PwC’s guide to making your controls landscape more effective and efficient front to back

Within the financial services industry, one of the conventional wisdoms since the global financial crisis goes like this: Regulators imposed new regulations that forced financial institutions to introduce policies, controls and other risk-management-related activities to minimise risk and be compliant. Having lived through a few of these major exercises ourselves, we know first-hand how dominant this topic has been in the past. Financial institutions instantly responded to every new regulatory requirement or major industry incident by layering on yet more controls, policies, governance and other rules – without considering the impact across the business or what was already in place.

Internal controls became the critical component of risk and regulatory projects and a major investment in themselves. Budgets were allocated generously and transferred from strategy- and business-related projects.

These days, the same institutions are going through tough cost-cutting exercises touching all aspects of the bank and its business, with risk and compliance no longer exempt. Improving the efficiency and effectiveness of controls without increasing the risk profile is now one of the greatest challenges and opportunities a financial institution has to face. The key to success is to respond to escalating regulatory demands wisely by optimising the necessary controls while reducing or at least containing costs.

The first hurdle to overcome when addressing this topic is a reticence when it comes to reducing or re-engineering control activities. Despite the high pressure to reduce the cost of controls, the cost of non-compliance is still prohibitively high in many cases. A key success factor to any control streamlining exercise is to demonstrate that you’re able to do so safely and within your risk appetite. We recommend opening the narrow focus of a division or risk taxonomy and concentrating on a broader front-to-back view of controls. The goal is to establish an efficient separation of duties, determine and invest internal control resources in top priority issues, and increase reliance on automated and system-supported controls.

We encourage everyone to dive deep into the topic right now, starting by asking…

Some key questions related to controls:

  • Does your control landscape reflect your current risk appetite?
  • How can the effectiveness and efficiency of controls be measured and made transparent?
  • Have you struck the right balance between preventive, detective and reactive controls?
  • Are there too many control layers?
  • Are controls performed by the right resources, functions and locations?
  • What controls-related activities can be automated or outsourced?

The drivers for a control review vary, but typically include improving client experience by shortening lead and lag times, and streamlining the effort that goes into controls-related activities in all parts of the organisation while remaining within risk appetite. The key is to determine the right balance between the cost of controls and the cost of being non-compliant – or in other words the cost of execution, monitoring and testing, and the frequency of events and their financial impact. The following four-step approach will give you some guidance once you’re ready to start improving your controls efficiency and effectiveness:

Objectively analyse and score the current state

The first step is to identify the controls that are currently in place and understand how they map to the underlying front-to-back process selected for review. This is not always easy, as many institutions organise their controls by other dimensions such as risk taxonomy or regulatory requirement. The controls identified are then assessed and scored based on their importance, efficiency and effectiveness. On the basis of this analysis you can identify the opportunities for improvement and state the case for change.

Design the future state and work out opportunities for improvement

One key aspect has to be considered before starting with the design: as soon as the various opportunities have been identified, the respective stakeholders should be involved to recognise the opportunities as such. Only once you have a common understanding of the opportunities does it make sense to start designing the future state and analysing the cost/benefit relation by including the current baseline and the expected benefits case. As a result, every opportunity gets its own ‘mini initiative business case’, to be considered when follow-up decisions are made and the opportunities are finally prioritised.

Define the necessary measures and activities

When preparing descriptions of the initiatives, you need to clearly define ownership and responsibilities right at the beginning. As every control streamlining initiative is a little project in itself, the underlying goals and KPIs for measuring the initiative’s success have to be confirmed by its owner. After this step, the activities and the corresponding timeline, as well as any change-management-related activities and communication, can be planned, and the immediate next steps initiated.

Implement the changes

Implementation should follow a roadmap that considers the prioritisation of activities and divides delivery into the short and medium term. Typically, a tight timeline will be chosen to ensure that any improvements in control efficiency and effectiveness are rapidly visible. Obviously you have to differentiate between mandatory changes or quick wins and more complex, long-term improvements that contain technical adjustments or the automation of manual procedures.

Last but not least, there must be enough time to lead the people involved through the improvement-related transformation phase and ensure that they start acting according to the new standards and procedures.

