Intelligent GRC For The Intelligent Enterprise

Bruce McCuaig

We’ve all heard about digital transformation and the intelligent enterprise. But what exactly is the intelligent enterprise and what, if any, impact will it have on governance, risk, and compliance (GRC)? I will suggest that the impact could be profound.

What is an intelligent enterprise?

An intelligent enterprise is one that leverages data-driven insight to drive automated decisions and actions.

What does this mean exactly?

Every day, millions of data points are being generated from smart devices, day-to-day transactions, blockchain records, customer sentiment, and user feedback.

Now imagine using machine learning and artificial intelligence to detect unseen patterns in this data to predict whether these patterns lead to specific behaviors or functional outcomes, and to carry out the best course of action when these patterns occur.

What does this have to do with GRC?

My colleagues and I are genuinely trying to foresee the future of GRC in the context of the intelligent enterprise. It’s tough to predict the future in the face of such rapidly changing technology.

So instead of trying to predict the future, let’s apply the attributes and capabilities of the intelligent enterprise to the past.

The single largest force driving GRC for the last decade has been Sarbanes-Oxley (SOX) and similar requirements to report on internal control effectiveness.

Internal control over financial reporting is deemed effective if there are no material weaknesses; significant deficiencies must be reported to the audit committee but do not by themselves make it ineffective. So "controls" are in place to prevent the events or conditions that would cause those deficiencies. Auditors document, test, and report on those controls.

What does this have to do with the intelligent enterprise?

Let’s look at a recent but typical “material weakness” reported as mandated under SOX legislation.

“The weakness relates to general information technology controls in the areas of user access and program change-management over certain information technology systems that support the company’s financial reporting processes. The access issues relate to the extent of privileges afforded users authorized to access company systems.”

In other words, the company’s auditors documented and examined the controls in place, assessed their effectiveness, detected patterns or gaps, and predicted possible unfavorable outcomes.

Isn’t it possible for intelligent technology to discern where user access and program change-management is inappropriate? Isn’t it possible for predictive technology to extrapolate the impact? Can’t machine learning suggest corrective actions? Or is this something only auditors can do?

Finding a material weakness sounds to me like a use case for intelligent GRC – except that “effective” intelligent GRC would suggest, and possibly implement, a corrective course of action long before the deficiency became material.
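To make the use case concrete, here is an added example of the kind of automated check that could run continuously over access and change records instead of waiting for the annual audit. It is illustrative code written for this page, not SAP product code: the role names, the segregation-of-duties pairs, the privileged-user threshold, and all of the records are constructed assumptions, and a real implementation would read them from the identity and change-management systems.

```python
"""Continuous monitoring of two IT general controls: user access and program
change management. Added example for this page, not SAP code. Every record,
role name and threshold below is a constructed assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessGrant:
    user: str
    system: str
    role: str  # assumed role vocabulary: admin, deployer, developer, ap_clerk


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    system: str
    developer: str
    deployer: str
    approver: str  # "" when the change went live with no recorded approval


# Assumed policy. Which roles count as privileged, which role pairs one
# identity must never hold at once, and how many privileged identities an
# in-scope financial system may have (a hypothetical quota).
PRIVILEGED_ROLES = {"admin", "deployer"}
SOD_CONFLICTS = {("developer", "deployer"), ("ap_clerk", "admin")}
MAX_PRIVILEGED_USERS = 2

REMEDIATION = {
    "SOD": "remove one of the conflicting roles and re-run the check",
    "PRIV": "recertify privileged users and revoke those without a business need",
    "CHG": "review the change retroactively and enforce the approval gate in the pipeline",
}


def check_access(grants):
    """Flag segregation-of-duties conflicts and excessive privileged access."""
    findings = []
    roles_by_identity = {}
    for g in grants:
        roles_by_identity.setdefault((g.user, g.system), set()).add(g.role)

    # One identity holding two conflicting roles on the same system.
    for (user, system), roles in roles_by_identity.items():
        for a, b in SOD_CONFLICTS:
            if a in roles and b in roles:
                findings.append(f"SOD {system} {user} holds {a}+{b}")

    # "Extent of privileges": too many privileged identities on one system.
    privileged = {}
    for (user, system), roles in roles_by_identity.items():
        if roles & PRIVILEGED_ROLES:
            privileged.setdefault(system, set()).add(user)
    for system, users in privileged.items():
        if len(users) > MAX_PRIVILEGED_USERS:
            findings.append(
                f"PRIV {system} {len(users)} privileged users: {sorted(users)}"
            )
    return sorted(findings)


def check_changes(changes):
    """Flag production changes that bypassed independent approval or deployment."""
    findings = []
    for c in changes:
        if not c.approver:
            findings.append(f"CHG {c.change_id} deployed without approval")
        if c.deployer == c.developer:
            findings.append(f"CHG {c.change_id} developer deployed own change")
        if c.approver and c.approver == c.developer:
            findings.append(f"CHG {c.change_id} developer approved own change")
    return sorted(findings)


def monitor(grants, changes):
    """Return each finding paired with the suggested corrective action."""
    return [(f, REMEDIATION[f.split()[0]]) for f in check_access(grants) + check_changes(changes)]


# Constructed sample records for a general-ledger (GL) and payables (AP) system.
SAMPLE_GRANTS = [
    AccessGrant("alice", "GL", "admin"),
    AccessGrant("bob", "GL", "developer"),
    AccessGrant("bob", "GL", "deployer"),   # developer who can also deploy
    AccessGrant("carol", "GL", "ap_clerk"),
    AccessGrant("dave", "GL", "admin"),     # third privileged identity on GL
    AccessGrant("erin", "AP", "admin"),
]
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1", "GL", "bob", "bob", "carol"),     # self-deployed
    ChangeRecord("CHG-2", "GL", "bob", "dave", ""),         # no approval
    ChangeRecord("CHG-3", "GL", "frank", "dave", "frank"),  # self-approved
    ChangeRecord("CHG-4", "GL", "frank", "dave", "alice"),  # clean
]

if __name__ == "__main__":
    for finding, action in monitor(SAMPLE_GRANTS, SAMPLE_CHANGES):
        print(f"{finding}\n    -> {action}")
```

Run as a script, it prints each finding with its suggested action. The checks are deliberately deterministic rules rather than machine learning; the point is that the evidence an auditor would gather by sampling once a year can be evaluated on every grant and every change as it happens, and a trend in the finding count over time is the signal that a deficiency is heading toward material before it gets there.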

So what?

The obvious advantage is cost savings and perhaps timeliness. Expensive, unreliable, time-consuming manual tasks can be replaced with intelligent tools.

But let’s go further. If organizations can detect and prevent deficiencies in internal control using intelligent tools, why do auditors report on, and management certify, “internal control effectiveness”?

If deficient access controls can lead to a material weakness, shouldn’t the failure to use intelligent technology to monitor access be even more serious?

Shouldn’t auditors be reporting and certifying on the effectiveness of “intelligent GRC”? It’s not the controls that matter anymore. It’s the ability to intelligently detect or predict deficiencies that’s important.

The first line of defense is now the ability of intelligent GRC technology to detect absent or faulty controls.

Raising the bar for GRC

Intelligent GRC uses the tools of the intelligent enterprise to gain data-driven insight on the status of risks and to drive automated remediation and actions.

Think of it this way. In today's automobiles, it's not necessary to periodically open the hood and manually check the oil level. A sensor detects a low oil level and alerts you. The "control" is now the sensor, not the manual inspection, which many cars today do not even allow. Attention therefore belongs on the design, integration, reliability, and effectiveness of the various sensors in the vehicle.

How will this impact SOX reporting, for example? What if an enterprise fails to implement the intelligent technologies necessary to ensure reliable financial reporting? Shouldn’t that failure to adopt intelligent tools be deemed a significant deficiency or material weakness?

To go back to the automobile analogy, it's not enough to manually check the oil. It's necessary to determine that the automobile has the intelligent sensors to ensure its safe and reliable operation. Controls matter. Intelligence matters more.

In the intelligent enterprise, GRC professionals must focus on the effective use of intelligent technology to manage risk. Intelligent technology can monitor patterns, predict outcomes, assess risks based on issues and incidents, suggest or implement corrective actions, raise alerts, and so on.

Today's audit, risk, and compliance standards do not yet recognize intelligent technology as a control in its own right.

This has many implications. Here are just three.

  • GRC standards must be rethought and rewritten. Intelligence is the control.
  • GRC professionals must finally understand, adopt, and use intelligent technologies to serve their customers.
  • Intelligent GRC practices must align with business performance.

For more on this topic, please read Advice For The CFO: Get Out Of Control.

About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.