Shifting GRC To The “Left of Launch”

Bruce McCuaig

I recently read a news story explaining the new U.S. antimissile approach, known as “left of launch.” The story explained that the idea now is to strike an enemy missile before liftoff or during the first seconds of flight. The old approach waited until much later – after swarms of warheads had been released, had traveled thousands of miles, and were racing toward targets at speeds of more than four miles per second.

We must accept that enemies cannot be prevented from launching missiles, and that even one successful strike can be so disastrous that merely detecting launches and responding after the fact is too little, too late.

So the first line of defense against enemy missiles has shifted to “left of launch” – anticipating, detecting and responding to the events and conditions that precede missile launches. The limits of reliance on effective launch detection and response have been reached.

Defining the limits of control effectiveness

The unspoken premise of internal control frameworks is that enough of the right kinds of “control” is the key to preventing risks from occurring or to detecting and responding to them quickly should they occur. More control is always better.

Auditors and business people look at the “design” and “operation” of controls and report “significant deficiencies” and “material weaknesses.” Effective controls are assumed to prevent or detect the “launch” of a risk.

Unlike missile-defense practices, internal-control thinking is almost completely aimed at the “right of launch.” Internal controls are considered a barrier to risk. The implicit assumption of “right of launch” thinking is that missile launches, or business risks, can be tolerated because those that can’t be prevented can be detected and thwarted before they have a significant impact.

Digitization and globalization mean that even if we reduce the frequency of risk events, their magnitude is so severe that they are intolerable. We have reached the limit of control effectiveness.

Are control deficiencies the best indicator of control effectiveness?

Looking left of control

What’s the answer? Two things are necessary.

First, it would be foolish to abandon the best controls now in place. But it’s essential to automate them and streamline them. There is huge opportunity to do so and the technology is available now.

Second, we need to begin developing “left of launch” analytical capabilities that can discern the events and conditions that precede risk events.

Last week, I watched part of the National Football League annual draft. Professional sports have developed powerful analytical tools and metrics to rank and predict the success of athletes based on their physical and personal attributes. I’m not suggesting we rate and rank employees in this way, nor am I suggesting that would even be useful to do so. But surely we can look at streams of transactions and external events to discern troubling patterns or anomalies. Certainly we can predict the impact of compensation schemes on behavior and the impact of regulations and policies on business performance.

GRC professionals have lagged in adopting such analytics. Virtually all recently published research suggests that internal audit must improve its skill sets in this area.

Moving “left of control” needs analytics, but that’s only the beginning. The control-effectiveness paradigm will take time to displace and replace. It permeates all aspects of GRC. New tools and conceptual frameworks are necessary.

I’m interested as always in your comments and reaction. Are you left of control? Do you want to shift there?

Learn more

Follow SAP Finance online: @SAPFinance (Twitter) | LinkedIn | Facebook | YouTube



About Bruce McCuaig

Bruce McCuaig is director - Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.

The “Ayurvedic” Approach To GDPR

Neil Patrick

At around 11 months before the General Data Protection Regulation (GDPR) or Regulation (EU) 2016/679 becomes effective, how are things looking in the marketplace?

GDPR is a topic I’ve been working on for some nine months as part of my role. This entails a lot of reading and research; talking to many, many customers and peers on the topic; learning what they are doing; and assisting customers with an approach to an end-to-end compliance capability. (Read our other GDPR articles.)

Beware of misleading comments

I’ve seen a number of misunderstandings and misrepresentations for GDPR that worry me. For example, I’ve seen it stated by others that GDPR requires data to be encrypted, or that data centres have to relocate from the United States to the European Union to be GDPR-compliant. Both are untrue, but contain just enough similar wording to GDPR to make it sound plausible. This reminds me of the story about someone suffering with up to 17 headaches a day and how that was resolved (but more on that a bit later).

Part of the problem is that vendors and agencies are bending the meaning of GDPR to suit their niche functional capabilities. I have also noticed a laziness when they don’t actually read the GDPR, but instead use someone else’s interpretation and/or summary points to develop a feature map and collateral. So, for example, software being positioned (and possibly purchased?) is a few levels of separation and interpretation away from the real GDPR requirement.

