Following an integrated risk management approach is increasingly necessary for organisations.
There has been tremendous progress in risk management over the past five years, with the concept of governance, risk and compliance as a separate stream transitioning to embedding risk management into the processes of an organisation.
This emerged during the CFO South Africa webinar, MTN case study: Risk and remediation, build a risk-intelligent culture in your organisation, a webinar run in partnership with Oracle.
Oracle director of risk and cloud strategy Aman Desouza said data shows that up to five percent of revenue is affected by fraud, data breaches and regulatory compliance matters.
“Data breaches happen frequently and it is not something IT can handle alone. It is a key risk for CFOs and the entire organisation has to rally around it. Currently, the organisations with the largest market capitalisations are all data-based organisations,” he said.
Regulatory compliance can be expensive, particularly when looking at the different compliance mandates. It is therefore critical for organisations to extract the full value of digital transformation.
Aman explained, “It is important to recognise that with every digital transformation there is an opportunity to use new functionality, like blockchain, robotics and AI. With that there are also threats like data leakage, security and privacy.”
This is why following an integrated risk management approach, of monitoring and auditing systems along the way, is becoming increasingly necessary for organisations.
“It used to be that the audit was retrospective and exception based, with the use of data and analytics. It is now about continuous monitoring of systems and processes and predictive analytics. Continuous automation and continuous control help organisations to move forward quickly,” he added.
Trying to manage risk to create value is the mantra when it comes to risk management, says Aman.
Best practice
In order to do this, it is worthwhile considering the best practices for creating a risk intelligent culture, viz.:
- Start by streamlining and integrating audit and compliance enterprise risk management and business continuity planning processes.
- Use native integrated risk-management to engage key stakeholders and build process owners,
- Automate the analysis of application security for initial design, operation, certification and evolution.
- Continuously monitor user activity to protect against fraud.
- Grant external auditors self-service access to required data.
It is worthwhile noting that organisations are at different levels of risk maturity. Identifying a company’s position on the risk maturity curve before taking action is therefore necessary.
Johan Oosthuizen, senior management: risk at MTN said, “MTN started an ERP standardisation project in 2012 and the solution went live in one country in 2014. In the following year, it went live in two more countries. Now, 11 countries are live, of which four are using the entire Oracle suite.”
“Segregation of duties is big on the agenda for MTN and this tool facilitates that as it is embedded in the product. It enables users to get onto the system quite easily and we can use a single app,” he added. Additional benefits included the customisation of roles, with Oracle roles transferred to MTN roles.
Johan noted that one role can have many elements for data action so remediation is straightforward. “We target zero violations in each country and are improving every month. There are constant discussions to provide inputs on each country for separation of duties. So the risk is being remediated and it is almost impossible for something to go wrong,” he added.
Johan further highlighted that an integrated risk management approach requires time and focus, and advised attendees to start early and adapt through the process. “Once you convert, people will remediate. Get some quick wins and make sure the product is shown and the results are true,” he said
