Between the accelerating momentum of digitization and shifts in geopolitical and financial landscapes, enterprises all over the world face increasing cybersecurity threats. As a result, companies are focusing on internal controls and corporate resilience in both finance and cybersecurity.
In addition to the disruptions cyberattacks inflict on operations, they also undermine the reliability of financial statements. Finance leaders are under pressure from regulators, shareholders, customers and other stakeholders to deliver a reliable picture of their organizations’ risk resilience, accountability and transparency.
Where many Chief Financial Officers (CFOs) have historically perceived cybersecurity as IT’s responsibility, they are now seeing the benefit of developing their own measures to secure the finance function. These leaders are automating process controls to ensure reporting accuracy and strengthen cybersecurity for finance in particular. Businesses are at risk when CFOs disregard finance-specific vulnerabilities — but CFOs don’t have to go it alone.
The VoiceAmerica Business Channel hosted a podcast episode of Financial Excellence with Game Changers presented by SAP. The topic was Cyber Resilience and Control Automation for Finance. I had the opportunity to participate in a panel moderated by Bonnie D. Graham, along with Dr. Neil Patrick from SAP. This post sums up much of that discussion.
Finance’s evolution as a strategy driver
With more than two decades in cybersecurity, I remember the days when finance was decidedly a back-office function. But I’ve seen the finance function’s evolution as a strategic driver for organizations. Consequently, finance leaders can make more of a difference by considering how to build in controls as they transform financial functions to gain market advantage.
Finance leaders can stay ahead of the changing threat environment by automating controls as part of their transformations. Consider control automation as a way to take certain risks out of the equation. Let’s look at how automation of controls can accelerate response time.
Where once control initiatives were seen broadly as excess overhead, leaders now recognize that building in controls as part of the transformation carries strategic advantages:
- The experts who are carrying out the transformation have the freshest and most complete knowledge to build in process-appropriate controls.
- Intrinsic controls are more effective – from a cost, as well as value driver, standpoint – than controls retrofitted later, by which time implementing controls has become someone else’s job.
- The core tenet of customer retention is the trust customers have in the organization. A fundamental pillar of building that trust is showing that their data is handled in a secure and ethical manner.
Of course, there are risks associated with failing to build controls into financial transformations:
- Shareholders lose faith that the business is handling security conscientiously.
- Customers, initially impressed with transformations, lose faith if their data gets exposed through breaches.
I like to equate automated financial controls to the brakes of a car: “If I know that my brakes are good, it allows me to take a little bit more risk because I know those brakes will save me.”
Managing third-party risk
Leaders also need to consider and manage risks related to the third parties with which they do business. When leaders consider the strategic advantage of controls for a business, they think beyond their own security posture and also assess their third parties, including cloud security risks. Evaluating third-party risk includes the security of each party’s operations, how accountability for security is shared in the case of cloud providers, and the controls they’ve implemented (and automated). As I said on the podcast, “Sometimes, companies lose business and consumer trust because they didn’t have sufficient security controls in place.” These third parties would do better to think of security and control automation as strategic advantages – and build these principles into their operations as they transform them – to secure their own futures.
Risk quantification and controls
Whereas an initial level of maturity consists of knowing your risks and having a way to assess them, there is another level of maturity that organizations can work towards: quantifying risk in financial terms.
It used to be that risks were described as high, medium or low. Now, leaders are strapped for resources all around and want to focus on the biggest threats. Risk quantification identifies the risks with the greatest potential to impact the organization and, in some cases, justifies headcount and other expenses to manage that risk. Consider a scenario whereby the cost of hiring two people might be three hundred thousand dollars, but their work would fend off a risk potential of five million dollars. Quantification helps finance leadership make those changes in investment.
New threats, new controls
Controls address risks and risks are not static. Continuous risk assessment — and building new risks into the set of controls — keeps organizations secure. As hackers get more sophisticated, organizations must keep ahead. We are seeing more and more customers use AI as a powerful way for finance leaders to build data into risk assessment models and develop effective controls.
As enterprises face increasing cybersecurity threats, finance and cybersecurity leaders alike are focusing more on internal controls and corporate resilience. CFOs are recognizing the value of instilling controls to secure the finance function specifically.
It’s always going to be a dynamic concept for organizations. Keep looking; be vigilant.