Our COO, Hans van Nes, attended the recent SAP sponsored Governance, Risk and Compliance conference (GRC2015) in Nice, France. His review forms the latest guest post, and I am reliably informed that the title refers to observations from the conference attendees and not his position on the beach at the Promenade des Anglais . . . .
. . . SAP GRC2015 lies behind us. While scanning through my notes I found that both the presentations and my many discussions with the attendees gave a good status overview of where we are with GRC strategies, implementing GRC solutions, their maturity and what is hampering further progress. Using actual quotes from attendees, speakers and the SAP ecosystem as entry points, I will try to explain why I chose the title for this blog.
“Sustained ownership for GRC initiatives is hard to achieve”
Who owns GRC? Well, from an operational perspective, there are many stakeholders across the business. The traditional centre of gravity has been balanced between the finance function and IT. The strength of the IT ownership line, somewhat contrary to risk and control best practice, has its root in the technical complexity of the application landscape and security model (especially with SAP) and the GRC technologies themselves. The good news is the reported tendency to get more business line management involvement.
But few attendees claimed one strategic owner, although in theory perhaps it should be the CEO. Next in line would be the CFO who at least will have ownership of financial control and compliance elements. Some attendees reported Chief Risk Officer and even Chief Compliance Officer existence and involvement.
Occasionally the CFO, CRO or CCO takes a wholehearted sponsoring role for GRC, but many report that sponsor interest declines after the early stages of direction setting. Many organisations acknowledge that the daily operational processes, especially for Access Control and Process Control implementations, become an IT-led exercise with business process owners as distant re-active users.
One observation that aligns with our own experiences is that executives are primarily focussed on performance and risk related topics are often seen as less significant unless the organisation is faced with a clear and present existential threat. The rise of a philosophy that risk and performance are two sides of the same coin is very helpful in this context. The great news is that the emerging role of the Global Process Owner (GPO) has end to end responsibility for process optimisation and as such owns both the performance and risk elements. This is good for the future of stakeholder ownership in GRC. The new GPOs see the governance, risk and compliance requirements for their business process as an integral part of their continuous improvement agenda and are thus taking ownership for it. We are also seeing GPOs being appointed for Financial Control and Compliance itself, which goes a considerable way to address the business sponsorship issue, since this role typically reports through to the CFO.
“No, we don’t know what we will do next”
Looking at the hands raised during polls in the presentation sessions and confirmed in discussions with attendees, about 80% of the companies have just one GRC module implemented. Most of these implementations were issue driven (the result of audit comments, fraud incidents, financial reporting requirements such as Sarbanes-Oxley or other specific risk exposure).
Remarkably, even the largest organisations don’t seem to have a blueprint on what to do (or not do!) in the field of GRC, for what reasons and with what goals. The above mentioned ownership issue seems to have contributed to this.
We are seeing increased emphasis at Board level: elements like a Governance assertion are already actively pursued, albeit often just focussing on transparency and whistle-blower topics. Annual reports are also starting to show general risk management assertions, describe the role of the internal control framework and the approach to audit. Fully embracing the GRC agenda at Board level will drive executive management to develop and own a broader GRC Roadmap.
“The appetite for another 3 year project is very low”
Admittedly, when your controls implementation has taken 3 years and has become more an IT thing and a tick box for the external auditors instead of a continuous improvement enabler for the business, engaging in another GRC project needs quite some compelling event behind it. The desire for more agile implementations with reusable components and pre-loaded content is very clear.
Standard template implementations can be done in a rapid development style, but some companies have complex processes, system landscapes and organisational structures, so it is a trade-off. Or as one person said to me: “The two things that killed our implementation plan were getting all the stakeholders into a planning workshop and getting the GRC software operational!”
“The new UI is nice but give me basic functionality first”
Undoubtedly the SAP GRC suite is developing into an ever more complete and mature platform to support many of the GRC demands we face. Having said that, there is still no single vendor that offers a credible ‘one stop shop’. Behind the conference PowerPoint, the reality of today is that the ‘devil is in the detail’. Users report that individual modules are not well integrated, not intuitive in their use and are labour intensive to deploy and use. Independent service providers have discovered these omissions and offer to address them with expertise and reusable content and software. The SAP strategy to move to the beauty of the Fiori interface is seen as “nice” and may be long overdue, but conference attendees were demanding more functionality first.
