Risk, Control & Audit
- Enterprise Risk Management (ERM)
- Project Assurance
- Programme Management Office (PMO)
- SAP Risk
- Operating Online
- Contract, Risk & Compliance (CRC)
- Internal Audit Effectiveness
- Co-source & Outsource
- IT Internal Audit
Successful companies use a risk management framework that focuses not only on risk avoidance but also on risk-taking as a means to value creation. An effective risk management framework helps tackle not only the readily apparent business risks, such as security and privacy, regulatory compliance, technology and fraud, but also the risks that threaten business strategy and future growth. In retail, operational risks are often considered to be dispersed and therefore rank lower by virtue of their multi-site, low value, high volume transactional structure. In addition, a number of potential financial risks are often considered to be adequately mitigated through robust and granular oversight of results. Consequently, retail organisations frequently focus on key strategic or project-related risks. Given the increasing pressure on cost, globalisation and their international nature, CPG organisations currently tend to focus on the risks associated with significant projects and change programmes, together with the raft of local and international legislation and regulation.
Why is it an issue?
- The rapid pace of change in today’s economic environment has accelerated the shift in consumer behaviours. In order to fully understand their strategic risks, organisations must be willing to challenge the fundamental assumptions that underlie the business strategy. Leaders need to understand the significance of the ‘unexpected’ and develop a portfolio of strategic options which allow the business to be resilient against threats and agile in seizing opportunities
- The complex and interconnected nature of operations within most consumer businesses can make it difficult to see how one set of events can affect another. Yet managing these connections is key to being prepared
- The updated provisions in the UK Corporate Governance Code state that ‘The Board should maintain sound risk management and internal control systems’. As Boards respond to new guidance they also need to recognise that globalisation and the increase in outsourcing have significantly changed the profile for risk management
- Effective risk management requires far more than an annual ‘tick the box’ exercise. Whilst the Board and senior management should set the tone, risk management processes, risk-related activities, culture and behaviours must be shared by the whole organisation
Through our pragmatic and workable approach to risk management, we can:
- Develop a framework to manage risk that is consistent with business risk appetite and culture
- Facilitate definition and implementation of risk appetite and metrics using our risk appetite methodology (e.g. risk KRIs, targets and tolerances)
- Support the identification of key risks including risk context, key risk themes and mitigations
- Assist you to clearly articulate your organisation’s risk-taking capacity, risk appetite and current risk profile
- Support the improvement of risk governance through monitoring risk metrics
- Consult on the selection and development of risk management tools and applications
For a project to succeed it must deliver on time, to budget and to the required level of quality. However, the successful achievement of these objectives is threatened by numerous risks.
Why is it an issue?
- As the world emerges from recession, many CB organisations are beginning to re-initiate change programmes that were delayed when the economic outlook became uncertain. This, combined with the revival of the merger and acquisition market, has meant that the success of many high-profile change and integration programmes is of fundamental importance to the business
- The business, IT and internal audit functions are now faced with the prospect of providing assurance over these change programmes. This is challenging in an environment in which risks are continually evolving with significantly more volatility than during business as usual. This is particularly challenging for CB organisations who have historically under-invested in capability in this area.
- With the focus on delivery, the early identification and management of these project risks is often overlooked, and risks and issues which could have been identified prior to critical decision points go on to have a negative impact on the project.
Whilst we cannot guarantee the success of a project, we do have a track record of reviewing complex business critical programmes and projects at CB organisations, and successfully identifying risks and issues prior to critical decision points. These can be addressed before the project progresses. We can:
- Define and implement focused reviews aligned to the programme/project lifecycle and the activities critical to success
- Focus quickly on the key risk areas, allowing us to dive deeper into the underlying causes of risk
- Identify issues in real-time, enabling the programme/project to respond before delivery is impacted or critical programme/project decisions are made
- Provide pragmatic recommendations for management to action
- Evaluate current programme/project activity against our own experience of good practice, relevant industry standards and your own requirements
- Work collaboratively with your Internal Audit function to report to the Audit Committee or assist in the design of a project assurance methodology
- Work within a project as an independent internal assurance function to provide guidance to the project management team or directly for the Board or on behalf of the project sponsor
Projects are unique offerings where very often you are breaking new ground, implementing new technologies or fundamentally changing the way you do business. Is your PMO up to the challenge of managing the project management control framework to ensure your projects stay on track? As the world emerges from recession, many CB organisations are beginning to re-initiate projects that were delayed when the economic outlook became uncertain.
Why is it an issue?
- More often than not you are trying to do all the above at once, whilst managing a variety of other projects and programmes with competing priorities and occasionally conflicting objectives
- To manage these challenges, the right approach is to implement a pragmatic project control framework, supported by an effective Project Management Office (PMO). The PMO is critical to maintain adherence to the established framework and to provide centralised governance and control
- We perform many project and programme health checks on behalf of our clients, and frequently find that although a PMO may be in place, the basic disciplines of good project management control are misunderstood or poorly implemented
We have a team of experienced, PRINCE2-accredited staff with a proven track record of assessing and implementing Project Management Office (PMO) controls across multiple industry sectors.
