acca cfo forum final presentation

Improving Business Performance: Transforming GRC program ACCA CFO Workshop Troutbeck Resort, 16-17 May 2015 Presentation by Tagarira Mutenga, Associate Director

Upload: mutenga-tagarira

Post on 18-Feb-2017



Page 2

Discussion Points

1. What is business performance?

2. What is Business Performance Management?

3. How leading companies enable business performance

4. What does GRC mean?

5. Overview of Business Performance Management

6. Today’s GRC environment

7. Transforming GRC Program

8. Conclusion

Page 3

What is business performance?

► A measure of how well a company is meeting its strategic targets.

► Deviation from budget.

► Process of delivering on strategic priorities and goals.

► Forms of performance data include:

► Key Performance Indicators (KPI)

► Variance Reports

► Customer Feedback Reports

► Management Dashboards of all kinds

► It is a fact that many managers are drowning in data and are thirsty for real, insightful reports for decision making.

► Decision making feeds into management action or failure to act, and that impacts business performance.

Page 4

What is Business Performance Management?

► Business Performance Management is a comprehensive governance and performance management system.

► Like the central nervous system of a human body, it senses the environment for changes and sends a signal for reaction.

► It does so by providing rapid and easy access to actionable information about the health of the organization and internal and external influences affecting the ecosystem.

Page 5

• Identify and understand the “risks that matter”

• Differentially invest in the risks that are “mission critical” to the organization

• Effectively assess risks across the business and drive accountability and ownership

• Demonstrate strength of risk management to investors, analysts and regulators

• Utilize a new risk operating model to materially improve the cost structure

• Reduce cost of control spend through improved use of automated controls

• Eliminate duplicative or overlapping risk activities

• Improve process efficiency through automated centers, business activities and continuous monitoring

• Obtain superior returns from your risk investments

• Accept and “own” the right risks to achieve competitive advantage

• Improve controls around key processes

• Use analytics to optimize the risk portfolio and improve decision-making

• Use risk management savings to fund strategic corporate initiatives

Survey Results: The importance of GRC

82% of institutional investors are willing to pay a premium for effective risk management

(Source: Ernst & Young study)

3x “Companies in the top 20% of risk management maturity delivered four times the level of EBITDA than the bottom 20%.”

(Source: Turning risk into results, Ernst & Young)

Companies are overspending on risk and controls; most are overspending by approximately 30%

How leading companies enable “business performance”

Where companies are looking to drive results

Cost Reduction

Value Creation

Risk Mitigation


Page 6

Ernst & Young’s GRC point of view: what does it mean?

Governance, Risk and Control (GRC) is

► an integrated, sustainable, holistic approach to organisation-wide governance, risk and control

► ensuring that an organisation acts ethically and in accordance with its risk appetite, internal policies and external regulations,

► through the alignment of strategy, processes, technology and people,

► thereby improving the organisation’s efficiency and effectiveness and increasing shareholder value, and

► enhancing overall business performance.

Page 7

Why business performance management is critical

Key challenges

Organizations often struggle to manage priorities due to impediments to timely and accurate decision support information.

Some of the key challenges influencing performance management include:

► Lack of performance management processes and systems to support collection and reporting of management information

► Limited understanding and appreciation of performance management

► Poor linkages between strategic and operational objectives, and further cascading to value drivers and KPIs, leading to impairment of organizational focus

► Insufficient visibility into actionable information, leading to slow decision making

► Capturing the volatility in strategies, international competition,

► Access technological capabilities and global best practices in R&D and reflecting them in performance management processes

► Monitoring sales and profitability management and reporting for both product and services sales channels

Driver-based Performance Management Solution

► Improve decision-making across the company through Driver-based insight and scenario testing

► Integrate planning across multiple outcomes, including market share, income statement, balance sheet, cash flow, and shareholder value

► Reallocate time spent on planning, budgeting, and forecasting from administration to real decision support

► Shorten cycle times and enable rolling or continuous planning

► Integrate strategy, long-range planning, annual budgeting, forecasting and management reporting with a common set of Drivers

► Manage detail in an explicitly hierarchical design

Page 8

Business Performance Management in action

Strategic Planning

Business Planning, Budgeting & Forecasting

Business Performance Reporting

► Refinement of assumptions and drivers

► Resource allocation

► Business plan validation

► Operational planning

► Re-forecasting and re-direction of resources

► Performance reports to provide feedback

► Price / cost optimisation

► Customer targeting/retention

► Predictive modelling

► Strategic, operational and tactical initiatives

► Product/customer profitability

► Segment analysis

► Validation of strategic initiatives

Decision Analytics

There needs to be effective interplay between the different analytical processes of the BPM eco-system.

