Digitizing Governance Risk and Compliance

by Bruce McCuaig, Director, GRC Product Marketing


Most of our treasured concepts of control, and many of our accepted risk practices, will land in the digital boardroom with a thud and disappear, if they make it there at all.

The truth is, much of the information provided by GRC professionals is not digital and can’t be digitized usefully.

The outputs of most control and compliance assessments are subjective opinions on control effectiveness. Much of the output of risk professionals are informed guesses about the future. Insight is often lacking.

Why does this matter? It matters because digital Darwinism will not be kind to GRC if it does not evolve.

Understanding Control Ineffectiveness

I find it useful to step outside the business world and have a look at our practices through a real-life lens. Some years ago my ophthalmologist prescribed eye drops to reduce the intraocular pressure (IOP) in my eyes. He assured me the medication was “effective”. (Medical practitioners don’t make a distinction between “design” and “operating” effectiveness.)

So I researched the medication and discovered that the manufacturer, one of the world’s most distinguished pharmaceutical firms, was so convinced of its “effectiveness” that in some jurisdictions it offered a money-back guarantee if the drops did not deliver the promised results.

I think in the world of GRC we would rate the design effectiveness of the eye drops as high.

Curious, I did some further research. It turns out that studies conducted by the manufacturer to secure regulatory approval revealed the following issues:

  • Approximately 20% of patients stopped taking the medication because of its side effects.
  • Approximately 10% of patients studied forgot 20% of their doses.
  • A very small percentage suffered severe and sometimes life-threatening complications.

This kind of information provides insight, supports a risk acceptance decision, and should be reported in a digitized business environment.

No Control Is 100% Effective All of the Time

Control effectiveness decisions require knowledge of both a specific objective and the related issues. In reality, there is no universal standard for the effectiveness of a control, or for that matter of a medication. The question is not “is the control effective?” The question is how much risk does it leave us with, and how is performance impacted?

Let’s digitize and report the data and let the effectiveness decision be made by the stakeholders.

What Does the Digital Boardroom Need to Know About Risks and Controls?

Frankly, boards are starving for useful information about GRC. Control effectiveness opinions aren’t digital, but the underlying data supporting control effectiveness and risk acceptance decisions can be digitized. Boards in my experience don’t find risk heat maps useful. They want digital data about key risk indicators, incidents, and issues.

Boards want visualization capabilities and analytical tools, and the data to feed those tools.

The Tools are Here Today

Tools exist now, and have existed for years, to digitize GRC. We have access to incredible technology that can monitor and report on almost any aspect of GRC. But, those tools are rarely used. The business case for using them, based on cost savings and extended coverage, has always been overwhelmingly compelling. Still they aren’t widely used.

The Case for Automating GRC

Here’s the real business case for automation in GRC. Automation produces digital information. Opinions must be supported by insightful data. Without the data, GRC will have nothing useful to say to the digital board. Absent from the digital boardroom, GRC will not have a voice in performance, strategy, or resource allocation. GRC will not be managed strategically.

The real business case for digitizing GRC is survival. Fortunately, there is tremendous value to add by doing so. GRC won’t survive without digitizing.

Sorry, but Digital Darwinism is unkind.

Is GRC on your board’s agenda? What do you tell your board about GRC?

Source: http://blogs.sap.com/analytics/2015/11/24/grc-tuesdays-digitizing-governance-risk-and-compliance/

The Role of a Risk Committee

by Thomas Frenehard, GRC Solution Management


Remember the dinosaurs from your history books? Extinct, right?

Well, this is the way some companies are going, because they focus all their efforts on looking backwards. And to me, this is precisely where Audit and Risk Committees have a crucial role to play: not to focus on the same issues, but to have a different mindset.

By nature, the Audit Committee will focus on the findings from the audit report, looking backwards at what’s already happened. I personally think that the Risk Committee should focus on forward-looking uncertainties… and how to best leverage potential opportunities.

This Risk Committee can then have a true advisory role to the Board. It should, of course, be able to discuss the most important threats that would prevent an organization from achieving its objectives and it should also be able to recommend a course of action to flip downsides into opportunities.

Most likely the Board is not the right body to discuss and review the multiple risk scenarios, test new assumptions, and so on. But if it relies on a knowledgeable Risk Committee, it will be able to make the right decision for the business and increase value for the shareholders.

So, how can this work?