- We can work with you from the outset, assessing your current PMO capabilities, strengths and weaknesses. This helps us identify, at an early stage, any problems which could lead to later project failure. We can then provide you with pragmatic recommendations to implement
- We can help you set up your PMO with the right monitoring and control processes from the start. We will help you define project goals and objectives and determine the right delivery and governance models to put you on track for success.
- We can provide you with specialists to either manage your PMO or work alongside your team to support you with key disciplines; from planning and budgeting, to change control and stakeholder management. We can advise on risk management, from designing an effective risk and issues log to implementing quantitative ‘Monte Carlo’ risk modelling for complex programmes
- Reviewing previous projects and programmes can lead to insights on strengths and weaknesses in your organisation, which can impact on the success or failure of future projects. By undertaking post implementation reviews of the PMO practices deployed on your key projects and programmes, we can help you evaluate your critical success factors and ensure your PMOs have the right focus on your future projects.
Enterprise Resource Planning (ERP) projects represent some of the largest investments that CB organisations make, both in terms of cost and ongoing resource commitments. Successful SAP implementations can significantly reduce future ongoing costs through efficiencies and represent an opportunity to streamline and standardise processes globally.
Measuring return on investment is a complex process. Developing a sustainable mechanism to continually assess risk, compliance, system usage and drive improved performance is the key to increasing return on investment and user satisfaction.
Why is it an issue?
- Limited visibility of the risks associated with SAP for key business processes, and limited oversight relating to the compliance of SAP
- Due to the complexity of the system, the volume of transactions and the material nature of account balances, there is a high risk that material misstatement of the account balances could occur
- Management and internal and external auditors review and place reliance on the appropriateness of controls in SAP. If irregularities are found, reliance on the control environment for the integrity of financial accounts is reduced, which may result in additional costs to manually substantiate the business financial accounts and low confidence in the control environment.
Our solutions cover all components of SAP including:
- Process and control design – creating efficient processes and robust control frameworks and designing strong controls, by effectively utilising system configuration and reporting controls
- Security and role design – remediating and redesigning security and role design to minimise segregation of duties (SoD), sensitive access & privileged access issues
- Optimisation – monitoring deviation from the original business case and business needs, to ensure efficient use of SAP, allowing clients to maximise the functionality of their SAP landscape
- Business change and system embedding – performing risk assessments, creating business governance, designing processes and controls and business training to ensure embedding and realisation of SAP projects
- Implementation healthcheck – providing a complete picture of system upgrades and implementations throughout the project lifecycle by performing an independent, rigorous top-down and bottom-up view across the programme
- Use of third-party tools (i.e. GRC/ArcSight/ACL) – identifying and quantifying audit and compliance risks, and enabling clients to effectively monitor and react to business and SAP risks.
An online presence is now the expectation for consumer-led companies and has moved beyond corporate websites to include social media and mobile apps. With online purchases predicted to achieve 10.5% of total sales during 2011, organisations who can manage the risk and build trust with their customers will gain a bigger share of consumer spend.
Why is it an issue?
- Poor online security can be damaging both financially to the organisation and to a brand’s reputation
- Shoppers are more concerned than ever about their privacy
- Organisations operating online must comply with Payment Card Industry (PCI) regulation
- People are shopping online more than ever and using online as part of the overall shopping experience
- Organisations are collecting more and more information on their customers, but they must comply with the data privacy requirements
- With the shop front always open, resilience within a business becomes an issue
- Competitors will be connecting with their target market. An effective online presence is crucial, as is knowing where your target market are spending their time online
- Emerging technologies – choosing and managing technologies that are appropriate to your brand/organisation
- Integration – having your online presence integrate with your high street presence and your web applications integrate with your store applications
- Operating online often requires new and bespoke solutions to meet unique client challenges and needs. We have a strong team across a number of competencies which can be brought together to develop and deploy the required solution to achieve the right outcome
- Our competencies include security, controls and data. We can help CB clients manage their risk while operating online by building a strong understanding of their risk appetite, operating environment and business goals. The types of services include:
- Systems and website resilience
- Website security
- New product launch through online
- Managing the regulatory environment
- Data and web analytics
- Data privacy
Ensuring that business partners deliver on their obligations can maximise revenue, protect your brand, improve operational efficiency and reduce cost. Third party relationships are prevalent and important in the value chain, but have frequently escaped validation and verification. Often third parties such as suppliers, joint venture partners, distributors, licensees, agents, franchisees and outsourcers tend to self-report their performance. We are seeing organisations increasingly wanting to verify, as well as trust, their business partners.
Why is it an issue?
- Third parties bring risks to the organisation that impact on brand reputation, customer safety and experience, revenues and costs, as well as regulatory risks
- From capital projects to distribution contracts and licensee relationships, each third party has a specific set of risks that need to be managed and governed
- Assessing and managing contract and third party risks provides positive assurance and can generate incremental value
- Developing an internal governance framework and assessing existing process and controls is proven to yield cost savings in the long run.
