Dead Rats in Risk Management: The Myth of Complexity

by Bruce McCuaig, Director, GRC Product Marketing

Recent research commissioned and published by SAP (Managing risk in an age of complexity) reveals a startling conclusion that seems to reinforce the notion that complexity is a problem for GRC professionals.

“GRC is characterised by increased complexity. This, alongside pressures from the business to prove effectiveness, is creating significant challenges for GRC professionals.”

Cloud1

Complexity is a Symptom Not a Problem

I have a contrarian view. Let’s look at this more carefully.

A couple of weeks ago I published a blog that introduced the notion of “control management”. (It’s rare to see those two words used together).In 2015, with the tools, skills, resources, and knowledge we have at our disposal, the idea that complexity makes business more challenging is silly. Complexity is not the problem. It’s a symptom.

Cars are more complex than ever with more regulations, higher speeds, and more traffic. Driving a modern automobile is simpler than ever.

Aviation is more complex. There’s more aircraft, more destinations, more congestion, more threats, and more regulations. Booking a ticket, getting a boarding pass, and flying to anywhere in the word is simple.  (Comfort is another matter).

The internet is complex. But finding and ordering a book, and getting it delivered the same or the next day, is simple.

Control Management Must Simplify GRC

Here’s another finding in the research mentioned above:

“Control failure is seen to be the second biggest risk to organizations over the next two years, behind competitive forces.

I think this finding proves my point.

In most business endeavors, complexity is being addressed and simplified. If business is more complex and managing a business is more difficult, my belief is that we have failed, not as risk managers but as control managers.

Let’s look at some simple examples I have seen in some companies. And these are really simple tasks we make complex. Examples are:

Selecting a vendor, and procuring and paying for goods and services requires so many sign-offs and steps that business opportunities, as well as discounts, are lost.

Employees spend hours inputting data in needlessly complex, error prone, expense account systems

Documentation, assessment, and testing of (bad) controls is a major and complex task, consuming scarce and expensive resources.

We have the notion that controls are supposed to be “effective”. It’s an abstract thought that does not bear close scrutiny. Many businesses with “effective” controls go bankrupt. Most businesses with “effective” controls complain about complexity.

Report Card on Control Management

The concept of control management is new.

My contention is that controls are simply not seen as a manageable dimension of the business. The outcome is the belief that more controls are always better, that controls all work the same way, and that only experts know enough to implement them. It’s quite similar to herbal medicine. Some of its good, some of its bad. Pick the expert you agree with and just believe.

Control Management Report Card Report Card Letter grade
Use the minimum , number of necessary controls to achieve an objective D
Automate controls wherever possible F
Consciously design controls to adapt to human behavior F
Push accountability for controls to the business D
Hold people accountable, don’t blame controls for human failure F
Manage controls strategically F
Design controls to reduce complexity F

 

One Last Research Finding

Wherever complex environments have been simplified, one factor stands out. In all cases controls have been automated.

What does our recent research tell us about control automation in GRC? Only 15% believe continuous control monitoring is extremely effective and 17% believe continuous risk monitoring is extremely effective.

I went back to the researchers for an explanation. They explained that the reason the results seemed low was not a reflection of the value of automation and continuous monitoring, it was a reflection of the fact that very few companies were using either technique.

Expect complexity to remain a big issue for GRC.

I’m always interested in your feedback. What is your experience with control automation and continuous monitoring of risks and controls? Do you think controls are a manageable dimension of the business? What’s your suggestion for reducing complexity?

 

The State of GRC: Should We Manage Controls?

by Bruce McCuaig, Director, GRC Product Marketing

Surveys suggest that more and more things seem to be going wrong. Either there are more risks than ever, or there are more “things.”

If there are more risks, then we need to examine our risk management practices.

If the risks are the same, but they’re happening in more places, then we need to examine our control management practices.

Managing GRC

The art of successful governance, risk, and compliance (GRC) management is looking in the right places for risks and doing the right things to respond to them.

In a recent blog on the Three Lines of Defence, I discussed the Three Value Questions. That discussion was intended to focus GRC professionals on the right “things.” Or in other words, finding the things that matter.

So let’s turn our attention to control management and away from risk management. Let’s assume we know where to look for important things that can go wrong and let’s examine our ability to respond to them. My working hypothesis is that we don’t respond well.

Is There Such a Thing as Control Management?

