Digitizing Governance Risk and Compliance

by Bruce McCuaig, Director, GRC Product Marketing


Most of our treasured concepts of control, and many of our accepted risk practices, will land in the digital boardroom with a thud and disappear, if they make it there at all.

The truth is, much of the information provided by GRC professionals is not digital and can’t be digitized usefully.

The outputs of most control and compliance assessments are subjective opinions on control effectiveness. Much of the output of risk professionals consists of informed guesses about the future. Insight is often lacking.

Why does this matter? It matters because digital Darwinism will not be kind to GRC if it does not evolve.

Understanding Control Ineffectiveness

I find it useful to step outside the business world and have a look at our practices through a real-life lens. Some years ago my ophthalmologist prescribed eye drops to reduce the intraocular pressure (IOP) in my eyes. He assured me the medication was “effective”. (Medical practitioners don’t make a distinction between “design” and “operating” effectiveness.)

So I researched the medication and discovered the manufacturer, one of the world’s most distinguished pharmaceutical firms, was so convinced of its “effectiveness” that in some jurisdictions they offered a money-back guarantee if it did not deliver promised results.

I think in the world of GRC we would rate the design effectiveness of the eye drops as high.

Curious, I did some further research. It turns out that studies conducted by the manufacturer to secure regulatory approval revealed the following issues:

  • Approximately 20% of patients stopped taking the medication because of its side effects.
  • Approximately 10% of patients studied forgot 20% of their doses.
  • A very small percentage suffered severe and sometimes life-threatening complications.

This kind of information provides insight, supports a risk acceptance decision, and should be reported in a digitized business environment.

No Control is 100% Effective all of the Time.

Control effectiveness decisions require knowledge of both a specific objective and related issues. In reality, there is no universal standard for the effectiveness of a control or, for that matter, a medication. The question is not “is the control effective?” The question is how much risk does it leave us with, and how is performance impacted?

Let’s digitize and report the data and let the effectiveness decision be made by the stakeholders.

What Does the Digital Boardroom Need to Know About Risks and Controls?

Frankly, boards are starving for useful information about GRC. Control effectiveness opinions aren’t digital, but the underlying data supporting control effectiveness and risk acceptance decisions can be digitized. Boards in my experience don’t find risk heat maps useful. They want digital data about key risk indicators, incidents, and issues.

Boards want visualization capabilities and analytical tools, and the data to feed those tools.

The Tools are Here Today

Tools exist now, and have existed for years, to digitize GRC. We have access to incredible technology that can monitor and report on almost any aspect of GRC. But, those tools are rarely used. The business case for using them, based on cost savings and extended coverage, has always been overwhelmingly compelling. Still they aren’t widely used.

The Case for Automating GRC

Here’s the real business case for automation in GRC. Automation produces digital information. Opinions must be supported by insightful data. Without the data GRC will have nothing useful to say to the digital board. Absent from the digital board room, GRC will not have a voice in performance, strategy, or resource allocation. GRC will not be managed strategically.

The real business case for digitizing GRC is survival. Fortunately, there is tremendous value to add by doing so. GRC won’t survive without digitizing.

Sorry, but Digital Darwinism is unkind.

Is GRC on your board’s agenda? What do you tell your board about GRC?

– See more at: http://blogs.sap.com/analytics/2015/11/24/grc-tuesdays-digitizing-governance-risk-and-compliance/

CFOs: Get Ready For Instant Boardroom Insight

by Colin Sampson, Senior Vice President and SAP Ambassador

Successful businesses have a need for speed. To outrun competitors, decision makers want faster results, quicker access to data, and rapid answers to all of their questions. And the boardroom is no different.

Board members and executives like CFOs and COOs expect prompt information about everything from revenues to headcount and products to customers. Yet the most effective board meetings generate additional questions, some of which cannot be answered by prepared presentations or reports.

When the information isn’t on hand, knowledge is delayed. On the boards where I serve, the financial team often promises to research the issue and deliver answers within a few days. It’s not the ideal response, but it certainly is a common one.

But in this high-velocity economy, that kind of delay doesn’t cut it. At SAPPHIRE NOW, SAP co-founder and chairman Hasso Plattner made it clear: “We cannot solve these problems with green-and-white-striped lists anymore. We cannot do this [by] flipping through hundreds of pages. We need people to be in one room and talk to each other with real facts, not PowerPoints.”


Coming soon: the boardroom of the future

Executives and board members need a new way to interact with data and analyze issues in the moment. They want to be able to dig down into the data, visualize details, and predict what may happen next – right away, not a week from now. And if the first round of answers stimulates additional ideas, they want to ask more questions and instantly hear those responses.

