Automatically synchronize Controls and Processes across Process Modelling and Assurance
I’ve written a couple of blogs on the topic of processes and controls already: one asking whether in GRC we miss the significance of the business processes because we focus a lot of attention on control compliance and control testing, and another asking why we don’t put the process definition under an internal control process.
In this blog I want to progress the theme using two SAP solutions covering this topic: SAP Signavio Process Manager and SAP Financial Compliance Management. I’m talking about the exciting benefits resulting from their recently developed integration, where elected processes and related controls are automatically synchronized between the two solutions.
By way of a short introduction, SAP Signavio Process Manager (as part of Signavio’s Process Transformation Suite) is an intuitive and comprehensive modelling platform that captures, unifies, and maintains process models. It supports multiple use cases such as process excellence, digital transformation, process compliance, and process education.
SAP Financial Compliance Management (as part of SAP’s GRC and Security solution suite) is an internal controls execution, monitoring, reporting and management solution, running on SAP Business Technology Platform. It provides a centralized view across SAP S/4HANA Cloud Private and Public Editions and ECC, for internal control status and adequacy.
Managing controls in a harmonized way across the company is essential to stay compliant. Furthermore, running controls as “frictionless” in-process checks on front office business activities supports financial assurance, agility, and resilience for the modern digital-first customer.
For a business to actually be in control, controls need to be well documented and appropriate to actual business process flows – as opposed to designed process flows – as well as assigned to the relevant process steps within the process.
Organizations can benefit greatly from visually laying out and documenting how business processes function in a GRC context, and from being able to inform decision-making at any step of the process. They can easily, quickly, and visually identify where a process might be impacting the business, which enables the organization to determine where it needs to make changes.
Process: Organizations want to understand their actual existing processes, which in a modern business are complex:
- Delta between designed and actual operational processes
- Employees don’t always follow designed processes
- Organizations have operational change, mergers etc.
Control: Managing controls across the company is essential to stay compliant but also to deliver agility and resilience:
- In-process checks on front office activities drive performant financial and non-financial processes
- Controls ensure processes are being carried out as per regulations, policies, and corporate values
Organizations today are facing a world of constant change, more so than before, from both internal factors (human capital management, delivering on programs of work) and external factors (competition, exchange rate changes), elected change (transformation to S/4HANA, acquisitions, restructuring) or unexpected change (pandemic, cascading inter-related risks leading to unexpected results, natural disasters).
The nature, speed and scope of change place several often painful burdens on organizations to respond ‘gracefully’. One of the critical and common interfaces where this impacts the business is in processes, and controls over processes and risks. Disjointed, misunderstood or ineffective processes result in poor response, poor performance and sometimes chaos. Missing, incorrect, ineffective or over-engineered controls result in unnecessary costs, wasted effort, frustrated employees, losses, thefts, fines, reputational damage and sometimes business failure.
Increasing regulatory requirements and the increasing number of regulations have a direct impact on financial accounting processes, operational performance, and reporting of financial statements. This requires business processes to be more accurate as well as efficient. But without control automation and process synchronization, this will:
- become very resource intensive and cumbersome for an organization
- increase the likelihood of mistakes and omissions
- lead to reputational damage and even fines
Growth in speed and accuracy of tax compliance reporting, burden of proof of ethical & responsible business conduct internally and through all partner relationships, and joint disclosure of financial and sustainability data are just three examples of this.
Putting some quantification to these pain points, an Accenture study last year found that 90% of compliance leaders expect evolving business, regulatory and customer demands will lead to an increase in compliance related operating costs of 30%.
Achieve the opposite of Fragile
In quite a few of my blogs I return to Nassim Nicholas Taleb’s concept of antifragile because I find it fascinating and at the same time a bit opaque to understanding and operationalization.
If I were to ask my colleagues and peers what the opposite of fragile was, they would most likely use words like “robust” and “resilient.” However, Taleb argues that’s not the right answer. He suggests a better answer is that if fragile items or systems break when exposed to stress, then something that’s the opposite of fragile wouldn’t simply not break when put under pressure – in other words ‘weather the storm’ with existing defenses (i.e. staying the same); rather, it should actually evolve, get stronger, and bounce back.
As far as I know there isn’t an English word for this, so Taleb created one: antifragile.
An exciting and somewhat scary consequence of being antifragile is that there are more upsides than downsides from volatility. To me, synchronizing processes and controls across business and assurance, and automating where possible, is a really good, practical and achievable step to becoming antifragile.
Automatically synchronizing business process and assurance worlds:
- Protects the business during normal operations, and change
- Provides transparency into where controls fit in the business, and their impact, to grow and get stronger from volatility
- Ensures the exact same process and control view for business operations & assurance functions, also helping deal with complexity
- Drives decisions based on consistent, up to date & accurate processes and control effectiveness data, also helping deal with ambiguity and uncertainty
- Dramatically increases and improves the quality and precision of automation, highlighting process anomalies and delays
- Increases digitalization of processes and controls (digital twin concept) leading to better business & compliance engagement, and improved compliance
- Reduces errors & manual work, rationalizes risks and controls leading to significant cost efficiencies and lower ‘cost of compliance’
- Reduces cost and impact of internal and external audit
Overall, this provides the ability to document a better, stronger and consistent control- and risk-driven framework embedded in key business processes. In fact, it leads to a visibly better control- and risk-based ERP.