In 2020, The Risk Management Association and FCInsight conducted a survey of risk management, compliance, audit, and other business and GRC leaders on the state and maturity of integrated risk management (IRM). 272 risk management, compliance, audit, IT, GRC and business professionals qualified for the survey. Of those, 180 were in banking and financial services, and 171 of those were members of the Risk Management Association. 92 respondents were from industries other than banking and financial services.
Key takeaway: Connecting financial close and compliance can help to relieve congestion in the last mile of finance, saving days or even weeks in producing financial disclosures.
Workiva Amplify was a hands-on summit. The majority of sessions in this 17-parallel-tracks summit were hands-on sessions with Workiva, and they were packed. And the attendees were younger than other conferences I’ve participated in over the years — not counting Scouting jamborees. I’ve been to conferences with a lot of buzz, but a conference of auditors, financial managers and compliance professionals with so much energy — I haven’t experienced that before.
Throughout the summit, attendees were reminded of connected reporting, connected sheets, connected data, and linking. To get a handle on what Workiva means by “connected,” I attended a Workiva hands-on session on 10-K reporting.
For their 10-K preparations, some companies lock up the key members of the accounting staff on the entire floor of a hotel room for a week as they make the final changes of this critical report. Senior execs run room to room to make sure that everyone is in sync, and that changes made in one part of the report are also captured in other parts of the report. It’s a nightmarish week, and it’s also repeated on a smaller scale each quarter with the 10-Q reports.
In the hands-on 10-K session, the instructor took us through how to create hyperlinks throughout the document, like between the table of contents and various headings — ho, hum — I can do that in Word, right? Now, here’s what I can’t do so easily in Word — connected data. There are data links throughout the 10-K, and if I change the source data, it changes anywhere that data is used — and it keeps a record of those changes. So, let’s say I find an ERP data entry error in accounts receivable of a measly $10 million. I correct that, and then it ripples through to anywhere that piece of data is used — perhaps in 15 different spreadsheets (Workiva calls them “connected sheets”), the 10-K, and even the presentation to the board.
No more do senior managers and executives chase down dozens of people to make sure they incorporate the change, and no more having to take out an annual lease of a couple of floors of a mid-town hotel for their sequestered accountants. Plus, with all of this connectedness, data transfer errors are greatly reduced, thus reducing the chance of a misstatement. I later attended a SOX reporting hands-on session – same thing. This connected data and reporting made me think of the promises of robotic process automation (RPA), though, in the case of Workiva, the data and documents are either in the Workiva system or are connected through APIs, rather than an RPA tool. Still, the benefits — removing highly educated humans from boring, trivial data transfer and manipulation tasks with cheap, smart integrations between enterprise applications — are the same.
A good friend at Gartner with whom I worked on several research projects, John Van Decker, called reconciliation, close and disclosure at the end of the fiscal year the “last mile of finance.” Running parallel to reconciliation and close in this last mile are the SOX and financial statement audits. It reminds me of the most horrendous last mile on the Capital Beltway around Washington, DC, where the express lanes dump into the regular lanes just a mile short of the American Legion Bridge crossing the Potomac from Virginia to Maryland. It’s this last mile that Workiva is helping to run more smoothly.
And Workiva is not alone on the last mile challenge. At Amplify, Deloitte announced a new strategic partnership with Workiva. Speaking with Deloitte representatives, I learned that they are investing in building a number of targeted Deloitte-branded solutions on Workiva’s platform that they believe will further speed up the close process.
I’ve puzzled for years over why more GRC vendors have not invested in developing solutions for the last mile of finance, but for now, Workiva’s capabilities to link SOX compliance and audit to reconciliation, close and disclosure reporting, along with connected sheets and connected reporting, are a differentiator unique to Workiva in the GRC market. Workiva would do well to invest in expanding its GRC capabilities beyond its basic SOX and audit solutions and a very basic ERM application. With a broader GRC portfolio, Workiva’s internal linking capabilities could enable better connections between risk management, compliance, audit, third party management, IT security and other GRC functions. And the linking capabilities to enterprise financial and performance management solutions could advance integrated risk management. For instance, connecting performance management and risk management by linking KPIs and KRIs could bring critical insights to decision making on both the planning and execution of strategic business initiatives.
Note: Workiva did not pay for this article; nor did anyone else. The opinions and observations in this article are mine alone and not necessarily the views of Workiva.
On 27 and 28 March 2019, at PwC’s Risk Summit in Boston, PwC senior leaders and consultants in the risk assurance and consulting practices shared with their clients and over three dozen industry analysts their vision of how digital technologies are transforming both risk management and business performance.
Third party risk management is not just for suppliers, IT vendors and service providers. In many cases, subsidiaries or other organizations within your enterprise, and even well-known business customers should be brought into the third party management program.
The problems at Deutsche Bank and Danske Bank reminded me of an inquiry I had with a CISO at a large high tech equipment manufacturer. We were discussing best practices in third party risk management. I asked him what types of companies he was monitoring and he told me they were subsidiaries. He was putting these subsidiaries through the same hoops as he would any other third party vendor, classifying them into three risk categories, doing deep dives and continuous monitoring on the higher risk ones, and documenting certification and accreditation on all of them.
The Financial Times today recounted Deutsche’s current regulatory rows — money laundering by a former subsidiary, Regula, that it had acquired in the British Virgin Islands, and Deutsche’s role as a correspondent bank processing over €160 billion in suspicious payments for Danske Bank Estonia. And of course Danske Bank Estonia was a subsidiary acquired by Danske.
Being “in the family,” Regula and Danske Bank Estonia apparently did not get enough scrutiny from their parents. Had they been treated as high risk third parties, the risks and the lack of effective controls to prevent money laundering might have been discovered earlier, avoiding the heavy supervisory presence and regulatory investigations that the parents now enjoy.
Also, Danske Estonia’s use of Deutsche Bank instead of its own parent to transfer money out of Estonia could have helped to bypass parental scrutiny. Should Deutsche have raised a red flag — like a neighbor who lets the neighbor kid smoke pot in her backyard? Deutsche didn’t raise a red flag, instead stating they weren’t the ones responsible for validating the source of the funds — that was Danske’s problem.
Yet, now it’s all come back on Deutsche, and the lesson learned for the rest of us — when a lot of money is on the line, treat your family and your friends as acquaintances.
1 — Bring high risk subsidiaries into your third party risk management program
2 — High risk customers should also be included in your third party risk management program