In addition to being wrong and confusing, this can also lead to a plethora of disconnected niche pieces of software cluttering up the enterprise, while not really addressing the needs of the actual regulation.

Give it a go—read the GDPR

The GDPR is not the most riveting read, true, but it’s actually quite well structured. And if one takes the perspective of its intent—to protect people’s personal data from accidental or institutionalized misuse or loss—it makes a whole lot of sense. You don’t have to be a lawyer to understand that intent.

I was at a seminar recently and a representative from the supervising authority for that member state reflected that their GDPR experts were being poached by industry. They also pointed out that GDPR was an operational exercise, not a legal one, so lawyers alone wouldn’t be enough to determine a corporate response.

Pressure to sell drives confusion

Software companies want to sell licenses, and they want to get into the market quickly, so they need to enable their sales teams to articulate why their GDPR story is better than their competitors’. There is pressure to sell and to simplify the message.

But GDPR in its full extent is not that simple, and it touches a very broad range of roles in an organization as well as different levels. Legal, finance, compliance, audit, IT, security, training, as well as the board of directors, all own a slice of the GDPR pie. Combinations of technical tools, plus ongoing sustainable process governance and cultural change, are required.

Because of the breadth of GDPR, the majority of vendors in this space can only offer niche solutions. This sometimes makes it difficult for them to add any real substantive contribution to GDPR compliance. But they still try to find some storyline to hook into.

Diagram courtesy of Neil Patrick

The diagram above is a way of interpreting and delivering a core set of GDPR requirements that can be operationalized via a single solution, as part of a centralized corporate response to GDPR. It has been crafted around the regulation itself as the source of truth. The solution can be integrated with other new tools and legacy systems to deliver a coordinated and centralized view on GDPR compliance.

I believe software vendors have a duty to go back to the regulation and read it, then determine how their software meets the requirements, and clean up their messaging. We’re less likely to get misleading statements, less likely to induce customer GDPR fatigue, and more likely to aggregate around approaches that benefit our customers.

GDPR requires a holistic approach to be effective, and to be a value-add

Now back to the person with the 17 headaches a day. Significant testing was done of the head, blood, hormones, enzymes, and so forth, focusing on solving the problem of headaches. After quite some time, a holistic doctor was engaged who approached the problem from a whole-body perspective, not just focusing on the head. The doctor discovered a misalignment of vertebra in the spine, plus a way of life that led to constrictions in the spine, resulting in the headaches. This is much like the Ayurvedic approach to medicine, which has the belief that health and wellness depend on a delicate balance between body, mind, and spirit.

GDPR needs to be addressed with the same contextualized, whole-body approach. Organizations shouldn’t be acquiring and implementing niche tools to tick off stated problems as presented by third parties, but should be taking a holistic approach to rolling out the business change that is required by GDPR. Yes, this includes software, but also a permanent cultural shift in how the organization thinks about and handles personal data.

Ayurvedic GDPR

So what is required? Good software focusing on technical GDPR requirements (which does include encryption, but also pseudonymization and other appropriate technical measures); governance of the GDPR compliance processes; and ensuring that the necessary cultural change is pushed out into the business. In other words: better corporate body, mind, and spirit.

If done well and thoroughly, these are the same activities that will deliver benefits like:

  • Reduced cost of compliance (not just GDPR) and likelihood of a fine
  • Reduced organizational and individual risk, linked to business planning and mission
  • Good data governance
  • Reduced cybersecurity risk and reputational risk
  • Smaller, better-organized IT toolset
  • Cleaner user privilege administration
  • Greater organizational agility

Learn more

  • Read our other blogs about GDPR.
  • Read our other GRC Tuesday series blogs.

This article, GRC Tuesdays: “Ayurvedic” GDPR, originally appeared on the SAP BusinessObjects Analytics blog and has been republished with permission.




About Neil Patrick

Dr. Neil Patrick is a Director of SAP Centre of Excellence for GRC & Security covering EMEA. He has over 12 years’ experience in Governance, Risk Management and Compliance (GRC) & Security fields. During this time he has been a managing consultant, run professional services delivery teams in the UK and USA, conducted customer business requirements sessions around the world, and sales and business development initiatives. Neil has presented core GRC and Security thought leadership sessions in strategic customer-facing engagements, conferences and briefing sessions.

