I may be stretching the Latin adage “Si vis pacem, para bellum” a bit here, but I do believe the lesson that ‘peace lies in preparation’ applies to GRC.
In many of our GRC Tuesdays blogs, my colleagues and I have been addressing various internal control, audit, and risk management topics, but one of the major components of governance, risk and compliance is often simply taken for granted: the “governance” pillar itself. And to me, automated monitoring is an integral aspect of ensuring that the governance works adequately – and as intended.
Peace from the Top
In my view, the most important role of a chief compliance officer, chief risk officer or chief audit executive is simply to safeguard the organization. The CCO must ensure that the company acts with integrity and within a regulatory context, the CRO must ensure that there is a risk management process in place that will adequately cater for the identification of the risks and opportunities, their assessment and mitigation and so on. All get their mandate from top management. As a result, this top management layer will be eager to know whether everything is working as intended or not.
And what is worse than having to tell your manager who’s asking for an update on risk or compliance topics to wait for a few weeks until all the information is consolidated?
By automating the reporting, our GRC colleagues can buy some peace from management (relatively speaking that is), because they can provide this information rapidly whenever its required.
Peace from the Operations
On thinking again about what could be worse than not being able to provide management with a timely update, I was actually able to think of something: not being able to provide any update at all because the stakeholder assigned to the task hasn’t done it. This often occurs because they see no value it in and/or perceive it as a pointless tick-the-box exercise. Or in some cases, where the procedure is extremely repetitive for instance, the operator might have the perception that their professionalism is being questioned when they have to fill-in a survey regularly on whether or not they’ve followed the procedure.
When this information is collected automatically, everyone involved gains a little . Not only that, but:
- The operator won’t be burdened by a task that is far from adding value to his work.
- The information might actually be more accurate as the system won’t try to “rush” to get it done as quickly as possible (contrary to some operators). It will just get it done without any qualms.
Where to Start and How to Go about It?
I would personally recommend starting by the operations and identifying those processes that can easily be automatically controlled. This would be a quick win for both the operator and the GRC stakeholder and make the case to management so that more resources can then be invested in more automated monitoring.
Attend the March International SAP Conference on Internal Controls, Compliance, and Risk Management
But don’t just take my word for it. Should you want to hear what other companies are doing with this regard, then I strongly recommend attending the International SAP Conference on Internal Controls, Compliance and Risk Management (15-16 March 2018 in Amsterdam, The Netherlands). This conference will include:
- Deep-dive workshops
- SAP executive keynotes
- Whole host of customer reference stories including BP, DHL Express, Innogy SE, Nationale Nederlanden, Stora Enso, United Utilities, Vodafone and more.
All of these great offerings will help ensure that you leave fully informed about how you can reimagine your business processes to deliver enhanced operations and performance.
Should you be interested in learning more, you can download the brochure for the event.
I hope to meet you at this conference, and in the meantime, don’t hesitate to share your thoughts and feedback on how GRC stakeholders can become Zen Masters either on this blog or on Twitter @TFrenehard