In this interview, Gavin Campbell of Integrc and Steve Biskie of High Water Advisors sit down with SAPinsider's Lucy Swedberg to discuss the current maturity level of the GRC market. Topics covered include:
- What drives businesses to implement GRC solutions
- The benefits of centralizing GRC data
- How to speed the time to ROI on GRC solutions
- The latest capabilities available in SAP GRC solutions
Lucy: Hi there, this is Lucy Swedberg with SAPinsider. I’m delighted to be here in Orlando, Florida, for our GRC 2014 event. I’m delighted to be joined by two very special guests this morning. I have Steve Biskie, who’s the managing director of High Water Advisors, and Gavin Campbell, who’s the director of Integrc. Thank you both for joining me this morning!
Steve and Gavin: Thank you.
Lucy: Great. So I wanted to start with some general thoughts about the overall state of the GRC market. We gather here every year to learn about it but I’m interested in, you know, you’ve got companies who in theory understand the repercussions of not taking action in the GRC space, but I’m wondering if they’re truly embracing and getting all the value out of their investment in the GRC solution space, so, just some initial thoughts. Steve, let’s start with you.
Steve: Yeah, so I’m coming from more of an audit and compliance background, and I think there’s greater recognition these days about the value of what GRC can mean to an organization, but there are still areas where companies are trying to justify making the investment, and it’s hard, because there are some components of the GRC suite where you’re clearly going to save time, but there are other components that are dealing with process efficiencies and compliance which isn’t an exciting field to be in, and I see a lot of companies just still struggling with how can they justify something that they just intuitively know they need to have, but doesn’t have a specific ROI business case. It’s like an insurance policy, you know you need it, you know you should have it, and it’s only until something happens sometimes that you realize you do.
Lucy: Yeah, tough to make it a priority otherwise. Gavin, how about you?
Gavin: I think we’re seeing a big change, if you turn the clock back to 2002, probably most of the organizations were being driven by the SOX imperative, and really organizations between 2002 to the, almost the last couple of years have been doing GRC from the bottom up, so they started off with access, and some of them did some process and moved on into risk and other areas, but now especially in the Middle East and Europe we’re seeing more organizations starting from the top down, starting with risk, and also looking at process, and obviously access has got an important part to play.
Steve: Which really is the right way, if you think about it Gavin, you know it’s, a lot of these tools were designed to mitigate risk and until you understand what that risk is through something like risk management, it’s tough to do that, bottom-up, effectively.
Gavin: Yeah, I think we’ve thought long and hard about this and we almost look back and we think that in the early days people targeted the SoDs because it was easy for the internal guys to understand, and it was easy for the auditors to almost give them a pain point, so it became the point where the communication happened, rather than say the big picture, like are you really monitoring your overall risk and not just your SoDs?
Steve: Yeah, and it’s one of those, Access Control, in addition to being easy, there was clear ownership, there was a security team that definitely owns that, and when you move into other solutions like Process Control, that ownership issue becomes more of a question.
Lucy: Great. Definitely. So let’s talk maybe about some recent challenges that you’re seeing your clients and companies up against, maybe even just versus six months, a year ago, what are some of the really recent challenges and trends that you think are maybe changing the GRC space a little bit?
Steve: I think for my side one of the things I’m seeing is just the, the rapid change that’s occurring in a lot of organizations and you know, the economy hasn’t fully turned around since the market crashed a number of years ago, but budgets are starting to free up, and I’m seeing more and more organizations start to push SAP more broadly across the company, and what they’re really struggling with is that consistency, of how do I make sure that, not just from a compliance perspective, but the way I operate my business, how do I make sure there’s consistency among these very disparate sides of the organization, and when pushing things out rapidly, not having that consistency can have some big repercussions dealing with anti-bribery and corruption and some of these compliance initiatives that can have big fines if they’re not really dealt with effectively. And I think for my organizations it’s that having visibility into what’s going on in these disparate operations and doing so in a way that they’ve got centralized knowledge of what’s happening and can capitalize on that.