The Financial Impact Of Risk: What Every CFO Needs To Know Before Becoming A Bad Headline

Alicia Rudolph

Part 1 in a two-part series

Warren Buffett famously observed, “It takes 20 years to build a reputation and 5 minutes to ruin it.”

This was a lesson learned the hard way during the 2017 Academy Awards when the Best Film Oscar was inadvertently presented to the wrong production team. While the error was quickly discovered, the ensuing press coverage was immensely embarrassing for all concerned.

“This was a classic example of a manual control failure,” says Kevin McCollom, global solution owner for SAP governance, risk, and compliance (GRC) solutions.

Along with the reputational hit, manual controls failures can hurt an organization’s ability to meet financial obligations, comply with laws and regulations, and maintain operational performance. Financial control problems are particularly worrisome for public companies since they can undermine the confidence of stockholders and potential investors.

Susan Stapleton, vice president of the customer advisory office at Greenlight Technologies, a provider of automated risk management solutions, says failures suggest a material weakness in financial reporting and invite scrutiny from external auditors.

“Deficiencies could cause you to be a headline in the news,” she says. “On top of that, company valuations often drop an average of 15 percent and as much as 20 percent overnight. Your audit fees can also increase as much as 65 percent.”

Letting the fox control risk

Most organizations rely on manual controls to mitigate risk. This approach is problematic since people sometimes fail to follow process steps or to apply the controls each time they are required.

“You have to execute those controls,” McCollom says. “Not doing so is the kind of negligence that will end up in the headlines of the Wall Street Journal.”

Organizations can help to mitigate risk and human misbehavior by adopting a culture of risk management. “It starts with tone at the top,” Toni M. Lastella, ERP solutions managing director at Protiviti, Inc., a global consulting firm, says. “Senior leadership must impart a control-conscious way of thinking.”

Organizations also need automated monitoring running in the background and serving up exceptions that can be easily reviewed by the organization’s CFO and other financial managers. Without automated monitoring, Stapleton says control often becomes the fox guarding the hen house.

“What we have found is that the folks who are responsible for control are also the ones committing fraud,” she says. “When you don’t have centralized oversight where everyone can see the activity, these folks can do a lot of damage to a company.”

Getting ahead of critical risk

Ramping up a risk monitoring and control strategy requires time and effort and an investment in specialized technology. To avoid losses, organizations need to assess their exposure proactively rather than waiting for issues to surface or be uncovered by external auditors.

“You don’t need to know the ‘how’ of fraud or lack of control,” Lastella says. “But you need to know where the exposures might be.”

To gain those insights, organizations must take the initiative and implement preventative and detective controls. They can accelerate this process by partnering with external auditors and internal control consultants who have experience with risk mitigation and control automation. Not taking these steps increases risk and delays the hard work of building a control-conscious workforce.

“If you fail an audit, it is all hands on deck,” Stapleton says. “Then you are paying for this issue through the next two or three audit cycles. If you are a company of any size, your material weakness is also going to make the headlines.”

Leveraging purpose-built technology

Automated controls and continuous monitoring are essential for mitigating risk and improving financial reporting, McCollom says. By gaining an in-depth understanding of these issues and investing in appropriate technologies, organizations can plan for risk mitigation when introducing new product programs or entering new markets.

“You can jump way out in front of that competitor because you have anticipated risk and you have mitigation plans in place,” he says. “You have built risk management into your budget and processes and have the controls and continuous monitoring to keep the business on track with that strategic objective.”

Organizations need automation and a calculated approach to controlling risk because they cannot monitor everything. Balancing these needs and objectives is necessary to ensure resilience in today’s volatile financial markets. An enterprise-wide risk assessment is usually a good starting point for this type of initiative.

Learn more

Interested in learning more? Watch the Facebook video or listen to the SAPRadio show: “Financial Impact of Risk: Don’t Become That Bad Headline.” And follow @SAPPartnerBuild on Twitter.




About Alicia Rudolph

Alicia Rudolph is presently part of the Strategic Ecosystem Marketing at SAP. She is passionate about leveraging Social Media as a way to drive business for partners and customers alike.

