GRC Tuesdays: GRC Naughty or Nice Quiz
By Thomas Frénéhard, Bruce McCuaig, and Jan Gardiner
SAP GRC Solutions Team
Santa Is Checking—Were You Naughty or Nice?
Traditionally we have finished our GRC Tuesdays blog with something holiday-oriented and more whimsical. This year, for your holiday enjoyment, we are helping you see how you might rank on Santa’s “Naughty or Nice” list. But don’t worry—we won’t share our results with him!
Do you tell the truth?
a. I NEVER hide anything from the auditors
b. When it’s not a material risk, I just keep it to myself
c. Whatever you do, DO NOT—I repeat DO NOT!—open the folder “Critical Risks – To Be Deleted”
Do you share your toys?
a. Everyone has access to my GRC platform and I encourage people to use it
b. I only give access to my GRC solution to control and risk owners… and to the auditors
c. My preeeecious! If you want access, it’s easy: submission of your request through a three-phase workflow, internal billing for your usage, and a “pretty please.”
What snack are you leaving Santa (i.e., sending the regulators)?
a. An XBRL file of all the losses and the associated reports
b. I send the compulsory reports, but without additional analysis
c. A very nice drawing and some cookies if they come to visit!
Do you ever skip school?
a. I attend all my training, compulsory or optional, and provide timely feedback
b. I try to… but time is not always on my side
c. Remind me again where I can find the list of training I need to do
Did you do your homework?
a. I have all my badges and I am a certified IT auditor / business continuity manager / other (select the one that applies)
b. I did attend sessions with CPE credits, and I am THIS close to keeping my certifications
c. I have been certified in the past… Surely there is no need to take it again, right?
Do you help others?
a. “Always available” is my motto
b. If they are part of my team, sure! Otherwise, you’d better check with my manager
c. Only if there is something in it for me. Cake? Ice cream?
Do you use time wisely?
a. Yes, we use a risk-based approach to focus our efforts on the highest risks so we don’t waste time controlling and auditing the little things
b. Sure, we have a lot of GRC work to do and we move quickly from one task to the next, in order by date
c. Ummm, we are still working on reports from 2016
Do you keep your room clean?
a. Yes, we keep our documentation updated and correct as we go through the year so we won’t have a lot to do during the holiday season
b. Well, we aren’t very good at regularly updating what has changed (or what should change)…
c. We plan to update our risks and controls the next time we change GRC systems
Do you follow directions from your parents (managers)?
a. Yes, provided the directions are in accordance with company policies and consistent with our ethical business practices
b. I let my managers think I am following instructions; they never check
c. I prefer to do whatever is expedient and gets me the biggest allowance
Now, tally your scores as follows: a. = 3 points, b. = 1 point, c. = 0 points. Add up your score across the nine questions and see how you did.
27 points = Perfect score! Santa should be very good to you, but in the meantime, why not enjoy some holiday cookies and egg nog?
21-26 points = Not perfect, but you are still definitely on the “nice list.” So, no worries about coal in your stocking!
11-20 points = You have some serious work to do—you’re in the naughty range.
0-10 points = Not only might you get coal in your stocking, you might find that you’re going to be sanctioned by regulators (or at least by your boss).
Our sincere best wishes for a happy holiday season and a rewarding new year!
Thomas, Bruce, and Jan