Today’s business environment is complex. Exponential growth and change in risks, regulations, globalization, employees, distributed operations, competitive velocity, technology, and business data encumber organizations of all sizes. Keeping this risk, complexity, and change in sync is a significant challenge for boards, executives, and GRC management professionals throughout all levels of the business. Organizations need to understand how to design effective compliance controls, implement them, and continuously review whether the risks they were designed to control are effectively mitigated.
Compliance control management in the modern organization is:
- Distributed. Even the smallest of organizations can have distributed operations complicated by a web of interrelated transactions, processes, and relationships. The traditional brick-and-mortar business with physical buildings and conventional employees has been replaced with an interconnected mesh of relationships and interactions which define the organization. Complexity grows as these interconnected roles, relationships, and processes move to an increasing number of systems.
- Dynamic. Organizations are in a constant state of change as distributed operations and systems grow and evolve. At the same time, the organization is trying to remain competitive with shifting employees, business strategies, technologies, partners, and processes while also keeping pace with changes to risk environments that impact internal controls. Managing controls and business change on numerous fronts has buried many organizations.
- Disrupted. Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, transactions, processes, roles, and relationships to see the big picture of risk and controls. The velocity, variety, veracity, and volume of control data are overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
- Accountable. There is a growing awareness among executives and directors that control management needs to be taken seriously. It is part of their fiduciary compliance obligations to oversee controls as an integrated part of business strategy and execution. Furthermore, regulations that increase personal liability within these roles emphasize business leaders taking greater interest and accountability for risk, control, and compliance.
Internal control management is often misunderstood, misapplied, and misinterpreted due to scattered and uncoordinated approaches that get in the way of sharing data. This is particularly true when internal control management is a set of manual processes encumbered by documents, spreadsheets, and emails when it could be continuously monitored and enforced.
Controls aid the organization in reliably achieving objectives, controls manage uncertainty by mitigating risk, and controls are a critical part of meeting compliance obligations and enabling the organization to act with integrity. Good internal controls result in predictable business behavior, transactions, access, and processes.
Organizations are best served by taking an enterprise approach to compliance/internal control management. This can be done through a common control management strategy, process, and technology architecture that supports overall internal control management activities and automated continuous monitoring and enforcement. This can then roll into enterprise and operational risk management and reporting that supports business objectives and is integrated with decision-making processes.
The primary directive of a mature control management program is to deliver effectiveness, efficiency, and agility to business operations and processes. This is in the context of managing the breadth of controls across organizational systems, processes, and roles. This requires a strategy that connects the enterprise systems, business units, processes, users, transactions, and information to enable transparency, discipline, and control of the ecosystem of controls across the enterprise.
An integrated view of controls provides an organization with a real-time view of enterprise risk and performance, so it can proactively automate and address emerging risks in systems and processes as they happen. It also enables the organization to reduce the cost of compliance by eliminating the need to manually collect, aggregate, analyze, and report on controls in documents, spreadsheets, emails and other manual control processes.
There should be a central core technology platform for compliance/internal control management that connects the fabric of the control processes, information, and other technologies across the organization. The right internal control management and automation technology choice for an organization facilitates the integration and correlation of control information, analytics, and reporting. Organizations suffer when they take a myopic view of control management technology that fails to connect all the dots and provide context to business analytics, performance, objectives, and strategy in the real time in which a business operates.
Organizations should have a complete view of what is happening with controls in the context of risk and compliance. Contextual awareness requires that control management have a central nervous system to capture signals found in business processes so the organization knows control status and issues and can quickly and effectively remediate risk and improve performance.
Compliance/internal control management enables organizations to understand and automate controls in the context of risk. Successful internal control management requires the organization to provide technology for control automation that enables the organization to identify, analyze, manage, and monitor controls and capture changes in the organization’s risk profile.