Deloitte Shared Services Conference 2018
Extended lab 4: Internal controls: managing risk in the age of digitalisation
Ani Sen Gupta and Edward Litchfield, Deloitte

Industry context and direction of travel

Industry context

Industry 4.0: advances in robotics, cognitive automation and data science are reshaping industries and creating new business models, posing both an opportunity and a challenge for incumbents in the sector. The future: increased use of utility functions; risk management by design.

Timeline (1700s onwards):
- 1st Industrial Revolution, 1784: first mechanical weaving loom; mechanical production facilities powered by water and steam
- 2nd Industrial Revolution, 1870: first assembly line; mass production with the help of electrical energy
- 3rd Industrial Revolution, 1969: first programmable logic control system; electronics and IT applied to further automate production
- Current automation maturity curve: BPM systems; early-stage RPA; early-stage cognitive; capable RPA solutions deployed; widespread cognitive augmentation and automation

Risk and control management is at an inflection point

Despite massive spending to meet regulatory risk requirements, risk management activities often do not meet stakeholder expectations or address the challenges and opportunities arising from Industry 4.0. The pressures shown on the slide: regulation (re-regulation, new risk types); stakeholder expectations; cost and complexity; delivery models and capabilities (the three lines of defence, delivery models); disruptive technologies.

Common internal challenges for risk and control functions

Common internal challenges faced by risk and control functions add pressure to an already complex macro environment, but also offer the opportunity to transform the function.

Regulation driving structural change:
- Structural changes to business models and functions
- Technology becoming ever more foundational
- Roles and responsibilities across the lines of defence model

New and evolving risk landscape:
- Unprecedented pace of change
- Greater business unit engagement required
- Specialised skills needed and not commonplace

Current state: complexity and legacy processes:
- High cost to operate and fragmented architecture
- Reducing opportunities to realise efficiencies
- Need to increase automation

Meeting cost challenges:
- Pressure to reduce headcount and duplication of effort
- Challenge to demonstrate value and do more with less
- Drive continues for off-shore/near-shore, sourcing strategy, and automation

Disruptive technologies and data:
- Need for greater transparency, flexibility and accuracy
- Underutilisation of disruptive technologies across risk management activities

Fundamental questions to address

These pressures demand that risk and control functions ask fundamental questions

The answers to these questions will shape the transformation journey that addresses the challenges.

Is the function doing the right things?
- Is there a clear service definition?
- Should additional activities and services be performed?
- Is the function able to plan, assess and manage increased demands?
- What is the balance of administration versus value-added work?

How should the function be organised to deliver effectively?
- What is the optimal organisational structure?
- Is resourcing optimised between the lines of defence?
- Shared services or centres of excellence?
- Lower-cost locations or outsourcing?

Can transformation be achieved through a digitally enabled risk management ecosystem?
- Application of robotics
- Application of cognitive technologies
- Increased use of big data, advanced analytics and visualisation
- Partnering with external ecosystems

How should risk and control functions be organised to deliver effectively?

How should risk management be organised to deliver effectively?

An example three-part operating model structure, with key components to drive consistency and understanding across the organisation.

Key component parts of the target operating model:
- Service model
- Organisation model
- Governance model
- underpinned by a technology solution

Key considerations to successfully embed a target operating model:
- Culture
- Talent agenda
- Momentum
- Quick wins
- Value creation
- Service mind-set
- Buy-in
- Activity balance

Digitally enabled risk and control ecosystems

Digitally enabled risk management ecosystems

Industry leaders are moving to a digitally enabled risk management ecosystem. This is a journey that can be tackled in stages: organisations should define the pace at which they want to move and consider the priority initiatives that will demonstrate business value. The risk cycle on both sides of the slide is the same: identify, assess, control, report and monitor, remediate.

NOW:
- Drowning in data, lacking in insight
- Highly manual processes
- Reactive risk management
- Siloed activities
- Limited inbuilt workflow
- Disconnected processes, managed via / ppt

FUTURE:
- Integrated and automated processes
- Leveraging data to drive risk decisions
- Proactive and predictive
- Interconnected risk activities
- Workflow built into the cycle
- GRC platform at the centre: the existing GRC remains the golden source, with interconnected "if this then that" workflow around it
- Reduction in manual overhead and duplication, increased time for proactive business insight

Digitally enabled risk management ecosystems

The business case can be positioned around clear benefits achieved through automation, visualisation and other digital technologies:
- Increased efficiency
- Thought leadership
- Improved quality
- Scalability
- Manageable cost base
- Faster processing
- Proactive risk management, not administration
- Increased employee engagement
- Enhanced governance and decision-making

CLARA: automation of control library quality management

Remediate control issues and embed a sustainable automated solution to manage controls documentation.

Context to the CLARA control library management solution: the most critical controls in an organisation are often well understood and managed, but many organisations suffer from a long tail of poorly designed and duplicative controls. These are at best onerous to manage and maintain, and at worst do not address all the risks faced. Recent advances in machine learning have enabled Deloitte to develop an efficient and effective solution to this problem.

What CLARA does: taking the client's control objectives and control activities as input and assessing them against the CLARA control standards, CLARA will quickly and efficiently:
1. Identify where there are gaps in control coverage across the organisation
2. Improve the quality and readability of control documentation
3. Act as a quality gateway to reduce the manual effort required in the control management process

CLARA: what a typical engagement looks like

CLARA will quickly and efficiently help identify and remediate control design and documentation issues. Over time the machine learning capability will suggest the best fix for these issues. Once these have been remediated, CLARA acts as a gateway to sustain the control improvements.

Input: client control objectives and control activities (collectively, the control library).

Use CLARA to fix current issues with control design (coverage and quality):
- Control coverage (module 1): assess control objectives against CLARA good practice; use the result to identify and resolve gaps in the control library
- Quality (module 2): assess control activities against CLARA good practice; identify duplicate controls; fix control documentation quality

Sustain the improvements with the ongoing CLARA service: a service-based solution to maintain the coverage and quality of the controls in the library.

How the work is shared:
- CLARA machine learning: scripting to analyse the coverage and quality of control data and frameworks
- Subject matter experts: Deloitte's industry-leading risk and control specialists augmented with data scientists
- Reduced resource overhead over time: manual input falls as CLARA learns your control environment, and the automatic share of the work grows
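The coverage, duplicate-control and documentation-quality checks described in the two CLARA slides above, as an added worked example in Python. This is not CLARA's code and it says nothing about how CLARA's machine learning actually works: it is a deterministic stand-in that maps activities to objectives to find uncovered objectives (module 1), uses stop-word-filtered token overlap (Jaccard similarity) to flag near-duplicate control activities, and applies a handful of assumed "good practice" documentation rules (named owner, stated frequency, minimum length, evidence retained) for module 2. The sample control library, the rule set and the 0.6 similarity threshold are all constructed for the illustration.

```python
"""Control-library checks: coverage gaps, near-duplicate activities and
documentation-quality rules. Added illustration only: not CLARA's code, and
the rules, threshold and sample library below are all constructed."""
import re
from dataclasses import dataclass
from itertools import combinations

# Assumed tokenisation: drop common function words so overlap reflects
# the substance of a control statement rather than its grammar.
STOPWORDS = {"the", "a", "an", "of", "to", "and", "is", "are", "for", "by",
             "on", "in", "all", "any", "that", "with", "be", "as"}

# Assumed 'good practice' rule: a control activity must state how often it runs.
FREQUENCY_WORDS = {"daily", "weekly", "monthly", "quarterly", "annually",
                   "continuously", "real-time", "event-driven"}


@dataclass
class Control:
    control_id: str
    objective_ids: list      # control objectives this activity claims to address
    description: str
    owner: str = ""


def tokens(text):
    """Lower-case word tokens with stop-words removed."""
    return {t for t in re.findall(r"[a-z0-9-]+", text.lower())
            if t not in STOPWORDS}


def jaccard(a, b):
    """Set overlap in [0, 1]; 1.0 means identical token sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def coverage_gaps(objective_ids, controls):
    """Module 1 stand-in: objectives to which no control activity maps."""
    covered = {oid for c in controls for oid in c.objective_ids}
    return sorted(set(objective_ids) - covered)


def near_duplicates(controls, threshold=0.6):
    """Module 2 stand-in: pairs of activities whose wording overlaps at or
    above the (assumed) threshold, for a reviewer to merge or differentiate."""
    pairs = []
    for a, b in combinations(controls, 2):
        score = jaccard(tokens(a.description), tokens(b.description))
        if score >= threshold:
            pairs.append((a.control_id, b.control_id, round(score, 2)))
    return pairs


def quality_findings(control):
    """Module 2 stand-in: documentation rules the activity fails, by name."""
    findings = []
    words = tokens(control.description)
    if not control.owner:
        findings.append("no owner")
    if not words & FREQUENCY_WORDS:
        findings.append("no frequency stated")
    if len(control.description.split()) < 8:
        findings.append("description too short")
    if not words & {"evidence", "retained", "retains"}:
        findings.append("no evidence retained")
    return findings


# Constructed sample library: three objectives, three activities.
OBJECTIVES = ["CO-1", "CO-2", "CO-3"]
CONTROLS = [
    Control("CA-1", ["CO-1"], "Access to the payments application is reviewed "
            "quarterly by the application owner and evidence of the review is "
            "retained", owner="J. Doe"),
    Control("CA-2", ["CO-1"], "The application owner reviews access to the "
            "payments application quarterly and retains evidence of the review",
            owner="J. Doe"),
    Control("CA-3", ["CO-2"], "Changes are approved"),
]


def run_checks(objective_ids=OBJECTIVES, controls=CONTROLS):
    """Gateway report: everything a reviewer must resolve before the library
    is accepted."""
    return {
        "coverage_gaps": coverage_gaps(objective_ids, controls),
        "near_duplicates": near_duplicates(controls),
        "quality": {c.control_id: quality_findings(c) for c in controls
                    if quality_findings(c)},
    }


if __name__ == "__main__":
    for section, result in run_checks().items():
        print(section, result)
```

On the constructed library the report flags CO-3 as uncovered, CA-1 and CA-2 as near-duplicates (overlap 0.64) and CA-3 as failing all four documentation rules. Token overlap is deliberately simple; what matters for the gateway role is that every finding names the rule it failed so a reviewer can accept or override it, and raising the threshold trades missed duplicates for fewer false pairs.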


CMP: Control Monitoring Platform, automating control monitoring

The Deloitte Control Monitoring Platform (CMP) automates the collation, aggregation and reporting of key control indicators (KCIs) into an operations-style monitoring dashboard. The platform is designed to deliver value by facilitating timely and effective risk-based decision making, simplifying the collation of data for committee reporting, and providing a sustainable platform to embed enhancements to control monitoring processes and KCIs into business-as-usual operations.

- Continuous monitoring and MI: accurate pinpointing of root cause through a customisable drill-down view of the control environment by business and/or technology area
- Plug-and-play integration and automation: integration with existing monitoring solutions using APIs and automation software
- Dynamic and static views: ability to query the data dynamically as well as to produce static offline reports for governance reporting and for different audiences
- Action led: workflow remediation of identified control failures through integration with your chosen infrastructure, e.g. service desks and GRC platforms
- Future proof: a single metric repository aligned to agreed data definitions

The CMP user interface supports KCI reporting in line with the control metrics and reporting requirements, such as a KCI view by global business, function and region.
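The collation, aggregation, drill-down and action-led remediation described above, as an added worked example in Python. It is not CMP's code: the KCI definition schema (a single repository holding each metric's underlying control and its RAG thresholds), the event format, the thresholds and the ticket fields are all assumed, and the control-test results are constructed. It shows the point the drill-down exists for: a global roll-up can sit at amber while one business/region cell is red, and only the red cell should raise a remediation ticket.

```python
"""KCI collation, aggregation, RAG rating and remediation tickets.
Added illustration of what a control-monitoring platform does; this is
not Deloitte's CMP code and every schema and threshold here is assumed."""
from collections import defaultdict

# Single metric repository: one agreed definition per KCI (assumed schema).
# Thresholds are pass rates: >= green is GREEN, >= amber is AMBER, else RED.
KCI_DEFINITIONS = {
    "KCI-ACCESS-01": {
        "name": "Leaver access removed within agreed SLA",
        "control_id": "CA-ACC-01",
        "green": 0.98,
        "amber": 0.95,
    },
    "KCI-CHANGE-01": {
        "name": "Production changes with approved change record",
        "control_id": "CA-CHG-01",
        "green": 1.00,
        "amber": 0.97,
    },
}


def make_events(control_id, business, region, tech, passed, failed):
    """Constructed test results: one row per tested control instance, in the
    shape an evidence feed or ticketing API might return (assumed fields)."""
    base = {"control_id": control_id, "business": business,
            "region": region, "tech": tech}
    return ([dict(base, passed=True) for _ in range(passed)]
            + [dict(base, passed=False) for _ in range(failed)])


EVENTS = (
    make_events("CA-ACC-01", "Retail", "EMEA", "IAM", passed=20, failed=0)
    + make_events("CA-ACC-01", "Retail", "APAC", "IAM", passed=9, failed=1)
    + make_events("CA-ACC-01", "Corporate", "EMEA", "IAM", passed=19, failed=1)
    + make_events("CA-CHG-01", "Corporate", "EMEA", "ERP", passed=10, failed=0)
)


def aggregate(events, kci_id, *dims):
    """Collate one KCI's underlying tests into (passed, total) per cell of the
    requested drill-down dimensions; no dims gives the global roll-up."""
    control_id = KCI_DEFINITIONS[kci_id]["control_id"]
    cells = defaultdict(lambda: [0, 0])
    for e in events:
        if e["control_id"] != control_id:
            continue
        key = tuple(e[d] for d in dims)
        cells[key][1] += 1
        cells[key][0] += int(e["passed"])
    return {k: (p, t) for k, (p, t) in cells.items()}


def rag(kci_id, passed, total):
    """RAG status of a cell against the KCI's agreed thresholds."""
    rate = passed / total if total else 0.0
    d = KCI_DEFINITIONS[kci_id]
    if rate >= d["green"]:
        return "GREEN"
    if rate >= d["amber"]:
        return "AMBER"
    return "RED"


def dashboard(events, kci_id, *dims):
    """Dynamic view: {cell: (pass_rate, RAG)} for the chosen drill-down."""
    return {k: (round(p / t, 3), rag(kci_id, p, t))
            for k, (p, t) in aggregate(events, kci_id, *dims).items()}


def remediation_tickets(events, kci_id, *dims):
    """Action-led output: one ticket per RED cell, in a shape a service-desk
    or GRC workflow integration could accept (field names assumed)."""
    tickets = []
    for key, (p, t) in aggregate(events, kci_id, *dims).items():
        if rag(kci_id, p, t) == "RED":
            tickets.append({
                "kci": kci_id,
                "title": KCI_DEFINITIONS[kci_id]["name"],
                "scope": dict(zip(dims, key)),
                "failed_tests": t - p,
                "pass_rate": round(p / t, 3),
            })
    return tickets


if __name__ == "__main__":
    print(dashboard(EVENTS, "KCI-ACCESS-01"))
    print(dashboard(EVENTS, "KCI-ACCESS-01", "business", "region"))
    print(remediation_tickets(EVENTS, "KCI-ACCESS-01", "business", "region"))
```

On the constructed data the global pass rate for KCI-ACCESS-01 is 0.96 (amber), while the Retail/APAC cell is 0.90 (red) and is the only one that raises a ticket. Keeping the thresholds next to the metric definition, rather than in each report, is what makes the "single metric repository" claim meaningful: every view and every ticket rates a cell the same way.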


Managing risk in a digital organisation

Managing risk in a digital organisation

How well equipped is your organisation to manage digital risks? In the new digital world, operations that were local are now global, manual processes are automated, organisations are constantly integrated with their suppliers and customers, and bad news travels fast. The speed at which a digital risk emerges and becomes an issue is accelerated. New risks need to be predicted, identified, managed and mitigated in an agile way.

Managing risk in a digital organisation: a flexible and consistent approach to identifying and managing the risks posed by new digital concepts and technologies

How the toolkit works in practice: the toolkit covers cloud computing; agile and DevOps; automation and robotics; AI and machine learning; blockchain; Internet of Things; omni-channel and social media.

AI and machine learning, an example from the risk and control toolkit (risk category: key risk considerations -> key control considerations):
- Model: use and quality of algorithms -> statistical model analysis; feedback mechanisms; model limitations approval
- Technology: change management; cyber security -> access controls; security vetting; end-to-end change management policy
- Supplier: higher reliance on start-ups -> supplier management framework; business impact analysis
- People: skills, knowledge and competencies -> talent strategy; AI centre of excellence; training requirements
- Legal: data privacy (including the impact of GDPR) -> data protection
- Market: impact on market stability -> business continuity planning; manual process back-out plans

This publication has been written in general terms and we recommend that you obtain professional advice before acting or refraining from action on any of the contents of this publication. Deloitte LLP accepts no liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London, EC4A 3BZ, United Kingdom. Deloitte LLP is the United Kingdom affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NWE LLP do not provide services to clients. Please see to learn more about our global network of member firms. All rights reserved.