Gavin: So I come at this from a slightly different perspective. I’ve spent the last two years in the Middle East, where the GRC maturity is probably maybe five, six years behind, so the organizations there have got a different challenge, they’re trying to get to the most mature in the world in one step. So they’re making a big step, a bold step, but it’s a long way to go for an organization that maybe has only had SAP as an ERP solution for a short time, so the biggest challenge they’re facing is they want to get to a very mature solution but a lot of the organizations aren’t really ready yet to get there, to get the benefits.
Steve: Yeah, I see that on the audit side as well, I’ve spoken with a number of auditors in the Middle East and it’s interesting, being from North America, I’ve always, my entire audit career, people know that if the auditors are concerned about something, it’s something you need to address, and yet I hear from my Middle East counterparts that that maturity isn’t even there in the audit profession itself, it’s more of an “optional” piece of the organization.
Gavin: Yeah, but when we do talk to customers and understand where they want to get to, when we try and benchmark them and explain that where they’re asking us to take them to is in the top 5% in the world, they all want to get there!
Lucy: Of course!
Gavin: They’ve got an aspiration to be the best. And even if that costs more money that’s what they want to be. So they’re going from, let’s say early entrance into the market, and are trying to get very advanced very quick.
Lucy: When you talk about the “they” there, I’m curious about, within a company, which organizations, or who, in other words, is sort of taking the onus of this initiative, is it a business-driven thing, it is an IT-driven thing, who ultimately is responsible for these efforts and who are you seeing sort of rise to the table and raising their hand and willing to drive this in their companies?
Gavin: Well for me it’s surprising, every company’s almost different.
Gavin: So you would think that it might, that it should be coming from the CFO down, but quite often you know you have the initial conversation with the IT teams, or maybe it’s an IT budget that’s going to get spent, and that’s part of the issue really, is that you know, when we look at the critical success, we need to make sure that you put the “G” in GRC, and this is something I’m going to talk about later on today, and it’s really about, when people think of a GRC, they focus a lot on the risk and also on the compliance side, but not enough on the governance, and by not getting governance right at the start and engaging the business people, then they end up with solutions that aren’t adopted well.
Steve: And I see something similar, that unclear ownership in the process, I work with a lot of internal audit teams, and the rule of thumb generally in internal audit is you can’t be part of that governance structure, you’re inherently a monitoring-type engine, so there are a lot of internal auditors that shy away from pushing or driving these initiatives. But at the same token, to Gavin’s point, when that ownership doesn’t come from the areas of the business that you would normally expect that to come from, sometimes you just need someone to drive it, and as long as you’ve got that someone who’s taking that first step and introducing the application to the organization, at some point of course you hope that ownership transitions to the right silos, but for me it’s around “can someone step up and take the charge?”
Gavin: Steve, what percentage of companies do you think have a strategy for GRC?
Steve: I, you know, it’s sad, I think it’s pretty low. I think a lot of them will say that they have a plan, and they’ve got some concepts around where they’re going, but that word “strategy” to me is the big one.
Steve: And when I ask my customers about where they see this being three to five years from now, I get a lot of open stares, really, they clearly aren’t able to at least articulate it, even to themselves, let alone to someone else.
Gavin: Ok. So we do a lot of work with OCEG, which is the Open Compliance and Ethics Group, and a key part of their capability model is obviously getting this strategy right, so it’s interesting, but equally we don’t see many people who’ve got a defined strategy.
Steve: Yeah, for sure. I think one of the other challenges with this is, whenever getting into new technology, when technology is going to support that process, there’s always a starting point, there’s a cost to get started, I know Gavin, you were telling me about some things you’ve been working on to accelerate that ramp up process for companies and make it a little bit quicker for them to get to a point where they can start to see value?
