How to stay in control in a rapidly changing world?
Insights into the use of Governance, Risk and Compliance (GRC) technology solutions in the Belgian market
How are Belgian organisations performing when it comes to the use and adoption of Governance, Risk and Compliance (GRC) technology? FORFIRM Belgium conducted a survey to gain insight into the maturity of Belgian organisations in their use of GRC technology. The results show how the Belgian market has evolved since the previous survey, conducted by FORFIRM Belgium in 2013, and benchmark Belgian organisations against global trends.
We’d like to thank the close to 100 respondents who completed this survey. They represent a great diversity of company sizes and sectors. Respondents were individuals from all levels within these companies, from C-suite to operational staff and expert users. We analysed the survey results and highlighted some key findings in this report. We hope you find the information insightful and valuable in helping you further direct the GRC investments within your organisation. The information obtained through the survey has been used solely for preparing this report. At your request, we are more than willing to further discuss the results of this survey in the context of your own organisation, or to facilitate the development of an action plan that suits the focus of your business.
We wanted to gain more insight into how Belgian companies are managing risk, compliance and controls through the use of GRC technology and what added value such technology delivers for these companies.
96 organisations located in Belgium, of various sizes and across more than ten industries, were surveyed on GRC tool implementation. We looked at whether, when and why they used GRC technology and what advantages it offers. Given that the majority of the respondents had SAP as their primary ERP (Enterprise Resource Planning) system, this report focuses on conclusions related to GRC tools in an SAP context.
3.1 What is GRC technology?
‘GRC’ as a concept is an integrated, holistic approach to organisation-wide governance, risk and compliance.
GRC aims to help ensure that an organisation acts ethically and in line with its risk appetite, internal policies and external regulations by aligning strategy, processes, technology and people. Improving the efficiency and effectiveness of the business and/or IT processes concerned is a key component of GRC as well.
GRC technology comprises the tools that companies adopt to support their GRC initiatives. Its key components include:
- Documentation and assessment of a company’s enterprise-wide risks and risk management initiatives;
- Centralised repository of a company’s internal control components, linked to all relevant regulations. This includes the documentation of actual control execution (by management and control owners), combined with internal control test plans and results of regular internal control assessments (e.g. by an independent ‘risk & compliance’ function);
- Continuous monitoring of internal control elements, e.g. the configuration settings behind automated controls, changes to critical master data and transaction-level exceptions;
- Preventive and detective management of security-related risks, like segregation of duties, access to sensitive business and IT-related functionalities and highly sensitive emergency-type access;
- Management of an internal audit lifecycle, starting from risk assessment, to audit planning, scoping, staffing, working paper documentation and action plan definition and follow-up.
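The segregation-of-duties and sensitive-access component listed above is the one most often automated by a rule-based engine. The Python below is an added example written for this edit, not code from the survey or from any vendor's product: it evaluates a small constructed role model in which roles grant transaction codes, transaction codes map to business functions, and an SoD risk is a pair of functions one person may not hold. The transaction codes, role names, users and the mitigating control are illustrative assumptions. It shows what a reviewer needs beyond a yes/no: whether a conflict arises because two separately harmless roles meet on one user, or because a single role was cut badly.

```python
"""Segregation-of-duties (SoD) and sensitive-access analysis over a role model.

Added example. The transaction codes, roles, users and mitigating control
below are constructed for illustration and are not taken from any SAP
system or GRC rule book.
"""
from collections import defaultdict

# Business functions, each defined by the transaction codes that can execute it.
FUNCTIONS = {
    "AP_VENDOR_MAINTAIN": {"XK01", "XK02", "FK02"},  # create or change vendor master data
    "AP_INVOICE_POST": {"FB60", "MIRO"},             # post vendor invoices
    "AP_PAYMENT_RUN": {"F110"},                      # execute the payment run
    "PO_CREATE": {"ME21N"},                          # create purchase orders
    "GR_POST": {"MIGO"},                             # post goods receipts
}

# SoD risks: pairs of functions that must not be held by the same person.
SOD_RISKS = {
    "P001": ("AP_VENDOR_MAINTAIN", "AP_PAYMENT_RUN"),   # set up a vendor and pay it
    "P002": ("AP_VENDOR_MAINTAIN", "AP_INVOICE_POST"),  # set up a vendor and invoice it
    "P003": ("PO_CREATE", "GR_POST"),                   # order goods and confirm receipt
}

# Sensitive access: critical transactions to restrict regardless of SoD.
SENSITIVE = {"SU01": "user maintenance", "SM30": "table maintenance", "SE38": "ABAP editor"}

# Constructed role model (role -> transaction codes) and user assignments.
ROLES = {
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_PROCUREMENT_ALL": {"ME21N", "MIGO"},  # conflict built into a single role
    "Z_BASIS_ADMIN": {"SU01", "SM30"},
}
USERS = {
    "alice": {"Z_VENDOR_MASTER", "Z_AP_CLERK"},  # conflict only across two roles
    "bob": {"Z_AP_PAYMENTS"},
    "carol": {"Z_VENDOR_MASTER", "Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "dave": {"Z_BASIS_ADMIN"},
    "erin": {"Z_PROCUREMENT_ALL"},
}
# Approved mitigating controls, keyed by (user, risk id). Constructed.
MITIGATIONS = {("carol", "P001"): "monthly reconciliation of payments against vendor changes"}


def functions_granted(role_tcodes):
    """Map each business function to the roles that grant at least one of its tcodes."""
    granted = defaultdict(set)
    for role, tcodes in role_tcodes.items():
        for function, fn_tcodes in FUNCTIONS.items():
            if tcodes & fn_tcodes:
                granted[function].add(role)
    return granted


def analyse_user(user, roles=ROLES, users=USERS, mitigations=MITIGATIONS):
    """Return open SoD violations, mitigated ones and sensitive access for one user.

    Each SoD entry is (risk id, (roles granting function A, roles granting function B)),
    so the reviewer can see whether to fix the role design or the user's assignments.
    """
    role_tcodes = {role: roles[role] for role in users[user]}
    granted = functions_granted(role_tcodes)
    findings = {"sod": [], "mitigated": [], "sensitive": []}
    for risk_id, (fn_a, fn_b) in SOD_RISKS.items():
        if fn_a in granted and fn_b in granted:
            entry = (risk_id, (sorted(granted[fn_a]), sorted(granted[fn_b])))
            bucket = "mitigated" if (user, risk_id) in mitigations else "sod"
            findings[bucket].append(entry)
    for role, tcodes in sorted(role_tcodes.items()):
        for tcode in sorted(tcodes & set(SENSITIVE)):
            findings["sensitive"].append((tcode, role))
    return findings


def users_with_open_violations(users=USERS):
    """Users needing remediation or a mitigating control before the next review."""
    return sorted(u for u in users
                  if analyse_user(u, users=users)["sod"]
                  or analyse_user(u, users=users)["sensitive"])


if __name__ == "__main__":
    for name in USERS:
        print(name, analyse_user(name))
    print("open:", users_with_open_violations())
```

The two result shapes matter in practice: alice's P002 conflict names two different roles, so the fix is an assignment decision, while erin's P003 conflict names the same role twice, so no reassignment will help until the role itself is split. Carol's P001 is reported separately as mitigated rather than silently dropped, which is what an auditor will ask to see.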
GRC technology providers
There are currently a number of players in the market providing GRC technology solutions, including SAP, CSI tools, BWise, OpenPages and others. Of the companies we surveyed, SAP emerged as the solution of choice with a 40% share. The graph below shows the breakdown of GRC technology use by technology provider.
4.1 Belgian companies have increasingly adopted GRC technology, but are still lagging behind the global trend
Our survey shows an important increase in the adoption of GRC technology in the Belgian market. While in 2013, only 18% of companies used a dedicated GRC tool, today close to 70% of companies have adopted such technology in their organisation. Advanced use of ‘spreadsheet’ type solutions (MS Office products) dropped from 51% in 2013 to 13% today.
Despite this trend, Belgian companies still lag behind the global curve, where results of FORFIRM’s last global GRC survey (dated 2015) revealed that 96% of companies had invested in dedicated GRC technology.
Use of a GRC tool is widespread across industries, regardless of organisation type, size and international presence. The graphs below illustrate the extent of GRC tool use across these variables.
We see increased adoption across all sizes of companies, including small and medium-sized enterprises (SMEs; fewer than 1,000 employees): 70% of SMEs have a tool (other than spreadsheets), vs. 69% overall, demonstrating that such tools are no longer reserved for large corporations. It also shows that companies realise spreadsheets are no longer the most effective way to manage their risks.
Our study shows that the implementation of a GRC tool does not depend on the presence of an internal audit or other risk/compliance function. Being subject to requirements such as Sarbanes-Oxley (SOX) or International Standard on Assurance Engagements (ISAE) reporting does not influence the presence of a dedicated GRC tool either, which clearly shows that regulatory compliance is not the only driver for implementing GRC tools.
Companies using GRC technology use it for a variety of reasons
We asked organisations with a GRC tool in place what they used it for most. The main purpose cited was risk management, followed closely by internal control and access management:
Chart: What does your organisation use its GRC software/tool for?
This indicates a clear shift from the older vision of GRC tools. In our 2013 survey, only seven percent used a GRC tool to document risks. Now, 48 respondents out of 72 indicate they’re using it to manage risk and 42 agree that their GRC tool is good for mapping risks to strategic priorities. Of the 72 respondents, 49 state the tool helps them understand how risks can occur.
In the past, GRC tools were mainly used to manage segregation of duties (SoD) and sensitive access (SA) risks in back-end ERP systems like SAP. While respondents agree that their GRC tool allows them to adequately manage their SoD and SA risks, other functionalities are now cited as well, such as risk identification and quantification, and automation of controls testing. Compared to our 2013 survey, where only five percent of respondents agreed their GRC tool provides a good way to perform continuous monitoring, this number has increased to nearly 50%.
4.3 GRC tooling governance
Despite the increased use of the tools’ functionality, a significant number of companies don’t apply the same level of control to their GRC tools as to the ERP systems those tools manage. This deserves attention: the SoD rule set, the mitigating-control assignments and the emergency-access logs all live in the GRC tool itself, so anyone with uncontrolled change or access rights to the tool can weaken the very controls it reports on. Governance of the tool is what keeps it evolving with the organisation and producing accurate and complete information.
• Only 40% indicate having a tool in place to protect their GRC tool from external risks
• 22 respondents indicate they don’t have the governance to enable long-term sustainability (or were unsure)
• 79% have access procedures in place, although 19 out of 72 indicated these are informal
• 82% have change procedures, although 19 out of 72 indicated these are informal
Value driven through GRC technology adoption
A rapidly changing business environment has increased the need for robust operational processes, regulatory compliance and effective risk management. Technology has evolved significantly over the past years and will continue to do so; it is already, or will become, the cornerstone of successful organisations. With these technological advancements comes the need for more proactive risk management, and this is where GRC tools come into play. Like other tools, GRC tools have evolved over time: they now perform better and offer a wider range of functionality. As a result, a growing number of organisations are embracing the advantages of a GRC tool.
Below is an overview of some of the main benefits associated with adopting GRC technology.
Some key GRC technology value drivers
The potential benefits of having a GRC tool in place are numerous and varied. Benefits can be quantitative, such as reduced cost and increased efficiencies, and qualitative, such as fraud reduction and creating more time for value-added tasks.
GRC implementation can reduce costs through standardisation of testing, reporting, monitoring and documentation. The costs of managing compliance activities and centralising control monitoring and audit scheduling can also be cut by adopting a GRC tool. Remediation and retesting costs for failed controls also diminish, as automated controls have a higher pass rate.
An undeniable advantage of GRC implementation is a more efficient enterprise risk management (ERM). Respondents claim faster resolution of deficiencies and better visibility on remediation activities. Maturity of internal control increases by adopting consistent practices, while audit costs and preparation time are reduced by leveraging the shared repository of risks and controls across the business. GRC process automation technology is improving accuracy and efficiency across various aspects of the business, thereby freeing time for more customer-focused tasks.
In our experience, the benefits below are the ones most commonly generated by GRC technology adoption:
- Continuous monitoring: An increased focus on continuous, automated monitoring as opposed to manual periodic sample testing reduces not only the cost of audit preparation and external auditor fees but also FTE requirements.
- Segregation of duties and restricted access reviews: Organisations that have automated periodic certification reviews see significant time savings in evaluating and responding to access reviews and certifications. The FORFIRM global survey shows that 84% of organisations use a GRC tool to monitor their SoD violations, and our survey shows that 75% of respondents agree that their tool efficiently supports their periodic user reviews and monitoring of SoD risks.
- Access approvals: The time to request, approve and systematically assign access decreases significantly with GRC tool automation. Users obtain the access required to carry out their duties more quickly, resulting in significant operational efficiencies.
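Continuous monitoring, the first benefit above, is easiest to understand through one concrete detective control. The Python below is an added example written for this edit (not code from the survey, from SAP or from any GRC product): it runs a classic check over constructed vendor-master change documents and payment postings, flagging payments made shortly after a vendor's bank details were changed, and raising the severity when the same person made the change and posted the payment. The record layouts, field names, users and amounts are assumptions made for the example; a real implementation would read the ERP change documents and payment tables instead.

```python
"""Continuous control monitoring: vendor bank-detail changes followed by payments.

Added example. The change documents and payment postings below are
constructed for illustration; no SAP table layout or field names are assumed.
"""
from datetime import datetime

# Fields whose change should trigger scrutiny of subsequent payments. Constructed.
BANK_FIELDS = {"IBAN", "BANK_ACCOUNT", "BANK_KEY"}

# Constructed vendor master change documents.
BANK_CHANGES = [
    {"vendor": "V1001", "field": "IBAN", "changed_by": "alice", "at": "2018-03-02T09:12"},
    {"vendor": "V2002", "field": "IBAN", "changed_by": "bob",   "at": "2018-03-05T17:40"},
    {"vendor": "V3003", "field": "IBAN", "changed_by": "carol", "at": "2018-03-10T11:05"},
    {"vendor": "V1001", "field": "NAME", "changed_by": "alice", "at": "2018-03-11T08:00"},
]

# Constructed outgoing payments.
PAYMENTS = [
    {"vendor": "V1001", "amount": 48500.00, "posted_by": "alice", "at": "2018-03-04T14:30"},
    {"vendor": "V2002", "amount": 900.00,   "posted_by": "dave",  "at": "2018-03-06T10:00"},
    {"vendor": "V3003", "amount": 12000.00, "posted_by": "erin",  "at": "2018-04-28T10:00"},
]


def _ts(text):
    """Parse the constructed ISO-8601 timestamps."""
    return datetime.fromisoformat(text)


def bank_change_exceptions(changes=BANK_CHANGES, payments=PAYMENTS,
                           window_days=7, amount_threshold=10000.0):
    """Flag payments made within window_days after a bank-detail change on the same vendor.

    Severity is 'high' when the same person changed the bank details and posted the
    payment (the classic fraud pattern) or the amount is at or above the threshold,
    otherwise 'medium'. Changes to non-bank fields (name, address) are ignored, and
    changes made after the payment cannot have influenced it, so they are skipped too.
    """
    exceptions = []
    for payment in payments:
        paid_at = _ts(payment["at"])
        for change in changes:
            if change["vendor"] != payment["vendor"] or change["field"] not in BANK_FIELDS:
                continue
            gap = paid_at - _ts(change["at"])
            if gap.total_seconds() < 0 or gap.days > window_days:
                continue
            same_user = change["changed_by"] == payment["posted_by"]
            severity = "high" if same_user or payment["amount"] >= amount_threshold else "medium"
            exceptions.append({
                "vendor": payment["vendor"],
                "change_at": change["at"],
                "payment_at": payment["at"],
                "days_between": gap.days,
                "amount": payment["amount"],
                "same_user": same_user,
                "severity": severity,
            })
    return exceptions


def count_by_severity(exceptions):
    """Summary a dashboard would show: how many exceptions per severity."""
    counts = {}
    for item in exceptions:
        counts[item["severity"]] = counts.get(item["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = bank_change_exceptions()
    for item in found:
        print(item)
    print(count_by_severity(found))
```

The window and amount threshold are the control parameters an owner should document and review: widening the window to 60 days picks up the third vendor as well, at the cost of more items to review. Running the check daily over the previous day's payments is what turns a periodic sample test into continuous monitoring.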
Safeguard your investment by involving specialists
Respondents generally agree that their investment has provided the benefits promised by the software provider. Only eight percent indicated otherwise. Most respondents are satisfied with the implementation (or at least partly satisfied), with only two respondents indicating dissatisfaction.
To ensure your organisation benefits from investing in these tools, a sound technical implementation of the GRC tool is required. However, it doesn’t stop there. It is key to embed GRC technology in your existing risk and control processes and initiatives in order to reap the benefit of your technology investment. This requires sufficient time and attention to be spent on organisational change management and end-user training as part of your implementation.
Furthermore, as indicated earlier in this study, GRC technology itself requires governance. As part of your implementation, sufficient attention should be given to the processes needed to maintain your GRC technology continuously after go-live, so that it keeps supporting the evolving needs of your organisation.
A critical success factor for leveraging the benefit of your GRC technology investment is therefore ensuring you have the right skills on board during your GRC technology implementation, either in-house or via external support. Survey respondents confirmed that external support is often called upon during GRC technology implementation, with close to 90% of SAP GRC implementations that occurred in Belgium since 2013 having been supported by an external consultant.
Building your GRC technology business case
Improved, robust and efficient controls that leverage increased automation are becoming critical as the number and complexity of risks increase for companies. Organisations need to invest in a technological infrastructure that supports increased automation, better reporting and stronger overall controls governance. However, we see that cost is still often considered a hurdle: twelve out of 14 respondents who didn’t yet have a GRC tool in place indicated that cost is a main reason.
GRC technology initiatives are often denied in the annual budgeting process, as they compete with other business priorities. Companies are often only willing to invest in such technologies as a response to audit or compliance failures, or worse – reputational damage.
A GRC tool adds value, and developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investments in controls automation technology.
Clearly defining and quantifying the benefits of implementing a GRC tool will be essential for a strong business case. Examples of elements to be taken into account when quantifying the return on your GRC technology investment are:
- Continuous Control Monitoring (CCM)
– Cost savings by enabling CCM on existing controls;
– Cost savings by converting manual controls to automated ones, reducing both the operating cost of executing the controls and the cost of testing them.
- Data Analytics – Improved data analytics lead to operational and test savings (centralising analytics, improving filters to quickly identify exceptions, increasing frequency through better technology).
- Reliance by external auditors – While this can be a sensitive option, it can reduce annual audit fees when the external auditor relies on the automated controls and validations in your GRC tool.
- Increased compliance team efficiency – Your GRC tool facilitates centralised reporting and issue resolution, provides semi-automation of manual controls and improves standardisation.
What will the future bring?
SAP’s latest ERP platform, S/4HANA, is a robust next-generation business solution. It can be deployed in the cloud or on-premise and is built to provide value and simplicity of use while effectively controlling and automating processes, including compliance. SAP announced that it will end mainstream maintenance support for SAP Business Suite 7 core application releases at the end of 2025. As a result, many organisations will be migrating to SAP S/4HANA in the coming years.
To make sure that you continue to benefit from the investments made in your GRC tools, you must ensure that these are adapted to be fit for purpose for S/4HANA. Regardless of whether you opt for an on-premise or cloud solution, your GRC tools and related risk management procedures should be updated. This includes the necessary technical changes to your systems, but also identifying and responding to the risks that arise from the new technologies, e.g. the increased use of Fiori apps, which changes how users reach transactions and therefore which authorisations your SoD rule set has to cover.
Starting 25 May 2018, all organisations processing the personal data of individuals in the EU must apply the new General Data Protection Regulation (GDPR). The objective of the GDPR is to protect natural persons with regard to the processing of personal data and to set out rules on the free movement of personal data. This regulation has a major impact on organisations’ data protection policies, processes and governance, and on how personal data needs to be handled in the business overall. Organisations have to implement the new rules and must be able to demonstrate that they comply with them. In case of non-compliance, the GDPR introduces substantially higher administrative penalties of up to four percent of an organisation’s global annual turnover or 20 million euros, whichever is higher.
Many companies are implementing measures to ensure compliance with this new regulation. GRC tools can be a major asset for recording the identified risks and the way companies are responding to these risks.
GRC tools can also help demonstrate to the regulator that your company has implemented the necessary controls. Tools such as SAP GRC Emergency Access Management record which emergency (firefighter) ID was used, by whom, when, and which transactions and changes were made during the session; that evidence only has value if someone actually reviews it. GRC technology can be used not only to detect and prevent internal misuse of personal data but also as part of the protection against external threats.
Our recent CEO survey showed that cyber threats are a major concern for most CEOs, with 40% of CEOs indicating they are extremely concerned about the impact of cyberattacks on their organisations. While ERP systems are often overlooked when it comes to cyberattacks, their increasing exposure to the internet makes them vulnerable. ERP systems are also typically connected to many other systems within an organisation, so a breach of the ERP system can expose those systems as well.
A recent study from Onapsis shows that, over the last five years, SAP released on average 340 security notes per year. On average it takes 12 months from a vulnerability being identified to SAP releasing the corresponding security note, and a further six months before organisations apply it, leaving a window of vulnerability of around 18 months.
As GRC tools extend into this space, organisations need to invest to ensure their systems are protected against cyberattacks. A GRC tool can help automate the efforts to protect your systems from both internal and external threats.
Robotic process automation (RPA) and intelligent process automation (IPA) are new technologies that allow companies to automate their risk and compliance activities so GRC users can focus their efforts on interpreting results rather than manually generating them. However, attention should be paid to applying the right technology. For example, the use of RPA to automate the monitoring of a particular control may be unnecessary if the situation can be fixed at the source with more effective application configuration or security. Conversely, advanced analytics and RPA may be best used together: analytics can pull data across diverse environments, after which an RPA solution reviews the output. Existing GRC technologies can provide an end-to-end compliance management solution and workflow for all of these capabilities, not to mention a single source of truth for governance, risk and compliance.
With the automation of business and compliance processes come great amounts of data. Companies are starting to use this data to carry out advanced analytics to gain insights into their processes and controls. One of the key challenges is to present this data in a digestible way for the end user. This is where dashboards and other visualisation techniques come in; e.g. the new SAP GRC Access Control 12.0 is Fiori-enabled and focuses even more on the user’s experience.
At FORFIRM we’ve developed a dashboard to help users interpret SAP FireFighter (FF) activities. Our dashboard converts your SAP FF logs into easy-to-understand graphs, providing a complete overview of your SAP FF activities and focusing your review on the key risk areas.
SAP Emergency Access Management is critical to address high-priority access issues, but few organisations have a deep understanding of how that emergency access is actually used. Learn to analyse emergency usage to spot trends and gain insights from your firefighters with the SAP Firefighter dashboard, developed by our SAP Risk assurance experts.
Our SAP Firefighter Dashboard is a user-friendly, digital platform which allows you to:
- Identify high-risk activities in the use of your SAP firefighters
- Spot trends in emergency user behaviour
- Improve your firefighter process
- Improve your IT controls over SAP emergency users
- Save time in log review
Clients who’ve adopted the tool have reported a significantly streamlined and more mature emergency process.
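Whatever tool presents the graphs, the review logic behind an emergency-access dashboard is the part worth understanding. The Python below is an added example written for this edit, not the FORFIRM dashboard and not an SAP GRC export format: it runs a log review over constructed firefighter requests and session log lines and implements the kinds of checks listed above. It flags activity outside the approved window, use of high-risk transactions, a firefighter session used to change the requester's own account, approved requests that were never used, and the same user repeatedly requesting emergency access for the same reason (a sign the problem should be fixed at the source rather than handled through emergency access). The request fields, log layout, transaction codes, users and reasons are all assumptions made for the example.

```python
"""Review of emergency (firefighter) access logs.

Added example. The request records and log lines below are constructed for
illustration; the field names are not those of SAP GRC Emergency Access
Management or any other product.
"""
from collections import Counter
from datetime import datetime

# Transactions whose use under a firefighter ID always warrants a closer look. Constructed list.
HIGH_RISK_TCODES = {
    "SU01": "user maintenance",
    "PFCG": "role maintenance",
    "SM30": "table maintenance",
    "SE16N": "table browser/editor",
    "SCC4": "client settings",
}

# Constructed approved emergency-access requests: requester, firefighter ID, reason, window.
REQUESTS = {
    "REQ-1": {"user": "alice", "ff_id": "FF_FINANCE", "reason": "Restart blocked payment run F110",
              "start": "2018-03-02T18:00", "end": "2018-03-02T20:00"},
    "REQ-2": {"user": "bob", "ff_id": "FF_BASIS", "reason": "Unlock batch user BATCH01",
              "start": "2018-03-05T09:00", "end": "2018-03-05T10:00"},
    "REQ-3": {"user": "alice", "ff_id": "FF_FINANCE", "reason": "Restart blocked payment run F110",
              "start": "2018-03-09T18:00", "end": "2018-03-09T20:00"},
    "REQ-4": {"user": "carol", "ff_id": "FF_FINANCE", "reason": "Month-end correction",
              "start": "2018-03-30T08:00", "end": "2018-03-30T18:00"},
}

# Constructed session log: (request id, timestamp, transaction, free-text detail).
LOG = [
    ("REQ-1", "2018-03-02T18:10", "F110", "payment run 20180302-01 restarted"),
    ("REQ-1", "2018-03-02T18:25", "SE16N", "table:REGUH displayed"),
    ("REQ-1", "2018-03-02T21:15", "SU01", "user:ALICE role_added:Z_AP_PAYMENTS"),
    ("REQ-2", "2018-03-05T09:05", "SU01", "user:BATCH01 unlocked"),
    ("REQ-3", "2018-03-09T18:05", "F110", "payment run 20180309-01 restarted"),
]


def _ts(text):
    """Parse the constructed ISO-8601 timestamps."""
    return datetime.fromisoformat(text)


def review(log=LOG, requests=REQUESTS):
    """Return (request id, rule, detail) findings for every suspicious log line."""
    findings = []
    for req_id, at, tcode, detail in log:
        req = requests[req_id]
        when = _ts(at)
        if not (_ts(req["start"]) <= when <= _ts(req["end"])):
            findings.append((req_id, "outside_window", f"{tcode} at {at}"))
        if tcode in HIGH_RISK_TCODES:
            findings.append((req_id, "high_risk_tcode",
                             f"{tcode} ({HIGH_RISK_TCODES[tcode]}): {detail}"))
        if tcode in {"SU01", "PFCG"}:
            # A firefighter session used to grant the requester's own account more access
            # defeats the whole point of temporary, reviewed emergency access.
            targets = {tok[5:].lower() for tok in detail.split() if tok.startswith("user:")}
            if req["user"].lower() in targets:
                findings.append((req_id, "self_change",
                                 f"{tcode} on requester's own account: {detail}"))
    return findings


def unused_requests(log=LOG, requests=REQUESTS):
    """Approved requests with no activity at all: the process may be too easy to invoke."""
    used = {entry[0] for entry in log}
    return sorted(r for r in requests if r not in used)


def recurring_reasons(requests=REQUESTS, min_count=2):
    """(user, reason, count) for users who keep requesting emergency access for the same thing."""
    counts = Counter((r["user"], r["reason"]) for r in requests.values())
    return sorted((u, reason, n) for (u, reason), n in counts.items() if n >= min_count)


if __name__ == "__main__":
    for finding in review():
        print(finding)
    print("unused:", unused_requests())
    print("recurring:", recurring_reasons())
```

Each rule maps to one of the review goals above: the window and high-risk checks find the high-risk activities, the self-change check is the control over emergency users that matters most, and the unused and recurring views are the trend analysis that tells you whether the emergency process itself needs improving.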
A call-to-action for Belgian organisations
Regulations and security threats are constantly evolving. Managing governance, risk, compliance and security continues to be a challenge for most organisations. With increasing compliance requirements, organisations are seeking to reduce cost and increase value derived from investment in control processes, people and technology.
GRC tools offer non-negligible advantages in the form of reduced costs, increased efficiencies through automation and minimised errors resulting in greater compliance. The results of our study show that Belgian companies have made efforts to implement dedicated GRC tools but are still behind compared to their global peers and competitors. We see an increase in terms of number of companies using GRC tools and in terms of functionality. However, as these technologies evolve, your organisation must ensure your tools continue to adequately manage risk, including detecting and protecting against cyber threats.
A dedicated GRC solution should be an essential component of any company’s risk and control structure. Those companies relying on outdated or manual tools leave themselves at a distinct disadvantage in the face of their competitors.