The State of GRC: Should We Manage Controls?

by Bruce McCuaig, Director, GRC Product Marketing

Surveys suggest that more and more things seem to be going wrong. Either there are more risks than ever, or there are more “things.”

If there are more risks, then we need to examine our risk management practices.

If the risks are the same, but they’re happening in more places, then we need to examine our control management practices.

Managing GRC

The art of successful governance, risk, and compliance (GRC) management is looking in the right places for risks and doing the right things to respond to them.

In a recent blog on the Three Lines of Defence, I discussed the Three Value Questions. That discussion was intended to focus GRC professionals on the right “things.” Or in other words, finding the things that matter.

So let’s turn our attention to control management and away from risk management. Let’s assume we know where to look for important things that can go wrong and let’s examine our ability to respond to them. My working hypothesis is that we don’t respond well.

Is There Such a Thing as Control Management?

The first clue is the phrase “control management.” Is there such a thing in the professional literature? I have not found any reference to the concept of “control management” in either the Institute of Internal Audit Professional Practice Framework (IPPF) or the Public Company Accounting Oversight Board Audit Standard no. 5 (PCAOB AS5). Plenty of literature exists on “risk management,” little or nothing on “control management.”

Is this a mere oversight or is it a fundamental flaw? Let me ask it another way. Are internal controls a manageable dimension of the business and do we understand how to manage them? Among the questions we need to answer from knowledge (rather than belief) are:

  • How many controls are enough?
  • In any situation, which kinds work best?
  • What unintended consequences must be anticipated?
  • What is the impact of a set of controls on business performance?
  • How will technology help improve control effectiveness and drive down cost?

A New Perspective on Effective Control

Here’s an example of what I mean. For a number of years I was required to take daily doses of powerful prescription eye drops. Were the eye drops “effective,” I asked myself? The manufacturer of the eye drops actually offered a money back guarantee (in jurisdictions where it was allowed) if a specific outcome was not achieved. That sounded reassuring. But looking further into the research that supported the approval of the medication, I found some interesting statistics.

According to the research required to get approval for the drug, the side effects of the medication caused about 30% of users to miss 15% of their required doses. A small number, about 10%, stopped taking the medication entirely. A very small percent suffered severe side effects and were hospitalized.

Question: Was the medication effective? Yes or no please. No “opinions.”

Whenever I visited my ophthalmologist, he invariably said, “Remind me what eye drops I have prescribed for you?” Eventually I figured out he was “testing” the control. If I couldn’t remember he would conclude I had stopped taking the drops.

I struggle to think of any internal control effectiveness opinion I have ever written or read that contained such an analysis.

My point is that when we can answer these questions, we will be “managing” controls.

What does the future hold? How will technology help?

Shifting to a Fact-Based View of Controls

Technology should enable a shift from a belief-based approach to control management to a fact-based approach. Continuous monitoring of all the variables we need should begin to provide a precise measure of how controls work, individually and in combination, what “adverse” reactions occur and why, and should tell us the number, location, and nature of controls we need.

I can’t imagine precisely the impact of technology on controls but I do foresee we will be managing controls, not just adding and testing them.

Imagine in your business an SAP HANA-based, cross-system analysis of all invoices processed last month anywhere in the world to scan for duplicate payments, coding errors, or other anomalies. Imagine getting the results in 30 seconds. What controls would you be able to eliminate in a procure-to-pay process? How would it impact vendor selection and payment terms?

Apply the same tools to customer invoices and inventory management.

What “controls” can be eliminated? How will business performance be improved?

SAP HANA’s benefit is not just speed. SAP HANA allows fundamental change to take place.

That change will take place over time, but for now let’s turn to the 4 Quadrant diagram I introduced in my blog on the Three Lines of Defence. Let’s imagine the roles each Line of Defense will play in managing controls in the future.


What’s a Predictive Indicator?

by Thomas Frenehard, GRC, SAP

Originally posted on SAP Analytics, June 16, 2015. Reposted with permission.

For those of you who have been following these blogs, you know that I’m going to address the specific topic of key risk indicators (KRI).

As briefly mentioned in a previous blog (Key Risk Indicators in a Sound Risk Management Process: What Are They Really?), key risk indicators are supposedly forward looking so that they can act as an early warning system. OK, that’s good. But what makes them forward looking?

To me, there are two ways of looking at this and both end at the same result – they need to ensure you receive the information that will help you make the right decision before the risk occurs.

Leveraging Predictive Models

These types of KRIs make use of mathematical models to provide a future value. For instance, some companies have created their own models to enable digging out a trend on the price of a commodity based on macro and micro-economic indicators.

Consider oil. Some organizations are specialised in providing indicators relative to potential demand per zone based on their production activities, planned extraction volumes, and so on. Combined, these could be used to forecast a global trend on prices.

Now let’s take the example of airline carriers. These companies consume a great amount of fuel and this is an important part of the flight ticket price.

Should a company be able to have an indicator related to oil price (like the one mentioned above), it could optimize its ticket fares by raising or lowering its prices for the forecasted period.

This could not only be a good risk management process because it would reduce the impact of a potential financial loss due to oil price increase, but it’s also a fantastic opportunity management tool as its prices could be more competitive without reducing any of its usual services.

Leveraging Current Information

Just because a key risk indicator doesn’t give you a forecasted value doesn’t mean the risk has already occurred. Some indicators can use current information to predict the impact on a risk.

Let’s look again at airline carriers. These companies need to ensure that each flight is profitable or they lose money, which would obviously cast doubt on their business model. One way of preventing this is by calculating the revenue of each flight 24 hours before it departs. Taking into account only the number of seats occupied wouldn’t be sufficient as, if they were all sold at the lowest price, the break-even point might not have been reached.

Now, if the operations manager receives the revenue information 24 hours before take-off, he might make the decision to keep the flight if cancelling it would be more costly. But he could also decide to automatically re-book travellers on flights before or after and give them the option to opt out. This way, the company would only have to refund travellers who can’t, or don’t want to, take the option of leaving earlier or later than planned; for the others, this might not be an issue.

This type of indicator doesn’t leverage predictive models, but only the risk owner’s expertise and experience. Still, it truly supports decision making as the total impact of the risk of cancelling a flight would be documented, and the cost of the different responses would also be known.

Of course, the point of my short post today is not to say that one type of indicator is better than the other – or that airline companies should cancel flights 24 hours in advance! But I am trying to illustrate that both options can be complementary.

Do you currently use key risk indicators? If so, what type do you leverage most?


Key Risk Indicators in a Sound Risk Management Process: What Are They Really?

by Thomas Frenehard, GRC, SAP

Originally posted on SAP Analytics, March 25, 2014. Reposted with permission.


For many people, risk management helps companies make sure that their compliance risks are monitored and that they have controls in place to take care of them.

Personally, I strongly believe that risk management is much more than that – it helps companies really steer their business, avoid roadblocks, seize opportunities, and react appropriately.

Key Risk Indicators (KRIs) are indicators of the possibility of a future adverse impact on the organization. They serve as an early warning system to the stakeholders and enable preventive action to be taken directly on the risks and opportunities flagged.

In that sense, they can be any value that is worth tracking in relation to a risk:

  • a date (like the date of last review of the risk)
  • a number (number of near misses)
  • a percentage (percentage increase in customer returns)

And they can vary from risk to risk.

Most often, it is the trend and changes that will be monitored because these can indicate a deterioration of a situation or can point out that the mitigation strategy in place is no longer effective.

To my mind, there are no restrictions on when to use KRIs. As soon as a risk event is identified and considered sufficiently critical to be followed, then an indicator can be defined to monitor it.

This will also help the risk owner to focus on the risks that require extra attention.

Now that this has been said, comes the “not so easy” part – how do we design them so that they’re effective?

Designing an Effective KRI

Here I believe that a combined effort between the business users and the IT experts proves the most effective. The business users know best what information indicates that additional action is required on a risk, and IT experts often know best what information is available (or can be made available) and at what frequency it can be refreshed. The question of the frequency is crucial and should really be discussed between the business and IT: a KRI that isn’t refreshed periodically might give a false indication.

An alignment between these two profiles means that the KRI can benefit from the best design and, when possible, can be automated to reduce the effort by avoiding duplication, should the value already be available in a system.

Food for Thought

Here are a few best practices that I’ve seen implemented across different organizations and that I think can be applicable to many:

  • KRIs need to be simple to be understood by every stakeholder – there should be no need to be an expert to understand the resulting value as actions might be required based on it
  • To truly support the decision making process, one must ensure that KRIs are quantifiable so that they can be used in threshold monitoring and therefore trigger appropriate escalations
  • Most of all – there’s no need to create more KRIs than necessary. Too many false positives will dilute the true notification and weaken the overall monitoring process
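As an added example that is not part of the original post, the practices above can be made concrete in a small Python monitor: each KRI is quantified, compared against a warning and an escalation threshold, checked for a deteriorating trend in its recent values, and reported as stale when it has not been refreshed within the frequency agreed between business and IT. The KRI names, thresholds, dates and values are constructed for illustration only.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed example: one quantified KRI with an agreed refresh frequency,
# a warning threshold and an escalation threshold. history holds
# (observation date, value) pairs, oldest first.
@dataclass
class KRI:
    name: str
    risk: str
    unit: str                      # "count", "percent" or "days"
    refresh_days: int              # refresh frequency agreed by business and IT
    warning: float
    escalate: float
    history: List[Tuple[date, float]] = field(default_factory=list)

    def latest(self) -> Optional[Tuple[date, float]]:
        return self.history[-1] if self.history else None


def kri_status(kri: KRI, today: date) -> Dict[str, object]:
    """Monitoring verdict for one KRI.

    status : "ok", "warning" or "escalate" from the latest value alone.
    stale  : True when the latest refresh is older than the agreed frequency;
             a stale KRI may give a false indication, so it is reported
             explicitly rather than silently trusted.
    trend  : "deteriorating" when the last three values rise monotonically,
             a sign that the mitigation in place may no longer be effective.
    """
    obs = kri.latest()
    if obs is None:
        return {"kri": kri.name, "risk": kri.risk, "value": None,
                "status": "no data", "stale": True, "trend": "n/a"}
    observed, value = obs
    stale = (today - observed) > timedelta(days=kri.refresh_days)
    if value >= kri.escalate:
        status = "escalate"
    elif value >= kri.warning:
        status = "warning"
    else:
        status = "ok"
    recent = [v for _, v in kri.history[-3:]]
    deteriorating = len(recent) == 3 and recent[0] < recent[1] < recent[2]
    return {"kri": kri.name, "risk": kri.risk, "value": value, "status": status,
            "stale": stale, "trend": "deteriorating" if deteriorating else "stable"}


def escalations(kris: List[KRI], today: date) -> List[Dict[str, object]]:
    """Only the KRIs that need the risk owner's attention: threshold breached,
    deteriorating trend, or not refreshed on time. Everything else stays quiet
    so that true notifications are not diluted."""
    flagged = []
    for k in kris:
        s = kri_status(k, today)
        if s["status"] != "ok" or s["stale"] or s["trend"] == "deteriorating":
            flagged.append(s)
    return flagged


# Constructed sample covering the three kinds of value named in the post.
TODAY = date(2015, 3, 25)
SAMPLE_KRIS = [
    KRI("near_misses", "Warehouse safety incident", "count", 7, warning=3, escalate=5,
        history=[(date(2015, 3, 4), 1), (date(2015, 3, 11), 2), (date(2015, 3, 24), 4)]),
    KRI("customer_return_increase", "Product quality", "percent", 30, warning=5.0, escalate=10.0,
        history=[(date(2015, 1, 31), 2.0), (date(2015, 2, 28), 3.5), (date(2015, 3, 23), 11.0)]),
    KRI("days_since_risk_review", "Supplier concentration", "days", 90, warning=60, escalate=120,
        history=[(date(2014, 12, 1), 45)]),   # last refreshed well outside the agreed 90 days
]

if __name__ == "__main__":
    for verdict in escalations(SAMPLE_KRIS, TODAY):
        print(verdict)
```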

GRC 2015 – One Week On!

By Thomas Frenehard, GRC Solution Management

Originally posted on SAP Analytics, 23 June 2015

Steve Lucas of SAP delivering the keynote address at SAPinsider 2015 Nice

Last week, SAPinsider held its GRC 2015 event in Nice, France and it was energising and fast paced! For those who couldn’t attend, I thought I’d share with you some of the great discussions I had with customers and also one of the announcements made that should be of interest to SAP’s GRC community.

Do More With Less

Of course this has been top of mind for many companies with the recent economic turmoil, where resources are scarce and investments most often reduced to vital activities. But every customer I spoke with mentioned that their management is now asking them to increase their regulatory and operational efficiency coverage with “optimized options”. In essence, to do more controls with fewer resources.

It was motivating to hear feedback from customers who have already taken this path and leveraged their internal audit department to help. This showed that a true collaboration between the compliance team and the internal auditors can lead to the set-up of a sound and very efficient internal control system.

Three Lines of Defense

The three lines of defense was definitely THE hot topic at the event. And I could see the acronym 3LOD gain more and more traction, day by day. Many companies were interested in discussing how to align their operations, compliance, and audit departments. Interestingly, IT and business departments both mentioned this as a key (process) roadmap item for them in the near future. For business, the intent is to achieve the assurance level required by their executives and for IT departments the rationalization of the software landscape that would be brought with this approach was a definitive winner.

Operational Risk Management

Here I’m not referring to the banking Operational Risk Management (ORM) approach, but to the intent to do risk management (identification, analysis and mitigation) at the operations or asset level, while still being able to integrate the results in a wider Enterprise Risk Management framework, so that a single report of the company risk profile can be displayed at any time without requiring lengthy manual risk consolidation.

It was interesting to hear the different opinions on what ORM is for each sector as there doesn’t seem to be a single – widely adopted – definition or approach. This is definitely one of the key points I took home that I’ll need to think about this summer!

Congratulations are In Order!

Last but not least, congratulations to EY and Integrc, two of our great partners in the area of GRC who have decided to combine forces. I wish them all the very best in the process! In conclusion, if you’ve never been, Nice is a lovely city, filled with history, beautiful landscapes, and delicious food. Associated with a great event, I have to admit that my week was far from being a punishment.


Note from the editor:

Thank you Thomas for this succinct wrap-up of GRC focus topics and discussions at the recent SAPinsider event in Nice.

Should readers of CFOKnowledge want to learn more about the GRC or Financials events, here are a few links to some excellent blogs from my colleague Derek Klobucher. I think you’ll enjoy them!

How Real-Time Analytics Will Kill a Financial Tradition

Why Paranoia Is Good for Business

Screen Your Partners or Risk Guilt by Association

Nice and Simple – 6 Super Sessions for SAPinsider

Fully refreshed and recharged after a slight break in event-related activity (see my earlier post regarding the SAPPHIRE NOW event), attention now turns to Nice in France, where the SAP solutions for Finance teams shall be heading soon to attend our next “major” of the season with the SAPinsider conferences. While containing a number of topic areas, my attention will be focused on two areas in particular, the Financials and GRC events.

I don’t know about you, but when attending business conferences I like to do a little bit of forward planning, so that I can get the most out of my time spent at the event – a little bit like planning a route around the Disney theme parks I guess, but with more time spent seated, rather than queuing and without all those people walking around in character outfits. But planning takes time, which many of us don’t have in abundance during our working hours, and so to help provide some focus I want to share my “super six” sessions to see at SAPinsider, to give you a nice and simple start towards your event agenda.

6 Super Sessions to See in Nice

In selecting 6 sessions, I’ve kept things as simple as possible, focusing exclusively on customer case study sessions rather than the Keynote, or the Simple Finance, EPM and GRC roadmap sessions, which are all available too. But you can select these at your discretion at the SAPinsider website. Rather, I’ve chosen customer sessions because these are where you’ll get the inside scoop about implementing software solutions, from your industry peers who want to share their experiences with you. And in my opinion, customer stories like these are the most valuable of all the event sessions. So here they are, my 6 customer stories for Nice:

  1. 16 June, 2.00pm: Cargill – large-scale finance transformation project
  2. 17 June, 8.30am: GlaxoSmithKline – rolling out SAP Risk Management across the organisation
  3. 17 June, 10.30am: Sonae Indústria – revamping controlling and corporate management reporting
  4. 17 June, 2.30pm: Gazprom Neft – using SAP BPC 10.0 to align consolidated and mgmt reporting
  5. 17 June, 4.45pm: Airbus – faster, simpler integrated financial reporting and planning
  6. 18 June, 10.30am: VCEAA – reducing segregation of duties conflicts

But of course that’s not all, and you certainly don’t need to follow the above sessions if you don’t fancy them – there are many more to choose from. But whether you’re interested in SAP Simple Finance, EPM or GRC customer stories, or want to hear from SAP on any of these topics, then you can build your own agenda to suit your needs.

If you’re in Nice this year, then I wish you a very successful and informative trip. I’ll be there too, so say “hello” if you see me. And I hope that my cross-Finance customer session suggestions in some way help to make your planning that bit more Nice and Simple.

A New Approach to Risk Oversight: A Lens to Look Through and Levers to Pull

By Bruce McCuaig, Director, GRC Product Marketing, SAP

Originally published on SAP Analytics. Reposted with permission.

Risk management continues to fall short of expectations. Surveys show boards and senior executives believe risk management is important, but also reflect an overwhelming dissatisfaction with the ability of boards and senior executives to effectively oversee risk management.


According to recent research by the NC State Enterprise Risk Management Initiative in a survey of companies: “68% indicate that the board of directors is asking “somewhat” to “extensively” for increased senior executive involvement in risk oversight. That is even higher for large companies (86%) and public companies (88%).”

Recently, with my GRC colleagues at SAP, I’ve been experimenting with a new approach to risk oversight and strategy. Our approach provides a new lens to look through that allows companies to manage risks strategically.

We believe risks can be divided into four broad categories, each of which requires a unique primary strategy. This is the first in a series of blogs, building on comments and feedback we received over the past 18 months as we developed this concept.

With this blog we’re introducing a new iOS app we have developed to categorize risks. Download your early version of the app. It contains a number of embedded videos that expand upon our conclusions about risk management and provides examples of a lens to look through and levers to pull.

In the next few weeks, we’ll introduce an updated version of the app, expand on the ideas and tools we’ve developed, and solicit your comments.

Beyond Heat Maps: A New Lens For Risk Oversight

The diagram below outlines the basic concepts of the approach. The horizontal axis captures risk level as depicted on a traditional heat map. We suggest that risk levels can only be lowered to a finite degree by traditional controls. Beyond that point, risk management strategies must focus on avoiding the risk.

A simple example is that if one relies on fire extinguishers as a primary strategy for fire prevention, then implicitly fires are an acceptable risk. If one believed fires were spontaneous, unpredictable, and unpreventable, then such a strategy might make sense. But controls are a bad approach for fires and any other similar risk where the necessary precursor events and conditions are known and discernible. If a major risk can be predicted, it must be averted, not controlled.

Similar examples will be provided for each quadrant in future blogs in this series.

The vertical axis captures management’s willingness to accept a risk. Assessing Risk Level and Risk Acceptance Willingness results in risks being placed in an appropriate quadrant. Each quadrant requires specific risk management practices and specific information and solution capabilities.


Risk Management Strategy Today: One Size Fits All

Risk oversight requires the ability to differentiate risks in a meaningful way and to develop responses appropriate to the nature of the risk. Risk management practices today don’t make sufficient distinctions to provide the necessary diversity in responses.

Most risk management strategies today rely on the use of controls as a primary strategy. Heat maps just don’t tell you what to do. In fact, they are a major source of frustration to boards and many senior executives.

My Questions to Our Readers

I will be exploring and explaining this concept in the next few weeks in this blog, and I’d love to hear from you. My questions to readers are:

  • Does it make sense?
  • Does it make clear how technology can be used?
  • Is it possible to use these concepts to guide risk management practices and to drive an integrated GRC strategy based on risk?
  • Is it useful from a board-oversight perspective?
  • What improvements can you suggest?
  • What are the flaws in this approach?

Interested in pursuing these ideas further? Join the SAP GRC team at SAPinsider GRC in Nice. I will be presenting the latest version of the GRC Strategy Selector app as a tool to bring the Three Lines of Defence to life as well as presenting an approach to using SAP Audit Management to drive costs down and add value. Register here and receive a €300 discount.


6 Stories to Give You the Finance Buzz at SAPinsider

It’s going to be a busy time this week for many of my colleagues and the visitors to SAPinsider Financials 2015 in Las Vegas, so I decided to give you my thoughts on some interesting sessions to see, if you’re attending, given that you’re spoilt for choice with such a comprehensive agenda. And I’m bucking the trend with this blog post – because instead of talking about products, I’m talking about customers and thought leaders, and in particular the stories that you’ll be able to see and hear at the event this week.

Excited yet? I am! And with good reason, because many valued SAP customers have decided to make the trip to Las Vegas to give an account of their experiences with SAP solutions for Finance…stories of implementation approaches, best practices, and where they have found business benefits.

So for anyone embarking on a software implementation project, or even just considering approaches to solving some of their finance department and process issues, these are key SAPinsider Financials 2015 sessions to attend.

Six in Focus – But Don’t Forget the Rest!

My six focus sessions are chosen not because I know the customer stories particularly well, but rather because they’ll give attendees a good flavor across a range of finance topics. And my apologies to the many other customers not listed here – whose sessions are equally as valuable – but I just couldn’t fit you all into one short blog post.

I would, however, encourage readers attending Financials 2015 to take a look at the many other customer-led sessions at the event this week, as well as those detailed here, just so that you select sessions that will be most relevant to you.

Ready to learn about some of the exciting sessions ahead? Then let’s go:

  1. Keynote address, TODAY, Tue 17 March at 8:30 am – Okay, it’s strictly an SAP-led session, but there’ll be a panel discussion in which thought leaders will be asked to give their view about challenges and opportunities facing CFOs. It’s sure to be an interesting discussion – and let’s face it, no-one wants to miss the keynote!
  2. Sun Products, Wed 18 March at 8:30 am – A session where you should learn some best practice advice on implementing credit, dispute, and collections management.
  3. Velux, Wed 18 March at 10:30 am – I really like the sound of this session, in which you’ll hear how Velux moved from a traditional to “beyond budgeting” approach.
  4. McKesson, Thu 19 March at 8:30 am – For anyone seeking advice on implementing SAP ERP Financials then this is a session for you!
  5. Bentley Systems, Thu 19 March at 1:00 pm – Hear how Bentley Systems automated and shortened the payment processing lifecycle with SAP Bank Communication Management.
  6. Telephone and Data Systems, Thu 19 March at 4:30 pm – This is one for those of you interested in financial consolidations, with particular focus on project planning.

Don’t Be Shy – Get Networking!

All of these customers are attending the event to share their knowledge and experience with you, and I know that if you have questions for them after hearing their sessions that they’ll be delighted to speak with you…so do take advantage of this in the event networking sessions.

And remember to also take a look at the full agenda, so that you can plan your sessions and make the best use of your time. I hope you have an interesting and informative week, and that you return to work buzzing with the excitement of the potential to put in practice what you have learned at the event.

Have a great week!