GRC Tuesdays: Internal Controls = External Credibility
Just to warn readers, this blog post is subliminally about a new GRC cloud solution, SAP Financial Compliance Management (check out the video here), which I return to at the end.
But we start with Internal Controls. Let’s face it, a discussion of Internal Controls is not captivating. It doesn’t get the C-suite’s “that’s cool” reaction.
Resilience, on the other hand, gets attention. I’ll borrow PwC’s description of Operational Resilience: “Operational resilience is the embedding of capabilities, processes, behaviours and systems which allows an organisation to continue to carry out its mission, in the face of disruption regardless of its source.” Modern enterprises need this capability, especially in an increasingly interconnected and disruption-prone business environment.
This is also very close to Nassim Taleb’s outline of what an Antifragile system should exhibit (a concept I return to frequently): such systems benefit from disorder because they grow and strengthen under it, they are better able to deal with business volatility, and, importantly, a business with these properties is also more likely to innovate during change and disruption.
Good for business, right?
Operational Resilience is not just a business fashion either (though it has been adopted as a banner by all manner of organisations, so it may unfairly feel like one). It appears as a governance requirement from the UK’s financial regulators, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). The US SEC alludes to it in guidance advising business leaders to consider whether COVID-19-related circumstances, such as remote-work arrangements, might adversely affect an organization’s ability to maintain operations.
And here we start to see the really tight link between Operational Resilience and Internal Controls emerging.
The SEC guidance goes on to advise companies to consider what challenges they anticipate in their ability to maintain systems and controls.
In Germany, a new law in force since 1 July 2021, the Financial Market Integrity Strengthening Act (FISG), passed in response to the Wirecard case, requires capital-market-oriented German companies to strengthen their control over the balance sheet and the audit of their financial statements, so that the accuracy of the balance sheet and accounting records is assured.
And there are other examples around the world covering many domains (e.g. anti-bribery, human rights, ESG and emerging carbon accounting).
Which leads us to a description of internal controls (over financial reporting, in the example below) as the need to:
- provide evidence that financial statements are accurate and are prepared reliably
- ensure that adequate controls are in place to safeguard financial data and reduce the possibility of error
- demonstrate that corporate financial objectives are being achieved.
This is where, in my opinion, a dysfunction starts. Because internal control appears to originate from, and live in, regulations and risk frameworks, it is seen as a compliance task. That tends to pigeonhole it as (a) a cost to the business and (b) something to be handled by the compliance function as cheaply as possible, probably in Excel. And as something ‘uncool’.
And yet the UK FCA / PRA framework for Operational Resilience requires firms to:
- Identify important business services, considering how disruption to them could have an impact beyond the firm’s own commercial interests
- Set an impact tolerance for each service, quantifying the amount of disruption that could be tolerated during an incident
- Understand and map the systems and processes needed to support those services
- Put measures in place to keep those systems and processes within the defined impact tolerances
- Test them using severe but plausible scenarios, including outsourcing and the supply chain in those scenarios
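The five steps above are, in effect, a small computation: a dependency map, a tolerance per service, measures that cap outages, and scenarios run against the map. The Python below is an added illustration of that computation; it is not code from this blog, from SAP Financial Compliance Management or from the FCA/PRA, and every service name, dependency, tolerance and outage duration in it is constructed for the example. It goes slightly beyond the list by propagating an outage through transitive dependencies and by rejecting a cyclic map, which is a modelling error a real mapping exercise must catch.

```python
"""Toy model of the FCA/PRA operational-resilience steps (added example, not
from the blog or from any vendor). Important business services are mapped onto
the systems, processes and third parties they depend on; each service gets an
impact tolerance (maximum tolerable hours of disruption); recovery measures cap
how long a node can be down; a plausible scenario is then tested against the
map. All names and numbers below are constructed."""

# Dependency map (constructed): each node -> the nodes it cannot operate without.
DEPENDENCIES = {
    "payments_service": {"core_banking", "payment_gateway", "ops_team"},
    "customer_portal": {"identity_provider", "core_banking"},
    "core_banking": {"primary_datacentre"},
    "payment_gateway": {"cloud_provider_x"},      # outsourced supplier
    "ops_team": {"vpn_access"},
    "vpn_access": {"identity_provider"},
    "identity_provider": {"cloud_provider_x"},    # same supplier, second path
}

# Impact tolerances (constructed): maximum hours of disruption the firm could tolerate.
IMPACT_TOLERANCES = {"payments_service": 4.0, "customer_portal": 24.0}

# Measures (constructed): a warm standby limits a core_banking outage to 2h whatever the cause.
MEASURES = {"core_banking": 2.0}


def outage_hours(node, scenario, deps=DEPENDENCIES, measures=MEASURES, _path=()):
    """Hours `node` is unavailable under `scenario` (a dict node -> hours of direct disruption).

    No redundancy is assumed between dependencies, so the longest outage of any
    transitive dependency propagates upward; a measure on the node then caps the
    result. A cycle in the map is a modelling error and is reported, not looped on."""
    if node in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (node,)))
    hours = scenario.get(node, 0.0)
    for dep in deps.get(node, ()):
        hours = max(hours, outage_hours(dep, scenario, deps, measures, _path + (node,)))
    if node in measures:
        hours = min(hours, measures[node])
    return hours


def run_scenario(scenario, tolerances=IMPACT_TOLERANCES, deps=DEPENDENCIES, measures=MEASURES):
    """Run one plausible scenario; return {service: (outage_hours, within_tolerance)}."""
    results = {}
    for service, tolerance in tolerances.items():
        hours = outage_hours(service, scenario, deps, measures)
        results[service] = (hours, hours <= tolerance)
    return results


def breached_services(scenario, **kwargs):
    """Sorted names of important business services whose impact tolerance the scenario breaks."""
    return sorted(s for s, (_, ok) in run_scenario(scenario, **kwargs).items() if not ok)


if __name__ == "__main__":
    # Supplier outage: one third party sits under both the payment gateway and the identity provider.
    print(run_scenario({"cloud_provider_x": 6.0}))
    # Datacentre loss: the warm-standby measure keeps payments within its 4h tolerance ...
    print(run_scenario({"primary_datacentre": 10.0}))
    # ... and without that measure the same scenario breaches it.
    print(breached_services({"primary_datacentre": 10.0}, measures={}))
```

The supplier scenario is the point of the outsourcing and supply-chain item in the last step: a single third party reachable by two paths takes the payments service past its tolerance even though no in-house system fails, and the result is only as good as the completeness of the map.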
I believe the only pragmatic way to achieve the steps above is a materiality-based Internal Controls framework delivered through an enterprise software solution. That also makes the work reliable, repeatable and cost-effective, lets mitigations be associated with controls and tracked, and produces a record that can be audited.
More importantly for the board and C-suite, it provides a quantitative body of ‘primary source’ information, linked to the relevant risks, processes and owners, with operational levers, leading indicators and mitigation strategies, that allows an organisation “to continue to carry out its mission, in the face of disruption regardless of its source.” In other words, Internal Controls is a core part of achieving ongoing Operational Resilience, and that leads to a reputable, trustworthy organisation: one with credibility in the external, revenue-enabling world of customers, investors, partners, lobby groups and auditors.
The effective use of Internal Controls should be one of the key leadership discussions: not as a compliance outcome and a cost to the business, but as the way of delivering real-time, proactive, actionable information to Operational Resilience, an ongoing strategic ‘business as usual’ value-add to the business.
Coming back to the new solution. SAP has just released a new cloud GRC solution called SAP Financial Compliance Management (video here). It is an Internal Control over Financial Reporting system for SAP S/4HANA (for now; other systems later). It has the benefits of a cloud solution, including ready-to-use content, and helps executives attest that a quarterly or annual financial report does not contain any untrue statement of a material fact or omit a material fact. As part of SAP Business Technology Platform, it is a core part of the Intelligent Enterprise.