In my earlier blog, I categorized risk as strategic business risk, execution risk and fraud risk based on intent. Out of these, the most common and ongoing risk that enterprises have focused on for decades is execution risk – the risk inherent in any process in the normal course of business. The traditional methods focus on assessing all the risk areas, having the right controls, periodically testing the controls and doing internal and statutory audits based on samples.
I mentioned Analytics being a game changer for managing execution risk, enabling both prevention and detection. Here is how:
- 100% Transactions: Unlike traditional sampling methods, Analytics pulls 100% of the data available in ERP and other systems and converts it into readable information. This enables a holistic view of all risk data in the enterprise.
- Ongoing assessment: Since data can be pulled on a scheduled basis depending on the process, there is ongoing assessment and problems are identified early rather than through the auditing cycle. The audit team can thus focus on outliers and investigation rather than problem identification.
- Heat Maps: Countries, geographies and processes that are non-compliant or most at risk can be automatically highlighted through heat maps to draw the attention of executives and provide early warning signals. These can be customized by company, geography and process by defining a variety of threshold limits.
- Prioritization: Heat maps and analysis of 100% of transactions surface outliers, be it at a macro geography/BU/process level or at a micro transaction level for each risk, thus enabling prioritization and focus of GRC energies.
- Executive view meets execution view: Analytics marries the executive view with the actionable view, making it possible to drill down all the way from a heat map to a KPI to a transaction. E.g. if Brazil shows up as below threshold, the automated root cause analysis can highlight the processes causing this: the invoicing process and, within that, the specific risks of GRIR open items and potential duplicate invoices. This can then point to the exact open items and invoices that need to be investigated.
- Action orientation: Constant assessment enables identification and follow-up of actions: were transactions that were previously highlighted as outliers acted upon? E.g. Purchase Orders (POs) that were unapproved >180 days: were they deleted or released subsequently, or do they continue to lie in that category? This increases accountability on actions.
- Building connections: Apart from high level and detailed visibility, problem identification and action tracking, Analytics most importantly draws connections between diverse data sets and KPIs. E.g. inactive vendors can be matched with open purchase orders. Creating this analytical network is highly significant since it leads to preventing events, re-examining controls and identifying potential fraud risk.
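The checks named in the list above (POs unapproved >180 days, inactive vendors matched with open purchase orders, potential duplicate invoices, and follow-up on earlier outliers) can be run over every record rather than a sample. The following is an added example, not code from the original post; the field names, status values and sample records are constructed assumptions, not an ERP schema.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records; field names and status values are assumptions.
AS_OF = date(2023, 10, 1)
VENDORS = {"V1": "active", "V2": "inactive", "V3": "active"}
POS = [
    {"po": "PO-1", "vendor": "V1", "status": "unapproved", "created": date(2023, 1, 10)},
    {"po": "PO-2", "vendor": "V2", "status": "open", "created": date(2023, 9, 1)},
    {"po": "PO-3", "vendor": "V3", "status": "unapproved", "created": date(2023, 8, 20)},
    {"po": "PO-4", "vendor": "V3", "status": "released", "created": date(2023, 1, 5)},
]
INVOICES = [
    {"inv": "I-1", "vendor": "V1", "ref": "A100", "amount": 1200.00},
    {"inv": "I-2", "vendor": "V1", "ref": "A-100", "amount": 1200.00},
    {"inv": "I-3", "vendor": "V3", "ref": "B7", "amount": 560.00},
]

def stale_unapproved_pos(pos, as_of, max_age_days=180):
    """POs still unapproved after more than max_age_days."""
    return sorted(p["po"] for p in pos
                  if p["status"] == "unapproved"
                  and (as_of - p["created"]).days > max_age_days)

def open_pos_on_inactive_vendors(pos, vendors):
    """Join two data sets: POs not yet released whose vendor is inactive."""
    return sorted(p["po"] for p in pos
                  if p["status"] in ("open", "unapproved")
                  and vendors.get(p["vendor"]) == "inactive")

def potential_duplicate_invoices(invoices):
    """Group on vendor, amount and a normalized reference so that
    'A100' and 'A-100' are treated as the same reference."""
    groups = defaultdict(list)
    for inv in invoices:
        ref = "".join(c for c in inv["ref"].upper() if c.isalnum())
        groups[(inv["vendor"], ref, round(inv["amount"], 2))].append(inv["inv"])
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)

def still_unresolved(previous_flags, current_flags):
    """Action tracking: items flagged in the last run and flagged again now."""
    return sorted(set(previous_flags) & set(current_flags))

if __name__ == "__main__":
    stale = stale_unapproved_pos(POS, AS_OF)
    print("Stale unapproved POs:", stale)
    print("Open POs on inactive vendors:", open_pos_on_inactive_vendors(POS, VENDORS))
    print("Potential duplicate invoices:", potential_duplicate_invoices(INVOICES))
    print("Unresolved since last run:", still_unresolved(["PO-1", "PO-9"], stale))
```

Each function returns record identifiers, which is what lets a heat-map figure be drilled down to the transactions that need investigation.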
A recent study showed that the top 20% of companies that manage risk well perform three times better on earnings before interest, taxes, depreciation and amortization (EBITDA) than companies in the bottom 20%. Further, 82% of institutional investors pay a premium for organizations with strong risk management functions. CFOs and CROs are slowly embracing Analytics to give their organizations that competitive edge.
In my next blog, I will discuss 10 commonly used analytical techniques for risk management.