Dead Rats in Risk Management: The Myth of Complexity

by Bruce McCuaig, Director, GRC Product Marketing

Recent research commissioned and published by SAP (Managing risk in an age of complexity) reveals a startling conclusion that seems to reinforce the notion that complexity is a problem for GRC professionals.

“GRC is characterised by increased complexity. This, alongside pressures from the business to prove effectiveness, is creating significant challenges for GRC professionals.”


Complexity is a Symptom Not a Problem

I have a contrarian view. Let’s look at this more carefully.

A couple of weeks ago I published a blog that introduced the notion of “control management”. (It’s rare to see those two words used together).In 2015, with the tools, skills, resources, and knowledge we have at our disposal, the idea that complexity makes business more challenging is silly. Complexity is not the problem. It’s a symptom.

Cars are more complex than ever with more regulations, higher speeds, and more traffic. Driving a modern automobile is simpler than ever.

Aviation is more complex. There’s more aircraft, more destinations, more congestion, more threats, and more regulations. Booking a ticket, getting a boarding pass, and flying to anywhere in the word is simple.  (Comfort is another matter).

The internet is complex. But finding and ordering a book, and getting it delivered the same or the next day, is simple.

Control Management Must Simplify GRC

Here’s another finding in the research mentioned above:

“Control failure is seen to be the second biggest risk to organizations over the next two years, behind competitive forces.

I think this finding proves my point.

In most business endeavors, complexity is being addressed and simplified. If business is more complex and managing a business is more difficult, my belief is that we have failed, not as risk managers but as control managers.

Let’s look at some simple examples I have seen in some companies. And these are really simple tasks we make complex. Examples are:

Selecting a vendor, and procuring and paying for goods and services requires so many sign-offs and steps that business opportunities, as well as discounts, are lost.

Employees spend hours inputting data in needlessly complex, error prone, expense account systems

Documentation, assessment, and testing of (bad) controls is a major and complex task, consuming scarce and expensive resources.

We have the notion that controls are supposed to be “effective”. It’s an abstract thought that does not bear close scrutiny. Many businesses with “effective” controls go bankrupt. Most businesses with “effective” controls complain about complexity.

Report Card on Control Management

The concept of control management is new.

My contention is that controls are simply not seen as a manageable dimension of the business. The outcome is the belief that more controls are always better, that controls all work the same way, and that only experts know enough to implement them. It’s quite similar to herbal medicine. Some of its good, some of its bad. Pick the expert you agree with and just believe.

Control Management Report Card Report Card Letter grade
Use the minimum , number of necessary controls to achieve an objective D
Automate controls wherever possible F
Consciously design controls to adapt to human behavior F
Push accountability for controls to the business D
Hold people accountable, don’t blame controls for human failure F
Manage controls strategically F
Design controls to reduce complexity F


One Last Research Finding

Wherever complex environments have been simplified, one factor stands out. In all cases controls have been automated.

What does our recent research tell us about control automation in GRC? Only 15% believe continuous control monitoring is extremely effective and 17% believe continuous risk monitoring is extremely effective.

I went back to the researchers for an explanation. They explained that the reason the results seemed low was not a reflection of the value of automation and continuous monitoring, it was a reflection of the fact that very few companies were using either technique.

Expect complexity to remain a big issue for GRC.

I’m always interested in your feedback. What is your experience with control automation and continuous monitoring of risks and controls? Do you think controls are a manageable dimension of the business? What’s your suggestion for reducing complexity?


Using Technology to Strategically Drive Holistic Risk Management

by Michael Diehl

A recent report from the Economist, sponsored by SAP, lays out the case for holistic enterprise risk management and why it’s a vital necessity for modern business. As you prepare your organization to implement this holistic approach to Governance, Risk and Compliance (GRC), the report’s insights into best practices can aid the process.


Breaking Silos to Enable Collaboration

One of the biggest takeaways of the Economist report is the need for your organization to figure out how to do away with fragmented risk management silos and enable genuine collaboration. The report profiles logistics powerhouse UPS and the efforts of its VP of corporate internal audits, Mohammed Azam, to find a way to bring together every group under his purview to address risk management. In his case, Azam chose to set up an enterprise risk council, bypassing the normal gatekeeper avenues for communication by holding regular meetings with representatives from 25 different areas of UPS’ operations.

Steps like this go a long way toward combating the “same goal, different page” phenomenon that so often plagues the adoption of a holistic approach to risk management. That phenomenon leads to situations like nearly 70 percent of technology executives reporting that their organization doesn’t view IT security as a strategic priority. The root of that problem is poor communication, so it’s vital that you find a way to make sure everybody in your organization is reading from the same page.

Maximizing Vigilance Through Organizational Unity

A unified approach to risk management also helps you adopt the “beneficial paranoia” that’s vital to survival in today’s ultra-competitive global marketplace. Steve Lucas described this practice at a recent SAPinsider conference, using the animal world to contrast “head-in-the-sand” ostrich organizations and “follow the leader” fish with a more successful “lemur” approach.

In contrast to the other businesses, a “lemur” adopts a state of healthy strategic paranoia, always scanning the horizon for potential threats and sources of disruption. In this case, many eyes are better than one, and a unified approach ensures that you’ll hear the danger alarm as soon as it’s called, no matter where it originates within the organizational chart.

Understand Risk in the context of organization’s Strategy

Effective and holistic risk management also requires you to be able to prioritize risks within the context of your business strategy. This prioritization allows business leaders to make decisions more effectively, “At the end of the day, this is not about risk professionals, but about executive teams making sure that they understand risks,” says PwC’s Brian Schwartz, US performance leader for governance, risk and compliance. It requires robust follow-through, enabled by rigorous auditing procedures and C-suite oversight. You need to be able to assess how your risk management procedures are aligning with your strategic objectives, both to identify problems before they occur, and to ensure that your processes are as efficient as possible.

Tying this together, the Economist’s report lays out four key objectives for crafting your risk management framework:

  • Implement proactive identification of risks
  • Enable effective ownership of strategic priorities to boost monitoring and audit management
  • Ensure senior management and corporate leadership is actively engaged in oversight of strategic risk management priorities
  • Use standardized terminology and measurement processes for risk priorities

How SAP Technology Solutions Can Help

To meet these four objectives, you’ll need to adopt robust, highly capable technology tools. SAP’s GRC solutions let you quickly adapt to changes in business, technology and regulations to strengthen your business and simplify your approach to GRC. With GRC solutions, SAP empowers you to make better decisions by visualizing your own data to predict how risks might impact your performance.

Adopting a unified technology platform lets you integrate key GRC activities into your existing processes to reduce complexity and boost your insight capabilities. To find out how technology can help you improve GRC to protect your company’s reputation and financial well being, visit SAP today.



Can Running in Real Time Make Finance a Major Player?

by Chris Grundy, Director Product Marketing, SAP

In a constant quest for maximum efficiency, much of finance is now automated. The new challenge facing finance professionals is becoming a more valuable and essential part of proactive decision making. Many wonder if real-time processes can help expedite reporting and analysis that give innovative thinkers a competitive edge.

Panelists Celina Rogers, VP and editorial director for CFO Publishing; Tony Rogan, senior manager from Accenture; and Birgit Starmanns, senior director for product marketing with SAP discussed all this and more on a recent SAP Game-Changers radiocast.

Near-real time doesn’t cut it anymore

If you think the difference between real time and near-real time comes down to just a few seconds here and there, think again. According to Starmanns, it can actually be a matter of days, especially where batch processes are concerned. Those are run overnight and typically require adjustments – which then require another night to register.

Rogers understands the importance of real-time processes and sees data integrity as a concern directly tied to the quest for real time. She asserts that finance teams need to focus on how to interact with and use that data more analytically and wisely to make better-informed decisions.

“This sort of transition in finance technology will create a different kind of feedback. One that rewards the manipulation and analysis of data rather than the processing of data,” she concludes.

Personalization quickens and simplifies finance

What’s one of Google’s greatest features, aside from instantaneous search results? The personalization it provides. Over time, it actually knows your preferences. Rogers sees workers looking for the same convenience in their professional lives. Run in real time to drill down to:

  • Tax jurisdiction
  • Customer
  • Profit center
  • Country

You can pick and choose any combination to see or exclude. And business users can configure it all without having to rely on IT.

