Shining a light on business risk
Why process visibility is key to enterprise risk management.
How transparent is your business? Do you know what you’re doing well, what isn’t working, where the bottlenecks are and – especially in today’s climate of rising economic crime – where your points of vulnerability and leakage are?
If you answered “no” or “not sure” to any of these questions, your business is probably not operating as efficiently as it should, which means it’s unlikely to be as profitable as it could be. It is also at greater risk of becoming a victim of fraud: PwC’s 2018 Global Economic Crime and Fraud Survey revealed that South Africa had the dubious honour of being the economic crime capital of the world, with a frightening 77% of South African organisations admitting to having fallen victim to some form of economic crime during the previous 24 months. Kenya follows closely at 75%, then Uganda at 66% and Zambia at 65%; clearly, companies in sub-Saharan Africa are vulnerable to financial crime.
Perhaps more troubling, a further 6% of executives admitted they didn’t know whether their organisations had been affected by economic crime or not.
The survey also found that the true cost of this economic crime scourge was difficult to accurately gauge, as 19% of organisations spent more on investigating the crime than was lost as a result of the original crime.
What makes matters more complicated is that the risk facing organisations is no longer predominantly external. According to Trevor White, Partner, Forensic Services PwC South Africa, and Global Economic Crime and Fraud Survey Leader, there is as much risk of fraud emerging from within an organisation as from outside. Fighting this threat, he said, required a new and innovative approach as “the conventional arsenal is no longer going to cut it, and a more holistic and collaborative view of your organisation is necessary”.
White believes organisations that are unburdened by legacy processes or poorly integrated systems are better positioned to, for example, embed contemporary fraud data analytics systems that would help to identify fraud as it occurs.
Denis Bensch, CIO of FlowCentric Technologies, agreed, but pointed out that few organisations have that legacy-free luxury. In addition, he emphasised, before implementing new systems to detect fraud after it occurs, it was essential that organisations return to basics, with the objective of preventing incidents from occurring.
“What is needed is business process visibility,” he said.
Business process visibility is the ability an organisation has to accurately and fully view all its processes, transactions and other activities. Visibility issues include unshared information, fragmented processes and poor forecasting abilities.
Bensch explained that without visibility, it is difficult for a company to improve its processes. Without efficient processes, errors occur and the company can expose itself to unnecessary risk and compliance failures.
The main goal of process visibility is to enable a clear view into every business process, to monitor performance and ensure processes align with the business’s strategic and operational goals.
“Organisations are like living entities: they change strategies and management; add new products and services; and implement different policies and technologies. All these changes can result not only in contradicting policies and the use of conflicting tools, but also hard-to-find data and unshared information; opaque, fragmented or even redundant processes; and poor forecasting abilities,” Bensch explained.
“Most people acknowledge that poor processes will result in a significantly higher cost of operating, but what many fail to recognise is that disparate and opaque processes increase an organisation’s risk of unauthorised activities and failure to meet compliance requirements,” he added.
Bensch pointed out that while the PwC survey listed asset misappropriation as the most common crime suffered by responding South African organisations, this was closely followed by procurement fraud, bribery and corruption, business misconduct, human resources fraud and accounting fraud – all issues that likely involve an element of process failure, possibly resulting from a lack of process visibility.
How can an organisation improve business process visibility?
Bensch recommends a three-step approach: document, automate, monitor.
A significant challenge to business process visibility is that business processes are often largely invisible. Processes evolve over years, with individual or departmental modifications being made along the way, yet few, if any, of these processes and their changes are ever documented.
It is therefore essential to document – in words or diagrams – each process in the business.
Once this has been done, it will be possible to evaluate each process and see which are working well versus which are inefficient or carry the greatest probability of compliance risk.
Documenting the process will reveal out-of-date, redundant or unnecessarily complicated processes as well as areas where data has been duplicated as a result of being captured in multiple systems (increasing the risk of there being no single source of accurate data from which to make decisions).
Finally, documenting processes will enable the identification of time-consuming manual, repetitive tasks that could be automated; paper or e-mail-based tasks that could be digitised and centrally managed; policies that could be enforced through digitised systems; and areas where the consequences of non-compliance could be dire.
Simply documenting business processes won’t ensure that employees consistently follow the steps, which is why business process automation is key for any company intent on improving visibility and enforcing a structure of governance.
When business rules and process flow are embedded into a digital process, it becomes very difficult for employees to change the process without some sort of managerial approval. As a result, process changes tend to be more mindful and in line with the strategic objectives of the company.
Process automation makes it difficult for employees to shirk responsibility or take shortcuts because the process automation software tracks exactly who performed each step in the process and when it was completed – reducing the risk of employees going “off script” and potentially perpetrating fraud of some kind.
In addition, workflow automation software makes it easier to identify and address bottlenecks in processes, to fine-tune business rules, to identify if steps are being duplicated or reworked due to errors, and to trace the root cause of errors.
When things go wrong – as they will – it is important that corrective interventions occur as quickly as possible. Without central process automation, operational data is generally gathered from various sources and compiled into a spreadsheet report, which is then circulated on a need-to-know basis. This approach is time-consuming and, invariably, operational responsiveness is slow.
Today’s process automation tools allow managers to quickly locate critical, real-time information when they need it, allowing them to obtain vital data about a task or business process and intervene before a situation deteriorates further. This includes the identification of suspicious, potentially fraudulent activity.
In an age of deepfake fraud, ransomware attacks and abundant economic desperation, companies need to get the basics of risk and process management right before they become another depressing statistic.