Research Series
A Top-Down Approach to Risk Management and Internal Control
Issue 1
Having A Business-Process Focus Tied to Business Planning
Published by Financial Executives Research Foundation
FERF Research Series
May 2006
A Top-Down Approach to Risk Management and Internal Control: Issue #1, Having a Business-Process Focus Tied to Business Planning
By R. Malcolm Schwartz
Purpose

This overall report presents a business-centric and cost-effective approach to internal control and risk management, using systems thinking, and systems, to get value. This approach provides business benefits while enabling compliance with the Sarbanes-Oxley Act of 2002 and other laws and regulations. This issue is the first installment in a four-part series that explores management priorities. This FERF Research Series is being sponsored by BWise B.V.
Executive Summary

Efforts to date to apply risk management and internal control suggest that experience alone will not generate benefits. What is needed is an approach that specifically addresses business benefits while enabling compliance. The purpose of this four-part series is to suggest how to do that by considering both the technical and managerial tools.

Selecting technical tools -- software -- is not the first step. First, have your managerial design in place. Otherwise, you will risk using software to make a marginal approach more efficient, but will lose the opportunity to become more effective as well. This is what has happened to a number of companies after their first Sarbanes-Oxley compliance cycle. Having a design that improves effectiveness includes addressing the four management issues of:

1. Having a business-process focus tied to business planning, to integrate management and governance with operations and transactions processes,
2. Beginning with an aggregated risk assessment, to reduce effort to what is important,
3. Using a process and not a financial accounts point of view, to integrate documentation and tools and to reduce the cost of documentation, and
4. Relying on ongoing monitoring to test the performance of controls, to reduce the scope of separate testing.

By starting with such a management design, you can become more effective if you then undertake managerial actions that enable you to:

• Prioritize -- to reduce the effort to what is necessary and valuable,
• Organize -- to use accountability as a key control,
• Integrate -- to avoid overlaps and redundancies, and
• Manage performance -- by using monitoring to control and improve performance.
These four management issues must be addressed first, and then the right projects and systems support can follow. Furthermore, if a template of a generic solution to the management design is used as the basis of this effort, then the work can focus on tailoring that generic design solution, and not on the larger effort of creating one from scratch.
1
In sum, to select systems and tools – and, for that matter, to take effective management actions regarding internal control and associated risk management -- begin with a management design that addresses risk management and internal control from a business-centric focus, and let audit activities follow as part of your business plans and operations.
2 | Financial Executives Research Foundation
Having a Business-Process Focus Tied to Business Planning, to Integrate Management and Governance With Operations and Transactions Processes

Having a business-process focus tied to business planning enables you to see Sarbanes-Oxley compliance, PCAOB auditor standards, and accounting and management controls all in the context of business issues, and not as ends in themselves. This will save you time and money because you will have integrated teams developing integrated plans based on work content, instead of having overlapping and separate efforts that then have to be integrated continually. This “built in” and not “built on” approach enables you to:

• Deal with uncertainty in business planning, so that risk, and opportunity, and the underlying related assumptions are continually addressed for business purposes and not just for compliance purposes.
• Emphasize processes in business planning by starting with a business model that integrates control activities and risk management, so that the plans integrate and address the work to be done and the results to be expected, as well as the people doing the work.
• Use the framework established by the Committee of Sponsoring Organizations of the Treadway Commission (The COSO Framework) to extend and highlight transaction, management and governance processes, so that the interconnected principles are addressed for:
  - Control environment,
  - Risk assessment,
  - Control activities,
  - Information and communication, and
  - Monitoring.
• Use this bottom-up design for top-down planning, so that no “disconnects” develop between what you intend to have done and the associated risks in doing it, and what people are able to do.
• Integrate risk and controls management, and improvement opportunities, into business planning, so that recognizing and addressing uncertainty in outcomes is part of both basic planning and performance management.
• Support business planning with software that integrates controls and risk management with business planning, and from a process perspective.
Each of these is discussed more fully in this Issue. In addition to saving you time and money, this integrated approach will improve business planning and risk management, because planners will consider risks, uncertainties and assumptions in their plans, and because it enables your people to know what is to be done, what could go wrong, and what is expected of them. This is important to becoming cost-effective, as recent research [1] indicates that managers and their competencies and motivations -- basic principles of good control -- are more important to how a company performs than other structural factors. In other words, mediocre management and control go hand in hand with mediocre corporate results.
[1] Conducted in 2005 by McKinsey and the Center for Economic Performance, at the London School of Economics.
Our research found, in studying a set of 18 management practices, that:

• One company used monitoring only when output dipped, to spur action, and then discontinued the monitoring when output rose; so there was no way to track performance against business objectives.
• A second company monitored performance indicators continually, but did not share this information with the operating personnel, thus depriving the personnel and the company of improvement efforts.
• A third company set up display screens to show personnel where their performance ranked against daily targets and other goals. Managers met with operating personnel every morning to discuss the previous day’s performance and today’s agenda; provided a monthly overview and summary; and used lunch breaks as opportunities for feedback on performance, achievements, and improvement opportunities.
There are several lessons from this research, which indicated a statistically supportable correlation in performance among these companies. First, good people enable good performance. Second, good management techniques provide a setting for good people to perform better. Third, control as envisioned in the principles of The COSO Framework -- beginning with a control environment of, among other components, competent people, well-designed policies and procedures, effective communications, and the reinforcement of human resources policies -- is built in to those good management techniques. Fourth, these good management techniques provide a focus for goals, performance in the context of current practices, and the improvement of current practices. The result, from the research, is a premium on working smarter, not working harder.

Working smarter, and those good management techniques, begins with a good, and integrated, approach to planning -- for setting goals, setting priorities, allocating effort and committing resources. However, too often companies treat risk management and controls as separate programs that are not well linked to their business planning process. This leads to overlapping and redundant efforts, and to less-effective plans.
Exhibit 1 illustrates how these objectives fit with a management design for planning and monitoring, through a continual management process of planning, setting priorities, assigning resources to programs, and monitoring, which leads to updating the planning. This approach relates to “Systems Thinking,” as developed by Peter Senge [2], in showing how activities link together in cause-and-effect relationships with associated uncertainties, or risks.
Exhibit 1. Management Design and Actions for Internal Control and Risk Management

[Diagram: a cycle of six management actions, each box listing its activities.]
• Assess Risks: in monetary terms; prioritize; aggregate
• Business Planning: strategy, structure and process; design, execute and monitor
• Focus on Processes: organize; connect; integrate; train; manage information; manage change
• Diagnose: cost–benefit analysis; business case; balanced controls; remediation programs
• Improve: assess opportunity; select approach; apply
• Manage Performance: monitor; evaluate, test and oversee
Flows labeled between the boxes: focused documentation, operational risk, minor risks, improvement opportunities, operational risks, business improvement program, control risks.
Addressing these management issues is not easy because, strangely enough, to simplify and improve plan execution, you need a more complex, comprehensive and elaborate plan design. But, elaborate design is much less costly than elaborate execution; an analogy often stated about quality control is that $1 spent on quality design will save $10 in quality inspection, or $100 in quality correction. In other words:

• Improving prioritization depends on a top-down, business-focused risk assessment, which in turn depends on a granular, bottom-up business design,
• Organizing to simplify depends on comprehensive business-process design, which can enable reduced documentation,
• Connecting the business-process design, and the ensuing analysis, depends on segmenting the process steps to their component activities, and then relating these activities to specific programs, such as the various financial statement accounts for Sarbanes-Oxley compliance, or the various selling and supply chain activities for launching a new product,
[2] Systems thinking views the output of a process as more dependent on its design than on the diligence of the people performing the work. This being the case, the design of the work is of utmost importance, including the design of the competencies to be applied to the work.
• Integrating documentation depends on having detailed insights into the information contained in business documents in order to understand how to integrate them, and
• Measuring performance depends on having accountable ongoing monitoring in place at the activity level, so that testing can rely largely on ongoing monitoring.
So, let’s start by dealing with uncertainty in the business planning process.

Dealing With Uncertainty in Business Planning

If this is done, then risk, and opportunity, and the underlying related assumptions are continually addressed as part of business planning, and not just as a compliance exercise. Businesses often use a single value to estimate the future (for example, “our projected sales for the next quarter are $125 million”), when in reality:

• There is uncertainty in the projected result, which is likely to be a possible array of outcomes, with different likelihoods of occurrence,
• Improving the likelihood of achieving the target result depends on understanding and addressing the underlying assumptions, and
• Addressing uncertainty -- risk -- about the business performance objectives is the same as addressing uncertainty about financial reporting objectives.
To illustrate, in Exhibit 2, a company is considering how to achieve its strategy.
Exhibit 2. Looking at Strategy and Risk Options

[Chart: Probability in % (vertical axis, 0 to 100) plotted against Net Present Value (horizontal axis, -60 to 100), with one curve for each of three approaches. Annotations on the curves: Approach A: not preferable since not as good as approach C. Approach B: preferable only if approach C's potential losses are unacceptable. Approach C: clearly preferable unless potential losses are unacceptable.]
First, note that there are three different approaches to the strategy. Each approach provides a different curve with its own array of expected results. Second, asking why there are three curves, each having an array of possible results, leads to asking why the expected results differ. This causes management to deal with underlying assumptions and their impacts. Third, this can be used to question the variability in the prospective results for business performance, for compliance, or for financial reporting; so it encompasses both controls and business management.

In the example, at the 50% probability point -- which many people consider and use as the targeted outcome when they are dealing with a single-point estimate -- Approach C offers the highest net present value; it also carries the relative risk, albeit low, of somewhat greater losses, while at the same time it offers the opportunity of greater upside. If the company has a low tolerance for risk -- a low risk appetite -- it might prefer Approach B, which offers less risk as well as less opportunity. Approach A, compared to Approach C, offers greater risk, less opportunity, and a lower expected result at the 50% probability point. Whether the company chooses Approach C or B, it is avoiding the use of a single-point estimate, is considering an array of outcomes, and as a consequence is getting its management team to focus on business assumptions, and their effects on risk and opportunity.

In one example of a management focused on business assumptions, a consumer products company wanted to use activity-based costing principles to tailor the services included in its product pricing. Customers who chose a basic service package would get the most favorable prices. Customers who chose difficult services -- short timing for order placements (causing higher inventories and special order processing), complex deliveries (in terms of delivery timing and locations), special pallet patterns, and so forth -- would be charged accordingly. As the program was designed, it appeared to offer economic benefit to both the company and its customers, but not under all sets of assumptions. These assumptions included the number and kind (those with straightforward or those with complex service needs) of customers who took the program, whether salespeople would present the program correctly, whether customers would act consistently with their agreements, whether their failure to do so would be caught, and so forth. The management team addressed the more critical assumptions by changing the design of the program and how it would be monitored and enforced. This narrowed the uncertainty in possible results, and also increased the likelihood of an economically beneficial result.

Dealing with uncertainties -- and the underlying assumptions -- is just as relevant for achieving financial reporting objectives as it is for achieving operating objectives. So, treating both as part of an integrated approach to planning should simplify, and reinforce, the effort to deal with uncertainty. Whether it is salespeople presenting a new program correctly or financial personnel calculating reserves correctly, or whether it is monitoring customers’ behaviors and actions or monitoring employees’ behaviors and actions, the planning is the same. And, the planning is more cost-effective if integrated.
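Exhibit 2 compares three strategy options by the full distribution of their net present values rather than by a single-point estimate. The following Python script is added here as an illustration; it is not part of the FERF report or of any sponsor's software. It generalizes the three-curve picture: each approach's NPV is derived from a few named, uncertain assumptions (incremental volume, unit margin, and the chance that the program under-delivers), so that asking "why do the curves differ?" leads straight back to specific assumptions, as the text recommends. The script simulates the outcome curve, reads off the 50% point and the 5th percentile, and applies a risk-appetite rule. The approaches, their parameters, and the risk-appetite thresholds are constructed for the example and are not figures from the report.

```python
"""Monte Carlo comparison of strategy options by NPV distribution.

Added example, not from the FERF report. Every parameter below is a
constructed assumption chosen to reproduce the shape of the report's
Approach A / B / C discussion, not data from the report.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Approach:
    name: str
    investment: float       # up-front cost ($M), treated as certain
    volume: tuple           # (low, mode, high) incremental units, triangular
    margin: tuple           # (mean, sd) contribution per unit, normal
    execution_risk: float   # P(program under-delivers and volume is halved)


# Constructed assumptions: A = low return, high variance; B = modest, safe;
# C = highest expected value with a real (but limited) chance of loss.
APPROACHES = [
    Approach("A", 30.0, (20.0, 40.0, 60.0), (1.0, 0.40), 0.30),
    Approach("B", 8.0, (15.0, 25.0, 35.0), (1.0, 0.12), 0.02),
    Approach("C", 35.0, (30.0, 70.0, 110.0), (1.0, 0.20), 0.15),
]


def simulate_npv(approach: Approach, n: int = 20_000, seed: int = 7) -> list:
    """Draw n NPV outcomes from the approach's assumptions; returns them sorted."""
    rng = random.Random(seed)
    low, mode, high = approach.volume
    results = []
    for _ in range(n):
        # random.triangular takes (low, high, mode), not (low, mode, high)
        volume = rng.triangular(low, high, mode)
        margin = rng.gauss(*approach.margin)
        if rng.random() < approach.execution_risk:
            volume *= 0.5                     # the under-delivery scenario
        results.append(volume * margin - approach.investment)
    results.sort()
    return results


def percentile(sorted_vals: list, p: float) -> float:
    """Nearest-rank p-th percentile (p in 0..1) of an ascending list."""
    idx = round(p * (len(sorted_vals) - 1))
    return sorted_vals[min(len(sorted_vals) - 1, max(0, idx))]


def exceedance(sorted_vals: list, x: float) -> float:
    """P(NPV >= x): the probability-vs-NPV curve of the report's Exhibit 2."""
    return sum(1 for v in sorted_vals if v >= x) / len(sorted_vals)


def summarize(sorted_vals: list) -> dict:
    """The figures a planner reads off one curve."""
    return {
        "median": statistics.median(sorted_vals),     # the 50% probability point
        "p_loss": 1.0 - exceedance(sorted_vals, 0.0),  # chance NPV is negative
        "p05": percentile(sorted_vals, 0.05),          # downside at 95% confidence
        "p95": percentile(sorted_vals, 0.95),          # upside
    }


def choose(summaries: dict, max_loss_at_p05: float) -> str:
    """Risk-appetite rule: discard any approach whose 5th-percentile loss is
    worse than max_loss_at_p05, then take the highest median of the rest."""
    eligible = {k: s for k, s in summaries.items() if s["p05"] >= -max_loss_at_p05}
    if not eligible:
        return "none"
    return max(eligible, key=lambda k: eligible[k]["median"])


def run(n: int = 20_000, seed: int = 7) -> dict:
    """Simulate every approach and return {name: summary}."""
    return {a.name: summarize(simulate_npv(a, n, seed)) for a in APPROACHES}


if __name__ == "__main__":
    summaries = run()
    for name, s in summaries.items():
        print(f"Approach {name}: median={s['median']:6.1f}  P(loss)={s['p_loss']:5.1%}  "
              f"P5={s['p05']:6.1f}  P95={s['p95']:6.1f}")
    print("low risk appetite  (no loss tolerated at 95%):", choose(summaries, 0.0))
    print("high risk appetite (loss of up to 25 tolerated):", choose(summaries, 25.0))
```

With the constructed parameters the low-appetite rule selects B and the high-appetite rule selects C, matching the report's reading of the exhibit; the point of the model is that changing one named assumption (for example, the execution risk of C) moves the curve and can flip the decision, which is exactly the conversation about assumptions that a single-point estimate hides.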
Emphasizing Processes in Business Planning

Emphasize processes in business planning by starting with a business model that integrates control activities and risk management, so that the plans integrate and address the work to be done and the results to be expected, as well as the people doing the work. When planning is integrated, then you can focus on what is done to produce the results that you plan to have. You really do not control results; you control what people do. You control the processes that people undertake. And, when you control the processes, then you continually address results in terms of risks and controls.

The value in looking at controls, and risks, from the process point of view and in the context of business planning can be illustrated by looking at a piece of what many auditors and systems people call the “order to cash cycle.” But, let’s look at a process, and not at a cycle. The idea is that a cycle has a beginning (in the case of “order to cash,” the placing of an order by a customer) and an end (in this case, the receipt of cash). But, cycle thinking is neither systems thinking nor process focused, and does not necessarily support cost-effective controls. This is because an effective process usually involves activities that are not linear, sequential or cyclical, and a process crosses different but interconnected cycles that are not related to transactions as such. This can be illustrated by looking at the part of the “order to cash” cycle that deals with maintaining the accounts receivable reserves [3].

First, let’s locate this process component. To avoid the narrow focus on control activities for transaction processes, let’s start with a business model. The COSO Report [4] did, and The COSO Framework has a strong process basis.
[3] One process example -- “Maintain accounts receivable reserves” -- will be used throughout this Research Series, so that a great deal of specifics about the selected process can be shown and discussed. “Maintain accounts receivable reserves” was selected because it involves: (1) both operations and financial reporting objectives, so it helps to explain the value of integrating business and compliance planning and management; (2) judgments and estimates, so it relates to the area of major risk regarding accurate financial statements; (3) transaction, management and governance processes, so it illustrates how these different types of processes can be integrated; and (4) a number of different forms of documentation, so it illustrates how they can be integrated.

[4] Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, September 1992, AICPA (American Institute of Certified Public Accountants) Publications Division. Sarbanes-Oxley requires that a complying company use a framework, and identifies characteristics that a framework must have. The SEC in turn cited The COSO Framework, and the PCAOB in its Auditing Standard 2 used it extensively. As a consequence, most complying companies claim that they are using The COSO Framework, but many have confused it with the attached illustrative evaluation tools. This has led to its being misunderstood and misused. Too often, the focus for compliance has been on transaction processes and their controls, and on separate checklists, or spreadsheets, for management and governance -- so-called company-level and entity-level -- controls.
The COSO Framework used the value-chain model developed by Michael Porter for competitive strategy analysis [5]. Exhibit 3 positions this value-chain model in the context of outside parties.
Exhibit 3. The Generic Business Model in Context (Generic Business Model – Context Level)

[Diagram. At the center is the value chain -- Inbound, Operations, Outbound, Marketing & Sales, Service -- supported by the infrastructure processes Run the Enterprise (Admin), Human Resources, Technology Development and Procurement. Around it are the outside parties: Buyers & Distributors, Vendors, Candidates, Competitors, Collaborators, Shareholders/Investors & Financial Institutions, Public Bodies & Other Parties, and Other Sources of Consumption. Labeled flows to and from these parties include Purchase Requests, Purchase Orders, Purchased Goods & Services, Shipped Product, Services, Revenue, Funds, Reports, Compliance & Persuasion, Shared Ventures, Opportunities & Threats, Market Threats & Opportunities, Staffing Needs, Skills & Experience, Available Technology, Capabilities, and Specifications.]
The value chain comprises the groups of inbound activities, operations, outbound activities, marketing and sales, and services processes. These process groups are not key to Sarbanes-Oxley compliance, but they contain activities that are the sources of information for controls related to Sarbanes-Oxley compliance -- such as receiving reports coming from inbound activities to the accounts payable process. The bulk of compliance, however, is in the infrastructure activities of administration, human resources, technology development, and procurement; so it is useful to work with this interdependent and connected view of processes. Also, the sources of information often become the focus for improvement and remediation projects. This “context diagram” also helps to position outside parties, some of whom -- and some of the information flows to and from them -- have Sarbanes-Oxley compliance implications.
[5] Competitive Advantage: Creating and Sustaining Superior Performance, Michael E. Porter, The Free Press, A Division of Macmillan, Inc., New York, 1985.
Most of the control activities for effective financial reporting can be found by digging deeper into the “administration” (or, more commonly, “run the business”) process set:

• Manage finance -- control, treasury, tax and audit
  - Record and present plans
  - Record, monitor and present results
    o Process accounts payable
    o Process accounts receivable
    o Process funds
    o Process fixed assets and leaseholds
    o Process benefits and retiree information
    o Process payroll
    o Process tax compliance
    o Process standard costs
    o Analyze and reconcile
    o Provide financial and management reporting
    o Maintain financial policy, schedules and procedures
  - Safeguard assets
• Manage the enterprise
• Manage external relations
• Provide administrative services
• Manage information systems
• Manage risks
• Manage legal affairs
• Plan

Within this administration process group, the three areas that are key to Sarbanes-Oxley compliance are:

• “Manage Finance,” which includes, within “Record, Monitor and Present Results,” the accounting transaction processes, the processes for closing and reporting, and the processes for maintaining accounting policy and procedures, schedules and forms.
• “Manage Information Systems,” which aligns with the Control Objectives for Information and related Technology (COBIT) framework, and includes planning, governance, operations and control processes.
• “Manage the Enterprise,” which includes The COSO Framework and its components -- Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring -- in the context of the general management process that begins with planning and leads to actions.

Many of these processes and their process components are not completed cycles, because they feed, or are fed by, other processes; for example, the accounts receivable process feeds the funds process.
Also, an activity might be part of several processes, as can be seen by looking within “Process accounts receivable” more fully at “Maintain accounts receivable reserves,” which has a number of activities, including:

• Review economic trends,
• Maintain and communicate credit policies,
• Calculate accounts receivable reserves,
• Approve accounts receivable reserve calculations,
• Post accounts receivable reserves to the general ledger,
• Approve accounts receivable reserves posted to the general ledger, and
• Certify accounts receivable reserves maintenance process.
The activity of reviewing economic trends can be part of a number of planning and evaluating processes. Updating credit policies might be driven by business planning, and it in turn might drive sales planning and other processes. So, each of these activities has a distinctive importance to the accounts receivable reserves process component, but several of these activities have other business purposes as well, and must be considered as parts of processes and not as steps in a cycle. Three of these activities are important to this accounts receivable reserves process component because they are control activities, and are of high or moderate importance as controls: the approvals built in at two key points in the process, and the review and resulting certification built in at the end of this process component.

So, by beginning with a generic business-process model template, Sarbanes-Oxley compliance can be positioned as part of an overall business design, which also can reduce the incremental documentation work. Furthermore, by looking at processes and their components, as well as the activities that comprise processes, the work of the organization can be integrated, and understood. This becomes an important feature of business planning, as what has to be done right is so important to defining achievable business plans.

Using a Bottom-Up Design for Top-Down Planning

Having a process framework in place, it then becomes easy to integrate top-down goal setting with bottom-up planning. Many organizations start their business planning from the top and work down. Smart ones set top-down goals, but then look to their organizations to build bottom-up plans for achieving those goals -- so that no “disconnects” develop between the high-level plans and achieving them.
A company that has a clear sense of its business model, described in process terms, can set top-down goals and then have them confirmed -- and eventually realized -- through bottom-up planning and action. Let’s look at the ramifications of this, continuing with the accounts receivable reserve illustration. A company has set a growth target as a top-down goal. This growth is to come from goals set for both current customers carrying new product lines and new customers in new channels of distribution. The planning process includes a bottom-up review of the effects of the goals on activities and processes. This review shows that the credit policy will have to change, to reflect added volume through current customers and ensuing higher credit lines. It will also have to be adjusted for dealing with new customers who have no credit history with the company. Part of the bottom-up planning process then involves planning for a credit policy review, considering changes in the reserve calculation, and retraining credit analysts, among other steps.

Many people do not understand the idea of linking top-down goal-setting with bottom-up planning, and that it is cost-effective to do this. For example, when it comes to Sarbanes-Oxley compliance, the PCAOB suggests starting with a top-down risk assessment. This works fine if the company understands the underlying details of its bottom-up structure of processes and activities. If not, then top-down, broadly-stated risks will lead to broadly-documented controls. Knowing the activities will enable the top-down risk assessment to focus on the activities that are truly at risk, in this case in regard to effective financial reporting.

Starting with a generic and bottom-up model in place also enables you to be selective in your design and documentation. You can refine and elaborate those template portions that relate to your business objectives, among which are the objectives for effective financial reporting. From the general design -- in a generic template that you have tailored to reflect your practices -- you can selectively deepen the process design in the areas that are key to achieving your objectives, in such areas as financial, management, information and human resources processes, as shown in Exhibit 4.

Exhibit 4. Selectively Deepening a Contextual Design

[Diagram: depth of analysis and design (vertical) against the scope of the business process framework (horizontal: the infrastructure processes Adm, HR, Tech and Proc, and the value-chain processes In, Opns, Out, M & S and Svc). Three successive levels of depth: design major business processes in context; selectively deepen process design for areas related to financial reporting objectives (the columns labeled FM and I); selectively deepen process design further, to include monitoring and testing of control activities.]
And, by drilling down selectively, the effects of the five components of The COSO Framework can be better understood. They are not separate from accounting transaction processes, but instead provide the rules for, and the monitoring of, these transaction processes. Effective process design and documentation also reinforces this. To illustrate this integration across The COSO Framework, consider the issue of staff competency. This is part of the control environment component of The COSO Framework. So, in order to certify the overall accounts receivable process, for example, the competencies of the staff performing the process -- accounts receivable clerks, and the controller -- need to be assessed, by considering:

• The position descriptions -- which should include control accountabilities,
• The current appraisals, to assess performance as compared to the requirements identified in the position descriptions, and
• The development plans, to determine that any gaps in competencies are not only identified but also being addressed.
These are outputs of human resources processes. The design of the forms and the procedures for generating and maintaining approved position descriptions, appraisals and development plans also are outputs of human resources processes. The sub-component of control environment, in The COSO Framework, that deals with the matter of competency includes a management process that identifies the accountability for the design and operation of these human resources processes and a governance process that oversees that these processes are in place, and leads to a monitoring activity. This illustrates the connectedness of the transaction, management and governance processes involved in providing a well-controlled accounts receivable reserve process and enabling its certification. Because these various types of processes are connected, this also shows why a cycle view or a linear, free-standing, depiction of a process is very limiting, and why disconnected checklists lead to neither effective -- nor cost-effective -- controls. The human resources processes in this case provide outputs that become inputs for a number of transaction processes -- all of which depend on competent staff performing them -- and in turn depend on the evaluation of staff and the ensuing development plans. These complex process flows are difficult to capture in checklists and spreadsheets, so they lead to more effort and cost, while at the same time reliance on them can cause control risk.

Using a well-developed, bottom-up business-process model improves the ability to analyze work flows and methods -- and related resources -- for operational improvements and for controls remediation. This model clearly supports such business objectives as process and productivity improvement, because it connects activities and their controls to their sources. For example, many accounts payable departments spend an inordinate amount of time obtaining and correcting source documents -- such as approved purchase orders, receiving reports, and vendor invoices. This effort can lead to acceptable controls over accounts payable processing; but it can distract from primary efforts and hence increase risk; and it clearly increases cost. Even though correcting source difficulties in this case might not be remediation of control deficiencies as such, it is an improvement opportunity that can reduce costs, and that would be more difficult to address without a process-based, bottom-up business-process model in place.

Another value of using a business-process model is its help in dealing with end-to-end process controls. Many companies have difficulty managing compliance efforts because they organize them functionally and then complain about the inordinate costs and uncertainties “at the hand-offs.” A business-focused process design is independent of the functional boundaries in an organization. It encourages management to think of an owner of the end-to-end process, and hence an accountable person for simplifying the functional hand-offs that occur within that process, as well as for certifying that process.
This approach worked well for a multi-division manufacturer that wanted to maintain control while integrating the operations of its several business units. The appointed process owners enabled integration and control, end-to-end and across organization boundaries, as illustrated in Exhibit 5. This bottoms-up process focus not only improved control and saved time and money, but it also led to improved customer service.

Exhibit 5. Illustrative Organization-Process Matrix
Organization functions (columns): Finance, Legal, Procurement, Operations, Marketing, Sales, Engineering, Information, Human Resources, Administration.
Business process sets and illustrative processes/activities (rows): Maintain Accounts Payable; Maintain Accounts Receivable; Produce Financial Reports; Human Resources; Technology Development; Purchasing; Inbound; Operations; Outbound; Marketing & Sales; Service.
[Matrix cells, which mark the functions involved in each process, did not survive extraction.]
In sum, use this bottom-up process design for top-down planning, so that no “disconnects” develop between what you intend to have done and the associated risks in doing it, and what people are able to do.
Integrating Risk and Controls Management Into Business Planning

Having such a bottoms-up, process-based plan enables risk and controls management to be built into planning. Take the accounts receivable reserves process once again. Each activity has a distinctive risk profile. In the generic template, these activities and their risks are as shown below.
Activity                                                           Control Importance   Risk Exposure
Review economic trends                                             M                    L
Maintain and communicate credit policies                           L                    L
Calculate accounts receivable reserves                             L                    M
Approve accounts receivable reserve calculations                   H                    L
Post accounts receivable reserves to the general ledger            L                    M
Approve accounts receivable reserves posted to the general ledger  M                    L
Certify accounts receivable reserves maintenance process           M                    L

(H = high, M = moderate, L = low.)
If the three control activities -- the two approvals, and the certification -- are designed well and perform as designed, then the risk in this sub-process should drop to a low level. In turn, the risk profile for each activity has been expressed as high, moderate or low risk (of course, all of this can be tailored to fit the characteristics and operations of your company); it could also be expressed in terms of the magnitude and the length of exposure, or even in terms of quantitative or monetary values. So, by using a process focus, risks can be identified with the specific activities that are parts of each process, and can be managed accordingly. This leads to a cost-effective focus on documentation and monitoring, which will be discussed later.

A focus on processes, activities and their risks during business planning also can help management focus on those risks that make a difference in regard to the goals and objectives. This can be illustrated by looking at the risks that affect the accounts receivable reserve process component, as shown below.

• Risks affecting business performance
  - Credit lines -- and resulting receivables reserves -- are not aligned with the appetite for risk.
  - Credit review and approval is not consistent with policy and procedure.
  - Credit review and approval is not concurrent with order entry.
  - Credit information uses customer and product master files inefficiently.
  - The system/procedure for updating receivables and related reserves is inefficient.
• Risks affecting financial reporting
  - Valuation of accounts receivable reserves is inaccurate.
  - The calculation and posting of the accounts receivable reserves are inaccurate, untimely, and/or not compliant with policy and procedure.
  - Protection from collusion/fraud -- by failing to remove inactive accounts, for example -- is ineffective.
  - Segregation of duties is insufficient.
  - Personnel performing the duties are insufficiently trained/motivated.
  - Expected changes in the level or kind of accounts receivable are not anticipated.
Some of these risks relate to financial reporting objectives -- to Sarbanes-Oxley compliance -- as they involve fraud prevention and misstatement of financial results, as well as the capability of the organization to prevent fraud, to safeguard assets and to deliver effective financial reports. Others of these risks relate more to business performance, such as the alignment of credit lines with the company’s appetite for risk, and the timing of credit review and approval. And still others of these risks relate more to Sarbanes-Oxley Section 409 than to Section 404 compliance, as they deal with the company’s ability to project -- and affect -- future positions from current trends and conditions. In any regard, by starting with an overall business planning view, all risks can be identified at the design stage; but a priority can be set and a focus established by analyzing further only those objectives and their risks that are important to the business. In this example, this undoubtedly will include risks related to asset and customer management as well as those that relate to Sarbanes-Oxley compliance. The important processes, controls and risks can be addressed during business planning activities. Further effort can be spent on those risks that are worth the effort. This approach should provide a focus on what is important while involving less work.

As an example of how a corporation can integrate bottoms-up risk and controls management into its business planning, a multinational consumer products company includes risk assessment in every planning cycle and update, and it expects each business unit to consider risks, and the overall portfolio of risks, in developing its planned activities and its expected results. The business units assess risks by reviewing intended results from their business processes. The business units’ risk portfolios are aggregated -- by business group, by region, and by product line -- to enable senior management to set priorities and to make trade-offs. In addition to this integration from business to management processes, the risk committee of the board also reviews this effort from the standpoint of its governance processes.

Some companies, to date, are ignoring this integrated approach. Some are beginning to recognize the potential, but because they started with separate programs, they are solving the problem in reverse, through what has been coined “exploiting convergence opportunities.”6 Clearly, this is better than ignoring these opportunities, but starting with an integrated, or convergent, design simply eliminates the need to find how to converge programs that should never have been separated. The place to start with an integrated design is in the planning process.
6 “The Unexpected Benefits of Sarbanes-Oxley,” Wagner and Dittmar, Harvard Business Review, April 2006.
Supporting With Software That Integrates Risk Management With Business Planning, and From a Process Perspective

The result of taking this approach is an integrated business plan that addresses business, reporting and compliance objectives: by looking at the way work is done to achieve those objectives; by considering the uncertainties in the results of doing that work; and by addressing ways to deal with those uncertainties. Taking this approach treats compliance as a business-centric issue, and not as an off-to-the-side compliance matter. The problem is that most approaches, and most software, do treat compliance as a distinctive process. This leads to added effort to develop separated programs and then to integrate them, and then to maintain that integration and connectivity as one or another program changes. You can overcome this by looking for software that will support an integrated solution that begins with business planning and relies on a process perspective.

Today there are some advertised best practices for requests for proposals for systems to support Sarbanes-Oxley compliance.7 However, they tend to focus on technical and operational features, and either do not include managerial features or treat them in a very high-level way. It would be better to consider the management design issues more directly when considering software to support your compliance program.

To summarize from a technical perspective what has been discussed in this issue, when evaluating software as a tool to support Sarbanes-Oxley compliance, consider the management design as well as the technical and operational design features. In sum, consider its capability to support business planning, and from a business-process perspective, for:

• Recording operations processes and activities, and their controls -- end-to-end, hierarchical, and connected -- during the planning process and as part of the planning framework,
• Identifying outcomes as an array and not just a single-point estimate, as well as estimating the sizes and the probabilities, or likelihoods, of the outcomes,
• Aggregating outcomes, by process and eventually by business, into a summary of expected performance,
• Aggregating “what if” outcomes for different assumptions and conditions, and
• Providing a generic solution that can be tailored.
If the software you are considering or using does not have some of these capabilities, then at least look for ease of uploading to and downloading from that software to a system that has these features. Whatever the software selected, make sure that it includes a developed, generic, connected and integrated model of activities (both operating and control activities) and their risks, so that your focus can be on tailoring that model and not having to create it.
7 SOXRFP.com, “The 2006 Sarbanes-Oxley RFP Template.”
About the Author

Malcolm Schwartz is one of the principal contributors to The COSO Report (“Internal Control Integrated Framework”), and has been on the recent COSO task force providing simplified guidelines for Sarbanes-Oxley compliance. He currently is COO of CRS Associates LLC. He recently retired from PwC, where he was a senior management consulting partner. Prior to that, he had been a senior vice-president and CFO of Booz, Allen & Hamilton; and had held general, financial and operations management and staff positions at Insilco, Westinghouse Broadcasting, and Procter & Gamble. Malcolm can be reached at [email protected] or 908-2736967.
About the Sponsor, BWise B.V.
BWise is an enterprise risk management (ERM), corporate compliance, and internal control software provider. BWise delivers solutions to help organizations become “in control” by increasing corporate accountability; strengthening financial, strategic and operational efficiencies; and maximizing performance and ROI. More than 1,000 companies with more than 125,000 users rely on BWise solutions, including VNU, TNT, Connexxion and Crucell. For more information, please go to: www.bwise.com
About FERF

Financial Executives Research Foundation (FERF) is the non-profit 501(c)(3) research affiliate of Financial Executives International (FEI). FERF researchers identify key financial issues and develop impartial, timely research reports for FEI members and non-members alike, in a variety of publication formats. FERF relies primarily on voluntary tax-deductible contributions from corporations and individuals. For more information, visit http://www.fei.org or http://www.ferf.org.

The views set forth in this publication do not necessarily reflect those of the Financial Executives Research Foundation Board as a whole, individual trustees, employees or the members of the Research Advisory Council. Financial Executives Research Foundation shall be held harmless against any claims, demands, injuries, costs or expenses of any kind or nature whatsoever except such liabilities as may result from misconduct or improper performance by the Foundation or any of its representatives.

This and more than 80 other Research Foundation publications can be ordered by logging onto http://www.ferf.org.
Financial Executives Research Foundation, Inc., would like to thank and acknowledge BWise B.V. for their generosity and support in underwriting this report.
Copyright © 2006 by Financial Executives Research Foundation, Inc.

All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher and the author.

International Standard Book Number 1-933130-28-8
Printed in the United States of America
First Printing.

Authorization to photocopy items for internal or personal use, or the internal or personal use of specific clients, is granted by Financial Executives Research Foundation, Inc., provided that an appropriate fee is paid to Copyright Clearance Center, 222 Rosewood Drive, Danvers MA 01923. Fee inquiries can be directed to Copyright Clearance Center at 978-750-8400. For further information please check Copyright Clearance Center online at: http://www.copyright.com.