If your organization’s risk program is based on a list of risk factors developed outside of your company’s four walls, rip up the list. In today’s complicated business environment, there’s no easy catch-all list of risks that apply to every company or industry — rather, managing risk requires a tailored approach. For example, an oil refinery that violates a safety standard not only puts the refinery at risk of a safety-related incident, but also damages the company’s reputation because its core value proposition is to safely deliver energy products to consumers. But if a financial services company violates the same safety standard, the incident may not affect that company’s reputation and long-term value in the same way because its core value does not involve delivering highly combustible products. Instead, an insider trading scandal or a federal securities violation could damage the financial services company’s value in the eyes of its customers or shareholders.
These examples illustrate how the importance of a specific risk varies based on how an organization creates value. Determining which less-visible risks could be harmful requires a thorough understanding of your company’s core value proposition: Where is the fundamental value in your business? What drives that value, and what can destroy it?
When governance, risk, and compliance (GRC) programs are approached in this way, there is a greater emphasis on how an organization can gain or sustain a competitive edge. This should be the real benefit of risk management — the ability to improve an organization’s value and competitive advantage on a continuing basis, while also avoiding catastrophes and other risk events.
Compliance programs can drive increased value and benefits throughout organizations. For global companies especially, the complexity and pace of regulatory change are increasing, requiring more resources to manage compliance. Not only are new regulations being added in most regions and markets, but renewed enforcement of existing regulations must also be monitored. For example, the US government has recently become more active in prosecuting companies that violate the Foreign Corrupt Practices Act (FCPA). While this regulation is not new, the level of enforcement has changed, and companies that don’t realize this are at a higher risk of not complying.
Rather than being viewed as a limitation, regulation like the increased FCPA enforcement can serve as motivation for companies to improve business practices and increase long-term value. Instead of trying to cover risk factors for auditors or achieve the bare minimum of compliance, organizations should make regulatory concerns and risk issues more visible to executives and board members.
Look Beyond the Obvious
Determining which risks are most important and which can bring the most upside must be a cross-functional imperative. Too often, risk managers prioritize only those risks that are easy to measure. If the finance department owns the GRC program, for example, it may focus on minimizing exposure to exchange rates — an important risk, no doubt, but not, on its own, the risk that most affects the business’s ability to create value. Returning to the example of an oil refinery, complying with safety regulations is important and required, but doesn’t increase the company’s value — it avoids a potential decrease in value. An oil company’s fundamental value is directly linked to its proven developed and undeveloped oil and gas reserves. Its risk management program should prioritize the risks associated with the related business processes, such as land acquisition and usage rights, exploration, development, and reservoir management. Those risks may not be obvious candidates for a GRC program, but including them will allow risk managers to help the company create value.
The only way to effectively identify and prioritize a company’s GRC concerns is to involve various business roles in the strategy and discussion — from board members, to business leaders, to functional roles. Understanding the risks that could impact an organization’s ability to produce value is truly an enterprise-wide project.
Technology Supporting the Program
The most successful cross-functional GRC programs are based in strategy and supported by the right level of technology. Companies often depend on technologies that don’t offer the needed scalability to enable and sustain success. In some cases, an organization may establish an all-encompassing GRC program, but then it loses momentum if a large amount of manual effort is required. Simply implementing GRC technology doesn’t guarantee that a successful program will follow — the people, processes, and technology must all work together.
Technology can support a GRC program through monitoring, including key risk indicator (KRI) monitoring, continuous controls monitoring, and automated control testing. With a broad, cross-functional program that has many indicators to monitor, the monitoring process can be extremely time-consuming if it’s performed manually. Establishing KRI monitoring in an integrated enterprise system with real-time dashboards that provide instant access and visibility can reduce the effort level significantly.
Let’s return to the oil company. A pertinent example is monitoring safety training and recertification for workers. It’s an ongoing effort to educate staff and ensure that employees are current on their required certifications. Recertification and continued education in these areas minimize risk events. When training levels decline, the risk of a serious incident increases. Monitoring current certification levels provides a leading indicator of the potential for future catastrophic risk events. With the right technology platform, you can automate that process to provide notification when KRIs move past certain thresholds. When that happens, you can put the appropriate risk response into action to prevent a future risk event from having an impact. The sooner you identify the movement of the risk indicator, the more effective the mitigation efforts will be.
Perhaps most important is technology’s ability to keep a GRC initiative moving forward. When a program starts, there’s typically sufficient energy and motivation to establish momentum. But if parts of the project languish due to IT issues, that momentum can slow and the program might not deliver on initial expectations. Eliminating technology challenges to allow the execution of strategic goals keeps the program’s momentum strong.
SAP customers that are either just starting or continuing to grow their GRC programs have access to a mature technology platform that can scale to support a wide variety of programs. SAP solutions for GRC reflect the latest innovations in the areas of analytics, mobility, and cloud. For example, the 10.1 release of SAP solutions for GRC can be deployed on top of SAP HANA to support higher volumes of data and faster performance by consolidating operational and financial data from multiple systems. Automated KRI monitoring is faster, and the advanced analytics capabilities in version 10.1 allow for better information sharing.
Maximizing the Reward
The most rewarding GRC programs combine the right people, processes, and technology to minimize risk and maximize reward. And while all SAP customers have their own risks and compliance priorities, they can benefit from the vast GRC experience of SAP’s services partners and technology partners in delivering specialized content, industry-specific best practices, and implementation expertise that will streamline the path to GRC success. Whether you choose an industry-specific partner or SAP Consulting, tapping into the SAP ecosystem can extend the value of SAP solutions for GRC to ensure that your program has the right level of support. You can learn more by reading the other articles in this special report or by visiting sap.com/grc.