If you receive errors when attempting to view this white paper, please install the latest version of
"SAP Americas is a subsidiary of SAP AG, the world's largest business software company and the third-largest software supplier overall.
SAP Americas' corporate headquarters is located in Newtown Square, PA, a suburb of Philadelphia."
Source : SAP
Managing Risk through Financial Processes: Embedding Governance, Risk, and Compliance
Financial Processes is also known as :
Looking for Financial Processes,
Speeds Financial Process,
Financial Process Automation,
Financial Processes Increases,
Improving Your Financial Processes,
Audit of Key Financial Processes,
Explore Financial Practices and Processes,
Managing Financial Processes,
Financial Management Solutions,
Benchmarking Improving Major Financial Processes,
Consolidated and Efficient Finance Processes,
Webcast Financial Process Automation,
Optimising Your Financial Processes,
Future of Financial Processes,
Pay and Financial Management Solutions,
Connection Financial Processes,
Ease Financial Processes,
Discover Easy-to-Use Solutions,
Financial Processes to Extend,
Efficient Finance Processes,
Financial Processes Applications,
Standardizes and Integrates Financial Processes,
Organize Your Financial Processes,
Finance Department Processes,
Major Financial Processes,
Financial Processes Deliver Transparency,
Accelerates Financial Processes,
Integrate Administrative and Financial Processes,
Better Manage Financial Processes,
Continuous Process Improvement,
Process Improvement Qualifications,
End-to-end Processes for Financial.
- About the survey
- What the executives are saying
- Impact on decision-making
- What to keep in mind
Managing risk through financial processes is an Economist Intelligence Unit report sponsored by SAP.
The Economist Intelligence Unit bears sole responsibility for this report. The Economist Intelligence
Unit?s editorial team conducted the interviews and wrote the report. The findings and views expressed
in this report do not necessarily reflect the views of the sponsor. Jan Fedorowicz was the author of
the report and Dan Armstrong was the editor. Our thanks are due to all of the survey respondents and
interviewees for their time and insights.
Most companies have tried at some point to automate and streamline financial processes.
But these initiatives often focus more on reducing costs than on adding value. This may be
a mistake. The most valuable processes do not simply stream money and data between different
functions, departments and business entities; they also feed reports, tests and controls that help
managers become more proactive. Are sensitive transaction processes properly segregated and
monitored? How flawless is the revenue recognition process? Will business decisions still make sense
after a spike in oil prices, a bank failure or a drop in demand? The best processes flag these and other
risks, helping managers to make informed decisions and ensuring compliance both with the law and
with corporate policy.
Adding this kind of value to financial processes stands at the heart of a broader initiative known as
governance, risk and compliance (GRC). Governance is the collection of board and C-suite approved
policies that guide the company; GRC refers to the way those policies are put into operation as a set of
rules, processes and controls. When the components of GRC are embedded within financial processes,
they not only track financial flows but also alert management when things are in danger of going awry.
In this way, GRC can help companies modify their processes over time in order to adapt continuously
to emerging risks. Companies that fail to use their financial systems in this way may be missing an
opportunity to manage risks more efficiently while improving the quality of decisions.
To find out how senior executives view their financial processes, the Economist Intelligence Unit
surveyed a global sample of mostly financial executives in September 2008. Some respondents focused on
the importance of developing processes that reduced costs and improved efficiency. Others acknowledged
the importance of cost and efficiency, but also recognised that automated financial processes could be
used to control risk, improve decision-making and enhance control.
About the survey
In September 2008, on behalf of SAP, the Economist Intelligence
Unit surveyed 446 senior executives from nine industries about
their views on their financial processes and their attempts to
improve them. Survey respondents came from the finance, risk,
general management, strategy/business development and
information technology (IT) functions. They answered the survey
from locations around the world, with one-third from Western
Europe, 20% from North America, 27% from Asia-Pacific and the
rest from Eastern Europe, the Middle East, Latin America and
Africa. Seventy percent of the companies had annual revenue over
US$500m, and 28% had revenue over US$10bn. Over one-third were
at the board level or chief officer level, and another 15% were at the
senior vice president level. The industries covered were chemicals,
consumer goods, energy, financial services, the public sector, life
sciences, IT and retailing.
What executives are saying
In 1998 CFO magazine published an article on how Case Corporation, a US-based manufacturer,
was working to automate, simplify and harmonise its financial processes. A decade later, financial
executives are still at it. When asked about issues with financial processes, survey respondents cited
manual processes, inconsistent methodologies and complex procedures as the major problems (see
Figure 1). Incompatible legacy systems, awkward handoffs of data, the lack of institutional knowledge,
poor visibility and accountability, the need to spend time reconciling inconsistent and redundant data all
continue to plague many chief financial officers (CFOs).