That’s the boardroom of the future, and it’s a little closer than you may think. New technology solutions are about to bring real-time data, intuitive visualizations, and powerful predictive analytics to the fingertips of board members and executives alike.

Sneak peek: the digital boardroom

The SAP board of directors recently began testing this technology in board meetings, and the results are striking. We call it our digital boardroom. Attendees see agenda items appear on giant touch screens. When executives ask questions, presenters can click on different areas of the screens and then dig for detail, display historical information, change parameters, and update results with current data.

The solution allows users to display line-item data, slicing and dicing it according to various dimensions. Users can filter data, change criteria, and update the entire view in real time, using data from operational systems. They can also use a powerful predictive analytics engine to show the future – replete with dependencies and correlations.

I’ve demonstrated the digital boardroom solution to companies, and executives are excited about the value it can deliver. By supporting real-time, fact-based management, this digital boardroom technology will create massive change in how companies use information to accelerate the success of their businesses.

Stay tuned. As additional details become available, we’ll continue the discussion about how this innovative technology can deliver insight that helps companies thrive in the digital economy.

To learn more about how finance executives can empower themselves with the right tools and play a vital role in business innovation and value chain, review the finance content hub, which offers additional research and valuable insights.

Are You Seeing the Signals? How Finance Analytics and KPIs Can Help CFOs Guide the Way

by Henner Schliebs, Head of Finance Audience Marketing 

Have you ever taken a close look at your dashboard when the car computer displays key performance indicators (KPIs)? No? Yes, but not really? I am confident in saying that 99.9% of you will answer with a “not really” type of response, as there are many misleading, so-called KPIs that don’t provide guidance to make the right decision. I can’t understand why customers/drivers of cars have not yet complained about being misled. And I’m surprised they haven’t sued manufacturers for astronomical amounts of money in countries like the U.S. where this is a practice that can get downright bizarre (like this case about a toilet paper injury). Here are some rules to follow to keep your KPIs from going wrong.


Make Sure That Your KPI Is Sufficient to Guide a Decision

I recently took a look at the mileage on my truck and was surprised how the MPG rocketed up when I took my foot off the gas. So if I see MPG as a leading indicator to optimize my trip, I would never arrive at my desired destination, as I’d stop to max out on MPG. (See the picture of my car’s computer display showing above-average mileage – Italian Trucks rule!)

So, in financial taxonomy this would translate into something like a famous saying, “Zero budget is not an option.” Don’t focus on cost exclusively without having the broader goal (like margins improvement) in mind. You can’t cannibalize outcome with cost reduction—at least you’d have to achieve the same outcome at reduced costs.

Your analytics have to provide insight into the root cause for your indicators to optimize. In this case, it’s margins, by means of a decision tree, a value map, or the like, so you can see the immediate outcome of any planned action. Simulation and prediction would be needed, combined with visualization of the context, in order to make it understandable for your executives and stakeholders.

Make Sure Your KPI Is Taking All Known Information into Consideration

To stick with the road trip example, I don’t understand the GPS producers being so ignorant of the value of including some kind of data mining into their offerings. The GPS knows the distance, the type of roads followed, the time of the day, and the season you’re in (like wintery conditions that might influence the trip).

It could know how many miles in which conditions you can go per gallon—or even pull this information from the car computer if it’s an integrated system. It could measure how much time you’d take to fill your car up at the gas station. Since it can measure how long you’re there, it can even deduce if your stop is for gas or just to pick up a six-pack on your way home from the office.

So, assuming you want to go on a longer trip, say from San Francisco, CA to Austin, TX, why can’t the GPS guide you to the optimal speed to arrive at your next stop as soon as possible? This would take typical “bio breaks” into consideration (info available when you usually stop beside the freeway), gas stations to fill the car, projected traffic jams due to rush hour in metropolitan areas (Los Angeles!!!!) and the like. It could even run simulations like “If you go 70 mph instead of 85 mph you’d manage to get to your stop with this one tank…”

Sound familiar? So, let’s translate this into finance, using the planning process for example. You have all long-term planning information available, including the company’s strategic plan and the related KPIs (hopefully clear and leading ones as mentioned before), and all good information from any kind of ERP-like system. Also, you might have the plans from other areas like product sales plans, workforce plans, production plans (if applicable) and cost center plans. This would all be needed to arrive at an integrated business plan, driven by the long term financial plan.