Gavin: Sure. So we’ve developed a methodology which we’ve been able to package more like a product for implementing SAP GRC, so right now we can reduce the time to benefit by 50% and make a significant reduction in the cost for businesses. One of the things we really like is we’re able now to build a sandbox system in less than one day, which enables us to, at the very start of a project, let the company see what the outcome’s going to be like in the end, and we call that the benefit of hindsight in advance, so let’s not get to the end, let’s understand what it’s going to be like early on, have an agile blueprint, and then you’ve got people engaged who’ve got a shorter timeframe, they understand what they’re going to get, and it’s a good tool for getting the ownership too.
Lucy: I would imagine that helps with the adoption challenges we were just speaking about, sort of seeing the endgame is half the battle a lot of times.
Steve: Exactly, if you’re the champion of a project like this, you’ve got a lot of personal risk on the line, and the quicker you can show the organization that you’re getting the value, and I think, you know, I was really impressed when we were talking about that before Gavin, your ability to very rapidly demonstrate some tangible results from this, and in days, as opposed to months.
Lucy: So let’s talk a little bit from a solution standpoint, I know GRC technology clearly is evolving rapidly, are there any new key capabilities or solutions that you think are starting to maybe make some changes in the SAP customer base that you’ve seen so far?
Steve: Yeah, so there are a couple that I’m pretty excited about. Last year at this time SAP announced Fraud Management coming out and for someone in the audit and compliance space I think there are some fantastic capabilities with that tool, the way they’ve designed it, the ability to actually score a set of rules where any one condition may not stick out as being “that condition tells me that something bad is happening,” but when you add all those together, all of a sudden that becomes a compelling case. I’m pretty excited about Fraud Management, and the auditor in me is also excited about something SAP will be talking about today, their new Audit Management application, it’s the first application they’ve built more towards internal auditors, they’ve had a couple around for external auditors as well, so I finally get to use some new SAP technology for me.
Lucy: There you go!
Gavin: Yeah, I think as well in the, certainly in the RFPs that we’re helping SAP respond to, the audit management is another piece of the jigsaw. That’s, some of the other competitors that didn’t have some rich capability that SAP had, they had something different, that app is audit, and now that gap was being closed, so it’s going to be quite interesting moving forward.
Steve: Yeah, I think the combination of them makes a really compelling risk story for organizations, you’ve got the risk management components, you’ve got the ability to monitor those processes through Process Control, you’ve got an oversight function through an internal audit group that now has technology that can plug in, so it’s going to be pretty exciting over the next few years.
Gavin: Yes, I really love the user interface as well, so it is like a, it fulfills the concept of you know, Apple easy and Google quick. That’s really what the millennials and the kids coming through are going to want.
Gavin: Everybody wants it easy, they want their iPod, they want it everywhere, so.
Lucy: Again for adoption, it’s part of the story, right? So ok, to wrap up here, if you were to speak generally to GRC attendees here or to GRC folks of interest in our SAPinsider audience, any parting tips of wisdom, words of advice that you could really offer at sort of this date in time in the GRC market, you know, what would you advise them?
Gavin: Well, I’ve been thinking long and hard about this ’cause I’m presenting on a topic this afternoon on Access Control, and the big thing for me really is don’t forget to put the “G” in GRC.
Steve: I like that theme, and I would add that make informed decisions about what you’re doing, a lot of organizations I work with just believe that what they’re doing is appropriate, they believe that processes are in place, but they haven’t actually put any systems or structure in place to make sure that’s really happening, so if you’re unsure, do a quick assessment, you’re going to know right away whether you’ve got some problems and make some intelligent, informed decisions around this.
Lucy: Great. Some great advice, I thank you both! Again, this is Lucy Swedberg at SAPinsider GRC 2014, and I’m very grateful to Gavin Campbell, Steve Biskie, thank you both for joining me today. Thank you.
Gavin: Thanks Lucy!