Nibbling vs. Consuming
Last week, I made the case that GRC practitioners merely nibbled on technology and did not truly “consume” it. Failure to consume technology prevents progress and leaves practices unchanged in spite of tremendous benefits to be gained.
What Nibbling Looks Like
GRC professional paradigms, methodologies and practices are driven by a variety of standards and regulatory requirements that have proven resistant to technological change. For all practical purposes, the regulators and standard setters write the textbook on GRC practices.
Recently, I spoke to a gathering of 25 very senior GRC professionals and outlined some of the technological innovations driving financial and operational transformation. I outlined the characteristics and nature of SAP S/4HANA and the universal journal. I illustrated how machine learning, robotics, and predictive tools could radically change the way their business operated today and how it would look in the future.
I then asked the audience what they thought the impact of digital transformation would be on them as GRC practitioners. The consensus was that they would probably need more auditors, more risk managers, more compliance people, and so on. Everything would change. They would not.
These GRC professionals insisted on positioning themselves on the outside of digital transformation. They were nibbling on the technology, acknowledging it existed but not consuming it. The textbooks on GRC practices are out of date. I had expected them to question the very need for some of their practices and deliverables, to explore new ways to deliver their services, and to consider new services they could deliver.
What Consuming Looks Like
I expect GRC professionals to “consume” technology. I believe their customers expect the same. But GRC professionals have allegiance to their standard setters, not their customers.
It’s generally true that the standards and frameworks driving GRC professionals don’t recognize the transformative power of technology and its potential impact. Generally, the assumption of regulators and standard setters is that practices and methodologies won’t change.
In the world of real-time in-memory processing, the Internet of Things (IoT) and predictive analytics, the assumption is:
- Audits will still be necessary, and they will be conducted in the same way by professionals with the same skill sets.
- Risks will still need to be identified and assessed in the same way.
- Practices (and the standards and regulations that drive them) will remain the same.
But who does that attitude serve? Consider:
- Have the COSO frameworks been updated to reflect a data-driven world instead of a transaction-driven world?
- How about the standards governing detection of deficiencies and Sarbanes-Oxley compliance?
- Do today’s risk management standards recognize the impact of technology on risk management practices and methodologies?
- Are audit reports the most relevant output from auditors?
- Can we now predict and avoid compliance failures? Or must we continue to detect them after the fact?
The Rise of Intelligent GRC (i-GRC)
“Monolithic, cobbled together antiquated ERP systems of record are the technology backbone of the majority of businesses today. While antiques such as jewelry, furniture and pottery may increase in value over time, systems of record have hit their demise because their design and value cannot match the digital business needs of today. The most competitive and digitally modern businesses have embraced new innovative business models unlocking the value of information.” IDC
So, how can GRC professionals create intelligent GRC?
I think the first step is to fully understand the state of relevant technology and ask if existing paradigms still apply. GRC professionals should ask themselves:
- How do real-time in-memory processing, machine learning, predictive analytics, and other emerging technologies affect the business today, and how can we exploit those technologies?
- What GRC practices and methodologies must be questioned and revised considering these innovations?
- How can SOX deficiencies be predicted rather than detected?
- Can we predict control failure, or detect it, with analytical tools?
- Can technology automate root cause analysis? Can the identification and assessment of business risks be driven bottom-up by incident analysis?
- Can we do cost benefit analysis of controls and policies using artificial intelligence to assess impact on objectives and business performance?
- Can we detect and remove inefficient or redundant controls with machine learning?
- What is the role of internal audit in i-GRC? Are audits relevant as we know them today? Is insight possible instead?
Let me leave you with a few closing thoughts.
Like the i-ERP envisioned in the IDC article, i-GRC will be distinguished by:
- On-demand (not periodic) GRC practices that rely on automation of high-volume, repeatable tasks.
- The adoption of machine learning and advanced analytics consuming data from a carefully designed and constructed data set.
- i-GRC professionals with high levels of digital knowledge and expertise, and indifference towards today's practices.
- An orientation to the future, not the past, and a drive to contribute to business performance.
GRC professionals who fail to consume technology will be consumed by it.
- Read the other GRC Tuesday blogs for more information on all things GRC.
- Join us at SAPinsider GRC2018 in Las Vegas. Register before December 15 for early-bird discounts.