Part 7 in the “Controls and Risk Management” series
I was recently in a discussion with our development team, and the topic revolved around potential enhancements to the reporting that we include in our governance, risk, and compliance (GRC) solution. One of the questions they hoped I would answer in a straightforward way was: “What makes a good report template that all will love and use?”
It’s a simple question, indeed, that I’m sure you have been confronted with at some point. But it doesn’t have an easy answer. Many requirements come to mind, and I want to share my thoughts on this with you. First, a caveat: I don’t think there is a one-size-fits-all solution; every company and every stakeholder will have different needs.
To satisfy most and to be efficient, I believe that a good report template should (at minimum) tick the boxes below.
- Enable comparison. A report is always, whatever happens, a snapshot in time on the day the report is displayed, a selected date, etc. Much like a balance sheet provides a picture of the company on a given date, the risk heatmap is a picture of the organization’s risks at a point in time. Nevertheless, as with a balance sheet, what is most relevant is to compare different versions to understand the evolution of these risks.
- Be actionable. Reports (and this is the essence of risk-management reports) should support the decision-making process. What’s useful is when the stakeholder displaying the report can not only make the decision but also enforce it directly. A report should, therefore, give access to the information source so that a new action plan can be added straightaway: on a risk whose level has increased and is now above the tolerance defined or on a control that is no longer effective, for instance.
- Be visual and graphical. One of the tricks of a good report is to ensure that people will understand it, and to do so, will spend sufficient time on the information it displays. If the report has an unattractive display, there is a risk that it will receive only a glimpse and might miss the target. Making it visually appealing should help ensure that stakeholders will stop and read it. Graphics can help make a point quite simply without needing too much text. As they say, a picture is worth a thousand words. Now, this doesn’t mean that more details won’t be required, and this is where my next point comes into consideration.
- Be simple but adaptable. “Complexity on demand” is an approach that I very much like. A report can show limited information when displayed in a simplified mode, then, at the choice of the stakeholder, it can then grow in complexity by displaying much more information, while proposing sorting and filtering capabilities, and so on, as required.
These are only a few of the requirements for a good report template. But to my mind, they constitute a solid foundation and enable an evolution in time, hence satisfying the stakeholder’s needs.
What other “must have” requirements do you think all report templates should have? I look forward to reading your thoughts and comments on Twitter @TFrenehard
If you are interested in hearing more about this or just having an open discussion, please come see me at the SAP Conference on Internal Controls, Compliance, and Risk Management in Copenhagen March 3–4, which will explore the theme “Connected Controls and Risks.”
This article originally appeared on SAP Community and is republished by permission