
Three Lines Of Defense And Integrated Reporting—Getting Internal Auditors Out Of Control And Into The Business

Bruce McCuaig

The role of internal auditors is to provide assurance, right? What does “assurance” look like?

It looks like this: “In our opinion, internal control (substitute risk management, compliance, IT security) is effective…” Or words to that effect.

If there are exceptions, there will be audit findings. If the audit findings are significant, the assurance may be negative and the opinion will reflect ineffective controls (and so on).

Question: What’s the opposite of assurance? Read on.

Assurance means you think you know

Let me give you a contrary view on assurance.

I believe that assurance enables and perpetuates ignorance, blocking real knowledge about the things that executives should know about governance, risk, and compliance (GRC). It provides no guidance for managers to run the business or for stakeholders to assess the business.

Check out how many of the banks and other businesses that failed in the financial crisis were given positive opinions on internal control over financial reporting.

Years ago, I was appointed chief internal auditor. My CEO told me to be his eyes and ears. Managing a far-flung complex enterprise before the technology innovations of today, some ignorance was excusable. Relying on more eyes and ears was understandable and to some extent essential.

But that is not the case today. Virtually all the data necessary to manage governance, risk and compliance strategically exists somewhere in the business in machine-readable form.

All the tools, capabilities, and frameworks to create, sustain and report knowledge are here today.

Assurance and exception reporting is simply not acceptable. Assurance reporting lowers a curtain on knowledge.

I believe internal auditors are now able to lead in the creation and reporting of real knowledge and they should be measured on their progress in doing so. It’s a massive shift, but the path has been charted.

It’s time for internal auditors to get out of control and into the business.

A leap forward for GRC: Integrated thinking from Exxaro

I have always believed that GRC is a manageable dimension of the business and the real challenge for GRC professionals is to provide business leaders with a lens to look through and levers to pull.

We need a framework for reporting the results of GRC and for illustrating the link between GRC and performance.

While integrated reporting may be relatively unknown in the U.S., it’s a growing global phenomenon. In my view, it provides this “lens to look through,” a framework for organizing GRC information and linking to business performance. If you don’t like the capital model as the organizing principle for reporting, use your business strategy as a framework.

To me, the three lines of defense is the engine of integrated reporting. It provides the levers to pull for management to run the business. In the three lines of defense model:

  • knowledge is created by the business,
  • aggregated by GRC experts, and
  • attested to by internal audit.

One of our customers, Exxaro Resources, has integrated the three lines of defense with integrated reporting. Exxaro is based in South Africa, where integrated reporting is mandatory.

What does knowledge look like in GRC?

The graphic below is from page 19 of the 2015 Exxaro Integrated Report.

This report is a top-level dashboard from which the business can drill down, looking at individual business processes and relevant information about risks and how they are managed.

Saret Van Loggerenberg, Exxaro’s brilliant manager of risk and compliance, summarizes their story in this short video.

Insight vs. assurance

Exxaro has identified, documented, and assessed their risks and controls, measured the net impact of the risks against the 5 capital model used by integrated reporting, linked the results to their stakeholders, and identified and reported the risk appetite levels and related key performance indicators.

This is what knowledge looks like, and it is the extreme opposite of “assurance.”

Knowledge, not an unsupported opinion, is the ultimate assurance.

Armed with this knowledge and the related key performance indicators, Exxaro management runs their business. The knowledge is created by the three lines of defense.

They don’t need assurance. They have knowledge instead. This report does for GRC what financial statements do for financial management.

Here are some questions to consider:

  1. Does this report provide the necessary information on the effectiveness of risk and control management?
  2. Does this report provide the business and stakeholders with information about how well the business is managed?
  3. Can internal auditors get out of control and into the business?


About Bruce McCuaig

Bruce McCuaig is director - Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.

