Skip to main content

Realizing the Future of Controls - Three steps for financial services organizations to take right now

Over the past two years, the financial services industry has experienced an accelerated transition to digitalization of its businesses. This transition had been underway, but movement to remote work for employees and increased use of digitalized services by customers further accelerated the pace of change. While largely successful, this overall transition has highlighted overly complex, cumbersome, and costly control environments.

Financial Services executives recognize this is a problem: Deloitte’s 2021 global risk management survey of financial institutions found that 63 percent of respondents said that controls optimization, simplification, and coordination will be an extremely high or very high priority for them over the next two years.

Well before the pandemic, the industry had been adopting digital processes and mobile banking models. Throughout this adoption, as new technologies were integrated with legacy systems, new controls have often been implemented in ways that leave gaps or create redundancies, leaving many control environments in need of attention.

At the same time, the industry faces an increased focus on nonfinancial risks. These include security, cyber, reputational, regulatory, and environmental, social, and governance (ESG) risks. Financial services executives also see addressing these risks as a priority. In that same survey, 47 percent of respondents said it will be an extremely or very high priority for their institutions to improve their management of ESG risk over the next two years. (Only 33 percent of respondents considered their institutions to be extremely or very effective at managing ESG risks.) The right controls are essential to addressing ESG and other nonfinancial risks.

So, this is the time to consider whether your controls remain adequate to manage the organization’s risks and to take steps to address issues of cost, complexity, and coverage in the control environment.

Deloitte has conceptualized the Future of Controls to assist you in this endeavor.

Step into the future

The Future of Controls presents an approach to controls that will support the business going forward in today’s risk and regulatory environment. It also presents three steps to implement that approach: harmonizing controls, rationalizing controls, and automating controls.

The first two steps are not strictly sequential. As an organization proceeds, certain controls may have to be rationalized as they are harmonized or vice versa, a process that can continue into the automation phase. That said, thinking of these activities as steps enables us to examine them separately and to proceed in an orderly manner.

entails getting disparate components to work together. This addresses situations where controls have been added to pre-existing controls, when new reporting demands have emerged, or when controls reside in both new and legacy systems. Harmonization calls for identifying common requirements—and overlapping or redundant requirements—then defining a common set of controls capable of meeting those requirements.

starts with identifying the most effective and efficient controls needed to achieve compliance objectives. You can then streamline controls to reduce process, labor, and reporting burdens. Given that there will always be new compliance, governance, and reporting demands, rationalization amounts to a continuous risk-based program to assess controls for efficiency and effectiveness and integrate them into the control environment.

applies intelligent technologies such as robotic process automation (RPA) and artificial intelligence (AI) to controls, for example, to monitor processes, perform testing, and ascertain that processes remain “in-control.” Automation substitutes technology for manual labor while enabling real-time or near real-time reporting via dashboards. Although automation can dramatically reduce costs, not every control should be automated, nor should automation begin until the first two steps have been largely completed on a set of controls.

Together, harmonization and rationalization simplify controls. Once controls have been simplified, they can be automated. This is key, because if you automate controls before you simplify them you may automate inefficient or inadequate controls while forgoing enhanced visibility into processes and analytics that generate insights. Also, manual controls may be preferable when human judgment is applied to a limited number of transactions versus a high volume of digitally executed transactions.

Controls automation reduces costs in each line of defense. Initial savings accrue in the first line—in the business, which owns and manages the risks—because people can do their jobs and meet compliance demands more efficiently and effectively. Savings in second-line risk functions result from enhanced adherence to control standards and timelier monitoring. The third line’s auditing and assurance activities also become easier, simpler, and faster thanks to automation.

The Future of Controls enables people in each line of defense to move from time-consuming, repetitive, manual tasks, such as gathering, reviewing, and formatting data, to higher value, more analytical and innovative work. This helps the organization to make the best use of its talent while more effectively addressing compliance demands.

Digitalize responsibly

As transactions, relationships, and business models become more digitalized, financial services organizations need to address the risks inherent in automating processes and controls. As they address those risks in the context of the Future of Controls, organizations should pursue—and expect to see—the benefits of continuous controls monitoring, more automated assurance, and delivery of real-time insights to support risk-based decision making.

The conversation about the Future of Controls should be going on in every financial services organization. If that conversation is not happening, this is the time to make it happen. If it has been happening, it may be time to move from discussing issues in the control environment to addressing them.