The annual European main event for those interested in an update on SAP's GRC solutions was held in Vienna, combined with parallel events on SAP HANA, BI, Finance and HR. Our COO Hans van Nes attended and shared the highlights of the conference.
GRC is now an accepted and mandatory strategy for managing the business. The more successful organisations approach GRC from a business risk perspective rather than from the check-box, compliance-driven focus with which many initiatives started. Stakeholders from the board, audit, risk, finance, IT and internal controls seem to be most in harmony when risk and compliance are embraced together as the two sides of the governance coin. However, the third side of the coin (if there is one!), business performance, is still rarely mentioned in GRC circles. Yes, cost savings in the IT compliance, audit and reporting processes are absolutely part of the success stories, but (continuous) business process improvement is less widely observed. Fraud identification and prevention is a hot topic, but the challenges of error and waste, which are often indistinguishable from fraud without forensic analysis, are not yet central on the radar screen.
Critical Success Factors: The Three S’s.
There were some interesting customer case studies describing the journey of setting up a mature and functional controls monitoring environment. There were three overarching themes that were commonly reported:
- Standardise: Select a framework, agree risks, limit variants, apply master data governance
- Simplify: Select only business relevant risks, automate controls and monitor risk as much as possible, eliminate redundancy and duplicates, hide the technology in the business process
- Sell: Support and serve stakeholders, engage with dashboards, align with management processes, create active operational community
Much of this reflects our own experience, although there was a heavy IT focus in the discussions. It is clear that the industry is progressing but that we still need to answer some key questions around the ultimate business value of GRC. Our experience is that focussing on the performance/risk axis is the compelling driver.
Global Process Ownership
An interesting observation echoed in the conference was that the process owners of GRC are, or should be, in the business BUT the GRC process operators are largely in IT. Setting up GRC monitoring requires a lot of arcane ERP knowledge which is mainly found in IT. All the case studies made it clear that substantial and continuous support by IT is required, for everything from operational management of risk/rule changes to optimising reporting for stakeholders. Although there is great vendor focus on making the technology components friendlier from a user interface perspective and adding smart functionality, there is still a major challenge in end to end process ownership and governance. Our work on the GRC success framework addresses this very challenge.
Given that the conference was essentially a technology congress, it was no surprise that SAP and other vendors are widening the GRC playing field by adding integration capabilities (and thus more complexity). Identity Management was a hot topic of discussion, as organisations realise that user access compliance is just one element of a broader Joiners/Movers/Leavers process, much as we showcased in our recent Identity & Access Governance webcast. This is logical: managing identities and access is the first level of defence against inappropriate access, and transaction-level process monitoring is the second, detective, layer behind it.
Including cyber security in the GRC scope was a new topic at the conference. Rightly, it was advocated that cyber security risks should become an integral part of the GRC environment. Although important, it would seem more logical to combine user access risk management with cyber security elements than to create a new separate module. I suspect this has as much to do with commercial imperatives as GRC strategy!
The more we apply detective transactional monitoring to process execution exceptions, which we strongly advocate, the more the data volumes will continue to challenge us. Enabling the use of in-memory technology such as SAP's HANA is therefore a logical and even necessary move. Of course, the SAP strategy is to drive customers to the cloud-based S/4HANA solution.
Although a rudimentary cloud-based SAP GRC access control module implemented on HANA was previewed, it was acknowledged that the full SAP GRC suite would certainly remain an on-premise solution.
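The two layers described above (preventive access checks inside the Joiners/Movers/Leavers process, and detective monitoring of what users actually execute) are easy to conflate. The following added example, which is not from the conference, the original post or any SAP GRC product, shows the difference in plain Python. The segregation-of-duties rules, roles, capabilities, user names and transaction events are all constructed for the illustration; real rule sets are far larger and tied to actual ERP authorisation objects.

```python
"""Preventive SoD check at provisioning versus detective monitoring of executed
transactions. Added illustration: all rules, roles, users and events are
constructed for this example and do not come from SAP GRC or the original post."""
from collections import defaultdict

# Constructed segregation-of-duties rules: two capabilities one person must not
# combine. Rule IDs are hypothetical.
SOD_RULES = {
    "SOD-01": ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"),
    "SOD-02": ("PURCHASE_ORDER_CREATE", "GOODS_RECEIPT_POST"),
}

# Constructed role catalogue: role name -> capabilities it grants.
ROLE_CAPS = {
    "AP_CLERK": {"INVOICE_POST"},
    "AP_MANAGER": {"PAYMENT_RELEASE", "INVOICE_POST"},
    "VENDOR_MASTER": {"VENDOR_MAINTAIN"},
    "BUYER": {"PURCHASE_ORDER_CREATE"},
    "WAREHOUSE": {"GOODS_RECEIPT_POST"},
}


def capabilities(roles):
    """Flatten a set of roles into the capabilities they grant."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPS.get(role, set())
    return caps


def sod_violations(roles):
    """Preventive check: which rules does this role set violate on paper?"""
    caps = capabilities(roles)
    return sorted(rule for rule, (a, b) in SOD_RULES.items()
                  if a in caps and b in caps)


def provision(current_roles, requested_role):
    """Joiner/mover request. A mover keeps existing roles, so the check must run
    on the combined set, not on the requested role alone."""
    proposed = set(current_roles) | {requested_role}
    violations = sod_violations(proposed)
    return {"approved": not violations,
            "violations": violations,
            "roles": sorted(proposed)}


def detect_executed_conflicts(events):
    """Detective check over the transaction log: report a user who exercised
    both halves of an SoD rule against the same business object. This catches
    what the preventive check cannot see, e.g. emergency access or role changes
    that bypassed provisioning."""
    exercised = defaultdict(set)          # (user, object) -> capabilities used
    findings = set()
    for ev in events:
        key = (ev["user"], ev["object"])
        exercised[key].add(ev["capability"])
        for rule, (a, b) in SOD_RULES.items():
            if a in exercised[key] and b in exercised[key]:
                findings.add((rule, ev["user"], ev["object"]))
    return sorted(findings)


# Constructed transaction events (user, capability exercised, business object).
EVENTS = [
    {"user": "jdoe", "capability": "VENDOR_MAINTAIN", "object": "V-1001"},
    {"user": "jdoe", "capability": "INVOICE_POST", "object": "V-1001"},
    {"user": "asmith", "capability": "PAYMENT_RELEASE", "object": "V-1001"},
    # jdoe releases payment to the vendor jdoe created: an actual conflict.
    {"user": "jdoe", "capability": "PAYMENT_RELEASE", "object": "V-1001"},
    # bkim holds both halves of SOD-02 but used them on different objects.
    {"user": "bkim", "capability": "PURCHASE_ORDER_CREATE", "object": "PO-77"},
    {"user": "bkim", "capability": "GOODS_RECEIPT_POST", "object": "PO-88"},
]

if __name__ == "__main__":
    print(provision(["VENDOR_MASTER"], "AP_MANAGER"))   # rejected, SOD-01
    print(provision(["AP_CLERK"], "BUYER"))             # approved
    print(detect_executed_conflicts(EVENTS))            # jdoe on V-1001
```

The preventive check flags potential conflicts, so a mover who keeps a vendor-master role and is granted a payment role is rejected before the access exists. The detective check only reports an actual conflict, where the same person performed both halves on the same object, which is why the volume of transactional data to be scanned grows with every process brought under monitoring.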
The official overall conference message was around digitisation of the organisation and its relationship to risk management. Better dashboards that make GRC-related reporting more relevant to management will help. A South African mining company showed an integrated dashboard looking at Natural, Human, Social, Manufactured and Financial capital performance. Of course, dashboards are not the exclusive domain of GRC, and there was some broader marketing positioning to show how SAP could bring the digitised organisation to the next level of business relevance.
It might have been the vast venue, but it felt like there were far fewer attendees than last year. This could be down to a number of factors, but it reinforced the message that a tool alone clearly does not provide enough business value. Organisations are shifting their focus away from adding further complexity towards simplification, process governance and end-to-end business impact. They want to know how to ensure their business processes are optimised.
- The GRC technology landscape is becoming richer and more powerful.
- The ‘GRC’ problem domain is morphing into a managed balance between risk and performance.
- Active GRC process ownership needs to make a significant move away from IT to the business, using a common success framework.
- Business continues to move fast and technology needs to be aligned to the needs of current and future stakeholders.
How we can help:
- GRC Success Framework – 9 Steps for Less Program Stress
- End to End Process Review – Validating stakeholder value throughout the risk and compliance cycle.
- Risk/Rule Review and Refinement – Ensuring your GRC environment is monitoring the latest, current risks for your business processes and systems.
Want to find out more? Click here: firstname.lastname@example.org