You now would have almost all the ingredients to simulate outcomes based on different distributions of funds available for the current planning period. You won’t get trapped into pitfalls like having to pull additional funds into this planning period although reserved for later period use (having to stop at the gas station). You’d see how budgetary decisions would influence achievement of your company’s targets and would uncover potential correlations between driving indicators and outcomes (like HR development vs. hiring of external people going through the value chain arriving at optimized investment in your workforce).


Don’t omit these factors, since they’re contributing to your KPIs. Even worse, there are correlations between factors that you can’t easily figure out but would have to use statistical algorithms. For example, what makes a certain customer pay on schedule vs. being an “overdue receivable”? This is not as easy to understand as the famous “There is a correlation between sales of ice cream and shark attacks” example. But to find a causation and guide the way, you need tens or even hundreds of dimensions correlated.

What Does this Mean for You?

Things that are obvious for you as a driver of a car and that you take into consideration when planning your road trip are not as easy to uncover in your professional life as a finance expert, as many more dimensions are affecting business performance. Given that the additional charter of any mature finance organization is to provide excellent service to the other business functions within your organization, it’s your duty to support the cost center manager, the sales executive, and last but not least, every employee by providing them with relevant and contextual finance data that enables better and fact-based decisions.

In addition, sophisticated finance analytics uses the support of visualization and predictive functionality to guide the way through the core finance tasks around financial planning and analysis, accounting, treasury, operations, and even risk management, compliance and audit functions. It helps achieve more with less—operational excellence at reduced cost by supporting every finance function to deliver on the promise of simple data and intelligence provision for the whole organization.

This means that the finance function of tomorrow has a new credo: Be a partner to the company and support to differentiate from your peers, add value to the bottom line, and strategically consult the executive leadership team of your company to achieve sustainable growth.

Three Lines of Defense: Claiming a Seat in the Digital Boardroom

by Bruce McCuaig, Director, GRC Product Marketing

SAP recently announced SAP Cloud for Analytics, a planned software as a service (SaaS) offering that aims to bring all analytics capabilities into one solution for an unparalleled user experience (UX). The intent is for organizations to use this one solution to enable employees to track performance, analyze trends, predict, and collaborate to make informed decisions and improve business outcomes.

To me this sounds a lot like the mandate of governance, risk and compliance.

The Digital Boardroom

At SAP we’ve already begun to imagine a digital boardroom. As part of our Analytics business, my colleagues and I in governance risk and compliance (GRC) are keenly aware of the contribution our solutions can make to improving business decisions and business outcomes. But is the world of GRC ready for the digital boardroom?

And if the Three Lines of Defense is the framework we are advocating, what can we digitize for the digital boardroom? There is plenty of literature on implementing the Three Lines of Defense. I am basing much of this blog on the IIA’s guidance. However, this does not provide guidance on what to report or how to report it.

Five Requirements for Claiming a Seat at the Digital Board Room

  1. Reporting by the first line of defense – operating management

Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. How can this be reported? One of my colleagues mocked up the report below. It illustrates a possible report on the management of controls in a particular area. It’s a useful beginning. But if the digital boardroom is supposed to drive better outcomes, we need to find a way to illustrate the impact of controls on performance.

Figure 1


  2. Reporting by the second line of defense – risk management and compliance

Management establishes various risk management and compliance functions to help build and/or monitor controls for the first line of defense. What would it take to understand the effectiveness of first line of defense controls? A few years ago, I mocked up a simple app that aggregated losses and incidents by risk category. The best way to understand control effectiveness is to understand the losses and incidents that occurred. If the second line of defense classifies the root cause of the issues and losses, the Board can make intelligent decisions and come to sound conclusions. Right now the Board gets subjective opinions on control effectiveness from assurance providers. Control effectiveness opinions are not comforting to me. They make sense only when objective information is not available. I would prefer the facts and I believe the Digital Board wants its facts digitized.

Figure 2


  3. Reporting by the third line of defense

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. So how do we digitize “assurance”? I have asked myself this question for years. In my view internal audit can add value by “painting a picture” of the world of governance, risk and compliance. One way to do this is by showing how the organization conforms to a set of criteria.

There are many criteria. The Committee of Sponsoring Organizations (COSO) provides one. The International Standards Organization (ISO) provides others. OCEG provides yet another, specifically the GRC Capability Model, a detailed set of criteria designed to help organizations achieve principled performance.

Figure 3

The Role of Analytics

Reporting to the digital boardroom will require classifying and tagging information and then slicing, dicing, and visualization. That is what analytics tools and BI solutions do. It is close to the opposite of reporting on control and risk effectiveness. It is reporting on control and risk facts. Nothing less will do.

