What is a risk analysis?
A risk analysis is the process of identifying and evaluating potential issues that could negatively impact an individual or organisation. It involves calculating the probability of something going wrong, and the consequences. It also shows that appropriate actions will be taken to reduce that risk and its potential to do harm. A risk analysis is commonly used at the beginning of a project or event; however, it is also hugely useful for analysing how ongoing work is being completed.
THE RISK ANALYSIS PROCESS:
Identify potential threats.
Threats can come in a number of forms: human, operational, financial, reputational, technical and so on. Making sure each of these is covered will help you develop a robust risk management plan.
Assess and define the risk level.
You will need to calculate the likelihood of the risk occurring and the severity of its effect on the business. Risks can be critical, medium or low-level. You can use a risk probability chart for this process.
Ensure each risk is prevented or detected with strong controls. Several controls can be in place for one risk. Then calculate again how likely the risk is to occur with these measures in place. You may also be able to avoid the risk altogether by taking certain actions.
Ensure each control is carried out and that staff are trained thoroughly.
Review and repeat.
Review how the controls are working and whether they are effective.
PROCURE-TO-PAY RISK MANAGEMENT BEST PRACTICES:
Review your risks regularly.
Ensuring you are regularly completing risk assessments to review evolving risks and identify new ones is extremely beneficial. It allows you to see if your Procure-to-Pay risk management plan is effective and keeps your entire plan up to date. You can then update your policies and procedures to reflect new risks and regulations.
The risk landscape is constantly changing, and fraudsters are getting smarter when it comes to infiltrating companies. Did you know that groups will send individuals to act as employees on a contract basis, and use that time to gather as much data as possible before a clean exit three months later?
The law is also changing, as the new Economic Crime and Corporate Transparency Bill legislation puts the onus on companies to show ownership and development of more watertight fraud controls.
Compile a Risk and Control Matrix.
Sharing the results of your risk assessment in a visual manner allows your team to be aware of their individual responsibilities and how they interact. A risk and control matrix is an excellent way to format this.
We’ve created a risk and control matrix template for your reference, detailing examples of risks in P2P.
Organise your risks for simple prioritisation.
The first question to ask is: what’s important to keep the business running? This will be different for each company. Many companies will place importance on compliance, while others will be preoccupied with keeping cash in the business and may place higher importance on fraud mitigation. It’s important to align with AP and finance objectives. Risks that don’t currently have controls attached to them will also be a higher priority.
You may also like to label the controls for those risks by category, with each category also having a priority value: whether the control is for risk avoidance, spreading the risk, prevention, reduction, or a transfer of risk (i.e. a security agency).
When adding these priorities and categories to your list, you will be able to clearly see which risk you need to act on first, allowing for stronger risk management.
Segregate duties in your processes.
When creating your action plan and subsequent procedures, ensure you separate and rotate responsibilities among different individuals in your team. If actions are delegated across multiple individuals, you gain more visibility across the board, make it more difficult for someone to commit fraud, and allow more errors to be caught. Internal controls such as dual authorisations and monthly transaction reviews from different members of staff will also add to your controls and enable a higher level of excellence in your AP team.
Regularly check your master supplier file.
While you may have a strong onboarding process with due diligence and credit checking, 37% of finance professionals say that’s where their checks end. Best practice would see you completing those checks daily, to really get ahead of the curve and plan accordingly. For example, monitoring your suppliers for their appearance on sanctions lists daily allows you to stop trading immediately and find a replacement supplier before it causes issues with your supply.
Our suggestion is to investigate enabling continuous credit score monitoring, sanctions monitoring and checks for adverse media.
Fraud can become easy when a supplier file is not regularly updated and cleansed. Keeping on top of duplicate suppliers and matching against employee records regularly can pay dividends here.
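The check described above, as an added example that is not part of the original article or any vendor's platform: it flags likely duplicate suppliers and suppliers that share bank details with an employee. The record layout, field names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are hypothetical.
SUPPLIERS = [
    {"id": "S001", "name": "Acme Supplies Ltd", "bank": "20-00-00 12345678"},
    {"id": "S002", "name": "ACME Supplies Limited", "bank": "20000012345678"},
    {"id": "S003", "name": "Northwind Traders", "bank": "40-11-22 87654321"},
    {"id": "S004", "name": "J Smith Consulting", "bank": "30-99-88 11223344"},
]
EMPLOYEES = [
    {"id": "E010", "name": "Jane Smith", "bank": "30-99-88 11223344"},
    {"id": "E011", "name": "Omar Khan", "bank": "60-70-80 55667788"},
]

# Legal-form suffixes ignored when comparing names.
SUFFIXES = {"ltd", "limited", "plc", "llp", "inc", "co", "company"}

def norm_name(name):
    """Lower-case, strip punctuation and legal suffixes."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def norm_bank(bank):
    """Keep digits only so formatting differences do not hide a match."""
    return re.sub(r"\D", "", bank or "")

def duplicate_suppliers(suppliers):
    """Group supplier ids sharing a normalised name or bank account."""
    groups = defaultdict(set)
    for s in suppliers:
        for kind, key in (("name", norm_name(s["name"])),
                          ("bank", norm_bank(s["bank"]))):
            if key:  # skip blank fields so empty values never match
                groups[(kind, key)].add(s["id"])
    return sorted({tuple(sorted(ids)) for ids in groups.values() if len(ids) > 1})

def supplier_employee_matches(suppliers, employees):
    """Return (supplier id, employee id) pairs with the same bank account."""
    by_bank = {norm_bank(e["bank"]): e["id"] for e in employees if norm_bank(e["bank"])}
    return [(s["id"], by_bank[norm_bank(s["bank"])])
            for s in suppliers if norm_bank(s["bank"]) in by_bank]

if __name__ == "__main__":
    print("Possible duplicates:", duplicate_suppliers(SUPPLIERS))
    print("Supplier/employee bank matches:",
          supplier_employee_matches(SUPPLIERS, EMPLOYEES))
```

Each hit is a prompt for manual review rather than proof of fraud; shared bank details can have legitimate explanations.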
Monitor and analyse accounts payable data.
You can gain extremely useful insights when analysing transactional data, allowing you to identify anomalies, trends, and patterns that may indicate potential risks or fraud. Forensic data analytics tools, such as our own platform, will allow you to proactively address key issues, while reports and root cause analysis make it simple to see where key issues lie.
Ensure fast and easily accessible reporting.
Reports are vital to know if your risk controls are working, and regular reviews are a must.
You’ll need a secure log of any breaches or issues that occur. Your staff will need to know where to submit this information so you can store it safely.
Your risk software should have integrated reports. Our risk management software features reports that let you know how many risks have been looked at and averted, and how much cash you’ve saved. You’ll be able to see at a glance.
Educate AP staff on risk awareness.
Provide regular comprehensive training to AP staff on identifying and mitigating various risks associated with their roles. Ensure each of them knows their own responsibilities and where other responsibilities lie in the team.
Maintain a strong control environment.
Foster a culture of accountability and ethical behaviour, and encourage employees to report suspicious activities or potential risks. Providing a mechanism for anonymous reporting will allow your employees to feel safe from potential repercussions.
Final Thoughts on Procure-to-Pay Risk Management
Implementing strong, secure risk management practices is critical for AP and P2P managers to mitigate risks. By following these best practices, you can safeguard your organisation against potential risks and enhance overall operational excellence.