Modernizing the GRC Environment

by Bruce McCuaig

In the modern business environment, companies are often required to do more with less, while also navigating constantly shifting regulatory and technology frameworks. Given that reality, the need for a comprehensive solution for governance, risk management and compliance has never been greater. Such a solution can improve business performance and protect your company’s reputation and financial well-being, while reducing GRC complexity. If you’ve hesitated to implement a next-generation solution for your GRC procedures and infrastructure, you’re missing out on a variety of opportunities for boosting GRC optimization, oversight and accuracy.

The Unification of GRC

Next-generation solutions like SAP’s GRC aim to holistically integrate every facet of effective GRC. This task often involves coordinating hundreds of departments and employees, and requires a robust, dependable software framework to support the effort. However, the dividends are wide-ranging and dramatic, with the potential for performance boosts in every entity tied to GRC.

With a focus on operating from unified central databases, SAP’s GRC solutions let your entire organization collaborate with unparalleled accuracy, seamlessly integrating efforts for everything from access governance to audit management and fraud detection. By jettisoning obsolete, fragmented workflow silos that can make it impossible to form a unified GRC picture, SAP’s solutions let your organization work from the same page while contributing to the overall GRC effort.

SAP Embodies Its GRC Solutions

SAP uses its own GRC solutions to manage its operations around the world. Miriam Kraus, senior VP of GRC at SAP, said, “We wanted to achieve the benefits of integration and automation throughout our worldwide GRC landscape, as well as accurate risk data produced in real time at a lower cost.”

At face value, the task was monumental for an organization as large as SAP, involving support for more than 68,000 users across 580 separate organizations in 100 countries over two years. But working with a team of in-house consultants, SAP was able to complete the implementation on time and under budget, garnering it a prestigious GRC 20/20 Value Award.

Because of the new SAP GRC solutions framework, SAP saw significant improvements in GRC metrics, including the following:

  • A 100 percent accuracy rate for control testing and remediation
  • Control testing that is 90 percent faster than before
  • A 20 percent gain in data maintenance efficiency
  • A 30 percent increase in report generation efficiency
  • Three FTEs now able to be redeployed to higher value activities

SAP GRC solutions enable your business to simplify its approach to GRC and make better business decisions by visualizing and predicting how risk may impact performance. To find out how SAP can help you unify and modernize your organization’s GRC, visit SAP GRC Solutions.



5 Top Tips for Vegas

By Chris Grundy, Director Product Marketing, SAP

As you know from my earlier blog, for many months now I and my colleagues here at SAP, along with a team from conference organizers TA Cook, have been preparing for our next event, the SAP Conference for Financial Planning, Consolidation and Controls. This is the new name for what was previously known as the SAP Conference for enterprise performance management (EPM), because this year we’ve expanded our content to not just focus on EPM, but also upon GRC (governance, risk and compliance). So, with just seven weeks to go until the event starts on 10 November in Las Vegas, I thought it was about high time I wrote a little something about what attendees might look forward to seeing and hearing this year, especially given the fact that we’re going to be joined by a number of industry analysts and thought leaders, along with many SAP customers ready to tell us about their experiences in implementing and using software solutions.

So here are my 5 top tips for sessions and speakers to see (and hear) at the conference in Las Vegas this November:

