SAP SapphireNOW 2015, Orlando, USA

SAP recently announced SAP Cloud for Analytics, a planned software as a service (SaaS) offering that aims to bring all analytics capabilities into one solution for an unparalleled user experience (UX). The intent is for organizations to use this one solution to enable employees to track performance, analyze trends, predict, and collaborate to make informed decisions and improve business outcomes.

To me this sounds a lot like the mandate of governance, risk and compliance.

The Digital Boardroom

At SAP we’ve already begun to imagine a digital boardroom. As part of our Analytics business, my colleagues and I in governance, risk and compliance (GRC) are keenly aware of the contribution our solutions can make to improving business decisions and business outcomes. But is the world of GRC ready for the digital boardroom?

And if the Three Lines of Defense is the framework we are advocating, what can we digitize for the digital boardroom? There is plenty of literature on implementing the Three Lines of Defense, and I am basing much of this blog on the IIA’s guidance. However, that guidance does not say what to report or how to report it.

Five Requirements for Claiming a Seat at the Digital Boardroom

  1. Reporting by the first line of defense – operating management

Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. How can this be reported? One of my colleagues mocked up the report below. It illustrates a possible report on the management of controls in a particular area. It’s a useful beginning. But if the digital boardroom is supposed to drive better outcomes, we need to find a way to illustrate the impact of those controls on performance, not just their status.

Figure 1


  2. Reporting by the second line of defense – risk management and compliance

Management establishes various risk management and compliance functions to help build and/or monitor controls for the first line of defense. What would it take to understand the effectiveness of first-line-of-defense controls? A few years ago, I mocked up a simple app that aggregated losses and incidents by risk category. The best way to understand control effectiveness is to understand the losses and incidents that actually occurred. If the second line of defense classifies the root cause of each issue and loss, the Board can make intelligent decisions and come to sound conclusions. Right now the Board gets subjective opinions on control effectiveness from assurance providers. Control effectiveness opinions are not comforting to me. They make sense only when objective information is not available. I would prefer the facts, and I believe the Digital Board wants its facts digitized.

Figure 2


  3. Reporting by the third line of defense – internal audit

Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. So how do we digitize “assurance”? I have asked myself this question for years. In my view internal audit can add value by “painting a picture” of the world of governance, risk and compliance. One way to do this is by showing how the organization conforms to a set of criteria.

There are many sets of criteria. The Committee of Sponsoring Organizations (COSO) provides one. The International Organization for Standardization (ISO) provides others. OCEG provides yet another, specifically the GRC Capability Model, a detailed set of criteria designed to help organizations achieve principled performance.

Figure 3

The Role of Analytics

Reporting to the digital boardroom will require classifying and tagging information and then slicing, dicing, and visualizing it. That is what analytics tools and BI solutions do. It is close to the opposite of reporting opinions on control and risk effectiveness: it is reporting control and risk facts. Nothing less will do.

Uncharted Territory

The digital boardroom will take the Three Lines of Defense and GRC generally into uncharted territory. If we as GRC professionals have anything to say, it had better be digital and it had better be useful.

As always, I am interested in your comments. The Three Lines of Defense concept is far from perfect but as I have suggested in my earlier blogs it is a sound basis for collaboration and a fine starting point.

How do you report on GRC topics to your Board today? Do they read your reports? Are they visual? What do you see in the future?

Are you interested in discussing the subject in person with other GRC professionals? Join our Three Lines of Defense workshop at the SAP Conference for Financial Planning, Consolidation and Controls. Right now we have a limited number of free passes available for SAP customers.
