Let's talk governance, risk and compliance – kerrching.

by admin on May 31, 2007

The last few days have seen fierce debate among some of my colleagues around the area of governance, risk and compliance, or GRC in SAP-speak. The discussion came about following a long piece James Governor wrote (SAP is one of Redmonk’s clients) which basically parroted what he was told by Amit Chatterjee and others and then spun it as a ‘new’ thing. James’ piece was followed by a light-hearted dig from Vinnie Mirchandani, who wonders whether SAP is going into the insurance business. It is a clever way of beating up vendors on price/value but, as you might imagine, the vendor community is having no truck with that argument.

I find the title of James’ post worrying: SAP Grocks Governance Risk and Compliance: the new ERP. Companies have spent billions implementing ERP systems over the last 15 years, and the subtext I hear is ‘more of the same.’ Somehow I don’t think so, and I sincerely hope this doesn’t become the rallying cry.

I’ve talked with a range of interested parties, listened to Thomas Otter and Craig Cmehil’s podcast and read around the topic. The podcast is included below; it is worth listening to. But I’m still concerned.

Compliance

Thomas talks about systematizing the separation of duties that any competent auditor will require, as an example. But does that mean it is an extra feature for which payment should be extracted? It could be a differentiator, but I’d expect to see it included in the product. If asked to pay for it, I might well want to investigate alternatives. The counter-argument may be the potential for audit cost savings, but there is precious little evidence of auditors prepared to moderate their costs. With SOX looking like it will be overhauled, that alone should drive down costs.

As Thomas rightly acknowledges, compliance doesn’t stop with audit, and if SAP is trying to run the entire gamut then it is biting off a very big set of problems, which might be worth something extra if it is able to provide coherent solutions that are value-enhancing rather than compliance backfilling.

In one post, Thomas draws attention to Hackett Group research suggesting that best-practice companies have reduced their relative financial compliance cost. If they hadn’t, I’d be deeply concerned, so I’m not sure I get his point in this context. I do, however, agree that the tyranny of spreadsheets has to end. This is something I’ve shouted about for over 10 years. But there are plenty of other providers out there offering solutions to that problem.

The broader question has to be whether this is something exercising the minds of today’s senior finance types in the SAP community. If the agenda for the upcoming SAP FBPN group is a litmus test, the answer has to be no. Or at best, not now.

Risk
On risk, the argument goes that enterprises will have a much more transparent way of assessing portfolio risk. That’s a nice idea, but SAP spoils it by talking process. In my experience, risk management means companies veer towards being risk-averse rather than innovative. Nevertheless, having your arms around an entire portfolio of alternative investments makes sense and is a current topic of interest. In SAP’s defence, Thomas points to portfolio balance, which again makes sense. Whether enterprises will take that approach in practice is unclear, but as an overall concept it’s got plenty going for it.

Governance
Flavour of the month. Every day I see yet another blog or article seeking to cash in on the green and/or clean agenda. I’m highly sceptical about this, as it’s a topic spawning instant pundits. I hold to Al Gore’s view that in many situations clean policies are good for business. But governance is way more than carbon-neutral footprints or planting more trees.

Governance is about culture and ethos. Co-operative Bank, for example, has very clear policies about where it will and will not invest. Does it need to be told what is right and wrong? The same cannot be said of some of the oil companies. BP, for example, has a history of entering into shady deals, despite a clear policy on bribery and corruption.

I don’t see a way you can satisfactorily systematize that aspect of doing business. In conversation with Amit, he posited that putting appropriate information in front of executives and talking to the issues of reputation is a good start. That’s a fair statement, but one that is hard to make stick in practice. Too many companies pay lip service to governance as it is, and no amount of software will change that.

On one thing I will agree. Running a well-governed business is profitable, because we’re moving towards a world where reputation has to mean more than mere platitudes. But whether that’s a message enterprise software vendors should be taking to the market is less clear when I can grab free calculators.