  1. Keynote panel day 1. Not one, not two, but three special guests join for what should be a hugely informative panel discussion during the day 1 keynote. Guests include Doug Henschen of Constellation Research, Scott Mitchell of OCEG and Brian Kalish of AFP Online. I’m really looking forward to hearing the opinions of this panel of industry experts and thought leaders on the topic of what’s driving Finance and the role of the CFO.
  2. Ray Wang day 2 keynote. I almost need say no more, as Ray is such a well-known observer, researcher and thought leader in the technology arena, being Principal Analyst & Founder of Constellation Research. Ray’s keynote “The secret to the future of planning” is sure to be topical, insightful and one might even hope he’ll throw in a few surprises to really get us thinking. A great reason to get back to the conference center and grab a good seat for this early session on day 2!
  3. Gary Cokins day 1 presentation. I had the pleasure of meeting Gary last year at the EPM Conference in Chicago, when he presented one of the keynotes, and since that time we’ve worked together on a number of projects, mostly related to blogging. An experienced practitioner, consultant, author, speaker and prolific blogger, Gary has vast experience in the area of performance management. I’m always impressed with Gary’s ability to express complex issues in interesting and thought-provoking ways, and the session at this year’s conference towards the end of day 1, where he will examine performance and risk, should really get the brain-cells working again. And to top it off, straight after Gary’s session we have a networking reception where Gary along with other conference speakers will be happy to chat with conference attendees in a more relaxing atmosphere.
  4. Bjarte Bogsnes of Statoil day 2…and many other customers too! It’s terrific to see Bjarte on the conference agenda this year, ready to tell the Statoil experience around performance and risk. He’s a great conference speaker, very articulate and engaging and sure to give a great presentation. But of course he’s not the only customer speaker at the conference, and I’m also eager to hear presentations from Sysco, ServiceNow, Maxim Integrated, Southern California Edison as well as SAP over the two days of conference.
  5. Workshops. For those of you who like to dive deep into your solution areas, three workshop topics are on offer at the event this year: FP&A, Integrated Planning and GRC. Led by solution and domain experts, these sessions are intended for attendees who want to absorb a more detailed understanding of solution strengths and capabilities – but be ready to get your thinking caps on as you’re likely to be challenged with practical examples to work through at some point!

And of course many SAP-led sessions and excellent networking opportunities throughout the event and into the evening of the first day of the conference.

I am truly looking forward to the event this year, and to the opportunity to meet and speak with the many people attending the conference. Of course I shall be reporting back to you from the event – so if I don’t see you there, you’ll be sure to hear from me afterwards!



Be A High-Performing Finance Department, Part 2: Help Your Employees Succeed With Essential Capabilities

By Nick Castellina, Research Director, Aberdeen Group

In my last blog in this series, I illustrated the reasons that successful finance functions must transform as they become even more integral to overall business success. This week I’d like to show you how this transformation can actually be accomplished.

I mentioned that in top-performing organizations, executives commit to financial transformation and push that down through the organization. It is their job to communicate these strategies and to provide the technologies and capabilities I have outlined below.

Financial transformation requires a strategy that will lead to changes to the business. But where to start? The number-one strategy of Best-in-Class (50%) is to conduct an internal investigation of financial processes and technologies. This is why organizations that commit to financial transformation are more likely to implement technologies that improve the organization’s ability to execute on its financial goals. This starts with an end-to-end business suite, but extends to individual functionality tailored to handle individual finance disciplines. For example, organizations that commit to financial transformation are 2.5 times as likely to have a financial controls solution. Note that a majority of organizations that commit to financial transformation have implemented business analytics. These tools enable users to interact more effectively with data and use it to make transformative decisions.

Table 1: Key Technologies


Unfortunately, simply having a solution that can help to record and share financial data while automating processes may not be enough in the current environment. My report “In-Memory and Social Business: Coming Soon to your Large Enterprise” found that leading large enterprises are already 27% more likely than followers to have in-memory analytics technology, with another 42% planning to implement this technology in the near future (Figure 1). In-memory analytics is a way for organizations to consume the increasing amount of data that they are exposed to. Querying large data sets can be handled in random access memory (RAM), resulting in quicker access to reports and analysis. This is important to large organizations with millions of transactions and interactions as they attempt to analyze data and processes in real time to react to trends and monitor compliance. It is also important for individual business functions as they attempt to transform their operations to become more effective.

Figure 1: Consider In-Memory


For organizations that are focused on financial transformation, in-memory analytics can provide some interesting benefits. There are process improvements to be gained as well as a better ability to provide information for decision-making. These benefits could include:

  • Centralized financial data for ease of access
  • Improved compliance monitoring on a real-time basis across a larger enterprise
  • More dynamic, agile, and accurate plans and budgets
  • A better ability to take advantage of available cash
  • Quicker financial close
  • Ability to connect financial and operational data for more valuable insights

This environment is perfect for introducing transformation across an organization. In fact, my research has proven that organizations that commit to financial transformation are more likely to have implemented a variety of capabilities. As shown in the chart below (Figure 2), the most essential capabilities fall into a few main categories.

