Managing financial controls effectively is no walk in the park. Global organizations struggle to ensure that financial controls are defined, monitored and managed effectively across end-to-end processes, functions, regions and operating units.
Due to the obvious impact of audit opinion on financial control effectiveness, especially under regulatory umbrellas such as Sarbanes-Oxley, many organizations are in a vicious cycle of reactive fire-fighting rather than focusing their efforts on managing the process proactively.
On June 11th, Jennifer Gettmann, Director of Global Financial Policies and Controls at Starbucks, shared her story of how they have recently streamlined their approach to financial risk management and control.
For a $26.5bn company, streamlining any business process can be a major undertaking. Starbucks used known challenges with Segregation of Duties (SoD) in their core ERP, Oracle E-Business Suite, as a catalyst for a change in approach across all processes and systems.
Within eight months, they had achieved more than they could have imagined at the start.
Early on it became clear that it was about changing the mindset of “controls” across the company, addressing the key issues of governance and ownership, complexity and collaboration.
Jennifer and the team revamped their entire approach, with a focused and disciplined “Get Clean” phase (which included identifying and implementing the key policies that would govern their approach, such as eliminating the need for “compensating controls”), followed by a comprehensive “Stay Clean” process that addressed all the dimensions of risk response.
Of course, we are all comfortable with the idea of “projects” such as “Get Clean”, that have a start and an end and a clear outcome.
Much more challenging is the creation of a new order, a new sustainable process such as “Stay Clean”, that has no start and no finish. A new process requires understanding, collaboration, governance, discipline, policies, and a new set of habits for those across the organization: not just the classic “2nd Line of Defense”, but operational management (“1st Line of Defense”) in the business too.
“Stay Clean” is all about creating a holistic, sustainable, preventive control environment as opposed to a more detective approach. Like a lot of things, it sounds hard to do, but with the right leadership, expertise, commitment and effort, the new process pays off handsomely and saves time and money.
But the “Stay Clean” process is complex. The usual high-level diagrams we often see are great for communicating the outcomes and encouraging collaboration across stakeholders and participants, but they don’t help with the detail of explaining the “Why, What, How, Who, When” that process detail and task execution require.
This is where the concept of “Journeys” came in and proved a powerful mechanism to drive understanding, collaboration and the management of complexity. These “journey maps” were used to understand the As-Is activity, the strengths, weaknesses, opportunities and threats and are the baseline to creating a To-Be definition that all participants could understand and align around.
Accountability and collaboration go hand in hand. No-one in a complex organization has all the knowledge and skills to address every component of the risk and control framework. Jennifer tackled this head-on. Is it IT? Is it Finance? Is it Audit? Is it the Business? With a new CFO and Controller, a much needed impetus was provided and governance proved a powerful platform with a Steering Committee that got the buy-in needed early on across all business functions and operating units.
After only 8 months the results for Jennifer and Starbucks have been stellar, and this success is now paving the way for broader business process changes across Starbucks. Global Process Owners are taking greater accountability, automation is being targeted using the new “Journeys”, and the momentum means that no-one wants to go back to the old ways.
Jennifer’s leadership and the Starbucks experience highlight the need for organizations not to be disheartened by the “shock of realization” at the apparent scale of the task when it comes to streamlining Internal Controls over Financial Reporting (ICFR).
Sometimes it is easier to “kick the can down the road” than take what seems like a hard path and face tricky issues head-on.
The evidence of this experience is that leadership and commitment can be the catalyst to deliver outcomes that are highly valuable to the business. At Starbucks, the “Get Clean” and “Stay Clean” processes and journeys are now being applied to a wider set of processes supported by applications including SAP, JDA, WMOS, Ariba and SuccessFactors.
Few of us like the prospect of the upheavals associated with process change. Rather like the route to personal fitness, a focus on the outcome can make the short-term pain and discomfort disappear into the rear-view mirror surprisingly quickly!
You can see the recording of the webcast here.
Thanks for reading…
Q&A Session with Jennifer
We were delighted to be sent numerous engaging questions from those who attended the session. We thought the answers might be of interest to the wider audience, so we have collated the ones with common themes with greatest relevance below:
- I notice on the stay clean process there was no periodic validation of control. Does this mean that the confidence in the joiners, leavers and movers controls is so high that a periodic validation is not required?
- We didn’t show all the detail, but each of the ten journeys includes a periodic validation component and there is a specific journey for user access review and attestation.
- When Jennifer and Martin talked about the “get clean” and “stay clean” journeys, which one do you consider more challenging and why?
- They are both challenging in different ways. “Get Clean” had an awe-inspiring volume of issues to address and a steep learning curve, but “Stay Clean” is challenging because it is implementing a new process, with cross-functional participation, a new governance model, and new policies and procedures that need to be institutionalized. This has a lot more moving parts than running an individual “Get Clean” project. It is also easier to have the organisational “stamina” to complete a finite project than to sustain an ongoing process.
- Jennifer – Would you say you created more new roles or modified access in current roles in order to correct the SoD issues?
- The effort was mostly in refinement of existing roles with some new roles created. The effort was approximately 80% role refinement.
- Explain the experience a little more please on the AS-IS journey slide.
