Analysing Loyalty Programs

The Situation

A large home appliance manufacturing client, having numerous own retail stores and franchise owned stores had an extensive loyalty program into which they had invested over the last 5 years. However, as a manufacturing firm, our client was primarily focused on building new products for homes. Their customers ranged from lower middle income to the very affluent class. The top management felt that the loyalty program was a failure and was looking to understand why their loyalty programs were not a major part of their revenue stream.

The Business Need

The loyalty program had significant investment done over the last 5 years and a large part of it was done to ensure a smooth and seamless customer experience. The ROI of the loyalty program was expected to show within a five-year period. There was negligible “repeat sales” through the loyalty program.

There were processes that tracked customer sales and sales associates were incentivised to enter data into their handheld and POS. Customers were sent messages on different platforms such as email, SMS and social media apps. To reinforce, the process and systems, there was training for all sales staff and regular intervals.

The question that was posed to us was whether the manufacturing client should discontinue the loyalty program initiative or recommend changes to the program.

Analysis

Our initial discussion with the client showed us that there was a significant disconnect between the different product lines with respect to the loyalty program. The rewards points that a customer could get did not match the cost of the appliance that they bought. Therefore, customers who bought two or more different appliances felt a bit awkward when the reward points were displayed on their invoice.

Another area that slowly revealed itself was that the “touch points” a customer can have with the manufacturer is not limited to the sale of a product. There is customer service “touch points” for installation, annual services, breakdown maintenance, and finally replacement with the same brand or another brand. All these “touch points” form an opportunity to interact with the customer and thereby build deeper relationships. We found that only a few service touch points had integrated with the loyalty program.

The Solution

Since the client had a siloed approach to the loyalty program, our first initiative was to look at the data each customer generated to understand whether there were any significant levels of interaction across all the different touch points. We were looking to ensure that a customer would receive the same level of attention, and satisfaction as they would at a sales interaction.

The loyalty program did have a monetary value to sales purchase for a customer, however, a majority of the customers did not feel they had the flexibility to use the value locked in their loyalty account. One of the customer’s we had a detailed interview mentioned, “So what if I have money in the loyalty account, the next time I buy a fridge will be 4-5 years from now. That’s too far off for me to even remember that I have a loyalty account”. Based on similar feedback, we recommended an aggressive education campaign for all loyalty program members to understand that there is a range of value that can be utilised. Small toasters, irons and many more products can be relevant to their needs. As part of the campaign, customers were guided to look for products that satisfy their wants through the loyalty program.

So what if I have money in the loyalty account, the next time I buy a fridge will be 4-5 years from now. That’s too far off for me to even remember that I have a loyalty account

Customer Interview

Another aspect of the loyalty program that was found lacking was the convenience of engagement by a customer. A customer had to produce the physical loyalty card to be tracked. Most customers forget they have a card or do not produce the card at all. We recommended to change the tracking from a card to a customer mobile number and using a physical address as a crosscheck to ensure the client is interacting with the right customer.
Overall, we recommended the client to continue with the loyalty program.

Results

Over a period of six months after the recommended changes were made, there was a significant increase in customer interactions across all the touch points.

The revenue increase was present and clearly showed an upward trend. The top management of the client was extremely confident that they are on the right path because of increased customer engagement. The client’s marketing team mentioned that there was an increased recall of the brand and therefore it was just a matter of time before revenues would show up.
The overall engagement took 6 months to complete.

10 ways Insurance Industry uses Data Analytics

Insurance industry has been going through a sea change in the way it handles data. Data has always been at the forefront of the insurance industry from the time it started (see Insurance History). Now, insurance companies have a heightened understanding of how data needs to be perceived as a distinct asset.

Here are a few ways we have helped insurance companies use their data :

Triaging claims and improving the claims process

Claims processing is the most cumbersome part of any insurance provider’s operations. Some providers have information systems that are able to pull the data from vendors, process the data and push back relevant data. However, most providers are not able to do this end – to – end in an automated, “no-touch” way. Most insurance providers have disconnected systems that lead to significant human interventions to upload claims, download claims and for payments. These disconnected systems or islands of processing are coalescing into large end-to-end systems and will reach a stage where claims processing will require no people.

