It’s A Volatile, Complex World: Is Your GRC Robust Enough?

Michael Diehl

In today’s highly challenging business and risk environment – made even more daunting by constant political upheavals, roller-coaster economies, and ever-more-stringent regulatory requirements – how ready and sound is your organization’s governance, risk, and compliance (GRC) capability?

A recent SAP study, conducted among 1,010 GRC executives in organizations with revenues of over US$500 million (or equivalent) across a range of sectors, revealed varying levels of preparedness. Executives in only one in 10 companies are satisfied that the company has adequate GRC tools, technologies, and processes in place; and only one executive in 10 is confident that these will keep pace with future growth. This leaves the organizations vulnerable to GRC failures and, consequently, business disruption, loss of revenue, and reputational damage.

The need to move beyond “siloed” views of GRC

The same SAP study also revealed vastly differing approaches to GRC execution. Although the best practice is one single, unified technology platform for all GRC processes – with managers sharing a balanced GRC view and common metrics across all processes and projects – more than two-thirds of the organizations surveyed employ department- or issue-specific solutions. Moreover, the GRC tools they use are often neither purpose-built nor integrated with the organizations’ existing systems.

These fragmented views of GRC make it nearly impossible for top management to access a “single, coherent version of the truth” on which to base decisions. For any business, this lack of enterprise-wide visibility affects not just its ability to control and comply, but also its cost-effectiveness and competitive edge.

Helping GRC adapt to an ever-changing world

Today, more than ever, organizations need to improve consistency, identify risks earlier, reduce costs, and increase strategic value. To facilitate continuous control and monitoring as well as effective risk management, they need to overhaul their approach to GRC and ensure:

  • Better alignment of risk management objectives with business objectives
  • Clearer ownership of risk management processes and operating model
  • Improved ability to provide a comprehensive view of risk
  • More structured and frequent risk-related communications to key stakeholders and decision-makers within the organization
  • More effective use of technology across the organization to efficiently manage risk

Three lines of defense: The future of GRC

To help companies improve the sophistication and structure of their GRC execution, SAP recommends three lines of defense in managing risk:

The first involves control of business operations as well as risks in business activities. This line of defense entails evaluating and monitoring controls with streamlined assessment and testing, issue identification and remediation, integration with risk management, and integration with policy management.

The second is the risk management function, which further identifies, measures, monitors, and reports risk on an enterprise-wide basis, independently of the first line of defense. Incorporating control and compliance management, the risk management function offers organizations configurable risk models as a basis for classifying and aggregating risks, identification and configuration of key risk indicators (KRIs), continuous KRI monitoring, as well as alerts and dashboards to report risk status.

The third line of defense is the internal audit function, which provides independent assurance about the soundness of the overall governance framework. The internal audit function performs automation and continuous risk-based auditing for even better insight and greater confidence in the GRC execution, and also ensures that policies and processes are in place and consistently applied.

For good business, make GRC everybody’s business

One of the greatest challenges faced by GRC professionals is inadequate support from the rest of the business. Close to one-third of respondents in the SAP survey acknowledged a lack of board buy-in of GRC, and almost as many said that there was hardly any collaboration between GRC stakeholders and managers.

In today’s complex and uncertain times, GRC should become everybody’s business. The right GRC tools, processes, and technology are every organization’s robust defense against the unpredictable.

For more insight, please register for our upcoming webinar GRC in the Digital Board Room on December 15 at 10 a.m. EST, 4 p.m. CET.

You can also download our SAP GRC Strategy Selector mobile app, available at no charge in the iTunes store. It is designed to assess risks and suggest an appropriate risk management strategy.



About Michael Diehl

Michael Diehl is a senior director of Global Finance Audience Marketing at SAP, where he leads messaging and customer insights. With 16+ years of experience at SAP, he has a strong track record in technology innovations. His specialties include finance, machine learning, thought leadership, go-to-market strategy, digital marketing, messaging, and positioning.