Skip to main content

Realising the Future of Controls - Three steps for financial services organisations to take right now

Over the past two years, the financial services industry has experienced an accelerated transition to digitalisation of its businesses. This transition had been underway, but movement to remote work for employees and increased use of digitalised services by customers further accelerated the pace of change. While largely successful, this overall transition has highlighted overly complex, cumbersome and costly control environments.

Financial Services executives recognise this is a problem: Deloitte’s 2021 global risk management survey of financial institutions found that 63 per cent of respondents said that controls optimisation, simplification and co-ordination will be an extremely high or very high priority for them over the next two years.

Well before the pandemic, the industry had been adopting digital processes and mobile banking models. Throughout this adoption, as new technologies were integrated with legacy systems, new controls have often been implemented in ways that leave gaps or create redundancies, leaving many control environments in need of attention.

At the same time, the industry faces an increased focus on nonfinancial risks. These include security, cyber, reputational, regulatory, and environmental, social and governance (ESG) risks. Financial services executives also see addressing these risks as a priority. In that same survey, 47 per cent of respondents said it will be an extremely or very high priority for their institutions to improve their management of ESG risk over the next two years. (Only 33 per cent of respondents considered their institutions to be extremely or very effective at managing ESG risks.) The right controls are essential to addressing ESG and other nonfinancial risks.

So, this is the time to consider whether your controls remain adequate to manage the organisation’s risks and to take steps to address issues of cost, complexity and coverage in the control environment.

Deloitte has conceptualised the Future of Controls to assist you in this endeavor.

Step into the future

The Future of Controls presents an approach to controls that will support the business going forward in today’s risk and regulatory environment. It also presents three steps to implement that approach: harmonising controls, rationalising controls and automating controls.

The first two steps are not strictly sequential. As an organisation proceeds, certain controls may have to be rationalised as they are harmonised or vice versa, a process that can continue into the automation phase. That said, thinking of these activities as steps enables us to examine them separately and to proceed in an orderly manner.

entails getting disparate components to work together. This addresses situations where controls have been added to pre-existing controls, when new reporting demands have emerged, or when controls reside in both new and legacy systems. Harmonisation calls for identifying common requirements—and overlapping or redundant requirements—then defining a common set of controls capable of meeting those requirements.

starts with identifying the most effective and efficient controls needed to achieve compliance objectives. You can then streamline controls to reduce process, labour and reporting burdens. Given that there will always be new compliance, governance, and reporting demands, rationalisation amounts to a continuous risk-based programme to assess controls for efficiency and effectiveness and integrate them into the control environment.

applies intelligent technologies such as robotic process automation (RPA) and artificial intelligence (AI) to controls, for example, to monitor processes, perform testing and ascertain that processes remain “in-control.” Automation substitutes technology for manual labour while enabling real-time or near real-time reporting via dashboards. Although automation can dramatically reduce costs, not every control should be automated, nor should automation begin until the first two steps have been largely completed on a set of controls.

Together, harmonisation and rationalisation simplify controls. Once controls have been simplified, they can be automated. This is key, because if you automate controls before you simplify them you may automate inefficient or inadequate controls while forgoing enhanced visibility into processes and analytics that generate insights. Also, manual controls may be preferable when human judgment is applied to a limited number of transactions versus a high volume of digitally executed transactions.

Controls automation reduces costs in each line of defence. Initial savings accrue in the first line—in the business, which owns and manages the risks—because people can do their jobs and meet compliance demands more efficiently and effectively. Savings in second-line risk functions result from enhanced adherence to control standards and timelier monitoring. The third line’s auditing and assurance activities also become easier, simpler and faster thanks to automation.

The Future of Controls enables people in each line of defence to move from time-consuming, repetitive, manual tasks, such as gathering, reviewing and formatting data, to higher value, more analytical and innovative work. This helps the organisation to make the best use of its talent while more effectively addressing compliance demands.

Digitalise responsibly

As transactions, relationships and business models become more digitalised, financial services organisations need to address the risks inherent in automating processes and controls. As they address those risks in the context of the Future of Controls, organisations should pursue—and expect to see—the benefits of continuous controls monitoring, more automated assurance and delivery of real-time insights to support risk-based decision making.

The conversation about the Future of Controls should be going on in every financial services organisation. If that conversation is not happening, this is the time to make it happen. If it has been happening, it may be time to move from discussing issues in the control environment to addressing them.