One key aspect for claims processing is the triage to ensure compliance, completeness and other requirements. Significant use of data analytics can reduce the triaging time by understanding the different types of claims and their characteristics.

Detecting Fraud

A classic use of data analytics in insurance is detecting fraud. Though this is easier said than done because a top down approach is like “finding a needle in a haystack”. To comb through massive amounts of data and look for specific patterns is a time consuming process. Significant changes to the IT infrastructure are needed to ensure data processing is capable of achieving high levels of throughput.

An alternative is to look for proxies in the data, which can be used for quick identification of fraud patterns. Data analytics is used to ensure that these proxies are reliable and valid. Using proxy parameters reduces processing time and can be used for near-real time by customer service agents.

Detecting epidemics and outbreaks for health insurance

Insurance companies dealing with health and medical are at a vantage point of understanding diseases from a population. This advantage provides the ability for an insurance company to detect epidemics and disease outbreaks faster and help in containing the situation by sharing this information.

Drug interactions and drug efficacy for the pharma industry

Most insurance firms collect data about the patient’s diagnosis, treatment and prescriptions. There are openly available standards, such as ICD and other copyright standards such as CPT. Using a combination of diagnosis, treatment and prescriptions, an insurance company can provide drug interaction and drug efficacy based on a large population. This information would be valuable to the pharmaceutical industry to increase the pace of drug development.

Reduce risk for underwriting

Insurance underwriting is a demanding process whether actuarial experts set the policy premiums. There is significant data that is required to estimate these values. Even though actuarial sciences are a matured field, the foundation is based on analysing data. Using new data analytic techniques, the risk and tolerance for underwriting can be reduced and to a large extent the process of reviewing can be automated.

Countries where there is no unique person or citizen identifier

When insurance companies operate in countries which do not have national identifiers such as Aadhar (India) or Social Security Number (US), the insurance company is left to create its own identifier. Data mashing of different types of identifiers from each person, for example, driving license, municipal card, passport, etc would be required to ensure unique identification. Data mashing at the scale of a country would require a lot of data cleansing to obtain reliable data of a person’s identity.

Identifying Customers at the risk of cancellation

As part of customer service and customer retention processes, insurance companies can leverage data analytics to understand when customers will churn. Using historical data of customers who have left or asked for reduction of insurance premiums, a data model can be built to predict if and when customers may cancel or approach the risk of cancellation. The next step would be to bring this model close to the sales and customer service personnel so that preemptive changes to the customer approach is made.

Generation of Leads

Along the same vein as identifying customers at the risk of cancellation, the generation of leads also requires a predictive model that would point to which leads are most optimal to follow up. Since it would not be possible to follow through with all the leads that are present, a predictive data analytic model would reduce the sales fatigue and increase the chance of converting a lead to a customer.

Customized Policy Offerings

With increased competition, insurance companies are jostling to find their space in the minds of a customer. One possible approach is to customise the policy for each customer so that all the needs are met at a viable price point. For this approach, data analytics is required to understand the different clusters of customers and the costs and profit margins that are possible with each cluster. Also, multiple data sources such as social media, may be required to understand certain customer behaviours to fine tune a customised policy.

Improving Customer Satisfaction

Customer satisfaction is closely related to customer service. Getting the right data of a customer, in front of a customer service agent is critical to ensure that the agent can respond appropriately and offer alternate solutions. Using data analytics, it is possible to recommend services that similar customers have opted for. Using text analytics, it is possible to understand customer sentiments on a social media channel and armed with this information, it would be possible to initiate a new customer campaign or create a new product that alleviates this issue.

There are many more ways that are possible to help insurance companies use their data and help look for opportunities!

