Sustainability — Arrival of a new corporate focus
June 14, 2007. Posted by Amit Chatterjee in Business User, Enterprise Software, General Enterprise Musings, Governance, GRC, Uncategorized.
Awakening of a new trend
Last week, I was invited to a McKinsey presentation on the impact of Green or Corporate Sustainability Management (CSM). When McKinsey offers to give a presentation, people stop and listen. In a packed room, Matt Rogers, a director of the Firm, led the audience through how carbon and other greenhouse gas initiatives were being addressed by the clients that the Firm serves (Low Carbon Future).
During the presentation, it was clear that there was a significant need for changing behavior. I was trying to determine how long it would take to make this trend a reality vs. short-term fad status. Then I was hit with the most interesting stat of the whole presentation. Another director of the Firm announced that McKinsey was currently serving 20 of the Fortune 100 around establishing or building out their corporate sustainability program.
Ladies and gentlemen, CSM has arrived. Basically, when a large corporation is willing to hire McKinsey brainpower (which does not come cheap) to establish a strategy, it is no longer a fad, but a true initiative for change within an organization. Thus marks the arrival of CSM into our lexicon as a legitimate method for competitive advantage or lever for shareholder value. This is truly exciting news.
Basics of CSM
CSM is defined as meeting the needs of the present without compromising the ability of future generations to meet their own needs.
Corporations are increasingly under attack if they disregard environmental and social concerns. For example, the Financial Times considers climate change to be the next legal battlefield. Just a few months ago the State of California filed a lawsuit against six automakers for global warming damages.
Corporate Social Responsibility (CSR) is a strategic weapon that companies in all industries around the world use as a reaction, to protect their key value drivers – their good name and brand reputation. Companies like BT, General Electric and Wal-Mart (Carbon-Neutral companies) are helping change the game by building sustainability factors into their competitive strategy. This explains the burst of non-financial /CSR reports over the past few years. According to Al Gore, “the full spectrum of value that represents a corporation’s activities can only be understood if you look outside the narrow confines of financial reports.”
However, hardly any company has a systematic approach to manage their non-financials (like energy consumption, emissions, degree of diversity among workforce etc.). They rely on manual operations, on number crunching, and time-consuming processes, which lack transparency and are difficult to audit.
What SAP can do to help
Therefore, SAP has recently committed to systematically cover the domain of non-financial indicators. We’re planning a solution which automates key elements of the process of CSR reporting (List of reporting). This solution will automatically extract non-financial indicators from the backend, allow analytics, drill down and benchmarks. This can be the first step to integrating financial and non-financial indicators. Management of the triple-bottom-line (financial, social and environmental issues) will become as powerful, transparent and accountable as one can expect from SAP. This can become a paradigm shift, expanding SAP’s traditional core competence to the area of non-financials.
Real Answers to real problems
June 3, 2007. Posted by Amit Chatterjee in Business User, Enterprise Software, Governance, GRC, Uncategorized.
Last week Dennis Howlett wanted a response to some real problems. I thought I would go ahead and provide some thoughts back to him for a good discussion.
Cost of Fraud
In his piece, Dennis asks how to manage against error, fraud and deliberate acts of omission. The funny thing is that that is exactly what enterprise software was designed to do. I was told the story of a CFO of a large oil and gas company, who recounted how an honest mistake could have undermined his company. The simple story was that a clerk was given the task of distributing $1 million amongst 1000 retail gas station owners as a way of saying thank you. Unfortunately that clerk misunderstood and, instead of sending $1,000 per owner, sent $1 million to each owner. By simply establishing proper automated controls (not SOx compliance software), companies can avoid this.
The PCAOB estimates that in 2005, $675 billion was lost to financial fraud (read error, omission, etc.). That equates to $20,231 per second. Given it takes you 5 min to read this blog, that will be a cool $100k lost. Which is why what software vendors create cannot focus on a piece of legislation; the focus has to be on the business. Most of the proliferation of software options today was generated because those vendors chased SOx or Basel II or OSHA, and that was a mistake. We showed up 3 years after SOx because now is the time for a proper disciplined approach to managing controls and compliance in the organization. It is not about meeting one requirement, but establishing a patterned approach to address corporate needs around controls across regional, system, and line of business regulatory issues.