The first clue is the phrase “control management.” Is there such a thing in the professional literature? I have not found any reference to the concept of “control management” in either the Institute of Internal Audit Professional Practice Framework (IPPF) or the Public Company Accounting Oversight Board Audit Standard no. 5 (PCAOB AS5). Plenty of literature exists on “risk management,” little or nothing on “control management.”

Is this a mere oversight or is it a fundamental flaw? Let me ask it another way. Are internal controls a manageable dimension of the business and do we understand how to manage them? Among the questions we need to know (vs. believe) are:

  • How many controls are enough?
  • In any situation, which kinds work best?
  • What unintended consequences must be anticipated?
  • What is the impact of a set of controls on business performance?
  • How will technology help improve control effectiveness and drive down cost?

A New Perspective on Effective Control

Here’s an example of what I mean. For a number of years I was required to take daily doses of powerful prescription eye drops. Were the eye drops “effective” I asked myself? The manufacturer of the eye drops actually offered a money back guarantee (in jurisdictions where it was allowed) if a specific outcome was not achieved. That sounded reassuring. But looking further into the research that supported the approval of the medication I found some interesting statistics.

According to the research required to get approval for the drug, the side effects of the medication caused about 30% of users to miss 15% of their required doses. A small number, about 10%, stopped taking the medication entirely. A very small percent suffered severe side effects and were hospitalized.

Question: Was the medication effective? Yes or no please. No “opinions.”

Whenever I visited my ophthalmologist, he invariably said, ”Remind me what eye drops I have prescribed for you?” Eventually I figured out he was “testing” the control. If I couldn’t remember he would conclude I had stopped taking the drops.

I struggle to think of any internal control effectiveness opinion I have ever written or read that contained such an analysis.

My point is that when we can answer these questions, we will be “managing” controls.

What does the future hold? How will technology help?

Shifting to a Fact-Based View of Controls

Technology should enable a shift from a belief-based approach to control management to a fact-based approach. Continuous monitoring of all the variables we need should begin to provide a precise measure of how controls work, individually and in combination, what “adverse” reactions occur and why, and should tell us the number, location, and nature of controls we need.

I can’t imagine precisely the impact of technology on controls but I do foresee we will be managing controls, not just adding and testing them.

Imagine in your business an SAP HANA-based, cross-system analysis of all invoices processed last month anywhere in the world to scan for duplicate payments, coding errors, or other anomalies. Imagine getting the results in 30 seconds. What controls would you be able to eliminate in a procure-to-pay process? How would it impact on vendor selection and payment terms?

Apply the same tools to customer invoices and inventory management.

What “controls” can be eliminated? How will business performance be improved?

SAP HANA’s benefit is not just speed. SAP HANA allows fundamental change to take place.

That change will take place over time, but for now let’s turn to the 4 Quadrant diagram I introduced in my blog on the Three Lines of Defence. Let’s imagine the roles each Line of Defense will play in managing controls in the future.

Print

– See more at: SAP

Nice and Simple – 6 Super Sessions for SAPinsider

GRC

Financials

 

 

 

Fully refreshed and recharged after a slight break in event-related activity (see my earlier post regarding the SAPPHIRE NOW event), attention now turns to Nice in France, where the SAP solutions for Finance teams shall be heading soon to attend our next “major” of the season with the SAPinsider conferences. While containing a number of topic areas, my attention will be focused on two areas in particular, the Financials and GRC events.

I don’t know about you, but when attending business conferences I like to do a little bit of forward planning, so that I can get the most out of my time spent at the event – a little bit like planning a route around the Disney theme parks I guess, but with more time spent seated, rather than queuing and without all those people walking around in character outfits. But planning takes time, which many of us don’t have in abundance during our working hours, and so to help provide some focus I want to share my “ super six” sessions to see at SAPinsider, to give you a nice and simple start towards your event agenda.