One thing has changed, however: the prevalence of risk and the consequences of failing to control
it. Now, as in 1998, CFOs often defer decisions to re-engineer financial processes because of the upfront
cost. But costs need to be balanced against risks, and the risks arising from out-of-date, incomplete,
inaccurate or easy-to-manipulate data have increased. For instance:
- The economic downturn is expected to increase the motivation for individuals to commit fraud, distract
the CFOs and regulators charged with guarding against it, and reduce the resources needed to fight it.
- Not only has credit become difficult to obtain, but lenders now focus on the ability of potential borrowers
to anticipate risk events and mitigate their impact. To evaluate borrowers, lenders are scrutinising financial
controls and visibility into business processes. And starting in the third quarter of 2008, a rating agency,
Standard & Poor?s, began to roll out a programme requiring companies to provide evidence of a ?formal and
effective risk management program? in order to receive a positive rating on their debt.
- Globalisation and higher levels of mergers and acquisitions (M&A) activity have prompted many
companies to become more complex and fragmented across functions, business lines and geography. This
complexity increases the odds of inaccurate or out-of-date information.
- Regulations that did not exist a decade ago require companies to ensure the integrity of data,
processes and controls. This is a global trend, from Sarbanes-Oxley Section 404?which mandates internal
financial controls and procedures for publicly-traded US companies?to Japan?s so-called JSOX, Canada?s
Bill 198 and changes in EU Directives 4, 7 and 8.
- Restatements of financials among US companies?mostly owing to poor documentation, lack of
transparency and weak internal controls?have become more prevalent, rising from 116 in 1997 to 1,270
in 2007, according to a proxy research firm, Glass Lewis & Co.
- The number of fraud schemes identified in US Securities and Exchange Commission Accounting and
Auditing Enforcement Releases doubled between 2000 and 2007. Moreover, the companies cited experienced
stock price drops, restatements, delistings, litigation and bankruptcies at a rate far higher than the norm.
- ! A decade of investments in emerging markets has exposed companies to more potential for corruption.
In Ernst & Young?s 2008 global fraud survey, the Middle East, India, Africa and the Far East indicated
substantially higher levels of corruption (although the highest level was reported in Japan).
Just over one-half of the executives who responded to the survey did acknowledge that automating
financial processes would reduce risk, and almost three-quarters said that automation would lead to
fewer bad decisions. But many survey respondents did not link automated processes to reductions in the
specific risks of fraud, restatements and errors. And relatively few recognised that automation could also
be harnessed to improve monitoring, compliance and controls.
As Figure 2 demonstrates, many executives remain more focused on cost than risk. If respondents
had any hesitation about moving forward with automation, it was because they feared that the costs of
the change would be prohibitive. They also feared the challenges of modelling complex or idiosyncratic
processes across diverse business lines, all of which might make it difficult to secure support from senior
executives and business line heads. Ironically, the very complexity of existing processes becomes an
argument against committing resources to simplification.
Only one-quarter of the executives cited ?reducing costs? as a reason for standardising and automating
financial processes. But savings do accrue from eliminating manual processes, unifying multiple systems
and embedding controls into financial processes. This lower overhead can be quantified and compared
to implementation costs to develop a return on investment. Other advantages of automation?better
business decisions and risk management, more robust processes and fewer instances of noncompliance
?are harder to quantify.
Impact on decision-making
Survey respondents certainly pointed to reductions in headcount, speedier execution and fewer errors
as a result of financial process initiatives. But, perhaps more importantly, the initiatives also reduced
the number of poor decisions. Prioritising controls by the level of risk had an especially significant
impact on decisions. So did automation. Even the segregation of duties led to significant improvements
in decision-making. Executives clearly saw both bottom-line and less tangible benefits to improving
Furthermore, the executives surveyed are starting to embed risk assessments into financial processes.
About seven in ten said that they had added risk evaluations to their processes. And 73% reported that
when risk evaluations were included, the quality of decision-making improved. Six out of ten reported
that process efficiency improved, and 72% said that the prioritisation of controls was enhanced when risk
A holistic approach
One way of reading the survey results is that a growing number of executives are going beyond the narrow
goal of simply automating processes. They are beginning to see that these initiatives can yield additional
benefits in areas of risk and compliance.
For instance, Anglo-Dutch consumer goods multi-national Unilever has adopted a holistic approach
to the upgrading of its financial processes. According to Khalid Noor, who improved financial processes
as CFO of Unilever (Pakistan), the company used the redesign to improve governance and manage risk. It
also enhanced speed, transparency and efficiency, as well as increasing the depth of analytics available to
managers as part of a strategic focus on customer service.
