It’s the stated goal of SAP to eliminate 50% of manual activities in the next three years and to provide users with a hands-free UX.
As a GRC professional, I think it’s a fantastic idea, but accomplishing it requires some fundamental changes in the world of governance, risk, and compliance (GRC). Much of the information created by GRC professionals today is subjective, is not captured anywhere in digital form, or is widely dispersed and difficult to consolidate and integrate.
Don’t believe me? Just ask Amazon Alexa
Imagine a meeting of the Board Audit and Risk Committee today. Picture the chief audit executive (CAE), or the chief risk or compliance officer, sitting at the boardroom table as the board committee asks the following questions. In my case, I used Amazon Alexa as the chief GRC officer. But today, I think the conversation would go something like this:
Audit committee member: Is everything under control?
Alexa: “Sorry, I’m not sure about that.”
As every CAE knows, that is the wrong answer. There is only one acceptable answer, and that is, “Yes, of course.” A cautious CAE might add some “except for” qualifications. But the answer can’t be “I don’t know.”
Audit committee member: What are our top 10 control weaknesses?
Alexa: “Jury is still out on that one.”
As every GRC professional knows, even after answering “Yes” to question 1, it’s important to have a top 10 list of the control weaknesses that remain. They can be trivial, but you need to show you at least looked.
Audit committee member: What are our top 10 risks?
Alexa: “I will look into it.”
This is a favorite (if silly) question. But it must be answered. The risks on a top 10 list have probably already happened. A better question would be, “What are the 10 best risks?” But today the answer would be the same.
Audit committee member: What are the most important audits we need to perform?
Alexa: “I don’t know, but I will look into it for you.”
I’m standing by for the answer.
Let’s adjourn the meeting briefly and ask ourselves, What is going on? Will it ever be possible to reduce the manual effort of GRC professionals? Is a hands-free UX for reviewing GRC information remotely possible?
What’s the problem today?
Most GRC information is based on subjective opinions supported by manual processes and human judgment. Control effectiveness can be a vague and subjective thing. (Most of the financial institutions and many of the other enterprises that crashed in the last financial crisis reported “effective” controls over financial reporting shortly before crashing.)
Control weaknesses may be fact-based and result from audits or other sources. But coverage is never continuous and never 100% complete. At best, the list is a backward-looking guess based on what we think we know today.
Top 10 risks lists usually consist of purely defensive risks with guesses as to frequency and likelihood. A far better question would be, “What are the 10 best risks—those undertaken to achieve gain?” GRC professionals won’t add value until they begin to examine opportunity as well as losses.
As for the most important audits needed, history shows that the correlation of audit resources to top business risks is very weak. Often what’s considered most important to auditors is not important to the business.
What needs to change?
Very briefly, and highly oversimplified: We need to shift from a belief-based manual approach to GRC practices to a data-based approach that can be automated and support queries in real time. Most of GRC today is an attempt to guess wisely and well. Automating guesses won’t improve the quality of the guess. Let’s let the data tell us the state of GRC.
All the GRC data must be linked to end-result business objectives. This is almost never done today. Here is an example of the logic needed:
- Measure internal-control effectiveness in terms of business performance against an objective. Every deviation in performance data must be explained by one of three kinds of data: data on control deficiencies, data on unforeseen risks, or data on erroneous risk identification and assessment. Note that extremely effective controls, regardless of how they are measured, may have adverse impacts on business objectives as well. Measure that, too.
- Top issues are deficiencies in control performance, ranked by data showing their impact on critical business objectives or critical business processes.
- The top risks are those associated with the greatest opportunities. Opportunity can be measured.
The most important audits are those that focus on measuring the reliability of the answers to the questions above.
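To make that logic concrete, here is an added Python example (not SAP’s code and not part of the original post): it records each objective’s measured shortfall, attributes the shortfall to evidence of the three kinds named above, and derives answers to the board’s questions from that data rather than from opinion. The objective names, figures, evidence records and the three evidence-kind labels are all constructed for the example.

```python
"""Added illustration (not SAP code): answer the board's questions from data.

Every shortfall against a business objective must be explained by recorded
evidence of one of three kinds; whatever remains unexplained is itself the
first thing to audit. All names and figures below are constructed.
"""
from dataclasses import dataclass

DEFICIENCY = "control_deficiency"
UNFORESEEN = "unforeseen_risk"
ASSESSMENT = "risk_assessment_error"
EVIDENCE_KINDS = {DEFICIENCY, UNFORESEEN, ASSESSMENT}


@dataclass(frozen=True)
class Objective:
    name: str
    target: float  # required level, e.g. 0.98 = 98% on time
    actual: float  # level measured from operational data


@dataclass(frozen=True)
class Evidence:
    kind: str       # one of EVIDENCE_KINDS
    objective: str  # Objective.name whose shortfall this record explains
    impact: float   # portion of that shortfall attributed to this record
    detail: str


def shortfall(obj: Objective) -> float:
    """How far the measured result falls below the target (never negative)."""
    return round(max(0.0, obj.target - obj.actual), 6)


def explain(objectives, evidence):
    """Attribute each objective's shortfall to evidence; the remainder is unexplained."""
    report = {}
    for obj in objectives:
        gap = shortfall(obj)
        by_kind = {kind: 0.0 for kind in EVIDENCE_KINDS}
        for ev in evidence:
            if ev.objective != obj.name:
                continue
            if ev.kind not in EVIDENCE_KINDS:
                raise ValueError(f"unknown evidence kind {ev.kind!r}")
            by_kind[ev.kind] = round(by_kind[ev.kind] + ev.impact, 6)
        explained = round(sum(by_kind.values()), 6)
        report[obj.name] = {
            "shortfall": gap,
            "explained": min(explained, gap),
            "unexplained": round(max(0.0, gap - explained), 6),
            "by_kind": by_kind,
        }
    return report


def is_everything_under_control(report, tolerance=0.0):
    """Question 1. Returns (yes/no, the 'except for' list)."""
    exceptions = sorted(
        name for name, r in report.items()
        if r["shortfall"] > tolerance or r["unexplained"] > 0
    )
    return (not exceptions, exceptions)


def top_issues(evidence, n=10):
    """Question 2. Control deficiencies ranked by measured impact."""
    deficiencies = [ev for ev in evidence if ev.kind == DEFICIENCY]
    return sorted(deficiencies, key=lambda ev: ev.impact, reverse=True)[:n]


def audits_needed(report):
    """Question 4. Objectives whose deviation the GRC data cannot explain."""
    return sorted(name for name, r in report.items() if r["unexplained"] > 0)


# Constructed sample data for the example.
OBJECTIVES = [
    Objective("orders shipped on time", target=0.98, actual=0.93),
    Objective("critical patches applied within SLA", target=0.95, actual=0.96),
    Objective("privileged access reviews completed", target=1.00, actual=0.90),
]
EVIDENCE = [
    Evidence(DEFICIENCY, "orders shipped on time", 0.03,
             "change approvals bypassed in the warehouse system"),
    Evidence(UNFORESEEN, "orders shipped on time", 0.01,
             "carrier outage that was not on the risk register"),
    Evidence(DEFICIENCY, "privileged access reviews completed", 0.10,
             "reviewer role vacant for two months"),
]

if __name__ == "__main__":
    report = explain(OBJECTIVES, EVIDENCE)
    ok, exceptions = is_everything_under_control(report)
    print("Under control?", "Yes" if ok else f"Yes, except for: {exceptions}")
    for ev in top_issues(EVIDENCE):
        print(f"issue: {ev.objective} -{ev.impact:.0%} ({ev.detail})")
    print("audit first:", audits_needed(report))
```

Run as written, the sample data yields “Yes, except for” the two objectives that missed target, a ranked issue list led by the vacant reviewer role, and one objective (on-time shipping) whose shortfall the evidence only partly explains; that unexplained remainder is where an audit should start, because it is a gap in the GRC data itself, not just in the controls.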
The audit universe will be the digital boardroom. Take a look at our short video on SAP Digital Boardroom for GRC.
GRC must be digitized
Everything that is needed exists today. It’s all about integration, automation, continuous monitoring, prediction, and reporting.
I’d love to hear your thoughts on how GRC practices can change to support a reduction in manual activity and a hands-free UX. What technologies are needed? What are you doing today to make the shift?
Join us at IIA/ISACA GRC Conference in Nashville
Going to the IIA/ISACA GRC Conference in Nashville August 13-15? Look for me there in booth 317 along with my colleagues from our GRC team. Let’s continue the conversation.
Learn more about governance, risk, compliance, and security issues by reading our GRC Tuesday blogs.