Forest for the Trees
Dennis also points out that controls can be over-stifling. I agree, too many controls lead to false-positives. We don’t believe that systems or business processes should be throttled with control points every step of the way. That is why we always suggest to customers to consult with a knowledgeable audit partner (Protiviti, Deloitte, PwC) to ensure that when setting up their controls, they identify the right controls that will protect their business.
I often encounter companies that are still trying to reduce the controls they manage from 160,000 to 80,000. Often they acknowledge that the material number of controls that ensure their business is a going concern is much less (more like 5,000 or 500). Leveraging software and services from the above partners helps customers quickly scale down the management of controls to a materially relevant set. More importantly, scaling down allows software automation to manage the mundane, while the true control events are surfaced for humans to interact with. We move away from humans as middleware and provide more strategic use of human resources.
It is the roadmap that makes the difference
I saw something Dennis referred to as a “fire blanket” approach, and he prefers that we suggest an approach to help companies “evolve.” Dennis and our customers are both in luck. In fact, we have adopted AMR’s Maturity Model to help companies determine which tools, and when in their evolution, they should begin adopting various elements of GRC. We firmly believe that the story for true success is built through a roadmap vs. assuming any company can consume all elements of GRC at once.
Through this journey, we will have customers that can truly showcase a GRC story. I know that right now our success stories don’t tell that story, but we are on our way to making customers satisfied to the point where they become true showcases of the GRC platform for SAP.
Updating the site
I know I promised to get some fancy assistance, but for some reason that has not materialized. So I went ahead and managed to update some of the natural widgets that made sense to deploy here. Please send your feedback on whether it is an improvement or not.
A Great Debate… misses an opportunity
June 3, 2007. Posted by Amit Chatterjee in Business User, Enterprise Software, Governance, GRC, Uncategorized.
So in the past few days, it seems that GRC has come to the forefront of several blog discussions. I was at a corporate off-site involved in a team building activity for the latter part of the week, so missed any opportunity to check out the debate. But now, late night on Saturday, I can finally join the debate.
Thanks to James, Vinnie, Thomas, and Dennis, who contributed differing viewpoints on a heated debate. However, I believe that after reading the rebuttals etc., we fell into the trap of defending or debating the lowest common denominator regarding GRC, the “C.” As usual, compliance takes most of the credit, while the actual business drivers of G and R are forgotten.
The Frank “C”
As an individual who lives and breathes this space 24/7, I really think that the “C” argument about big government is the basic line of thinking that drives conventional wisdom.
Similarly, when the Fed Chairman speaks for 4 hours, conventional wisdom sums up the health of the US economy entirely based on whether interest rates went up or down. Clearly not wrong (and often directionally correct), but lacks any true depth on what’s really going on.
Compliance is here to stay. Everyone loves to say the world is flat — but governments are not flattening. When is the last time someone heard about a government closing down because it was not needed? Increasing trade interdependencies are giving governments new opportunities to enforce compliance on companies that normally could avoid those legal domains through innovative methods of incorporating, distributing or manufacturing their goods or services in different manners. Compliance is intended to ensure that all companies compete in a similar fashion. Of course, manifestations of that compliance have not always resulted in a level playing field, but instead hurt the home team.
We can talk all we want about legislation and governments; the best we can hope for is that regulators are willing to be flexible and create legislation that ensures better corporate behavior while promoting a business benefit to the legislation. Adding a simple business benefit to compliance would turn these stories into positive case studies on why compliance works instead of complaints about the costs (as a side note: in the US last year CEO compensation was $12.2 billion, while compliance spend was only $6.6 billion).
Why “R” is business value
So the hardest part of reading Dennis’s blog was the short amount of time he spent on Risk. I very much liked his articulation of the “real problems”, and in the next blog I will offer my perspective on how software can address those without losing a business benefit.
Back to risk management. So for those new to this space, risk management represents the clear business value generation out of G, R, and C. If risk management is done properly, companies perform better than companies who think the world is full of “opportunity only.” I would disagree with Dennis that risk management means stifling innovation. In fact, I would suggest sitting down with Chris Kite, VP of Risk Management at Cisco (recently named one of the 100 most influential in Finance), and let her detail examples of how risk management is a driver of business performance. Cisco is a company known for innovation that has ensured greater success of those innovations through better risk management.
