Looking to cut operating costs ?
There are often big savings to be made from moving, redesigning and / or automating your controls.
- A new strategy for 2021 could mean there's been a change in your key risks. So review your control framework to check that you have resources focussed in the priority areas. With restricted budgets, you may well need to move resources around rather than invest in new ones.
- Has your organisation's risk appetite increased ? If so then there could well be controls that can be removed, particularly at your second line of defence (ie your head office 'checking' functions). This could be more palatable if you have RCSA (Risk Control Self Assessment) in place at your first line. Or you may want to consider replacing some preventative controls with detective controls if that fits with your risk exposure and risk appetite.
- Were you forced to make headcount cuts at the year end ? With a new strategy and possible change in risk appetite, take a fresh look at what gaps were created in your control framework from those cuts, and check that you are focussing control resources where they are most needed
- Often controls at the point of a risk first entering a business process will be cheaper to operate than controls at a much later stage. A good example is suppliers overcharging your organisation as they are hit hard by the economic repercussions of the pandemic. So strong due diligence controls for appointing new suppliers and automated order/ invoice matching controls with automated limits on pricing variations could well be cheaper than operating a plethora of controls at the payments stage. So review where your risks are in the business processes and check that your controls are well placed.
- Well designed automated controls may need more up front investment than a manual process, but they will usually pay for themselves in a very short space of time and will be far more reliable than relying on humans to perform checks. This is particularly true for any organisations that moved into the digital arena to help protect the business in the economic downturn. Not investing in automated controls, and instead relying on human checks for fraudulent customers for example is a false economy in my experience.
All of these steps come with the health warning of 'proceed with caution'. Make sure you look at the whole risk / control chain and understand any connections with other risks before make changes. What is the scale and likelihood of the risk that you are exposed to compared to the cost of managing that risk (be it via controls, insurance, outsourcing etc).
The '3 lines of defence' model doesn't necessarily mean you need all 3 lines in every area of your operations. So if there is appetite to live with higher risk, or indeed your external environment has changed in a way that reduces your risk profile, then consider changing your control framework and reap the benefit of any cost savings.
And obviously this all needs to be done within the appropriate governance framework and be carefully executed.
Please send me a message via LinkedIn or call me on 07456 933 334 if I can help you with any plans that you have in this area and provide a fresh set of eyes on your proposals.