Last week I was lucky to attend a workshop on this specific topic, Risk Committees, that sparked many discussions and exchanges of opinions amongst participants. Here are my summarized thoughts from the event.

  • A clearly defined mandate is needed

A Risk Committee can only be successful if it is given a clear mandate by the Board. Its roadmap and mission statement, if you wish. Here, I would suggest that the Board define expectations for the Risk Committee that would be relevant to supporting true business decision making.

In association with the mandate, and for the Risk Committee to be realistic in its assumptions, I would expect the Board to share its risk appetite and how it reached this conclusion, as this will guide most of the scenario work.

  • On-board knowledge

To have an active Risk Committee, I think it has to embed a risk culture. This might happen because the committee is at least partially composed of risk experts, or because it’s ingrained in the DNA of its members.

I would also suggest involving industry experts in the Risk Committee, as this is the only way to have realistic and probable scenarios.

  • Sufficient tools and information

The role of this committee will be to review risks and to simulate potential negative and positive outcomes. If its participants are not given sufficient risk information, how can they do that?

In addition to providing risk information, I would also recommend authorizing this committee to interview Risk Owners when necessary, as they are the business experts that can shed light on business contexts.

  • Report to the Board and then take action on its recommendations

To my mind, if such a process is defined, then the Board needs to set some time aside to debate the recommendations from the Risk Committee. And here, it can’t be a passive presentation from the committee to the Board; it has to be a two-way street with some questioning. The Board needs to challenge the assumptions and needs to provide feedback on whether expectations have been met, or the Risk Committee won’t be able to adjust its next reporting.

Also, the Board needs to take action on the recommendations. And keep in mind that deciding to wait until more information is gathered or that events start to unfold is already a decision, provided it is documented and agreed on.

How does this sound to you? Would you agree that immobility is a great threat to many of our organizations?

Three Lines of Defense: Claiming a Seat in the Digital Boardroom

by Bruce McCuaig, Director, GRC Product Marketing

SAP recently announced SAP Cloud for Analytics, a planned software as a service (SaaS) offering that aims to bring all analytics capabilities into one solution for an unparalleled user experience (UX). The intent is for organizations to use this one solution to enable employees to track performance, analyze trends, predict, and collaborate to make informed decisions and improve business outcomes.

To me this sounds a lot like the mandate of governance, risk and compliance.

The Digital Boardroom

At SAP we’ve already begun to imagine a digital boardroom. As part of our Analytics business, my colleagues and I in governance, risk and compliance (GRC) are keenly aware of the contribution our solutions can make to improving business decisions and business outcomes. But is the world of GRC ready for the digital boardroom?

And if the Three Lines of Defense is the framework we are advocating, what can we digitize for the digital boardroom? There is plenty of literature on implementing the Three Lines of Defense. I am basing much of this blog on the IIA’s guidance. However, that guidance does not say what to report or how to report it.

Five Requirements for Claiming a Seat in the Digital Boardroom

  1. Reporting by the first line of defense – operating management

Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. How can this be reported? One of my colleagues mocked up the report below. It illustrates a possible report on the management of controls in a particular area. It’s a useful beginning. But if the digital boardroom is supposed to drive better outcomes, we need to find a way to illustrate the impact of controls on performance.

Figure 1


  2. Reporting by the second line of defense – risk management and compliance

Management establishes various risk management and compliance functions to help build and/or monitor controls for the first line of defense. What would it take to understand the effectiveness of first line of defense controls? A few years ago, I mocked up a simple app that aggregated losses and incidents by risk category. The best way to understand control effectiveness is to understand the losses and incidents that occurred. If the second line of defense classifies the root cause of the issues and losses, the Board can make intelligent decisions and come to sound conclusions. Right now the Board gets subjective opinions on control effectiveness from assurance providers. Control effectiveness opinions are not comforting to me. They make sense only when objective information is not available. I would prefer the facts and I believe the Digital Board wants its facts digitized.

Figure 2


  3. Reporting by the third line of defense – internal audit

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. So how do we digitize “assurance”? I have asked myself this question for years. In my view internal audit can add value by “painting a picture” of the world of governance, risk and compliance. One way to do this is by showing how the organization conforms to a set of criteria.

There are many criteria. The Committee of Sponsoring Organizations (COSO) provides one. The International Standards Organization (ISO) provides others. OCEG provides yet another, specifically the GRC Capability Model, a detailed set of criteria designed to help organizations achieve principled performance.

