Dead Rats in Risk Management: The Myth of Complexity

by Bruce McCuaig, Director, GRC Product Marketing

Recent research commissioned and published by SAP (Managing risk in an age of complexity) reveals a startling conclusion that seems to reinforce the notion that complexity is a problem for GRC professionals.

“GRC is characterised by increased complexity. This, alongside pressures from the business to prove effectiveness, is creating significant challenges for GRC professionals.”


Complexity Is a Symptom, Not a Problem

I have a contrarian view. Let’s look at this more carefully.

A couple of weeks ago I published a blog that introduced the notion of “control management”. (It’s rare to see those two words used together.) In 2015, with the tools, skills, resources, and knowledge we have at our disposal, the idea that complexity makes business more challenging is silly. Complexity is not the problem. It’s a symptom.

Cars are more complex than ever with more regulations, higher speeds, and more traffic. Driving a modern automobile is simpler than ever.

Aviation is more complex. There are more aircraft, more destinations, more congestion, more threats, and more regulations. Booking a ticket, getting a boarding pass, and flying anywhere in the world is simple. (Comfort is another matter.)

The internet is complex. But finding and ordering a book, and getting it delivered the same or the next day, is simple.

Control Management Must Simplify GRC

Here’s another finding in the research mentioned above:

“Control failure is seen to be the second biggest risk to organizations over the next two years, behind competitive forces.”

I think this finding proves my point.

In most business endeavors, complexity is being addressed and simplified. If business is more complex and managing a business is more difficult, my belief is that we have failed, not as risk managers but as control managers.

Let’s look at some simple examples I have seen in some companies. These are really simple tasks that we make complex:

  • Selecting a vendor, and procuring and paying for goods and services, requires so many sign-offs and steps that business opportunities, as well as discounts, are lost.
  • Employees spend hours inputting data into needlessly complex, error-prone expense account systems.
  • Documentation, assessment, and testing of (bad) controls is a major and complex task, consuming scarce and expensive resources.

We have the notion that controls are supposed to be “effective”. It’s an abstract thought that does not bear close scrutiny. Many businesses with “effective” controls go bankrupt. Most businesses with “effective” controls complain about complexity.

Report Card on Control Management

The concept of control management is new.

My contention is that controls are simply not seen as a manageable dimension of the business. The outcome is the belief that more controls are always better, that controls all work the same way, and that only experts know enough to implement them. It’s quite similar to herbal medicine. Some of it is good, some of it is bad. Pick the expert you agree with and just believe.

Control Management Report Card

  Practice                                                                Letter grade
  Use the minimum number of necessary controls to achieve an objective    D
  Automate controls wherever possible                                     F
  Consciously design controls to adapt to human behavior                  F
  Push accountability for controls to the business                        D
  Hold people accountable, don’t blame controls for human failure         F
  Manage controls strategically                                           F
  Design controls to reduce complexity                                    F


One Last Research Finding

Wherever complex environments have been simplified, one factor stands out. In all cases controls have been automated.

What does our recent research tell us about control automation in GRC? Only 15% believe continuous control monitoring is extremely effective and 17% believe continuous risk monitoring is extremely effective.

I went back to the researchers for an explanation. They explained that the reason the results seemed low was not a reflection of the value of automation and continuous monitoring, it was a reflection of the fact that very few companies were using either technique.

Expect complexity to remain a big issue for GRC.

I’m always interested in your feedback. What is your experience with control automation and continuous monitoring of risks and controls? Do you think controls are a manageable dimension of the business? What’s your suggestion for reducing complexity?


Using Technology to Strategically Drive Holistic Risk Management

by Michael Diehl

A recent report from the Economist, sponsored by SAP, lays out the case for holistic enterprise risk management and why it’s a vital necessity for modern business. As you prepare your organization to implement this holistic approach to Governance, Risk and Compliance (GRC), the report’s insights into best practices can aid the process.


Breaking Silos to Enable Collaboration

One of the biggest takeaways of the Economist report is the need for your organization to figure out how to do away with fragmented risk management silos and enable genuine collaboration. The report profiles logistics powerhouse UPS and the efforts of its VP of corporate internal audits, Mohammed Azam, to find a way to bring together every group under his purview to address risk management. In his case, Azam chose to set up an enterprise risk council, bypassing the normal gatekeeper avenues for communication by holding regular meetings with representatives from 25 different areas of UPS’ operations.

Steps like this go a long way toward combating the “same goal, different page” phenomenon that so often plagues the adoption of a holistic approach to risk management. That phenomenon leads to situations like nearly 70 percent of technology executives reporting that their organization doesn’t view IT security as a strategic priority. The root of that problem is poor communication, so it’s vital that you find a way to make sure everybody in your organization is reading from the same page.

Maximizing Vigilance Through Organizational Unity

A unified approach to risk management also helps you adopt the “beneficial paranoia” that’s vital to survival in today’s ultra-competitive global marketplace. Steve Lucas described this practice at a recent SAPinsider conference, using the animal world to contrast “head-in-the-sand” ostrich organizations and “follow the leader” fish with a more successful “lemur” approach.

In contrast to the other businesses, a “lemur” adopts a state of healthy strategic paranoia, always scanning the horizon for potential threats and sources of disruption. In this case, many eyes are better than one, and a unified approach ensures that you’ll hear the danger alarm as soon as it’s called, no matter where it originates within the organizational chart.

Understand Risk in the Context of the Organization’s Strategy

Effective and holistic risk management also requires you to be able to prioritize risks within the context of your business strategy. This prioritization allows business leaders to make decisions more effectively. “At the end of the day, this is not about risk professionals, but about executive teams making sure that they understand risks,” says PwC’s Brian Schwartz, US performance leader for governance, risk and compliance. It requires robust follow-through, enabled by rigorous auditing procedures and C-suite oversight. You need to be able to assess how your risk management procedures are aligning with your strategic objectives, both to identify problems before they occur and to ensure that your processes are as efficient as possible.

Tying this together, the Economist’s report lays out four key objectives for crafting your risk management framework:

  • Implement proactive identification of risks
  • Enable effective ownership of strategic priorities to boost monitoring and audit management
  • Ensure senior management and corporate leadership is actively engaged in oversight of strategic risk management priorities
  • Use standardized terminology and measurement processes for risk priorities

How SAP Technology Solutions Can Help

To meet these four objectives, you’ll need to adopt robust, highly capable technology tools. SAP’s GRC solutions let you quickly adapt to changes in business, technology and regulations to strengthen your business and simplify your approach to GRC. With GRC solutions, SAP empowers you to make better decisions by visualizing your own data to predict how risks might impact your performance.

Adopting a unified technology platform lets you integrate key GRC activities into your existing processes to reduce complexity and boost your insight capabilities. To find out how technology can help you improve GRC to protect your company’s reputation and financial well being, visit SAP today.



Why It’s Time to Implement Holistic Risk Management

by Michael Diehl

In partnership with SAP, the Economist and its Intelligence Unit discuss the pressing need for businesses to improve their enterprise risk management systems in the white paper, “Holistic Risk Management: Organizational measures to create a strategic view of risk” available now. With first-hand accounts from key players in several international organizations, it provides insight into how they revolutionized their organizations’ risk management, and offers a compelling argument for the need to adopt a truly holistic, strategic approach to governance, risk and compliance (GRC).

The Heightened Role of Strategic Risk in the Modern World

While risk management has always been a fact of life for business, leaders are increasingly aware of the need to manage new strategic risks driven by rapidly changing marketplaces and unparalleled global connection. With the rise of tech-enabled disruption, the potential for a seismic shift in your sector is always right around the corner, and it could come from anywhere around the world.

Faced with such wide-ranging and potentially catastrophic avenues for risk, you’ll need to start treating risk management as a truly strategic concern—one that becomes a core mission for every layer of your organization, instead of being confined to an isolated silo of Chief Risk Officers or audit management. In that regard you’ll be in good company, as 91 percent of organizations reported plans for revamping their risk management procedures in a 2014 CEB survey.


The Core Tenets of Strategic Holistic Risk Management

As outlined in the Economist white paper, PwC surveys have revealed that top corporate performers have consistently found success by marrying strategic concerns with truly holistic risk management. The steps they’ve taken in meeting that goal are varied, but several core tenets can be used to guide your own efforts in this area:

  • Involve your entire organization. Risk management can’t be holistic if it’s limited to isolated silos in your company. Risk arises from multiple angles, and will invariably involve the whole organization. From cyber security concerns to legal and governance issues, there’s no such thing as risk that’s limited to a single team or department. Accordingly, you’ll need to find a way to bring every player into the enterprise risk management conversation.
  • Adopt a simultaneous top-down, bottom-up approach. In keeping with a holistic perspective, you need to make risk management a mission priority for everybody in your organization. Rather than being a meta-concern limited to the C-suite, ERM should be a fact of life for everybody on the organizational chart, at every level.
  • Equip yourself appropriately. Holistic risk management requires an adaptable, highly responsive organization. This means that sluggish or outdated core operations are now a genuine threat to your very existence. Outmoded paper-driven practices won’t cut it any longer, so it’s time to ensure you’re equipped with technology tools that will allow you to position yourself for managing risk.

The Future of Risk Management

Achieving holistic risk management can help your organization preserve and grow its value, reduce the financial impact of risk, and help you optimize the impact of high-value processes and strategic goals. Truly holistic risk management can also cut your costs by giving you a sound footing to reduce unanticipated risks like compliance violations and supply chain inefficiencies, and will ensure that best practices are embedded in your core business operations. To find out how your organization can reap the benefits of a strategic approach to holistic risk management, read the Economist Intelligence Unit report today.



Can Internal Control Be the Key to Longevity?

Back in the 1920s the average longevity of companies in the S&P 500 index was 67 years, compared to just 15 years in 2012, according to Professor Richard Foster from Yale. There is every reason to expect that this has fallen further since then. The question is then: how can you ensure that your company is here for the long run?

Internal Control Journey – From Pure Compliance to Delivering Performance

In most companies, internal control is still addressed in much the same way as it was many years ago, using the same business structures and approach. Shouldn’t this change to focus more on performance?

Yes, I understand that there have never been so many regulations, and considering the increase in these last few years, I assume this isn’t going to slow down any time soon. But I think companies need to be proactive rather than reactive in order to stay on top of things.

Picture this. You’re already doing internal control, so why not leverage all these controls that are assessed manually or automatically, and shape them with a more performance-orientated intent?

Easier Said Than Done, Right?

Actually, I believe that progressing step by step can make this journey a lot easier than you would think. Of course a big revamp will make this happen quicker, but the cost and resources required to do so might be too much in these economically challenged times.

My suggestion, therefore, is the following. During the regular internal process review, whenever creating or updating a control, try to associate it to an objective – not a control objective – a corporate objective. Ask yourself, what company value does this control relate to: deliver constant quality of service, release reliable financial communication to stakeholders, etc.

This is the first step but not the most complex, and it’s a great step on this journey. Once this step is achieved then comes the prioritization phase.

Select the corporate objectives that give you a competitive edge and collect all their associated controls. You will know precisely what controls can help you achieve your corporate objectives and what controls have a more regulatory focus. The great thing now is that you can follow your performance using controls that are regularly assessed. Like key risk indicators these can feed you information on how well each department is doing, even allowing for a benchmark across divisions.

This means that you can investigate when one area is not performing as planned, and you can also focus your attention – or ask internal audit to do it – on the high performing organizational units. These indeed might have implemented processes that are more efficient and you might want to consider applying them to the rest of the group!

Combining a sound internal control process and linking it to strategy, means that you’re not only ensuring that your current processes are running as designed but that you are sustainable in the short/medium term. Also, these processes are supporting your overall strategy and laying the path to a long term viability.

So, is this the key to longevity? Unfortunately, I don’t have the answer, but to me protecting the value drivers of the company seems like a good starting point.


ORM vs ERM, the Battle that Should Not Have Started

by Thomas Frenehard, GRC Solution Management

I recently had dinner with friends who all work in the environmental, health and safety (EH&S) area and we’ve all reached the same conclusion. Instead of breaking down risk management silos, many companies going up the risk maturity curve build new walls.

This seems to originate from a battle that, to my mind, has no real grounds: enterprise risk management (ERM) vs operational risk management (ORM). And here, I’m not referring to the ORM framework for financial institutions that addresses Basel II-III or Solvency II type regulations, but to the act of managing risks associated with an operation or an asset. Many companies have opted for separate approaches to ERM and ORM based on the thought that these require different methods.

I hope I’m not going to alienate the GRC community by saying this, but personally I strongly disagree with this conclusion.

Yes, it’s true that some EH&S-type risks require a very specific analysis technique (such as HAZOP for instance) and that an executive will most likely not be interested in all the details of every EH&S recorded incident. But this same executive will be very interested in understanding the risk level his company faces on this risk category. Why? Because an environmental type risk can trigger a non-compliance issue, a legal action, a reputational crisis, etc.

Separating the two risk worlds means that this executive will not benefit from a global view for a risk profile that’s the final intent of any ERM program. But this doesn’t just stop at EH&S type risks. I’m seeing many companies having separate risk registers for legal risks, IT risks, quality risks and many other typologies.

I understand that most of the time they do so to comply with specific frameworks: ISO27xxx for information security, ISO14xxx or ISO26xxx for EH&S and sustainability, ISO31xxx for risk management, etc. But all these contribute to one objective – providing a realistic risk profile of the business and the obstacles it has to overcome – or at least keeping an eye on it for steady growth.

Can you imagine a plane where you would have the fuel indicator, the altimeter, and the speedometer on three different parts of the plane? Well, I would say that it has to be the same for ERM. If an executive doesn’t have this combined risk information, his decision making process will be impaired. That being said, you may think that I’m stating the obvious and not helping much but I actually believe there is a simple solution: consolidation.

If your company requires these separate silos – and it may have very valid reasons to do so – make sure that the risk categories managed in these silos are consolidated and reported in your overarching ERM program.

If you have detailed environmental risks in an EH&S risk register, use them to feed an “EH&S” risk category in your ERM framework. If more than x number of environmental incidents are reported in the quarter, then use key risk indicators in ERM to notify the appropriate stakeholder of a negative trend.

Similarly, if you have IT risks in a separate register, then aggregate them into a high-level risk category (e.g. “IT disruptions”) and notify the CIO only if the aggregation of all underlying risks reaches a certain threshold.

This way, you still keep your very detailed risks registers, but you’re able to report on a global risk profile. And this will help executives steer the business with more confidence.
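The consolidation the post describes can be made concrete. The following is an added example, not part of the original post or of any SAP product: two detailed registers (EH&S and IT) stay as they are, each is mapped to one ERM category, a category-level score is aggregated from the underlying risks, and a quarterly incident count drives a key risk indicator. The register contents, the likelihood/impact scale, the category names and the thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed detailed registers (hypothetical risks, 1-5 likelihood and impact scales).
EHS_REGISTER = [
    {"id": "EHS-01", "title": "Chemical spill at plant A", "likelihood": 2, "impact": 4},
    {"id": "EHS-02", "title": "Noise exposure above limit", "likelihood": 3, "impact": 2},
]
IT_REGISTER = [
    {"id": "IT-01", "title": "ERP outage", "likelihood": 2, "impact": 5},
    {"id": "IT-02", "title": "Backup restore failure", "likelihood": 3, "impact": 4},
    {"id": "IT-03", "title": "Patch backlog on servers", "likelihood": 4, "impact": 3},
]

# Constructed incident log: (register key, quarter in which the incident was reported).
INCIDENTS = [
    ("EHS", "2015-Q1"), ("EHS", "2015-Q1"), ("EHS", "2015-Q1"), ("EHS", "2015-Q1"),
    ("EHS", "2015-Q2"),
]

# Mapping from each detailed register to the ERM category it feeds, with assumed thresholds:
# score_threshold applies to the aggregated category score, incident_threshold to the
# number of incidents reported in one quarter ("more than x incidents" in the post).
ERM_CATEGORIES = {
    "EHS": {"name": "EH&S", "score_threshold": 12, "incident_threshold": 3},
    "IT": {"name": "IT disruptions", "score_threshold": 20, "incident_threshold": 2},
}


def risk_score(risk):
    """Simple likelihood x impact score for one detailed risk."""
    return risk["likelihood"] * risk["impact"]


def consolidate(registers):
    """Roll each detailed register up into its ERM category.

    registers: dict register key -> list of risks. The detail is untouched; the
    ERM view only sees the count, the aggregated score and the top contributing risk.
    """
    summary = {}
    for key, risks in registers.items():
        category = ERM_CATEGORIES[key]["name"]
        scores = [risk_score(r) for r in risks]
        summary[category] = {
            "risk_count": len(risks),
            "aggregate_score": sum(scores),
            "top_risk": max(risks, key=risk_score)["id"] if risks else None,
        }
    return summary


def incidents_per_quarter(incidents):
    """Count reported incidents per (register key, quarter)."""
    counts = defaultdict(int)
    for register_key, quarter in incidents:
        counts[(register_key, quarter)] += 1
    return counts


def kri_alerts(registers, incidents, quarter):
    """Return the ERM-level notifications due for the given quarter.

    Two KRIs per category: the aggregated score reaching its threshold, and the
    number of incidents in the quarter exceeding its threshold. Stakeholders are
    only notified at category level, never with every underlying detail.
    """
    alerts = []
    summary = consolidate(registers)
    counts = incidents_per_quarter(incidents)
    for key, category in ERM_CATEGORIES.items():
        name = category["name"]
        if name in summary and summary[name]["aggregate_score"] >= category["score_threshold"]:
            alerts.append({"category": name, "kri": "aggregate_score",
                           "value": summary[name]["aggregate_score"]})
        n_incidents = counts.get((key, quarter), 0)
        if n_incidents > category["incident_threshold"]:
            alerts.append({"category": name, "kri": "incidents", "value": n_incidents})
    return alerts


if __name__ == "__main__":
    registers = {"EHS": EHS_REGISTER, "IT": IT_REGISTER}
    for category, view in consolidate(registers).items():
        print(category, view)
    for alert in kri_alerts(registers, INCIDENTS, "2015-Q1"):
        print("notify:", alert)
```

The thresholds and the sum-of-scores aggregation are deliberately simple; a real ERM programme would choose its own aggregation rule (maximum, weighted sum, residual after mitigation) and its own recipients per category, but the shape stays the same: detailed registers feed categories, and categories feed notifications.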

Does your company have separate risk registers per topic? If so, would you agree with my suggestions above?


How Does Integrated Business Planning (IBP) Support Change Management

By Gary Cokins, Founder of Analytics-Based Performance Management LLC

In my initial blog in this series related to integrated business planning (IBP) I described IBP as seamlessly integrating user interfaces and workflows. IBP links strategic, operational, and financial objectives and plans to improve employee alignment with the executive team’s strategy and financial performance. In my second, third and fourth blogs I discussed, respectively, how IBP is part of the solution for issues and needs related to strategy execution; to product, channel and customer profitability; and to operations, processes and productivity improvement. My fifth blog of the series covered driver-based budgeting.

In this final blog I will discuss issues, needs and solutions related to behavioral change management and how IBP is part of the solution.


What are the barriers slowing the adoption rate of IBP?

Organizations seem hesitant to adopt IBP. Is it evaluation paralysis or brain freeze? Most organizations make the mistake of believing that applying IBP is 90% math and 10% organizational change management with employee behavior alteration. In reality it is the other way around – it is more likely 5% math and 95% about people.

With hindsight, we now realize that past barriers impeding the adoption rate are easily removable. That is, technical barriers such as disparate data sources or low quality “dirty” data now have software solutions like extraction, transform, and load (ETL). Problems like insufficient data are also not insurmountable with a little effort. We also now realize that poor implementation of IBP methods can be knocked down with experienced consultants or better training courses. Other barriers are misperceptions that IBP methods are too complex, or initial failures with prior pilot projects. But these are not show-stoppers, and they too can be overcome.

What other barrier continues to obstruct the adoption rate of IBP? That barrier category is social, behavioral and cultural. These obstacles include people’s natural resistance to change; fear of knowing the truth (or of someone else knowing it); reluctance to share data or information; and “we don’t do that here.” Never underestimate the magnitude of resistance to change. It is natural for people to love the status quo.

The need for IBP

I have learned that ambiguity and uncertainty should be a business analyst’s friend. Why? If getting answers were easy, a business analyst’s salary would probably be lower!

However, a problem with removing behavioral barriers to deploy IBP is that almost none of us have training or experience as organizational change management specialists. We are not sociologists or psychologists. However, we are learning to become like them. The challenge is how to alter people’s attitudes.

One way to remove cultural barriers is to acknowledge a problem that all organizations suffer from: an imbalance in how much emphasis they place on being smart rather than on being healthy. Most organizations over-emphasize trying to be smart by hiring MBAs and management consultants with a quest to achieve a run-it-by-the-numbers management style. These types of organizations miss how important it is to also be healthy – assuring that employee morale is high and employee turnover is low. To be healthy they also need to assure that managers and employees are deeply involved in understanding the leadership team’s strategic intent and direction setting. Healthy behavior improves the likelihood of employee buy-in and commitment. IBP is much more than numbers, dials, pulleys, and levers. People matter – a lot.

When organizations embark upon applying or expanding their use of IBP, I believe they need two plans: (1) an implementation plan and (2) a communication plan. The second plan is arguably much more important than the first. There are always advocates for a new project, but there are also nay-sayers. Knowing in advance who the nay-sayers are is critical to either winning them over or avoiding them.

Why does shaken confidence reinforce one’s advocacy?

Here is some disturbing research[1] from the field of psychology that relates to the social barrier. It deals with why people actually hang on stronger to their ideas even after they learn their ideas are proven wrong. Using tests with a control group, the researchers, Gal and Rucker, revealed that the more that people doubt their own beliefs, then paradoxically the more they are inclined to support and lobby for them. The test subjects who were confronted with evidence that challenged and disproved their beliefs subsequently advocated them even more aggressively compared to the control group.

This finding is bothersome because applying fact-based quantitative statistics and logical improvement methods is superior to making decisions based on intuition and gut feel. How can we transform people who are a “Dr. No” into a “Dr. Know”? Shouldn’t executives and managers desire to gain insights or know something about the future before their organization gets there? How valuable should it be to them to know things that their competitors do not know?

Early adopters and laggards

Another barrier involves organizations that are too distracted with problems and prefer to search for quick fixes. The urgent crowds out the important. They do not take the time to solve problems with a better way. In our personal lives, many of us have no problem making everyday decisions, such as whether or not to purchase a smart phone or join a social network. How can we as individuals make decisions so quickly, while organizations often struggle and are slow to react?

The field of marketing scientifically examines influences on the rate of adoption of products, services and technology. Everett Rogers, a business researcher, developed his Diffusion of Innovations model with five categories of adoption: innovators, early adopters, early majority, late majority and laggards. Which category best describes many organizations with respect to adopting analytical methods? My observation is that most fall in the laggards category.

I believe the explanation for the laggards is not simply resistance to change but rather that they are too distracted. There is no doubt that increasing volatility is part of the problem. Examples include changes in consumer preferences, foreign currency exchange rates, and commodity prices. The Internet, global communications, social networks and the relaxation of international trade barriers have introduced vibrations and turbulence. But is increased worldwide volatility a good enough reason not to adopt IBP methods?

Organizations that want to move beyond the laggards category must take on the mentality of the early adopters, who understand the importance of IBP to enhance decision making and align employee behavior and priorities to execute the executive team’s strategy. They must be proactive, not just reactive. Most importantly, remember that it’s never too late to go from being in the middle of the pack to taking a commanding lead over your competitors. Organizations that achieve competency with analytics are able to sustain a long-term competitive advantage.

IBP for value creation

Always remember that in the absence of facts, anybody’s opinion is a good one. And usually the biggest opinion wins – which is likely to be that of your boss or your boss’ boss. So to the degree your executives and work colleagues are making decisions on intuition, gut feel, flawed and misleading information or politics, then your organization is at risk. Does your organization know, or do they think they know? By creating doubt one can overcome resistance to change.

Until an organization gains mastery over validly answering questions and managing its operations with IBP, it will plod along and muddle through improving its performance rather than accelerate value creation.

[1]  David Gal and Derek Rucker; Northwestern University’s Kellogg School of Management; “When in Doubt, Shout”; Psychological Research; November, 2010.

About the Author: Gary Cokins, CPIM


Gary Cokins (Cornell University BS IE/OR, 1971; Northwestern University Kellogg MBA 1974) is an internationally recognized expert, speaker, and author in enterprise and corporate performance management (EPM/CPM) systems. He is the founder of Analytics-Based Performance Management LLC. He began his career in industry with a Fortune 100 company in CFO and operations roles, followed by 15 years in consulting with Deloitte, KPMG, and EDS (now part of HP). From 1997 until 2013 Gary was a Principal Consultant with SAS, a business analytics software vendor. His most recent books are Performance Management: Integrating Strategy Execution, Methods, Risk, and Analytics and Predictive Business Analytics.

The State of GRC: Should We Manage Controls?

by Bruce McCuaig, Director, GRC Product Marketing

Surveys suggest that more and more things seem to be going wrong. Either there are more risks than ever, or there are more “things.”

If there are more risks, then we need to examine our risk management practices.

If the risks are the same, but they’re happening in more places, then we need to examine our control management practices.

Managing GRC

The art of successful governance, risk, and compliance (GRC) management is looking in the right places for risks and doing the right things to respond to them.

In a recent blog on the Three Lines of Defence, I discussed the Three Value Questions. That discussion was intended to focus GRC professionals on the right “things.” Or in other words, finding the things that matter.

So let’s turn our attention to control management and away from risk management. Let’s assume we know where to look for important things that can go wrong and let’s examine our ability to respond to them. My working hypothesis is that we don’t respond well.

Is There Such a Thing as Control Management?

The first clue is the phrase “control management.” Is there such a thing in the professional literature? I have not found any reference to the concept of “control management” in either the Institute of Internal Audit Professional Practice Framework (IPPF) or the Public Company Accounting Oversight Board Audit Standard no. 5 (PCAOB AS5). Plenty of literature exists on “risk management,” little or nothing on “control management.”

Is this a mere oversight or is it a fundamental flaw? Let me ask it another way. Are internal controls a manageable dimension of the business and do we understand how to manage them? Among the questions we need to know (vs. believe) are:

  • How many controls are enough?
  • In any situation, which kinds work best?
  • What unintended consequences must be anticipated?
  • What is the impact of a set of controls on business performance?
  • How will technology help improve control effectiveness and drive down cost?

A New Perspective on Effective Control

Here’s an example of what I mean. For a number of years I was required to take daily doses of powerful prescription eye drops. Were the eye drops “effective”, I asked myself? The manufacturer of the eye drops actually offered a money back guarantee (in jurisdictions where it was allowed) if a specific outcome was not achieved. That sounded reassuring. But looking further into the research that supported the approval of the medication, I found some interesting statistics.

According to the research required to get approval for the drug, the side effects of the medication caused about 30% of users to miss 15% of their required doses. A small number, about 10%, stopped taking the medication entirely. A very small percent suffered severe side effects and were hospitalized.

Question: Was the medication effective? Yes or no please. No “opinions.”

Whenever I visited my ophthalmologist, he invariably said, “Remind me what eye drops I have prescribed for you?” Eventually I figured out he was “testing” the control. If I couldn’t remember he would conclude I had stopped taking the drops.

I struggle to think of any internal control effectiveness opinion I have ever written or read that contained such an analysis.

My point is that when we can answer these questions, we will be “managing” controls.

What does the future hold? How will technology help?

Shifting to a Fact-Based View of Controls

Technology should enable a shift from a belief-based approach to control management to a fact-based approach. Continuous monitoring of all the variables we need should begin to provide a precise measure of how controls work, individually and in combination, what “adverse” reactions occur and why, and should tell us the number, location, and nature of controls we need.

I can’t imagine precisely the impact of technology on controls but I do foresee we will be managing controls, not just adding and testing them.

Imagine in your business an SAP HANA-based, cross-system analysis of all invoices processed last month anywhere in the world to scan for duplicate payments, coding errors, or other anomalies. Imagine getting the results in 30 seconds. What controls would you be able to eliminate in a procure-to-pay process? How would it impact on vendor selection and payment terms?

Apply the same tools to customer invoices and inventory management.

What “controls” can be eliminated? How will business performance be improved?
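The cross-system invoice scan the post imagines is essentially a continuous-monitoring detective control. The following is an added example, not code from the original post and not an SAP HANA or SAP GRC feature: it runs in plain Python over a small constructed invoice feed from several hypothetical company codes and flags exact duplicate invoices (same vendor and invoice number, after normalisation), near duplicates (same vendor and amount within a few days under a different number), coding errors (GL accounts not in the chart of accounts) and amount outliers relative to a vendor’s usual invoices. The vendor names, invoice numbers, GL codes, thresholds and window sizes are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed chart of accounts: the only GL codes an invoice may be coded to (hypothetical).
VALID_GL = {"400100", "400200", "600300"}

# Constructed invoice feed consolidated from several entity systems (hypothetical data).
INVOICES = [
    {"id": 1, "entity": "US01", "vendor": "ACME GmbH", "inv_no": "INV-1001", "amount": 1200.00, "date": date(2015, 3, 2), "gl": "400100"},
    {"id": 2, "entity": "DE01", "vendor": "Acme  GmbH", "inv_no": "1001", "amount": 1200.00, "date": date(2015, 3, 5), "gl": "400100"},
    {"id": 3, "entity": "US01", "vendor": "ACME GmbH", "inv_no": "INV-1002", "amount": 1300.00, "date": date(2015, 3, 9), "gl": "400100"},
    {"id": 4, "entity": "FR01", "vendor": "Beta SARL", "inv_no": "B-77", "amount": 500.00, "date": date(2015, 3, 10), "gl": "999999"},
    {"id": 5, "entity": "FR01", "vendor": "Beta SARL", "inv_no": "B-78", "amount": 520.00, "date": date(2015, 3, 12), "gl": "400200"},
    {"id": 6, "entity": "FR01", "vendor": "Beta SARL", "inv_no": "B-79", "amount": 510.00, "date": date(2015, 3, 14), "gl": "400200"},
    {"id": 7, "entity": "FR01", "vendor": "Beta SARL", "inv_no": "B-80", "amount": 9900.00, "date": date(2015, 3, 20), "gl": "400200"},
    {"id": 8, "entity": "US01", "vendor": "ACME GmbH", "inv_no": "INV-1003", "amount": 1300.00, "date": date(2015, 3, 14), "gl": "400100"},
]


def norm_vendor(name):
    """Collapse whitespace and case so 'Acme  GmbH' and 'ACME GmbH' compare equal."""
    return re.sub(r"\s+", " ", name).strip().upper()


def norm_inv_no(inv_no):
    """Heuristic key: keep digits only, drop leading zeros ('INV-1001' and '1001' -> '1001')."""
    return re.sub(r"\D", "", inv_no).lstrip("0")


def group_by_vendor(invoices):
    groups = defaultdict(list)
    for inv in invoices:
        groups[norm_vendor(inv["vendor"])].append(inv)
    return groups


def find_exact_duplicates(invoices):
    """Invoices sharing vendor and normalised invoice number, across all entities."""
    seen = defaultdict(list)
    for inv in invoices:
        seen[(norm_vendor(inv["vendor"]), norm_inv_no(inv["inv_no"]))].append(inv["id"])
    return [tuple(ids) for ids in seen.values() if len(ids) > 1]


def find_near_duplicates(invoices, window_days=7):
    """Same vendor and amount within window_days, but under a different invoice number."""
    pairs = []
    for group in group_by_vendor(invoices).values():
        group = sorted(group, key=lambda i: i["date"])
        for idx, a in enumerate(group):
            for b in group[idx + 1:]:
                if (b["date"] - a["date"]).days > window_days:
                    break  # sorted by date, so nothing later can be inside the window
                same_amount = round(a["amount"], 2) == round(b["amount"], 2)
                if same_amount and norm_inv_no(a["inv_no"]) != norm_inv_no(b["inv_no"]):
                    pairs.append((a["id"], b["id"]))
    return pairs


def find_coding_errors(invoices, valid_gl=VALID_GL):
    """Invoices posted to a GL account that does not exist in the chart of accounts."""
    return [inv["id"] for inv in invoices if inv["gl"] not in valid_gl]


def find_amount_outliers(invoices, factor=5.0, min_history=3):
    """Invoices far above the vendor's median amount; needs a minimum history to judge."""
    flagged = []
    for group in group_by_vendor(invoices).values():
        if len(group) < min_history:
            continue
        typical = median(inv["amount"] for inv in group)
        flagged.extend(inv["id"] for inv in group if inv["amount"] > factor * typical)
    return flagged


def scan(invoices):
    """Run every check and return the findings by type, ready for a monitoring dashboard."""
    return {
        "exact_duplicates": find_exact_duplicates(invoices),
        "near_duplicates": find_near_duplicates(invoices),
        "coding_errors": find_coding_errors(invoices),
        "amount_outliers": find_amount_outliers(invoices),
    }


if __name__ == "__main__":
    for kind, findings in scan(INVOICES).items():
        print(f"{kind}: {findings}")
```

Each finding is a pointer back to invoice identifiers, which is what an investigator needs; the point of running this continuously is that a detective control over the whole population can replace some of the preventive sign-offs the first post complains about, and its own hit rate becomes the measurable “effectiveness” figure the eye-drop anecdote asks for.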

SAP HANA’s benefit is not just speed. SAP HANA allows fundamental change to take place.

That change will take place over time, but for now let’s turn to the 4 Quadrant diagram I introduced in my blog on the Three Lines of Defence. Let’s imagine the roles each Line of Defense will play in managing controls in the future.