Uncharted Territory

The digital boardroom will take the Three Lines of Defense and GRC generally into uncharted territory. If we as GRC professionals have anything to say, it had better be digital and it had better be useful.

As always, I am interested in your comments. The Three Lines of Defense concept is far from perfect but as I have suggested in my earlier blogs it is a sound basis for collaboration and a fine starting point.

How do you report on GRC topics to your Board today? Do they read your reports? Are they visual? What do you see in the future?


SAP America’s CFO says finance execs need to embrace technology or they’ll get left behind

originally by James Kosur, Business Insider

If you adopt technology and make it an integral part of your business, “you will gain a much deeper level of understanding to benefit your organization.” That’s the message delivered by SAP North America CFO Arlen Shenkman.


SAP is a multinational software company that specializes in enterprise software used to manage business operations and customer relations.

The company has a front-row view of how far behind many CFOs are on the tech front.

Business Insider spoke with Shenkman about the increasing importance of technology in the finance function. “The amount of data that businesses have should be enormous — if you aren’t able to pull specific information or don’t have visibility into a specific area within your company, this should be a red flag that you are behind in some way,” Shenkman says.

“The world is changing quickly and business model shifts are relevant to everyone,” he adds. “Technology needs to be in a position to address this shift or you will get left behind.”

Shenkman discusses some of the major impacts technology is having on the CFO role and the finance function in general.


Business Insider: What is the single biggest impact technology is having on CFOs?

Arlen Shenkman: There is an exponential amount of data available that is associated with running a business, and today technology is giving CFOs access to that data. CFOs have always been playing with data so to speak, in the sense of watching over numbers and information. Now, however, technology has provided them with the ability to make it actionable.

CFOs know that in order to be successful, they need to translate data in real time, and technology is helping them do just that. Technology is making it possible for CFOs to do more than translate data into business insights — they can use technology to analyze data, understand where the company has been because of it, and use it to control where it is going.

How is big data affecting transparency in the CFO role?

The rise of data has made it possible for people to understand their business more generally across all lines of business. For CFOs, data provides them with more opportunities to gather and analyze financial results.

To succeed in today’s business world, CFOs must go beyond typical finance functions to deliver a focus on leadership to the business.

Implementing a data-driven approach provides CFOs with more transparency into the business model. These additional, valuable perspectives will help CFOs make profitable decisions.

What are other major impacts technology is having on the CFO role?

One that comes to mind is in regard to real-time reporting. Technology has made it possible for companies to close their books every day, as opposed to just monthly or quarterly. Having accurate, timely financial information is critical to supporting decision-making, and technology has really taken that capability to the next level.

Compliance is another major area where technology is making a significant impact for CFOs. Due to the increased risk of security and compliance liabilities we experience today, CFOs are now taking a more active role, shifting toward taking on responsibilities that have traditionally been those of IT.

What should CFOs be doing to prepare for the future tech shift?

To best shape their technology investments, CFOs need to have a clear understanding of two things: First, they must understand where their business is going in the future from a business model standpoint.

Second, they need to have a keen understanding of where the competitive landscape is headed. For a company to succeed, its CFO needs to know what their competitors are offering. That way, they can determine what investments make the most sense to match or stay ahead of competition.

A recent study found that technology is the biggest stress factor for CFOs. Can you offer some advice for mitigating that stress?

In my opinion, part of the reason CFOs are stressed about technology is because technology is having a fundamental impact on the role of the CFO. As a result, a company’s expectations of the CFO are changing.

A key area where we see this shift is in the number of CIOs who are reporting to CFOs directly, which has grown exponentially over the last 10 years.

In order to mitigate stress, CFOs should spend some time educating themselves on the technology landscape. One way to do this is to find trusted advisors who can help teach them about what is happening in the marketplace. This can be anyone from another CFO to a CIO to a vendor.

What is the biggest mistake SAP has seen CFOs committing on the technology front?

The biggest mistake I have seen is not having a common platform that controls the books and business matters of a company. CFOs really underestimate the benefits that come with having a single platform in terms of how they control that business and understand the risk behind it.

Today, many companies still have a patchwork of technologies that are responsible for various parts of the business. By allowing the platforms to remain separate, CFOs actually end up having a lot less control than they think, which can impact financials negatively in the long term.

What advice would you give to CFOs looking to implement tech changes at small-to-midsize businesses?