And companies like Cisco are not alone. I would posit that most of the brand companies have a risk management organization that either manages the supply chain risk or manages enterprise risk. Not surprisingly, I usually find companies that don’t have risk management functions in their organization don’t have as much success. [Note: clearly a subjective view, no real scientific analysis was done by me, however should someone have data please let us know]. Risk management is a discipline that allows both risk seeking and risk averse companies to maximize their risk preference for corporate and shareholder gain. As one customer put it to me: “Risk management leads to better informed decisions, but still not perfect decisions.”
While Dennis believes that talking process is bad, I actually believe that you need to start there. Risk management assumes information flow to be intact. If you don’t clean up your documentation and provide a process for managing what you don’t know, you can never identify that “blinding insight.”
Case in point, a large airline went through a risk management exercise about 8 years ago to understand where their risks were. Most airlines tend to focus on risks such as unions, procurement of parts for maintenance, and ensuring or procuring the right routes and hubs. While running a simulation, this particular airline realized that should oil prices move beyond a certain threshold within a reduced period of time (say a gas crisis), they would not be able to reasonably pass that increase on to customers. This was not just because of customer satisfaction, but because the process to adjust those rates could not be executed fast enough to protect the airline margins. Net net, this became a risk that they chose to take action on. The result was the procurement of 10 year contracts on oil well below today’s current rates.
This is of course not an isolated story, according to Deloitte Consulting, over half the Fortune 1000s will see two correlated risk events occurring at the same time, resulting in a loss of 20% of their market cap. The impact worsens because 50% of those companies hit, take over a year to recover their lost market cap value, while 25% never recover.
It is even more important to note that usually, no single risk will undo a company. It is the situation when two correlated risks occur at the same time in different parts of the company that lead to major shareholder loss. The key element to takeaway is that process, not blinding insight would have helped avoid those issues.
A Little somethin’ about GRC
May 5, 2007. Posted by Amit Chatterjee in GRC.
Thank you to everyone who bothered to read the first blog. To those readers that gave me some great insight on how to blog properly, like including my picture etc — good news, I finally have been put in touch with a real pro team that will help me manage my blog. Karl Perron, the head of Global Deployment and Operations for SAP GRC is promising that my work will look much slicker in 4 weeks. So until then, please focus on content.
I wanted to start by testing a concept — can the availability of software assist in the transformation of an organizational structure?
I ask this because recently I have run into companies where we are actually having discussions with people who have “GRC” on their business card. 6 months ago, this would not have happened. It has been less than 12 months, and business has been booming for us. Just a spectacular run. Yet, even with that run, I never thought I would sit across from a “GRC” person.
So I did a little research, and surprisingly, Mike Rasmussen from Forrester Research (Mike is really prolific) has also noticed this massive change. He attributes it to political battles between different stakeholders. While the root causes of political battles are interesting to those within organizations, watching this from a vendor’s standpoint left me a bit speechless.
So while quiet, I did some thinking. Here’s what I came up with: when CRM came out, there was no political battle, nor, as far as I could tell, was there one between indirect procurement and direct procurement when SRM was released. However, when marketplaces, e-commerce, shared services and BPO emerged, politics became a mainstay.
I was left with the notion that while traditional software that refines the viscosity of doing business with slipstream effectiveness shows tremendous bottom-line impact, the software is not truly disruptive.
However, when the software impacts an organization in such a way that you can redefine its importance to the organization, or begin to document financial or material business impact, suddenly organizations are quick to capture the change management. Simply put, if the software enables the business to improve or provide better transparency for an organization, the organization might adjust how that software can be deployed.
For instance, basic fundamentals for GRC ensure that most companies use them on traditional applications to prevent financial fraud (Compliance, right?). However, the moment you start thinking about controls from a business standpoint, and not an audit standpoint, you change the business flow.
To give you an example, I was in China earlier this year and met with a few customers. Since most were not listed on NYSE or NASDAQ, they did not care about SarbOx. In fact, I did not think we could make an impact. Then we asked a simple question about control in the business, preventing fraud, and ensuring that they as managers knew what was going on. Suddenly they converted from skeptics to buyers. Controls and insight into the business had immense value; adhering to regulators did not.
I tell this story because that disruption is at the core of what is going on inside organizations. IT, Security, Corporate Secretary, Internal Audit, Compliance Management and Risk Management are all departments that, within specific companies and industries, will by default be the lead consolidator to take advantage of bringing G, R and C into a single leadership.
