Risk reset: How CFOs can help drive more effective system transformations


  • CFOs want investments in technology transformation to pay off, and getting there while managing new risks requires executive alignment.
  • Focusing on outcomes, organizational risks, data integrity and security and controls can help set you up for success.
  • The more complex the transformation, the more important it is to align early in the planning stages.

In a constantly changing business environment, the role of the chief financial officer (CFO) continues to expand — often making finance leaders accountable for much more than shepherding the budget and overseeing financial reporting. They’re likely focused on making sure major tech investments pay off while helping drive business transformation and modernizing the finance function.

Business transformation projects often include implementing enterprise technology solutions. Along with business and system transformation efforts, organizations typically move data and technology to the cloud. In fact, many enterprise applications are now available only as cloud-based platforms. Companies are also implementing custom-built, cloud-native applications to handle a variety of key functions.

The stakes are high, and major transformations should be carefully planned. Still, business leaders often underestimate the complexity involved and may overlook the importance of addressing risks and controls. As a result, companies may struggle to complete projects on time and on budget. When asked about transformation challenges in PwC’s latest Pulse Survey, most executives (88%) pointed to achieving measurable value from new technology. With cloud technology in particular, getting the technical and operational foundation right can be important to regulatory and risk management, as well as to financial and business success.

To help achieve value from system transformations — including migrating from legacy apps to the cloud or implementing foundational systems like enterprise resource planning (ERP) or customer relationship management (CRM) — CFOs should work with leaders across the business, including chief information or technology officers (CIO/CTO), chief information security officers (CISO) and relevant business unit leaders. They may also need to involve the board.

Collectively, leaders should address new risks that come with these transformations. The risks can include those related to data, systems security and controls; issues that crop up when certain business processes are not updated or automated; and skills gaps resulting from the transition away from legacy systems. Inadequate or incomplete change management overall can pose a notable risk, particularly when it comes to managing changes to the internal control environment. There are financial risks too, such as cost overruns and “technical debt” (suboptimal systems that are costly to maintain).

Why executive teaming matters

Mitigating these risks starts with establishing the “why” behind transformations — the business case and expected outcomes such as enhancing operational efficiency, as well as other fundamentals like timeline, resourcing, rollout plans and so on. When transformations go forward without execs on the same page, there can be serious consequences. These can include a “new” system that performs just like the old one, system integration challenges, more onerous business processes that could negatively impact customers and Sarbanes-Oxley (SOX) or other serious compliance issues.

When executive alignment is closely connected with strong governance, it helps your organization execute complex system implementations more effectively and put the right people in place to integrate applicable monitoring, controls implementation and other risk management mechanisms.

While you may be working with a system integrator (SI) on an ERP or system transformation (or if you’re having custom or cloud-native apps developed), your in-house team should concentrate on four key areas. Projects have unique risks, but this early effort in the planning phase of a major system transformation can better position your company for success.

Align on business value — and be specific

Agree on what value — that is, specific business outcomes — you expect your new ERP or other system to achieve. This can include identifying and tracking program benefits and developing a holistic, outcomes-based definition of success aligned with corporate strategy that includes planned benefits for key stakeholders. Clear goals help you establish appropriate risk and controls frameworks.

Consider an example of a global company that initiated a $100 million enterprise-wide ERP transformation guided by the loosely defined business objective of “enabling cross-selling and driving efficiencies.” Lacking detailed value metrics and priorities, the team struggled to make scoping decisions. They initially greenlighted so many user requests that double the approved funding would be needed to deliver them all. The company also relied on advice from its SI to simplify certain aspects of the configuration, resulting in a solution that wasn’t well integrated and required employees to manually enter the same data into multiple systems. This, in turn, required more headcount than the original system and was more costly to operate.

Agree on organizational impacts and risks

The example above also illustrates the importance of establishing a shared understanding about how required process changes could impact your desired outcomes. Often the move to a new ERP or other system requires business change alongside the technology implementation. When moving to cloud in particular, simply “lifting and shifting” existing applications and processes likely won’t be sufficient. Instead you’ll likely need true application modernization.