Given the nature of their business, CFOs at small-to-midsize businesses, rightfully so, are very concentrated on costs. At the end of the day, it should really be more about return on investment as opposed to which offering is the most affordable.

Technology is a big decision, and can be costly, so it is easy to get caught up in the numbers. In order to make the best decision, it’s important to look at the bigger picture and determine the ROI as opposed to focusing all efforts on cost.

The Integration of Enterprise Risk Management (ERM) and Enterprise Performance Management (EPM)

by Gary Cokins


Governance and compliance awareness from government legislation such as Sarbanes-Oxley in the US and Basel II is clearly on the minds of all executives. Accountability and responsibility can no longer be evaded. If executives err on weak compliance, they can go to jail. As a result internal audit controls have been enhanced. The popular acronym that addresses this is GRC for governance, risk, and compliance. From the perspective of enterprise performance management, one can consider governance (G) as the stewardship of executives to behave in a responsible way, such as providing a safe work environment or formulating an effective strategy; and consider compliance (C) as operating under laws and regulations. Risk management (R), the third element of GRC and often referred to as enterprise risk management (ERM), is the element more associated with enterprise performance management (EPM).

Some organizations are beginning to integrate ERM and EPM. In a little under two weeks’ time I will be presenting this topic as a keynote speaker on November 10 in Las Vegas at the SAP Conference for Financial Planning, Consolidation and Controls. I shared some of my thoughts about technology and reasons for speaking at this conference in an interview recently, but as I shall be covering a broad topic area in my conference presentation concerning the integration of ERM and EPM, I decided to write a little more about this now, before heading to Las Vegas, as a scene-setter in many ways for what I’ll speak about there.

You may think that this theme is a little out of step with the themes running through my recent blog series, as this blog is the final one of 8 blogs in the 2015 Summer/Fall series of my SAP blogs. I hope you’ll see however that there is merit for bringing this topic to the forefront of thought again, as to my mind there’s a very clear link between innovations in planning and analytics in the Cloud and how these might be integrated with an approach to risk management. A limitation to this integration to date has not necessarily been owing to a lack of interest, understanding or willingness to do this, but rather that the actual methods have been cumbersome and sometimes complex, especially when viewed from a technology standpoint. But that’s changing. Technology is becoming easier, simpler to use and the once distinct disparities between functional capabilities in Analytics, EPM and ERM are starting to blur and fade away, to be replaced by clear lines of vision, collaboration and unison. So if we can remove the “how” as a barrier to integration, let’s consider the “why”, because this is how we’ll stimulate businesses to invest serious time and energy in taking risk-informed planning decisions as a part of their normal business processes. For this let’s go back to basics.

The integration of ERM and EPM

EPM is now more correctly being defined as a much broader umbrella concept of integrated methodologies – much broader than its previously misperceived narrow definition as simply being dashboards and better financial reporting. What could possibly be an even broader definition? My belief is the EPM methods are only a part – but a crucial, integral part – of how an organization realizes its strategy to maximize its value to stakeholders, both in commercial and public sector organizations. This means that enterprise EPM must be encompassed by a broader overarching concept – enterprise risk-based performance management – that integrates EPM methods with enterprise risk management (ERM).

The “R” in GRC has similar characteristics to EPM methods. The foundations of both ERM and EPM share two beliefs:

  1. The less uncertainty there is about the future, the better.
  2. If you cannot measure it, you cannot manage it.

The premise here is to link risk performance to business performance. Whether EPM is defined narrowly or ideally more broadly, for most organizations it does not embrace risk governance. It should. Risk and uncertainty are too critical and influential to omit. For example, reputational risk caused by fraud (e.g., Tyco International), a terrifying product-related incident (e.g., Tylenol), or some other news headline grabbing event can substantially damage a company’s market value.

Is risk an opportunity or hazard?

ERM is not about minimizing an organization’s risk exposure. Quite the contrary, it is about exploiting risk for maximum competitive advantage. A risky business strategy and plan always carries high prices. For example, whatever investment analysts do not know about a company, or are uncertain or concerned about, will result in a premium being added to capital costs and a discount being applied to the company’s stock value. Uncertainty can include accuracy, completeness, compliance, and timeliness in addition to just being a prediction or estimate that can be applied to a target, baseline, historical actual (or average), or benchmark.

Effective risk management practices counter these examples by being comprehensive in recognizing and evaluating all potential risks. ERM’s goal is less volatility, greater predictability, fewer surprises, and arguably most important the ability to bounce back quickly after a risk event occurs.

