Listen in as GRC specialist Steve Biskie of High Water Advisors provides his thoughts on the major developments in GRC for 2013 and what SAP users should be planning for in 2014.
Dave Hannon: Hello and welcome, this is Dave Hannon with SAPinsider. Joining me today is Steve Biskie, Co-founder and Managing Director of High Water Advisors and a presenter at the upcoming GRC 2014 conference. Welcome Steve, thanks for joining us today.
Steve Biskie: Thanks Dave, good to be here.
Dave: Steve and I are going to be talking a little bit about what we saw in the GRC space in 2013 and also what we can expect in 2014 going forward. Steve, looking back at 2013 there was a lot of activity in the GRC space, including some new solutions and roadmap directions for GRC, so I wanted to get your thoughts overall, what would you say was the biggest change in the GRC area in the past year?
Steve: Yeah, interesting question, Dave. When I look at the GRC space as a whole, I think there are a couple big areas. And a lot of the new stuff in GRC at the end of the day is really the same old stuff that we’ve had in GRC for a long time. We’ve got new regulations, we’ve got new requirements that are being put on various companies, depending on industry. I mean, there’s just a lot of new things that we need to focus in on that still fit that category of governance, risk, and compliance. In the US for example, one of the big changes, the Public Company Accounting Oversight Board, has put a lot more oversight and documentation requirements on the external audit firms, which is starting to filter through to some of my clients, indirectly impacting the information that they have to provide and what they need to be ready for in ways that are a pretty significant change from what they had to do.
But at the end of the day that theme, it’s still more of the same stuff, we’ve still got compliance, we’ve still got laws, we’ve still got regulations, and they’re constantly evolving and changing. So I think in the context of GRC there’s a lot that’s new but most of it’s the same type of thing we’ve been doing.
One of the more exciting things though is when we look at the solution side of it, there’s a lot better integration between the solutions that are out there these days, particularly when I look back at 2013, the other two themes that seem to come out is we’ve got more mobile capabilities now, which allows us to deal with compliance in a fashion that we can handle it in our own space, when we’re ready for it, in our time, and not have to be tied to a specific location to be able to deal with those. And also some cloud-based solutions as well that are pretty exciting, both from SAP and others across the GRC software space.
So I think where all that leads, Dave, is the ability for us, between the mobility, between the cloud, between some of the better content management systems we now have and the integration between those systems, is we’re just going to be able to be more efficient. So despite the fact we have a lot of new regulations and a lot of new requirements, hopefully if we’re applying the things that we’re seeing coming out from software vendors like SAP in 2013, we’ll still be able to do that without increasing our workload or increasing our staff size for it. So taking on more with less and being able to do that mobile I think is pretty exciting.
Dave: Ok, ok. So how do you think some of those changes impacted SAP customers specifically?
Steve: On the SAP side, I think the biggest change is just continued improvement in the integration between products. When I compare, within the GRC suite, Access Control and Process Control and Risk Management, one of the big things that happened—and this goes a little bit beyond just 2013, but tighter integration between those two and an integrated compliance framework that’s going on and I think the improvements made during 2013 allow us to also be more efficient. And if I take an example with Access Control now we have a much better way to integrate the mitigating controls that are set up in Access Control to what we’re doing in Process Control.
And one of the risks we’ve historically had is, we know that we have some segregation of duties issues and possibly some critical transactions that people have access to and sometimes we just can’t eliminate those, we’ve got small business areas, we’ve got areas of the organization that just don’t have the budget to have enough people to effectively segregate those duties so it’s natural that we apply some of these mitigating controls, whether it’s reviewing certain exception reports, whether it’s other types of monitoring we’re doing over the business transactions that people are running; but this integration now allows us to not only document that we have that control in place but actually make sure it’s working, and that’s one of the things I’ve seen that SAP has really been focused heavily on recently, is how do we take the suite of tools, whether it’s Access Control, whether it’s Process Control, whether it’s Risk Management or even GTS or the Brazilian invoicing requirements that we have and how do we integrate the controls that are in place in those frameworks and the documentation around those just to make it easier on our compliance professionals and provide visibility and transparency across the organization.
Dave: Ok, ok, good. When I spoke with you at GRC 2013 it was just as SAP was releasing its Fraud Management solution. I wanted to check in with you on that, what’ve you heard from customers or clients about the use of that solution specifically?
Steve: Yeah, I think there’s definitely a lot of interest in my client base and the companies I talk to around it. You know, to be realistic, this is a product that’s still in ramp-up, so we’re still waiting for that official release where the rest of the organizations are able to get their hands on it and use it. But the companies I talk to, and I’ve been involved in a number of forums specific to fraud management, are pretty excited about the potential for it.
