Bruce McCuaig

Bruce McCuaig

About Bruce McCuaig

Bruce McCuaig is director - Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.


i-GRC And The Three Lines Of Defense

28-Nov-2017 | Bruce McCuaig

[no_syndicate_info][/no_syndicate_info] In my last blog, I appropriated the “i” from IDC’s The Rise of Intelligent ERP and, in a different blog, made the case that GRC professionals and stand

The Rise Of Intelligent GRC

7-Nov-2017 | Bruce McCuaig

Nibbling versus consuming: In my blog last week, I made the case that GRC practitioners merely nibbled on technology and did not truly “consume” it. Failure to consume technology prevents progress

Are You Just Nibbling At GRC Technology?

31-Oct-2017 | Bruce McCuaig

Last week, SAP CEO Bill McDermott told us at SAP that it wasn’t enough to sell our software to customers; we need to show them how to “consume” it. I couldn’t agree more. Governance, risk, and

GRC, governance, risk, risk management

Where Have All The Good Risks Gone?

5-Jul-2017 | Bruce McCuaig

Another week, another “Top 10” risk list. All the “Top 10” risks are disasters waiting to happen. They attract nods and sighs from the risk managers and risk pundits of the world. What would h

Shifting GRC To The “Left of Launch”

4-May-2017 | Bruce McCuaig

I recently read a news story explaining the new U.S. antimissile approach, known as “left of launch.” The story explained that the idea now is to strike an enemy missile before liftoff or during

Three Lines Of Defense And Integrated Reporting—Getting Internal Auditors Out Of Control And Into The Business

16-Feb-2017 | Bruce McCuaig

The role of internal auditors is to provide assurance, right? What does “assurance” look like? It looks like this: “In our opinion, internal control (substitute risk management, compliance, IT

audit, GRC, assurance, accounting, auditing, governance

Is Assurance Obsolete?

27-Jan-2017 | Bruce McCuaig

The literature today contains strong hints that the internal auditing profession is in trouble. One of the best sources of information is the annual State of the Internal Audit Profession survey produ

risk, GRC, governance

The Problem With Risk Appetite

9-Nov-2016 | Bruce McCuaig

It’s probably heresy for a risk management professional, but I simply do not accept the practicality of the concept of “risk appetite.” Sure, it’s conceptually appealing, but in most cases it

Governance, Risk, And (Maybe) Compliance

1-Sep-2016 | Bruce McCuaig

Regulatory compliance is an enigma to me. What does it have to do with governance and risk? I’m asking this as both a marketing guy and a long-time GRC professional. I find myself writing messaging

Measuring Performance Of The Three Lines Of Defense

11-Mar-2016 | Bruce McCuaig

The Three Lines of Defense concept was first introduced in 2006 as a proposal for better equipping audit committees. Here is a simple illustration of how it is supposed to work: