Here’s the bottom line about risk: It lurks in material processes, whether you’re a government agency, an NGO, or a multinational corporation.
And in most cases, all of your revenues and expenses are processed through your enterprise resource planning (ERP) system, and that is therefore where many of your strategic risks reside. We’re talking purchase orders, business trips, the widgets you need to build your products or the services you provide—and much, much more.
Sure, the vast majority of organizations have implemented robust controls to ensure all those transactions flowing through the ERP are accurate and above-board. I’m betting your company has also built some pretty serious checks and balances into its processes to ensure full compliance with industry and government regulations. Watching revenue and staying compliant is a big deal, but if it’s your job, you also know that control breaches can occur in the blink of an eye.
For example, let’s say Company X travels to China to acquire a parcel of land for retail operations or a supply chain extension. It’s a pretty common scenario these days. Even if every legal and regulatory “i” has been dotted and every “t” crossed with care, did third-party facilitators receive gifts from your company? How, exactly, was the land acquired? The slightest slip (whether intentional or accidental) can lead to a painful FCPA violation. One-time vendors with high transaction values represent material risk—and fortunately, it’s one of the easiest things to test and mitigate.
When public companies receive government fines, it’s costly and, far worse, reputationally embarrassing. If shareholders subsequently punish those companies (with plummeting stock prices and shaky confidence reports), the reputation damage is often more costly than the fine. Customers, clients and shareholders alike are understandably wary of words like “fraud,” “embezzlement” and “corruption.”
How do you keep strategic risk in check?
Effectively managing your strategic risk requires two words: data analytics.
Yes, implementing a solid analytics program is not always a breezy walk in the park, but it’s no longer optional. It’s not a skill or a competency. It’s essential. Full stop. If you don’t have the analytic capacity to access and test 100% of your data set, you really don’t know what you don’t know. Your organization has major blind spots.
In today’s fast-paced, highly regulated and wildly competitive market, sampling data to test your controls just doesn’t cut it. The majority of strategic risks are extremely difficult to detect in a sample. Even if you have billions of transactions and your team manages to test a half-million of them with spreadsheet software, you’re still not going to capture fraud, waste, errors, corruption, non-compliance, or worse, inferior performance.
Let’s lower the numbers to hammer this point home (which is also what regulators will do, by the way, if your organization doesn’t have a strong framework in place to prevent and detect control breaches). Sampling 25 payables might turn up one questionable transaction, which you could use to extrapolate a 3% risk of fraud or errors. Not only is 3% not acceptable, but you’re also missing the opportunity to determine with complete certainty whether the material gaps are actually 5%, 1.1%, or a perfect 0.
And not only does all of your dataset matter, but the tool you use to analyze that data also matters. Half-baked analysis only skims the surface. Data analytics have been ACL’s bread and butter for 30 years. On the flipside, others are just starting to jump on board. For example, TeamMate just introduced analytic capabilities in the last 12 or so months, through a basic spreadsheet plug-in. ACL’s analytics are built on 29 more years of knowledge, experience and innovative technology we’ve developed for our global customers—and that just scratches the surface of what you’ll miss with half-baked data analytics.
Why system integrations are essential
Circling back to ERP systems, you probably know that SAP is the world’s most popular ERP, used by more than 70% of the biggest organizations and governments across the globe. Maybe your company or agency uses it, too. Whatever system your organization relies on, most of your revenues and expenses flow through that ERP—yet it’s unrealistic to think that all vulnerabilities can be assessed from within a single system.
In fact, large companies and government agencies often use hundreds or even thousands of additional systems, solutions and software applications to run their organizations. In order to fully test internal controls and assess strategic risk, it’s essential to compare ERP data with transactions that live in extended solutions and third-party systems. Sure, software tools like TeamMate could run your ERP data through a spreadsheet tool, but those types of tools can’t hook into all those disparate systems in order to extract, cleanse, reconcile and analyze the data and produce meaningful, actionable results.
For example, even if all of your company’s expenses run through SAP, you probably have another, third-party billing system that logs similar data. Want to check for mistakes and control breaches? You need to compare data from the two systems—and if you can’t, you are truly missing 80% of your risks.
The future is full-circle: creating a 360° risk monitoring program
Checking full data sets and measuring material risk (to the decimal point!) is critical, but 360-degree risk monitoring is where the magic starts to happen. It’s about being proactive and trying to prevent irregular transactions in the first place. It’s a matter of due diligence—and being exceptionally careful about meeting policy demands and following up after the fact.
For example, many companies rely on face-to-face client interactions that include entertaining, travel and business exposure to new cultural practices and local government regulations. Full-circle risk monitoring could mean creating a gift approval hotline where employees submit requests for vendor dinners before they even occur. A compliance expert would review the situation, the value of the “gift,” local regulations, and either approve or reject the request. Follow-up monitoring would also analyze expenses and P-card transactions to ensure employees don’t submit expense receipts for items pre-approved as gratuities or gifts.
Clearly, there are many variations on this pre-approval process, but 360-degree risk monitoring has the power to prevent serious regulatory breaches. The possibilities are endless.
Tapping the power of surveys and hotlines for analytics on human responses
Finally, keeping a close eye on ALL your risks means looking beyond financial controls. Retaining top talent is a strategic risk for many organizations and governments. If you think about your company or government portfolio, who are you most worried about losing? Whether it’s someone in the C-suite or a senior technical expert, people are a major resource—and ensuring they’re happy and productive requires dedicated effort.
Unlike the offerings of other vendors such as TeamMate, ACL’s solution suite includes flexible surveys that can be customized to meet your needs. Your organization can conduct regular staff or vendor surveys, test individual responses to controls and conditions, and then analyze the data and automate a simple workflow that assigns items for review, further investigation, response and remediation. From whistleblower hotlines to feedback systems to surveys, analytics on unstructured human data offer insights that would otherwise be impossible (or extremely time-intensive) to track and measure.
Don’t let 80% of your risks fly under the radar
It’s never been more important to keep a tight leash on strategic and human risks, protect your company’s reputation, and stay on the good side of regulators from government bodies to industry watchdogs. Clean business is profitable business, and data analytics are the only way to monitor all of your risks.
Don’t settle for a tool that kind of, sort of pulls and analyzes data in a spreadsheet infamously prone to silos and to copy-and-paste or overwrite errors. It’s not enough. Your organization deserves a collaborative, cloud-based, data-driven solution to boost compliance and fully manage risk across the organization.