6 Super Sessions to See in Nice

In selecting 6 sessions, I’ve kept things as simple as possible, focusing exclusively on customer case study sessions rather than the Keynote, or the Simple Finance, EPM and GRC roadmaps sessions which are all available too. But you can select these at your discretion at the SAPinsider website. Rather, I’ve chosen customer sessions because these are where you’ll get the inside scoop about implementing software solutions, from your industry peers who want to share their experiences with you. And in my opinion, customer stories like these are the most valuable of all the event sessions. So here they are my 6 customer stories for Nice:

  1. 16 June, 2.00pm: Cargill – large-scale finance transformation project
  2. 17 June, 8.30am: GlaxoSmithKline – rolling out SAP Risk Management across the organisation
  3. 17 June, 10.30am: Sonae Indústria – revamping controlling and corporate management reporting
  4. 17 June, 2.30pm: Gazprom Neft – using SAP BPC 10.0 to align consolidated and mgmt reporting
  5. 17 June, 4.45pm: Airbus – faster, simpler integrated financial reporting and planning
  6. 18 June, 10.30am: VCEAA – reducing segregation of duties conflicts

But of course that’s not all, and you certainly don’t need to follow the above sessions if you don’t fancy them – there are many more to choose from. But whether you’re interested in SAP Simple Finance, EPM or GRC customer stories, or want to hear from SAP on any of these topics, then you can build your own agenda to suit your needs.

If you’re in Nice this year, then I wish you a very successful and informative trip. I’ll be there too, so say “hello” if you see me. And I hope that my cross-Finance customer session suggestions in some way help to make your planning that bit more Nice and Simple.

6 Stories to Give You the Finance Buzz at SAPinsider

SAPInsider Financials Logo

It’s going to be a busy time this week for many of my colleagues and the visitors to SAPinsider Financials 2015 in Las Vegas, so I decided to give you my thoughts on some interesting sessions to see, if you’re attending, given that you’re spoilt for choice with such a comprehensive agenda. And I’m bucking the trend with this blog post – because instead of talking about products, I ‘m talking about customers and thought leaders, and in particular the stories that you’ll be able to see and hear at the event this week.

Excited yet? I am! And with good reason, because many valued SAP customers have decided to make the trip to Las Vegas to give an account of their experiences with SAP solutions for Finance…stories of implementation approaches, best practices, and where they have found business benefits.

So for anyone embarking on a software implementation project, or even just considering approaches to solving some of their finance department and process issues, these are key SAPinsider Financials 2015 sessions to attend.

Six in Focus – But Don’t Forget the Rest!

My six focus sessions are chosen not because I know the customer stories particularly well, but rather because they’ll give attendees a good flavor across a range of finance topics. And my apologies to the many other customers not listed here – whose sessions are equally as valuable – but I just couldn’t fit you all into one short blog post.

I would, however, encourage readers attending Financials 2015 to take a look at the many other customer-led sessions at the event this week, as well as those detailed here, just so that you select sessions that will be most relevant to you.

Ready to learn about some of the exciting sessions ahead? Then let’s go:

  1. Keynote address, TODAY, Tue 17 March at 8:30 am – Okay, it’s strictly an SAP-led session, but there’ll be a panel discussion in which thought leaders will be asked to give their view about challenges and opportunities facing CFOs. It’s sure to be an interesting discussion – and let’s face it, no-one wants to miss the keynote!
  2. Sun Products, Wed 18 March at 8:30 am – A session where you should learn some best practice advice on implementing credit, dispute, and collections management.
  3. Velux, Wed 18 March at 10:30 am – I really like the sound of this session, in which you’ll hear how Velux moved from a traditional to “beyond budgeting” approach.
  4. McKesson, Thu 19 March at 8:30 am – For anyone seeking advice on implementing SAP ERP Financials then this is a session for you!
  5. Bentley Systems, Thu 19 March at 1:00 pm – Hear how Bentley Systems automated and shortened the payment processing lifecycle with SAP Bank Communication Management.
  6. Telephone and Data Systems, Thu 19 March at 4:30 pm – This is one for those of you interested in financial consolidations, with particular focus on project planning.

Don’t Be Shy – Get Networking!

All of these customers are attending the event to share their knowledge and experience with you, and I know that if you have questions for them after hearing their sessions that they’ll be delighted to speak with you…so do take advantage of this in the event networking sessions.

And remember to also take a look at the full agenda, so that you can plan your sessions and make the best use of your time. I hope you have an interesting and informative week, and that you return to work buzzing with the excitement of the potential to put in practice what you have learned at the event.

Have a great week!

Simplifying Finance in an increasingly complex world – outlook on Financials / GRC 2015

SAPInsider Financials Logo

By Henner Schliebs, SAP. Originally posted on SAP Business Trends, 17 February 2015. Reposted with permission.