In Unilever?s case, risk management was focused on issues such as currency exposure, brand health,
customer service levels, cash management, inventory management and stock obsolescence, as well as the
collection of receivables. Unilever viewed the enhancement of its financial processes as part of a larger
initiative to put new tools into the hands of managers, which pushed GRC responsibilities into the ranks
and gave managers the ability to act on risk and compliance issues.
A holistic approach to GRC can also be used to support initiatives mandated by the board of directors.
For example, the board may decide to promote women entrepreneurs by favouring them in procurement,
or to position the company as a ?green? organisation. These decisions may have the side effect of
increasing exposure to smaller or newer suppliers with higher credit risk. To fulfil the board?s mandate
while controlling risks, a company might track and report credit criteria on suppliers and alert finance
staff once a certain number of suppliers fail to meet the criteria. Then it would be up to the staff whether
to take action or to make an exception, which would have to be approved by a more senior executive.
What to keep in mind
The order of words in the acronym GRC is no accident. Governance comes first because the first step
in defining a GRC approach is determining the organisation?s strategic direction and constraints,
including its risk appetite. Next comes risk assessment, which involves identifying areas of exposure,
quantifying their potential impacts and prioritising them by importance. The final and most tactical piece
is compliance?not just the traditional definition of obeying regulatory mandates, but also the mechanics
of ensuring that day-to-day actions address the company?s risk priorities. Steps often taken when
implementing risk and compliance systems include:
Identify the full range of risks. The dangers of credit risk have been seared into the consciousness of
every business executive. But most risks are more mundane: excessive inventory, high levels of returns,
or over-reliance on a handful of customers or suppliers, for instance. Although many of these risks do not
fall under the purview of the finance department, their measurement and reporting usually do.
Establish a risk management culture. The most efficient way to mitigate risks is often to take advantage
of existing processes. By identifying risks, setting up escalation thresholds, and building in alerts and
procedures to be triggered when thresholds are breached, companies can become more systematic and
proactive in managing risks.
Align controls with risks and embed into processes. When risks are prioritised, controls
should follow. Excessive alerts resulting from unnecessary controls or low risk thresholds can be
counterproductive. According to Luca Pighi, CFO of GE Capital Finance (Italy), too many red flags can
introduce confusion, not clarity. Similarly, fragmented, redundant and manual GRC processes often
result in too much data, leading to delays in recognising and acting on risks. Mr Pighi points out
the need to align risks and controls properly at the outset and then refine them continuously as the
Devise procedures for manual interventions. No matter how much automation is introduced, there is
always the need for manual intervention, with its attendant risk of mistakes or fraud. According to Mr
Pighi, GE Capital Finance solved the problem by introducing a structured system of authorisation in which
line staff could only make manual journal entries with the approval of senior managers. No system can
be completely automated; all require the ability to accept exceptions via carefully designed and tracked
Consolidate and track controls to ease the auditing process. Having auditors evaluate the effectiveness
of thousands of controls across multiple business units can be a time-consuming and expensive process.
By identifying and tracking the risks of control violations and consolidating this information in a single
place, companies can help auditors prioritise and streamline their recommendations for corrective action.
The result can be lower costs and faster audits.
A decade ago, most companies needed to be persuaded of the benefits of financial process automation,
which was seen largely as a way to reduce headcount and cut costs. Now automation is more widely
accepted, and there is an understanding that automation helps with better decision-making, but the
implication of automation for risk and compliance are still not fully understood.
In a holistic implementation of GRC, governance, risk and compliance are consistently defined, closely
linked, and manifested in end-to-end processes and controls. Well-designed GRC processes are robust
and repeatable. They efficiently integrate financial reporting, compliance and risk monitoring into
daily operations. Moreover, automated processes tend to be easier than manual processes to modify,
which helps organisations to adapt quickly to changes in business conditions, regulations or corporate
policy?many of which carry risks that are not immediately obvious. Companies can be more proactive in
addressing potential risks and more quickly mitigate existing risks, leading to less volatility and greater
sustainability in financial results.
No system eliminates the need for judgment. Senior executives still need to articulate policy;
managers still need to set the parameters that will drive risk management and compliance. Even a highperformance
automobile still needs a good driver. And as Warren Buffett once observed, the rear-view
mirror is always clearer than the windshield. Integrating GRC into financial processes can help to keep
that windshield clean and allows the company to drive into the future with confidence.
Whilst every effort has been taken to verify the
accuracy of this information, neither The Economist
Intelligence Unit Ltd. nor the sponsor of this report can
accept any responsibility or liability for reliance by any
person on this white paper or any of the information,
opinions or conclusions set out in the white paper.