Figure 2: Transformative Capabilities


  • Real-time data repositories. In order for organizations to report effectively, remain compliant, and support the line of business it is important to provide an easily accessed, sharable, and accurate picture of financial information. Organizations that commit to financial transformation are 3.2 times as likely to have real-time updates to financial metrics. Further, 72% of those organizations store this information in a centralized repository.
  • Collaboration. Finance is morphing into an essential source for organizational decision-making. Additionally, transformative organizations understand that communicating with the extended enterprise (including regulatory bodies) is essential for business success. Transformative organizations enable collaboration both inside and outside of the organization with finance.
  • Streamlined processes. In a modern environment, finance must be a well-oiled machine. Aberdeen’s research finds that transformative organizations have tools in place that ensure compliance, automate financial processes such as tax calculations, introduce emerging technology such as mobile, and enable the individual functions within finance to succeed.
  • Support for change. Innovation and change are, of course, core components of transformation. Organizations that commit to financial transformation are 2.2 times as likely to have business solutions that can be easily tailored to reflect business change.

By implementing these capabilities and technologies, top-performing finance executives provide a platform for their finance department. If your organization implements them, you will be amazed by the improvements you will see in a variety of essential metrics. In fact, my research has uncovered quantifiable benefits as a result of a financial transformation strategy (click here to see an infographic highlighting this research). To learn what I found, check back soon for a blog where I will reveal those benefits and give you some final tips to achieve them.


What Top Execs Are Saying about Managing Risk in the Age of Complexity

by Babak Ghoreyshi, Global Marketing Program manager at SAP

Finance executives know that risk is inevitable, but there is a significant debate over how an organization can make the best business decisions to seize opportunities while avoiding the risk. Businesses need to be agile enough to deal proactively with external risks as well as potential risks as they develop. Market leaders consistently find a way to contain risk and comply with regulations while leading the organization in identifying more profitable ventures.

In the spring and summer of 2015, a survey of more than 1,000 finance executives with responsibility for governance, risk and compliance (GRC) was conducted by Loudhouse and sponsored by SAP. The resulting report on GRC best practices is titled “Managing risk in the age of complexity.”

This white paper revealed that a combination of increasing risk and regulation complexity is the number one pressure felt by GRC professionals around the world today. As that pressure grows, these executives have sought to establish reliable methodologies for strategically balancing risk and opportunity.

Key insights

Just 10 percent of the survey participants were satisfied with their GRC tools and technologies, stating that they have adequate GRC tools, technologies, and processes in place. The same goes for keeping pace with future growth: only 10 percent are fully satisfied that these tools, technologies and processes will keep pace with future growth. As a result, companies are leaving themselves open to risk. The report found that the biggest problems arising from GRC failures are loss of business or revenues, business disruption and damage to the company reputation. That means that the companies most vulnerable to risk are those where brand value is a central component of the company’s valuation. For all businesses, the core message is that risk has to be contained more quickly than ever before.


The GRC Landscape

Compliance and regulatory requirements have become more complex over the past five years for 81 percent of the respondents. Finance executives participating in the survey identified the following five risk centers as the primary sources of risk that will be growing over the next two years:

  1. Competitive forces (42 percent)
  2. Control failures (41 percent)
  3. Financial and economic issues (36 percent)
  4. Employee performance (36 percent)
  5. Consumer behavior (35 percent)

Another fascinating observation was the emerging split in what GRC experts see as their top concerns. Just over half (57 percent) are more concerned with external risks, while 43 percent see internal risks as more crucial. Organizations in Europe and the U.S. tend to consider the main risks as external, while South African and Japanese companies expressed a greater concern for internal risks.


GRC Pain Points

The main pain points associated with GRC have to do with a fragmented vs. a more unified approach, which leads to a lack of visibility if there is no integration of risk and control, reporting, accessing and using necessary data. Access to a single source of truth can enable enterprises to reach the goal of turning data into knowledge in planning at the highest levels.

Although issues related to GRC are more closely now across all departments, only 10 percent say that GRC practices are embedded throughout the business. The US leads the world in siloed systems for approaching GRC problems, with three out of four companies pursuing a fragmented approach. Japan is close behind at 73 percent of companies and the UK is in third place with 72 percent. More intelligent unified platforms are widely accepted in Brazil, at 43 percent of companies, with Germany close behind at 42 percent taking a centralized approach to GRC.

The most surprising statistic of all is that two out of three companies worldwide (65 percent) are not even able to quantify or qualify their current risk exposures. That is a perilous place to operate and the majority of companies are simply unprepared for current risks, let alone what’s coming next.

