About Us

The Decision Factor offers insightful comments and observations on analytics—from views on new technology approaches and market dynamics to the latest industry trends driving demand for faster, smarter information analysis. This blog contains personal views, thoughts, and opinions from SAP employees, mentors, and friends working in the area of analytics. It’s not endorsed by SAP nor does it constitute an official communication of SAP.

GRC Technology Can Bring Much More than Compliance and Good Risk Management

Business activity monitoring (BAM) and business process management (BPM) are great ideas that have been around for quite some time. They have also developed significantly since the early 2000s, giving birth to a number of tools and technology solutions to support companies’ BAM/BPM programs. However, implementing these programs and the related tools has proved challenging to say the least. Not uncommonly, large, costly BAM/BPM projects have been abandoned by several companies for lack of results and insurmountable hurdles like integration issues, customization efforts, maintenance nightmares, and so on.

Mounting External Pressures

In parallel, external impositions have increased on companies …

The Effective Audit Engagement

So far, I have discussed “What Should Auditors Audit?” and “The Risks to Include in the Audit Plan.”

Now I want to talk about how we should staff the audit engagement and how technology can help us. We already know the risks that will be addressed in the engagement and whether it will be an assurance or an advisory (or consulting) project.

So, Who Needs to Be on the Project and for How Long?

I like my audits …

The Risks to Include in the Audit Plan

In my last post, I discussed “What Should Auditors Audit?” My answer was that internal audit should address the risks that matter to the organization, its board, and executive management team:

“All risks that could affect the achievement of corporate goals, including unstated objectives such as compliance and safety, are prioritized and the top ones considered for inclusion in the audit plan.”

I also explained that, “When internal auditors provide insight and even foresight on the risks that matter, their work matters to the board and top …

Risk Management Is Only for Big Companies

Now there’s a sentence I have heard many, many times! I believe this assumption comes from the association that risk management equals management of compliance risks, which applies mostly to regulated companies or public companies.

As we’ve already discussed many times in these blogs, this is a misconception – compliance risks only compose one risk category that deserves to be managed. It certainly doesn’t define a complete risk management scope.

All companies manage risks since they’re inherent to any production or service delivery activity. For instance, small and medium enterprises (SMEs) might manage:

Treasury risks: suppliers and employees aren’t …

Why Speed Matters to GRC

The Art of Speed: 2009

About five years ago, I was sitting beside a pool in Palm Springs while on a winter vacation when my phone rang. It was one of my credit card providers calling to tell me my credit card had been stolen. That’s right, they were telling me – not asking me.

They explained that over the previous four days, my card had been used at a college bookstore and a college pub, and several other places I had not ever frequented, even though I routinely traveled around the world on business. The expenditures were modest, probably …

Risk Management Project – Where Do I Start?

Whenever I talk to customers that decide to embark on a risk management project, and wherever they are in the world, one question always kick-starts the conversation: So, where do I start?

As a matter of fact, when writing this post, I was kicking myself: Why didn’t I start my blog postings with this topic first? I should have indeed, and I do apologize that it comes so late. It seems that we all want to see the results of a project and invite people to the house warming party before we even lay its foundations…

For all risk …

What Should Auditors Audit?

In the past, auditors were famous for finding problems. They audited a process, business unit, or location and found “weaknesses” in internal control. These were then prioritized based on the auditors’ assessment of the risk they represented.

These days, leading internal audit teams are moving from this idea of auditing controls, sometimes called controls assurance, to auditing whether management’s processes, systems, and organization (which include controls) provide reasonable assurance that risks are at acceptable levels.

They are moving from controls assurance to risk assurance.

They are also moving from auditing the past (hindsight) to providing insight on current activities and …

GRC and Golf: Games of Honor

I was sitting in my backyard yesterday, which overlooks a golf course in Anthem, Arizona, and my mind was wandering as I thought about the topic for my next blog. Just for the fun of it, I thought about some key aspects of golf that might be applicable to governance, risk, and compliance. If you are a golfer, you’ve probably heard some of this before—but I’m guessing you’ve never heard this applied to GRC.

Perhaps the US Golf Association (USGA) says it best in an excerpt from The Human Element:

“Golf is …

Is Business Continuity a Separate Activity?

During a recent breakfast event, I was having a coffee with two security managers who were in charge of business continuity for their organizations: one was from the IT department and the other one was a business operations manager.

The questions our debate revolved around were: Who should be the most significant contributor to business continuity activities, and should continuity management be a separate activity?

Interestingly, we all agreed that we saw more and more business continuity management reaching outside the IT domain, where it historically focused on IT disaster recovery planning and information security, to a more business-process …

GRC Is NOT My Life

My Fictional Day Begins…. By Carla

After I drag myself out of bed and finish my morning ablutions, I sit down with coffee and cereal to read the latest Federal Register followed by Compliance Today and a few industry publications. I make notes as I go of any regulation changes relevant to my job. You see, the company is extremely interested in avoiding compliance risk—and to be honest, it makes my work life miserable.

Oh, pardon me, I should introduce myself. I am Carla Franco, a working manager of a purchasing team within a large global enterprise. I can’t …