Figure 3

The Role of Analytics

Reporting to the digital boardroom will require classifying and tagging information and then slicing, dicing, and visualization. That is what analytics tools and BI solutions do. It is close to the opposite of reporting on control and risk effectiveness. It is reporting on control and risk facts. Nothing less will do.

Uncharted Territory

The digital boardroom will take the Three Lines of Defense and GRC generally into uncharted territory. If we as GRC professionals have anything to say, it had better be digital and it had better be useful.

As always, I am interested in your comments. The Three Lines of Defense concept is far from perfect but as I have suggested in my earlier blogs it is a sound basis for collaboration and a fine starting point.

How do you report on GRC topics to your Board today? Do they read your reports? Are they visual? What do you see in the future?


Strike Just the Right Balance in Enterprise Risk Management

by Chris Grundy, Director Product Marketing, SAP

What do CEOs need most right now? According to a recent survey mentioned on a Game-Changers radiocast with panelists Elvia Novak, director of cyber risk services at Deloitte; and Bruce McCuaig, director of solution marketing for governance, risk, and compliance solutions at SAP, CEOs require more – and more reliable – information on enterprise risk management. And they expect this information to come from the office of the CFO.


Novak addresses the gap between what the CFO is delivering and what the CEO needs. The focus is currently on financials and regulations, with risk residing in the background. “But have we taken a step back [to] say what really matters to us from a risk perspective? What’s critical to my business? And how am I protecting that?” The panelists go on to detail three major concerns in the current risk landscape.

1. Dealing with reason in an evolved threat landscape

The face of risk has mutated in the last decade. Network systems today run online in real time. Even more significant, hackers are determined to penetrate these networks and access your information. For example, a consumer products company might be concerned with people gaining access to its materials or formulas. An entertainment company needs to protect information on how much it pays its actors.

Of course, you must protect your data. But Novak cautions against overprotection – creating so many checkpoints that coworkers within the company can’t see what their colleagues are doing. You never want caution to turn into paranoia and completely disrupt your business.

2. Appointing risk arbiters and developing a consistent framework

McCuaig outlines what he believes to be the biggest challenge to improving risk management: “I don’t think we have any consistency in methodology – we don’t have any consistency in tools. I think, generally, people in the business are conscientious and responsible and they want to do the right thing. But it seems to be very difficult to put consistent framework around the business of managing risks in a way that is comprehensible.”

Both he and Novak agree that the CFO cannot be the sole voice and decision maker in risk management policies. A committee of leadership is necessary to create the best possible policies.

“You look at risk management and it’s all over the map,” McCuaig observes. “There isn’t any one set of standards. There isn’t any one set of capabilities. There is no consistent reporting framework. What I think we need is [to] introduce the kind of discipline and framework and rational approach that CFOs have developed over the years in financial management, and apply that to the risk management business.”

3. Relying on the human firewall

All the regulations and preparations in the world won’t mitigate risk if your staff isn’t fully on board. This means providing them with proper training. It’s a strategy McCuaig calls the people factor: “We have to make sure that people understand how to do their job and are motivated to do so.”

When workers view themselves as the first line of defense against major intrusions, you’re ahead of the curve. A mix of trained, passionate employees, common sense policies, and cutting-edge technology can go a long way in delivering the kind of risk management your CEO expects.

Want to learn more about strengthening risk management for your business? Listen to the full radiocast.

Modernizing the GRC Environment

by Bruce McCuaig

In the modern business environment, companies are often required to do more with less, while also navigating constantly shifting regulatory and technology frameworks. Given that reality, the need for a comprehensive solution for governance, risk management and compliance has never been greater. Such a solution can improve business performance and protect your company’s reputation and financial well-being, while reducing GRC complexity. If you’ve hesitated to implement a next-generation solution for your GRC procedures and infrastructure, you’re missing out on a variety of opportunities for boosting GRC optimization, oversight and accuracy.

The Unification of GRC

Next-generation solutions like SAP’s GRC aim to holistically integrate every facet of effective GRC. This task often involves coordinating hundreds of departments and employees, and requires a robust, dependable software framework to support the effort. However, the dividends are wide-ranging and dramatic, with the potential for performance boosts in every entity tied to GRC.

With a focus on operating from unified central databases, SAP’s GRC solutions let your entire organization collaborate with unparalleled accuracy, seamlessly integrating efforts for everything from access governance to audit management and fraud detection. By jettisoning obsolete, fragmented workflow silos that can make it impossible to form a unified GRC picture, SAP’s solutions let your organization work from the same page while contributing to the overall GRC effort.