► Financial reporting

► Variance analysis

► Compete analysis

► Business vision

► Strategy development

► Initiatives prioritisation

► Capital allocation

► Desired outcomes

Drivers are the connective tissue connecting all planning and management reporting processes

Page 9

Elements that constitute the core of any business performance management process

Enablers

‘GRC Elements’

Strategic Planning

• Also referred to as long range planning

• Strategic direction setting of the organization over the next long term period (typically 3-4 years)

• Setting of goals which are quantified in the form of certain high level metrics and whose realization becomes the objective of the organization

• Decision on allocation of the organization’s resources to pursue this strategy

Annual Planning

• Orientation of the organization towards meeting the objectives set in the strategic plan

• Comprehensive and all-encompassing plan, with both financial and non-financial metrics

• Translation of financial metrics into the budget

• Cascading of financial as well as non-financial metrics down the operational levels to form the performance measurement for individuals.

Decision Analytics

• Proactive support of the decision making process

• Usage of driver trees fed by rich and relevant datasets to gain insights based on past performance

• Employment of a combination of simulation and optimization analytics to support iterative exploration and improve future planning

• Efficient and effective management of large data sets to improve the quality of decisions

Business Performance Reporting

• Utilization of business performance reports to track the progress against the plan

• Focus on monitoring the drivers, which are lead indicators (e.g. to be defined for respective industry) to provide a forward looking view towards the businesses’ development and facilitate decision making performance

• Review lag indicators (e.g. market share) to get a summary of performance based on past decisions

Page 10

Key drivers of revenue and cost

Cost

Cost of goods sold

Sales & Dist. Expense

Other overheads

Variable Expenses

Fixed Expenses

Distribution Expense

Marketing & Promotions

Warehouse

Promotion Type

Promotion Frequency

Personnel Expenses

Administrative Expense

R&D Expense

Salaries

Other Expenses

Legal Expense

Travel Expense

Rent Expense

Rent

Personnel Cost

Repair Cost

Power & Fuel

Other Expenses

Direct Material Cost

Direct Labor Cost

Other Var. overheads

Power Cost

Testing Expense

Royalty Expense

Other Expenses

Material cost

Inbound freight

Loss, pilferage

Component Sales

Operating Margin

Outcome Metric Level 1 Drivers Level 2 Drivers Level 3 Drivers Additional Drivers

Average price

Number of Units Sold

Market Share

Market Demand

Promotion spend

Product Quality

Other Expenses

Service and other sales

Transportation

Market size & growth

Page 11

Operational efficiency drivers and link to KPIs

Supply Chain Efficiency

Outcome Metric

Preferred supplier spend

Outbound freight cost

Purchase order cycle time

Contract compliance

Inventory Turnover

Forecasting accuracy

Inventory obsolescence

Sourcing/Procurement

Drivers KPIs

Warehouse Management

Inventory

Transportation Management

Forecasting

Transaction Processing System

Average lead time

Order delivery accuracy rate

Order picking accuracy rate

Supplier delivery cycle time

Customer delivery cycle time

Delivery Accuracy

Material handling efficiency

Total costs as % of sales

Employee output

Employee turnover

Efficiency

Output as % of cost

Supply Chain

Information Management

Capital Efficiency

Operational Efficiency

Employee Productivity

Transforming GRC Program

Page 13

Today’s GRC environment is not fit for purpose …

GRC has become significantly more important as a result of continued corporate failures, increased globalisation resulting in companies operating in remote geographies with a significant increase in organisational and risk complexity, advances in technology and global financial crises.

Challenges:

► Overly complex, layers of historical control

► Duplication of risk mitigation and assurance activities

► Highly manual control environment

► High cost of control

► Controls disconnected from risks the business cares about

► Controls are disconnected from business performance

► Awareness and response lag behind real world events

► Lack of real time risk and control effectiveness visibility and transparency at senior management level

► Increased span of control through emerging market growth.