Taking Learning Back to School

Dan Wellers

  • Denmark spends the most GDP on labor market programs, at 3.3%.
  • The U.S. spends only 0.1% of its GDP on adult education and workforce retraining.
  • The number of post-secondary vocational and training institutions in China more than doubled from 2000 to 2014.
  • 47% of U.S. jobs are at risk for automation.

Our overarching approach to education is top down, inflexible, and front loaded in life, and does not encourage collaboration.

Smartphone apps that gamify learning or deliver lessons in small bits of free time can be effective tools for teaching. However, they don’t address the more pressing issue that the future is digital and those whose skills are outmoded will be left behind.

Many companies have a history of effective partnerships with local schools to expand their talent pool, but these efforts are not designed to change overall systems of learning.

The Question We Must Answer

What will we do when digitization, automation, and artificial intelligence eject vast numbers of people from their current jobs, and they lack the skills needed to find new ones?

Solutions could include:

  • National and multinational adult education programs
  • Greater investment in technical and vocational schools
  • Increased emphasis on apprenticeships
  • Tax incentives for initiatives proven to close skills gaps

We need a broad, systemic approach that breaks businesses, schools, governments, and other organizations that target adult learners out of their silos so they can work together. Chief learning officers (CLOs) can spearhead this approach by working together to create goals, benchmarks, and strategy.

Advancing the field of learning will help every business compete in an increasingly global economy with a tight market for skills. More than this, it will mitigate the workplace risks and challenges inherent in the digital economy, thus positively influencing the future of business itself.

Download the executive brief Taking Learning Back to School.

Read the full article The Future of Learning – Keeping up With The Digital Economy.



About Dan Wellers

Dan Wellers is the Global Lead of Digital Futures at SAP, which explores how organizations can anticipate the future impact of exponential technologies. Dan has extensive experience in technology marketing and business strategy, plus management, consulting, and sales.


Why Millennials Quit: Understanding A New Workforce

Shelly Kramer

Millennials are like mobile devices: they’re everywhere. You can’t visit a coffee shop without encountering both in large numbers. But after all, who doesn’t like a little caffeine with their connectivity? The point is that you should be paying attention to millennials now more than ever because they have surpassed Boomers and Gen-Xers as the largest generation.

Unfortunately for the workforce, they’re also the generation most likely to quit. Let’s examine a new report that sheds some light on exactly why that is—and what you can do to keep millennial employees working for you longer.

New workforce, new values

Deloitte found that two out of three millennials are expected to leave their current jobs by 2020. The survey also found that a staggering one in four would probably move on in the next year alone.

If you’re a business owner, consider putting four of your millennial employees in a room. Take a look around—one of them will be gone next year. Besides their skills and contributions, you’ve also lost time and resources spent by onboarding and training those employees—a very costly process. According to a new report from XYZ University, turnover costs U.S. companies a whopping $30.5 billion annually.

Let’s take a step back and look at this new workforce with new priorities and values.

Everything about millennials is different, from how to market to them as consumers to how you treat them as employees. The catalyst for this shift is the difference in what they value most. Millennials grew up with technology at their fingertips and are the most highly educated generation to date. Many have delayed marriage and/or parenthood in favor of pursuing their careers, which aren’t always about having a great paycheck (although that helps). Instead, it may be more that the core values of your business (like sustainability, for example) or its mission are the reasons that millennials stick around at the same job or look for opportunities elsewhere. Consider this: How invested are they in their work? Are they bored? What does their work/life balance look like? Do they have advancement opportunities?

Ping-pong tables and bringing your dog to work might be trendy, but they aren’t the solution to retaining a millennial workforce. So why exactly are they quitting? Let’s take a look at the data.