Our CRC professionals have experience of hundreds of third party reviews across a range of partners and sectors:
- In respect of outsourcing, supply arrangements and joint ventures, we can establish whether third parties are compliant and delivering expected benefits. We can also help organisations understand if they are managing their own obligations effectively
- In the distribution channel, rebates, special pricing, discounts and other complexities can result in errors or value leakage. Routine monitoring of business partners can result in improved visibility and value for both parties
- In licensing and royalty bearing arrangements, certainty over the accuracy of reporting is crucial as brands are developed, markets explored and products are distributed. Across the spectrum of third party relationships we have the tools, experience and knowledge to deliver value
Heads of Internal Audit face a difficult time balancing the demands of their stakeholders, the job market and regulators when they define their assurance plans. Internal audit functions need to provide balanced and objective assurance over the organisation's key risks and responses to the issue-driven requirements of its key stakeholders. In CB organisations, where cost pressures remain, the need for effective, efficient, valuable and insightful internal audit activity is imperative.
Why is it an issue?
- Unprecedented levels of regulation and market expectation are driving Audit Committees to place increasing reliance on Internal Audit functions to deliver high quality assurance over current and emerging risks across financial, operational, IT, regulatory and strategic business processes
- Directors are becoming increasingly concerned about their own personal liability in relation to control failures and unforeseen risks impacting results. This is leading to increasing demands for reliable business intelligence that can give early warning of areas of potential risk so that they can be dealt with before they arise.
Deloitte has the skills and extensive experience to help CB organisations to carry out a robust and independent review of the Internal Audit function and assist in the implementation of improvement recommendations. Our reviews typically go beyond the IIA standards and also focus on how to improve the strategic positioning and effectiveness of the audit function. Our Internal Audit team can:
- Perform a robust and independent review of the Internal Audit function focusing on five key themes: purpose and remit, position and organisation, processes and technology, people and knowledge, performance and communication
- Interview key assurance stakeholders, review key documentation and benchmark results against our knowledge base of internal audit best practice, CB industry good and best practice standards and the IIA’s Global Auditing Information Network (GAIN) database
- Provide concise and useful feedback and work collaboratively with the Head of Internal Audit and the Audit Committee to develop realistic action plans to improve the strategic positioning and effectiveness of the Internal Audit function.
The role of Internal Audit is expanding, both in scope and the need to deliver tangible value to the business. The ability of Internal Audit to mobilise the right resources at the right time is critical to delivering a robust, risk focused and respected service which provides trusted assurance to both management and the Audit Committee. With many consumer business organisations operating across the country, continent and globe, balancing the geographical footprint, culture and language represent a constant challenge.
Why is it an issue?
- Expansion into new markets, new channels and new technology requires an Internal Audit team with different skills and experience
- In the current economic climate, many consumer businesses are looking for operational cost savings and efficiencies. Internal audit budgets are coming under increasing pressure at a time when a strong control environment is more important than ever
- Control failures are costly; not only in terms of the direct financial impact of penalties or lost revenue, but the cost to reputation and brand
- Regulatory developments have required, and will continue to require, directors to sign off on statements with regard to their internal controls. Directors, in turn, are increasingly looking to internal audit to provide support of the right depth and quality.
Deloitte’s partnership model offers scalable and flexible internal audit support to suit the needs of your business. Our team of Internal Audit professionals can provide an organisation with access to subject matter experts to satisfy specialist requirements, expand existing staff with individuals of the level and skill set required or provide a fully outsourced Internal Audit function. Advantages include:
- Access to resources when needed, so that auditor down-time is eliminated
- Access to a global network of audit resources with local knowledge and language skills wherever required
- Insight and ideas for improving the business, based on experience with other consumer product organisations
- No in-house training cost or time commitment to keep staff up-to-date with regulatory or technical developments
- Access to specialist business, risk, regulatory and technology professionals.
The business environment is growing more complex by the day, with rapidly changing technologies, increasing demand for IT services among business units, and the continual expansion of the “extended enterprise” translating into greater IT risks for most organisations, which require specific audit expertise in order to provide appropriate and valuable assurance.
Why is it an issue?
- Many new emerging technologies and ways of working are arising in the industry, which will require significant technology and business change projects to be undertaken. Internal Audit are often asked to perform independent assessments over such projects. The ability of IA functions to mobilise the appropriate specialist resource, to ensure the right risks are focused upon and a robust review is performed, is essential given the reliance Audit Committees and senior management place on such reviews
- The increasing regulatory focus on internal audit and their capabilities, including the use of data analytical techniques to both review entire populations of data and provide insights into an institution's data, provides a further challenge for Internal Audit functions in terms of the development of such capability. This is an area we see as becoming far more prevalent in the industry in the coming year.
- Deloitte is able to offer flexible resourcing options to clients ranging from complete outsourcing of IT IA to partial co-sourcing arrangements
- Deloitte is able to assess the end-to-end effectiveness of internal audit functions including IT
- Our specialist project risk professionals are experienced at reviewing significant change programmes and the common pitfalls to successful implementation
- Drawing upon our specialist business, risk, regulatory and technology professionals we are able to significantly enhance the capability of IA functions for specific one-off reviews.