GRC Tuesdays: Governance, Risk and Compliance securing the Lead-to-Cash process
As a refresher, at SAP we tend to talk about 4 key ERP processes for the Intelligent Enterprise:
This blog looks at the last of these, Lead-to-Cash, and is in fact the last in the series that my colleague Thomas Frenehard and I have been writing. You can find blogs for the first three here: Source-to-Pay process, Recruit-to-Retire process, and Design-to-Operate.
What is Lead-to-Cash?
Lead-to-Cash manages all aspects of the customer experience and the business process chain. This covers everything from the initial interaction, through order fulfilment and service delivery, to revenue. The SAP Intelligent Enterprise approach provides adaptable process templates based on best practices, which vary depending on industry type, customer type, and sales channel (direct sales or e-commerce).
SAP visualises the Lead-to-Cash process as comprising the 5 main stages below:
Lead-to-Cash is one of the most business-critical processes as it moves from customer contact to sales to ordering to contract to fulfilment to money! If this is delayed, disrupted, or damaged, the effectiveness, profitability, and possibly the viability of the business will be severely impacted. Furthermore, while the details and complexity of the process are largely hidden from end customers, the effects of a poor Lead-to-Cash process are all too visible to them and will permanently affect their impression of the business they are dealing with.
Each of the 5 stages is complex in itself, as is the technical integration and handover between them, and they span the entire SAP Customer Experience solution portfolio. The many stages and steps deal with personal data, financial data, contract terms and conditions, revenue & profitability, and ultimately brand perception and reputation.
Any new business model, offering or innovation has to be supported by and realised through the Lead-to-Cash process. It therefore needs to remain flexible and agile, and yet robust and secure. In addition, the end customer’s experience needs to be seamless and frictionless.
This makes Lead-to-Cash an ideal beneficiary of GRC and cybersecurity controls, assurance, protection, and pro-active risk management.
Contact to Lead
A marketing expert creates a campaign to generate sales leads, and targets existing or new customers via mechanisms such as email, social media, personalised recommendations, or relationships. Based on the customer’s consent and interaction, the customer is converted to a lead.
Adherence to privacy laws, ensuring personal data protection, not dealing with sanctioned countries, organisations or individuals, not dealing with bad debtors, and not violating the business’s conduct risk policy are important priorities during this stage.
Lead to Opportunity
A marketing expert retargets the customers if needed, to encourage them to proceed with the marketing offer. Analytics tools can be used to assess the potential of the lead and determine if it is worth pursuing. The lead is converted to an opportunity based on the lead scoring.
As with the previous stage, data privacy and protection, sanctioned parties and business ethics are key. In addition, from a business operational risk perspective, incorrect or biased analytics can lead to missed opportunities, inappropriate contacts, or skewed outcome-based KPIs, leading to inaccurate performance analysis and future strategy setting.
Opportunity to Quote/Cart
The sales representative assesses the readiness of the opportunity to be offered a quote. The customer can request a quote, for example, via the web, a physical outlet, or by phone/email. The sales rep or system creates the quote and sends it to the customer.
I would anticipate that in the near future the greenhouse gas emissions loading for goods or services quoted for will also need to be included.
There is business risk associated with the quote value a sales rep can prepare and offer, and thresholds are frequently attached to an approval process. There is the opportunity for collusion, bribery and fraud within this stage. Appropriate disclaimers and offer conditions should also be reviewed before being communicated with the quote, so there is potentially a legal process, and the suitability of the end customer should be re-confirmed (in case, for example, the party the quote is sent to is different to the end customer, is in a high-risk country, or is on a sanction list).
Accurate and defensible greenhouse gas emissions will also have to be ensured in the near future.
Quote to Order
The quote is presented to the customer and can be negotiated, until a final agreement is reached. Once the quote is accepted by the customer it gets converted to an order. Customer feedback on the order creation process is collected, and the feedback can be used to improve the quote and order creation process.
As with the previous process there is risk of collusion, bribery and fraud. It can also include approvals bypass or delays, process shortcuts, credit check errors, delays in issuing quotes, and errors in the quote (e.g. payment terms, currency conversions, tax).
Order to Cash
Based on the different types of items in the order, the order gets split into physical, subscription or service products, and these are sent to the back-end systems for further processing. The order status is marked as complete only when all order types and steps are complete. On confirmation of delivery, billing and invoicing tasks are initiated and when received, revenues are booked (posted) for the business unit.
This is a key financial process that converts potential to recognisable revenue. It is at risk from fraud and collusion, dealings with sanctioned parties or high-risk countries as above, but also for example posting errors due to system errors, incorrect manual postings or manual overrides of preventive controls; inaccurate or incomplete customer master data leading to incorrect or out of policy orders; segregation of duties errors; delays in cash collection; currency and tax errors.
