Today’s Chief Financial Officer (CFO), Chief Risk Officer (CRO) and Chief Audit Executive (CAE) are under ever-increasing pressure to maintain a strong control environment by setting a positive “tone at the top” and ensuring compliance with policies, processes and regulatory requirements. A business is expected not only to demonstrate consistent top-line growth and profitability but also to maintain a healthy control environment. In effect, some of the key challenges senior management tends to face include:
- Increased use of new technologies that may introduce new risks
- Globalization and the related multiplication of regulations, data and risks
- Increasing pressure for transparency and compliance
- Zero tolerance attitude towards ethical and regulatory non-compliance
- Reducing the cost of compliance
- Maintaining brand image and avoiding any damage to the reputation of the company
- Improving control environment
- Proactively identifying any financial leakage and building mechanisms to prevent financial loss.
Having understood these key challenges, it is imperative to have a strategy on risk management and a unified GRC framework. In the absence of a clear strategy and framework, organizations tend to perform ad hoc or patchwork efforts to meet compliance and regulatory requirements. We see many organizations deploying a team of internal and external professionals to conduct periodic internal audits, control self-assessments and concurrent audits to identify potential control failures. But does management get adequate assurance on key risks through such ad hoc mechanisms? Clearly not!
For executives facing these challenges, I believe the best place to start is with a strategy on risk management that addresses the key risks within a unified GRC framework, one that considers operational risks, financial risks, IT risks, fraud risks and compliance risks. Further, the framework should provide assurance to management on operations across geographies and on the related underlying systems and processes.
We see many organizations performing enterprise-wide assessments to identify potential risks and the mitigating controls that address them. Organizations generally rely on application controls as their key preventive controls, and on multiple detective controls, implemented through data analysis, to identify potential errors or fraud. This combination of preventive and detective controls gives management near real-time visibility into potential risks and into the areas where controls need to be strengthened. Despite this, there have been multiple accounting scandals and frauds. This clearly indicates the need for a uniform, integrated GRC solution that provides near real-time monitoring, thereby helping management reduce risk and improve the control environment.