Continuous Controls Monitoring, Transaction Monitoring and Data Analytics are all related terms for techniques that help assure the operation of core business processes and identify exceptions to policy or expected norms to help drive incremental improvement. Some organisations have had great success with these approaches and driven substantial benefits, but the majority of organisations still struggle to build a sufficiently robust plan and business case to get executive buy-in. This is, in part, due to the fact that transactional data analytics have multiple applications in the areas of risk management, compliance, control and process improvement.
So what is the way forward?
Awareness of significant exceptions in the execution of business processes is key to managing risk, assuring the effectiveness of internal controls, assuring compliance and identifying opportunities for process improvement. Continuously monitoring what’s happening in the business at a detailed level and having timely notification of deviations from the regular path means management have substantive evidence to take corrective action. This is as valid for control or policy exceptions as it is for effort- and cost-sapping process efficiency breakdowns.
It is a common misconception that the implementation of best in class ‘machinery’ such as a new Enterprise Resource Management (ERP) system negates the need to such analytics. Even the best machines in the world need to be monitored for potential control failure and to ensure optimal operation. Business processes are no different.
Key processes such as Procure to Pay, Order to Cash, Record to Report and Human Capital Management are typically supported and automated through use of IT systems such as ERP. All transactions are recorded in a database representing a ‘bread-crumb trail’ of business activity. Automated approaches can be used to monitor and alert for anomalies in the data that represent anomalies in the execution of the underlying business process.
Ultimately the goal is to identify, in areas where it matters most, the difference between ‘what is meant to happen’ and ‘what actually happens’.
Business processes are complex, transaction volumes can be very substantial, exception criteria are often difficult to nail down and specific roles and responsibilities are needed for the management of the monitoring process itself. Many initiatives to implement transaction monitoring have failed due to insufficient consideration of all elements needed to achieve success. Often the primary focus is on implementing a tool. A tool is needed but without due consideration for the end to end process, oversight, clear focus on business outcome and related analytic targets, a practical implementation plan, the tool alone will not deliver the desired value and the initiative will become peripheral or fall into disuse. As the saying goes ‘a fool with a tool is still a fool!’.
A considered assessment and a practical plan aligned to the organisation is needed to ensure a transaction monitoring approach is implemented in a way to deliver the desired value.
The key business drivers for such an assessment typically fall into 4 categories:
- Reputation protection
- Recent fraud, waste or error event
- Recent or recurrent Audit finding
- Perceived gaps in performance, effectiveness and efficiency in business processes
Such an approach needs to:
- Engage key stakeholders across the organisation typically including those in Internal Controls, Finance and Operations, HR, Internal Audit and IT.
- Assess the specific business scenarios that may be relevant for transaction monitoring and rate each scenario based on business priority and applicability for monitoring.
- Assess the organisation structure and recommend roles, responsibilities and oversight for a successful implementation.
- Assess any relevant approaches already in place, review lessons learnt and how those experiences can be best used going forward.
- Assess available technology options to implement transaction monitoring, considering the business and technical landscape of the organization.
- Provide an outline implementation plan with indicative costs and benefits.
- Achieve cross-functional buy-in to the approach.
Key steps in such an assessment and planning process are as follows:
- Agree scope and identify stakeholders and participants
- Assess current situation and needs through workshops, interviews and hands-on reviews
- Identify and prioritise candidate scenarios for transaction monitoring with indication of value at risk
- Explore the nuances of the organisation and stakeholder environment to understand what will actually work and deliver value in the specific context
- Develop draft oversight and operating model aligned to the organization with appropriate resourcing recommendations
- Agree conclusions and recommendations with stakeholders.
- Finalise objectives and plan
The plan should include a business case for any agreed streams of activity. The Case for Action – the essence of the Business Case needs to consider the following elements:
- The vision and rationale
- A comprehensive process monitoring environment for optimised risk and performance management
- Tangible benefits of Transaction Monitoring
- Cost savings AND Cost avoidance
- Internal Audit Effort
- External Audit Effort
- Finance Effort (centrally and locally (often disguised!))
- IT Effort
- Other External effort
- Fraud and misappropriation
- Improved risk management
- Improved process efficiency – eliminating variance & waste
- Better decision support for management
Experience suggests that potential stakeholders across the organisation can have wildly different perceptions of the current state of performance monitoring and control, different vested interests and different beliefs on what ‘must be done’ and even different semantic understanding of the terms used.
Recent such engagements that Consider Solutions have performed show that one of the biggest benefits of such an assessment and planning exercise is gaining consensus on the issues and potential for addressing them. This is achieved, in part, by education and the sharing of clear examples from other organisations, and through an independent business-focussed approach to facilitation that has no vested interest in the outcome. By exploring objectives, targets and specific business outcomes required, the process landscape and priority areas for better management insight become clear.
Ultimately, this assessment and planning process must be led by that rarest of species, a business focused, process oriented risk and performance specialist, with a strong understanding of the capabilities and constraints of IT systems.
Isn’t this just ‘Business Intelligence’, I hear you ask?
This is a form of business intelligence focused on exceptions, and whilst it is common sense, it is not yet common practice for all organisations.
Thanks for reading. . .