About Us

The Decision Factor offers insightful comments and observations on analytics—from views on new technology approaches and market dynamics to the latest industry trends driving demand for faster, smarter information analysis. This blog contains personal views, thoughts, and opinions from SAP employees, mentors, and friends working in the area of analytics. It’s not endorsed by SAP nor does it constitute an official communication of SAP.

Archives

GRC and Golf: Games of Honor

I was sitting in my backyard yesterday, which overlooks a golf course in Anthem, Arizona, and my mind was wandering as I thought about the topic for my next blog. Just for the fun of it, I thought about some key aspects of golf that might be applicable to governance, risk, and compliance. If you are a golfer, you’ve probably heard some of this before—but I’m guessing you’ve never heard this applied to GRC.

Perhaps the US Golf Association (USGA) says it best in an excerpt from The Human Element:

“Golf is …

Is Business Continuity a Separate Activity?

During a recent breakfast event, I was having a coffee with two security managers who were in charge of business continuity for their organizations: one was from the IT department and the other one was a business operations manager.

The questions our debate revolved around were: Who should be the most significant contributor to business continuity activities, and should continuity management be a separate activity?

Interestingly, we all agreed that we saw more and more business continuity management reaching outside the IT domain, where it historically focused on IT disaster recovery planning and information security, to a more business-process …

GRC Is NOT My Life

My Fictional Day Begins…. By Carla

After I drag myself out of bed and finish my morning ablutions, I sit down with coffee and cereal to read the latest Federal Register followed by Compliance Today and a few industry publications. I make notes as I go of any regulation changes relevant to my job. You see, the company is extremely interested in avoiding compliance risk—and to be honest, it makes my work life miserable.

Oh, pardon me, I should introduce myself. I am Carla Franco, a working manager of a purchasing team within a large global enterprise. I can’t …

Monitoring Risk and Control Deficiencies – Who’s Responsible?

Who’s responsible for ensuring that corrective actions to remedy issues identified by internal audit are completed?

Management is responsible for the system of internal control as well as for managing risk. Management is responsible for correcting deficiencies either in controls or in the management of risk, whoever identified them.

So why does internal audit, more often than not, monitor completion of these actions? Why should they be the ones that report progress to the audit committee and executive management?

Internal audit certainly has an interest in seeing these actions taken. Not only does it mean that their recommendations for change …

The Critical Role of Marketing Executives in the Risk Management Process

From my experience, marketing executives are often involved in the risk management process quite late – usually to manage the communication aspect of a crisis. Therefore, they’re only involved when the risk has transformed into a critical incident and the company is in a defensive mode.

I strongly believe that marketing executives can bring a lot to the table for a proactive risk management approach. This would notably help in monitoring the reputational risk and protecting the brand from adverse events.

As we all know, communication channels have exponentially expanded in the last few years to reach volumes that …

Auditing on an iPad: The Opportunity of Big Data

In my last blog of this series, I discussed the value of data analytics to help organizations provide greater assurance over data integrity. I used the example of an insurance company, which was able to use data analytics to more accurately identify potential fraud prior to claim payment.

But just consider the data sources here. For this analysis to be accurate, it will involve more than just financial records. The age, location, gender, income level, and socio-economic background are just some of the additional factors that, together, can allow more accurate identification …

Auditing on an iPad: The Bell Tolls for Audit Sampling

Redefining the Role of Internal Audit: Avoiding Redundancy

Over the last month, I’ve been looking at the results of surveys conducted by the Big Four accounting firms regarding internal audit. The messages are pretty consistent—audit departments need to pick up their game. They need to provide more proactive advice to stakeholders. The move from policeman to trusted advisor is requiring broader operational skills within the audit department.

But most importantly, auditors need to leverage technology more effectively. As I discussed in the first blog of this series, mobile-enabled audit management products provide an important opportunity to make the process of …

Key Risk Indicators in a Sound Risk Management Process: What Are They Really?

Misunderstanding Risk and Controls

For many people, risk management helps companies make sure that their compliance risks are monitored and that they have controls in place to take care of them.

Personally, I strongly believe that risk management is much more than that – it helps companies really steer their business, avoid roadblocks, seize opportunities, and react appropriately.

Key Risk Indicators (KRIs) are indicators of the possibility of a future adverse impact on the organization. They serve as an early warning system to the stakeholders and enable preventive action to be taken directly on the risks and opportunities flagged.

In that sense, they …

Dead Rats in Risk Management

It seems that almost every day I read blogs or articles in professional journals lamenting the fact that business executives aren’t supporting risk management initiatives in their business or not consuming the reports and conclusions of their risk management professionals.

In addition, we see evidence regularly in the press that risk management is failing and that catastrophic and harmful losses persist. There’s a reason for this. Risk management practices embrace beliefs and methodologies that create “apparently” profound reports—but instead it’s ponderous and essentially useless information. It results in inert, albeit attention-grabbing, charts and graphs.

I call them dead …

Dead Rats and GRC

GRC Quiz:

Please select the best answer:

1. A flight attendant in a commercial airliner notices smoke coming from the stove in the rear galley. He is trained to:

a. Immediately contact the pilot and report a “material weakness” in the smoke detection system.

b. Immediately contact the pilot and report smoke coming from the stove in the galley.

2. You are awoken in your home in the middle of the night by the sound of intruders. You should:

a. Immediately call the police and report a “key risk indicator.”

b. Immediately …