We have been talking non-stop about the impact of COVID on our businesses and financials since March. But where we were focused on what COVID was doing to our businesses on a day-to-day basis, we are now examining its longer-term impact and the need to digitize risk management and control post-COVID.
COVID has forced a lot of changes and accelerated others. Organizations are hastening digital transformation efforts and are embracing the “post-modern” hub and spoke applications landscape. The ‘New Normal’ has encouraged businesses to take proactive approaches rather than rely on the usual stance of defending and responding. Now more than ever we are seeing a greater need for speed, agility and digital connectivity within our businesses – but how can we sustain this and make it a success?
With a mandate for digitization and the reality that remote working is the new norm, businesses need to examine their fitness levels. There’s a demand for greater Stamina, Strength, Agility, Control and Speed. COVID has highlighted flaws across business processes as well as within our risk and compliance approaches, and as a result we are understanding risk better.
It’s fair to say that a new risk and control landscape is coming; the need for change and the drivers for change are already making themselves known. Yet, before we get ahead of ourselves, it’s worth considering 5 Big Change Impediments that we need to navigate:
- Scope – risk management as a process
- Stakeholders (not just the 3 Lines of Defence – now the 3 Lines of Management & Assurance)
- Impact – from the Financial Statement, through business processes to the applications and technology stack and related controls.
- Complexity – the new hub & spoke ERP reality is supporting transformation and business flexibility, but at a cost
- Misconceptions – the need to challenge some of the reality rather than the mythology within your business
But it’s not all negative, far from it actually. Companies such as Arlanxeo and Starbucks have achieved digitization success and shared their stories on recent webinars with us. Both organizations highlighted the need for ownership and accountability from the very top as well as strong internal collaboration, managing complexity and building a roadmap that supports an agile working approach.
We can use the Arlanxeo and Starbucks case studies as great examples of accelerating risk management and control digitization. ERP-led digital transformation can be a massive undertaking and one that used to take years (in some cases, decades!) to complete. But COVID has forced us to approach such projects in totally different ways. Risk and control always featured towards the end of such projects BUT not now. In a recent KPMG study it was noted that focusing on risk and control after ERP migration can cost up to 30 times more than starting ahead of time.
Hans van Nes, COO at Consider Solutions, showed a 3 cornerstone approach when it comes to risk management and control digitization.
- Thinking: Fact to Act
- Managing: Plan to Result
- Deployment: Sprint to Value
This unique approach helps achieve project success in this new and unprecedented era. And, whilst many of the typical roadblocks (ownership, resource, old habits and IT hesitation) may still remain, the key now is to design and implement a PROCESS, not just a project.
The past four months have certainly created many talking points for us and how organizations have been operating versus how COVID has forced us to adapt. Unintentionally, risk and compliance have been brought to the forefront of conversations and caused us to review how they have been previously managed. If we can take anything away from COVID it has to be that this new digital and remote working era is making businesses more agile and is pushing them out of their comfort zones to achieve the impossible.
If you would like to watch the full recording of the webcast, you can find it here
Thanks for reading…
We were delighted to be sent numerous engaging questions from those who attended the session. We thought the answers might be of interest to the wider audience, so we have collated the ones with common themes with greatest relevance below:
- How has COVID changed our risks?
- COVID has changed our working practices, staffing, process execution, policies and even methods of supervision due to remote working, furloughs etc. Many organisations have found this has exposed previously hidden weaknesses in existing processes, risks they were not aware of and policies that no longer work effectively. This has highlighted that we need to both regularly update our risk understanding and have a more agile method of incorporating changes to risk, policy and control into our operating model and monitoring capabilities.
- We are upgrading from an on-premise SAP ERP to a cloud based SAP ERP. Why does this change our needs?
- The new generation of cloud-based ERPs all recognise that the central ERP is not a monolithic support for all business processes. The Marketing, Sales, E-Commerce, Procurement and Supply Chain requirements are best served by best-in-class applications, many of which are cloud based. Further, some automation of key business processes, such as electronic invoicing, requires a cloud-based network that suppliers can participate in. So, the architecture fundamentally changes and how we approach it from a risk and control perspective changes also.
- Can you explain what you mean by “3 Lines”?
- The 3 lines of risk management are:
- Operational management in the business that manage risk and opportunity every day in our dealings with customers, suppliers, products, projects etc.
- The risk management professionals in IT, finance and business that define, manage and monitor the risk management processes, such as those leading the SOX program for example.
- The independent assurance provided by internal and external audit.
- In the past 15 years there has been an overwhelming focus on the 2nd line, although an effective and efficient risk management process requires the 1st line to be enabled and engaged.
- What is different about your “Digitization Sprints” from what we have traditionally done with our GRC tools?
- Most GRC tools have traditionally been focussed on detection OR prevention OR attestation. The new normal requires an approach that encompasses all 3 modes, can be deployed rapidly and can be easily modified in flight to enable agile risk management and risk informed decision making.