Moving ahead in my four-part series on Jeremy Hope’s Re-inventing the CFO, this post looks at how the CFO can be a Regulator of Risk and emphasize regulatory compliance.
Security of information has become an exceedingly critical boardroom issue, given the recent corporate financial scandals. As a result, regulatory compliance is one of the top business drivers in companies today. Companies expect far more from their CFOs and want them to move from just ‘managing numbers’ to ‘managing by numbers’. Financial managers are expected to provide support and performance insights to increase bottom-line growth. This growing need for business insight is the main point on the CFO’s agenda in the WNS Annual CFO Survey 2010.
Companies can employ three 'Lines of Defense' or safeguards that are recognized by regulatory authorities in a corporate governance model.
First Line of Defense (Frontline of Business)
These checks are embedded in the client engagement unit, so that the employees understand their roles and responsibilities, and carry them out correctly and completely. Controls are set in place for day-to-day risk management: Standard Operating Procedures (SOP), Control Processes and Administrative Instruction.
Second Line of Defense (Risk and Compliance)
These safeguards ensure that there is no oversight with regard to staff functions embedded in the industry vertical and the horizontal service line. These functions set and police policies, define work practices and oversee the business frontline. For instance, they check that the human resources team has conducted all background checks before hiring, or that the Quality department has conducted all necessary internal audits before certification.
Third Line of Defense (Auditors and Directors)
In keeping with global best practices, the business frontlines and the oversight functions are regularly reviewed by internal and external auditors to ensure that tasks are being carried out as per the required levels of competency. Directors receive audit reports and ensure that the three lines of defense are operating effectively. This line of defense can also involve a compliance and ethics ombudsman and whistleblower tools.
The old ‘paper and pencil’ approach to regulatory compliance is not a viable long-term solution. New regulations such as those from the Securities and Exchange Commission (SEC) and the Financial Accounting Standards Board (FASB) do not prescribe specific technologies that have to be employed to achieve compliance. Using the services of a BPO Service Provider to regulate risk through the use of technologies is a valuable weapon in a CFO’s arsenal. WNS, for example, has an Enterprise Risk Management Division that drives the ‘three lines of defense’ provided to their clients. WNS has invested in automation of activities to support online process knowledge management, data-driven insight, alerts and pro-active decision-making in consultation with clients. The recently launched internal audit portal at WNS, called AuditPro, is specially designed for the internal audits carried out in WNS. The portal acts as a central repository of the information generated during the audit and also automates the tracking of the implementation status of audit issues. This makes the audit process automated and more efficient, and increases transparency in the tracking mechanism of audit issues.
I believe that by donning the role of a 'Regulator of Risk', CFOs can move away from being confined to budgeting and transaction-processing systems, to becoming a business partner, providing performance insights that can improve bottom-line results.