Change in Business Strategy

The Situation

The client was an industrial valve manufacturer that catered to large oil and gas firms in Asia. They specialised in custom designed valves that controlled a variety of fluids ranging from water to crude oils and gases. They had a committed and talented R&D facility to simulate and test fluid dynamics within the valves they built. 

The Business Need

The client’s valve manufacturing provided sufficient profit margins and they were comfortable with their market share. However, over the last few years, the top management has clearly noticed a steady decline in sales volume. One of the reasons for this was because of the top management’s adamant hold on profit margins. On one hand, if they had reduced margins to increase sales, the reality of declining sales volume would not be very evident in a few years. The sales volume would have been propped up by less profitable sales. On the other hand, since they held onto the profit margins, the increasing competition that was causing the loss of sales became quickly evident.

The question that was posed to our consultants was this: should the client change their stand on holding onto current profit margins or should they reduce profit margins to increase sales volume and therefore compensate for revenue loss.

Analysis

Our initial discussion with the client, showed us that their market awareness was quite limited. As a first step, we conducted a market study of the valve industry for the Asian region. The results of the market study presented the fact that the price of the custom designed valves had dropped in the region. Purchasers of these valves also had new manufacturers in the region to procure from. One obvious step was to get into a price war with the new entrants in the valves industry.

The other aspects that came out of our structured analysis of the client’s strengths was their maturity in tool and die manufacturing. Though the client did not have expertise in materials other than steels, their basic engineering capability for working with homogeneous and composite materials was evident. Our analysis also pointed to the client manufacturing process needing significant improvements that can be made, to reduce product costs. For example, advanced software simulations can be used to reduce or avoid physical testing to a large extent and improve quality related failures.

Our market study in India pointed to a burgeoning residential and commercial plumbing market for valves. This was an eye opener for the client’s management.

The Solution

The solution that was proposed was a two-pronged approach to change the overall business strategy. One was to look at the collapsing profit margins and the other was into new product development.

As a stop-gap, a revision of profit margins could be done, however a clear minimum was to be determined upfront by the management. Our consulting team guided the management through a pricing exercise to come up with these profit margins. 

A new product development was started to look at plastic and composite plastics-based valves for the retail market, especially for residential homes and commercial buildings. The client’s capability in tool and die manufacturing was quickly realised with plastic mold and plastic forming dies. 

Results

The client got a revenue boost by gently reducing the profit margins. This boost helped with the product development of retail plastic valves. The product development took a few months because the R&D in plastics had to be done. They initially released 3 valves into the market and achieved better market acceptance than the existing plastic valves because of their higher quality standards they brought to the manufacturing process. 

Our team had pointed out that the client sales teams were not capable of doing retail sales and an entire sales restructuring had to be done to approach the new retail market. 

The market research and strategy change for the client took 3 months to complete. The retail sales team creation and restructuring of the sales effort took another engagement of 6 months.

Introduction to After Sales (Webinar)

A free webinar introducing Aftersales as an important process for customer retention and loyalty.

Join us at 4pm IST, Saturday 4th April 2020

In this introductory webinar on Aftersales, the topics that will be covered are:

  • What is after sales service?
  • Maintenance contracts
  • Costs associated with aftersales
  • Product improvements

Duration: 30 minutes
Time: 4pm IST
Date: 4th April, 2020
Location: Online link or paste this in browser https://meeting.zoho.in/meeting/register?sessionId=1372142262

Panel Speakers:

Dr John Mathew (Principal Consultant)

Jacob George (Principal Consultant)

Aligning IT Systems

The Situation

The client was a food manufacturer based in Western Europe. They were a third generation, family owned business, that was very interested in expansion. With this focus they acquired a logistics company to scale up their capability to deliver to a larger geography.

The Business Need

One of the reasons for acquisition of the logistics company, was to cater to a larger geography. The other reason was to respond to changes in demand in a more flexible manner. After the acquisition of the logistics company, the parent manufacturing company, found that the market changes were more pronounced and therefore could not keep up with the rapid changes in demand. The demand changes caused more issues within the parent company than before the acquisition of the logistics company.