Millennials’ common reasons for quitting

In order to gain more insight into the problem of millennial turnover, XYZ University surveyed more than 500 respondents between the ages of 21 and 34 years old. There was a good mix of men and women, college grads versus high school grads, and entry-level employees versus managers. We’re all dying to know: Why did they quit? Here are the most popular reasons, some in their own words:

  • Millennials are risk-takers. XYZ University attributes this affection for risk taking with the fact that millennials essentially came of age during the recession. Surveyed millennials reported this experience made them wary of spending decades working at one company only to be potentially laid off.
  • They are focused on education. More than one-third of millennials hold college degrees. Those seeking advanced degrees can find themselves struggling to finish school while holding down a job, necessitating odd hours or more than one part-time gig. As a whole, this generation is entering the job market later, with higher degrees and higher debt.
  • They don’t want just any job—they want one that fits. In an age where both startups and seasoned companies are enjoying success, there is no shortage of job opportunities. As such, they’re often looking for one that suits their identity and their goals, not just the one that comes up first in an online search. Interestingly, job fit is often prioritized over job pay for millennials. Don’t forget, if they have to start their own company, they will—the average age for millennial entrepreneurs is 27.
  • They want skills that make them competitive. Many millennials enjoy the challenge that accompanies competition, so wearing many hats at a position is actually a good thing. One millennial journalist who used to work at Forbes reported that millennials want to learn by “being in the trenches, and doing it alongside the people who do it best.”
  • They want to do something that matters. Millennials have grown up with change, both good and bad, so they’re unafraid of making changes in their own lives to pursue careers that align with their desire to make a difference.
  • They prefer flexibility. Technology today means it’s possible to work from essentially anywhere that has an Internet connection, so many millennials expect at least some level of flexibility when it comes to their employer. Working remotely all of the time isn’t feasible for every situation, of course, but millennials expect companies to be flexible enough to allow them to occasionally dictate their own schedules. If they have no say in their workday, that’s a red flag.
  • They’ve got skills—and they want to use them. In the words of a 24-year-old designer, millennials “don’t need to print copies all day.” Many have paid (or are in the midst of paying) for their own education, and they’re ready and willing to put it to work. Most would prefer you leave the smaller tasks to the interns.
  • They got a better offer. Thirty-five percent of respondents to XYZ’s survey said they quit a previous job because they received a better opportunity. That makes sense, especially as recruiting is made simpler by technology. (Hello, LinkedIn.)
  • They seek mentors. Millennials are used to being supervised, as many were raised by what have been dubbed as “helicopter parents.” Receiving support from those in charge is the norm, not the anomaly, for this generation, and they expect that in the workplace, too.

Note that it’s not just XYZ University making this final point about the importance of mentoring. Consider Figures 1 and 2 from Deloitte, proving that millennials with worthwhile mentors report high satisfaction rates in other areas, such as personal development. As you can see, this can trickle down into employee satisfaction and ultimately result in higher retention numbers.

Figure 1. Millennials and Mentors. Source: Deloitte

Figure 2. Source: Deloitte

Failure to . . .

No, not communicate—I would say “engage.” On second thought, communication plays a role in that, too. (Who would have thought “Cool Hand Luke” would be applicable to this conversation?)

Data from a recent Gallup poll reiterates that millennials are “job-hoppers,” also pointing out that most of them—71 percent, to be exact—are either not engaged in or are actively disengaged from the workplace. That’s a striking number, but businesses aren’t without hope. That same Gallup poll found that millennials who reported they are engaged at work were 26 percent less likely than their disengaged counterparts to consider switching jobs, even with a raise of up to 20 percent. That’s huge. Furthermore, if the market improves in the next year, those engaged millennial employees are 64 percent less likely to job-hop than those who report feeling actively disengaged.

What’s next?

I’ve covered a lot in this discussion, but here’s what I hope you will take away: Millennials comprise a majority of the workforce, but they’re changing how you should look at hiring, recruiting, and retention as a whole. What matters to millennials matters to your other generations of employees, too. Mentoring, compensation, flexibility, and engagement have always been important, but thanks to the vocal millennial generation, we’re just now learning exactly how much.

What has been your experience with millennials and turnover? Are you a millennial who has recently left a job or are currently looking for a new position? If so, what are you missing from your current employer, and what are you looking for in a prospective one? Alternatively, if you’re reading this from a company perspective, how do you think your organization stacks up in the hearts and minds of your millennial employees? Do you have plans to do anything differently? I’d love to hear your thoughts.

For more insight on millennials and the workforce, see Multigenerational Workforce? Collaboration Tech Is The Key To Success.