Bruce McCuaig


About Bruce McCuaig

Bruce McCuaig is director - Product Marketing at SAP GRC solutions. He is responsible for the development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.

GRC, governance, risk, risk management

Where Have All The Good Risks Gone?

5-Jul-2017 | Bruce McCuaig

Another week, another “Top 10” risk list. All the “Top 10” risks are disasters waiting to happen. They attract nods and sighs from the risk managers and risk pundits of the world. What would h

Shifting GRC To The “Left of Launch”

4-May-2017 | Bruce McCuaig

I recently read a news story explaining the new U.S. antimissile approach, known as “left of launch.” The story explained that the idea now is to strike an enemy missile before liftoff or during

Three Lines Of Defense And Integrated Reporting—Getting Internal Auditors Out Of Control And Into The Business

16-Feb-2017 | Bruce McCuaig

The role of internal auditors is to provide assurance, right? What does “assurance” look like? It looks like this: “In our opinion, internal control (substitute risk management, compliance, IT

audit, GRC, assurance, accounting, auditing, governance

Is Assurance Obsolete?

27-Jan-2017 | Bruce McCuaig

The literature today contains strong hints that the internal auditing profession is in trouble. One of the best sources of information is the annual State of the Internal Audit Profession survey produ

risk, GRC, governance

The Problem With Risk Appetite

9-Nov-2016 | Bruce McCuaig

It’s probably heresy for a risk management professional, but I simply do not accept the practicality of the concept of “risk appetite.” Sure, it’s conceptually appealing, but in most cases it

Governance, Risk, And (Maybe) Compliance

1-Sep-2016 | Bruce McCuaig

Regulatory compliance is an enigma to me. What does it have to do with governance and risk? I’m asking this as both a marketing guy and a long-time GRC professional. I find myself writing messaging

Measuring Performance Of The Three Lines Of Defense

11-Mar-2016 | Bruce McCuaig

The Three Lines of Defense concept was first introduced in 2006 as a proposal for better equipping audit committees. Here is a simple illustration of how it is supposed to work:

Finding The Risks Worth Having

3-Feb-2016 | Bruce McCuaig

The risk literature is full of promises that adopting risk management practices will prevent risk. There are, in fact, areas where risks are destructive and have little value-adding potential and shou

GRC Predictions For 2016

26-Jan-2016 | Bruce McCuaig

Over the last few weeks, in the spirit of the holidays, my colleagues here posted blogs on the Twelve Days of GRC Christmas and Resolutions for a Better GRC in 2016. I offered to complete the trilogy

Digitizing Governance Risk And Compliance

30-Nov-2015 | Bruce McCuaig

Most of our treasured concepts of control, and many of our accepted risk practices, will land in the digital boardroom with a thud and disappear — if they make it there at all. The truth is, much