Organisations are tackling external threats - but what about internal risks?
As businesses fight to maintain viability in the face of COVID-19, their initial focus has been – quite rightly – on external threats.
Yet with change occurring at breakneck speed, losing control of what’s happening internally will greatly increase risk in three critical areas: fraud, regulatory compliance, and business performance and reporting.
Having the mechanisms in place to control these risks will be key to protecting enterprise and operational resilience.
Change is the underlying factor that’s intensifying fraud, compliance and performance and reporting risks. It is happening in three ways:
And all this is going on at lightning pace. As a result, important governance processes and internal controls may be neglected, or relaxed to enable agile decision-making.
Such controls include:
Let’s take a look in turn at why relaxing these controls means greater fraud, compliance and performance and reporting risk.
To sustain enterprise resilience, management is preoccupied with making business, resource and technological change happen. With their focus on day-to-day survival, there’s an increased likelihood of:
This weakens an organisation’s defences against fraud and theft. Meanwhile, significant financial pressures on organisations and individuals may lead to:
In this context, it’s important to investigate any suspected fraudulent activity, rather than pushing it down the priority list under the pressure to focus on the day to day.
Key questions to ask:
2. Regulatory compliance
In the current climate, some regulators are relaxing reporting requirements and deadlines - but not the obligations they impose on organisations. Now is not the time to loosen your grip on compliance.
Businesses’ fundamental responsibilities won’t change. They’ll still be expected to obey the rules, behave ethically, and implement robust control systems and compliance mechanisms.
In other words, they’ll still need to:
And of course, sector-specific regulations will still need to be observed.
You’ll therefore need to maintain robust levels of internal control over key aspects of compliance. Knowing your critical obligations, and adhering to them as changes are made to the business, will be vital when everybody’s focus is elsewhere.
You must also understand the implications of changes to the regulations affecting your business, and put measures in place to comply with them. Don’t assume everything has altered; make sure you know what has, and what hasn’t. As always with compliance, the devil will be in the detail.
At the same time, reminding people how and when to report regulatory issues, challenges and near-misses internally will be imperative. And making this easy for employees has to be a priority.
Compliance will be especially important if your company is seeking government support. Understanding the terms of this support, and having the controls in place to abide by them, could prove critical.
Key questions to ask:
3. Performance and reporting
When grappling with far-reaching change, it is easy to assume the basics can be paused. Yet monitoring, measuring and reporting on the financial and operational health of the organisation will be crucial not just during the crisis, but also as we emerge from it.
Management will still be expected to manage and report on the underlying performance of the business. Investors, lenders, regulators and customers won’t forgive you for lapses in your fundamental controls.
It will therefore be more important than ever to maintain accurate, complete and valid records of areas such as:
Without understanding these, you can’t assess their effects on your operational and financial performance now or in the future. And if you don’t know that, you won’t be able to report on it further down the line.
Key questions to ask:
In times of crisis, management must emphasise the importance of prioritising key control activities. They must task the relevant functions with ensuring that internal control arrangements, resources and management systems are fit for current demands.
Following this five-step process will enable you to stay in control of rapid and fundamental business change:
1. Define and prioritise the critical controls required to reduce fraud, compliance, and performance and reporting risks.
2. Check these controls are in place, and implement them as necessary.
3. Establish an assurance framework to monitor critical controls, and ensure that they’re operating effectively.
4. Identify who has responsibility for monitoring critical controls in each of the three risk areas.
5. Put contingency plans in place for the absence of those responsible for monitoring critical controls.
The ideal control environment will of course be different in each sector, and for each organisation. But the essential elements will generally include:
As well as preventative controls such as these, firms should enable the early detection of issues – with measures like exception reporting, and maintaining logs to support analysis. Use of data and analytics techniques should be enhanced and fast-tracked. The benefits for effective monitoring of critical controls will be substantial.
Changing risk profiles will drive a need to revise your internal audit plan. This will mean making quick, tactical adjustments in the first instance, followed by more strategic actions as life returns to normal.
We’ve underlined the need for greater vigilance around fraud risk, regulatory compliance and performance and reporting capabilities. Other areas for close consideration will include:
A health-check of these activities will assess whether they’re still operating as they should, or being significantly disrupted. It will highlight vulnerabilities in real time, and help you to develop viable solutions.
As conditions stabilise, you’ll need to develop a plan for the transition to more sustainable operations. This should be built around three pillars:
1. The impact of change on internal control
Review the changes made to the business during the heat of the pandemic. Were any important priorities neglected in the race to maintain viability? Have you strayed from your regulatory obligations? If so, where and how far?
2. What you can learn from the crisis
Don’t just return to the previous status quo. Identify the changes that will continue to make your business more resilient in the future, and embed them into your internal control environment.
3. The risks emerging in the aftermath
Consider the threats to enterprise resilience as economic activity resumes. How quickly will demand bounce back? How will you restore your supply chain to meet changing demand patterns? How accurately can you forecast cash flow?
Ultimately, your aim should be to understand your new risk backdrop; assess whether your internal controls are suited to it; make the right adjustments; and monitor the situation as it evolves.
That’s how to protect your business today, and prepare to meet the challenges and opportunities of the future.
© 2020 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.