
About Us

The Decision Factor offers insightful comments and observations on analytics—from views on new technology approaches and market dynamics to the latest industry trends driving demand for faster, smarter information analysis. This blog contains personal views, thoughts, and opinions from SAP employees, mentors, and friends working in the area of analytics. It’s not endorsed by SAP nor does it constitute an official communication of SAP.


Risk-Based…Well, Everything, Really!


Since I started working in GRC software, and actually even some time before when working on audit topics, a recurring concept has been risk-based auditing or similar denomination.

The intent here is to focus the audit function on the riskiest parts of the company in order to ensure that all high-profile risks are reviewed regularly, correctly monitored, and so on to protect the business from operational surprises.

Nevertheless, audit isn’t the only function that focuses its efforts on high-profile risk areas. Internal control and compliance departments have a similar approach, but called risk-based compliance, applied notably when performing a …

Bank Executives Weigh-In on Big Data’s Value for Managing Risk


If you’re a banker—anywhere in the world—the topic of risk management is near and dear to your heart. Since the 2008 financial crisis, it’s become even more front and center in the minds of most bankers and government regulators. This landscape is not getting simpler, but actually grows more complex by the day.

Regulations and scrutiny are increasing, reputations and revenues are at risk. More volatility in the market, rising demands of shareholders, customers, partners, and vendors, (not to mention technologies such as internet and mobile banking) are changing the risk profile that a bank must manage and respond to.

GRC Technology Can Bring Much More than Compliance and Good Risk Management


Business activity monitoring (BAM) and business process management (BPM) are great ideas that have been around for quite some time. They have also developed significantly since the early 2000s, giving birth to a number of tools and technology solutions to support companies’ BAM/BPM programs. However, implementing these programs and the related tools has proved challenging to say the least. Not uncommonly, large, costly BAM/BPM projects have been abandoned by several companies for lack of results and insurmountable hurdles like integration issues, customization efforts, maintenance nightmares, and so on.

Mounting External Pressures

In parallel, external impositions have increased on companies …

Risk Management Is Only for Big Companies


Now there’s a sentence I have heard many, many times! I believe this assumption comes from the association that risk management equals management of compliance risks, which applies mostly to regulated companies or public companies.

As we’ve already discussed many times in these blogs, this is a misconception – compliance risks only compose one risk category that deserves to be managed. It certainly doesn’t define a complete risk management scope.

All companies manage risks since they’re inherent to any production or service delivery activity. For instance, small and medium enterprises (SMEs) might manage:

Treasury risks: suppliers and employees aren’t …

Risk Management Project – Where Do I Start?


Whenever I talk to customers that decide to embark on a risk management project, and wherever they are in the world, one question always kick-starts the conversation: So, where do I start?

As a matter of fact, when writing this post, I was kicking myself: Why didn’t I start my blog postings with this topic first? I should have indeed, and I do apologize that it comes so late. It seems that we all want to see the results of a project and invite people to the house warming party before we even lay its foundations…

For all risk …

What Should Auditors Audit?


In the past, auditors were famous for finding problems. They audited a process, business unit, or location and found “weaknesses” in internal control. These were then prioritized based on the auditors’ assessment of the risk they represented.

These days, leading internal audit teams are moving from this idea of auditing controls, sometimes called controls assurance, to auditing whether management’s processes, systems, and organization (which include controls) provide reasonable assurance that risks are at acceptable levels.

They are moving from controls assurance to risk assurance.

They are also moving from auditing the past (hindsight) to providing insight on current activities and …

GRC and Golf: Games of Honor


I was sitting in my backyard yesterday, which overlooks a golf course in Anthem, Arizona, and my mind was wandering as I thought about the topic for my next blog. Just for the fun of it, I thought about some key aspects of golf that might be applicable to governance, risk, and compliance. If you are a golfer, you’ve probably heard some of this before—but I’m guessing you’ve never heard this applied to GRC.

Perhaps the US Golf Association (USGA) says it best in an excerpt from The Human Element:

“Golf is …

Monitoring Risk and Control Deficiencies – Who’s Responsible?

Who’s responsible for ensuring that corrective actions to remedy issues identified by internal audit are completed?

Management is responsible for the system of internal control as well as for managing risk. Management is responsible for correcting deficiencies either in controls or in the management of risk, whoever identified them.

So why does internal audit, more often than not, monitor completion of these actions? Why should they be the ones that report progress to the audit committee and executive management?

Internal audit certainly has an interest in seeing these actions taken. Not only does it mean that their recommendations for change …

GRC Strategy Quadrant: Understanding Type D Risks


A Better Way to Classify Risks

There’s nothing new about classifying risks by category – strategic risk, operational risk, and so on. But I’m suggesting the strategy for managing risks is dramatically different for each section of the quadrant. And we make mistakes when we use a response strategy that doesn’t match the risk type.

In my previous blogs, I illustrated the GRC Strategy Quadrant, which classifies risks based on the risk “appetite” of the business and the perceived risk level, and I explained

Misunderstanding Risk and Controls


Time and again I hear that risk management is seen as something that is required by the regulators, perhaps by the board or top management, but is not seen as something that helps individual managers succeed.

Time and again I hear that boards are not receiving the information they need to know whether the risks to the organization’s strategies are managed appropriately.

Time and again I hear of organizations that are satisfied (i.e., complacent) with the periodic management of a list of significant risks — as if risks are somehow less dynamic than the business environment.

Time and again I …