Dead Rats in Risk Management: The Myth of Complexity

by Bruce McCuaig, Director, GRC Product Marketing

Recent research commissioned and published by SAP (Managing risk in an age of complexity) reveals a startling conclusion that seems to reinforce the notion that complexity is a problem for GRC professionals.

“GRC is characterised by increased complexity. This, alongside pressures from the business to prove effectiveness, is creating significant challenges for GRC professionals.”


Complexity is a Symptom Not a Problem

I have a contrarian view. Let’s look at this more carefully.

A couple of weeks ago I published a blog that introduced the notion of “control management”. (It’s rare to see those two words used together.) In 2015, with the tools, skills, resources, and knowledge we have at our disposal, the idea that complexity makes business more challenging is silly. Complexity is not the problem. It’s a symptom.

Cars are more complex than ever with more regulations, higher speeds, and more traffic. Driving a modern automobile is simpler than ever.

Aviation is more complex. There are more aircraft, more destinations, more congestion, more threats, and more regulations. Booking a ticket, getting a boarding pass, and flying anywhere in the world is simple. (Comfort is another matter.)

The internet is complex. But finding and ordering a book, and getting it delivered the same or the next day, is simple.

Control Management Must Simplify GRC

Here’s another finding in the research mentioned above:

“Control failure is seen to be the second biggest risk to organizations over the next two years, behind competitive forces.”

I think this finding proves my point.

In most business endeavors, complexity is being addressed and simplified. If business is more complex and managing a business is more difficult, my belief is that we have failed, not as risk managers but as control managers.

Let’s look at some simple examples I have seen in some companies. These are really simple tasks that we make complex:

  • Selecting a vendor, and procuring and paying for goods and services, requires so many sign-offs and steps that business opportunities, as well as discounts, are lost.
  • Employees spend hours inputting data into needlessly complex, error-prone expense account systems.
  • Documentation, assessment, and testing of (bad) controls is a major and complex task, consuming scarce and expensive resources.

We have the notion that controls are supposed to be “effective”. It’s an abstract thought that does not bear close scrutiny. Many businesses with “effective” controls go bankrupt. Most businesses with “effective” controls complain about complexity.

Report Card on Control Management

The concept of control management is new.

My contention is that controls are simply not seen as a manageable dimension of the business. The outcome is the belief that more controls are always better, that controls all work the same way, and that only experts know enough to implement them. It’s quite similar to herbal medicine. Some of it’s good, some of it’s bad. Pick the expert you agree with and just believe.

Control Management Report Card (letter grade)

  • Use the minimum number of necessary controls to achieve an objective: D
  • Automate controls wherever possible: F
  • Consciously design controls to adapt to human behavior: F
  • Push accountability for controls to the business: D
  • Hold people accountable, don’t blame controls for human failure: F
  • Manage controls strategically: F
  • Design controls to reduce complexity: F


One Last Research Finding

Wherever complex environments have been simplified, one factor stands out. In all cases controls have been automated.

What does our recent research tell us about control automation in GRC? Only 15% believe continuous control monitoring is extremely effective and 17% believe continuous risk monitoring is extremely effective.

I went back to the researchers for an explanation. They explained that the reason the results seemed low was not a reflection of the value of automation and continuous monitoring, it was a reflection of the fact that very few companies were using either technique.

Expect complexity to remain a big issue for GRC.

I’m always interested in your feedback. What is your experience with control automation and continuous monitoring of risks and controls? Do you think controls are a manageable dimension of the business? What’s your suggestion for reducing complexity?


Using Technology to Strategically Drive Holistic Risk Management

by Michael Diehl

A recent report from the Economist, sponsored by SAP, lays out the case for holistic enterprise risk management and why it’s a vital necessity for modern business. As you prepare your organization to implement this holistic approach to Governance, Risk and Compliance (GRC), the report’s insights into best practices can aid the process.


Breaking Silos to Enable Collaboration

One of the biggest takeaways of the Economist report is the need for your organization to figure out how to do away with fragmented risk management silos and enable genuine collaboration. The report profiles logistics powerhouse UPS and the efforts of its VP of corporate internal audits, Mohammed Azam, to find a way to bring together every group under his purview to address risk management. In his case, Azam chose to set up an enterprise risk council, bypassing the normal gatekeeper avenues for communication by holding regular meetings with representatives from 25 different areas of UPS’ operations.

Steps like this go a long way toward combating the “same goal, different page” phenomenon that so often plagues the adoption of a holistic approach to risk management. That phenomenon leads to situations like nearly 70 percent of technology executives reporting that their organization doesn’t view IT security as a strategic priority. The root of that problem is poor communication, so it’s vital that you find a way to make sure everybody in your organization is reading from the same page.

Maximizing Vigilance Through Organizational Unity

A unified approach to risk management also helps you adopt the “beneficial paranoia” that’s vital to survival in today’s ultra-competitive global marketplace. Steve Lucas described this practice at a recent SAPinsider conference, using the animal world to contrast “head-in-the-sand” ostrich organizations and “follow the leader” fish with a more successful “lemur” approach.

In contrast to the other businesses, a “lemur” adopts a state of healthy strategic paranoia, always scanning the horizon for potential threats and sources of disruption. In this case, many eyes are better than one, and a unified approach ensures that you’ll hear the danger alarm as soon as it’s called, no matter where it originates within the organizational chart.

Understand Risk in the Context of the Organization’s Strategy

Effective and holistic risk management also requires you to be able to prioritize risks within the context of your business strategy. This prioritization allows business leaders to make decisions more effectively. “At the end of the day, this is not about risk professionals, but about executive teams making sure that they understand risks,” says PwC’s Brian Schwartz, US performance leader for governance, risk and compliance. It requires robust follow-through, enabled by rigorous auditing procedures and C-suite oversight. You need to be able to assess how your risk management procedures are aligning with your strategic objectives, both to identify problems before they occur, and to ensure that your processes are as efficient as possible.

Tying this together, the Economist’s report lays out four key objectives for crafting your risk management framework:

  • Implement proactive identification of risks
  • Enable effective ownership of strategic priorities to boost monitoring and audit management
  • Ensure senior management and corporate leadership is actively engaged in oversight of strategic risk management priorities
  • Use standardized terminology and measurement processes for risk priorities

How SAP Technology Solutions Can Help

To meet these four objectives, you’ll need to adopt robust, highly capable technology tools. SAP’s GRC solutions let you quickly adapt to changes in business, technology and regulations to strengthen your business and simplify your approach to GRC. With GRC solutions, SAP empowers you to make better decisions by visualizing your own data to predict how risks might impact your performance.

Adopting a unified technology platform lets you integrate key GRC activities into your existing processes to reduce complexity and boost your insight capabilities. To find out how technology can help you improve GRC to protect your company’s reputation and financial well-being, visit SAP today.



Why It’s Time to Implement Holistic Risk Management

by Michael Diehl

In partnership with SAP, the Economist and its Intelligence Unit discuss the pressing need for businesses to improve their enterprise risk management systems in the white paper, “Holistic Risk Management: Organizational measures to create a strategic view of risk” available now. With first-hand accounts from key players in several international organizations, it provides insight into how they revolutionized their organizations’ risk management, and offers a compelling argument for the need to adopt a truly holistic, strategic approach to governance, risk and compliance (GRC).

The Heightened Role of Strategic Risk in the Modern World

While risk management has always been a fact of life for business, leaders are increasingly aware of the need to manage new strategic risks driven by rapidly changing marketplaces and unparalleled global connection. With the rise of tech-enabled disruption, the potential for a seismic shift in your sector is always right around the corner, and it could come from anywhere around the world.

Faced with such wide-ranging and potentially catastrophic avenues for risk, you’ll need to start treating risk management as a truly strategic concern—one that becomes a core mission for every layer of your organization, instead of being confined to an isolated silo of Chief Risk Officers or audit management. In that regard you’ll be in good company, as 91 percent of organizations reported plans for revamping their risk management procedures in a 2014 CEB survey.


The Core Tenets of Strategic Holistic Risk Management

As outlined in the Economist white paper, PwC surveys have revealed that top corporate performers have consistently found success by marrying strategic concerns with truly holistic risk management. The steps they’ve taken in meeting that goal are varied, but several core tenets can be used to guide your own efforts in this area:

  • Involve your entire organization. Risk management can’t be holistic if it’s limited to isolated silos in your company. Risk arises from multiple angles, and will invariably involve the whole organization. From cyber security concerns to legal and governance issues, there’s no such thing as risk that’s limited to a single team or department. Accordingly, you’ll need to find a way to bring every player into the enterprise risk management conversation.
  • Adopt a simultaneous top-down, bottom-up approach. In keeping with a holistic perspective, you need to make risk management a mission priority for everybody in your organization. Rather than being a meta-concern limited to the C-suite, ERM should be a fact of life for everybody on the organizational chart, at every level.
  • Equip yourself appropriately. Holistic risk management requires an adaptable, highly responsive organization. This means that sluggish or outdated core operations are now a genuine threat to your very existence. Outmoded paper-driven practices won’t cut it any longer, so it’s time to ensure you’re equipped with technology tools that will allow you to position yourself for managing risk.

The Future of Risk Management

Achieving holistic risk management can help your organization preserve and grow its value, reduce the financial impact of risk, and help you optimize the impact of high-value processes and strategic goals. Truly holistic risk management can also cut your costs by giving you a sound footing to reduce unanticipated risks like compliance violations and supply chain inefficiencies, and will ensure that best practices are embedded in your core business operations. To find out how your organization can reap the benefits of a strategic approach to holistic risk management, read the Economist Intelligence Unit report today.



Can Internal Control Be the Key to Longevity?

Back in the 1920s the average longevity of companies in the S&P 500 index was 67 years, compared to just 15 years in 2012, according to Professor Richard Foster from Yale. It is a safe bet that this has fallen even further since then. The question is then: how can you ensure that your company is here for the long run?

Internal Control Journey – From Pure Compliance to Delivering Performance

In most companies, internal control is still addressed in much the same way as it was many years ago, using the same business structures and approach. Shouldn’t this change to focus more on performance?

Yes, I understand that there have never been so many regulations, and considering the increase in these last few years, I assume this isn’t going to slow down any time soon. But I think companies need to be proactive rather than reactive in order to stay on top of things.

Picture this. You’re already doing internal control, so why not leverage all these controls that are assessed manually or automatically, and shape them with a more performance-orientated intent?

Easier Said Than Done, Right?

Actually, I believe that progressing step by step can make this journey a lot easier than you would think. Of course a big revamp will make this happen quicker, but the cost and resources required to do so might be too much in these economically challenged times.

My suggestion, therefore, is the following. During the regular internal process review, whenever creating or updating a control, try to associate it with an objective – not a control objective, but a corporate objective. Ask yourself what company value this control relates to: delivering a constant quality of service, releasing reliable financial communication to stakeholders, etc.

This is the first step but not the most complex, and it’s a great step on this journey. Once this step is achieved then comes the prioritization phase.

Select the corporate objectives that give you a competitive edge and collect all their associated controls. You will know precisely what controls can help you achieve your corporate objectives and what controls have a more regulatory focus. The great thing now is that you can follow your performance using controls that are regularly assessed. Like key risk indicators these can feed you information on how well each department is doing, even allowing for a benchmark across divisions.

This means that you can investigate when one area is not performing as planned, and you can also focus your attention – or ask internal audit to do it – on the high performing organizational units. These indeed might have implemented processes that are more efficient and you might want to consider applying them to the rest of the group!

Combining a sound internal control process with a link to strategy means that you’re not only ensuring that your current processes are running as designed, but also that you are sustainable in the short and medium term. These processes then support your overall strategy and lay the path to long-term viability.

So, is this the key to longevity? Unfortunately, I don’t have the answer, but to me protecting the value drivers of the company seems like a good starting point.


The State of GRC: Should We Manage Controls?

by Bruce McCuaig, Director, GRC Product Marketing

Surveys suggest that more and more things seem to be going wrong. Either there are more risks than ever, or there are more “things.”

If there are more risks, then we need to examine our risk management practices.

If the risks are the same, but they’re happening in more places, then we need to examine our control management practices.

Managing GRC

The art of successful governance, risk, and compliance (GRC) management is looking in the right places for risks and doing the right things to respond to them.

In a recent blog on the Three Lines of Defence, I discussed the Three Value Questions. That discussion was intended to focus GRC professionals on the right “things.” Or in other words, finding the things that matter.

So let’s turn our attention to control management and away from risk management. Let’s assume we know where to look for important things that can go wrong and let’s examine our ability to respond to them. My working hypothesis is that we don’t respond well.

Is There Such a Thing as Control Management?

The first clue is the phrase “control management.” Is there such a thing in the professional literature? I have not found any reference to the concept of “control management” in either the Institute of Internal Audit Professional Practice Framework (IPPF) or the Public Company Accounting Oversight Board Audit Standard no. 5 (PCAOB AS5). Plenty of literature exists on “risk management,” little or nothing on “control management.”

Is this a mere oversight or is it a fundamental flaw? Let me ask it another way. Are internal controls a manageable dimension of the business, and do we understand how to manage them? Among the questions whose answers we need to know (vs. believe) are:

  • How many controls are enough?
  • In any situation, which kinds work best?
  • What unintended consequences must be anticipated?
  • What is the impact of a set of controls on business performance?
  • How will technology help improve control effectiveness and drive down cost?

A New Perspective on Effective Control

Here’s an example of what I mean. For a number of years I was required to take daily doses of powerful prescription eye drops. Were the eye drops “effective” I asked myself? The manufacturer of the eye drops actually offered a money back guarantee (in jurisdictions where it was allowed) if a specific outcome was not achieved. That sounded reassuring. But looking further into the research that supported the approval of the medication I found some interesting statistics.

According to the research required to get approval for the drug, the side effects of the medication caused about 30% of users to miss 15% of their required doses. A small number, about 10%, stopped taking the medication entirely. A very small percent suffered severe side effects and were hospitalized.

Question: Was the medication effective? Yes or no please. No “opinions.”

Whenever I visited my ophthalmologist, he invariably said, “Remind me what eye drops I have prescribed for you?” Eventually I figured out he was “testing” the control. If I couldn’t remember, he would conclude I had stopped taking the drops.

I struggle to think of any internal control effectiveness opinion I have ever written or read that contained such an analysis.

My point is that when we can answer these questions, we will be “managing” controls.

What does the future hold? How will technology help?

Shifting to a Fact-Based View of Controls

Technology should enable a shift from a belief-based approach to control management to a fact-based approach. Continuous monitoring of all the variables we need should begin to provide a precise measure of how controls work, individually and in combination, what “adverse” reactions occur and why, and should tell us the number, location, and nature of controls we need.

I can’t imagine precisely the impact of technology on controls but I do foresee we will be managing controls, not just adding and testing them.

Imagine in your business an SAP HANA-based, cross-system analysis of all invoices processed last month anywhere in the world to scan for duplicate payments, coding errors, or other anomalies. Imagine getting the results in 30 seconds. What controls would you be able to eliminate in a procure-to-pay process? How would it impact on vendor selection and payment terms?

Apply the same tools to customer invoices and inventory management.

What “controls” can be eliminated? How will business performance be improved?
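As an added illustration of the automated scan described above (example code written for this page, not code from the post or from SAP), the following detector runs a duplicate-payment check over a constructed set of invoice records drawn from two source systems. The record fields, the invoice-number normalization rules and the 30-day window are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Invoice:
    """One posted vendor invoice. Field names are assumed for this example."""
    system: str      # source system the record was extracted from
    vendor_id: str
    invoice_no: str  # number as keyed by the AP clerk, formatting varies
    amount: float
    currency: str
    posted: date

def normalize_invoice_no(raw: str) -> str:
    """Collapse the variations that let one invoice be paid twice:
    case, punctuation/spaces, and leading zeros in the numeric part."""
    key = re.sub(r"[^A-Z0-9]", "", raw.upper())
    # drop runs of zeros that start a digit group (INV0042 -> INV42, 0042 -> 42)
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", key) or "0"

def find_duplicate_payments(invoices, window_days=30):
    """Cross-system duplicate-payment scan.
    'exact'    : same vendor, normalized invoice number, amount and currency.
    'possible' : same vendor, amount and currency under a different invoice
                 number, posted within window_days of each other (a new
                 number is the usual way a re-submitted invoice slips past
                 a per-system duplicate check)."""
    findings = []
    by_key = {}
    for inv in invoices:
        key = (inv.vendor_id, normalize_invoice_no(inv.invoice_no),
               round(inv.amount, 2), inv.currency)
        by_key.setdefault(key, []).append(inv)
    for key, group in by_key.items():
        if len(group) > 1:
            findings.append({"type": "exact", "vendor": key[0],
                             "invoices": sorted(i.invoice_no for i in group),
                             "systems": sorted({i.system for i in group})})
    by_amount = {}
    for inv in invoices:
        by_amount.setdefault((inv.vendor_id, round(inv.amount, 2), inv.currency), []).append(inv)
    for (vendor, _amount, _cur), group in by_amount.items():
        group.sort(key=lambda i: i.posted)
        for a, b in zip(group, group[1:]):
            same_no = normalize_invoice_no(a.invoice_no) == normalize_invoice_no(b.invoice_no)
            if not same_no and (b.posted - a.posted).days <= window_days:
                findings.append({"type": "possible", "vendor": vendor,
                                 "invoices": [a.invoice_no, b.invoice_no],
                                 "systems": sorted({a.system, b.system})})
    return findings

# Constructed sample data: two regional systems, one month of postings.
SAMPLE_INVOICES = [
    Invoice("ERP-EU", "V100", "INV-0042", 1250.00, "EUR", date(2015, 5, 3)),
    Invoice("ERP-US", "V100", "inv 42",   1250.00, "EUR", date(2015, 5, 20)),  # same invoice, re-keyed in another system
    Invoice("ERP-EU", "V200", "A-7",       980.50, "EUR", date(2015, 5, 4)),
    Invoice("ERP-EU", "V200", "A-8",       980.50, "EUR", date(2015, 5, 10)),  # same amount, new number, 6 days later
    Invoice("ERP-EU", "V200", "A-9",       980.50, "EUR", date(2015, 7, 1)),   # same amount but outside the window: recurring charge
    Invoice("ERP-EU", "V300", "B-1",       300.00, "EUR", date(2015, 5, 5)),
    Invoice("ERP-EU", "V300", "B-1",       300.00, "USD", date(2015, 5, 5)),   # same number, different currency: not a duplicate
]

if __name__ == "__main__":
    for f in find_duplicate_payments(SAMPLE_INVOICES):
        print(f)
```

Each finding carries the source systems involved, so a cross-system hit (the V100 case) can be routed to whoever owns the shared vendor master rather than to either regional AP team alone.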

SAP HANA’s benefit is not just speed. SAP HANA allows fundamental change to take place.

That change will take place over time, but for now let’s turn to the 4 Quadrant diagram I introduced in my blog on the Three Lines of Defence. Let’s imagine the roles each Line of Defense will play in managing controls in the future.


Nice and Simple – 6 Super Sessions for SAPinsider


Fully refreshed and recharged after a slight break in event-related activity (see my earlier post regarding the SAPPHIRE NOW event), attention now turns to Nice in France, where the SAP solutions for Finance teams shall be heading soon to attend our next “major” of the season with the SAPinsider conferences. While containing a number of topic areas, my attention will be focused on two areas in particular, the Financials and GRC events.

I don’t know about you, but when attending business conferences I like to do a little bit of forward planning, so that I can get the most out of my time spent at the event – a little bit like planning a route around the Disney theme parks I guess, but with more time spent seated, rather than queuing, and without all those people walking around in character outfits. But planning takes time, which many of us don’t have in abundance during our working hours, and so to help provide some focus I want to share my “super six” sessions to see at SAPinsider, to give you a nice and simple start towards your event agenda.

6 Super Sessions to See in Nice

In selecting 6 sessions, I’ve kept things as simple as possible, focusing exclusively on customer case study sessions rather than the Keynote, or the Simple Finance, EPM and GRC roadmaps sessions which are all available too. But you can select these at your discretion at the SAPinsider website. Rather, I’ve chosen customer sessions because these are where you’ll get the inside scoop about implementing software solutions, from your industry peers who want to share their experiences with you. And in my opinion, customer stories like these are the most valuable of all the event sessions. So here they are my 6 customer stories for Nice:

  1. 16 June, 2.00pm: Cargill – large-scale finance transformation project
  2. 17 June, 8.30am: GlaxoSmithKline – rolling out SAP Risk Management across the organisation
  3. 17 June, 10.30am: Sonae Indústria – revamping controlling and corporate management reporting
  4. 17 June, 2.30pm: Gazprom Neft – using SAP BPC 10.0 to align consolidated and mgmt reporting
  5. 17 June, 4.45pm: Airbus – faster, simpler integrated financial reporting and planning
  6. 18 June, 10.30am: VCEAA – reducing segregation of duties conflicts

But of course that’s not all, and you certainly don’t need to follow the above sessions if you don’t fancy them – there are many more to choose from. But whether you’re interested in SAP Simple Finance, EPM or GRC customer stories, or want to hear from SAP on any of these topics, then you can build your own agenda to suit your needs.

If you’re in Nice this year, then I wish you a very successful and informative trip. I’ll be there too, so say “hello” if you see me. And I hope that my cross-Finance customer session suggestions in some way help to make your planning that bit more Nice and Simple.

A New Approach to Risk Oversight: A Lens to Look Through and Levers to Pull

By Bruce McCuaig, Director, GRC Product Marketing, SAP

Originally published on SAP Analytics. Reposted with permission.

Risk management continues to fall short of expectations. Surveys show boards and senior executives believe risk management is important, but also reflect an overwhelming dissatisfaction with the ability of boards and senior executives to effectively oversee risk management.


According to recent research by the NC State Enterprise Risk Management Initiative in a survey of companies: “68% indicate that the board of directors is asking ‘somewhat’ to ‘extensively’ for increased senior executive involvement in risk oversight. That is even higher for large companies (86%) and public companies (88%).”

Recently, with my GRC colleagues at SAP, I’ve been experimenting with a new approach to risk oversight and strategy. Our approach provides a new lens to look through that allows companies to manage risks strategically.

We believe risks can be divided into four broad categories, each of which requires a unique primary strategy. This is the first in a series of blogs, building on comments and feedback we received over the past 18 months as we developed this concept.

With this blog we’re introducing a new iOS app we have developed to categorize risks. Download your early version of the app. It contains a number of embedded videos that expand upon our conclusions about risk management and provide examples of a lens to look through and levers to pull.

In the next few weeks, we’ll introduce an updated version of the app, expand on the ideas and tools we’ve developed, and solicit your comments.

Beyond Heat Maps: A New Lens For Risk Oversight

The diagram below outlines the basic concepts of the approach. The horizontal axis captures risk level as depicted on a traditional heat map. We suggest that risk levels can only be lowered to a finite degree by traditional controls. Beyond that point, risk management strategies must focus on avoiding the risk.

A simple example: if one relies on fire extinguishers as the primary strategy for fire prevention, then implicitly fires are an acceptable risk. If one believed fires were spontaneous, unpredictable, and unpreventable, then such a strategy might make sense. But controls are a bad approach for fires and for any other similar risk where the necessary precursor events and conditions are known and discernible. If a major risk can be predicted, it must be averted, not controlled.

Similar examples will be provided for each quadrant in future blogs in this series.

The vertical axis captures management’s willingness to accept a risk. Assessing Risk Level and Risk Acceptance Willingness results in risks being placed in an appropriate quadrant. Each quadrant requires specific risk management practices and specific information and solution capabilities.


Risk Management Strategy Today: One Size Fits All

Risk oversight requires the ability to differentiate risks in a meaningful way and to develop responses appropriate to the nature of the risk. Risk management practices today don’t make sufficient distinctions to provide the necessary diversity in responses.

Most risk management strategies today rely on the use of controls as a primary strategy. Heat maps just don’t tell you what to do. In fact, they are a major source of frustration to boards and many senior executives.

My Questions to Our Readers

I will be exploring and explaining this concept in the next few weeks in this blog, and I’d love to hear from you. My questions to readers are:

  • Does it make sense?
  • Does it make clear how technology can be used?
  • Is it possible to use these concepts to guide risk management practices and to drive an integrated GRC strategy based on risk?
  • Is it useful from a board-oversight perspective?
  • What improvements can you suggest?
  • What are the flaws in this approach?

Interested in pursuing these ideas further? Join the SAP GRC team at SAPinsider GRC in Nice. I will be presenting the latest version of the GRC Strategy Selector app as a tool to bring the Three Lines of Defence to life as well as presenting an approach to using SAP Audit Management to drive costs down and add value. Register here and receive a €300 discount.
