GRC Tuesdays: Shifting Controls to the Right of Launch
Those of us in the GRC team at SAP are trying to reimagine risk and compliance in an SAP S/4HANA world.
I recently blogged about “Shifting GRC to the Left of Launch.” That blog focused on the need to predict and manage extreme risks before they occur.
But a strong case can be made for managing infrequent or lower level risks in mature business processes using a “Right of Launch” strategy.
The current paradigm for managing controls seems to call for controls focused on prevention of risk events, even inconsequential ones. The very definition of control effectiveness seems to suggest a Left of Launch paradigm. I would even venture that COSO’s control frameworks seem to be based on a Left of Launch control philosophy and may stifle technological innovation. (But that’s another blog.)
There are reasons for a Left of Launch control paradigm, but it’s time for a second look.
Many risk events today could be managed very effectively from the Right of Launch. Controls in an SAP S/4HANA world can be structured very differently to permit this. Let’s compare a traditional approach with a Right of Launch scenario.
Reimagining Procure to Pay
Two recent but unrelated events offered a sharp contrast in how the Procure to Pay (P2P) process is managed in different environments.
- Traditional P2P: Recently I messed up in hiring a vendor to provide some services for a recent SAP GRC Insider conference. The contract was for less than $2,000, but I didn’t get the proper approvals in advance and found myself dealing with 3-4 people in our procure to pay team to set things right. It took several weeks and many phone calls and e-mails.
- P2P for Merchant Reimbursement for Credit/Debit Card Transactions: A few weeks ago, I received a call from my credit card provider alerting me to a purchase transaction. Someone pretending to be me and using my credentials was making a credit card purchase in a distant city. My bank correctly predicted that it was a fraudulent transaction and blocked it even before speaking with me.
Comparing “Left of Launch” to “Right of Launch” in P2P
If I had to guess, I would estimate that most P2P processes (heavily loaded with numerous documents, segregation of duties, approvals, and other controls) cost businesses about 3%-5% of the transaction value. Even more, they inhibit spending and slow down the spending process enormously. That can be a problem. Businesses spend to make money. Spending quickly should mean benefiting quickly.
But banks and credit card companies also run a P2P process for reimbursing merchants for consumer purchases. The volumes are huge in both value and transactions, but the P2P process seems much simpler. Here is a simplified comparison.
Predictive Controls in an SAP S/4HANA Environment Enable “Right of Launch”
Credit card companies have placed the key controls after the purchase transaction, not before it. The sheer volume of credit card and debit card transactions makes SOWs, POs, and invoices impossible. Technology today allows after-the-fact predictive controls. Banks and credit card companies shift some of the risk to the merchants and perhaps a little risk to customers. But speeding transactions is critical.
Even the credit card approval process is streamlined. Cards are pre-approved and customers notified.
Why Is Streamlining Procurement Important?
I believe the multiple controls, documentation and approvals in typical P2P processes are a significant but hidden cost. But there is more to it than that.
In most companies, a substantial amount of general ledger postings are driven from the P2P process. Financial statements are driven from payment information. Delays in processing payments lead to the need for accruals and to inaccurate, delayed financial reporting. Companies that know their costs and have accurate, up-to-date financial information can make better decisions.
Even worse, I believe accountability for Left of Launch controls is seldom with the owner of the process. I believe Right of Launch controls would align better with management accountability.
I know there is a fear of fraud, and certainly the merchant reimbursement process is susceptible to fraud. The difference is that instead of slowing down the process and incurring costs to prevent fraud and error, they detect them after the fact.
What Technologies Exist to Support Predictive Controls?
Technology exists today to continuously monitor controls to ensure that both vendors and customers are properly authorized and configured. But what makes a Right of Launch approach possible are powerful tools that monitor controls and detect anomalous patterns in high volumes of transactions, combined with predictive, machine learning and audit capabilities. It is feasible to detect, assess, and stop a bad transaction before it is completed.
I walked into a store a few weeks ago and qualified for a $10,000 bank-issued credit card by showing ID and providing a phone number. I didn’t need or want the card, but it shows that by using powerful Right of Launch instead of Left of Launch tools and capabilities, merchants and credit card providers can grow their business even faster. How can we harness this capability in our businesses?
Who Is Doing This Now?
My knowledge of P2P processes as well as credit and debit card processing is from a consumer perspective. I am certain others have already thought this through and have probably even tested changes in the P2P process.
But I do know a little about GRC, and I do know that control practices in businesses seem to rely heavily on preventing fraud or error. The power of GRC tools and SAP S/4HANA should allow massive streamlining and rethinking of many business processes. Preventive controls may be useful in some situations. But if it’s possible to detect and block fraud or errors after the fact at the speed of light it makes sense to do so.
Today’s technology combined with a Right of Launch control strategy has significant implications. I would argue that embedded in the COSO internal control frameworks, and certainly in Sarbanes-Oxley, is a Left of Launch control paradigm. That needs to change. Extreme risks need to be managed with a Left of Launch approach, as I described in my earlier blog. But risks and compliance in mature business processes can now be managed effectively with a Right of Launch strategy.
Has COSO recognized the power of technology?