GRC Tuesdays: What Do GRC Reports and Plato Have in Common? It’s All an Impression
When designing the proof of concept for GRC in the SAP Digital Boardroom (see From the Three Lines of Defense – A Window for GRC in the SAP Digital Boardroom), I decided to go back to the basics and ask myself, “What would executives expect to find in this type of dashboard to help steer their organization?” And then, my next thought was, “What’s already available to them, and how do they use it?”
Most executives tell me they use static reports they receive either online or even in a printed format.
To some extent—and apologies to the true philosophers here—this could be compared to Plato’s Allegory of the Cave.
In this metaphor, a group of prisoners are chained in a cave and forced to stare at a wall in front of them. Displayed on this wall are shadows of objects, puppets, and so on. Hence, they see only an image of the real world but not the reality itself.
I might be pushing my reasoning here, but static reports are just that: an image (or worse, an interpretation) of the progress, performance, risk and control level, and so forth, but not the event itself. If an executive wants more information about one risk event, he or she would have to get out of the proverbial cave and start looking for it.
And, very much like in the Allegory of the Cave, this executive would be at first blinded by the amount of information, and it would take some time for him or her to absorb it all. Since time is of the essence in all organizations, I don’t feel this is the right approach.
Executives today are asking for more, even if they don’t always formally express it. In my experience, executives don’t just want to be able to review the information that’s provided to them. They want to interact with it and analyse it in depth, so they can ensure that their operational or even strategic business decisions are properly informed rather than just a guess.
I’m not saying that the people creating these reports wish to act as “puppet masters” at all, just that they have to make do with what’s at their disposal in terms of technology.
Innovation Enables GRC to Deliver Information and Insights
This is where we must be innovative. Technology has moved forward and, in some cases, is more advanced than what’s being used. Unfortunately, I don’t believe that most risk and compliance departments have truly embraced this change. Far from being disruptive, this change helps remove the manual consolidation and analysis steps that take so much time.
Instead of providing data, risk and compliance departments should focus on delivering information, which is much more valuable, as it means illuminating the potential issue in its full context and, when possible, with a recommended solution.
If they fully leverage technology, risk and compliance departments can then move away from quarterly meetings with executive-type engagements and start a continuous dialogue, because the information is available to all, at any time, when necessary.
However, let’s hope the story ends better for the teams who fully leverage the new options than for the characters in Plato’s cave, and that other executives also decide that it’s far better to see real data than just an “impression.”
Do you already leverage technology to deliver continuous risk and compliance insights to your executives? If so, what has been their feedback?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
For more on GRC-related topics, be sure to follow and read the GRC Tuesday series.