Analysis

The client mentioned that the systems of the logistics company were integrated to the parent company. However, a closer look at how the parent company had envisaged the workflow to serve the market was significantly different from what the systems in the logistics company was set up to do. The logistics company had a variety of controls in place to understand the flow of materials through its systems but there was no need for the company to understand actual market demand. Market demand and in turn, the rate of flow of materials through its systems was always determined by an external firm, such as the parent company. 

The demand measurement was added to the logistics firm and the parent company expected demand management to be met by the newly acquired logistics firm.

The Solution

The solution was a compromise between the decision making in the logistics company and the decision making in the manufacturing company. ACPL decided to segregate certain functions of demand management to the logistics firm and certain functions to the parent manufacturing firm. Based on this segregation the processes had to be slightly changed, and there were significant changes to the IT systems.

Some of the functions were automated and the upper and lower bounds of operations were set using historical data from the both the firms. This automation helped remove the pressure points between the two IT systems that had caused numerous errors and issues during rapid demand changes.

Results

The alignment of the two IT systems was the key to success for this client. Throughout the engagement, there were significant ups and downs because of the disparate systems of the two firms. The data flow could only be corrected once the workflow of how the materials moved through both the firms were understood, and how the decisions were supposed to be made were understood. Both the IT systems had to work as a cohesive system along with all the people who were responsible to ensure that demand changes were being catered to. Though our engagement took nearly 18 months, the end result was quite satisfying.

Customer Segmentation

The Situation

The client was a printing firm based in Kerala, India. Their focus was on outdoor media, mainly in flexible hoardings, and signages. They catered to a wide variety of clients, ranging from walkins, to large corporate clients. Anyone who needs signage could approach them. For the last five years, their turnover has slightly increased however, their profit margins have dropped considerably.

The Business Need

The client mentioned that they were not able to increase price margins, however, they were able to get reductions in purchases because their volumes had increased. The client is worried about losing clients as the competition is increasing.

Analysis

The analysis of the client environment pointed to the large range of clients that they were catering to. Most of the interactions to each type of client had a different approach and requirements. For example, walkin customers did not have a price issue however, they usually had a strong delivery time requirement. This meant that the client had to reschedule any current manufacturing orders and even break running orders to free up the printing machine for the walk-in customer’s order. 

On the other hand, large corporate customers had long deliberations on pricing and delivery dates were well into the future. Since corporate customers needed tight pricing, the discussions were more specific and technical in nature, such as print quality, use of eco-solvents, print media quality, packaging, delivery and many more.

The Solution

Looking at each type of customer, we found that the requirements were spread quite broad and therefore, we could afford to price the services differently. We used a couple of customer profiling methods to cluster the different types of customers into approximate homogeneous segments. There were six customer segments that were identified and for each segment, we suggested a baseline pricing and an additional pricing for the range of additional services that were included for the final delivery. We created a customer feedback service and aftersales support service to ensure that pricing adjustments did not create a backlash to the client in the long run.

Results

Our engagement, from initial discussion to signoff took 6 months. There was a 1.5x increase in turnover and the profit margins were significantly increased. The customer feedback was initially mixed, as the new pricing and delivery took a few months to streamline. A majority of customers enjoyed the pricing as the additional services were clearly specified. There was significant client handholding that was required to ensure the pricing changes were accepted to the end customer. The client’s staff was quite eager to help customers as the process became simplified based on the customer segment. Once the staff identified the segment the customer was in, the rest of the process was to follow a standard script. 

Towards the end of the engagement we found that one customer segment could be divided into two more segments! The client was confident to build the pricing and related services for these new segments based on our training.