In this kind of exercise it’s important to make sure that interests are aligned across divisions, the people affected are involved early on, and that everything is communicated properly. This way you’ll be able to generate demand, be in a position to replicate the approach, and establish a systematic and continuous process of improving controls efficiency and effectiveness.

Contact

Dr. Milena Danielsen
Advisory Director
+41 58 792 44 47
milena.danielsen@ch.pwc.com

Alexandra Burns
Assurance Director
+41 58 792 46 28

Are public projects doomed to failure from the start? – Transformation Assurance

Public projects have a bad reputation. Is it deserved, or more a matter of expectations and the way success and failure are defined? In this critical review we take a close look at what makes public-sector IT and transformation projects different from those in other areas, the specific challenges they face, and tried-and-tested approaches to making them a success. Read more…

Contact

Marc Lahmann
Director and Leader Transformation Assurance
+41 58 792 27 99
marc.lahmann@ch.pwc.com

SWIFT Customer Security Programme – mandatory specifications to protect your local SWIFT infrastructures

The growing number of cyber-attacks, including those on the local infrastructures of SWIFT participants, has prompted SWIFT to create a security programme for its participants in order to fight together against cyber threats.

SWIFT published its Customer Security Programme in April 2017. It defines specific requirements to be met by all connected participants. The programme aims to improve the exchange of information within the SWIFT community, to ensure a high level of security for the local SWIFT infrastructure of participants, and to put in place an assurance framework to counter the ever-growing number of cyber threats and strengthen the ability of SWIFT participants to combat cyber-attacks.

SWIFT Customer Security Programme

The programme calls upon all SWIFT participants to implement a control and assurance framework. The control framework consists of a set of 16 mandatory and 11 advisory security controls. The controls are based on existing SWIFT security guidelines, and are in line with good practice standards such as NIST, ISO/IEC 27002 and PCI-DSS. The mandatory controls establish a security baseline for the entire SWIFT community. SWIFT also recommends implementing the advisory controls to provide optimal protection for local SWIFT infrastructures.

Demands placed on SWIFT participants

The SWIFT Customer Security Programme will come into force on 1 January 2018. As well as applying to financial service providers, it is also valid for all companies that participate in the SWIFT network. Before the introduction of the programme, each SWIFT participant must conduct a self-assessment and notify SWIFT of its status regarding compliance with the controls (by the end of 2017). From 2018, all participants must confirm their compliance with controls on an annual basis. This confirmation can be provided via a self-assessment (self-attestation), internal audit (self-inspection) or external audit (third-party inspection). Participants are free to choose the type of confirmation they wish to submit. SWIFT will however also carry out regular spot checks of confirmations via internal or external audits for quality assurance purposes.

SWIFT participants must consider the following points in particular:

  • Should only the mandatory controls be implemented, or also the advisory ones?
  • How should the assurance framework be structured? Is self-assessment sufficient, or should an internal or external audit be conducted on a regular basis?
  • Should the status regarding compliance with controls be made public to other SWIFT participants?
  • How can it be ensured that controls continue to be adhered to in the future?

The support we offer you

SWIFT Readiness Assessment

We can help make sure you comply with the SWIFT requirements by 1 January 2018 by assessing your current status and highlighting any gaps.

SWIFT control support

We can provide support for the implementation of controls by means of a post-implementation review.

SWIFT compliance confirmation

We can assist you with your annual confirmation of compliance with SWIFT requirements.

Please feel free to contact our experts if you are interested in the topic.

More information

Contacts

Jens Probst
Director, Systems & Process Assurance
+41 58 792 29 59
jens.probst@ch.pwc.com

Claudia Hösli
Senior Manager, Specialist Cyber Security
+41 58 792 14 85
claudia.hoesli@ch.pwc.com

Marco Schurtenberger
Senior Manager, Specialist Cyber Security
+41 58 792 22 33
marco.schurtenberger@ch.pwc.com

Auditing Corporate Culture

Recent ethical scandals have put corporate culture in the spotlight. They reveal that a weak or toxic corporate culture may encourage inappropriate behavior across the organization. PwC held an Internal Audit Roundtable in Geneva to take on this topic. Here are some pieces of advice and best practices from the roundtable to help you achieve a healthier and stronger culture.