The real problems
Much of what SAP is talking about comes down to documentation and process. That is fine in itself, but as one person said: “If you’ve got a shitty system and document it, you’ve still got a shitty system.” My concerns go further:

  • It is impossible to legislate against error, fraud and deliberate acts of omission. Determined individuals will always find a way of side-stepping regulation. Why else is there a UK tax amnesty in place for those hiding assets abroad?
  • Most errors don’t occur because of systems failure, at least not these days. They occur because of issues outside the system. How can you guard against that? You can’t. That’s why we have audits: to test not only the systems but also how those systems are used. No amount of systematizing will solve that problem.
  • I’ve seen some of the questionnaire material SAP has in place and I see a risk of over-controlling. It may add a degree of comfort, but it stifles the business. Where, for example, are the systems that will help you figure out whether a process is over-controlled?
  • Rather than taking a fire-blanket approach, isn’t it better that GRC be assessed from a quality perspective that allows companies to evolve? I’m not hearing that message.
  • Amit was beaming at recent sales success, but in today’s market I’d expect his unit to be doing well. I’ll be more impressed when I see the case studies. At present there is a miserly collection of 25, some of which have tenuous links to GRC while others are clear spin on old stories.

In a final piece of irony, Thomas points to a piece that talks about Sarbanes-Oxley as a scapegoat. It’s also a great way to spread FUD in the name of software sales.


  • http://www.redmonk.com/jgovernor james governor

    Dennis – I positioned my blog as a piece about Amit and what he said, so please spare us your rather flabby positioning about parroting and spin. RedMonk created the compliance oriented architecture (COA) back in 2004 based on more than a hundred interviews with a range of stakeholders, and have long argued compliance should be looked at methodically, in service oriented fashion, and not in silos. The rest of the industry is catching up with that view, which is good to see. GRC is not SAP’s term – it has broad industry adoption. Indeed it’s one of the reasons we’re likely to rename the COA framework. Why do you think IBM just announced its own end to end GRC program?

    If we’re to support a principle, rather than ticklist based approach to compliance, we’re going to need decent systems to support that. Compliance requires discipline. I am all for unmanaged innovation, but I also appreciate large companies require a somewhat more managed approach to some disciplines: compliance is one of them.

    Finally I have been thinking about corporate sustainability a lot, and I think it’s only going to grow in importance. I would love to see companies with chief sustainability officers, using GRC tools and techniques to explain to shareholders why they were investing in long term sustainability efforts, rather than chronic short termism. A good GRC foundation allows for pushback against auditors and others. It is about taking responsibility, not avoiding it. Scary huh.

  • http://www.redmonk.com/jgovernor James Governor

    Ad hominem attacks do you no credit, Dennis. You are very well qualified to engage in a debate on the issues. If Andrew McAfee at HBR is right about technology, then we may all need to accept that ERP does drive competitiveness. But what comes next?

  • http://www.theotherthomasotter.wordpress.com Thomas Otter

    Dennis,
    thanks for the links.
    My point was a simple one. Best in class companies now have the “cost of the finance” function at a lower level than they did pre-SOX 2002. They have done this through process improvement and clever use of technology. They now have better transparency and lower cost. This is goodness, plain and simple.

    In terms of the FBPN we regularly cover the GRC topic. Earlier this year we ran a detailed focus workshop for non-SOX compliance companies, and there is another session in Amsterdam in July on governance, risk and compliance, so your insinuation there is nonsense.

    The podcast was meant as an introduction for my techie friends to get a simple overview of what GRC is about; it wasn’t meant to be an in-depth analysis of the failings or successes of SOX 404, SODs, risk mitigation etc. If you would like me to talk more on this, happy to do so.

    James proposed a compliance orientated architecture about 4 years ago. It remains one of the best papers I’ve read on compliance and technology.

  • http://www.accmanpro.com Dennis Howlett

    James – you are paid by SAP to say nice things so I don’t expect you to be critical. Remember I was there too so I know the arguments Amit puts forward and he also knows that while I believe some ideas make sense (for which I credit the company), I have issue with others. Describing what you said in those terms is hardly ‘ad hominem’ but you are entitled to your opinion.

    COA as I read it (and you will recall that I have read it) is a technical expression. GRC is about business. Embedded GRC is not new and SAP is coming from a long way back compared to specialist players. If you truly believe that then I’d urge you to encourage SAP to go the COA route rather than the bag of bits it currently holds in its portfolio.

    If you think GRC allows push back to auditors then I’d suggest you look at what has happened post-SOX and re-assess. Audit fees have declined 0.5%. I don’t condone or justify. In any event, they are a tiny line item in the grand scheme of things.

    Regardless, you can put all the systems in you like but it doesn’t obviate the need to comply with the laws of the land. It doesn’t remove the requirement for testing of what people do. And it’s done because 80% of problems are people based and not due to systems weaknesses.