And I think one of the interesting things is some of the excitement I hear is all of a sudden the awareness of these applications that are leveraging HANA in a way that’s more than just better and faster reporting out of the system. Something like Fraud Management, the ability to actually interact in real-time with the SAP ERP system to, after detecting indicators of potential fraud actually be able to place a block on a particular vendor while it’s being investigated and remove that block through the Fraud Management application in the claims management piece of that, without necessarily going back into the ERP system. That two-way interaction I think is opening a lot of people’s eyes to the potential, not just of SAP HANA, but the potential of where we can go in the compliance side of the house in the GRC space as we start to get more real-time with our applications. I think it’s one of those products that everyone knows it’s a first release and it’s going to evolve as people are waiting to get their hands on it, but I continue to hear a lot of people when they sit down and think about the possibilities, it really opens up their minds to what compliance might look like a decade from now, and I tell you what, I think it’s going to be dramatically different from the way it looks today.
Dave: So, speaking of looking forward, if you look forward to 2014, what are you most looking forward to in the GRC space? Are there new solution updates, or roadmap directions, some things you’re looking forward to this year?
Steve: Yeah, absolutely. I think SAP is going to continue to enhance the integration between the products in the GRC suite. And this is one of those that’s just taken time to do, some of those applications were acquired applications, some were built in-house by SAP, so now consolidating those and having that integration point is going to be better. I think tied into that, there’s some exciting things on being able to exploit the frameworks that SAP’s provided with additional content within there.
For example, in the fraud management space we’ve been working with another consulting organization on helping to think through and define some of the rules that, as this application rolls out, can provide better content for those organizations that are moving forward and that’s pretty exciting.
One of the more exciting things for me though is, you probably know, I’ve been an auditor my entire career or at least in audit-related activities and there’s some new things coming out, new functionality, new applications that SAP’s developed that are specific to the audit community. And I can’t really share a whole lot about those at this point but it’s pretty exciting when I look at SAP, there’s certainly some things in SAP that are geared towards auditors, we have the audit information system, there’s an audit management component built into it but realistically, SAP hasn’t done a lot to those applications in the last number of years. So it’s exciting when I see their roadmap to see that there’s some new emphasis on some tools that are going to benefit people like me directly and some of the people I work closely with in the internal audit and external audit space as well.
Dave: Ok, great. Lastly, for customers that are using SAP’s GRC solutions today, what advice do you have for them going into the new year? What should they be focusing on?
Steve: I think if there was one piece of advice I would have for organizations as they think through into 2014, particularly those that are using GRC products, it's just simply: remain diligent about your process. One of the things I see pretty consistently is these tools have great ability to help create efficiencies within our clients' processes which, at the end of the day, are really cost centers; they're added costs that our organizations have to take on. And they allow us to better report how those compliance processes are working and where we might have gaps within those.
But sometimes what companies lose sight of is, when we get the pretty dashboards, when we get the nice visual indicators of where our risk lies, those are really driven by settings and implementation options that we turned on when we turned those applications on, and over time, as our organization changes and our use of SAP changes, we need to be really, really diligent about keeping those rules current and about keeping the system knowledgeable about the other changes we've made in the process. For example, if I'm using Access Control I need to be thinking about new transactions that I created through the year, new authorization objects and movement types and other objects that are field values within those, to ensure that my rule set is actually providing me a complete picture of what I'm looking for. And the same thing on the Process Control side, I need to make sure that the way people are responding and using the tool, it might look like all my controls are in place and my self-certifications are reporting back that we don't have any problems, but that's not really happening if it's become more of a check-the-box exercise. What we could find ourselves in is the situation where all of our graphs and charts look great, our dashboard looks good, our number of risks is going down, but it's a false sense of security because the way we've used those tools hasn't really been aligned with what's really going on in my business. So that would be the piece I would focus in on, is continuing to be diligent about keeping these tools current, about enhancing them and maintaining them over time as our business and our organization changes, and particularly as we're continuing to add features and customizations to SAP, making sure that the entire process, our entire compliance process, is completely reporting, and we're getting a definitive set of what those risks are and how we're responding to those.
Dave: Great, great, great. To hear more advice from Steve, you can catch his sessions at GRC 2014 in March down in Orlando. Steve Biskie, Managing Director of High Water Advisors, thanks for joining us today and sharing your insights.
Steve: Thank you very much Dave.