GRC – Evolution
The motivation to create this posting stems from recent conversations internally and externally, from sales meetings, training and recent industry events I've attended. I must point out that this post is not going down the rabbit warren of whether the three lines of defence should be renamed or span four, five, or six lines of defence, as everyone (including myself) has a different opinion. But in general, if you speak about the three lines of defence, everyone understands and relates to this, so let's leave it there for now.
What I'm going to focus on is how a business could benefit from maturing its approach to risk from a box-ticking exercise into a strategic advantage.
In general, organisations implemented GRC solutions because they were told to, by a regulator or an industry body, and this is still very much the case in most industries. So GRC is usually seen as costly and separate from the business. However, this does seem to be changing: recent studies show that the Board expects the Chief Risk Officer (CRO) to provide the guidance and leadership that was historically reserved for the CEO and CFO.
Why is this? Historically, in some organisations the cost of being compliant is the difference between being in business and shutting up shop. The original expectation from the Board of a CRO was to keep the regulators at bay. But expectation is changing; the CRO is looking at different data, or at the same data from a different angle. This can highlight very quickly whether certain activities within the business are worth the risk. The pressure and focus on the CRO has increased dramatically, with many requiring access to data from core parts of the business such as Asset Management, Marketing, Resourcing and HR. But are the tools they purchased or implemented up to the challenge that the Board has set?
At SAP I'm working daily with customers not only to improve compliance and meet regulatory challenges, but also to demonstrate the value of creating cross-business, joined-up mitigation strategies. One of the more recent examples was the design of an asset maintenance risk strategy. This involved creating an end-to-end business process within SAP Process Control that linked data from SAP ERP and SAP Enterprise Asset Management, combining that with HR and marketing. So in SAP Process Control I was able to design a pump replacement strategy, document the known risks relating to people, processes and systems, and mitigate each step with real data.
For example, with regard to people, I was able to pull data from HR to assign the correct people with the correct training and qualifications, reducing the risk rating. In turn, I was able to check the asset data for location, documentation and replacement part availability, once again reducing the impact of the risk on the business. All these steps are clearly managed, with accountability, within SAP Process Control. While this is happening in the foreground, SAP Regulation Management manages all of the documentation for the vast forest of regulations that a company faces. Equally, SAP Access Control governs the level of data my profile will allow.
The final piece of the solution is meeting the requirements of the Audit function. SAP Audit Management provides the last line of defence and the assurance required by the Board and by internal and external auditors. SAP Audit Management integrates with all the risks, processes and controls and other areas of the business to provide that view.
But this is just the beginning of the story: by combining SAP GRC with SAP Predictive Analytics we can start to build out Predictive Risk Management, or Predictive Maintenance, while at the same time assessing the risks involved.
But the final piece of the story: how does the CRO communicate this in real time to the Board? Well, SAP Digital Boardroom enables the CRO to demonstrate live in the boardroom the impact of risks on different areas of the business, and to try out scenarios that may reduce or increase risks and help identify new opportunities.
This really is true Enterprise Risk Management (ERM)!
If you have any questions or would like to find out more please go to www.sap.com/.