Every so often, companies revise their processes to identify areas of improvement. And the governance, risk, and compliance (GRC) process is not exempt from this overhaul exercise, as I am sure you already know and have already experienced.
Usually, we at SAP get involved at a later stage: after the redesign phase when the process has been redefined—or simply refined—and the intent is to support it via a software solution.
Unfortunately, in many cases, the ask is simply to reproduce what is already there—albeit with few improvements, but without major enhancements. Many organizations still use Excel for governance, risk, and compliance aspects and software vendors like SAP are simply asked to “port” these files into a system of records for instance.
What I personally find a shame is that by doing so, users won’t benefit fully from the automation that the GRC software can deliver. As a result, we aren’t able to reduce the manual workload as much as intended by the solution. This rarely, if ever, delivers the return on investment that the GRC sponsors were hoping for.
The question I often asked myself—and customers—is why wouldn’t you want to explore new routes, including adding more automation? Here, I have to admit that the answer is usually pretty straightforward: We didn’t think about this or didn’t even know it was an option.
When you don’t know what you’re missing
To me, this parallels a story that my colleague Bruce McCuaig shared in an older post, “GRC Tuesdays – Redefining the Role of Internal Audit: Avoiding Redundancy.” As Bruce said, “The development of the transportation industry at the beginning of this century, I believe, is comparable to the technology innovations of the last few years. And I suggest that the same fundamental choices that had to be made then by blacksmiths must be made now by internal auditors.”
Think about it. Back in the early 1900s, if you were to ask what locomotion system people wanted, they would have replied “faster horses.” And this is simply because they hadn’t experienced the automobile. Once they got a taste of it, it changed everything. (We got the traffic jams that we all know today… but that’s a very different story.)
Automotor Horse, Patented Sept. 19, 1899.
I’m not saying that GRC is stuck in the 1900s; don’t get me wrong. But why not take it to the 21st century and leverage all the new capabilities and technologies that are now available: continuous monitoring, predictive analytics, simulation and calibration, real-time and on-demand reporting on any device of your choice, and so on?
Errare humanum est, sed perseverare diabolicum!
I don’t believe that we continue to ask and reproduce the same schemes because it feels comfortable or because we are reluctant to change. Sure, this can be the case in some instances, but in my opinion, this is not true for the majority of stakeholders. As a result, the only limitation is our own knowledge and experience. If we don’t know it exists, we rarely ask for it.
I don’t claim to be a philosopher—far from it—but there is a quote from Seneca the Younger that applies well to this purpose: Errare humanum est, sed perseverare diabolicum. That is, “To err is human, but to persist in error is diabolical.”
You can’t expect a different and better outcome if you use the same approach as you did in the past. This is Einstein’s definition of insanity. So why not explore new options and be creative? To continue with Einstein quotes: “The important thing is to not stop questioning. Curiosity has its own reason for existing.”
So think out of the box and challenge the status quo.
Should you want food for thought for your GRC program, then I invite you to join us at the second edition of the SAP Conference on Internal Controls, Compliance and Risk Management March 2019 in Barcelona.
If you were interested in this blog, then I am sure that this conference, themed around “Next Generation GRC,” will appeal to your curiosity! What’s more, the agenda has just been released, so be one of the firsts to find out about the sessions.
I look forward to seeing you at this conference next year and to reading your thoughts and comments on Twitter @TFrenehard before then.
Want to hear more how GRC and security leaders are harnessing the power of technology innovations to transform their operations? Register today to attend the first-ever, complimentary online SAP Finance and Risk Management Virtual Event for an insightful experience of customers, experts, partners, and SAP executives discussing today’s pressing challenges and opportunities.