“GRC on HANA might be a great idea but my customers are not willing to pay”
Getting a budget for any project starts with a business case. In the case of specific GRC initiatives the problem can appear to be too abstract, isolated and/or too poorly described in business terms to attract attention and ownership. GRC is often not the way to get one’s emotional needs met!
Many attendees expressed difficulties in selling an “insurance policy” to their stakeholders: reputation is probably the most highly valued asset of a company, and when it has recently been tarnished, budgets become available. Plans to implement monitoring systems for events and risks that have not yet occurred or may be perceived as low likelihood can be a ‘big ask’.
Getting funding for technology upgrades proves to be even more difficult: “The promise of more near real-time monitoring is great but my internal customers are already having a hard time remediating the exceptions we find. We are even forced to skip technical upgrades because testing capacity is not funded.”
A possible answer may be in combining the risk and performance sides of the GRC coin: analysing process exceptions enables process optimisation and control assurance, resulting in optimised processes. By defining more tangible results, the perceived ‘insurance premium’ element goes down and the business improvement rationale increases.
“Divide and conquer is the name of the game”
One attendee, a financial control manager, observed ‘People obviously like to sit on their own chair’. Owning this chair gives a position (indispensable, specialist, policeman, etc.). Her frustration in this case was that progress on an access control solution was being hampered by opposing forces from HR (who owned access provisioning) and IT (who owned identity management). Sharing and cooperation to move from a focus on the chair to the collaborative round table will not happen organically. We also know that every organisation has its own special kind of ‘immune system’ that repels change agents like a dangerous virus. The immune system can include both the internal and external “ecosystem” that flourishes on having things not automated and integrated but requiring costly and time consuming manual checks and remediation.
“Finally access control and identity management come together”
SAP announced that the development teams for GRC and IdM/Access Management are being merged into one business unit. Far more important is that this opens the way for a shared repository containing all user information for both Access Control and IdM. Although likely driven by the need to manage the various emerging Cloud access subscription profiles, this opens up opportunities for integrated user management and control. The ownership issues described above will, however, become even more apparent and challenging. And in the words of one attendee: “We might need to go back to the Workers Council to get approval.” (In Germany these strong employee unions have extensive rights to challenge and veto developments that affect the control asserted over employees.)
“Between a rock and a hard place”
To augment the above statements from the attendees, I add a few of my personal observations:
- The most common lesson learned expressed in each customer presentation was “Get management commitment”. GRC initiatives are business activities with business outcomes at stake. Be clear on desired outcomes and relevant stakeholders.
- The most common business driver for GRC initiatives was “Additional assurance”.
- The most common regret expressed by attendees on their GRC initiatives was “Lack of attention to continuous process improvement”.
When I summarise all the comments made it is clear that 360° adoption of GRC is still low and only slowly progressing. The closest implementation to the stated vision was that at SAP itself and, as the software provider, that may represent an interesting intersection between marketing, governance, risk and compliance!
Slightly disappointing was that only a minority of the presentations were given by customers, overwhelmed by those from SAP, partners and sponsors.
Despite the debate over what exactly ‘GRC’ is, the topic is getting ever more airtime in organisations. The pressure for enhanced transparency and good governance is outpacing even legislation and industry standards. Risks of reputational damage are getting greater, the need for greater visibility is growing and the chances for fraud, waste and error are increasing despite the increased level of process standardisation, control automation and technology integration underway.
Transforming this key set of requirements into business cases and creating ownership within organisations is a struggle and the solutions offered today are still not yet mature, agile or simple enough, leaving many organisations today between the rock of “something must be done” and a hard place of “not at that cost”.
Having said this, organisations making pragmatic and insightful use of currently available technology have implemented practical solutions today that bring clear business value. The growing alignment with global process ownership will further help to get GRC more aligned with the business. On-going development of the technology solutions accompanied by good methodologies will increase the simplicity of implementation and agility of use. As we move towards more consumer grade GRC technology and ease of use, the business appetite will increase, the Gordian Knot of GRC will unravel and the ‘rock and the hard place’ will become a distant memory and folklore for organisations.
Thanks for reading . . .