About Us

The Decision Factor offers insightful comments and observations on analytics—from views on new technology approaches and market dynamics to the latest industry trends driving demand for faster, smarter information analysis. This blog contains personal views, thoughts, and opinions from SAP employees, mentors, and friends working in the area of analytics. It’s not endorsed by SAP nor does it constitute an official communication of SAP.

Archives

GRC Strategy Quadrant: Understanding Type D Risks

A Better Way to Classify Risks

There’s nothing new about classifying risks by category – strategic risk, operational risk, and so on. But I’m suggesting the strategy for managing risks is dramatically different for each section of the quadrant. And we make mistakes when we use a response strategy that doesn’t match the risk type.

In my previous blogs, I illustrated the GRC Strategy Quadrant, which classifies risks based on the risk “appetite” of the business and the perceived risk level, and I explained Type A, Type B and Type C

Misunderstanding Risk and Controls

Time and again I hear that risk management is seen as something that is required by the regulators, perhaps by the board or top management, but is not seen as something that helps individual managers succeed.

Time and again I hear that boards are not receiving the information they need to know whether the risks to the organization’s strategies are managed appropriately.

Time and again I hear of organizations that are satisfied (i.e., complacent) with the periodic management of a list of significant risks — as if risks are somehow less dynamic than the business environment.

Time and again I …

GRC Strategy Quadrant: Understanding Type C Risks

Misunderstanding Risk and Controls

A Better Way to Classify Risks

There’s nothing new about classifying risks by category – strategic risk, operational risk, and so on. But I’m suggesting the strategy for managing risks is dramatically different for each quadrant. And we make mistakes when we use a response strategy that doesn’t match the risk type.

In my previous blogs, I illustrated the GRC Strategy Quadrant, which classifies risks based on the risk “appetite” of the business and the perceived risk level, and I explained Type A and Type B Risks in detail.

Today, I’m covering Type C …

GRC Strategy Quadrant: Understanding Type B Risks

In a recent blog, I illustrated a GRC Strategy Quadrant that I think can be used to tailor risk management strategies to different types of risks.

A Better Way To Classify Risks

There’s nothing new about classifying risks by category – strategic risk, operational risk, and so on. But I’m suggesting that the strategy for managing risks is dramatically different for each quadrant. And we make mistakes when we use a response strategy that doesn’t match the risk type.

In last week’s blog, I defined the four types of risks, and explained Type A in detail. …

GRC Strategy Quadrant: Type A Risks Explained

In a recent blog, I illustrated a GRC Strategy Quadrant that I think can be used to tailor risk management strategies to different types of risks.

A Better Way To Classify Risks

There’s nothing new about classifying risks by category—strategic risk, operational risk, and so on. But I’m suggesting that the strategy for managing risks is dramatically different for each quadrant.

The quadrant classifies risks based on the risk “appetite” of the business and the perceived risk level. I will illustrate my points over the next few blogs, starting with Type A risks today.

The New Breed of CFO and How to Become One Yourself

‘Stick close to your desks and never go to sea, And you all may be rulers of the Queen’s Navy’

The chorus of “Sir Joseph Porter’s Song” above, taken from the Gilbert and Sullivan operetta H.M.S. Pinafore, is a satire said to be based on William Henry Smith (1825-91), the Victorian businessman who made a fortune by expanding his father’s bookselling business into a national chain that still thrives today as WH Smith. Like many successful businessmen, William entered Parliament in 1868 and was appointed First Lord of Admiralty in 1877 – equivalent to the American “Secretary of …

Risk-Driven, Governance Risk and Compliance Oversight

GRC Strategy Quadrant

Risk management continues to fall short of expectations. Surveys show boards and senior executives believe risk management is important, but also reflect an overwhelming dissatisfaction with the implementation initiatives.

Adopt a Value Driven Approach to Risk

Recently, in an attempt to make risk management more relevant and sustainable, I wrote a blog aimed at focusing risk management on value driving activities of the business (“Driving Value with Risk Management”). My belief is that too much risk management activity is spent on identifying and assessing risks in low-value business processes or in objectives that don’t drive business …

Redefining the Role of Internal Audit: Part Two

In my last blog, Redefining the Role of Internal Audit: Avoiding Redundancy, I outlined the dangers auditors face if they don’t innovate and adapt to today’s technological advances. I also proposed that internal auditors should respond with a paradigm shift—from being in the auditing business to being in the knowledge business.

What would this new role for internal auditors look like? Let me suggest another definition:

The role of Internal Auditors is to create, interpret, and disseminate as widely as possible reliable, fact-based knowledge on the status of risks and controls that impact business performance.

What’s …

Can Risk Reporting Drive Risk Management?

Risk Management -- Still an Immature Profession

A year ago, my team conducted some research into risk management. We wanted to assess the state of risk management adoption, the role of technology, and the evolution of risk management practices.

We combined our research with that of others and issued an infographic illustrating our conclusions. To summarize, everyone thinks risk management is important. But “good enough” practices and technologies rule. Things are changing slowly and not necessarily for the better, if at all.

In this blog I want to assess the state of the risk management profession generally and provide an example of what a …

Making the Business Case for GRC

Why GRC?

I was in a meeting this week discussing with some colleagues how clients build a business case for acquiring governance, risk, and compliance solutions.

Many GRC professionals accept the concept of GRC, but struggle to justify the initiative, the investment, and the cultural changes required.

My colleagues and I agreed that the fundamental arguments used by clients to justify the benefits of GRC were a reduction in cost and an increase in efficiency. Rarely was there any attempt made by clients to claim any value added other than cost reduction.

There’s no doubt …