GRC Tuesdays: Mobile GRC – (R)Evolution or Hidden Danger?
I have been working in the Governance, Risk Management, and Compliance software area for close to 15 years now and I have been lucky to see the evolution of technological support for GRC processes. From offline fat clients for audit installed on individual machines over 15 years ago to machine learning aided fraud investigations that have been making their way into organizations in these last few years, we have clearly come a long way!
And this is what I focus on in these GRC Tuesdays posts: how can technology better support the 1st, 2nd and 3rd lines in performing their activities as diligently but as effortlessly as possible?
Recently, I have been asked about my thoughts on “mobile GRC” and whether I thought this was an evolution or a revolution. I have to admit that my response was more nuanced, and I added a category that my audience didn’t seem to expect: it could also be a hidden threat.
To me, depending on what GRC activity we are referring to, it could fall into any of these buckets. As such, mobile GRC should be considered not only in the context of the user experience, but more importantly in terms of the expected outcome.
By “mobile GRC”, I am referring to the features and functionalities supporting GRC processes (control and risk assessment, testing, audit, fraud investigation, reporting etc.) that are performed on mobile devices – be it smartphone or tablet.
Note: I have been asked about smartwatches in the past, but I personally feel that GRC processes require a bit more than a 40mm screen…
In this short blog, I’d like to explain what I would categorise in each of these buckets and why, hoping that this might help you decide in case this is something that you are investigating at the moment.
Let’s start with the positive aspects and why this can be considered an evolution or even a revolution to some extent.
I think you will agree that our mobile devices have become an extension of our workspace. We expect our mobile devices to help us continue the work started on a laptop or desktop when we are on the move and to be able to pick up where we left off. Seamlessly.
This started with emails, agenda, notes, contact details, etc. of course but has since included many more capabilities such as project management, online meetings… and virtually anything you can think of that you currently do on your computer!
In this respect, GRC software has embraced this transformation and it’s now possible for managers to validate a user access request while on the train, for risk owners to receive alerts on their risks directly on their phone so that they can urgently review the context if needed, etc.
Similarly, for auditors that are constantly on the move, their audit workspace has become virtual and they can access it from any device – anywhere in the world. This not only fosters collaboration, but is also very safe since the information is no longer hosted on someone’s machine but in a shared – secured – environment.
To me, this is the “evolution” stage.
What I believe makes it a “revolution” is when we go a step further and make GRC active, so to speak. Contribution to controls and risks is no longer only reactive, when the user receives the activity in their inbox, but included alongside their other daily tasks. The 1st, 2nd and 3rd lines, but also governing bodies, get access to real-time information from their phone or tablet and can drill down into it without having to load a heavy report.
Potential Hidden Danger
In the introduction, I mentioned that I introduced a new category when sharing my thoughts on mobile GRC: a potential hidden danger.
By this, I am not referring to security or data breaches. I am instead referring to a missed goal: when the expectations of the provider and the recipient of the information differ, so that no decision can be made based on the information provided.
Let’s assume you want your users to document risks in their business units. Would you rather they go quickly and provide 70% of the information or that they pause, think about it and document in detail what could trigger the risk, what the consequences would be, how it can be monitored, etc?
Studies have shown that information provided via mobile is often shorter in nature and summarized. As a result, this might not match your expectations for this case and I would therefore not recommend a simplified mobile layout here.
What To Use & When
In order to make sure that control or risk contributions are relevant and can be leveraged in the decision making process, I think GRC teams should carefully consider what type of information they – or company executives – need before deciding on the technology they will make available to their colleagues.
For instance: are you simply expecting an acknowledgement to a policy from all your employees and contractors? Then, and since it’s easy to read a policy or procedure document on a mobile device and then check a box that you have read it, mobile GRC seems very suitable for this business case. You can even of course have a quiz on your mobile to make sure that you understood.
On the other hand, if you are looking for a detailed investigation and case documentation for potential fraud detection, then maybe this is not really suitable for mobile GRC.
At SAP, we actually decided to provide users with a dual approach, hence supporting users – and GRC departments – in the way they feel is most relevant for them and the intended use.
All SAP GRC solutions now leverage SAP Fiori user experience. This is our award-winning and UI technology-independent user experience.
By using SAP Fiori, users get the same look and feel – adapted to the device they are connecting from, of course – whether they are on their laptop, desktop, tablet or smartphone. Mobility therefore becomes a logical and seamless extension of the desktop.
In addition, and for those business cases where mobile GRC makes absolute sense, we have dedicated Fiori apps which are once again technology-independent but where the flow and navigation have been adapted specifically to cater for straightforward information display and processing.
Take Issue Status in control testing, for instance. With the dedicated SAP Fiori app Monitor Issue Status, 2nd line stakeholders can easily review and track issues resulting from control testing. They can display a list of current issues – including detailed information and related remediation plans for individual issues – but also email the issue owner or the responsible remediator for updates on the remediation process.
Another example could be the regular risk assessment. With the SAP Fiori app Manage Risk Assessments, users can go through a simplified guided process to assess and submit risk assessments but also review historical risk assessments.
What about you, how does your GRC department decide what to use and when? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard