Five actionable steps to boost your finance department’s risk management strategy
March 2017 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
Risk is inevitable in all business decisions and operations, but can only be managed properly when the right strategies are put in place. Finance departments are particularly exposed to risk for any number of reasons, including but not limited to regulatory changes, security breaches and fraud.
Many companies are using large ERP systems, such as SAP, for governance, risk and compliance (GRC) to better manage risk and comply with highly complex financial, compliance and regulatory audits. However, with rapidly evolving audit requirements, merely implementing GRC solutions is not enough. Instead, organisations need to put a comprehensive risk management strategy in place that will protect them from future risk.
There are five critical elements that a successful risk management strategy should incorporate: (i) defined roles and responsibilities; (ii) established policies and procedures; (iii) transparency in reporting; (iv) optimised technology; and (v) documented retention policies.
Defined roles and responsibilities
While organisations generally understand and control financial risks, there are risks in other areas of the business that are sometimes overlooked. To mitigate these broader risks, organisations must ensure that the correct roles and responsibilities are in place. It is also important to ensure that all transactions adhere to organisational standards for approval hierarchies and separation of duties through well-defined roles and responsibilities. At a minimum, organisations should consult members of the finance, legal and IT departments to determine specific regulations and requirements. In the event of an audit, having established specific risk management roles and responsibilities will ensure that the required controls are not only put in place, but monitored over time.
Established policies and procedures
Articulate and accurate policies and procedures aid in reducing risk within finance departments but they must be aligned with government requirements, regulations and standards. Well-designed, automated procedures can help to reduce risk during key financial processes. Automating procedures using data validation and workflow rules can improve the speed of processing and reduce human error. For example, if an invoice has a three-way match – purchase order, invoice and goods receipt – then the invoice can be completed electronically within seconds because it meets all of the process requirements. Policies to manage exceptions must be established and understood to ensure compliance with organisational standards, such as levels of authority and separation of duties. Other procedures to manage the capture of orders, remittances, invoices or journal entries through portals or other electronic methods will increase accuracy and reduce risk due to rejections, handling errors and delays. Lastly, structured workflows ensure that processes are executed consistently, according to corporate policy, across distributed locations.
Digitisation improves transparency
Transparency reduces risk; therefore, digitised processes are less risky because users can immediately detect issues and resolve them. Digital processes are more transparent than manual or paper-based processes, as users can view real-time status updates on orders and invoices, and access online documents and transaction history. Issues can be resolved faster with digital processes, and users can create real-time reports to detect fraud or potential issues, or establish metrics to measure performance against departmental and corporate goals.
Besides eliminating risk, reducing paper remains a goal for companies that continue to receive a significant portion of orders, remittances or invoices sent to the mailroom. Newer solutions, such as portals and other electronic transmission methods, are faster and more accurate, and provide additional two-way communication capabilities that significantly improve processes. Reducing risk while simultaneously improving processes is a central goal for which every organisation should strive.
When putting together a comprehensive risk management strategy, it is important to consider available software options that can enhance what is available in enterprise systems such as SAP. Organisations should consider tools that capture information required for audit purposes, such as process diagramming solutions, which automatically document process steps and system integration points, and optical character recognition (OCR), which automatically enters large volumes of audit documentation into the SAP system. Specialised solutions such as SAP GRC are also available to meet the audit needs of large enterprises. Audit regulations are constantly changing, so it is important to invest in flexible tools to meet current and future audit reporting requirements.
Data archiving is also an important consideration to reduce the cost and the risks associated with long-term data storage. Moving archived or infrequently accessed data to a secondary storage facility ensures that it is frozen and not vulnerable to hackers. Moving data to the cloud can reduce the cost of storing data.
Online document retention policies
Most companies have a good understanding of how to apply retention policies to paper-based documents, but find it difficult to ensure the same policies are applied to online documents. All electronic and scanned documents (such as invoices, orders and goods receipts) that are generated by online transactions and that reside in online systems must comply with the same retention policies as paper-based documents. While the process of setting up the retention policies in online systems can be challenging for the business and IT teams, once the policies are established, following those policies is relatively easy, as digitised processes generate a complete audit trail that includes user IDs and time stamps. It is important to ensure that information is organised so that it can be searched and accessed at a later date and that information, when it reaches the end of its useful life, is disposed of properly.
Risk management policies, once put into place, should be reviewed regularly. They should be updated when a business goes through a transformation, such as a merger or acquisition that adds new data or new responsibilities, or a divestiture that has legal rules governing how data is handled. Policies should also be reviewed and updated whenever new systems are added to the IT landscape (such as cloud applications) or when new laws and regulations are put into place (for example, Brexit, which will impact companies doing business in the EU/UK, or the General Data Protection Regulation). A regular review of policies will ensure that data is protected against any new threats that may emerge, such as increased threats from hackers going after personal or business data.
Building a risk management strategy which incorporates these five essential elements will enable organisations to mitigate risks and meet the challenges presented by financial, compliance and regulatory audits.
Brian Shannon is the chief strategy officer at Dolphin. He can be contacted by email: firstname.lastname@example.org.
© Financier Worldwide