We all have read the new mantra multiple times: if we simplify everything – we can do anything. This holds true for the finance department more than ever, considering that the use of technology is key to enabling a real-time business process environment. There were some threatening results revealed in a recent study that the CFO magazine has published, like “80% of respondents would need easier to use technology if they’d wanted to meet their growth targets”. So, this latest shift in technology enabling true real-time processes will be the focus topic of this year’s Financials 2015 / GRC 2015 event hosted in Las Vegas in March (Wynn Hotel, 3/17-3/20, follow the discussion #Financials2015).

As there will be hundreds of sessions that show customer success stories, the latest and greatest in financial management, EPM, Analytics, GRC and Ariba solutions I would like to highlight the Simple Finance sessions so that you can build your agenda around those, especially given that any S4/HANA journey will start with Simple Finance:

  1. start with the keynote where Thack Brown will elaborate on the need for speed (aka real-time finance processes) and introduces some external thought leaders to the panel discussions around a modern finance organization. I won’t tell too much when mentioning that Thack will launch another important mile stone of Simple Finance to the public…
  2. one of the most compelling use cases of Simple Finance is the central journal, so this session lead by Carsten Hilker shows you how to non-disruptively start your Simple Finance implementation arriving at one source of the truth
  3. for those in need of a high-level introduction to Simple Finance I’d highly recommend Martin Naraschewski’s session about the roadmap to Simple Finance, where he will elaborate on the needs of a typical finance transformation initiative
  4. one thing that was highly anticipated by you all is more insight into Integrated Business Planning – your unique opportunity to natively connect EPM with your Simple Finance ERP system to allow planning, simulations and scenario modeling directly on your transactional data. Pras Chatterjee off course will show integration to the new Cloud for Planning solution as well
  5. new to the game is the Simple Finance Cash Management solution that is introduced by Christian Mnich, where he will give insights into how to better plan and forecast liquidity based on an integrated process leveraging your ERP / S4HANA system
  6. a dedicated session on the new Accounting solution will provide better understanding of the concepts of the greatest innovation since R/3 building the base for S4HANA. Stefan Karl will guide you through this
  7. want to learn how to get to Simple Finance? Join charming expert Birgit Starmanns and understand what to consider if you want to adopt Simple Finance including advanced predictive finance analytics
  8. join our partner John Steele at Deloitte when he talks about real-time finance processes and the role that HANA plays in this highlighting finance use cases like fast close, financial risk management or finance operations
  9. the experts from TruQua will deliver a thrilling session around the analytics that Simple Finance can provide in form of HANA Live content or via integration of SAP Analytics and EPM solutions. Dave Dixon’s presentation is a good example
  10. finally you’d want to learn about the fast close capabilities of Simple Finance where Stefan Karl walks you through how to become a world’s fastest closing company like SAP

Note there are many “hands-on”-like sessions on the Monday (3/6) as part of the Pre-Conference Workshops that deliver tremendous value for practitioners.

Please be sure this is just the Simple Finance top 10 – please be sure you also learn from customers how SAP Financial Management solutions helped them achieve targets.

Follow the discussion on twitter or facebook or SCN and please share your thoughts.

10 Things to See and Do at SAPinsider Financials 2015

SAPInsider Financials Logo

By David Williams, Head of EPM and GRC Product Marketing, SAP

We’re already well into 2015 and the first key event for the SAP EPM (Enterprise Performance Management) team, partners, and most importantly, our customers, is just about upon us. SAPinsider Financials 2015, hosted by Wellesley Information Services, and co-located with SAPinsider GRC 2015, runs from March 17 – 20 in Las Vegas. It’s one of the key annual events that features EPM-related content. Given there’s so much to see and do at the event, and I often get asked for an agenda of EPM content, I thought why not put together a list of 10 things to see while attending the event. Think of it as a checklist of don’t miss items/sessions. Here we go:

  1. Cloud for Planning, Cloud for Planning, Cloud for Planning. The latest and greatest cloud-based planning and analysis application has been available since February. Make sure to check out one of the many SAP Cloud for Planning sessions and demos to see why it sets a new standard for planning in the cloud
  2. SAP Business Planning and Consolidation 10.1, version for SAP NetWeaver. “BPC” continues to be one of the most widely deployed planning and consolidation applications on the planet. Discover what’s new in the latest release and see how BPC fulfills integrated business planning for Finance capabilities as part of Simple Finance
  3. Close to Disclose. Closing the books and disclosing results continues to be a highly-manual task for many. Discover how you can accelerate/automate the financial close to disclose in one of the presentation or demo sessions including a Jumpstart deep dive on March 16th
  4. Speaking of Jumpstarts, there are 6 Finance ones and these are a good way to get up to speed on subjects such as SAP Simple Finance, simplifying plan and report deign in SAP Business Planning and Consolidation, and the impact of big data on Finance and GRC security among others
  5. EPM solution center. Go deep into product demos with our solution experts across a range of topics including planning, consolidation and profitability analytics, while not forgetting of course the new SAP Cloud for Planning application
  6. Show floor demos. Have a seat and take a well-earned rest from all that walking around the show floor, while watching one of the EPM solution experts show you the latest and greatest product features
  7. Customer delivered sessions. For many the key attraction of SAPinsider is hearing our customers’ financial transformation stories, in their own words. In 2015 you can hear from Lexmark, Velux, Delicato, IDEXX, Telephone and Data Systems and Applied Materials among others
  8. Simple Finance. It’s bound to be a big draw, and so there’s a number of SAP Simple Finance focused sessions. But of course don’t miss the keynote address to hear about the SAP vision to help simplify finance
  9. Visit our partners. Why not take the opportunity to speak with some of our business partners at the event? This year you’ll find the event global sponsor PwC, premier sponsors EY, KPMG and Z Option, as well as Deloitte, itelligence and BlackLine among others
  10. Say hi to the SAP team. Really please do – we’d be delighted to meet you. There will be a number of our subject matter experts at the event that can discuss topics such as planning and financial consolidations

The complete agenda is available here. Safe travels to Las Vegas and if you’d like to meet send me a tweet @daveswilliams!

Is Your Company Ready to Tweet About Its Internal Audit?

Coffee-break with GameChangers

The role of internal audit is shifting by the second. No longer just a step in an overall business sanity check, this department is ready to become your company’s command center for risk – thanks to cutting-edge technology. During a recent SAP Game-Changers radiocast, panelists Paul Sobel, VP and chief audit executive for Georgia-Pacific LLC; Carey Oven, partner and leader for the internal audit transformation market offering in Deloitte and Touché LLP; and Bruce McCuaig, director of solution marketing for SAP solutions for governance, risk, and compliance discuss this burgeoning trend.

Move from manning your post to seeking opportunities

Sobel immediately tries to debunk the myth of the bean-counting auditor with no imagination, and Oven agrees. “I actually think internal audit can be very entrepreneurial. It can be very insightful and value driven because we have a very wide purview on business and what’s going on within our organizations.”

The need for innovation is definitely present. McCuaig describes a survey he conducted of about 150 auditors at the IIA International Conference in London. 54% of respondents believe that technology will fundamentally change how audit services are performed and measured – but only 14% said that the current audit management and analysis tools meet their needs.

So what types of tools could fill this gap? According to Sobel, it’s visual analytics in the form of dashboards. Instead of focusing on pure numbers, auditors must focus on ways to unleash the data and make it a powerful tool for management.

McCuaig concurs. “I haven’t seen anyone getting on a corporate jet reading a 13-page audit report. It’s important to distill down the information to a dashboard to help them drive insights. But simplicity takes a huge amount of work.” Such work can’t be completed without tech-enabled systems in which management must be willing to invest.

Outlining the responsibilities of management vs. the audit

As the role of the audit morphs, it becomes ever more important to make the distinction between what role the audit plays and what role management must play.

McCuaig believes it’s time to stop counting the number of audits performed and start measuring the amount of knowledge they create. As the role evolves into a command center for risk, he looks forward to redefining the role of the auditor as one that can be proactive rather than simply reactive.

Sobel emphasizes that management must determine the organization’s risk tolerance in order for the audit to provide maximum value. No company’s risk can be completely eradicated, so how much risk can a business tolerate? Management owns risk and must answer this question so auditors can focus on aspects other than risk – adding more value to their role and the company.

If risk tolerance is increased, “We start to pull away from the lengthy and laborious text-based audit reports and start to get into those quicker messages – whether it’s literally Twitter or something else,” says Sobel. “I think our value will come to fruition more quickly than perhaps it does even today.”

To learn more about how audit is becoming a command center for risk, listen to the full radiocast.