As Starmanns points out, “It’s not just making it faster for the sake of being faster, but being able to analyze other business scenarios. Because you’re done faster with the transactional piece, which is never going to go away for finance. But all the sudden you have this extra capacity to analyze other things that you could not analyze before.”

Even more exciting, you can run in real time with external information as well as your own internal data.

Scale and strategize in real time

Rogan highlights the importance of real-time capabilities for large projects and enterprises. For example, nuclear power plants need to run critical what-if analyses at their facilities to prepare for possible outages.

He details the types of questions his clients expect him to answer: “‘What if we start on this day? What if we add more people to it?’ That is getting much easier with the information we’re now able to get.”

The consensus is that a shift is occurring in finance – one that relies on real-time processes to push analytics to the forefront and make finance a true partner to the business. Listen to the full radiocast to find out more.

Clock in train station, Liege, Belgium

Why It’s Time to Implement Holistic Risk Management

by Michael Diehl

In partnership with SAP, the Economist and its Intelligence Unit discuss the pressing need for businesses to improve their enterprise risk management systems in the white paper, “Holistic Risk Management: Organizational measures to create a strategic view of risk” available now. With first-hand accounts from key players in several international organizations, it provides insight into how they revolutionized their organizations’ risk management, and offers a compelling argument for the need to adopt a truly holistic, strategic approach to governance, risk and compliance (GRC).

The Heightened Role of Strategic Risk in the Modern World

While risk management has always been a fact of life for business, leaders are increasingly aware of the need to manage new strategic risks driven by rapidly changing marketplaces and unparalleled global connection. With the rise of tech-enabled disruption, the potential for a seismic shift in your sector is always right around the corner, and it could come from anywhere around the world.

Faced with such wide-ranging and potentially catastrophic avenues for risk, you’ll need to start treating risk management as a truly strategic concern—one that becomes a core mission for every layer of your organization, instead of being confined to an isolated silo of Chief Risk Officers or audit management. In that regard you’ll be in good company, as 91 percent of organizations reported plans for revamping their risk management procedures in a 2014 CEB survey.


The Core Tenets of Strategic Holistic Risk Management

As outlined in the Economist white paper, PwC surveys have revealed that top corporate performers have consistently found success by marrying strategic concerns with truly holistic risk management. The steps they’ve taken in meeting that goal are varied, but several core tenets can be used to guide your own efforts in this area:

  • Involve your entire organization. Risk management can’t be holistic if it’s limited to isolated silos in your company. Risk arises from multiple angles, and will invariably involve the whole organization. From cyber security concerns to legal and governance issues, there’s no such thing as risk that’s limited to a single team or department. Accordingly, you’ll need to find a way to bring every player into the enterprise risk management conversation.
  • Adopt a simultaneous top-down, bottom-up approach. In keeping with a holistic perspective, you need to make risk management a mission priority for everybody in your organization. Rather than being a meta-concern limited to the C-suite, ERM should be a fact of life for everybody on the organizational chart, at every level.
  • Equip yourself appropriately. Holistic risk management requires an adaptable, highly responsive organization. This means that sluggish or outdated core operations are now a genuine threat to your very existence. Outmoded paper-driven practices won’t cut it any longer, so it’s time to ensure you’re equipped with technology tools that will allow you to position yourself for managing risk.

The Future of Risk Management

Achieving holistic risk management can help your organization preserve and grow its value, reduce the financial impact of risk, and help you optimize the impact of high-value processes and strategic goals. Truly holistic risk management can also cut your costs by giving you a sound footing to reduce unanticipated risks like compliance violations and supply chain inefficiencies, and will ensure that best practices are embedded in your core business operations. To find out how your organization can reap the benefits of a strategic approach to holistic risk management, read the Economist Intelligence Unit report today.



