It is very common that day-to-day activities and issues in your workplace consume most of your time and usually don’t leave you with time to really consider what practices are value-added for achieving your objectives. As finance professionals, we get engaged in how to make cost reductions, how to implement a resolution to an audit finding, or just how to support the operation of the company. I want to share some of the best practices that have worked for me in the risk and controls management area. My experience has been mainly working in manufacturing companies, but some of those practices can be applied to other industries as well.
1. CREATE A RISK AWARENESS CULTURE
It is important to stay educated about risk and controls management concepts across all levels of the organization, but it is critical to make an extra effort to get your senior management and executives on board with your strategies and tactical plans. Just as your company has a corporate vision that directs the resources and efforts of the day-to-day operations, you also need to define your vision regarding risk and controls management. What do you want your organization to be known for in this area? The best way to promote and continue growing this culture is through communication campaigns, where you ask your executives to deliver the tone from the top and you can demonstrate the good behaviors that promote it. Remember, people relate more to what you do than what you say.
2. CONSTANTLY DO ENVIRONMENTAL SCANS
This is a highly connected world nowadays, so your company is no longer unique in the ecosystem. Therefore, you need to constantly monitor what is happening in the industry, in the economy, the political environment, changes in labor and accounting policies, and the latest on environmental regulations or even potential natural disasters. These factors are all important and relevant to any operation. It is important to do this environmental scan at least twice a year and to include not only the finance organization but the leadership group across the company as well.
3. FOCUS ON HIGH AND MEDIUM RISKS WITHOUT LOSING SIGHT OF THE LOW ONES
As in any organization, resources are not unlimited, and you need to focus the energies and strategies on the activities that represent the major risk for your company. There are several different ways to do this, one of which is creating a risk heat map or risk matrix (or any name you have for it) and classifying the risks based on likelihood and potential impact. From there, define the strategies for those defined as high and medium risks and start implementing tactics to address each of them.
4. ELIMINATE THE “ZERO AUDIT FINDING” CULTURE
One of the most common mistakes I have seen in organizations is the culture of being afraid of audit findings, people being “punished” because there was a control gap identified in their process, or simply being under the pressure that senior management cannot afford a single audit finding in their area. This creates a culture where people are afraid of speaking up about process or controls problems; they tend to hide issues in the day-to-day operations and delay resolving them until the issues explode into a bigger problem and cause major damage to the organization.
It is important that you influence management and the different operational areas of your company or organization and let them know that identifying those problems is part of the improvement process. It is almost impossible to pretend to have a “perfect” organization or process. What is important is to rapidly identify and implement an action plan to address the issues.
5. SET UP A NETWORK OF COLLABORATORS ACROSS ALL GROUPS IN THE COMPANY
The finance role is usually more effective if it is woven throughout the organization, rather than coming from a single business unit. This will help to ensure successful project implementations and the creation of plans that will support the adoption of a strong risk and controls management culture.
There is no magical formula detailing how to organize your network of risk and controls contacts, coordinators, champions or any name you have for them, but it is important that you cover at least the critical areas like engineering, manufacturing, human resources, logistics, information technology and finance. Most companies try to manage their financial risk and controls activities from a centralized location, but you need to extend your network, so they can help you implement the defined activities as part of your overall strategy.
I know that applying financial risk and controls management practices in other industries or companies can be different, so I would like to hear your opinion and experiences about it. Which best practices do you recommend?