Moving Forward with GRC

GRC needs to evolve now and add more value to the business. That statement found agreement among three out of four companies in the survey. The way to do that is to standardize processes, reduce costs and bring greater strategic value to the bottom line. Here are the top priorities, fairly evenly split, that companies identified as areas GRC must address over the next twelve months:

  • For 42 percent it’s “improving consistency”
  • For 41 percent it’s “earlier identification and management of risks”
  • For 39 percent it’s “improving GRC efficiency”
  • For 37 percent it’s “improving GRC performance and strategic value”


A 5 Point Plan for GRC Practices

Here are the best practices that have emerged as a result of the survey:

Point 1. Make a case for the strategic value of GRC. – Don’t wait for CEOs to see the strategic value of GRC.

Point 2. Make a decision about who’s responsible. – Award ownership of the process and make someone accountable.

Point 3. Seek a holistic, future-proof solution. – Create a scalable architecture for addressing GRC in the future.

Point 4. Drive cultural change. – The entire organization must respect the importance of GRC in commercial success.

Point 5. Do it now. – The consequences of delay are too serious to ignore.

Get the Report

The most advanced GRC tools today can deliver confidence, drive better performance and expand accountability within your organization. Download “Managing risk in the age of complexity” for a detailed analysis of all these issues and ensure that your organization is deploying the best practices in managing GRC for the future.


Be A High-Performing Finance Department Part One: The How’s And Why’s Of Financial Transformation

By Nick Castellina, Research Director, Aberdeen Research

We’ve reached a new era for top performing finance departments. No longer is finance solely viewed as an operational function that serves the specific purpose of managing transactions, finance reporting, and compliance. Instead, the role of finance is now as a valued partner in strategic decisions as well as a potential source of efficiency, cost savings, and profitable growth. With this enhanced role comes a variety of challenges. Finance organizations must step it up in order to meet the needs of the rest of the organization while continuing to run effectively. But don’t take my word for it. Let’s take a look at some of the how’s and why’s of financial transformation that organizations report.

My recent Excellence in Financial Management study asked survey takers to indicate the top challenges facing them today (Figure 1). Finance is under significant pressure to deliver financial information to key stakeholders both internally and externally. On the one hand, many employees outside of finance finally understand the importance of its function and the information it can provide. Unfortunately, enabling collaboration while completing financial processes is easier said than done. Due to changing regulations, increased amounts of data, and organizational complexity, varying financial processes are too long and resource intensive. This brings increased cost and puts the organization at risk for inaccurate information and the negative effects of noncompliance. Clearly, more importance than ever is being put on the finance function. In order to keep up, this function needs to improve the way it operates. There is an opportunity to make intelligent changes that will make these challenges into attributes.

Figure 1: Top Challenges in Finance


In response to these pressures, 86% of Best-in-Class organizations have ensured that they have executive commitment to financial transformation (Figure 2). This commitment needs to come from the top of the organization in order to ensure that it is driven down and executed both inside and outside of finance. But what does financial transformation mean? It means altering the processes and technology that typically make up finance. This transformation must address the pressures noted above in order to induce collaboration, enable data reporting and sharing, and facilitate and remove the costs from financial processes. Ultimately, top performers accomplish transformation by changing the way things work today.

Figure 2: Best-in-Class Commit to Transformation


Aberdeen has uncovered a series of best practices that help organizations to completely transform their finance departments (click here to see an infographic highlighting this research). This blog is the first in a series that will help you to determine the best course of action as your finance department embarks on this journey. Next time, we will uncover the technologies and capabilities that organizations that commit to financial transformation have implemented. In the third entry, I will illustrate some of the tangible benefits that organizations have experienced as a result of transformation and summarize a series of recommendations. Check back here throughout this series, and share it with the rest of your department to encourage and embrace financial transformation.

Managing Risk in a Tsunami of Complexity

The uncertain financial times of the past few years have had a major effect on how companies operate these days. Companies that used to operate effortlessly with the help of forecasts and projections now resist making business decisions that are set in stone, and as a result companies have a new focus: to manage risk.

Managing risk is as important and difficult as it has always been. New global research commissioned by SAP reveals that today’s complex business environment severely challenges companies.


The survey of 1000+ executives with responsibility for governance, risk and compliance (GRC) in their organizations found increasing risk and regulation complexity is now the biggest pressure on organizations’ GRC functions.

