Once every so often, companies revise their processes to identify areas of improvement. And the governance, risk, and compliance process is not exempt from this overhaul exercise as I am sure you already know and have already experienced.
Usually, we at SAP get involved at a later stage: after the redesign phase, when the process has been redefined—or simply refined—and the intent is to support it via a software solution.
Unfortunately, in many cases, the ask is simply to reproduce what is already there—albeit with a few improvements but without major enhancements. Many organizations still use Excel for governance, risk, and compliance aspects, and software vendors like SAP are simply asked to “port” these files into a system of records, for instance.
What I personally find a shame is that, by doing so, users won’t benefit fully from the automations that the GRC software can deliver. As a result, we aren’t able to reduce the manual workload as much as intended by the solution. Also, this then rarely—if ever—delivers the return on investment that the GRC sponsors were hoping for.
The question I often ask myself—and customers—is why wouldn’t you want to explore new routes, including adding more automation?
Here, I have to admit that the answer is usually pretty straightforward: we didn’t think about this, or didn’t even know it was an option.
When You Don’t Know What You’re Missing
To me, this parallels a story that my colleague Bruce McCuaig shared in an older GRC Tuesdays post, Redefining the Role of Internal Audit: Avoiding Redundancy. As Bruce said then, “The development of the transportation industry at the beginning of this century, I believe, is comparable to the technology innovations of the last few years. And I suggest that the same fundamental choices that had to be made then by blacksmiths must be made now by internal auditors.”
Think about it. Back in the early 1900s, if you were to ask what locomotion system people wanted, they would have replied “faster horses.” And this is simply because they hadn’t experienced the automobile. Once they got a taste of it, it changed everything… (We got the traffic jams that we all know today… but that’s a very different story.)
I’m not saying that GRC is stuck in the 1900s though, don’t get me wrong. But why not take it to the 21st century and leverage all the new capabilities and technologies that are now available? Continuous monitoring, predictive analytics, simulation and calibration, real-time and on-demand reporting on any device of your choice, and so on?
Errare Humanum Est, sed Perseverare Diabolicum!
I don’t believe that we continue to ask and reproduce the same schemes because it feels comfortable or because we are reluctant to change. Sure, this can be the case in some instances, but my personal opinion is that this is not true for the majority of stakeholders. As a result, the only limitation is our own knowledge and experience. If we don’t know it exists, we rarely ask for it.
I don’t claim to be a philosopher—far from it—but there is a quote from Seneca the Younger that applies well to this purpose: Errare humanum est, sed perseverare diabolicum. That is, “To err is human, but to persist in error is diabolical.”
You can’t expect a different and better outcome if you use the same approach as you did in the past. This is Einstein’s definition of insanity. So why not explore new options and be creative? To continue with Einstein quotes:
“The important thing is to not stop questioning. Curiosity has its own reason for existing.”
So think out of the box and challenge the status quo.
SAP Conference on Internal Controls, Compliance, and Risk Management – March 2019
Should you want food for thought for your GRC program, then I invite you to join us at the second edition of the SAP Conference on Internal Controls, Compliance and Risk Management in March 2019 in Barcelona.
If you were interested in this blog, then I am sure that this conference, which is themed around “Next Generation GRC,” will appeal to your curiosity! What’s more, the agenda has just been released today, so be one of the first to find out about the sessions!
I look forward to seeing you at this conference next year and to reading your thoughts and comments either on this blog or on Twitter @TFrenehard before then.