
Japan
Yoshihiro Azuma, +81 3 3503 1100, azuma-yshhr@shinnihon.or.jp
Haruyoshi Yokokawa, +81 3 3503 2846, yokokawa-hrysh@shinnihon.or.jp