Showing posts with label risk management. Show all posts

Monday, September 24, 2007

Consider Outcomes before Benchmarking Internal Controls

When it comes to financial controls, it’s not about ROI. Effective benchmarking depends on clear outcome expectations.

Following my recent presentation at a conference of financial executives, a member of the audience asked “What is the typical cost of a program for internal control over financial reporting processes?” He continued, “Is there a way to benchmark these costs?”

Good question, and one that certainly can and should be asked about the full range of compliance and internal control processes across the enterprise.

We have a great guide on our site called the OCEG Metrics and Measurement Guide (MMG) which provides a ton of good information on how to measure an internal control and/or compliance program of any type. That said, there are some important things to remember.

Benchmarking. An often-uttered word. One that indicates we are serious executives. That we are doing what it takes to optimize our programs. But how does it really work and what does it really do for us?

The concept of benchmarking is great, but before we can benchmark we need to define the outcomes that we hope to deliver. By way of example, when evaluating call center metrics, the starting point is understanding customer satisfaction (or some similar indicator). Without this top-level indicator of the outcome we hope to generate, it is impossible to evaluate other indicators such as cost. In a vacuum, spending $100 to resolve a customer problem is superior to spending $200 to resolve the same customer problem. However, the “vacuum” does not exist. If the $200 resolution delivers 95% satisfaction and the $100 resolution delivers 50% satisfaction, most executives would choose the former.

So what does that mean for us? As financial professionals, we must define the outcomes that we hope to achieve through our internal control programs, as well as indicators of success. Only then can we even begin to benchmark our costs, cycle times and other program attributes in a meaningful way. To engage in a benchmarking effort without taking the time to first establish clear outcome expectations is putting the cart before the horse – the time and resources spent will be wasted.

While every organization is unique and therefore pursues unique objectives, most organizations strive to achieve growth, profitability, total shareholder return, and key value drivers such as workforce productivity, quality, customer loyalty, and innovation. In the same way, each of our programs for internal financial control will be unique and should strive to achieve unique objectives, but every program should deliver on these universal objectives:
  • Promote business conduct in line with business objectives
  • Prevent noncompliance and weaknesses
  • Prepare the organization to deal with noncompliance and weaknesses when (not if) they occur
  • Protect the organization from negative consequences
  • Detect noncompliance and weaknesses earlier rather than later
  • Respond to noncompliance and weaknesses more quickly rather than slowly
  • Improve the program so that similar noncompliance and weaknesses are not repeatedly encountered
  • Reduce losses due to noncompliance including fines, penalties and investigation costs
  • Enhance the culture so that, even in the absence of controls, the workforce is inclined to do business within defined boundaries of conduct

Now, undoubtedly, I will get a few emails (mostly from consultants) noting that the benefits of implementing a strong program of internal controls go beyond the outcomes listed above. Fine. Shareholders will be thrilled if our programs deliver more. But at the end of the day, if we cannot demonstrate that our programs deliver on the universal outcomes above, we need to get new day jobs.

Once we have a firm understanding of whether, and the degree to which, our programs are achieving top-level outcomes, we can discuss whether we have optimized the outlay of financial and human capital. In addition, we can thoughtfully analyze whether process improvement (e.g., reducing the cycle time to discover noncompliance of a particular type) is worth the investment.

Friday, August 24, 2007

GRC - More than Three Letters

To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC – processes that help an organization drive toward objectives while staying within boundaries – consider the following areas:

Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management; staying qualified to do business; shareholder / stakeholder relations; setting and evaluating performance against enterprise objectives; vetting strategy; evaluating executive performance; risk oversight; etc.

Strategy. Processes typically executed by the chief executive officer, “c-suite” as a whole and strategy professionals including: setting strategy; designing balanced scorecards; managing corporate performance; merger and acquisition activity; etc.

Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (strategic risk; financial risk; operational risk; compliance risk, etc.); buying insurance; etc.

Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including: managing internal audits; facilitating external audits; executing financial reporting; evaluating internal controls (e.g., internal controls over financial reporting (ICFR), internal controls over other risks); conducting investigations; etc.

Legal. Processes typically executed by the general counsel and legal staff including: defining legal strategy; investigations; litigation; assisting with due diligence for mergers and acquisitions; ensuring legal compliance (see next point); etc.

Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance professionals and other legal staff including compliance in areas such as: employment; environmental; government contracts; global trade; anti-fraud; anti-corruption; information privacy and security; sales practices (antitrust issues); advertising and marketing; product quality and manufacturing; etc.

Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including: automating controls; managing electronic records; facilitating internal and external reporting; delivering electronic filings; securing information; ensuring privacy; etc.

Ethics & Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including: managing the code of conduct; developing ethical leaders; promoting adopted principles and values; crafting public communications and reports; understanding socio-political-economic context; aligning incentives and human behavior; etc.

Quality Management. Processes typically executed by quality professionals throughout the organization such as: integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes; conducting root cause analysis and process improvement projects; etc.

Human Capital & Culture. Processes typically executed by human resource professionals and organizational design and development professionals including: enhancing workforce capabilities; appraising individual and team performance; developing a culture of performance, integrity, openness and accountability; etc.

Each of those areas plays a key role in helping an organization drive principled performance. And all of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.

When I talk about "integrated GRC," I do not mean that all of these processes and functions should be consolidated. Rather, management should take a step back and consider what they all have in common. Where practical, management should adopt a common language and approach to the meta-process that they all share.