Building a robust Marketing and Sales Capability – Part 2

This is 2 part post. See the first part here

Confirmed Information

Once the marketing team or the sales team identifies the lead to be a potential customer, and the sales team does have an interest to pursue a particular lead, it is then converted. This conversion has a few of different categories of information; a contact, an account, an opportunity:

  1. A contact is a person within a company. It is possible to have multiple contacts within a company. Most interactions with a company is to a contact
  2. A company is also referred to as an account. Some systems have the capability to have parent and child accounts. This relationship is to ensure that head office and branch offices are maintained under the same account.
  3. The third aspect is the opportunity. An opportunity is a clear potential to make a sale. The opportunity in many systems are gauged by a timeframe within which the sale can be conducted and the value of a sale that can be done.
  4. There are other optional aspects such as events, notes and campaign logs that can be maintained for a converted lead. The reason behind these optional aspects is maintain a history of interaction with the customer. For example, for which marketing campaign did our company first meet with this customer or when was the email campaign sent.

The confirmed information about a contact and the company that she works for is a static data point that usually does not change over time. Contacts and account details can be used for a variety of activities such as sending proposals sending quotations, sending invitations to events or for specialised discounts and promotions.

People moving

One thing to note about a contact is that, the person may choose to work for another company in due course of time. In such a case, usually I would recommend that you mark the current contact as terminated or change the status to dead. It is very rare that you would transfer the contact data to the new company that she works for. However, you would create a new contact and the new company and keep a reference note under this contact mentioning that she had work previously for another company.

Duplicate data

Most systems will be able to detect duplicates within the contact database using fields like email, primary phone number or a combination of name and address. Duplication must be seriously looked at during this phase of the sales cycle.

The Sales Cycle

We had discussed about targets and is being part of the marketing campaign and everything  beyond leads to be part of the sales cycle. The sales cycle has numerous steps and depending on the complexity of the product or service that is being sold, the length of the cycle can drastically change.

Qualification

Qualification is usually the first step in the  sales cycle. Once the lead, or contact is qualified,  it means there is a clear need for the product or service that is being sold. The exact need would be identified in the next step of the cycle.

Needs Analysis

Based on the information that is received about the qualified lead which is converted to a contact and also an account, the exact pain point is identified. A single product or service may not address all the pain points, however, so long as there is sufficient number of pain points a value can be found.

Value Proposition

Understanding the value that the product or service will deliver to the customer is important because this value has to be clearly expressed to the customer. Before a sale, the customer has to believe that the product or service will deliver what is expected. Most of the value proposition will have to be built around solving the pain points that the customer has exhibited during the need analysis. This is a stage where the mapping of the product features to the pain points of the customer takes place.

Identifying Decision Makers

When selling a product or service to a large firm, there are usually multiple people who will be using the product and therefore, it will be necessary to identify all those who will influence the purchasing decision.

Perception Analysis

There could be other components that is required to ensure the sale can be closed. The perception of the customer is understood to incorporate the additional requirements to satisfy all the possible needs of the customer

Proposal/Price Quote

A detailed proposal is presented along with the price of the product/ service

Negotiation/Review

Most cases for large contracts, there will be negotiations that are conducted. There could be specifications that are changed or general price negotiations

Closed (Won/Lost)

This is the final stage where, the sale is closed and result is either a win or a lose. If customer is won, then the next step is to bill the customer. If the customer is lost then there could be a assessment to understand the reasons why this customer was lost.

Maintenance/Recycle

In most cases, the customer contacts are maintained for future business, whether the sale was won or lost.

Not all sales cycles follow this exact pattern. The type of product or service will determine the length of the cycle. For example, the sale of a chocolate bar to person would last a few minutes, while the sale of a large commercial oil tanker may take a few months. This difference is not because of the physical size of the product but rather the time taken to make the decision to buy or not. Most individual buyers tend to be much faster in their decision making as compared to a large corporate entity. Therefore all the phases of the sales cycle mentioned above may not pertain to the sale of a chocolate bar!

Now that we have explore the different stages of a sales cycle, do let us know how you conduct the sales cycle in your firm. Please provide your comments below!

