
Real Answers to real problems June 3, 2007

Posted by Amit Chatterjee in Business User, Enterprise Software, Governance, GRC, Uncategorized.

Last week Dennis Howlett wanted a response to some real problems.  I thought I would go ahead and provide some thoughts back to him for a good discussion.

Cost of Fraud 

In his piece, Dennis asks how to manage against error, fraud and deliberate acts of omission. The funny thing is that this is exactly what enterprise software was designed to do. I was told the story of a CFO of a large oil and gas company, who recounted how an honest mistake could have undermined his company. The simple story was that a clerk was given the task of distributing $1 million dollars amongst 1,000 retail gas station owners as a way of saying thank you. Unfortunately that clerk misunderstood, and instead of sending $1,000 per owner, this person sent $1 million dollars to each owner. By simply establishing proper automated controls (not SOx compliance software), companies can avoid this.

The PCAOB estimates that in 2005, $675 billion dollars was lost to financial fraud (read error, omission, etc.). That equates to $20,231 dollars per second. Given it takes you 5 min to read this blog, that will be a cool $100k lost. Which is why what the software vendors create cannot focus on a piece of legislation; the focus has to be on the business. Most of the proliferation of software options today came about because those vendors chased SOx, Basel II or OSHA, and that was a mistake. We showed up 3 years after SOx because now is the time for a proper, disciplined approach to managing controls and compliance in the organization. It is not about meeting one requirement, but about establishing a patterned approach to address corporate needs around controls across regional, system, and line-of-business regulatory issues.

Forest for the Trees

Dennis also points out that controls can be stifling. I agree; too many controls lead to false positives. We don't believe that systems or business processes should be throttled with control points every step of the way. That is why we always suggest that customers consult with a knowledgeable audit partner (Protiviti, Deloitte, PwC) to ensure that, when setting up their controls, they identify the right controls that will protect their business.

I often encounter companies that are still trying to reduce the controls they manage from 160,000 to 80,000. Often they acknowledge that the material number of controls that ensure their business is an ongoing concern is much smaller (more like 5,000 or 500). Leveraging software and services from the above partners helps customers quickly scale down the management of controls to a materially relevant set. More importantly, scaling down allows software automation to manage the mundane, while the true control events are surfaced for humans to interact with. We move away from humans as middleware and provide a more strategic use of human resources.

It is the roadmap that makes the difference

I saw something Dennis referred to as a "fire blanket" approach, and he prefers that we suggest an approach to help companies "evolve." Dennis and our customers are both in luck. In fact, we have adopted AMR's Maturity Model to help companies determine which tools, and when in their evolution, they should begin adopting various elements of GRC. We firmly believe that the story for true success is built through a roadmap rather than assuming any company can consume all elements of GRC at once.

Through this journey, we will have customers that can truly showcase a GRC story. I know that right now our success stories don't tell that story, but we are on our way to making customers satisfied to the point where they become true showcases of the GRC platform for SAP.

Updating the site

I know I promised to get some fancy assistance, but for some reason that has not materialized. So I went ahead and managed to update some of the natural widgets that made sense to deploy here. Please send your feedback on whether it is an improvement or not.



1. An Oracle take on GRC « AccMan - June 5, 2007

[…] either/or approach to GRC? SAPs argument has been well rehearsed but at present it comes down to a roadmap supported by an architecture. Oracle’s is more what I would call the ‘bag of […]
