Over the past two years, the financial services industry has experienced an accelerated transition to digitalization of its businesses. This transition had been underway, but movement to remote work for employees and increased use of digitalized services by customers further accelerated the pace of change. While largely successful, this overall transition has highlighted overly complex, cumbersome, and costly control environments.
Financial Services executives recognize this is a problem: Deloitte’s 2021 global risk management survey of financial institutions found that 63 percent of respondents said that controls optimization, simplification, and coordination will be an extremely high or very high priority for them over the next two years.
Well before the pandemic, the industry had been adopting digital processes and mobile banking models. Throughout this adoption, as new technologies were integrated with legacy systems, new controls have often been implemented in ways that leave gaps or create redundancies, leaving many control environments in need of attention.
At the same time, the industry faces an increased focus on nonfinancial risks. These include security, cyber, reputational, regulatory, and environmental, social, and governance (ESG) risks. Financial services executives also see addressing these risks as a priority. In that same survey, 47 percent of respondents said it will be an extremely or very high priority for their institutions to improve their management of ESG risk over the next two years. (Only 33 percent of respondents considered their institutions to be extremely or very effective at managing ESG risks.) The right controls are essential to addressing ESG and other nonfinancial risks.
So, this is the time to consider whether your controls remain adequate to manage the organization’s risks and to take steps to address issues of cost, complexity, and coverage in the control environment.
Deloitte has conceptualized the Future of Controls to assist you in this endeavor.
The Future of Controls presents an approach to controls that will support the business going forward in today’s risk and regulatory environment. It also presents three steps to implement that approach: harmonizing controls, rationalizing controls, and automating controls.
The first two steps are not strictly sequential. As an organization proceeds, certain controls may have to be rationalized as they are harmonized or vice versa, a process that can continue into the automation phase. That said, thinking of these activities as steps enables us to examine them separately and to proceed in an orderly manner.
Together, harmonization and rationalization simplify controls. Once controls have been simplified, they can be automated. This is key, because if you automate controls before you simplify them you may automate inefficient or inadequate controls while forgoing enhanced visibility into processes and analytics that generate insights. Also, manual controls may be preferable when human judgment is applied to a limited number of transactions versus a high volume of digitally executed transactions.
Controls automation reduces costs in each line of defense. Initial savings accrue in the first line—in the business, which owns and manages the risks—because people can do their jobs and meet compliance demands more efficiently and effectively. Savings in second-line risk functions result from enhanced adherence to control standards and timelier monitoring. The third line’s auditing and assurance activities also become easier, simpler, and faster thanks to automation.
The Future of Controls enables people in each line of defense to move from time-consuming, repetitive, manual tasks, such as gathering, reviewing, and formatting data, to higher value, more analytical and innovative work. This helps the organization to make the best use of its talent while more effectively addressing compliance demands.
As transactions, relationships, and business models become more digitalized, financial services organizations need to address the risks inherent in automating processes and controls. As they address those risks in the context of the Future of Controls, organizations should pursue—and expect to see—the benefits of continuous controls monitoring, more automated assurance, and delivery of real-time insights to support risk-based decision making.
The conversation about the Future of Controls should be going on in every financial services organization. If that conversation is not happening, this is the time to make it happen. If it has been happening, it may be time to move from discussing issues in the control environment to addressing them.