Data Analysts And Scientists More Important Than Ever For The Enterprise

Daniel Newman

The business world is now firmly in the age of data. Not that data wasn’t relevant before; it was just nowhere close to the speed and volume that’s available to us today. Businesses are buckling under the deluge of petabytes, exabytes, and zettabytes. Within these bytes lie valuable information on customer behavior, key business insights, and revenue generation. However, all that data is practically useless for businesses without the ability to identify the right data. Plus, if they don’t have the talent and resources to capture the right data, organize it, dissect it, draw actionable insights from it and, finally, deliver those insights in a meaningful way, their data initiatives will fail.

Rise of the CDO

Companies of all sizes can easily find themselves drowning in data generated from websites, landing pages, social streams, emails, text messages, and many other sources. Additionally, there is data in their own repositories. With so much data at their disposal, companies are under mounting pressure to utilize it to generate insights. These insights are critical because they can (and should) drive the overall business strategy and help companies make better business decisions. To leverage the power of data analytics, businesses need more “top-management muscle” specialized in the field of data science. This specialized field has led to the creation of roles like Chief Data Officer (CDO).

In addition, with more companies undertaking digital transformations, there’s greater impetus for the C-suite to make data-driven decisions. The CDO helps make data-driven decisions and also develops a digital business strategy around those decisions. As data grows at an unstoppable rate, becoming an inseparable part of key business functions, we will see the CDO act as a bridge between other C-suite execs.

Data skills an emerging business necessity

So far, only large enterprises with bigger data mining and management needs maintain in-house solutions. These in-house teams and technologies handle the growing sets of diverse and dispersed data. Others work with third-party service providers to develop and execute their big data strategies.

As the amount of data grows, the need to mine it for insights becomes a key business requirement. For both large and small businesses, data-centric roles will experience endless upward mobility. These roles include data analysts and scientists. There is going to be a huge opportunity for critical thinkers to turn their analytical skills into rapidly growing roles in the field of data science. In fact, data skills are now a prized qualification for titles like IT project managers and computer systems analysts.

Forbes cited the McKinsey Global Institute’s prediction that by 2018 there could be a massive shortage of data-skilled professionals. This indicates a disruption at the demand-supply level, with the need for data skills at an all-time high. With an increasing number of companies adopting big data strategies, salaries for data jobs are going through the roof. This is turning the position into a highly coveted one.

According to Harvard Professor Gary King, “There is a big data revolution. The big data revolution is that now we can do something with the data.” The big problem is that most enterprises don’t know what to do with data. Data professionals are helping businesses figure that out. So if you’re casting about for where to apply your skills and want to take advantage of one of the best career paths in the job market today, focus on data science.

I’m compensated by University of Phoenix for this blog. As always, all thoughts and opinions are my own.


The post Data Analysts and Scientists More Important Than Ever For the Enterprise appeared first on Millennial CEO.


About Daniel Newman

Daniel Newman serves as the Co-Founder and CEO of EC3, a quickly growing hosted IT and Communication service provider. Prior to this role, Daniel held several prominent leadership roles, including serving as CEO of United Visual, parent company to United Visual Systems, United Visual Productions, and United GlobalComm, a family of companies focused on Visual Communications and Audio Visual Technologies. Daniel is also widely published and active in the Social Media Community. He is the Author of Amazon Best Selling Business Book "The Millennial CEO." Daniel also Co-Founded the Global online Community 12 Most and was recognized by the Huffington Post as one of the 100 Business and Leadership Accounts to Follow on Twitter. Newman is an Adjunct Professor of Management at North Central College. He attained his undergraduate degree in Marketing at Northern Illinois University and an Executive MBA from North Central College in Naperville, IL. Newman currently resides in Aurora, Illinois with his wife (Lisa) and his two daughters (Hailey 9, Avery 5). A Chicago native all of his life, Newman is an avid golfer, a fitness fan, and a classically trained pianist.

When Good Is Good Enough: Guiding Business Users On BI Practices

Ina Felsheim

In Part One of this blog series, I talked about changing your IT culture to better support self-service BI and data discovery. Absolutely essential. However, your work is not done!

