Digitizing Governance Risk And Compliance

Bruce McCuaig

Most of our treasured concepts of control, and many of our accepted risk practices, will land in the digital boardroom with a thud and disappear — if they make it there at all.

The truth is, much of the information provided by GRC professionals is not digital and can’t be digitized usefully.

The outputs of most control and compliance assessments are subjective opinions on control effectiveness. Much of the output of risk professionals is informed guesses about the future. Insight is often lacking.

Why does this matter? It matters because digital Darwinism will not be kind to GRC if it does not evolve.

Understanding control ineffectiveness

I find it useful to step outside the business world and have a look at our practices through a real-life lens. Some years ago my ophthalmologist prescribed eye drops to reduce the intraocular pressure (IOP) in my eyes. He assured me the medication was “effective” (medical practitioners don’t make a distinction between “design” and “operating” effectiveness).

So I researched the medication and discovered that its manufacturer, one of the world’s most distinguished pharmaceutical firms, was so convinced of its “effectiveness” that in some jurisdictions the company offered a money-back guarantee if it did not deliver promised results.

I think in the world of GRC, we would rate the design effectiveness of the eye drops as high.

Curious, I did some further research. It turns out that studies conducted by the manufacturer to secure regulatory approval revealed the following issues:

  • Approximately 20% of patients stopped taking the medication because of its side effects.
  • Approximately 10% of patients studied forgot 20% of their doses.
  • A very small percentage suffered severe and sometimes life-threatening complications.

This kind of information provides insight, supports a risk acceptance decision, and should be reported in a digitized business environment.

No control is 100% effective all of the time

Control effectiveness decisions require knowledge of both a specific objective and the related issues. In reality, there is no universal standard for the effectiveness of a control or, for that matter, a medication. The question is not “Is the control effective?” but “How much risk does it leave us with, and how is performance impacted?”

Let’s digitize and report the data and let the effectiveness decision be made by the stakeholders.

What does the digital boardroom need to know about risks and controls?

Frankly, boards are starving for useful information about GRC. Control effectiveness opinions aren’t digital, but the underlying data supporting control effectiveness and risk acceptance decisions can be digitized. Boards, in my experience, don’t find risk heat maps useful. They want digital data about key risk indicators, incidents, and issues.

Boards want visualization capabilities and analytical tools, and the data to feed those tools.

The tools are here today

Tools exist now, and have existed for years, to digitize GRC. We have access to incredible technology that can monitor and report on almost any aspect of GRC, yet these tools are rarely used, even though the business case for them, based on cost savings and extended coverage, has always been overwhelmingly compelling.

The case for automating GRC

Here’s the real business case for automation in GRC. Automation produces digital information. Opinions must be supported by insightful data. Without the data, GRC will have nothing useful to say to the digital board. Absent from the digital boardroom, GRC will not have a voice in performance, strategy, or resource allocation. GRC will not be managed strategically.

The real business case for digitizing GRC is survival. Fortunately, there is tremendous value to add by doing so. GRC won’t survive without digitizing.

Sorry, but digital Darwinism is unkind.

Is GRC on your board’s agenda? What do you tell your board about GRC?

Share your thoughts on GRC technology. SAP is sponsoring a technology survey with OCEG. Take this opportunity to provide your input to the 2015 OCEG GRC Technology Strategy Survey.

Register now to attend our webcast about GRC in the Digital Board Room and learn how digital GRC will benefit your board.


About Bruce McCuaig

Bruce McCuaig is director of Product Marketing at SAP GRC solutions. He is responsible for development and execution of the product marketing strategy for SAP Risk Management, SAP Audit Management, and SAP solutions for three lines of defense. Bruce has extensive experience in industry as a finance professional, as a chief risk officer, and as a chief audit executive. He has written and spoken extensively on GRC topics and has worked with clients around the world implementing GRC solutions and technology.