The traditional way of managing risks through periodic audits is fast becoming obsolete.
I see a lot of organizations that run a calendar of so-called risk-based audits, which are increasingly proving inadequate for a number of reasons. First, routine audits often fail to provide the right information, mostly due to a lack of skilled resources and insufficient testing methodologies. Furthermore, in many organizations audits are carried out by multiple functions with questionable coordination between them. As a result, stakeholders may end up with a flawed view of risks, and at excessive cost.
A more holistic approach to risk and compliance is clearly the way to go. However, even organizations that are moving towards an Enterprise Risk Management approach may struggle to find the right starting point.
In my view, Risk Officers can reduce the cost of compliance and minimize financial loss by following these seven steps:
1. Invest in the right automation technologies to gather data from multiple applications across the organization and apply algorithms to identify the right population of data for transaction/control testing. This lets you gain assurance over the whole data set rather than just a sample of transactions and controls.
2. Continuously monitor key risks and controls, thereby ensuring accuracy in transaction processing while monitoring exceptions on an almost real-time basis. This helps you as a Risk Officer take timely action, reducing the probability of errors and fraud.
3. Continuously monitor critical transactions to manage process compliance, thus limiting financial loss and reputational damage in a timely manner.
4. Assess fraud risks and embed anti-fraud controls. Risk Officers should also test critical anti-fraud controls on a continuous basis to identify fraudulent transactions in a timely manner and take corrective action.
5. Identify and implement automated controls rather than manual ones, as far as possible. This provides the twin benefits of reducing effort and providing a more robust control environment: when controls are automated, a single check is sufficient to ensure compliance.
6. Apply GRC technology solutions to provision access rights in line with company policy and minimize instances of conflicting access rights being granted to a single user.
7. Increase focus on assessing cybersecurity threats and address them through strong policies and processes that exist not just on paper, so that they are actually implemented and awareness increases across teams. The effectiveness of policies and processes can be assessed through regular audits.
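The continuous-monitoring steps above (testing the full population instead of a sample, monitoring controls and critical transactions, and continuously testing anti-fraud controls) boil down to running automated control rules over every transaction and surfacing the exceptions. The following is an added example, not code from the original post or from Capgemini; the rule names, the approval threshold, the splitting window and the sample payments are all constructed for illustration, and a real deployment would pull the population from the ERP or accounts-payable system.

```python
"""Continuous controls monitoring over a full payment population (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    txn_id: str
    vendor: str
    amount: float
    created_by: str
    approved_by: str
    invoice_ref: str


# Constructed sample population: in practice this is every payment in the
# period, extracted from the source system rather than sampled.
PAYMENTS = [
    Payment("T1", "ACME", 9_900.0, "alice", "bob", "INV-1"),
    Payment("T2", "ACME", 9_900.0, "alice", "bob", "INV-1"),      # duplicate of T1
    Payment("T3", "GLOBEX", 4_800.0, "carol", "carol", "INV-7"),  # preparer approved own payment
    Payment("T4", "INITECH", 9_950.0, "dave", "erin", "INV-20"),
    Payment("T5", "INITECH", 9_980.0, "dave", "erin", "INV-21"),
    Payment("T6", "INITECH", 9_990.0, "dave", "erin", "INV-22"),  # three just under threshold
    Payment("T7", "UMBRELLA", 120.0, "frank", "grace", "INV-3"),
]

APPROVAL_THRESHOLD = 10_000.0  # constructed: amounts at or above this need senior approval
SPLIT_WINDOW = 3               # constructed: this many near-threshold payments to one vendor is suspicious


def rule_self_approval(payments):
    """Control: the preparer of a payment must not also be its approver."""
    return [(p.txn_id, "self_approval") for p in payments if p.created_by == p.approved_by]


def rule_duplicate_payment(payments):
    """Control: the same vendor/invoice/amount must not be paid twice."""
    seen = Counter((p.vendor, p.invoice_ref, p.amount) for p in payments)
    return [(p.txn_id, "duplicate_payment")
            for p in payments if seen[(p.vendor, p.invoice_ref, p.amount)] > 1]


def rule_threshold_splitting(payments, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW):
    """Anti-fraud control: several payments to one vendor, each within 10% below
    the approval threshold, suggest an invoice was split to avoid review."""
    near = defaultdict(list)
    for p in payments:
        if threshold * 0.9 <= p.amount < threshold:
            near[p.vendor].append(p.txn_id)
    return [(txn, "threshold_splitting")
            for ids in near.values() if len(ids) >= window for txn in ids]


RULES = [rule_self_approval, rule_duplicate_payment, rule_threshold_splitting]


def run_monitoring(payments, rules=RULES):
    """Run every rule over the whole population; return {txn_id: [rule names]}.
    Each entry is an exception for the Risk Officer to review, not a finding
    about a sample that must then be extrapolated."""
    exceptions = defaultdict(list)
    for rule in rules:
        for txn_id, name in rule(payments):
            exceptions[txn_id].append(name)
    return dict(exceptions)


if __name__ == "__main__":
    for txn, hits in sorted(run_monitoring(PAYMENTS).items()):
        print(f"{txn}: {', '.join(hits)}")
```

Because the rules are plain functions over the whole population, adding a control is a matter of adding one function to RULES, and the same run can be scheduled as often as the source system can export data, which is what moves monitoring from periodic to near real time.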
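The step on provisioning access rights without conflicting entitlements is a segregation-of-duties (SoD) check. The following is an added example, not code from the original post, from Capgemini, or from any particular GRC product's API: a conflict matrix lists pairs of entitlements that must not be held by one person, every user's current entitlements are scanned against it (a detective control), and a requested role grant is refused when it would introduce a new conflict (a preventive control). Entitlement names, roles and users are constructed.

```python
"""Segregation-of-duties check at access provisioning time (added example)."""

# Constructed conflict matrix: each frozenset is a pair of entitlements that a
# single user must not hold together (a "toxic combination").
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"payment.create", "payment.approve"}),
    frozenset({"journal.post", "journal.approve"}),
}

# Constructed role-to-entitlement mapping, as a GRC tool would import from the ERP.
ROLES = {
    "AP_CLERK": {"vendor.create", "payment.create"},
    "AP_MANAGER": {"payment.approve"},
    "GL_ACCOUNTANT": {"journal.post"},
    "GL_CONTROLLER": {"journal.approve"},
    "VIEWER": {"report.view"},
}

# Constructed current role assignments.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER", "VIEWER"},
    "carol": {"GL_ACCOUNTANT", "GL_CONTROLLER"},  # already holds a conflicting pair
}


def entitlements_for(roles, role_map=ROLES):
    """Expand a set of roles into the flat set of entitlements they grant."""
    ents = set()
    for role in roles:
        ents |= role_map.get(role, set())
    return ents


def find_conflicts(entitlements, matrix=SOD_CONFLICTS):
    """Return the conflicting pairs fully present in one user's entitlements."""
    return {pair for pair in matrix if pair <= entitlements}


def detective_report(user_roles=USER_ROLES):
    """Detective control: scan every user and report who currently violates SoD."""
    report = {}
    for user, roles in user_roles.items():
        conflicts = find_conflicts(entitlements_for(roles))
        if conflicts:
            report[user] = conflicts
    return report


def check_grant(user, new_role, user_roles=USER_ROLES):
    """Preventive control: would adding new_role give the user a conflict they do
    not already have? Returns (allowed, newly_introduced_conflicts). Pre-existing
    conflicts are left to the detective report so the grant decision stays simple."""
    current = user_roles.get(user, set())
    before = find_conflicts(entitlements_for(current))
    after = find_conflicts(entitlements_for(current | {new_role}))
    introduced = after - before
    return (not introduced, introduced)


if __name__ == "__main__":
    for user, conflicts in detective_report().items():
        print(f"{user} violates SoD: {[tuple(sorted(c)) for c in conflicts]}")
    allowed, new = check_grant("alice", "AP_MANAGER")
    print(f"grant AP_MANAGER to alice: {'allowed' if allowed else 'refused'} {sorted(map(sorted, new))}")
```

Evaluating conflicts on expanded entitlements rather than on role names matters because two differently named roles can grant the same underlying permission; a matrix written against role names would miss that case.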
As regulatory requirements exert increasing pressure on CxOs to maintain a strong control environment, the move from a periodic to a holistic audit approach is gaining momentum.
At Capgemini we apply these principles to help clients reduce the cost of compliance, minimize risk and produce meaningful dashboards that drive a more proactive enterprise risk management strategy.
What trends are you seeing in your organization? Do share your thoughts in the comments.