► Significant investments in ERP systems that only harness a fraction of their value

Reduced control costs

► Automated – Exploiting existing technology investment

► Standardized – One global set of controls

► Simplified – A smart set of controls

► Preventative – Fix the problems at source

Alignment to the risks that matter

► Alignment of controls to real enterprise risks

► Accountability at the point of control

► Prepared for realisation of unknown risks

► Controls are cost justified and have clear ownership

► Resources free to focus on risks that matter

Agility to respond

► Timely information at the right level for rapid decisions

► Transparent view of risks and control effectiveness

► Speed to remediate

► Establishment of a defensible information environment

► Reduced complexity and increased confidence accountability at point of control

Page 14

Roadmap for transforming GRC

Before an organization can align the functions responsible for risk management and enable a more successful GRC program, it must clearly understand risk types.

► Preventable risks: Risks arising from within the company that generate no strategic benefits. These risks only cost money when an event occurs.

► Strategic risks: Risks arising from within the company that are taken for superior strategic returns. No reward without risk taking.

► External risks: Risks originating outside the company. These risks are uncontrollable.

Once an organization understands its risk types, it can adequately manage them by designing risk responses and control models.

Page 15

Simplifying GRC processes

To simplify GRC processes, align and standardize the multiple functions responsible for risk to facilitate quicker decision-making and avoid unnecessary costs. Consider the following:

1. Enterprise-wide risk and control governance model

► A formal governance model that sets the risk culture tone at the top.

► Risk culture permeates through all levels of the organization.

2. Risk building blocks focused on risk strategy, identification, assessment and governance

► Formal risk strategy addressing vision and appetite.

► Formal risk identification process.

► Risk assessments to establish an aggregated view of risks aligned to strategy and performance.

► Risk governance practices that promote ownership and oversight.

3. Convergence of GRC functions and activities

► Consolidating and standardizing activities under internal audit, internal controls, legal compliance, and ERM to reduce costs, drive integration, and maximize the value.

► Standardizing enables the organization to build a more integrated GRC ecosystem with standardized GRC data and fosters a common language.

Page 16

ERM Culture - ‘Integrated Governance model’

Internal audit

Internal control

External audit

Business unit 1

Business unit 2

Business unit 3

Business unit 4

Aligned mandate and scope

Coordinated infrastructure and people

Consistent methods and practices

Common information and technology

Board oversight

Audit committee

Remuneration committee

Risk committees

Other committees

Executive management

CEO, CFO, CRO, COO

Level I

Level II

Level III

Level IV

Page 17

Evolving state of controls

Desirable state: Leveraging risk management for a strategic advantage

Current state: Complying with regulatory requirements

GRC model

Information and Communication

Monitoring, Control activities, Risk assessment, Control environment

Financial, Compliance, Operational, Strategic

Detect, Prevent, Automated, Manual, IT Dependent

GRC model

Information and Communication

Monitoring, Control activities, Risk assessment, Control environment

Financial, Compliance, Operational, Strategic

Control activities tailored and applied to all risk types

• Companies are overspending on risk

• Companies are over-controlled on compliance and financial risks

• Companies are not fully leveraging automated controls

• Companies are making limited use of continuous monitoring and data analytics

• Controls are not well aligned with the risks that matter

Transforming your controls environment to provide coverage of all risk types (financial, compliance, operational and strategic) will help your organization:

• Lower control costs

• Expedite decision making

• Increase speed of process execution; and

• Align risks and controls with strategic objectives

Detect, Prevent

Automated, Manual, IT Dependent

Page 18

The Power of Technology

GRC technology enhances risk management, controls and process execution by:

► Enabling continuous process and controls monitoring

► Providing reports and dashboards to enhance visibility to leadership, facilitating rapid response to risk events

► Consolidating risk management activities across the organization

For example:

► ERP: Deployment of global ERP has ensured that underlying processes and data are available centrally.

► eGRC: Tools provide a standardized platform and work-flow engine to capture all the activities undertaken by risk, control and compliance.

► Analytics: Companies are moving toward continuous control monitoring, designing algorithms to obtain and test data in real time from ERP, with tools such as SAP Approva.

Page 19

Conclusion

► Think about these companies and answer the following questions:

► AIG, Merrill Lynch, Enron, Worldcom, Kingdom Bank, Barbican Bank, Unibank, and First Building Society.

Questions

1. Do you think these companies did not have bright managers?

2. Do you think their internal auditing processes were not effective?

3. Were their compliance teams not providing red-flags?

4. Did their risk managers undertake industry prescribed quantitative risk models?

5. Were their boards, audit and risk committees not carrying out their mandates?

As professionals we need to rethink effective risk management!!!!

Questions?