A simple view of risk is that more things can happen than will happen. If we can devise probabilities of possible outcomes, then we can consider how we will deal with surprises – outcomes that are different from what we expect. We can evaluate the consequences of being wrong in our expectations. In short, ERM is about dealing in advance with the consequences of being wrong. Risk can be viewed as having an opportunity that can be beneficial in the future in addition to risks viewed as hazards. For example, a rain shower may be a disaster for artists at an outdoor art fair while being a huge break for an umbrella salesperson. What risk and opportunity both have in common is that they are concerned with future events that may or may not happen, their events can be identified but the magnitude of their effect is uncertain, and the outcome of the event can be influenced with actions.

Problems quantifying risk and its consequences

Risk is usually associated with new risk mitigation expenses because risks may turn into problems. In contrast, opportunity can be associated with new economic value creation, such as increased revenues, because opportunities may turn into benefits.

Most organizations cannot quantify their risk exposure and have no common basis to evaluate their risk appetite relative to their risk exposure. Risk appetite is the amount of risk an organization is willing to absorb to generate the returns it expects to gain. The objective is not to eliminate all risk, but rather to match risk exposure to risk appetite.

ERM is not simply contingency planning. That is too vague. It begins with a systematic way of recognizing sources of uncertainty. It then applies quantitative methods to measure and assess three factors:

  1. The probability of an event occurring
  2. The severity impact of the event
  3. Management’s capability and effectiveness to respond to the event

Based on these factors for various risks, ERM identifies the triggers and drivers of risk (measured as key risk indicators or KRIs), and then it evaluates alternative actions and associated expenses to potentially mitigate or take advantage of each identified risk. These actions should ideally be included during the strategy formulation and re-planning process and reflected in financial projection scenarios – commonly called “what if” analysis.

The three types of risk

There are three categories of risk. EPM is involved in the second category, as described next.

Preventable Risks – These are unauthorized employee actions or breakdowns in standard operating procedures. This category of risk can be reduced by:

  • Communication of “Codes of Conduct” and mission and vision statements
  • Strong compliance practices (e.g., internal controls like “segregation of duties,” internal audit, standard operating procedures, whistle blowing promotion)

Strategy Execution Risks – In this category, risks are taken to execute the CXO executive team’s strategy to generate superior returns. Examples are: credit risk, R&D programs, and hazardous environments. These types of risk cannot be reduced to zero. Their likelihood of occurring can be reduced, or they can be effectively contained should they occur.

External Risks – This category of risk is caused by uncertain, uncontrollable external events that cannot easily be predicted or influenced. Managers often “don’t know that they don’t know.” Scenario exercises can identify risks. However, if these types of risks can be envisioned, then risk mitigation actions can be taken. Examples are: building earthquake or flood-proof structures; backup data centers in distant locations; and insurance, hedging, and diversification.

Risk managers – friend or foe to profit growth?

Unfortunately this topic has a dark edge. A report of The Economist Intelligence Unit sponsored by ACE, a global insurance company, and KPMG is titled, “Fall guys: Risk management in the front line.”[1] In the report, a risk manager claims he was fired for telling his company’s board of directors that too much risk was being taken. Did management want to ignore a red flag of caution to pursue higher profits? The broader question involves how strategy planners view risk managers. Are they profit optimizers or detractors?

The Economist report was a result of extensive surveys and interviews. The impact of the 2009 global financial sector meltdown was clearly top of mind for the respondents. The report highlighted that risk management and governance policies and structures require increased authority, visibility and independence. However, planned increases in investment and spending for them are typically modest, if any. This is not a good sign. The reality is that the natural tension and conflict between the risk functions and a business’s aspirations for higher profit growth remain present.

Invulnerable today but aimless tomorrow

Will the increasing interest in integrating ERM with EPM methods continue, or is it a temporary phase? Hopefully, the interest will be permanent, but there are impediments. Business line managers may continue to view the risk function as a mechanical brake slowing the gas pedal of sales and profit growth. Also, technical knowledge and experience by boards of directors and executives may be inadequate to fully understand how to integrate ERM with EPM.

On a positive note, risk management is gaining influence and using more structured modeling and analytics software. Managers are creating a richer organizational culture for metrics and risk awareness that considers opportunities, not just threats.

I continue to be intrigued by the fact that almost half of the roughly 25 companies that passed the rigorous tests listed in the once-famous book written in 1982 by Tom Peters and Robert Waterman, In Search of Excellence, today either no longer exist, are in bankruptcy, or have performed poorly. What happened in the 32 years since the book was published? My theory is that once an organization becomes quite successful, it becomes averse to risk taking. Taking risks, albeit calculated risks, is essential for organizations to change and be innovative.

