Rat2Recent research commissioned and published by SAP (Managing risk in an age of complexity) reveals a startling conclusion that seems to reinforce the notion that complexity is a problem for GRC professionals.

“GRC is characterised by increased complexity. This, alongside pressures from the business to prove effectiveness, is creating significant challenges for GRC professionals.”

Complexity is a Symptom Not a Problem

I have a contrarian view. Let’s look at this more carefully.

A couple of weeks ago I published a blog that introduced the notion of “control management”. (It’s rare to see those two words used together).In 2015, with the tools, skills, resources, and knowledge we have at our disposal, the idea that complexity makes business more challenging is silly. Complexity is not the problem. It’s a symptom.

Cars are more complex than ever with more regulations, higher speeds, and more traffic. Driving a modern automobile is simpler than ever.

Aviation is more complex. There’s more aircraft, more destinations, more congestion, more threats, and more regulations. Booking a ticket, getting a boarding pass, and flying to anywhere in the word is simple.  (Comfort is another matter).

The internet is complex. But finding and ordering a book, and getting it delivered the same or the next day, is simple.

Control Management Must Simplify GRC

Here’s another finding in the research mentioned above:

“Control failure is seen to be the second biggest risk to organizations over the next two years, behind competitive forces.

I think this finding proves my point.

In most business endeavors, complexity is being addressed and simplified. If business is more complex and managing a business is more difficult, my belief is that we have failed, not as risk managers but as control managers.

Let’s look at some simple examples I have seen in some companies. And these are really simple tasks we make complex. Examples are:

Selecting a vendor, and procuring and paying for goods and services requires so many sign-offs and steps that business opportunities, as well as discounts, are lost.

Employees spend hours inputting data in needlessly complex, error prone, expense account systems

Documentation, assessment, and testing of (bad) controls is a major and complex task, consuming scarce and expensive resources.

We have the notion that controls are supposed to be “effective”. It’s an abstract thought that does not bear close scrutiny. Many businesses with “effective” controls go bankrupt. Most businesses with “effective” controls complain about complexity.

Report Card on Control Management

The concept of control management is new.

My contention is that controls are simply not seen as a manageable dimension of the business. The outcome is the belief that more controls are always better, that controls all work the same way, and that only experts know enough to implement them. It’s quite similar to herbal medicine. Some of its good, some of its bad. Pick the expert you agree with and just believe.

Control Management Report Card Report Card Letter grade
Use the minimum , number of necessary controls to achieve an objective D
Automate controls wherever possible F
Consciously design controls to adapt to human behavior F
Push accountability for controls to the business D
Hold people accountable, don’t blame controls for human failure F
Manage controls strategically F
Design controls to reduce complexity F


One Last Research Finding

Wherever complex environments have been simplified, one factor stands out. In all cases controls have been automated.

What does our recent research tell us about control automation in GRC? Only 15% believe continuous control monitoring is extremely effective and 17% believe continuous risk monitoring is extremely effective.

I went back to the researchers for an explanation. They explained that the reason the results seemed low was not a reflection of the value of automation and continuous monitoring, it was a reflection of the fact that very few companies were using either technique.

Expect complexity to remain a big issue for GRC.

I’m always interested in your feedback. What is your experience with control automation and continuous monitoring of risks and controls? Do you think controls are a manageable dimension of the business? What’s your suggestion for reducing complexity?