What is the role of Internal Audit in restoring trust in and within the organization?

There is an increasing expectation from the Board and Senior Management for Internal Audit functions to provide cultural assurance to the organization. Indeed, Internal Audit functions are well positioned to provide an independent assessment of corporate culture while leveraging their understanding of the organization.

How should it be performed?

As there is no “one size fits all” approach to auditing culture, Internal Audit plays a key role in helping the Board define the scope of the assessment (e.g. culture, risk culture), the framework to assess against (e.g. corporate values, behaviors, strategic priorities, etc.) and design the approach. To get a good coverage across high cultural risk areas, Internal Audit will likely use a combination of approaches including discrete culture reviews, thematic reviews and/or incorporating a cultural component into regular audits. It can also draw on a variety of data from different sources such as focus groups, employee surveys, desktop reviews and behavioral observations.

What value does it bring to the organization?

Culture assessments help the Board identify how well the ‘intended’, ‘expressed’ and ‘actual’ cultures are aligned within the organization. The ultimate value delivered to the business is the identification of behaviors having a positive or detrimental impact and the drive for embedding positive behaviors across all layers of the organization.

In short, auditing corporate culture is not so much a one-time audit but rather a tool to assess the existing corporate culture and to start the journey for a healthier and stronger culture.

What Internal Audit Leaders in Switzerland think about it:

“Our corporate culture is not strong enough. However, the organization is not yet ready for this type of assessment.”

“When I audited this local entity, I could feel that people wanted to talk to me about something that was wrong.”

“In my organization, this could work if we do not call it an audit, but rather an assessment.”

“We already started this type of cultural audit through a thematic review on fraud.”

“This type of assessment would probably highlight that our intended culture (purpose, vision, values) is not aligned with our expressed culture (leadership action, objectives, etc.).”

What are the top 3 questions you may ask yourself if you want to further explore this topic within your organization?

  1. Where is there cultural risk in my organization?
  2. What criteria do I assess against and what is in scope?
  3. How do I get Management buy-in and establish the mandate?

In our Internal Audit roundtable in Geneva, it was noted that not very many Internal Audit functions in Switzerland have actively addressed culture within their audit plans. At the same time, Chief Audit Executives recognize the value of culture and how it can play a key role in fostering good governance and a healthy control environment. A diverse array of approaches and techniques can be used by Internal Audit to assess culture and provide additional value add for Management and Boards.

Download the PDF version of this article here:

To learn more about this topic, please feel free to contact our Internal Audit Services team.

Dominique Perron
Partner, Internal Audit Services, PwC Geneva
dominique.perron@ch.pwc.com / +41 58 792 94 48

Richard Thomas
Partner, Internal Audit Services, PwC Zurich
richard.j.thomas@ch.pwc.com / +41 58 792 27 82

Nicolas Gaillard
Director, Internal Audit Services, PwC Geneva
nicolas.gaillard@ch.pwc.com / +41 58 792 98 52

Céline Hartenberger
Manager, Internal Audit Services, PwC Geneva
celine.hartenberger@ch.pwc.com / +41 58 792 96 23

Adapt your SAP authorisation concept to S/4HANA

S/4HANA is SAP’s next-generation business suite, built on SAP’s proprietary operational database system and in-memory computing platform called SAP HANA. S/4HANA is intended to be easier to use and administer while helping to solve more complex problems and handle vastly larger amounts of data than its predecessors. S/4HANA is available in on-premises, cloud and hybrid deployment models.

With the release of S/4HANA, SAP consolidates the integration and harmonisation of functionalities and processes and further reduces barriers between SAP modules, facilitating system integration. New technologies, such as Fiori, enhance the user interface for both desktop and mobile devices. The in-memory HANA database lets you collect, store and process high volumes of operational and transactional data in real time.

Implementation of S/4HANA will affect your current environment, and not just technology-wise, because processes are also subject to change. Both – the new technology and the change in processes – will result in new requirements for your current authorisation concept. Whereas parts of your existing authorisation concept can be easily transformed and implemented 1:1 in the SAP S/4HANA system, other parts need to be changed and adapted to meet the new requirements.