Is today’s risk manager going to continue to be the fall guy? Not if those responsible for strategic planning appreciate that they are not gamblers using investors’ money, but rather stewards of the company’s – and investors’ – financial futures.



[1]  http://www.businessresearch.eiu.com/fall-guys.html


Join us at the SAP Conference for Financial Planning, Consolidation and Controls in Las Vegas 10-11 November, where I’ll be delivering a presentation on performance and risk management. I hope to see you there!  


About the Author: Gary Cokins, CPIM


Gary Cokins (Cornell University BS IE/OR, 1971; Northwestern University Kellogg MBA 1974) is an internationally recognized expert, speaker, and author in enterprise and corporate performance management (EPM/CPM) systems. He is the founder of Analytics-Based Performance Management LLC (www.garycokins.com). He began his career in industry with a Fortune 100 company in CFO and operations roles, then spent 15 years in consulting with Deloitte, KPMG, and EDS (now part of HP). From 1997 until 2013 Gary was a Principal Consultant with SAS, a business analytics software vendor. His most recent books are Performance Management: Integrating Strategy Execution, Methods, Risk, and Analytics and Predictive Business Analytics.



Should Analytics (and EPM) be redefined?

by David Williams, VP Global Product Marketing, Analytics at SAP

“SAP Redefines Analytics in the Cloud” – that was the headline for the press release announcing SAP Cloud for Analytics, which was formally unveiled during the keynotes at SAP TechEd Las Vegas. SAP Cloud for Analytics brings together the ability to analyze, predict and plan in one product. So whether you’re a business analyst who needs to do data discovery and visualization; a business operations person who needs to do reporting and planning; an FP&A pro who needs to do planning, profitability modeling, and forecasting; a data scientist who needs to build predictive models for the aforementioned to leverage; or a manager consuming key metrics and performance indicators in a report or dashboard, there’s now one interface to do it, with the ability to collaborate with your colleagues in context.


Bernd Leukert, Member of the SAP Executive Board, Products & Innovation at SAP, introduces SAP Cloud for Analytics during SAP TechEd Las Vegas Keynote

To date these capabilities have been delivered in a siloed product approach – you can buy this planning tool here but it doesn’t do data discovery; you can buy this BI tool there if you want to do in-depth analysis but it doesn’t do planning; and you can buy this predictive analytics product if you want to do predictive modeling. All separate products – all separate product categories. But here’s the kicker, and here’s why we designed SAP Cloud for Analytics – Finance professionals, business analysts, board members – anybody who is involved with decision making needs a combination of these capabilities to do their jobs.

Why should they have to buy and integrate a patchwork of point cloud solutions? This question is what inspired us to build SAP Cloud for Analytics.

SAP Cloud for Planning becomes SAP Cloud for Analytics

SAP Cloud for Analytics was born out of SAP Cloud for Planning (generally available since February 2015), our built-for-SaaS application targeted at Financial Planning and Analysis (FP&A) professionals. SAP Cloud for Analytics is the new name for SAP Cloud for Planning, reflecting the additional capabilities of data discovery and visualization, and predictive analytics. When we designed SAP Cloud for Planning, we rethought how an FP&A person would want to use a planning application and where current cloud offerings from planning and Enterprise Performance Management (EPM) vendors were missing the mark. That’s the advantage of being a late entrant to a space – you get to see where others are not solving current problems and bring to market an innovative solution that does. What we noticed were 3 key things:

  • current cloud solutions only solved part of the problem, requiring people to stitch together multiple products to do their jobs
  • most current cloud offerings were based on old technologies and paradigms (some well over 10 years old) with performance limitations that restricted what questions could be asked
  • many current cloud EPM offerings were just too difficult to use, limiting adoption

Something that only solves part of the problem is not a solution

From a Finance perspective, FP&A’s job involves “acting as the analytical engine of the company to provide insights and support optimal decision making”. This includes planning/modeling, budgeting, forecasting, and variance analysis, “to provide accurate and timely recommendations” (that’s where predictive analytics and in-memory computing come into play). To date, no product provides these capabilities in one interface, so most finance teams are using a hodgepodge of tools to try and do this or, worse, just using standalone spreadsheets. It’s been virtually impossible to pry Excel out of the hands of Finance because they like the formula-driven modeling capabilities and flexibility, which they aren’t getting in current tools.