Here is how it could play out: in process industries Compliance will define the GRC organization. For Financial services, I bet it will be Risk Management that rules the day. I could see that for high tech a combination of Compliance and Risk management leaders could define the integrated group. People intensive industries will have Security dominate the front-lines (Privacy in retail, physical security in mines).
The most interesting change will be for the internal audit teams. Their role changes, as integrating with these various groups will mean greater transparency, but with that comes uncertainty about determining what is materially relevant to manage and control. [h’m, if only I had software that could help me manage these risks and controls…]
The disruption is inherent in these orgs. If you really want to read why this software transformation will give organizations a chance to change, dust off a copy of James March’s A Garbage Can Model of Organizational Choice. I read that in college at some-point in a political science class (I never thought it would be much use). Here is the summary:
Organizations are a collection of:
- Choices looking for problems
- Issues and feelings looking for decision situations where they might be aired
- Solutions looking for issues for which they might be the answer
- Decision makers looking for work
Why “garbage cans”? It was suggested that organizations tend to produce many “solutions” which are discarded due to a lack of appropriate problems. However, problems may eventually arise for which a search of the garbage might yield fitting solutions.
For those risk managers reading this, it screams risk management. An afterthought at one point, risk management done right has the potential to be the driver of transformation within a company.
Business change driven by software that drives organizational change which advances the need of this software. I really think GRC is a space meant for synergy between technology and business disruption.
I would like to hear from the blogosphere. Is GRC the Ultimate garbage can?
Seeking wisdom of crowds…
April 30, 2007. Posted by Amit Chatterjee in General Enterprise Musings, GRC, Uncategorized.
As with most first time bloggers, I was assuming that Web 2.0 would simplify my life. The reality is that the process I went through to make this blog actually appear was easily classified as a nightmare.
Everything from logging into a hosting account, to managing to identify the right “blog” service, determining how best to work with the blogosphere, simply was too taxing — clearly too much consumer choice has baffled me and cost me 8 weeks from inception of idea to actual execution.
I was completely prepared to abandon this effort, but my company, SAP, had a conference last week (SAPPHIRE in Atlanta), and I met some other bloggers and realized that blogging was the equivalent of talk radio for software. I was impressed by the number of bloggers, and also the variety in quality and approach to making their noise (voice) heard. Much like the days of listening to political pundits or even that recent shock DJ that got fired, each blog will undoubtedly share its point of view. Being a man with several points of view, this medium seems a natural home for me.
But what is different from talk radio is that the listener, or in this case the reader, has significant power. The “wisdom” does not end with my blog, but is rather the beginning of the refinement or rejection of a germinating idea that the source blog put forth. Hence I am even more excited about getting my ideas out there so they can be torn apart and then rebuilt. I want to engage the blogosphere for their wisdom on what is going on, and yes, amazingly, even advice on what to do better.
At the same time, I look forward to sharing (read “expounding upon”) my insights from time spent in enterprise software. I have been in the space since 1997 in some form or another, and have been around the transformation of this industry. Even at an industry leader like SAP, I held numerous roles. I was part of the team that launched NetWeaver into the market, then head of strategy for product and technology at SAP. Also, I founded the SAP GRC business unit within SAP. I have been directly involved in the SAP GRC business since we announced the business unit last year. At some point, I am sure I will get into a biography or some story about myself, but for now, figure I spent most of my life either in or around the enterprise aspect of software.
Net net, I believe that enterprise software continues to work.
So practically, that means I don’t subscribe to the point that new ideas mean value, nor do I believe that old ideas need to be there forever (I break enough glass). I believe that despite the excitement, new ideas usually don’t equate to the impact of old ideas that generate shareholder value (thus the lack of uptake). While Web 2.0 will have an effect and is good for consumers (overall a very positive outcome), right now the impact to an enterprise is not business ready.
Essentially, it is the equivalent of a REIT company explaining to its shareholders that its future growth is tied to its success in 2nd Life (play the game). No one is saying that cannot happen, but clearly you would be “investing at the early stages.”
So what I hope to establish with those that choose to read this, is an opportunity to provide a business implication focused view of the technology and provide readers with an understanding of how and where to invest in this curve.
I’ll post my first set of thoughts on Enterprise software and GRC in a few days. Look forward to the exchange.