Lose The Myths: Step Toward A GRC Digital Transformation (Part 1)

Daniel Morfin

Part 1 in a 2-part series

In the exciting years that I’ve focused on topics related to enterprise risk and compliance, I’ve noticed some common factors that make it impossible for companies to step toward digital transformation on governance, risk, controls, and compliance (GRC).

Those factors are based on a series of doubts, misunderstandings, judgments, or obstacles—and all can be defined as myths.

I’ve identified a list of these myths. If you’re holding on to some of these, just get rid of them. Make a move and support a powerful enterprise risk and compliance strategy.

1. All GRC solutions are the same.

Be careful with this one. Not all solutions that claim to manage GRC truly do that. Keep in mind the purpose of GRC: To meet business objectives, safeguard the company, and provide business continuity.

With these objectives in sight, focus on at least the first three areas (including the fourth is also a great idea):

  • Continuous controls monitoring
  • Loss and fraud prevention
  • Enterprise risk and audit management
  • Cybersecurity

Now you have a better idea of what GRC should do.

2. We can have a GRC solution without technology.

Really? In the digital era, with the intelligent enterprise era now in front of us, how can we survive without technology?

I can’t imagine a driver using an atlas to navigate from one site to the other, listening to music on a Discman, or a director making decisions without an automated report. And I can’t imagine a risk, control, and compliance team mitigating enterprise risk without automated tools to help safeguard the company.

3. We aren’t prepared for a GRC solution.

These days, almost all midsize and large companies run with technology. Principal areas like finance, human resources, procurement, supply management, and others use automated solutions every day.

If a risk area doesn’t operate in the same rhythm as the business processes, there is a greater chance that the company will suffer an incident or damage. Then the discussion will be to remedy the risk caused by manual controls instead of focusing on the preparation.

You are living already with the risk, so the decision is: How much risk appetite do you have?

4. First, we need to clean house. Then we’ll think about GRC.

You have been in the same position for years—what will be different this time? The model is not scalable. You’ll be investing time and cost once again in cleaning, updating, compiling, consolidating, researching, and preparing all the information. Three months later, you’ll be in the same situation.

Take advantage of a GRC solution, and you will be able to respond faster to the circumstances.

Stay tuned for Part 2.

This article originally appeared on the SAP Analytics blog and is republished by permission.


About Daniel Morfin

Daniel Morfin is an evangelist in digital transformation for GRC and cybersecurity with SAP Global Finance and Risk Business Development, focusing on Latin America. With his extensive experience in GRC and cybersecurity in technology companies, he believes that risks are everywhere, making it important to understand them for better decision-making.