PwC has a proven track record in Switzerland and globally in implementing and transforming SAP authorisation models in the SAP S/4HANA environment. Our GRC Technology Team in Switzerland led and executed the authorisation implementation part of the ninth S/4HANA implementation worldwide, from the authorisation concept to implementation and operation. Our experts have the required skill-set, tools, techniques and experience to discuss your challenges with you, and to actively support you throughout the whole project.

Download the PDF by clicking the image below:

Please contact our team for more details:

Dominik Götz
Senior Manager
dominik.goetz@ch.pwc.com
+41 58 792 28 93

Erik Trouillet
Manager
erik.trouillet@ch.pwc.com
+41 58 792 23 64

PwC Actuarial Services Newsletter – March 2017

This will mark the third year of our European collaboration on our Actuarial Newsletter. We want to take this opportunity to look back on an interesting year for actuaries, as well as take a glance at what awaits actuaries in the months and years ahead. New regulatory requirements have confronted European insurers in the past year. We take a closer look at how our clients deal with this paradigm shift.

Key points in brief:

  • Article #1: Model Validation
  • Article #2: Solvency II after Year One: Snapshot of the current status
  • Article #3: ORSA – “Never hate your enemies, it affects your judgment.” – The Godfather
Download the PwC Actuarial Services Newsletter here.

Good, but could do better – Key learnings from the FATF AML&CFT Mutual Evaluation Report of Switzerland

On 7 December 2016, the Financial Action Task Force (FATF) published the results of the Mutual Evaluation Report on Switzerland, concluding their assessment performed from 25 February to 11 March 2016. The results, extending to 245 pages, make interesting reading for AML practitioners and compliance officers.

FATF concluded: “Overall, Switzerland’s Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) regime is technically robust and has achieved good results. It would still benefit from some improvements in order to be fully effective.”

PwC analysed the key findings and identified learnings for regulated firms, together with options for regulatory development. The key learnings concern:

  1. Suspicious Transaction Reporting (“STR”)
  2. Due diligence on longstanding customers
  3. AML&CFT customer risk classification
  4. AML&CFT Risk Assessment
  5. Penalty Sanctions

Read our findings and perspective here

For more information please contact our experts

Michèle Hess
Assurance Director
michele.hess@ch.pwc.com
+41 58 792 46 67

Daniel Cicetti
Assurance Senior Manager
daniel.cicetti@ch.pwc.com
+41 58 792 23 92

Alister Smith
Advisory Senior Manager
alister.smith@ch.pwc.com
+41 58 792 47 96

Are large-scale transformation initiatives doomed by default?
Against a backdrop of ubiquitous change, successful transformation is essential for survival in a highly dynamic and competitive environment. However, there is overwhelming evidence that most such initiatives end in some degree of failure. We examine the trends and forces driving these processes and the factors crucial to their success.

Read more …

Redefining the risk management and internal control system requirements – the new FINMA circular on corporate governance

The new requirements should not be underestimated

The Swiss Financial Market Supervisory Authority FINMA published on 1 November 2016 its new circular 2017/1 ‘Corporate governance – banks’, consolidating the FINMA’s requirements relating to corporate governance, risk management and internal control systems.

Read more…

Contacts:

Andrin Bernet
Partner
andrin.bernet@ch.pwc.com
+41 58 792 24 44

Yousuf Khan
Senior Manager
yousuf.khan@ch.pwc.com
+41 58 792 15 62

Alena Nicolai
Senior Manager
alena.nicolai@ch.pwc.com
+41 58 792 27 28

Alexandra Burns
Senior Manager
alexandra.burns@ch.pwc.com
+41 58 792 46 28

Can AGILE enable a full scope transformation approach and realise expected benefits more successfully?

Agile project and programme delivery might be perceived as a silver bullet. However, while some organisations have achieved good results adapting agile practices, others have been struggling to cope with the multiple challenges related to agile delivery – especially at scale. Making it a success requires rethinking the way an organisation manages inevitable change, and above all, it means embedding agile practices in a full scope organisational transformation approach. If an organisation can get it right, the rewards are potentially immense: reduced time to market and rapid realisation of outcomes with highest value and benefits for your customers.

Read more…