The inherent risk in subsidiary governance and how to tackle it
According to a 2021 Osterman Research study, most enterprises are overconfident and lack the proper visibility to manage subsidiary risk. Subsidiary risk is a growing issue associated with managing businesses across a range of industries, geographies, and jurisdictions.
Regulatory requirements are increasingly strict and increasingly disconnected internationally, making it imperative that holding companies have a firm grip on their subsidiaries, particularly their governance, risk, and compliance performance.
As companies grow in size, diversity, operations, and markets, the number of subsidiaries and corporate complexity increase. While reasonably comprehensive frameworks of good governance exist, companies face various challenges when it comes to the governance of subsidiaries. The primary challenges are:
- How to extend and ensure corporate governance processes and policies are spread to the subsidiaries and
- What governance structures of the subsidiaries best lend themselves to oversight
Subsidiaries present a unique set of corporate governance challenges because a delicate balance must be struck between:
- The amount of control exercised over the subsidiary by the parent company
- The degree of independence needed by the subsidiary from the parent company, and
- The standardization of systems and processes across the subsidiaries and locations while complying with local laws and regulations
Holding companies must balance and meet these demands while ensuring that systems and processes assure governance along the subsidiary structure to reinforce the parent company's values, ethics, controls, and processes. Ineffective oversight can result in subsidiary governance failures, which pose both reputational and economic risks for the parent company.
Managing process and systems requirements often requires keeping track of numerous compliance provisions. Depending on the organization's size and scope, meeting these requirements involves coordinating with management and service providers around the globe, increasing cost and administrative complexity.
Holding companies need governance solutions to manage global compliance risks and to provide real-time reporting and monitoring for their subsidiaries.
According to an EY report on entity governance, 62% of holding companies are "challenged by the inability to track governance activity status." These organizations cited that "technology does not allow them to track the status of governance activities, reflecting the limitations of some legacy systems." The report also highlighted the need for solutions that offer "automated workflows so all governance activities – from internal approval through local execution – follow a defined and optimized process" and the ability to "interface with a wide variety of corporate systems, providing a centralized location for data warehousing to building analytics tools."
Older inefficient solutions cause organizations to create and maintain parallel processes and data about compliance deadlines and other governance activities, driving risk from a lack of visibility and inaccurate data. To solve these challenges, the organization needs a single source of truth using parent company data to provide real-time governance insights.
Subsidiary governance challenges
Holding companies are responsible for designing controls and implementing them to protect shareholder value, company reputation, and safeguard assets.
Unlike the holding company, many subsidiaries still operate on manual processes and legacy systems, inhibiting their ability to enforce corporate policies and processes fully. As a result, subsidiary activities can potentially pose significant risks to the entity - risks to financial reporting accuracy, fines, losses, and reputational damage.
Other notable challenges in subsidiary governance are:
Uniform use and enforcement of policies and procedures - The same EY report found that 81% of holding companies extended policies and procedures, such as segregation of duties policies, to their subsidiaries. However, this can be problematic for smaller subsidiaries. Without the ability to flexibly apply SoD policy, staff may create risky workarounds to bypass a policy that does not apply to their size and business practices. To effectively uniform policies and procedures, holding companies need the ability to create and monitor compensating controls.
Need for actionable information, reduced false positives, and increased frequency - According to the Osterman study the three changes respondents would most like to make in their process are getting actionable information, reducing false positives, and increasing the process frequency.
Operational risks - Complex business structures make it challenging to rapidly and effectively respond to a governance failure. Operational risk management is crucial for the day-to-day execution of the business. Operational risk management requires a clear relationship between business processes and the internal control environment. A top-down risk framework can streamline business processes by enabling subsidiaries to apply standard control design to mitigate risks within the business.
Disparate data systems - The governance of subsidiaries increases the difficulty of obtaining the data and information required to investigate and remediate the issue or respond to regulators and other stakeholders. Without a single source of truth, reporting data consolidation can impact financial reporting and disclosure.
Data privacy - According to the Osterman study, half of the respondents reported they would not be surprised by a breach at a subsidiary tomorrow. Organizations require sustainable privacy and data protection solutions where carefully considered detailed regulatory requirements cannot provide the necessary protection. New and updated regulations pressure organizations to consider who at the company needs access to data and what data they are permitted to see.
Audit trail - Regulatory oversight and intensifying scrutiny from auditors on your company's data and records management now includes examining the integrity of your audit data to ensure your records' transparency, trustworthiness, and reliability. An audit trail that tracks all changes made to data, which user made the change, and at what time is now essential to satisfy auditor requests. An audit trail is a hard-and-fast record to trace back errors in the corporate and subsidiary record.
Control effectiveness - Technology and the high-volume capability of automated controls testing allows for testing the entire organization rather than a limited sample of data. Testing all data eliminates the risk of failing to identify abnormalities outside the sample. Unlike manual testing, automation can conduct control testing on real-time data, providing up-to-date insights on risks and providing confidence to stakeholders.
Compliance monitoring - Monitoring compliance guarantees that your subsidiaries follow corporate policies and procedures. Auditing and controls testing can only verify that the necessary controls are in place, but compliance monitoring determines whether subsidiaries follow those controls in their daily activities. This helps organizations guard against liability, data breaches, and regulatory fines.
Process standardization and automation - Hidden bottlenecks, repetitions, and loopbacks in business processes can now be tracked, exposed, analyzed, and addressed across the subsidiary structure quickly and effectively, which leads to increased efficiency. Exposing these problematic business activities within the processes also allows for a more effective business process optimization, reduces costs, and improves the bottom line.