With SAP Cloud for Planning we strategically decided to embed analytics into the planning interface so that FP&A wouldn’t have to integrate multiple products and flip between products/screens to do their jobs of supporting optimal decision making. We also made the modeling environment formula-driven rather than using the traditional OLAP approach. Building this on the SAP HANA Cloud Platform removed performance barriers from the equation. This allowed us to give Finance the benefits of Excel without the downside of using Excel spreadsheets.

But the plan was never to stop at just planning and analysis for Finance. We realized that the same issue for Finance was being experienced in lines of business – an artificial disconnect between planning and analysis, disconnected business planning processes, and difficult-to-use tools, again fostering the use of Excel. In fact, some of our first opportunities for SAP Cloud for Planning were not for financial planning requirements but in lines of business for sales planning and headcount planning.

EPM is more of a process than a product category

At the same time that we built SAP Cloud for Planning, we started to question the separation between the product categories of Business Intelligence (BI), EPM, and predictive analytics. Do these really need to be separate products/categories? I’ve spent the last 12 years in the analytics space (5 years in BI and the last 7 years in EPM) so I’ve seen the market from both the EPM and BI perspective. The real difference between BI and EPM is the audience, not the technology. In the past, BI was typically sold to IT/developers to create reports consumed by others, and EPM to Finance as “applications” for monitoring KPIs, financial planning, and consolidations/disclosure.

But these “stereotypes” of BI and EPM are already being challenged. Self-service agile data discovery and visualization has replaced IT-driven “production reporting” as the predominant form of BI. Business operations analysts also do planning. Finance teams build reports in addition to planning and forecasting models. In fact, I’d argue that EPM is more a process than a software category – the process of managing business performance using BI tools, methodologies (e.g., balanced scorecard), and processes (e.g., annual budgeting). Only one of these elements is pure technology – BI tools. Methodologies and processes are best practices that make their way into technology as content (formulas, logic, reports, KPIs, etc.) and that’s what gets delivered in the form of “EPM applications”. In other words, EPM to date has been about selling analytic applications with prebuilt content to Finance, and pretty much Finance only.


SAP Cloud for Analytics for planning provides an intuitive interface for planning, visualization, and reporting.

Cloud for Analytics looks beyond Finance to serving the entire analytics needs of the organization

Driving better decision making and business performance requires cross-organizational participation, and EPM application adoption has never broken out of Finance. Many analysts are recognizing this and rethinking how they define EPM. For example, Gartner is splitting their Corporate Performance Management (CPM) category into “Strategic CPM” and “Finance CPM” – the former more oriented towards business planning and analysis and the latter towards purely Finance functions (consolidations, close, and disclosure mgmt.). In “The Breakup of the CPM Suite”[1], Gartner states, “Management reporting has evolved past traditional responsibility reporting. Organizations are expecting more robust visualizations and an integrated performance perspective from their applications, bringing together KPIs/metrics, results and forecasts for operational areas linked to financial reporting (the flip side of IFP) into consistent playbooks and performance reports. For many organizations, these capabilities are a combination of disclosure management, BI and traditional CPM capabilities, yet extended beyond traditional accounting walls.”

The siloed approach to EPM has also been challenged by Ovum’s Surya Mukherjee, who states, “The SAP Cloud for Analytics announcement is noteworthy because it is the harbinger of a unified analytic future across departments and an end to the ‘data myopic’ mentality that has long affected finance. For too long, EPM has existed as an analytic silo, isolated from the rest of enterprise in every sense – in data, analytics, and skills. This means that line-of-business professionals have never properly understood the rationale behind financial planning and haven’t been able to contribute meaningfully to finance processes.”

With SAP Cloud for Analytics we deliver embedded finance functions, formulas and other content for finance today and also plan to deliver packaged application extensions for sales, marketing, and HR. IT can still build reports if required and even embed SAP Cloud for Analytics in other applications. The difference is that all this is done in one experience/platform across capabilities and across all users, which not only makes it easier for you as a user to do your job but also easier for you as a company to buy, manage and roll out a solution to drive better decision making across your entire organization.

Because SAP Cloud for Planning has been available since February, you can already start using the planning capabilities of SAP Cloud for Analytics today. New data discovery and visualization capabilities are planned to be available soon (you can request a trial here) and embedded predictive analytics in early 2016. Beyond that, we look to bring risk management into the equation, continuing to redefine analytics and to further enhance your ability to drive better, fact-based decision making and results.



[1] “The Breakup of the CPM Suite”. John E. Van Decker, Christopher Iervolino. Gartner Inc. 28 July 2015