Self-service BI and data discovery will drive the number of users using the BI solutions to rapidly expand. Yet all of these more casual users will not be well versed in BI and visualization best practices.

When your user base rapidly expands to more casual users, you need to help educate them on what is important. For example, one IT manager told me that his casual BI users were making visualizations with very difficult-to-read charts and customizing color palettes to incredible degrees.

I had a similar experience when I was a technical writer. One of our lead writers was so concerned with readability of every sentence that he was going through the 300+ page manuals (yes, they were printed then) and manually adjusting all of the line breaks and page breaks. (!) Yes, readability was incrementally improved. But now any number of changes (technical capabilities, edits, inserting larger graphics) required re-adjusting all of those manual “optimizations.” The time it took just to do the additional optimization was incredible, much less the maintenance of these optimizations! Meanwhile, the technical writing team was falling behind on new deliverables.

The same scenario applies to your new casual BI users. This new group needs guidance to help them focus on the highest value practices:

  • Customization of color and appearance of visualizations: When is this customization necessary for a management deliverable, versus indulging an OCD tendency? I too have to stop myself from obsessing about the font, line spacing, and that a certain blue is just a bit different than another shade of blue. Yes, these options do matter. But help these casual users determine when that time is well spent.
  • Proper visualizations: When is a spinning 3D pie chart necessary to grab someone’s attention? BI professionals would firmly say “NEVER!” But these casual users do not have a lot of depth on BI best practices. Give them a few simple guidelines as to when “flash” needs to subsume understanding. Consider offering a monthly one-hour Lunch and Learn that shows them how to create impactful, polished visuals. Understanding if their visualizations are going to be viewed casually on the way to a meeting, or dissected at a laptop, also helps determine how much time to spend optimizing a visualization. No, you can’t just mandate that they all read Tufte.
  • Predictive: Provide advanced analytics capabilities like forecasting and regression directly in their casual BI tools. Using these capabilities will really help them wow their audience with substance instead of flash.
  • Feature requests: Make sure you understand the motivation and business value behind some of the casual users’ requests. These casual users are less likely to understand the implications of supporting specific requests across an enterprise, so make sure you are collaborating on use cases and priorities for substantive requests.

By working with your casual BI users on the above points, you will be able to collectively understand when the absolute exact request is critical (and supports good visualization practices), and when it is an “optimization” that may impact productivity. In many cases, “good” is good enough for the fast turnaround of data discovery.

Next week, I’ll wrap this series up with hints on getting your casual users to embrace the “we” not “me” mentality.

Read Part One of this series: Changing The IT Culture For Self-Service BI Success.


The Future of Cybersecurity: Trust as Competitive Advantage

Justin Somaini and Dan Wellers

 

The cost of data breaches will reach US$2.1 trillion globally by 2019—nearly four times the cost in 2015.

Cyberattacks could cost up to $90 trillion in net global economic benefits by 2030 if cybersecurity doesn’t keep pace with growing threat levels.

Cyber insurance premiums could increase tenfold to $20 billion annually by 2025.

Cyberattacks are one of the top 10 global risks of highest concern for the next decade.


Companies are collaborating with a wider network of partners, embracing distributed systems, and meeting new demands for 24/7 operations.

But the bad guys are sharing intelligence, harnessing emerging technologies, and working round the clock as well—and companies are giving them plenty of weaknesses to exploit.

  • 33% of companies today are prepared to prevent a worst-case attack.
  • 25% treat cyber risk as a significant corporate risk.
  • 80% fail to assess their customers and suppliers for cyber risk.

The ROI of Zero Trust

Perimeter security will not be enough. As interconnectivity increases, so will the adoption of zero-trust networks, which place controls around data assets and increase visibility into how they are used across the digital ecosystem.