SAP Embodies Its GRC Solutions

SAP uses its own GRC solutions to manage its operations around the world. Miriam Kraus, senior VP of GRC at SAP, said, “We wanted to achieve the benefits of integration and automation throughout our worldwide GRC landscape, as well as accurate risk data produced in real time at a lower cost.”

At face value, the task was monumental for an organization as large as SAP, involving support for more than 68,000 users across 580 separate organizations in 100 countries over two years. But working with a team of in-house consultants, SAP was able to complete the implementation on time and under budget, garnering it a prestigious GRC 20/20 Value Award.

Because of the new SAP GRC solutions framework, SAP saw significant improvements in GRC metrics, including the following:

  • A 100 percent accuracy rate for control testing and remediation
  • Control testing that is 90 percent faster than before
  • A 20 percent gain in data maintenance efficiency
  • A 30 percent increase in report generation efficiency
  • Three FTEs now able to be redeployed to higher value activities

SAP GRC solutions enable your business to simplify its approach to GRC and make better business decisions by visualizing and predicting how risk may impact performance. To find out how SAP can help you unify and modernize your organization’s GRC, visit SAP GRC Solutions.



5 Top Tips for Vegas

By Chris Grundy, Director Product Marketing, SAP

As you know from my earlier blog, for many months now I and my colleagues here at SAP, along with a team from conference organizers TA Cook, have been preparing for our next event, the SAP Conference for Financial Planning, Consolidation and Controls. This is the new name for what was previously known as the SAP Conference for enterprise performance management (EPM), because this year we’ve expanded our content to focus not just on EPM but also on GRC (governance, risk and compliance). So, with just seven weeks to go until the event starts on 10 November in Las Vegas, I thought it was high time I wrote a little something about what attendees might look forward to seeing and hearing this year, especially given that we’re going to be joined by a number of industry analysts and thought leaders, along with many SAP customers ready to tell us about their experiences in implementing and using software solutions.

So here are my 5 top tips for sessions and speakers to see (and hear) at the conference in Las Vegas this November:

  1. Keynote panel, day 1. Not one, not two, but three special guests join for what should be a hugely informative panel discussion during the day 1 keynote. Guests include Doug Henschen of Constellation Research, Scott Mitchell of OCEG and Brian Kalish of AFP Online. I’m really looking forward to hearing the opinions of this panel of industry experts and thought leaders on the topic of what’s driving Finance and the role of the CFO.
  2. Ray Wang, day 2 keynote. I almost need say no more, as Ray is such a well-known observer, researcher and thought leader in the technology arena, being Principal Analyst & Founder of Constellation Research. Ray’s keynote “The secret to the future of planning” is sure to be topical and insightful, and one might even hope he’ll throw in a few surprises to really get us thinking. A great reason to get back to the conference center and grab a good seat for this early session on day 2!
  3. Gary Cokins, day 1 presentation. I had the pleasure of meeting Gary last year at the EPM Conference in Chicago, when he presented one of the keynotes, and since that time we’ve worked together on a number of projects, mostly related to blogging. An experienced practitioner, consultant, author, speaker and prolific blogger, Gary has vast experience in the area of performance management. I’m always impressed with Gary’s ability to express complex issues in interesting and thought-provoking ways, and the session at this year’s conference towards the end of day 1, where he will examine performance and risk, should really get the brain cells working again. And to top it off, straight after Gary’s session we have a networking reception where Gary, along with other conference speakers, will be happy to chat with conference attendees in a more relaxed atmosphere.
  4. Bjarte Bogsnes of Statoil, day 2… and many other customers too! It’s terrific to see Bjarte on the conference agenda this year, ready to tell us about the Statoil experience around performance and risk. He’s a great conference speaker, very articulate and engaging, and sure to give a great presentation. But of course he’s not the only customer speaker at the conference, and I’m also eager to hear presentations from Sysco, ServiceNow, Maxim Integrated and Southern California Edison, as well as SAP, over the two days of the conference.
  5. Workshops. For those of you who like to dive deep into your solution areas, three workshop topics are on offer at the event this year: FP&A, Integrated Planning and GRC. Led by solution and domain experts, these sessions are intended for attendees who want to absorb a more detailed understanding of solution strengths and capabilities – but be ready to get your thinking caps on, as you’re likely to be challenged with practical examples to work through at some point!