Simplified Financial Planning, Part III: The Future of Financial Planning and Analysis is Closer Than You Think

by Babak Ghoreyshi, Global Marketing Program manager at SAP

In the previous posts in this series, we reviewed survey data from a report by the CFO Research and SAP titled “The Future of Financial Planning and Analysis.” This detailed report covered what finance executives are saying about their current FP&A mandate and the role of data, technology and right solutions in making quicker, better and more accurate business decisions. In this final installment, we look at three of the top priorities for CFO’s and other finance executives.

New IT Systems That Can Handle the Flood of Data

The demands for real-time, ad-hoc analysis in FP&A are overwhelming existing IT systems. Finance leaders suggest that that current systems will fall even further behind as these demands grow. A majority have been unable to plan as they would like due to short turnaround times. Nearly all agree that they need faster and more responsive infrastructure for the next wave of big data. In the CFO Research study, the results show that:

  • Over half (56 percent) of finance executives are not satisfied with the scope and granularity of data due to system constraints and time pressure.
  • Just over 53 percent admit to jettisoning some complexity during “what-if” projections and risk modeling to get actionable advice quick enough to be effective.
  • A full 93 percent say that focusing on increasing speed and responsiveness will have the biggest impact on their bottom line.

Businesswoman touching digital tablet in office

Tighter Integration of Financial Planning Software with Core ERP

Instinct and experience can only take you so far in a turbulent environment. Data-based decision making software is becoming a critical tool. Financial execs report that they rely heavily on decision support software that already integrates their financial planning systems with their enterprise resource planning (ERP) systems. From the CFO Research survey data, it’s clear that the majority of financial leaders recognize the significance of ERP integration:

  • 82 percent of financial leaders who say their financial planning systems are already integrated with core ERP systems confirm that they rely on this tech to support their decisions.
  • In comparison, only 41 percent of those with financial-planning systems that are “fairly well integrated with core ERP systems, requiring some data migration” say that their systems substantially contribute to decision-support abilities.

The companies that have already integrated their financial planning systems with core ERP systems are winning in that they are better able to support effective decision making.

More Flexible and Responsive Systems

Looking into the future, financial leaders expect business users to demand greater contributions from high-value FP&A projections through 2017. Decision makers will want to dive into the numbers themselves with interactive reports and projections that reach further into the future.

Providing that level of depth in planning, analysis and reporting will grow in importance as a business need that requires higher and more effective contribution from the finance function. Here are two more fascinating predictions from financial executives that have emerged from the CFO Research survey:

  • In the near future, information and analysis systems will need to be simpler to use, but also more sophisticated and interactive with longer-range validity.
  • 88 percent of financial leaders say that decision makers in their enterprise want a better understanding of the analysis they receive and they want finance to simplify it for them.

Finance executives are already striving to help other business users make the best decisions with the analysis that they provide. In results from this survey, finance leaders expect that this trend will expand across the enterprise in the future.

How to Build on Financial Success

Success in this turbulent new economic landscape depends on access to higher quality data and analysis tools. Finance experts need more far-reaching projections that can be presented simply and clearly to their colleagues for better decision making. Start now from Finance Solution content hub, and find more details on EPM in the cloud, collaborative analytics and advice on how to best communicate reporting data. The right financial planning places a CFO in the position of a trusted adviser who can see beyond the chaos in the marketplace.


Can Internal Control be the Key to Longevity

Back in the 1920s the average longevity of companies in the S&P 500 index was 67 years, compared to just 15 years in 2012, according to Professor Richard Foster from Yale.  There’s much to bet that this has reduced even more since then.  The question is then: how can you ensure that your company is here for the long run?

Internal Control Journey – From Pure Compliance to Delivering Performance

In most companies, internal control is still addressed in much the same way as it was many years ago, using the same business structures and approach. Shouldn’t this change to focus more on performance?

Yes, I understand that there have never been so many regulations, and considering the increase in these last few years, I assume this isn’t going to slow down any time soon. But I think companies need to be proactive rather than reactive in order to stay on top of things.

Picture this. You’re already doing internal control, so why not leverage all these controls that are assessed manually or automatically, and shape them with a more performance-orientated intent?

Easier Said Than Done, Right?

Actually, I believe that progressing step by step can make this journey a lot easier than you would think. Of course a big revamp will make this happen quicker, but the cost and resources required to do so might be too much in these economically challenged times.

