Bruce McCuaig

About Bruce McCuaig

Bruce McCuaig is director - Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.

Three Lines Of Defense And Integrated Reporting—Getting Internal Auditors Out Of Control And Into The Business

16-Feb-2017 | Bruce McCuaig

The role of internal auditors is to provide assurance, right? What does “assurance” look like? It looks like this: “In our opinion, internal control (substitute risk management, compliance, IT

audit, GRC, assurance, accounting, auditing, governance

Is Assurance Obsolete?

27-Jan-2017 | Bruce McCuaig

The literature today contains strong hints that the internal auditing profession is in trouble. One of the best sources of information is the annual State of the Internal Audit Profession survey produ

risk, GRC, governance

The Problem With Risk Appetite

9-Nov-2016 | Bruce McCuaig

It’s probably heresy for a risk management professional, but I simply do not accept the practicality of the concept of “risk appetite.” Sure, it’s conceptually appealing, but in most cases it

Governance, Risk, And (Maybe) Compliance

1-Sep-2016 | Bruce McCuaig

Regulatory compliance is an enigma to me. What does it have to do with governance and risk? I’m asking this as both a marketing guy and a long-time GRC professional. I find myself writing messaging

Measuring Performance Of The Three Lines Of Defense

11-Mar-2016 | Bruce McCuaig

The Three Lines of Defense concept was first introduced in 2006 as a proposal for better equipping audit committees. Here is a simple illustration of how it is supposed to work:

Finding The Risks Worth Having

3-Feb-2016 | Bruce McCuaig

The risk literature is full of promises that adopting risk management practices will prevent risk. There are, in fact, areas where risks are destructive and have little value-adding potential and shou

GRC Predictions For 2016

26-Jan-2016 | Bruce McCuaig

Over the last few weeks, in the spirit of the holidays, my colleagues here posted blogs on the Twelve Days of GRC Christmas and Resolutions for a Better GRC in 2016. I offered to complete the trilogy

Digitizing Governance Risk And Compliance

30-Nov-2015 | Bruce McCuaig

Most of our treasured concepts of control, and many of our accepted risk practices, will land in the digital boardroom with a thud and disappear — if they make it there at all. The truth is, much

Reporting On The Three Lines Of Defense: The Problem With Truisms

12-Nov-2015 | Bruce McCuaig

“The delay in boarding your flight is caused by the late arrival of the incoming flight.” We’ve all heard this announcement in our travels. There’s a name for a statement like this; it’s

Aligning The Three Lines Of Defense: The Enemy Is Us

7-Oct-2015 | Bruce McCuaig

In two of my recent blogs on the Three Lines of Defense (TLoD), I explained why I thought it would transform governance, risk management, and compliance (GRC) (Understanding the Three Lines of Defense