The Compliance Journey - Balancing Risk and Controls with Business Improvement


Vince Sumpter has over 20 years of experience in Performance Management, data warehousing, and related areas and sees a synergy between process management, performance management, and controls transformation. The new regulatory environment demands compliance, but most of the present efforts are manual and specific only to the rules with little regard to how the changes could improve the business. Sumpter sees process, performance, and controls all coming together to give new value to the enterprise.

Sumpter says there is a lot of buzz now about Sarbanes-Oxley (S-O). The fundamental intent of the law was to drive more transparency into corporate America to make investors and consumers more comfortable. C-level management is telling their internal auditors that S-O costs too much, about 1% of the cost of doing business. The main questions are how much initial compliance will cost and how much it will cost to maintain over time. But the important question is: how can you get business value from compliance?

Corporations use a process analysis template to document the financial controls processes in their business. This template is a treasure trove for performance improvement and this fact is being lost in the mad dash to manually document the controls.

All companies are going through the process of controls transformation now, usually through simple spreadsheets. Rather than approaching it as a specific, one-time government requirement, controls transformation needs to be seen as a multi-year program for change. The drivers are different for each industry and regulatory position, so there isn't a band-aid or a cookie-cutter approach that can be used. Instead of being a handicap, this helps create the business case for change and process improvement.

A typical Fortune 1000 company has thousands of processes, hundreds of systems, and tens of thousands of controls. The controls are either detective or preventive, and are handled manually or automatically. The goal is to move from manual (spreadsheets) to automated controls (processes). There is always a finance function that goes with every process.

Controls cost money. The upfront costs include:

  • Internal costs within the company
  • Upfront costs to scope and launch projects
  • Outside S-O advisors
  • Ongoing testing and monitoring
  • External audit fees

But there are also hidden costs that affect the total cost of controls, which includes ongoing testing and auditing and the effects on business performance, and this cost is higher. The goal is to balance the finance need to control the business and the operations need to improve the business.

The documented controls need to become a new lens for evaluating the business, according to Sumpter. He says one of the best things you can do in your own company is to introduce yourself to your company's internal auditor and ask him to see the work he is doing with S-O with regard to your part of the business. You will be enlightened by the experience.

"Controls are nothing more than information points that set a context for action that cut across all parts of the business," Sumpter said.

In the rush to comply, businesses view their projects in isolation and manage them disparately. Compliance efforts are mainly manual and separated from the flow of business. There are problems whenever key people leave, when processes are improved or new systems implemented, or when the business is sold or acquired. Compliance needs to become a dynamic and action-oriented way to do business, integrated into all the processes, data-centric and automated. The question you need to ask your CFO and your finance organization is: how do we use the financial controls process to help sustain and drive business improvement?

To achieve compliance, there is a top-down and a bottom-up approach. Top-down includes:

  • Confirm business goals and initiatives
  • Establish priorities
  • Identify key dependencies

Bottom-up includes:

  • Portfolio analysis
  • Qualitative analysis
  • Cost of control analysis

The process is to define and analyze, then evaluate the opportunities and build the business case. The results of the top-down and the bottom-up analysis will help the business to:

  • Improve the quality of controls and better manage risk
  • Improve business performance
  • Reduce the ongoing cost of compliance over time
  • Develop better business insights
  • Identify and prioritize the opportunities for immediate and future initiatives based on the strategic needs of the business and make the business case for change.

Vince Sumpter spoke on this topic at a recent BrainStorm Business Process Management Conference. For more information, visit

To hear the archived audio file of this presentation, visit:

Jon Huntress

Special Events Correspondent

