
A Great Debate… misses an opportunity June 3, 2007

Posted by Amit Chatterjee in Business User, Enterprise Software, Governance, GRC, Uncategorized.

Good debate, wish I was there.

So in the past few days, it seems that GRC has come to the forefront of several blog discussions.  I was at a corporate off-site involved in a team building activity for the latter part of the week, so missed any opportunity to check out the debate.  But now, late night on Saturday, I can finally join the debate.

Thanks to James, Vinnie, Thomas, and Dennis, who contributed differing viewpoints in a heated debate.  However, I believe that after reading the rebuttals etc., we fell into the trap of defending or debating the lowest common denominator of GRC, the “C.”  As usual, compliance takes most of the credit, while the actual business drivers of G and R are forgotten.

The Frank “C”

As an individual who lives and breathes this space 24/7, I really think that the “C” argument about big government is the basic line of thinking that drives conventional wisdom. 

Similarly, when the Fed Chairman speaks for 4 hours, conventional wisdom sums up the health of the US economy entirely based on whether interest rates went up or down.  That is clearly not wrong (and often directionally correct), but it lacks any true depth on what’s really going on.

Compliance is here to stay.  Everyone loves to say the world is flat — but governments are not flattening.  When is the last time someone heard about a government closing down because it was not needed?  Increasing trade inter-dependencies are giving governments new opportunities to enforce compliance on companies that could normally avoid those legal domains through innovative methods of incorporating, distributing or manufacturing their goods or services.  Compliance is intended to ensure that all companies compete in a similar fashion.  Of course, manifestations of that compliance have not always resulted in a level playing field, but instead hurt the home team.

We can talk all we want about legislation and governments, but the best we can hope for is that regulators are willing to be flexible and create legislation that ensures better corporate behavior while promoting a business benefit to the legislation.  Adding a simple business benefit to compliance would turn these stories into positive case studies on why compliance works instead of complaints about the costs (as a side note: in the US last year CEO compensation was $12.2 billion, while compliance spend was only $6.6 billion).

Why “R” is business value

So the hardest part of reading Dennis’s blog was the short amount of time he spent on Risk.  I very much liked his articulation of the “real problems”, and in the next blog I will offer my perspective on how software can address those without losing a business benefit.

Back to Risk management.  So for those new to this space, risk management represents the clear business value generation out of G, R, and C.  If risk management is done properly, companies perform better than companies who think the world is full of “opportunity only.”  I would disagree with Dennis that risk management means stifling innovation.  In fact, I would suggest sitting down with Chris Kite, VP of Risk Management at Cisco (recently named one of the 100 most influential in Finance), and letting her detail examples of how risk management is a driver of business performance.  Cisco is a company known for innovation that has ensured greater success of those innovations through better risk management.

And companies like Cisco are not alone.  I would posit that most of the brand companies have a risk management organization that either manages supply chain risk or manages enterprise risk.  Not surprisingly, I usually find that companies that don’t have risk management functions in their organization don’t have as much success.  [Note: clearly a subjective view, no real scientific analysis was done by me; however, should someone have data please let us know].  Risk management is a discipline that allows both risk-seeking and risk-averse companies to maximize their risk preference for corporate and shareholder gain.  As one customer put it to me:  “Risk management leads to better informed decisions, but still not perfect decisions.”

While Dennis believes that talking process is bad, I actually believe that you need to start there.  Risk management assumes information flow to be intact.  If you don’t clean up your documentation and provide a process for managing what you don’t know, you can never identify that “blinding insight.” 

Case in point: a large airline went through a risk management exercise about 8 years ago to understand where their risks were.  Most airlines tend to focus on risks such as unions, procurement of parts for maintenance, and ensuring or procuring the right routes and hubs.  While running a simulation, this particular airline realized that should oil prices move beyond a certain threshold within a short period of time (say a gas crisis), they would not be able to reasonably pass that increase on to customers.  This was not just because of customer satisfaction; the process to adjust those rates could not be executed fast enough to protect the airline’s margins.  Net net, this became a risk that they chose to take action on.  The result was the procurement of 10-year contracts on oil well below today’s current rates.

This is of course not an isolated story: according to Deloitte Consulting, over half of the Fortune 1000 will see two correlated risk events occurring at the same time, resulting in a loss of 20% of their market cap.  The impact worsens because 50% of those companies hit take over a year to recover their lost market cap value, while 25% never recover.

It is even more important to note that usually no single risk will undo a company.  It is the situation when two correlated risks occur at the same time in different parts of the company that leads to major shareholder loss.  The key takeaway is that process, not blinding insight, would have helped avoid those issues.



1. theotherthomasotter - June 3, 2007

Good to see you back on the blog…
I’m with you on the R and the G, the SOX 404 reductionism drives me nuts.
BTW, there is more on http://manticoreblog.wordpress.com/2007/06/01/enough-sox-already/
I’d like nothing better than to be discussing how software can support initiatives such as the Kimberley accord, the King report, Extractive Industries Transparency Initiative, Privacy, narrative reporting, ethical supply chain management, carbon emissions reduction optimisation, REACH, RoHS..

2. amitgrc - June 3, 2007

From what I read of that thread, I completely agree. If we do have to talk about compliance, let’s at least broaden the scope beyond SOX. Your list above is exactly the question anyone with a global business needs to be asking: “how can I manage my business without a software solution that will commit to addressing these needs in a consistent manner?” No matter what country a customer is in, they need to be thinking about more than financial compliance, and the focus needs to be on broadly architecting a solution to address that.

3. Dennis Howlett - June 4, 2007

Amit – I’ve seen some of the questionnaire material that is part of SAP proposed compliance initiatives. Mind numbing. The focus on SOX serves as a proxy as to what can happen and you’ll recall that in the EU generally, there has been a flat rejection of those approaches, despite ever creeping bureaucracy in many other areas.

Regardless, it still doesn’t answer the fundamental point. Seen what’s been happening at Pfizer and Astra Zeneca in recent times? The oil industry is rarely out of the news. These are 2 of SAP’s biggest client industries in sore need of cultural shift. No amount of software will prevent their excesses.

When SAP can show proof positive that these initiatives are producing genuine and demonstrable value added then you’ve got a story. At the moment, it reads awfully like a long haul investment with ROI predicated on what has been seen in the past rather than the future.

4. Amit Chatterjee - June 5, 2007

Dennis to address your comment…”no amount of software will prevent their excesses”…

Corporate culture / commitment to running businesses ethically must be set by the senior executive team (tone at the top). Once this commitment has been made, these ethics are then cascaded throughout the organization both in doing business as usual, but ethics are also formalized in terms of policies and training. Software can embed controls into your processes, making sure that business as usual is done in line with accepted norms and thresholds. Software can also play an important role in communicating and documenting acceptance and understanding of policies, as well as in providing training on behavior expected of employees with regards to sexual harassment, bribery, etc.
