GRC Tuesdays: From the Three Lines of Defense to a Window for GRC in the SAP Digital Board Room
My colleagues and I have been blogging frequently about the Three Lines of Defense. Most of our readers know by now the simple principles behind the framework. Surveys show that most of our customers around the world have or are planning to implement the Three Lines of Defense framework. And SAP offers governance, risk and compliance (GRC) solutions that enable the Three Lines of Defense.
What is not fully appreciated by most is that the Three Lines of Defense is not an end result in and of itself. Implementing the framework is merely the stepping stone to a seat for GRC in the digital boardroom.
- The Three Lines of Defense has no purpose other than to build reliable information.
- GRC has no purpose but to provide a lens to manage the business.
But two problems persisted.
Problem #1: The Three Lines of Defense Didn’t Talk to Each Other
The unspoken goal of GRC professionals is to make GRC a manageable dimension of the business.
Today, GRC professionals produce numerous varieties of exception reports, but all are in silos:
- Heat maps illustrate risk but not the impact of risks on business performance.
- Reports on control effectiveness are silent on the risks they relate to.
- Audits are planned based on risks that are irrelevant to the business.
- None of the three lines of the Three Lines of Defense talk to each other, nor is there any attempt to reconcile their views or to ensure that coverage is complete and accurate.
The first step in making GRC a manageable dimension of the business is to create a single database of reliable information. That’s the job of the Three Lines of Defense framework.
Problem #2: GRC Data Wasn’t Aggregated for Reporting to Management and the Board
Management and boards deal in business strategy and performance. Traditional approaches to GRC don’t link to business objectives or the risks and controls that impact performance.
The second step in making GRC a manageable dimension of the business is to use technology, in our case the SAP Digital Board Room platform, to aggregate and integrate the data and provide a basis for managing GRC strategically.
Two Proofs of Concept
In the last few weeks, my colleagues in solution management, solution experience, and products have achieved breakthroughs. They have developed proofs of concept for reporting across the Three Lines of Defense in our demo environment.
Our Three Lines of Defense reports allow each line to review their contributions for quality and completeness and hand off their data for review, assurance, and reporting using standard reporting tools.
GRC in the SAP Digital Board Room
My colleagues have also demonstrated in the illustration below how the data created by the Three Lines of Defense can be extracted and viewed in the SAP Digital Board Room.
These two developments are true breakthroughs. But this blog is not the best medium to explain and illustrate the power of these proofs of concept. You need to see them in person.
Both of these tools will be demonstrated at SAPinsider GRC2017 in Las Vegas this March 21-24. If you aren’t already planning to attend, these two presentations by my colleagues are sufficient reason to register.
Learn More At GRC2017 in Las Vegas
- Register for SAPinsider GRC2017
- Plan to attend Jan Gardiner’s session, “How to Use SAP Process Control as the core of your Three Lines of Defense” for an illustration of the Three Lines of Defense reporting proof of concept.
- Watch for the scheduled SAP Digital Board Room demos. We are scheduling Thomas Frenehard to demo his GRC reports LIVE on the SAP Digital Board Room demo station.
- I also recommend you plan to attend Michael Rasmussen’s session, “A blueprint for effective GRC strategies in a dynamic environment: Understanding drivers, trends, and the business case for GRC.” Michael is a GRC Economist & Pundit with GRC 20/20 Research, LLC.