And of course there are many SAP-led sessions and excellent networking opportunities throughout the event and into the evening of the first day of the conference.

I am truly looking forward to the event this year, and to the opportunity to meet and speak with the many people attending the conference. Of course I shall be reporting back to you from the event – so if I don’t see you there, you’ll be sure to hear from me afterwards!




Be A High-Performing Finance Department, Part 2: Help Your Employees Succeed With Essential Capabilities

By Nick Castellina, Research Director, Aberdeen Group

In my last blog in this series, I illustrated the reasons that successful finance functions must transform as they become even more integral to overall business success. This week I’d like to show you how this transformation can actually be accomplished.


I mentioned that in top-performing organizations, executives commit to financial transformation and push that down through the organization. It is their job to communicate these strategies and to provide the technologies and capabilities I have outlined below.

Financial transformation requires a strategy that will lead to changes to the business. But where to start? The number-one strategy of Best-in-Class (50%) is to conduct an internal investigation of financial processes and technologies. This is why organizations that commit to financial transformation are more likely to implement technologies that improve the organization’s ability to execute on its financial goals. This starts with an end-to-end business suite, but extends to individual functionality tailored to handle individual finance disciplines. For example, organizations that commit to financial transformation are 2.5 times as likely to have a financial controls solution. Note that a majority of organizations that commit to financial transformation have implemented business analytics. These tools enable users to interact more effectively with data and use it to make transformative decisions.

Table 1: Key Technologies


Unfortunately, simply having a solution that can help to record and share financial data while automating processes may not be enough in the current environment. My report “In-Memory and Social Business: Coming Soon to your Large Enterprise” found that leading large enterprises are already 27% more likely than followers to have in-memory analytics technology, with another 42% planning to implement this technology in the near future (Figure 1). In-memory analytics is a way for organizations to consume the increasing amount of data that they are exposed to. Querying large data sets can be handled in random access memory (RAM), resulting in quicker access to reports and analysis. This is important to large organizations with millions of transactions and interactions as they attempt to analyze data and processes in real time to react to trends and monitor compliance. It is also important for individual business functions as they attempt to transform their operations to become more effective.

Figure 1: Consider In-Memory


For organizations that are focused on financial transformation, in-memory analytics can provide some interesting benefits. There are process improvements to be gained as well as a better ability to provide information for decision-making. These benefits could include:

  • Centralized financial data for ease of access
  • Improved compliance monitoring on a real-time basis across a larger enterprise
  • More dynamic, agile, and accurate plans and budgets
  • A better ability to take advantage of available cash
  • Quicker financial close
  • Ability to connect financial and operational data for more valuable insights

This environment is perfect for introducing transformation across an organization. In fact, my research has proven that organizations that commit to financial transformation are more likely to have implemented a variety of capabilities. As shown in the chart below (Figure 2), the most essential capabilities fall into a few main categories.

Figure 2: Transformative Capabilities


  • Real-time data repositories. In order for organizations to report effectively, remain compliant, and support the line of business it is important to provide an easily accessed, sharable, and accurate picture of financial information. Organizations that commit to financial transformation are 3.2 times as likely to have real-time updates to financial metrics. Further, 72% of those organizations store this information in a centralized repository.
  • Collaboration. Finance is morphing into an essential source for organizational decision-making. Additionally, transformative organizations understand that communicating with the extended enterprise (including regulatory bodies) is essential for business success. Transformative organizations enable collaboration both inside and outside of the organization with finance.
  • Streamlined processes. In a modern environment, finance must be a well-oiled machine. Aberdeen’s research finds that transformative organizations have tools in place that ensure compliance, automate financial processes such as tax calculations, introduce emerging technology such as mobile, and enable the individual functions within finance to succeed.
  • Support for change. Innovation and change are, of course, core components of transformation. Organizations that commit to financial transformation are 2.2 times as likely to have business solutions that can be easily tailored to reflect business change.

By implementing these capabilities and technologies, top-performing finance executives provide a platform for their finance department. If your organization implements them, you will be amazed by the improvements you will see in a variety of essential metrics. In fact, my research has uncovered quantifiable benefits as a result of a financial transformation strategy (see the infographic highlighting this research). To learn what I found, check back soon for a blog where I will reveal those benefits and give you some final tips to achieve them.
