Despite greater attention to risk from corporate leadership, many teams responsible for governance, risk and compliance (GRC) activities are still trying to make do with manual processes.
Even with the increasing complexity of today’s risk environments and the stakes involved, many organisations are not keeping pace. Rather than take advantage of automated reporting and monitoring capabilities with centralised information management, GRC professionals are expected to struggle through - with spreadsheets, disconnected data and an exceptional knowledge of their users and rule-sets.
Many boards find it challenging to support a business case to justify the investment in modern GRC tooling, often unaware of the hidden costs and limitations their current approach creates. Few CXOs react positively to scaremongering and most would prefer to spend money on a growth-linked initiative rather than on a system to safeguard the business and reduce its risk exposure.
However, if the hidden costs of a manual approach were more obvious, it is likely that more business leaders would support the case for investment.
SAP security & controls
If you work in an organisation that relies on SAP to run many aspects of its business, the scenario described above will sound all too familiar. You may have an in-house team, some degree of automation and centralisation already, but probably feel that more should be done. You may even feel your business is carrying an unacceptable level of avoidable risk and it’s your job to make senior management more aware.
A great way to improve understanding is to demonstrate the inherent costs and potential impact of your current processes and tools. This can be achieved by clearly breaking down your direct and indirect costs.
Direct costs are a result of the time spent on tasks and resolving issues, as well as delays caused by manual processes, such as waiting on access approvals. Indirect costs occur as a by-product of the manual approach and are linked to your organisation’s increased risk exposure. It is the possible ‘collateral damage’ created by GRC inefficiencies, such as regulatory penalties and legal liability.
Indirect costs are also attributable to the time misspent by SAP security and GRC practitioners - carrying out activities that would not be necessary were a more effective process already in place. Examples include repeated audit remediation, chasing red herrings as a result of inadequate risk information and the manual collation of data for reporting purposes.
Piece this jigsaw together with accuracy and true granularity, and there is no doubt that the cumulative cost will significantly outweigh the investment needed in a GRC improvement programme and/or technology.
Spreadsheets, manual processes and a photographic memory may be sufficient in low complexity situations, but are an unsustainable means of managing SAP security and controls in larger enterprises.
As a business expands, the SAP landscape gets bigger and bigger. You will need to cater for more users, roles, access authorisations, segregation of duties (SoD) risks, as well as implement more controls. Then add into the mix the challenge of doing this in an organisation that makes the whole process a constant moving target.
Any number of related issues and initiatives will have an impact - the integration of new systems (through M&A for example), new SAP functionality and HANA environments, shadow IT practices, adapting to new regulations (such as GDPR) and changing business operations.
With so many role combinations, variations and conflicts, it becomes impossible for internal teams to cover everything manually. Your key resources become less and less productive and the number of errors made continues to rise.
Also, when you're doing things manually, you're constantly making judgements about areas you might want to check. It's too labour-intensive to actually check them all, so instead you rely on a small sample, because you don't have the time to do it all thoroughly. With an automated tool, every transaction can be checked, so there is no margin for error.
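As an added illustration (not code from the original post), here is a small Python script that runs an SoD check over every user's effective transaction access rather than a sample, and reports what a sample-based check would have missed. The roles, user assignments, transaction codes and ruleset are constructed and illustrative, not a vendor ruleset.

```python
from itertools import chain
# Constructed SoD ruleset (illustrative, not a vendor ruleset): a user is in conflict
# when their effective access contains a tcode from BOTH sides of a rule.
SOD_RULES = {
    "P001": ({"XK01", "FK01"}, {"FB60", "MIRO"}),   # maintain vendor master + post vendor invoice
    "P002": ({"ME21N"}, {"ME28", "ME29N"}),         # create purchase order + release purchase order
    "F001": ({"FI01", "FI02"}, {"F110"}),           # maintain bank master + execute payment run
}

# Constructed role contents and user assignments (assumption: names are illustrative).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_MASTER": {"XK01", "XK02", "FK01"},
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_PO_RELEASE": {"ME28", "ME29N"},
    "Z_TREASURY": {"F110", "FI01"},
    "Z_DISPLAY_ONLY": {"FB03", "ME23N", "XK03"},
}
USER_ROLES = {
    "ALICE": ["Z_AP_CLERK", "Z_DISPLAY_ONLY"],
    "BOB": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],   # P001: conflict only appears across two roles
    "CAROL": ["Z_BUYER", "Z_PO_RELEASE"],        # P002
    "DAVE": ["Z_TREASURY"],                      # F001: conflict baked into a single role
    "EVE": ["Z_DISPLAY_ONLY"],
}

def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of all tcodes reachable through the user's assigned roles."""
    return set(chain.from_iterable(role_tcodes[r] for r in user_roles[user]))

def find_conflicts(users, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Map each user in `users` to the sorted list of SoD rule ids they violate."""
    hits = {}
    for user in users:
        access = effective_tcodes(user, user_roles, role_tcodes)
        violated = sorted(rid for rid, (side_a, side_b) in rules.items()
                          if access & side_a and access & side_b)
        if violated:
            hits[user] = violated
    return hits

def coverage_gap(sample):
    """Conflicts that checking only `sample` (instead of every user) would miss."""
    full = find_conflicts(USER_ROLES)
    return {u: r for u, r in full.items() if u not in sample}

if __name__ == "__main__":
    print(find_conflicts(USER_ROLES))               # every user checked
    print(coverage_gap(["ALICE", "CAROL", "EVE"]))  # what a three-user sample would miss
```

Note that DAVE's conflict lives inside a single role, so a review that only looks at users holding several roles would miss it as well.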
Here’s a list of typical direct costs:
- Time spent entering data
- Time spent creating risk reports
- Time spent disseminating reports
- Time wasted correcting errors
- Time wasted chasing unnecessary risks
Fundamentally, deciding to stick with the manual approach becomes a simple choice of either increasing your headcount or living with the consequences.
As complexity increases, so too do the direct costs associated with a manual or semi-automated approach. You quickly reach a tipping point where you’ll never have enough resources available, so your organisation has to be prepared to carry more risk.
It might be acceptable to run with as much risk as is tolerable. Some organisations thrive on the feeling of being agile, dynamic and risk-taking. However, what naturally occurs are more instances of risk manifesting itself in the business, which in turn adds more indirect costs, such as those listed below:
- Exposure to penalties and liabilities resulting from non-compliance
- Exposure to increased auditor scrutiny and corrective actions
- Exposure to reputational damage
- Exposure to fraud
- Exposure to business downtime and financial harm
The subjectivity that comes from a manual process with very limited insight means you cannot be aware of your actual risk status at any time. You are normally reliant on the knowledge of a few key people who know the process, understand the roles, the risks and so on. Risk is open to interpretation and highly prone to error.
Such a responsibility can weigh heavily on the shoulders of those responsible, which might lead them to provide leadership with the answers they want to hear. This ultimately could mean they decide to leave the organisation too, with all that personal knowledge and experience going with them.
With an automated tool you put in place a tightly controlled system that you simply can’t argue with. And it won’t hand in its notice during a critical period.
A final point on hidden costs relates to the technology deployment model. On-premise SAP security and GRC tools often incur significant ongoing costs in terms of implementation, fixes, patches, upgrades, downtime, hardware refreshes and so on. Often these aren’t all factored into a business case. Cloud-based solutions for SAP GRC offer an alternative approach, providing more predictability through a subscription fee that covers all costs, with the exception of configuration and training.
The most obvious indirect cost will come from your external auditors. You can’t avoid an audit cost completely, but you can avoid the constant requests for more information. If you can demonstrate that you’ve done GRC properly in the first place, there is likely to be minimal cost attached to any of your audit investigations. The additional upside is you can take advantage of the external audit process to have more productive conversations.
This can be a huge saving in effort when it comes to audit time. In most manual scenarios, you will be searching for paperwork and emails to respond to audit requests. This just increases time spent with auditors, ensuring they understand your manual processes - versus an automated one that allows you to direct them to a location, so they can find exactly what they need.
If you automate this process, then you’re quickly reducing both direct and indirect costs with an automated central repository of evidence for auditors – because it’s inherently captured in your GRC tool. You’re building the transparency, with the book of audit assertions and all the evidence in one place.
Put simply, the more manual your process and the more complex your organisation - the greater the risk your business will carry. Understandably, the senior leadership team, which isn’t dealing with the day-to-day challenges of manual GRC, will be unaware of what’s really happening and what is potentially being missed.
While it is essential to present the direct and indirect costs of a manual GRC approach to your board, it’s arguably more important to convey the burden it places on those having to run with it. This is often the true hidden cost.