A Layered Approach

Companies that embrace trust as a competitive advantage will build robust security on three core tenets:

  • Prevention: Evolving defensive strategies from security policies and educational approaches to access controls
  • Detection: Deploying effective systems for the timely detection and notification of intrusions
  • Reaction: Implementing incident response plans similar to those for other disaster recovery scenarios

They’ll build security into their digital ecosystems at three levels:

  1. Secure products. Security in all applications to protect data and transactions
  2. Secure operations. Hardened systems, patch management, security monitoring, end-to-end incident handling, and a comprehensive cloud-operations security framework
  3. Secure companies. A security-aware workforce, end-to-end physical security, and a thorough business continuity framework

Against Digital Armageddon

Experts warn that the worst-case scenario is a state of perpetual cybercrime and cyber warfare, vulnerable critical infrastructure, and trillions of dollars in losses. A collaborative approach will be critical to combatting this persistent global threat with implications not just for corporate and personal data but also strategy, supply chains, products, and physical operations.


Download the executive brief The Future of Cybersecurity: Trust as Competitive Advantage.



To Get Past Blockchain Hype, We Must Think Differently

Susan Galer

Blockchain hype is reaching fever pitch, making it the perfect time to separate market noise from valid signals. As part of my ongoing conversations about blockchain, I reached out to several experts to find out where companies should consider going from here. Raimund Gross, Solution Architect and Futurist at SAP, acknowledged the challenges of understanding and applying such a complex leading-edge technology as blockchain.

“The people who really get it today are those able to put the hype in perspective with what’s realistically doable in the near future, and what’s unlikely to become a reality any time soon, if ever,” Gross said. “You need to commit the resources and find the right partners to lay the groundwork for success.”

Gross told me one of the biggest problems with blockchain – besides the unproven technology itself – was the mindset shift it demands. “Many people aren’t thinking about decentralized architectures with peer-to-peer networks and mash-ups, which is what blockchain is all about. People struggle because often discussions end up with a centralized approach based on past constructs. It will take training and experience to think decentrally.”

Here are several more perspectives on blockchain beyond the screaming headlines.

How blockchain disrupts insurance, banking

Blockchain has the potential to dramatically disrupt industries because the distributed ledger embeds automatic trust across processes. This changes the role of longstanding intermediaries like insurance companies and banks, essentially restructuring business models for entire industries.

“With the distributed ledger, all of the trusted intelligence related to insuring the risk resides in the cloud, providing everyone with access to the same information,” said Nadine Hoffmann, global solution manager for Innovation at SAP Financial Services. “Payment is automatically triggered when the agreed-upon risk scenario occurs. There are limitations given regulations, but blockchain can open up new services opportunities for established insurers, fintech startups, and even consumer-to-consumer offerings.”

Banks face a similar digitalized transformation. Banking has long been built on layers of steps to mitigate risk; blockchain offers the industry a network of built-in trust to improve efficiencies along with the customer experience in areas such as cross-border payments, trade settlements for assets, and other contractual and payment processes. What used to take days or even months could be completed in hours.

Finance departments evolve

Another group keenly watching blockchain developments are CFOs. Just as Uber and Airbnb have disrupted transportation and hospitality, blockchain has the potential to change not only the finance department (everything from audits and customs documentation to letters of credit and trade finance) but also the entire company.

“The distributed ledger’s capabilities can automate processes in shared service centers, allowing accountants and other employees in finance to speed up record keeping including proof of payment supporting investigations,” said Georg Koester, senior developer, LoB Finance at the Innovation Center Potsdam. “This lowers costs for the company and improves the customer experience.”

Koester said that embedding blockchain capabilities in software company-wide will also have a tremendous impact on product development, lean supply chain management, and other critical areas of the company.

While financial services dominate blockchain conversations right now, Gross named utilities, healthcare, public sector, real estate, and pretty much any industry as prime candidates for blockchain disruption. “Blockchain is specific to certain business scenarios in any industry,” said Gross. “Every organization can benefit from trust and transparency that mitigates risk and optimizes processes.”