    I’m well aware of how SAP scores on systems audit testing but that’s not the point.

    To your point about CSOs – nice idea but no business will get serious about this unless they see financial benefit. That’s because ‘business’ has no ethical compass. You and I may agree that those same companies ‘should’ take a different position but I defy you to make that stick on Wall Street, Threadneedle Street or Sand Hill Road without a clear Al Gore angle.

    My overarching concern is that once again, tech vendors are saying – here’s a problem and the solution is more technology. You’ve said as much without considering the many other factors that impact.

    That is most assuredly worthy of examination and in that I have made no comment on your position.

    Back to normal programming…

  • http://www.redmonk.com/jgovernor James Governor

    Actually we are paid to advise SAP on strategy. We are not paid to say nice things about them. If I wanted to be in the white paper business I would be. We do say negative things about clients, I just happen to think GRC is a good idea.

    Actually Dennis, COA was never just a technical expression. It’s about services required to support a business. It spans business and technology; a core point of the model is enabling a conversation between IT and the business.

    Comply with the law of the land. Or not. I made that point in my own blog entry, which you pretty much entirely dismissed. Some regulations can safely be ignored. Some issues can safely be ignored. That’s risk management. Why comply with US EPA or UK Data Protection regs when they are toothless? Not because of those laws, certainly. Businesses don’t comply with all the laws of the land.

    I have a clear angle about sustainability. Of course it’s about economics.

    And finally Dennis, if I have not said enough about the people issues, then that’s a good point to make. It took us a long time to get here. Of course compliance can be an ethical issue. I get that. I don’t think GRC solves all known compliance problems and never said it did. But both people and process need to be considered. It’s not either/or.

  • http://www.accmanpro.com Dennis Howlett

    Thomas – I did see it as an intro and a very good one as well – it was balanced. I’d argue that BICs (at least the ones I’ve spoken with) have a ‘non-standard’ mindset where the tech comes 2nd and only when needed.

    James – Take your point re: COA. Compliance in my world is a critical ethical issue which ICAEW is failing miserably to address BTW. On the people AND process issue you raise a critical point reflected elsewhere. People are often foisted with process = project problems = resentment and all that leads towards. Solve that problem and you’re golden -:)

  • http://www.dealarchitect.typepad.com vinnie mirchandani

    Dennis, James is usually good about pointing out when IBM or SAP is a client, but on that particular post he forgot to. I am with you though. On that one, he was in “reporting” mode – the scope of what Amit told him or what he heard including insurance, pollution, unions, carbon emission tracking just suggests a much bigger role than a piece of software can ever expect to deliver. I checked the post for “solving world hunger”…

  • http://www.dealarchitect.typepad.com vinnie mirchandani

    Realize the image of government is a bit different on your side of the pond, but I posted on Thomas’s these comments:

    “I cannot believe so many of you think government policy has caused the stock market stabilization. Or that SAP which has mostly private sector customers is continuing to push the “compliance is good” agenda.

    Here’s Fortune’s take from the same article I quoted

    “For all that business has done to rehabilitate itself since, a significant factor has been what government has failed to do. It did not become the hero the public wanted. In the fight against terror, polling shows, just over half of Americans think the Iraq war made the U.S. more vulnerable to terrorism, not less so. Washington scandals – the Jack Abramoff lobbying mess, the Mark Foley sex mess – reminded voters that politicians can be every bit as sleazy as any executive.

    One episode did more than any other to turn attitudes around. That was Hurricane Katrina, when government at nearly every level looked utterly incompetent while businesses became the heroes. FedEx delivered 440 tons of relief supplies, mostly at no charge. Wal-Mart meteorologists informed managers that Katrina was headed for New Orleans more than 12 hours before the National Weather Service told the public; the company later hauled millions of dollars of supplies into the worst-hit areas days before FEMA showed up.”

  • Pingback: In further defence of compliance « Vendorprisey

  • Pingback: Enough SOX already « The Manticore blog

  • Pingback: Real Answers to real problems « Enterprise Software and GRC

  • Pingback: http://amitchatterjee.com/ » Blog Archive » Real Answers to real problems

  • Pingback: http://amitchatterjee.com/ » Blog Archive » A Great Debate… misses an opportunity

  • Pingback: Irregular Enterprise mobile edition
