Back-office operations in commercial and investment banks are among those critical functions that are underappreciated until they stop working well. This includes transaction reconciliations and the related exceptions management. Reconciliations are necessary to achieve reasonable assurance of a complete and accurate record of trading activity. The process is especially challenging now, partly because of today’s high and growing volumes in the wide range of asset classes in which all larger financial institutions trade. Reconciliation is a necessary accounting function that has to be completed before external financial statements can be published.
I recently received an update on SunGard’s IntelliMatch Solution Suite, an application for handling reconciliation, exception management, financial governance and archiving processes that is used mainly by large financial institutions. While the software’s basic function is to manage reconciliations, two aspects of IntelliMatch – financial governance and trending and analytics for rules optimization – are worth noting because of their potential to increase the effectiveness and efficiency of a financial institution’s back-office operations.
Ideally, every entry in a financial institution’s transaction system will match up with its trading partners’ data and be internally consistent as well. In practice, this never happens because people make mistakes or omit information. To achieve the appropriate financial governance capabilities in a high-volume setting, reconciliation software must quickly and automatically identify where there are issues. When it finds these, IntelliMatch supports the follow-on actions by providing workflows and supplemental information users need to make the right decisions as well as preserve narratives and commentary about those decisions. Workflows automate the chain of reviews, approvals and attestations needed to complete the process. SunGard has added an option for a lightweight visual workflow management system so that non-IT people can easily configure (and reconfigure) these workflows to meet the dynamic requirements of the markets without having to wait for the IT department to do it. Although the bulk of reconciliation work is still done at the end of a period in batches, some financial institutions are using the process as a way to promote greater transparency of transactions, which can be used as a higher-level control to manage risk more effectively. Another benefit of the governance process is being able to speed up the end-of-period, post-close activities. SunGard expects its largest customers to be able to reduce this process from four to eight weeks to two to three weeks.
Analytics are important capabilities of IntelliMatch, and SunGard is adding to the suite on an ongoing basis. With any application designed to collect data, there is considerable value for users to be able to analyze what’s there. General ledgers, for example, became more useful when business intelligence and analytics were added to provide dashboards and scorecards that help improve performance management. In the case of IntelliMatch, being able to look at, for example, the matching logic used in the reconciliation process can help determine if there are better methods or useful tweaks that can be applied to achieve a faster, higher-quality process. These sorts of analytics can be used to create alerts, assess individual and business unit performance faster and more accurately, improve the accuracy of plans and forecasts and, ultimately, fathom even complex trends in business flows.
One of the drawbacks of being underappreciated is that it seems to take a long time for back-office operations to get the kind of tools they need to improve performance, reduce costs and provide better information to executives. Over the decades, only a few senior executives have used their back offices strategically (for example, Citicorp’s John Reed and, with Peter Cohen, Sandy Weill) to build their business. Money saved in operations (in this case, by eliminating swaths of hidden costs) flows directly to the bottom line, rather than having to be shared with highly compensated bankers. And tighter governance will continue to pay dividends. Banks should regularly examine how to reduce the full life-cycle cost of processing transactions. IntelliMatch should be on their list of tools to consider when they do that.
Robert D. Kugel – SVP Research
When the term “governance, risk and compliance” (GRC) was introduced almost 10 years ago, software for this purpose was not a real category but a loose grouping of disparate applications that had something to do with meeting the requirements of the recently passed Sarbanes-Oxley Act. (You can find my perspective on the GRC category from a couple of years ago here.) Now, with release 10.0 of SAP BusinessObjects GRC, SAP is taking another step toward making the software category a real, comprehensive one that addresses the business and IT requirements of risk and compliance management efforts. This is the first platform that enables companies to efficiently provision risk and compliance management at an elemental level (for example, to manage individual access controls and process controls) and – over time – to gain effectiveness benefits from having the ability to comprehensively manage compliance and risk.
One of the key requirements of implementing a comprehensive GRC environment in a company is integrating the IT and business elements necessary for compliance and risk management. Without a secure IT environment, companies’ efforts at preventing threats such as financial fraud and loss of proprietary intellectual property (among other issues) can be undermined easily. Without the ability to collect, assess and communicate the data necessary for measuring risk, the effectiveness of risk management efforts will be limited. Moreover, maintenance of a secure IT environment and handling of the details of compliance management (defining and maintaining controls, logging, auditing and reporting) must be as efficient as possible, since these efforts are almost never strategic.
SAP GRC 10.0 is a comprehensive update, one that applies a common look and feel to the various elements, embeds SAP’s business intelligence (BI) assets (such as SAP Xcelsius charts) throughout the application, and provides controls for comprehensive GRC management. In addition, I want to highlight what I think are two of the most important aspects to the release. One, a higher-level aspect, is the development of a partner ecosystem that will be able to use GRC 10 as a platform on which to develop solutions; the other, more detailed element is its “bow tie” approach to defining and configuring risk and risk metrics.
A key issue with using GRC as a software category is that purchasing decisions are fragmented. Nobody currently implements GRC as such. Typically companies undertake, for example, some focused compliance effort or implement unified access controls or centralize credit risk management or automate their separation of duties (SOD) monitoring process, to name a few among a wide variety of efforts. Until now, there has been little reason for companies or (more to the point) the consultants who often do this work to prefer one software product over another. By making it possible to incorporate their intellectual property into a common platform, GRC consultants can execute a land-and-expand strategy, selling their specific compliance and/or IT governance capabilities. Moreover, multiple compliance efforts deployed broadly across an organization using GRC 10.0 can make ongoing maintenance and deployment more efficient, giving the integrators or consultants an added benefit to offer in incremental deployment. I think that SAP’s positioning should give it and its partners a market advantage compared to vendors offering one-off solutions.
The bow tie is a method of creating common methodologies for risk definition, management and remediation. (You can find an example of an SAP compliance bow-tie diagram here.) The bow-tie approach is a seemingly small but important user interface design that can greatly improve how a company executes its risk identification and management process. It provides a framework within which individuals can more readily construct risk definitions and assessments. It enables people to work collaboratively using a common language. It enforces consistency where it’s needed yet allows for ongoing flexibility when it’s called for. And it can simplify the process of automating the links between risks, the metrics associated with measuring those risks, the data used for the measurement process and the context in which a risk is to be assessed.
As companies develop libraries of risk definitions, I expect it will facilitate the collection and coordination of risk metrics. I believe the difficulty of accessing risk metric data in the proper context is the single largest barrier to the incorporation of risk as part of an organization’s balanced scorecard effort. In particular, effective risk management is necessary to overcome the agency issue in corporate management.
We still have a long way to go to eliminate wasted time and effort in GRC efforts, and an even longer way to go to incorporate risk in performance management. However, with SAP BusinessObjects GRC 10.0, SAP has taken significant steps to enhance the long-term efficiency of how organizations manage their compliance and risk management efforts. Supplemented by partners’ offerings built on the platform, GRC 10 can provide organizations with a more cost-effective approach to automating compliance efforts. Another significant (albeit long-term) benefit that the platform approach can provide is to lower the barrier that currently prevents companies from incorporating risk into broader performance management assessments. By establishing a common platform for building individual compliance and risk management processes, companies should be able to facilitate the establishment of the data infrastructure necessary to support an integrated risk and performance management approach. Defining the data elements related to risk drivers and outcomes as well as establishing the processes to which these drivers and outcomes apply should substantially reduce the effort required to map the individual risk metrics in a scorecard to where the data needs to be collected. In all, I think GRC now offers companies some real improvements for the short and the long term – greater efficiency today and increasing effectiveness for years to come.
Robert Kugel – SVP Research