Embedded ITGC controls - Controls secure business process integrity, and control automation ensures the proper functioning of your business processes and ITGCs. Controls can be automated or partially automated with workflow solutions. For example, applications with workflow notifications enable manual approval processes, like access requests.
Control automation can significantly reduce the costs of maintaining compliance over time because the initial effort is a one-time cost. Automating internal controls tends to demystify the external auditor's control testing process and shorten audit cycles. The efficiency of control automation delivers businesses three significant avenues of cost savings:
Reduced cost associated with maintaining internal controls
Fewer billable hours incurred by external auditors
Fewer hours allocated by internal resources supporting compliance requirements
How SafePaaS supports subsidiary governance strategy
The problem of subsidiary governance is not about resources, staff, or data. Many organizations don’t have the advanced analytics required to arrange the data and identify suspicious patterns and weaknesses, at least not fast enough. There’s too much data and not enough analytics. Holding companies need a better way of knowing what the information means and interpreting the data to discover unknown business risks.
Applying governance, policies, and practices across the subsidiaries
SafePaaS can onboard multiple subsidiaries under a completely separate multi-tenant structure, allowing holding company management to design policies and make them available to each subsidiary as the governance standard. For example, each subsidiary can view the segregation of duty policy templates and import them into their environment without the cost of going through a risk analysis because the holding company sets the risk guidelines globally.
The subsidiaries can use their autonomy to decide how they want to control their business. But the guidelines and framework come from the holding company. SafePaaS enables your policies and procedures; these could be rules that conduct your segregation of duty policies as well as your operations, processes, and procedures. For example, in your procurement process, if your standard is that you want to follow a three-way match, that can be enforced through an approval hierarchy workflow in the systems used by the subsidiaries to enable the Procure-to-Pay process.
Consolidated reporting of system risk and controls
Holding companies' organizational structure and system architecture are unique, creating challenges in financial reporting. Holding companies perform consolidated reporting for their auditors, where the financial reporting of the subsidiaries rolls up under the holding company.
SafePaaS can generate results representing a risk in which policy or process violations have occurred. These violations can be consolidated by the subsidiary for management automatically using advanced analytics. This consolidation of risk provides corporate audit staff with a unified and comprehensive view of risk and controls at the consolidated level without having to visit each subsidiary to gather that information manually. SafePaaS can consolidate the risk and control information occurring through these subsidiaries and provide roll-up reporting at the central level, thereby reducing the errors, cost, and waste of time that goes into consolidating results for external audit review.
Maintaining operational effectiveness across subsidiaries
Holding companies provide subsidiaries with strategic objectives and financial goals, and subsidiaries must maintain operational efficiency to meet those objectives and goals. For example, revenue growth, gross margins, and net income goals ensure that the subsidiaries operate within the given financial parameters and that their results align with senior management's expectations.
SafePaaS can monitor key activities within each subsidiary's processes that impact the financial results. By monitoring these processes, like the financial close process, you post certain liabilities and expenses every time you do a month-end immediate process in your general ledger. SafePaaS can help you monitor those against your threshold values. If the liabilities or expenses exceed the threshold, those incidents will notify management in the subsidiary or the holding company as violations of the overall covenants.
Delegation of authority
Delegation of authority in holding companies is complex and is a growing area of focus for auditors. Delegation of authority is a critical control in all companies. Still, in the case of holding companies, it's even more challenging because the holding company must validate that the principles of delegation are enforced within and between subsidiaries.
Holding companies must monitor and enforce the delegation of authority throughout their subsidiaries. An example of delegation of authority is the purchasing authority within the subsidiaries. If the delegation of authority is violated, it can affect financial statements leading to penalties and a lack of confidence in stakeholders. The delegation of authority within your enterprise systems should be well-defined and controlled to address that risk.
SafePaaS mitigates this risk by monitoring the delegation of authority in your ERP, and if changes are made, management is notified. Changes in the delegation of authority are not always the result of human intervention and can occur after a system upgrade or a technical setup.
Holding companies face growing threats from governance risks, from compliance and control failures to operational errors. Holding companies need tactical and adaptive solutions to manage these risks.
Any organization that has failed to manage its operational risks knows that the impact can be even more severe than financial risks. The effects can encompass direct losses, fines, litigation, and remediation expenses from compliance lapses or indirect damage to reputation.
Today's operational risks cut across the subsidiary structure, often requiring enterprise-wide solutions. SafePaaS is uniquely positioned to help our clients develop these solutions, with unparalleled knowledge and deep experience across all risk disciplines and a broad impact record with corporate transformations. We employ classical enablers combined with advanced analytics and proprietary methodologies and tools.
Ready to learn more about how SafePaaS can transform your subsidiary governance?
Governance in the Digital Age
Digital transformation should include a corporate governance transformation to minimize risks; by implementing the right technology solutions, relevant policies and procedures that can be rapidly embedded and continuously monitored, allowing organizations to identify and address any corporate governance deficiencies quickly.
Advanced Access Analytics
Access Analytics is a key component of an enterprise access governance solution as it can improve the effectiveness of controls and provide real-time insight to mitigate emerging threats. SafePaaS customers use access analytics in many ways and rely on results to safeguard their business against cyber security risks and insider threats from access policy violations.
Data integrity for Effective Audit
With the rapid adoption of digital transformation, more companies have transitioned to maintaining records and submitting information electronically. Regulatory oversight and intensifying scrutiny from auditors on your company's data and records management now include examining the integrity of your audit data to ensure your records' transparency, trustworthiness, and reliability.