My suggestion, therefore, is the following. During the regular internal process review, whenever creating or updating a control, try to associate it to an objective – not a control objective – a corporate objective. Ask yourself, what company value does this control relate to: deliver constant quality of service, release reliable financial communication to stakeholders, etc.

This is the first step but not the most complex, and it’s a great step on this journey. Once this step is achieved then comes the prioritization phase.

Select the corporate objectives that give you a competitive edge and collect all their associated controls. You will know precisely what controls can help you achieve your corporate objectives and what controls have a more regulatory focus. The great thing now is that you can follow your performance using controls that are regularly assessed. Like key risk indicators these can feed you information on how well each department is doing, even allowing for a benchmark across divisions.

This means that you can investigate when one area is not performing as planned, and you can also focus your attention – or ask internal audit to do it – on the high performing organizational units. These indeed might have implemented processes that are more efficient and you might want to consider applying them to the rest of the group!

Combining a sound internal control process and linking it to strategy, means that you’re not only ensuring that your current processes are running as designed but that you are sustainable in the short/medium term. Also, these processes are supporting your overall strategy and laying the path to a long term viability.

So, is this the key to longevity? Unfortunately, I don’t have the answer, but to me protecting the value drivers of the company seems like a good starting point.

Co-workers working in computer room

Want to Be a CFO? You’ll Need More Than an Accounting Degree

by Chris Grundy, Director Product Marketing, SAP

If you’ve reached a position as prestigious as CFO, you must be finished with formal education, right? Actually, nothing could be further from the truth. As the technological landscape has evolved with in-memory technology, visualization, plus the ability to integrate forecasting and planning with the ERP system, CFOs must use of a whole new set of tools.

Panelists at a recent SAP Game-Changers radiocast, John Steele, principal with Deloitte Consulting LLP and head of the U.S. SAP finance transformation practice at Deloitte; David Dixon, partner principal at TruQua Enterprises; and Henner Schliebs, head of finance audience marketing at SAP, discussed the need to adapt to a rapidly evolving role and what characteristics define a successful CFO.

SAP's current range of mobile solutions for Finance

SAP’s current range of mobile solutions for Finance

Fulfill the many purposes of CFO

Being CFO is now a balancing act that requires tending to the traditional post of information steward and business advisor while heralding a new vision for the finance department.

According to Steele, finance is the “Rome” of a business – all roads lead to it. Every other department relies on information held by the CFO. And as finance moves further toward the back end of an organization, CFOs need a greater handle on technology so they can drive analytics in a highly mobile and social world.

Dixon adds that this critical role has reached a tipping point – you can’t just crunch numbers and expect to get the job done. If the office of the CFO can’t step up and fulfill all the organization’s needs, it will have to start sharing leadership space. This new trend is on the rise with positions such as chief information officer and other digital executives gaining in popularity.

Ideally, less is more in global leadership. It’s easier to unify an organization under one solid viewpoint. That’s where the idea of continuing education arises. Steele says, “The CFO really should think about learning more about the technology. If the CFO can rely on the CFO team to get a little bit deeper and educate the CFO, I think that’s beneficial.”

Master a Technology-Driven Finance Function

One of the key topics is data security. Schliebs explains the double-edged sword that comes with bringing a world of information to the masses: “We need to make sure that we bring the people to data, that we go away from the area of bringing data to the people, but have the service arrangement.”

He also suggests that one of the CFO’s top priorities is guaranteeing a single source of truth. Instead of spending half of planning and analysis time wondering where data came from and if it’s reliable, you can get down to brass tacks and truly run in real time.

Imagine the CFO of the Future

Dixon asserts that it’s paramount for a CFO to keep up with what’s happening in technology and the market – and that means going outside the four walls of the company. Schliebs takes this idea a step further, saying that the CFO is evolving into the true leader of an organization.

Essentially, we’re moving from a CPA-type CFO to an MBA-type CFO. More than chief bean counters, they need to be business managers who can lead and inspire an entire organization. To learn more about the characteristics and market forces that are shaping the role of CFO, listen to the full radiocast.

%d bloggers like this: