Skip to main content

Future of Controls

A daring and positive vision

Economic trends and disruptions make addressing risks an ongoing focus for organisations. In other words, when it comes to controls, the risk landscape constitutes a moving target, which means that addressing risk is never a one-off exercise. “You could describe the risk landscape as a swinging pendulum,” says Joris Bulens, Partner at Deloitte Belgium. “As such, we require a more pragmatic approach to risk management. Implementing a bold and positive Future of Controls (FoC) vision to make controls more effective and efficient, which at the same time provides added value, and therefore offers a clear win-win scenario.”

In business, nothing is without risk. To keep organisations risk-aware requires constant vigilance, while at the same time allowing them the space to pursue value creation. However, existing control frameworks are not always equipped to respond to the fluid landscape in which they are meant to operate. They are often rigid, reactive, and inefficient. While constant readiness may not necessarily be the answer, remaining inactive is certainly not a viable alternative either... “Deloitte has developed a strategic vision and pathway for Future of Controls (FoC), providing the opportunity to rethink what controls can and should be, both today and tomorrow.”

What is Future of Controls?
 

We live in a time of unprecedented uncertainty, driven by the confluence of new technologies, increased market and price volatility, ever-tightening regulation, as well as mergers and acquisitions. Consequently, organisations need to work on developing more agile and efficient internal controls.

Organisations want to design and implement controls that help them carry out their mission, creating added value for both the organisation, its employees, and wider society. This future of controls involves three key levers.

The optimisation and rationalisation of internal control environments is often based on assumptions, influenced by a few key figures defining the process. Controls represent the ideal process flow, without having a real view of the exceptions and process deviations, which is precisely where the biggest risks lie. “Through better access to data, organisations should develop a data-based view free from intuition, biases or assumptions.”

Example: The use of process mining can reveal both potential control deficiencies, and potential areas for efficiency gains and automation. Whereas typical process and control deficiencies tend to focus on observations around function segregation conflicts, missing authorisations, or differences in the ‘three-way-match’, smart controls can also identify potential efficiency gains such as, for example, insights into invoices being paid too early or too late, the number of manual interventions needed in a process that is considered automatic, the number of order documents reworked, the average processing and turnaround time of a transaction, etc.

This new perspective can provide insights based on the entire population of end-to-end transactions, related exceptions, changes and work arounds. “This would not only help identify risks but also prioritise them based on current transactions. Moreover, with the help of AI and other analytical tools, this could inform us about future risks.” A robust monitoring system based on this framework could also provide meaningful performance insights to help inform the decision-making process, thereby supporting organisational growth, as well as helping respond to the speed of change.

Companies often do not realise how valuable controls can be for them. The internal control environment should mitigate risks, but also improve business performance. Integrating risks and opportunities into processes should help companies understand and assess their willingness to take risks and design controls in line with this approach.

Deciding which process elements are critical, but also where companies can accept taking risks, can help in developing an optimal framework.

A technological ecosystem
 

Companies need to deploy different technologies with complementary features and characteristics to achieve their goals. They can unite the best ideas from across the organisation to develop tailored digital assets, creating a harmonised ecosystem that enables insightful risk management, while also providing quality insights into the effectiveness of internal controls.

Every technology can have multiple use cases, each showing new ways organisations can increase productivity, improve accuracy, reduce non-compliance and gain better insights into financial, regulatory and operational risks—or identify focal points.

The technological ecosystem should provide for the integration and optimal use of these various technologies. It must ensure that any knowledge and information gathered from the various tools is centrally available and usable within the organisation of the various business and control functions, such as a governance, risk and compliance (GRC) platform.

Example: For a public institution, the grants process was overhauled through building a model based on AI-driven automation, combined with human controls at critical points. The objectives were to speed up the entire process, reduce the error rate, and improve the quality of reporting. The model took into account both structured and unstructured data, calculating a risk score using an advanced and evolving risk model for each individual grant application. Manual assessments were still needed to analyse high-risk requests.

The complex, uncertain and changing risk and business environment requires a reappraisal of the control operating model. Organisations need to reimagine the key principles of the operating model, as well as which factors will help change mindsets and enable businesses to embrace, apply, and embed these controls into the DNA of their organisation.

Having a shared ambition and access to uniform data throughout the organisation, as well as the three lines of defence, contributes to the effective embedding of controls. This helps break taboos and unite business functions to harness insights and unlock value. The first line of defence must demonstrate a clear understanding, as well as accountability, for the managed risks and controls. It is often observed that second-line functions absorb tasks and/or controls that should typically be performed by the first. Establishing a clear allocation of roles and responsibilities using an RACI matrix can help organisations attain the next level of maturity within the control environment.”

Technology is accelerating both traditional and innovative digital platforms in building, operating, and managing day-to-day operations. Organisations should leverage this digital transformation and maximise automation of control operations and management. Automation can relieve some of the pressure on internal control functions by reducing costs, increasing efficiency, and managing risks and opportunities more effectively. This also builds trust, insights and performance.

—three key elements of any successful Future of Controls journey. From our experience, it is generally possible, through digitising and automating internal controls, to save 30% on the overall ‘cost of control’.

To make the most of the opportunities in technological developments, a fundamental shift is needed in the way technology is used to support control environments, taking into account the operation and monitoring of said controls. Organisations need to set priorities based on their vision, ambitions, and challenges. These, in turn, will help determine which technological solutions would be most beneficial.