The post below is written by my good friend, Bruce Carpenter, who leads both internal audit and risk management for Sybase. By way of disclosure, Sybase was acquired by SAP partway through their GRC journey, and they have operated as an independent division of SAP since then, with Bruce continuing to run audit, risk, and compliance.
Integrating GRC Into the Rhythm of the Business
By Bruce Carpenter
At Sybase we are proud and delighted to be awarded the 2012 OCEG Principled Performance Award for our GRC program.
I like to think that we have integrated governance, risk, and compliance into the rhythm of Sybase’s business, and I’d like to explain to you how that happened, and to give you examples of the results.
As VP Internal Audit I am responsible for SOX, risk management, internal audit, and compliance. Combining these functions provided the context to organize GRC resources.
Our CEO John Chen wanted to create company performance led by integrity. To do that he wanted a GRC framework that didn’t operate in a separate silo, but was integrated across departments, and supported his direct reports to more effectively manage risk across the organization. His goal reflected the OCEG Red Book objective of “Principled Performance”. John Chen’s leadership was instrumental in creating the sponsorship needed to get our program going. He knew that the most significant risks generally required coordination between more than one executive team member, so this process could also support strategy coordination.
The result was to refocus ERM using a top-down approach, directly aligning risk identification with strategic direction. The CEO requested that internal audit meet quarterly with each ELT member to identify key risks associated with meeting their strategic goals.
The next step was to conduct a compliance risk assessment to identify legal and regulatory risks. Working with Global Legal, HR, and Finance, we identified compliance risks worldwide. We prioritized 20 of these. We also recognized that many of our existing SOX controls, particularly our Entity Level Controls and our IT controls, also play an important part in demonstrating regulatory compliance. We wanted to be able to link these regulatory risks with our existing controls, but there was no easy way to do this. It became clear that an exercise in pivot tables and linked spreadsheets wasn’t going to be enough.
Limitations of Manual Reporting
Even though the components of an effective program existed, we lacked the ability to provide effective real-time reporting. These are classic examples of challenges with manual processes.
We had risks which were of enterprise risk management level and risks which were at a compliance level. We knew that we had controls that addressed both categories of risks. But we couldn’t relate them.
The existing data was difficult to manipulate, and therefore of less use to support effective management decisions.
We wanted to lift our methodology to the next level to consider concepts like risk appetite, and risk velocity.
Using the automation process to enhance GRC methodology
We used the bowtie functionality (the left part of the tie represents the risk drivers, and the right is the potential effect) of the SAP GRC application, introducing methodology enhancements that proved very useful in the design conversations with the executive leadership team (“ELT”): Risk Drivers, Risk Impact, and Key Risk Indicators. To demonstrate the use of the bowtie concept we analyzed the risks associated with channel stuffing. Implementation of appropriate strategies including partner audits reduced this risk for Sybase.
It became clear that a risk driver in one part of the organization (owned by one ELT member) could impact the Risk Impact for which another ELT member would be responsible. Automation facilitated a more holistic assessment and response to risks at Sybase.
Moving forward, pie charts showing driver categories will allow management to shift the focus away from individual risks to manage the causes or drivers of those risks, improving the effectiveness of overall risk management. Similarly, it will be possible to produce real-time heat maps combining graphical reporting and detailed risk listings, with interactive drill down capabilities.
How GRC supported the Business
So let’s consider some examples of Principled Performance within Sybase:
• An increase in share price of around 300% over five years
• An increase in financial services industry revenue of $90 million over two years at a time when revenues could easily have been in decline
• A reduction in the incidence of channel stuffing due to on-site partner audits and other management strategies
• Automating the link between compliance risks and controls to facilitate reporting to mCommerce customers
Summary: The impact on management
As GRC professionals we strive to make our work both relevant and useful. One executive used these words to explain his thinking around GRC and risk management:
“… gets my attention to what is required to achieve best industry practice with regard to risk management”
“The risk management process creates the pressure of knowing that we have to get things done…”
“There is a person (you) and a process (the company process) and people know that this is important”
This is an important journey. I believe effective GRC automation has the potential to significantly impact organizational performance, and enhance management understanding of the associated risks they are required to manage.
I want to close with some thoughts to open up a conversation.
• There may be those among my fellow auditors who believe that risk management, compliance and internal audit responsibilities should always be separated, regardless of organization size. What are your views?
• At Sybase, we have worked to ensure the active participation of Sybase senior executives in our GRC programs. What are ways you have achieved this in your organization?
• We wanted to develop a focus on business performance, not just the performance of controls. What steps have you been able to take to ensure your GRC program has a strategic focus?
• We value the contribution of GRC technology, not just audit technology, to achieve our success. How has technology enhanced organizational thinking around GRC for your organization?
I am interested in your comments and experiences.