I may be stretching the Latin adage “Si vis pacem, para bellum” a bit here, but I do believe the lesson that “peace lies in preparation” applies to governance, risk, and compliance (GRC). In many of our blogs, my colleagues and I have been addressing various internal control, audit, and risk management topics. But one of the major components of governance, risk, and compliance is often simply taken for granted: the “governance” pillar itself. And to me, automated monitoring is an integral aspect of ensuring that the governance works adequately – and as intended.
Peace from the top
In my view, the most important role of a chief compliance officer (CCO), chief risk officer (CRO), or chief audit executive is simply to safeguard the organization. The CCO must ensure that the company acts with integrity and within a regulatory context. The CRO must ensure that there is a risk management process in place that will adequately take care of identifying the risks and opportunities, their assessment and mitigation, and so on. All get their mandate from top management. As a result, this top management layer will be eager to know whether everything is working as intended or not.
And what is worse than having to tell your manager who’s asking for an update on risk or compliance topics to wait for a few weeks until all the information is consolidated?
By automating the reporting, our GRC colleagues can buy some peace from management (relatively speaking, that is), because they can provide this information rapidly whenever it's required.
Peace from the operations
On thinking about what could be worse than the inability to provide management with a timely update, I was actually able to think of something: not being able to provide any update at all because the stakeholder assigned to the task hasn’t done it. This often occurs because the stakeholder sees no value in it, perceiving it as a pointless tick-the-box exercise. Or in some cases, where the procedure is extremely repetitive, for instance, operators might have the perception that their professionalism is being questioned when they have to fill in a survey regularly on whether or not they’ve followed the procedure.
When this information is collected automatically, everyone involved gains a little. Not only that, but:
- The operator won’t be burdened by a task that is far from adding value to his or her work.
- The information might actually be more accurate, as the system won’t try to “rush” to get it done as quickly as possible (contrary to some operators). It will just get done without any qualms.
Where to start and how to go about it?
I recommend starting with operations and identifying the processes that can easily be automatically controlled. This would be a quick win for both the operator and the GRC stakeholder, and make the case to management so that more resources can then be invested in more automated monitoring.
Attend the upcoming conference
But don’t just take my word for it. Should you want to hear what other companies are doing in this regard, I strongly recommend attending the International SAP Conference on Internal Controls, Compliance and Risk Management (15-16 March 2018 in Amsterdam, The Netherlands). This conference will include:
- Deep-dive workshops
- SAP executive keynotes
- A whole host of reference stories including BP, DHL Express, Innogy SE, Nationale Nederlanden, Stora Enso, United Utilities, Vodafone, and more
All of these great offerings will help ensure that you leave fully informed about how you can reimagine your business processes to deliver enhanced operations and performance.
If you are interested in learning more, you can download the brochure for the event.
I hope to meet you at this conference, and in the meantime, don’t hesitate to share your thoughts and feedback on how GRC stakeholders can become Zen masters, either on this blog or on Twitter @TFrenehard.