There is no real business opportunity without risk. Yet according to the research, companies are dropping the ball. In simple terms, the way to balance risk and opportunity is to look at both as two sides of the same coin. Obviously one is looking for the opportunity side to be bigger than the risk side. Great entrepreneurs have learned how to realistically assess and manage both sides of the coin in the following business opportunity and risk categories.

SAP’s research findings reveal that one in ten organizations are fully satisfied that they have adequate GRC tools, technologies and processes in place. Similarly, only one in ten are fully satisfied these tools, technologies and processes will keep pace with future growth. As a result, companies are ill prepared and may get nailed for lax controls.

While the research reveals different levels of preparedness among companies, the message from GRC professionals is clear: companies are not managing risk properly and should prepare for black swans, meaning an incident that occurs randomly and unexpectedly, and has a major effect on operations. Black swans may be game-changing, but they are not all that rare and businesses can mitigate against them with GRC tools, technologies and processes. The consequences of delay are serious.

GRC specialists face serious internal pressures to cut costs and prove effectiveness. Within, GRC professionals have to stay on top of changing business environments that introduce a range of operational risks such as employees, third party relationships, mergers & acquisitions, processes, strategy, and technology.


At the same time, GRC technology and processes can only work if they are respected within the company. They should become a key part of business processes and thinking, helping the firm achieve its business goals.

Regulatory environments in all industries are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rule making and more has organizations struggling to stay afloat. 81% of GRC professionals surveyed say risk and regulation has become more complex in the last five years, and without the right GRC tools and methodologies, businesses will be inadequately protected from risk. Read the full report here.


3rd Party Risks? Treat Them Like Your Own, Because That’s What They Are!

By Thomas Frenehard

In today’s economy, all companies operate in an increasingly complex network of actors that represent both a threat and an opportunity. As a result, 3rd-party risk management is broader than pure supplier risk management. Yes, supplier risk is crucial as a disruption in your supply chain will in turn lead to a global disruption in your business. But 3rd-party risk is much more than your suppliers – it’s your investors, distributors, counsels, advertisers… and of course, your customers!


The traditional approach, consisting of performing due diligence, is no longer sufficient, to my mind. Not only does it only cater to the present moment and not any future evolutions, but most of all your degree of control is very different from one party to another.

Take your suppliers. Relying on them often helps you be more agile as it can be a quicker and sometimes more affordable way to increase delivery capability or reduce direct costs. For this type of 3rd party you can have some type of control and you can define indicators to ensure all goes well: service level agreements, quality controls, etc.

Now, let’s take your customers, the ultimate 3rd party. If they disappear, so does your business. Again, you have some degree of control: payment terms for example, and you can also access publicly available financial information if you’re concerned about their health.

Outsource responsibility, but not accountability

In both cases, the conclusion is identical. If they’re part of your strategy and help you achieve your objectives, then they need to be taken into account in your overall enterprise risk management strategy and as such, included in your risk profile and reported to the board.

Leaving these risks to your procurement department is not sufficient.

Indeed, your company will ultimately be fully accountable for actions carried out by 3rd parties on your behalf. This includes manufacturing of goods or delivery of services but also goes beyond to compliance and reputational risks as well.

Should one of your agents carry out an illegal activity on your behalf, you might be facing prosecution. Even if this is not the case, if the name of your company or product is associated with irregularities, your brand and image will be affected.

Adopt a risk-based approach for continuity of operations

Treat these 3rd parties like your own departments. By including 3rd parties in your risk and control process, you will increase your oversight and reactivity.

To start, I suggest focusing on the most “risky” 3rd parties. To identify them, as for any critical asset or process, start by performing a risk analysis. What would be the impact on your business of a 3rd-party misbehaviour?

For those 3rd parties that could seriously threaten the continuity of your operations, include them in your business continuity plan. This also means having the right dedicated contacts within these companies – an account manager might not be the right stakeholder during a crisis.

Also, when possible, carry out preventative actions, such as sourcing backup suppliers, diversifying your customer base, etc.

Personally, I don’t believe managing 3rd party risks should be a very different approach to managing other strategic risks. Yes, there is an additional complexity in how to mitigate them, but for their identification and assessment, I believe they should be treated as your other value-added activities.

Would you agree with this candid opinion?