Building a robust Marketing and Sales Capability

Most companies are aware that revenue is of utmost importance to ensure growth and sustenance for the company. This is a 2 part post. Read the second part here

The two vital components of revenue are marketing and sales. Though most firms are well aware that marketing and sales functions are important aspects, very rarely do they look at marketing and sales as a capability not as an end goal  for generating revenue. This article does not downplay the importance of sales and marketing goals, but it does show that companies with systems and procedures can sweep up more opportunities than those firms with random or incomplete processes with goals at the end.

Another aspect is that, at times, companies fail to understand the boundaries of marketing and boundaries of sales.This creates an overlap of tasks and activities thereby causing loss in effective revenue management. The separate tasks and activities of revenue management as part of marketing and sales are described next.

Sales and marketing process has a variety of tasks and activities that can be sequenced in a linear fashion. This process is quite generic and can be adopted to a variety of industries and categories of companies. The following sequence shows the overall process of a typical sales cycle:

A typical sales cycle

Target → Lead → Confirmed Information (Contact, Account, etc) → Opportunity Exists → Understanding the pain point → Proposal → Negotiation → Closing → Maintenance or Recycle

What are targets?

Targets are pieces of information about a person or a set of persons from a particular source of marketing activity. For example, if a company has conducted a seminar, then all the attendees of the seminar would be potential targets for future marketing activities. There is no potential impact on the marketing or sales activities if targets change or have incorrect data. Target are quickly changed, deleted or modified depending on the type of information that is obtained about the target. There could be additional activities done on targets such as data cleaning or a call centre based verification. In some cases email subscriptions are requested to ensure targets are real. The most cost effective method is used to ensure targets are cleaned and moved to the next stage of qualification.

A target is just the starting point to a more personalised communication to a person or a company.

The next stage of activity in the sequence is to convert a target to a lead.

What are leads?

Leads are targets that have been qualified based on an email confirmation or a phone call. Since leads have origins in the target list, their conversion depends on the campaign activity.

Each campaign activity may have different types of qualifications and therefore not all targets get converted into leads. Targets which do not get converted, may not be important for the current campaign. In some cases, a marketing campaign starts from existing leads, that were used before or were those that would never converted in previous campaigns.

The stage of leads in the sequence of marketing and sales activities represents the boundary between marketing and sales.

A lead has sufficient information  about a person or a company to to have an effective communication. However a lead does not have all the information required to make it a sustainable data point for future interaction. This is because leads can appear as duplicates or may appear across different companies with different names.

Not all leads come from targets. Some are created directly in  the system based on the Information that is received by the company. These created leads are sometimes created by the marketing department and in some cases done by the sales department. Usually the volume entries for new leads are done by marketing department and lead corrections and data scrubbing is done by the sales department.

The conversion from targets to leads, exposes a level of efficiency that the marketing campaigns are able to achieve.

Why is this lead necessary?

In most companies the sales department may feel that marketing departments waste a lot of budget with no direct return on investment. A marketing department can use the ratio of targets to leads conversion to show a clear value of the different marketing campaigns that were conducted.

Usually leads have the same data that is in the target and therefore, most sales and marketing tools are not able to distinguish unique leads within their system. In the next stage of activity, the leads are changed to a more static data point and hence duplicates can be identified more easily.

Now, as a company, we are quite sure that the customer exists and the person we are talking to exists. The information about the lead has a significant level of confirmation. The next stage of activity in the sequence is to convert a lead to a contact.

Read part 2 of Building a robust marketing and sales capability

Revenue Management

Situation

The client was a rapidly growing food chain based in a metro city in South India. They are focused on the premium cafe customers who are looking for a/c, beautiful interiors and a South Indian menu.

The rapid expansion throughout India has caused their revenues to drop in 3 successive quarters. Most of the newly opened locations have not broken even after 3 months of operations.

Business Need

The client has done a thorough study on the viability of their shop at each new location so they are confident that the location has potential. The client needs to know what changes to make so that their overall revenue per location is increased.

Analysis

The initial knee jerk reaction of the client to the current situation was to increase the advertising budget and start localised advertising, such as flyers and local newspaper and TV channels. Our team had to convince the client’s management to pull back on all the advertising spend and evaluate the entire source of revenue before committing to an advertising budget.