Days Sales Outstanding (DSO)
DSO is a useful performance indicator for a business, used to estimate the size of its outstanding accounts receivable (i.e. legally enforceable claims for payment). Measured in average sales days, it represents the number of days of (average) sales that you currently have outstanding. It is an important tool in measuring liquidity and ultimately cash flow. High DSO could indicate inadequate analysis of customers, incorrect terms and conditions (e.g. to close the deal), poor collection, or less credit-worthy customers.
The Lead-to-Cash process is the primary process impacting DSO, and therefore the company’s liquidity, cash flow and financial stability. Keeping this process well managed and consistent is critical for a successful, viable business.
SAP Cloud solutions for GRC to the rescue!
Below is a representation of the examples of vulnerabilities and risks related to various steps in the Lead-to-Cash process, which can lead to errors and delays.
The individual (or worse cumulative) impact through the process can lead to the end-to-end process being ineffective or even broken, with the potential for significant damage to financial performance, investment potential, reputation and future viability. Luckily there are cloud Governance, Risk, and Compliance & Cybersecurity and Data Privacy solutions from SAP ready to be deployed, to help prevent these risks from becoming damaging events.
Companies can use these solutions to help develop a pro-active risk management and internal controls approach to support the Lead-to-Cash process, thus safeguarding the marketing, conversion to quote, cash collection, and revenue recognition processes, and through these, overall business viability.
SAP Watch List Screening can be used in the Contact to Lead step to screen for high-risk or sanctioned parties, entities and individuals. It can also be used to assess the suitability of supplying goods or services to partners who in turn supply to the public sector.
In the Contact to Lead and Lead to Opportunity stages, SAP Privacy Governance helps companies document and manage the risk of improper processing of personal data during the staffing process: for example, whether ‘privacy by design’ is in place for both your organisation and third parties involved in staffing, the accountability duties of the data controller and data processor, data retention and deletion requirements, and which processing activities are lawful during staffing.
Spanning from Opportunity to Quote, to Order to Cash, SAP Identity Access Governance helps companies detect, document and manage segregation of duties risk. This includes both removal of and controlled management of SOD occurrences.
As the more finance-heavy steps of Quote to Order and Order to Cash are reached, SAP Financial Compliance Management helps implement and automate internal controls. This allows companies to implement in-process business controls to deal with posting errors, process bypassing, fraud, master data errors, financial errors, delays, and actual SOD occurrences. It will also help minimize the risk of misstatements in their quarterly and annual reports. The solution will help monitor the most important business processes and proactively protect the business from exposure. Companies can also monitor and document inconsistencies in operating procedures and policy.
I see the Lead-to-Cash process as a core process for the Intelligent Enterprise – and thanks Thomas for explaining it in your Design-to-Operate blog. With the proposed integration between SAP Financial Compliance Management and SAP Signavio, customers will soon have visibility and assurance over core processes like Lead-to-Cash, and all its sub-processes, as well as a synchronised view on the adequacy and strength of controls. Audit will love this!
SAP Data Custodian enables companies to demonstrate and deliver controls over the public cloud resources and applications which are fundamental to the Lead-to-Cash process. In parallel, SAP Enterprise Threat Detection, a high-volume, real-time security information and event management tool, helps companies proactively identify, analyse, and neutralize cyberattacks at a business level in their SAP applications, before, for example, serious breaches occur.
Note again that the same SAP cloud GRC solutions apply to all 4 of the core processes covered in this blog series! Business and IT investment in these solutions will have multiple benefits within the organization.
- Borrowing Thomas’ definition of the Intelligent Enterprise in his Design-to-Operate blog: organizations “that apply advanced technologies and best practices within agile, integrated business processes to run at their best”
- also acknowledging the business-wide move towards automation and ‘doing more with less’
- and the increasing trend towards creating ‘digital twins’ of physical processes & assets in a digital representation…
it is clear from these 4 blogs that SAP’s GRC and Cybersecurity solutions can contribute significantly to a safe, secure, reliable, resilient, agile, ethical, efficient and effective, financially stable and financially viable business.
For your information, you can find all 4 blogs in this GRC and Intelligent Enterprise processes series listed below:
- GRC Tuesdays: Governance, Risk and Compliance securing the Source-to-Pay process (released on 11/10/2022)
- GRC Tuesdays: Governance, Risk and Compliance securing the Recruit-to-Retire process (released on 25/10/2022)
- GRC Tuesdays: Governance, Risk and Compliance securing the Design-to-Operate process (released on 08/11/2022)
- GRC Tuesdays: Governance, Risk and Compliance securing the Lead-to-Cash process (released on 22/11/2022)