by Jan Gardiner, CPA, GRC Solution Management, SAP

My Fictional Day Begins… By Carla

After I drag myself out of bed and finish my morning ablutions, I sit down with coffee and cereal to read the latest Federal Register followed by Compliance Today and a few industry publications. I make notes as I go of any regulation changes relevant to my job. You see, the company is extremely interested in avoiding compliance risk—and to be honest, it makes my work life miserable.

Oh, pardon me, I should introduce myself. I am Carla Franco, a working manager of a purchasing team within a large global enterprise. I can’t tell you the company name, but you would recognize it immediately.

My job description says, in short, that our team is responsible for finding reliable suppliers who offer quality materials with the right price, availability, and terms. We prepare and process purchase requisitions and purchase orders, adhering to strict company policies and ensuring that suppliers perform as required. I am, of course, responsible for supervising my team, which involves hiring, training, evaluating, and a lot more.

However, our upper management seems to expect that we all become GRC experts, and then they wonder why we spend so much time on compliance and not on doing the most important part of our jobs—you know, the things that add value to the company overall.

Anyway, I get to the office and find that our compliance and controls system has notified me that approvals are needed and control issues exist. I log in to the system and stumble my way around, but I’m not a GRC expert, so this is somewhat painful for me. To be honest, I keep a “cheat sheet” just to find what I need to do and how to do it.

I manage to work my way through the tasks, only to find that I have several e-mails from our internal auditors, who want my team to pull process documentation—some of which is still in Excel. They want my written assessment of whether our controls are operating as designed and are effective. …And of course they want it “yesterday”!

I am probably complaining too much, but really, should I need to spend so much of my time trying to be a GRC expert when I am not? Is this the best use of my time? Isn’t there a better way?

Yes, There Is a Better Way

While the preceding story is fictional and extreme to make a point, I regularly meet customers who say that they would like to get their business users more involved in the compliance, control, or risk management processes. However, their business users already have “day jobs” and do not start each morning saying, “Can I ‘do GRC’ today?” The thought is laughable.

So, how do you win over end users? Without getting into a philosophical discussion of enlightened self-interest, I think it’s safe to say that there is a certain amount of self-interest involved, but most employees also want to do a good job for the company to help it succeed. With that in mind, my simple thought is this: make the end users’ jobs easier, less time-consuming, and more fulfilling. How?

  1. Don’t “do GRC,” but instead build good GRC practices into daily processes, using terminology business users understand. Then you can send a message to users: “Don’t do GRC, do your job.”
  2. Strive for targeted “zero-training” applications that present only what an end user needs to do or see—nothing else. Who wants to spend time and money on user training if it doesn’t improve their core skills?
  3. Automate what you can to minimize manual work while providing high quality results, so users realize a net time benefit. Better work, less time needed to do it? It’s a no-brainer.
  4. Favor small tasks done frequently over large ones done infrequently. If the job is too big, even the best employees will hesitate to get started. I’m sure you’ve heard the whale metaphor: “How do you eat a whale? One bite at a time.”
  5. Manage exceptions, not everything. To keep going with the whale-eating metaphor (apologies to any whales among my readers), it’s also easier to eat a much smaller whale.
  6. Do once, use many. By appropriate sharing and integration of information, not only do you help break down organizational silos and avoid doing the same work multiple times—but you also ensure that everyone is working with the same information.
  7. Encourage a little friendly competition to help keep things interesting and encourage creative thought. Comparative trends and metrics can be useful not only for management.

So, whether you see these tips as “do more with less” or just common sense, they can help business users drive continuous improvement and good practices.

Real-Life Examples

Let’s look at just three quick examples.

One SAP customer I know involves their business users in evaluating internal controls using offline forms. The users, most of whom never log in to the SAP Process Control application, receive an e-mail with an offline form attached. Each user opens the e-mail, completes the form, and submits it via e-mail. The system processes it and imports it back into SAP Process Control.

No muss, no fuss, and very limited training on form usage—just on how the company wants the controls to be evaluated. The auditors benefit too—the users are more involved, and the auditors can go directly to the system for the information they need instead of taking up user time. (Not that business users don’t like to take time to fulfill auditor requests, but….)

Another customer found users spent too much time doing routine work like analyzing master data and transactions for errors or anomalies. The users, it seemed, were combing through a variety of reports to locate questionable items. Because it was a lot of work, it often got put off to the end of a quarter—usually when things were most hectic—and sometimes it didn’t get done at all. No surprise.

They substituted semi-automated processes where SAP Process Control rules located the exceptions and routed them directly to the right user for review. So the quantity of data reviewed was minimized and the frequency of reviews was increased. The user then did the review, documented his/her findings and conclusions, and fixed any resulting issues. No more end-of-quarter bottlenecks, late nights, and headaches—and issues were found and resolved sooner.

An internal controls manager told me their company openly encouraged competition among different groups (e.g., departments and locations) by ensuring that business users had metrics available not only for their organization but for other “competing” organizations. He reported that since the information began to be shared, with top-performing organizations receiving recognition, there was steady improvement by all organizations. His view: A little friendly competition never hurts.

In Conclusion

These are just a couple of thoughts I’d like to share. I’d welcome hearing about what your company is doing, what’s working, and what isn’t.