While there are several challenges in managing corporate spend effectively, the one common thread that ties them together is ‘risk’. It is the ‘risk of spend leakage’, the ‘risk of business disruption’, the ‘risk of non-compliance’, the ‘risk of fraud’ that keeps Enterprise Procurement and Finance Teams on their toes. As mentioned by Nikolaas Vanderlinden, Executive Director Advisory (Risk) at EY, it is estimated that 1 to 5% of EBITA of an organization flows out as leakage due to lack of proper contract management and payment follow-up processes. Organizations were unable to detect approximately 90% of this leakage. According to a report by the Association of Certified Fraud Examiners, there was a 5% loss of revenue across organizations due to various frauds in 2020. One of the insights shared by AuditNet states that up to 2% of the average company’s invoices are duplicates. These points give an indication of the magnitude of ‘risk’ in any spend or procurement process.
To address this, organizations put in place systems that not only digitalize the spend process but also have several in-built controls to manage ‘risk’. While these systems do serve as a First Line of Defense against ‘risk’, they are not enough. Why? Because manual overrides in the first line often go unchallenged, causing breaches and irreversible damage. Organizations should actively consider digitizing a Second Line of Defense to assess the effectiveness of controls in the first line and ensure nothing anomalous slips through. As per the 2021 Global CPO Survey conducted by Deloitte, 76.4% of CPOs count reducing cost among their top priorities, followed closely by 76.1% who are willing to go for digital transformation. An exclusive spend monitoring system that works 24×7 and screens 100% of transactions to detect and intercept anomalies could serve as a digitalized Second Line of Defense against spend ‘risk’.
The Three Lines of Defense is an industry-accepted model that provides structure around ‘risk’ management and internal controls within an organization.
The first line involves Risk Takers who own and manage spend ‘risks’ on a day-to-day basis. These are people who manage spend on the ground using various systems that log and analyze different types of spend. As this is the line that takes all the business ‘risk’, there are several controls (checks and balances) put in place to ensure that the decisions and actions are validated. However, the primary purpose of these systems is to ensure that all types of spend get logged and processed with minimal inconvenience to business operations.
That’s where the need for manual overrides comes in, creating an opening for different kinds of ‘risk’ to creep in. Did we choose the right vendor? Was it the best price? Is there a ‘risk’ of delay? Was the transaction compliant with company policy? As processing the spend and meeting the immediate business requirement is primary, manual overrides go unchallenged, resulting in leakages and non-compliance. While spend analysis does exist as a mechanism to introspect performance, it is too little too late. Observations from spend analysis can help tune spend strategy post-facto, but they cannot reverse the damage incurred or recapture lost opportunities.
To address any ‘risk’ that passes undetected through the first line, enterprises set up a Second Line of Defense through people who act as Risk Monitors. Their job is to own the ‘risk’ process and monitor it constantly. This is largely a manual activity done by the Governance Teams using a combination of Risk Registers to track ‘risk’ and a sample-based transaction validation approach to monitor ‘risk’. The Third Line of Defense provides a final check through Risk Assurers who perform independent audits (internal and external) to ensure that ‘risk’ is being managed effectively. The frequency with which these audits are done is lower than the frequency of checks in the second line, while the approach remains the same: a sample-based validation of a small percentage of transactions is done using a set of rules. Anomalies detected at this stage are detected a tad too late, as the damage is already done and irreversible. Also, this approach cannot detect emerging patterns of anomalous behavior that are hidden in large volumes of transactions.
There is a solution, however, that can be a win-win for stakeholders across the Three Lines of Defense: a digitized Second Line of Defense that monitors 100% of transactions on a 24×7 basis to detect and intercept problems and opportunities.
While the First Line of Defense constitutes one or more Systems of Record, the Second Line of Defense is a unified System of Intelligence. The first line focuses on establishing primary spend channels for different business functions with standard processes and providing spend visibility through on-demand reporting. The second line focuses on continuously monitoring spend across channels using a judicious blend of machine & human intelligence with automation. Such a system has the capability to learn from historical spend behavior guided by a Subject Matter Expert and then leverage this learning to screen live spend to detect and predict exceptions. The key is to decouple spend monitoring (2nd line) from spend processing & analytics (1st line) so that monitoring happens independently and has a good chance of detecting whatever slips through the first line.
For Management, which is responsible for both taking and monitoring risks, there is increased value:
- For Risk Takers, this would mean that anything slipping through the net in the first line is detected almost immediately, providing an opportunity to correct or prevent issues at the source. On top of that, there could be multiple systems through which purchases flow. A unified Spend Monitoring system would screen and reconcile everything across sources. This translates to reduced spend leakage, business disruptions, and non-compliance. This would also enable Risk Takers to address two key questions that get asked every time an issue is detected by an auditor: (1) How did this happen? (2) How will you ensure that it will not happen again? A spend monitoring solution will leave behind an audit trail providing evidence on who allowed the transaction to go through and why. It would also enable them to put in place additional controls in the first and second line to avoid a repeat occurrence.
- For Risk Monitors, this would mean continuous monitoring of ‘risk’ across 100% of spend transactions. This translates to a significant jump in efficacy and allows them to focus on more complex issues that may require human experience and intuition. A spend monitoring solution would enable them to correlate spend information flowing through multiple systems to detect spend integrity issues. Such a system would also enable them to go beyond simple rule-based checks to analyze emerging trends and track them before they cause any damage.
- For Auditors (Risk Assurers), this would mean continuous auditing of ‘risk’ across 100% of spend transactions. This would mean more focus on person audits to analyze performance through the lens of integrity and value. A spend monitoring solution would analyze machine-generated trends and observations based on experience and intuition to recommend a suitable course of action.
There are several kinds of risk that can be managed better through a 2-step verification of purchases offered by a Spend Management and a Spend Monitoring system. For example, enterprises can save more money through various levers such as:
- Detecting and resolving purchase price variances across items / contracts / catalogues
- Detecting and curtailing excessive freight charges
- Detecting and consolidating bulk purchases or repairs
- Detecting and preventing duplicate purchases and payments
- Detecting and claiming early payment discounts
- Detecting and reducing payment term mismatches
- Predicting and preventing delays in approvals, fulfilment, and payouts
- Predicting and preventing business disruptions from low quality goods
Overall, the digitalization of a Second Line of Defense through a Spend Monitoring solution alters the approach of managing spend from a reactive to a proactive one. It increases the element of trust across Risk Takers, Risk Monitors and Risk Assurers by providing an objective and unbiased way of scrutinizing every spend in an automated manner.