At my personal weblog, I recently wrote about compliance issues at Merrill Lynch and Beazer Homes. The focus of those posts was the role of management and the internal/external audit teams. In the Beazer piece, I speculate about GRC concerns. Here, I expand on that topic area.
In the past I’ve been critical of GRC efforts. My reasoning is simple. Unless there is compelling economic and business benefit, then companies will only pay lip service. There’s plenty of evidence of that. When asked I usually pull out the case of Sage. This is a company that has a defined CSR policy but has nothing in place that you could vaguely call actionable. From its own website:
We currently do not set specific CSR targets for our OpCos, but it is a matter that the Board continues to monitor. At present the Board does not consider it appropriate to link the management of social, environmental and ethical issues to remuneration incentives, given the difficulties in objectively measuring risk management and performance in this area.
This is a cop out in my opinion. Sage is not alone but it is a good example of what I mean by ‘paying lip service.’ Even those companies that have documented business processes for different aspects of GRC are not doing enough. If Merrill or Beazer had been more rigorous in enforcing what should have been SOX-based controls, then they might not have been so publicly criticized.
There have to be auditable processes that are routinely applied to risk related issues. These will vary from industry to industry but frameworks can be laid out that have broad application and then ‘drilled down’ to accommodate the individual requirements of business sectors.
These are relatively early days as companies wake up to the reputational risks they face. My sense in talking to some of SAP's GRC specialists is that there is a strong appetite for tools that will help reduce risk. However, I am equally certain that companies have not yet understood the disconnection between the way they measure for internal reporting purposes and what happens at audit. This is true not just of financial measures but of non-financial measures as well.
Part of the problem lies in the relative antiquity of some tools used by audit practitioners. It seems logical to me that if tools are being developed for the purpose of assessing and rectifying risk issues, then the obvious next step is to build test tools for external AND internal audit usage.
I will not pretend my thinking is fully formed. Far from it. However, I firmly believe that a collaborative approach to these issues is crucial. Finance needs to work more closely with operations and with both internal and external audit arms. The alternative does not bear thinking about.
I understand from speaking with James Farrar that SAP is alive to the broad nature of these issues and is engaged in a series of initiatives designed to understand and move debates forward. That’s all to the good. The outcomes will directly impact GRC development thinking.
I look forward to learning more on what I believe will be a fascinating journey.
In the meantime, it would be remiss of me to avoid mentioning The Wisdom of Clouds and SAPFeedingKnowledge. James was kind enough to share some of his thinking in this area with myself and Marilyn Pratt. SAP Community Cares.
As someone with a bee in his bonnet about ethical issues, I can see it has all the makings of a great project. James already thinks something I wrote a while back has ‘a whiff of mischief.’ He’s right. I may well contribute 😉