Most risk and compliance leaders recognize the challenge: the risk landscape is in a constant state of flux, making it a moving target for controls efforts. Consequently, addressing risk is never a “one-and-done” job. It requires constant vigilance to keep organizations safe as they strive to drive value.
However, many existing controls environments may not be equipped to respond to the agile landscape they operate in, meaning their responses often are too rigid, reactive, and inefficient. Though absolute preparedness is not possible to attain or maintain, inaction is not a viable alternative. One way to address the challenge is to rethink what controls can and should be, both for today and tomorrow, and develop a future of controls (FoC) strategy informed by relevant trends that provide insight into a rapidly changing business environment.
Understanding how trends might affect an FoC strategy is an important first step to developing leading practices and a supportive framework that includes expected outcomes. Following are five trends that risk and compliance leaders can consider as they help to reshape internal controls to address marketplace uncertainty and capture rewards such as efficiency, insights, and the ability to take advantage of opportunities that are just around the corner.
Data as an asset. As organizations increase their technological maturity and gather more data, the added volume may expose insufficient controls and potentially lead to unreliable outputs. Shifting to a “data as an asset” mindset can help enhance data integrity and quality, and generate more comprehensive, value-adding outputs to inform business decisions.
The benefits of quality data are significant. Such data can help predict risks before issues occur and implement improved controls to reduce the cost and likelihood of potential non-compliance. Meanwhile, big data efforts focused on velocity, variety, and volume can enable companies to monitor controls in real-time. Conversely, companies that miss the opportunity to improve their data management could risk falling behind their competitors.
Digital transformation. Companies are rapidly adopting emerging technologies to enhance customer experience and capture market share, but the same pace of adoption has eluded many controls programs. While significant investment in internal controls continues, ROI doesn’t seem to be increasing. That might be because investment in technology is supporting the highly manual nature of many programs that depend on legacy, rather than advanced, systems.
Going forward, companies can consider using technology to be more efficient and effective with respect to risk management, operations, and controls. At the outset of the transformation process, teams can implement digital assets, such as insight-laden, data-driven, analytic-based controls that go beyond singular-purpose controls, broadening their application across the three lines—the business, the risk management function, and internal audit. In the future, the controls environment will likely move from hindsight to foresight as controls supported by automation, AI-enhanced technology, or both improve monitoring and focus efforts in non-compliance areas, including workforce transformation.
Risk-based regulations. Regulators are migrating to a risk-based approach as they issue new and update existing rules. The shift provides organizations with an opportunity to lower the cost of compliance if they can demonstrate a comprehensive risk assessment and prioritization approach supported by a strong compliance controls environment.
Quality data can support real-time regulatory monitoring, and improved technology can help predict potential indicators of non-compliance. Consistency in compliance also may reduce related costs for mature organizations that have in the past responded primarily to one-off instances of non-compliance.
Responsible business. Sustainability often is viewed as a competitive advantage to help companies stand out from the crowd. But for a truly responsible business, sustainability has become a stakeholder expectation, and companies that ignore this imperative could face internal and external challenges.
Organizations soon may be required to report on environmental, social, and governance (ESG) factors, and will likely be governed by related regulation and disclosure requirements. To thrive against this backdrop, leaders should consider refocusing priorities away from traditional financial risks to a new environment where controls substantiate a company’s commitment to sustainability and social programs.
The era of the consumer. Historically, customers have chosen what is most accessible to them, and accepted limited choices and input from suppliers and manufacturers about their needs. Going forward, consumers likely will increasingly expect organizations to anticipate their needs to create new levels of convenience through technology. As consumer choice increases, companies can expect customers to shop elsewhere if their needs are not met.
Controls can be viewed as a differentiator to improve the consumer experience by meeting expectations for higher standards and quality, and a focus on social consciousness. Ultimately, consumers are reshaping how organizations behave and run their businesses.
The role that the risk and controls community played during the pandemic should renew any waning confidence that a strong internal controls environment can help organizations become more agile and resilient, and support accelerated digital transformation. To build on these positive outcomes and meet the myriad challenges ahead, leaders would do well to consider developing an FoC approach that clearly aligns to the wider business strategy.
For example, the strategy could link to an organization’s underlying business purpose and goals and, if executed judiciously, can assist in embedding a comprehensive controls environment that thrives in a volatile and complex business environment. This new breed of insight-laden controls can help mitigate downside risk, accelerate how potential risks are addressed in real time, and—when paired with AI—generate future-focused business and operational insights.
Consider a traditional account reconciliation control. At the end of each month or quarter, the control likely checks several items, such as whether the reconciliation included the correct accounts; whether it was completed in accordance with established thresholds and in a timely manner; whether it was performed and reviewed by authorized individuals; whether the general ledger’s ending balance agreed with the supporting documents; and whether all reconciling items and required adjustments were identified, tracked, and resolved within the proper timeline.
However, an FoC reconciliation control, through evaluation of 100% of the transactions, provides greater transparency over the effectiveness of the controls and richer trends and insights not available through traditional, manual approaches. In addition to identifying reconciliation issues related to timeliness, unauthorized personnel, and adjustments not tracked and resolved, FoC provides insights into the control function’s performance.
For instance, data-driven analytics might reveal: incorrect linking of associated accounts that could lead to inappropriate auto certifications; how the workload is distributed among the team; whether reconciliation volume among various preparers can lead to repeated missteps; which individuals are more likely to rubber-stamp approvals; and inconsistent and inefficient use of reconciliation tools—such as inappropriate templates and a failure to share leading practices.
What’s more, an FoC strategy incorporates AI and machine learning (ML) models to shift from a reactive, look-back control to a control that is proactive and predictive. Indeed, according to Deloitte experience, some AI/ML models are close to 99% accurate in predicting which account reconciliations would result in required adjustments or late completions.
There are several FoC strategy goals leaders can consider as they work to transform their organization’s controls function, including:
―Build a risk-based controls framework that is driven by data.
―Maximize the use of technology in operating and monitoring controls.
―Embed the controls framework in the first-line day-to-day business.
―Establish an integrated smart reporting framework.
―Introduce a positive controls culture to guide the business to achieve its goals.
Driving such goals as part of an internal controls transformation also may require leaders to tug on certain “levers” to enhance planning, such as reconstructing an internal controls framework, designing a next-generation controls operating model, and establishing a controls technology ecosystem. Such planning enables senior executives to review and reflect on leading-practice examples and industry trends as they reimagine their FoC strategy.
For more information, contact Adam Berman, Stuart Rubin or one of our contacts below.
Adam Berman | Partner Deloitte, Risk & Financial Advisory
E: aberman@deloitte.com
Stuart Rubin | Managing Director, Deloitte & Touche LLP
E: stuartrubin@deloitte.com