From our expertise in the food and retail industries, we selected a range of parameters to collect data. Most of the parameters that we had selected, such as customer age range, frequency, etc. were available with the client. Some of the parameters such as local events, tourism related customers, etc were not available and therefore we had to setup the collection for the same. Most of the analysis pointed to weak product-market fit for the entire range of menu that was presented.

Solution

The client was instructed to cut back on all menu items to just the ones that were not present in the locality of each cafe. The remaining items on the menu formed the base framework to understand the taste palate of the local customer. We were quite surprised to see the difference between the menu items from location to location. This cut back was held for a few weeks before offering customers additional menu range as a free sample. All new items were provided free for a couple of months until there were some customers who specifically asked for the new menu item. We recommended this ‘ask’ as a trigger to place the item on the menu permanently.

Results

The results were significant to the client as they did not expect the variation in menu items from location to location. The assumption was that the local cafe from a particular location could thrust the opinion of taste to another geographic region and maintain the revenue. 

The client was aware of the taste requirements at their original location but refused to accept that their taste would not be accepted in its native form to another location. 

Once we had shown the client the cut back menu item and only when a customer ‘asked’ for a new item, the results were rather evident to the client. The revenues bounced back to healthy numbers and they have now become a well known eatery in nearly all their locations.

From Risks to Audits

Risk management and audit management are distinctly separate in terms of personnel involved and the techniques used. Most organisations that have ventured into assessing risks, have found that moving from risk assessment to audit (control and test creation) is quite a daunting task. Conceptually, moving from risk assessment to audits is the ideal and logical step to take, but there has be considerable hesitation from numerous organisations.

The GRC Envelop tool has a risk management module for the enterprise version. Risk registers, associated risks, stakeholders, risk opinions/scoring, risk treatments and many more features are present in the risk module. However, there is no connection between the risk management module and audits module.Why is this left out?

Once there is a decision by the business management as to which risks exist and which are to be assessed, the next step is vague for most of the clients. Here are some of the approaches that have been noticed when we implement GRC Envelop at organisations who have started risk-based auditing:

  • create a new audit and define a “relatively” new set of controls that will assess the risks
  • map the risks to a department or division and create a new set of controls
  • modify existing controls and tests to cover the new risks, but later realise there are control gaps

Over time we have observed two aspects that should help overcome the hesitation while moving from risks to audit creation; first, the understanding that risks are part of a process that exists in the organisation and second, the overlap between existing controls/tests and the new ones has to be taken care of.

Risk as a part of a process

Risks do not exist independently within an organisation.

The recommendation is to attach a risk that needs to be handled, to an existing process. This existing process forms the basis of the risk based audit. Attaching the risk to a process is the most efficient mechanism to track where the risk would fall within the entire organisation.

However, attaching risks directly to a process may not be the ideal situation because risk exists with reference to an objective. A risk is the situation when an objective fails to achieve the desired output of a process. Therefore, attaching the risk to an objective is a much better alternative. This results in the overall structure being: Process (at the top), having numerous objectives, and each objective having numerous risks.

Do keep in mind that risks may span multiple objectives.

Control and test overlap

Though it is true that newly identified risk may need a new set of controls and tests to capture the assurance that business management needs, it is not true that these controls and tests have to be new completely new. Most large organisation have quite stable processes and keeping this assumption means that the newly identified risks may have been implicitly captured in some other control.

Understanding control overlap caused by the newly identified risk is a painful process of weeding out controls and tests that are no longer needed. This also maintains an optimised number of controls and tests for each process (not to mention control owner satisfaction).

Not so easy to find a common path

To conclude, I agree that moving from risk assessment to audit execution is not a straight forward task, but the framework of using the process/objective hierarchy will help ease the transition and help manage the ever growing risk control matrices in large organisations.

One aspect that I’d like to throw in is, the feedback from audit results back to risk assessment, but I think I’ll keep it for another post.

I look forward to your feedback on how you move from risk assessment to audit definition!