Archive for the ‘Post of Note’ Category
Posted on June 2nd, 2008 by Steve Elliott »Permalink
My friends in the governance, risk and compliance world tell me that this year’s major industry conferences like SAP GRC 2008, COLLABORATE-08 and ASUG 2008 all point in one direction as far as continuous controls monitoring goes – companies are hungry for an end-to-end approach that goes beyond separation of duties (SoD) and Sarbanes Oxley (SOX) compliance to what we at Approva call an integrated Controls Intelligence strategy. What do we mean by that? Currently, a huge majority of companies are using the piecemeal approach to continuous monitoring, kind of like making sure the doors and windows of your house are shut and the fire alarm is working. But we all know that the ADT security system is the protection net that keeps you at peace while you are at the beach. The Approva Controls Intelligence solution is like the ADT system ensuring all critical company assets are protected, be it financial, IT, business processes.
But more importantly, have you switched to a controls intelligence platform that provides you an end-to-end solution to governance, risk and compliance? Most recently, Approva has developed the BizRights Version 4.1 that takes a targeted approach to user access and system configuration monitoring, whether they’re using Oracle, PeopleSoft, SAP, or another ERP system.
With Approva BizRights 4.1 Controls Intelligence Suite, we’ve given our customers access to something that no one else can offer – accurate, unified views of their enterprise-wide controls environment. This allows them to bring financial controls together with IT so that they can independently validate the state of their controls, without worrying about their ERP vendor’s release schedule.
This adds a one-of-a-kind element of speed and visibility to controls that helps our users reduce risk, speeds up operations, bolsters enterprise security and lessens compliance obligations. BizRights 4.1 also gives our Oracle and PeopleSoft customers something we think they’ll really appreciate – a performance-driven controls monitoring solution that bolsters enterprise security and protects the company’s resources from unmitigated risks. Here’s what Treasury & Risk Management magazine had to say about Approva’s BizRights Version 4.1.
So if your company is considering taking its risk and compliance strategy to the next level, please take a look at how some of our customers have optimized the Approva BizRights Controls Intelligence solution to achieve far-reaching results in their compliance efforts.
Tags: Tags: BizRights, controls intelligence, Approva
Posted on May 16th, 2008 by Silas Matteson »Permalink
Is GRC a market category, or a set of features & functions within other existing market categories? That’s a debate for Industry analysts, which is what they do best. Frankly, I’m not sure Global 2000 companies are that worried about it. I think what they are concerned about is how to better manage the internal controls that help keep their businesses from veering off the highway and into a ditch of waste, fraud or corporate malfeasance.
Today, so many products get lumped into the category of GRC that it makes it hard for the casual observer to understand the differences.
Historically, I lump products into 2 simple categories:
1) Products that document and report on controls within a business and
2) Products that test & analyze controls.
Maybe an analogy will help; think of a student taking a class. All the materials the teacher uses to teach, from lecture notes and handouts to labs –even the student’s final report card — are the documentation products. Everything associated with the quizzes and exams the student takes, on the other hand, are the testing products.
The testing products determine what information a student should know about the class and measures how well they actually performed in meeting those objectives. Where this all gets more complicated are students or corporations take more than one class.
In today’s market, most “GRC” products support one student – one class, and the teachers have little input to the tests the student take to measure the effectiveness of the class and the teacher. In other words, the documentation products and the testing products are largely independent of each other and they tend to focus in subsets of business functions, control areas, and compliance programs.
You can probably guess how we need the “GRC” products to evolve. First, the two primary categories of products need to become more closely aligned and integrated. The tests need to reflect the documentation and vice versa. Secondly, we need an enterprise view; a corporation is not one student taking one class. The GRC products need to support controls across all business functions within the entire corporation including financial controls, operational controls and IT controls. Third, the GRC products need to support all compliance programs and transform the results into actionable business information that will support a diverse audience of executives, business process owners and auditors.
At Approva, one of our interests is in how to take testing to the next level. This means testing more controls, streamlining the processes for resolving and mitigating control weaknesses and using the results of the tests to drive business efficiencies and effectiveness.
Measuring against a control objective or standard is a problem that has been solved. The future lies in using information from controls testing to drive business improvement. How? Why not use the results from the tests to change the way the business operates so these problems can be prevented? Why not use the results to make predictions about potential future control breakdowns? Why not use the results to give business leaders better visibility into the areas of their business that needs attention? Better visibility makes for better decisions. Better decisions make for better run businesses. Now that’s a class that’s easy to understand but hard to get an A in.