- We started with a Journey template and ran workshops with those who execute current tasks in the journeys to get clarity on WHY, WHAT, WHO, HOW, WHEN, and also the effectiveness, efficiency and ease of undertaking the tasks and to clarify missing control points. We then used these insights to create the “TO-BE” journey map and test it with stakeholders and participants.
- Hi. Migrating from detective controls to preventive, do you intend to implement automated detection controls in Oracle for deviations, like a customer invoice exceeding the credit limit, with alert management for instance?
- This specific example is typically a preventive control embedded in the ERP order to cash process, as the credit risk should be addressed before order approval. But in general, doing specific transaction lookbacks (transaction exception monitoring) is part of our roadmap for known high risk activities or policy exceptions.
- Now that Starbucks is moving to a new delivery format and close out the in-store experience, how does this square with the webinar as presented today?
- There are changes to the mechanisms of retail sales and service due to social distancing measures, but the core processes have remained stable. Even if we went to 100% drive through, the financial risks have not changed.
- Jennifer, what has been the hardest part of this undertaking?
- The sheer scale and complexity of the problem and subject matter was daunting. But with clarity, executive support and expert advice, the actual experience was not as hard as we expected. Taking ownership for activities that you have no expertise in, such as IT related tasks, is uncomfortable at first, but over time it helps reinforce the need for the collaborative approach.
- Martin, what is the key reason you think Starbucks have been so successful in this endeavour?
- We quickly formed a bond of trust and collaboration which was a massive help in guiding a cross-functional community down a road they had never travelled before. Executive leadership’s active support and accountability drove the momentum. Showing weekly progress was a big factor in maintaining visibility and support of executives. The approach to end-to-end processes and the “journeys” was embraced, so we made rapid progress, without diversions.
- I would love to hear how the mindset and culture to embed controls and compliance evolved and what were the key trigger points or learnings to get the business on board? How do we ensure it’s proactive and not deprioritised to other conflicting needs?
I think the core of what you are describing is essentially what most organizations face when it comes to compliance – simply mandated requirements. This line of thought usually translates into what is the bare minimum I could do to get by. As such, it can be challenging to get commitments beyond what is absolutely necessary for us to “get by.”
For us to “get by,” there actually is quite a bit of alignment that needs to happen between all 3 lines of defense as well as the external auditors. In the past, we have packaged our control environment in a certain fashion that was sufficient, especially if you are reviewing at a high level as opposed to diving into details and asking “why” do we have these controls. We were able to present the controls and processes well, and support walk-throughs with our auditors without issues with design effectiveness or significant control gaps.
Since we were passing SOX certifications as is, who would really ask what more do we need to do? In FY19, Starbucks hired a new CFO and some other leadership changes provided an opportunity for new perspectives within the internal audit department. Three things came into play:
- New leadership came in with a fresh mindset and really challenged the finance and accounting org to think critically about what constitutes a strong control environment.
- New Internal Audit perspectives that devoted time into the “why?”
- Focus on elevating the overall SOX Program at Starbucks
Two common questions/attitudes exist in a number of organisations:
- “This is how we have always done things, why do we need to change?”
- “We were able to pass testing before, why can’t we anymore?”
Experienced finance and accounting teams can be quite territorial when it comes to controls, often challenging the need for change. With new leadership in place and a renewed focus on controls, the overall mindset had to change. This provided my team the opportunity to step in and work closely with the business on reshaping the mindset. As the 2nd line of defense, it was essential that we were not just asking questions, but also providing a pathway to solutions. This allowed us to gain victories and eventually shift the overall mindset. Teams were able to see the benefit and started to find ways to improve controls and processes.
However, auditors, even with best practices/standards defined, can be quite subjective. The same control could look fine and pass testing from one auditor but be failed by another. The new Internal Audit team members really challenged the status quo. This same experience is true of external auditors.
Going beyond control environment in general, a very good and specific example to give here is Segregation of Duties (SOD).
SOD-related issues existed for many years here at Starbucks; however, it wasn’t until FY19, when Internal Audit focused on the SOD issues and new management agreed that our process needed to be re-examined and refined, that we were really able to put some solid resources behind enhancing access management.
As we partnered with Consider, we had a solid phased approach in addressing SOD issues. The first part of this effort is really reactive, but it essentially entailed spending the better half of 3 months examining the conflicts close up and addressing root causes for each conflict. This allowed us to clearly identify an isolated group of users with SOD conflicts in the system and ensure we had the proper guard rails in place to address the risks. Our overarching goal was to eliminate compensating controls.
With a clean environment, our mindset then shifted to how do we avoid the never-ending clean up cycles we had in the past. By clearly articulating what success looks like and creating a plan to get there, we had the necessary support from leadership to take a proactive approach to re-defining old processes. Leadership support was instrumental in shifting from a reactive approach to a proactive and preventative approach. It is critical that you have a way to measure progress and clearly show what success looks like to the right audience – they champion your cause.
Our experience with SOD just manifested itself across the board in terms of how we partner with different teams across the business. This partnership with business is really anchored on strong collaboration and securing wins in the control space which creates goodwill and relationships that can be leveraged long term.