Take, for example, a service provider that wanted to improve billing efficiency by migrating from a decades-old custom mainframe system to a cloud-based solution. To control costs, the company opted to use only out-of-box configurations when implementing the new system. But during user acceptance testing, which took place after more than a year of design and integration testing, it was revealed that the new system would have negative impacts on customers and the service representatives trying to help them. To head off operational disruption and employee dissatisfaction, the team had to redesign and retest the solution. This resulted in a six-month delay — along with significant cost overruns.

Identifying and agreeing on organizational impacts and risks can also help identify areas where automating certain processes can help achieve — or even improve on — expected outcomes from the new system.

What’s more, controls testing should account for process and workflow modifications needed for a new system. It can be a good idea to identify other system implementations in progress and how they can complement — or clash with — one another.

Focus on data security and integrity

When it comes to security and controls, addressing data-related risks can be key — and another area where you should have alignment among functional leaders, as well as the steering committee. Agree on data security and quality assurance requirements, including any access management protocols or add-ons that will likely be required.

In addition to safeguarding data, you should also address data quality. A new system may require data to be processed or treated to maintain its integrity. Lifting and shifting data from an old system to the new one can introduce errors, missing data and other data-related risks, such as data sitting in functional silos that should be more generally (but securely) accessible to the new system.

Taking a hands-off approach to data can be costly. When a global company replaced a legacy system, for example, its leaders were not as involved in the data-transfer planning and execution phases as they had been during earlier parts of the project. As a result, the cleansing and transfer of data was not thoroughly reviewed.

Compounding that problem, mock data was used for user acceptance testing, which obscured data issues that should have been identified and remedied prior to go-live. The data problems were so significant that they required manual intervention to process every transaction, causing shipping and billing delays. In addition to the negative impact on customers, the data problems forced the company to extend the post go-live support period, increasing project costs.

Align across functions for stronger security and controls

Security and controls can be foundational to the success of a system implementation, and you may find that you need additional help to get them right. While many SIs have a solid understanding of system functionality, it’s likely less common that they will have a deep enough background in controls and compliance requirements to be able to adequately advise your organization on leading practices. For example, your SI may not be equipped to help you design security and controls and integrate them into your new environment. Or they may not have experience mapping to controls and designing test cases to assess those controls.

A controls mindset helps you assess your future state end-to-end processes, so they can be aligned on business value and established in the context of organizational impacts and risks. This in turn helps you more effectively identify system functionality that may be enabled (for example, three-way matching, credit limit holds or others). Likewise, you may want to consider opportunities to customize the environment to align with strategic priorities — such as building a custom guardrail in the cloud tenant to monitor compliance.

It may also make sense to bring in your external auditor to advise you on issues to address early in the process to help you assess risks and controls — especially if there are any new risks that could lead to noncompliance.

Addressing security risks includes forming a holistic and thoughtful upfront design. This considers not only what employees will likely need to do their job and what data should be segregated, for example, but also any backdoor or default access that could introduce unnecessary risk.

Using out-of-the-box roles with minimal customization might seem like a straightforward course of action — and may even appear to segregate functionality correctly. Similar issues may arise with business process configuration, which in some cases may be overridden to keep customization costs down.

Once you look deeper into security, typically by leveraging a governance, risk and control (GRC) tool, it often becomes evident that there are numerous conflicts and improperly controlled access to sensitive functionality. The resulting control deficiencies may require remediation that involves an extensive post-implementation redesign effort.

A proactively designed, thoroughly tested controls integration can help strengthen controls and identify gaps where new ones may be needed. A journal approval workflow, for instance, might be implemented to segregate access to create and approve a journal. However, introducing a new workflow may also require you to reconfigure the system to enforce the intended controls.

By having a workstream dedicated to controls during the project and making controls a focal point throughout design and testing, you can curtail problems that may come up after the system goes live.

Assess outcomes — and learn from mistakes

As CFO, you may not be the person pressing all the buttons, but you can drive transformation value. Just as you would measure success by evaluating outcomes against the business case for other finance-related transformations, you should do the same for a major system implementation. Identify risks early so you can build mitigation into the project plan. Learn from setbacks you experience so you can avoid them in the future.

When the only constant is change, businesses should transform to stay competitive. Successful system transformations can help you fortify your tech foundation so you can more easily integrate new systems that you have likely already been exploring, such as those for tracking environmental, social and governance (ESG) data or supporting Pillar Two compliance.