Tags: GRC, governance, risk & compliance, controls intelligence
Posted on May 1st, 2008 by Julie Garland McLellan »Permalink
This is the most important aspect of board governance. The oversight function is the absolute minimum that investors and owners have a right to expect from boards. Some boards are too focused on simply providing the minimum.
Board members should, individually and collectively, have experience of business and community life that will enable them to add value to the organisation as well as to effectively monitor its operations. They add this value by the insights they bring.
Oversight is looking at a function and asking the compliance related questions:
• Should we be doing this?
• Are we doing this correctly?
• Are the right people doing this and do they have the right tools and training?
Insight comes when the board start ask questions about performance such as:
• Are these activities the best activities for generating the results we want?
• If they are the best activities, could we do them more effectively or efficiently?
• What would help our people to be more effective?
• Who does these activities better than we do and what could we learn from them?
An insightful board will challenge and support the President or CEO by helping to keep the organisation focused on outcomes rather than processes.
Foresight comes when the board can predict aspects of future performance by monitoring current KPIs. A board with foresight is able to look at the evolving corporate landscape and ask questions such as:
• What activities will be required in the future?
• What must we learn now to be more effective in the future?
• How will we track that our people are learning the required skills?
• When should we start to deploy new activities?
It is important to remember that the oversight role is the foundation for the insight role. No board can sensibly offer advice on improving performance if there is any doubt about the veracity of the information they are basing their insights upon. Similarly the board must have appropriate good quality data from their performance insight to be able to make any use of their instincts regarding foresight. Attempting to move to a higher level without the data from the lower levels is dangerous; it can leave a board exposed to making decisions that do not stand the test of later analysis.
Attempting to govern a successful company without progressing from oversight to foresight is also dangerous. The board can become trapped in old paradigm thinking and performance can deteriorate to a point where future options are limited by lack of resources. Boards must have confidence in their data to be able to move successfully through from oversight to insight and then to foresight so that their organisation moves from compliance to performance to sustained competitive advantage.
Tags: corporate boards, risk management, compliance
Posted on April 24th, 2008 by Julie Garland McLellan »Permalink
Have you recently read any articles about what your board should be focused on? Was it bird-flu, Internet portals, Terrorism or some other fad?
I wish I had a dollar for every article on the latest buzz-word that every board should worry about. Or fifty cents for every list of twenty questions board members should ask about the craze. I would hate to be on a board that was so easily sidetracked from their real concern; running the company so that it achieves what it was set up to achieve.
In some great research from Australia, Neil Buck surveyed real company directors on what risks they thought most likely to impact their companies. His initiative revealed 16 categories of risk which, when read by company directors, were recognised as things they worry about.
I have followed up on that research and interviewed 241 company directors on the big risks facing their company. Unsurprisingly the number one risk was financial but (sad news for the audit community) it was not financial statement misstatement or fraud, but simple cash flow risk that kept directors awake at night. Fixing this is a question of strengthening the business. Improving reporting or ticking boxes in the board room won’t help.
Directors the world over are focused (as they should be) on running businesses to generate wealth (or benefits in a not-for-profit context) in an environmentally and socially acceptable manner. If bird flu is important for the business they will focus on that. If not, they should focus on what is important for their business.
Directors can rely on their own judgement to help them to evaluate such things. They may get it wrong occasionally (all boards, when they are being honest, have a decision they regret in their history) but it rarely is so wrong that they can’t fix it. Unless, of course, they are rushing from one fad to the next without pause for thought.
Anyone who suggests that every possible risk should be a board focus is either totally inexperienced in the board room or hoping to sell your board something. For optimum results, focus your board on what is important for your organisation by holding an annual discussion of strategic aims and current targets. Forget the current fashion and just talk about what the organisation needs to achieve and what are the risks that threaten that achievement.
You will be amazed by the power that the board can generate and the value that they can add.
Tags: corporate boards, risk management
Julie Garland McLellan is a professional company director and corporate governance consultant. Her book “All Above Board” is a practical manual for government sector boards. Julie delivers practical boardroom training and performance assessments that empower boards to achieve results. Readers are invited to subscribe to her newsletter ‘The Director’s Dilemma” free of charge until 1 January 2009.
