How to stay in control in a rapidly changing world?

Insights into the use of Governance, Risk and Compliance (GRC) technology solutions in the Belgian market

How are Belgian organisations performing when it comes to the use and adoption of Governance, Risk and Compliance (GRC) technology? FORFIRM Belgium conducted a survey to gain insight into the maturity of Belgian organisations in their use of GRC technology. The results show how the Belgian market has evolved since the previous survey, conducted by FORFIRM Belgium in 2013, and benchmark Belgian organisations against global trends.

We would like to thank the close to 100 respondents who completed this survey. They represent a great diversity of company sizes and sectors, and were individuals from all levels within these companies, from C-suite to operational staff and expert users. We analysed the survey results and highlight some key findings in this report. We hope you find the information insightful and valuable in helping you further direct the GRC investments within your organisation. The information obtained through the survey has been used solely for preparing this report. At your request, we are more than willing to discuss the results of this survey further in the context of your own organisation, or to facilitate the development of an action plan that suits the focus of your business.

Introduction

We wanted to gain more insight into how Belgian companies are managing risk, compliance and controls through the use of GRC technology, and what added value such technology delivers for them.

96 organisations located in Belgium, of various sizes and across more than ten industries, were surveyed on GRC tool implementation. We looked at whether, when and why they use GRC technology and the advantages it offers. Since the majority of the respondents had SAP as their primary ERP (Enterprise Resource Planning) system, this report focuses on conclusions related to GRC tools in an SAP context.

What is GRC technology?

‘GRC’ as a concept is an integrated, holistic approach to organisation-wide governance, risk and compliance.

GRC aims to help ensure that an organisation acts ethically and in accordance with its risk appetite, internal policies and external regulations, through the alignment of strategy, processes, technology and people. Improving the efficiency and effectiveness of the affected business and/or IT processes is a key component of GRC as well.

GRC technology is the set of tools that companies adopt to support their GRC initiatives. Its key components include:

  • Documentation and assessment of a company’s enterprise-wide risks and risk management initiatives;
  • A centralised repository of a company’s internal control components, linked to all relevant regulations. This includes the documentation of actual control execution (by management and control owners), combined with internal control test plans and the results of regular internal control assessments (e.g. by an independent ‘risk & compliance’ function);
  • Continuous monitoring of internal control elements, e.g. configurable elements of automated controls, critical master data updates, transaction-level exceptions, etc.;
  • Preventive and detective management of security-related risks, such as segregation of duties, access to sensitive business and IT functionality, and highly sensitive emergency-type access;
  • Management of the internal audit lifecycle, from risk assessment to audit planning, scoping, staffing, working paper documentation and action plan definition and follow-up.

GRC technology providers

There are currently a number of players in the market providing GRC technology solutions, including SAP, CSI tools, BWise, OpenPages and others. Among the companies we surveyed, SAP emerged as the solution of choice, used by 40% of respondents. The graph below shows the breakdown of GRC technology use by technology provider.

[Graph: breakdown of GRC technology use by technology provider]

Belgian companies have increasingly adopted GRC technology, but are still lagging behind the global trend

Our survey shows a marked increase in the adoption of GRC technology in the Belgian market. While in 2013 only 18% of companies used a dedicated GRC tool, today close to 70% of companies have adopted such technology. Advanced use of ‘spreadsheet’-type solutions (MS Office products) dropped from 51% in 2013 to 13% today.

Despite this trend, Belgian companies still lag behind the global curve: FORFIRM’s last global GRC survey (2015) found that 96% of companies had invested in dedicated GRC technology.

[Graph: GRC tool adoption in Belgium, 2013 vs. current survey]

Use of a GRC tool is widespread across industries, regardless of organisation type, size and international presence. The graphs below illustrate the extent of GRC tool use across these variables.

We see increased adoption across all sizes of companies, including small and medium-sized enterprises (SMEs; fewer than 1,000 employees): 70% of SMEs have a tool other than spreadsheets, vs. 69% overall, demonstrating that the use of such tools is no longer reserved for large corporations. It also shows that companies realise spreadsheets are no longer the most effective way to manage their risks.

Our study shows that the implementation of a GRC tool does not depend on the presence of an internal audit or other risk/compliance function. Nor does regulatory compliance, such as Sarbanes-Oxley (SOx) or International Standard on Assurance Engagements (ISAE) certification, correlate with the presence of dedicated GRC tools, which clearly shows that regulatory compliance is not the only driver for implementing them.

[Graphs: GRC tool use by industry, organisation type, size and international presence]

Companies using GRC technology use it for a variety of reasons

We asked organisations with a GRC tool in place what they use it for most. The main purpose cited was risk management, followed closely by internal control and access management:

[Graph: What does your organisation use its GRC software/tool for?]

This indicates a clear shift from the older vision of GRC tools. In our 2013 survey, only seven percent used a GRC tool to document risks. Now, 48 respondents out of 72 indicate they are using it to manage risk, and 42 agree that their GRC tool is good for mapping risks to strategic priorities. Of the 72 respondents, 49 state the tool helps them understand how risks can occur.

In the past, GRC tools were mainly used to manage segregation of duties (SoD) and sensitive access (SA) risks in back-end ERP systems like SAP. While respondents agree that their GRC tool allows them to adequately manage their SoD and SA risks, other functionalities are now cited as well, such as risk identification and quantification and automation of controls testing. Compared to our 2013 survey, where only five percent of respondents agreed that their GRC tool provides a good way of doing continuous monitoring, this number has increased to nearly 50%.

GRC tooling governance

Despite the increased use of the tools’ functionality, a significant number of companies do not apply the same level of control to their GRC tool as to the ERP systems it manages. Since the GRC tool decides who is granted which access and reports which controls passed, weak governance of the tool itself undermines the assurance it produces. This is clearly an area of attention, in order to help ensure that GRC technology continues to evolve with the organisation and generates accurate and complete information.

  • Only 40% indicate having measures in place to protect their GRC tool against external threats;
  • 22 respondents indicate they do not have the governance needed for long-term sustainability (or were unsure);
  • 79% have access procedures in place, although 19 out of 72 indicated these are informal;
  • 82% have change procedures, although 19 out of 72 indicated these are informal.

Value driven through GRC technology adoption

A rapidly changing business environment has increased the need for robust operational processes, regulatory compliance and effective risk management. Technology has evolved significantly over the past years and will continue to do so; it has become, or is becoming, the cornerstone of successful organisations. With these technological advances comes the need for more proactive risk management, and this is where GRC tools come into play. Like other tools, GRC tools have evolved over time and now perform better and offer a wider range of functionality. As a result, a growing number of organisations are embracing the advantages of a GRC tool.

Below is an overview of some of the main benefits associated with adopting GRC technology.

Some key GRC technology value drivers

The potential benefits of having a GRC tool in place are numerous and varied. Benefits can be quantitative, such as reduced cost and increased efficiency, and qualitative, such as fraud reduction and freeing up time for value-added tasks.

A GRC implementation can reduce costs through standardisation of testing, reporting, monitoring and documentation. The costs of managing compliance activities, centralising control monitoring and scheduling audits can also be cut by adopting a GRC tool. Remediation and retesting costs for failed controls also diminish, as automated controls have a higher pass rate.

An undeniable advantage of a GRC implementation is more efficient enterprise risk management (ERM). Respondents report faster resolution of deficiencies and better visibility of remediation activities. Internal control maturity increases by adopting consistent practices, while audit costs and preparation time are reduced by leveraging a shared repository of risks and controls across the business. GRC process automation is improving accuracy and efficiency across various aspects of the business, thereby freeing time for more customer-focused tasks.

In our experience, the most common benefits generated from GRC technology adoption are:

  • Continuous monitoring: an increased focus on continuous, automated monitoring, as opposed to manual periodic sample testing, not only reduces the cost of audit preparation and external auditor fees but also FTE requirements.
  • Segregation of duties and restricted access reviews: organisations that automated periodic certification reviews see significant time savings in evaluating and responding to access reviews and certifications. The FORFIRM global survey shows that 84% of organisations use a GRC tool to monitor their SoD violations, and our survey shows that 75% of respondents agree that their tool efficiently supports their periodic user reviews and monitoring of SoD risks.
  • Access approvals: the time to request, approve and systematically assign access decreases significantly with GRC tool automation. Users obtain the access required to carry out their duties more quickly, resulting in significant operational efficiencies.
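The SoD analysis described under ‘Preventive and detective management of security-related risks’ in the section on what GRC technology is, and again in the ‘Segregation of duties and restricted access reviews’ bullet above, is at its core a join between a risk ruleset and the authorisations each user effectively holds. The Python below is an added example written for this page; it is not code from the survey or from any GRC product. The transaction codes, roles, users, risk rules and the mitigating control are constructed for illustration, and a real ruleset also matches on authorisation objects and field values rather than on transaction codes alone.

```python
"""Segregation-of-duties (SoD) risk analysis over an ERP authorisation model.

Added example, not taken from the survey or from any GRC product. All
transaction codes, roles, users, risk rules and the mitigating control are
constructed for illustration. A real ruleset maps risks to functions and
functions to actions (transactions plus authorisation objects); this is the
same join in simplified form.
"""
from collections import defaultdict

# Business functions -> transactions that enable them (constructed mapping).
FUNCTIONS = {
    "VENDOR_MASTER":  {"XK01", "XK02", "FK02"},
    "VENDOR_INVOICE": {"FB60", "MIRO"},
    "PAYMENT_RUN":    {"F110"},
    "USER_ADMIN":     {"SU01", "PFCG"},
    "TABLE_MAINT":    {"SE16", "SM30"},
}

# SoD risks: two functions one person should not be able to perform together.
RULES = [
    ("P001", "VENDOR_MASTER", "VENDOR_INVOICE", "High"),
    ("P002", "VENDOR_INVOICE", "PAYMENT_RUN", "Critical"),
    ("B001", "USER_ADMIN", "TABLE_MAINT", "Critical"),
]

# Role -> transactions, and user -> roles (constructed authorisation data).
ROLES = {
    "Z_AP_CLERK":  {"FB60", "MIRO", "FB03"},
    "Z_AP_MASTER": {"XK01", "XK02"},
    "Z_TREASURY":  {"F110", "FBL1N"},
    "Z_BASIS_ALL": {"SU01", "PFCG", "SE16", "SM30"},   # conflicting by design
    "Z_DISPLAY":   {"FB03", "XK03"},
}
USERS = {
    "ALICE": {"Z_AP_CLERK", "Z_AP_MASTER"},
    "BOB":   {"Z_AP_CLERK", "Z_TREASURY"},
    "CAROL": {"Z_DISPLAY"},
    "DAVE":  {"Z_BASIS_ALL"},
}

# (user, risk) pairs the control owner has accepted under a mitigating control.
MITIGATIONS = {("BOB", "P002"): "MC-017 weekly payment-proposal review by CFO"}


def functions_enabled(tcodes):
    """Map a set of transactions to the business functions they enable."""
    return {f: tcodes & t for f, t in FUNCTIONS.items() if tcodes & t}


def role_conflicts():
    """Preventive check: single roles that grant both sides of a risk."""
    found = []
    for role, tcodes in ROLES.items():
        held = functions_enabled(tcodes)
        for rid, fa, fb, sev in RULES:
            if fa in held and fb in held:
                found.append((role, rid, sev))
    return found


def user_violations():
    """Detective check: users whose combined roles create an SoD conflict."""
    found = []
    for user, roles in USERS.items():
        grant = defaultdict(set)          # tcode -> roles granting it
        for r in roles:
            for t in ROLES[r]:
                grant[t].add(r)
        held = functions_enabled(set(grant))
        for rid, fa, fb, sev in RULES:
            if fa in held and fb in held:
                # record which transactions, via which roles, cause the hit
                via = {t: sorted(grant[t]) for t in held[fa] | held[fb]}
                found.append({"user": user, "risk": rid, "severity": sev,
                              "via": via,
                              "mitigation": MITIGATIONS.get((user, rid))})
    return found


def open_violations():
    """Violations without an accepted mitigating control: the review backlog."""
    return [v for v in user_violations() if v["mitigation"] is None]


if __name__ == "__main__":
    for role, rid, sev in role_conflicts():
        print(f"ROLE DESIGN  {role}: {rid} ({sev}) granted within a single role")
    for v in user_violations():
        state = f"mitigated by {v['mitigation']}" if v["mitigation"] else "OPEN"
        print(f"USER {v['user']}: {v['risk']} ({v['severity']}) {state} via {v['via']}")
```

Run stand-alone, the script reports one role that conflicts by design (the preventive finding, to be fixed in role build), and three user-level conflicts, one of which is covered by an accepted mitigating control. The two open ones are what a periodic access review has to either remediate or formally mitigate; reporting the roles behind each transaction is what makes the remediation actionable.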

Safeguard your investment by involving specialists

Respondents generally agree that their investment has delivered the benefits promised by the software provider; only eight percent indicated otherwise. Most respondents are satisfied with the implementation (or at least partly satisfied), with only two respondents indicating dissatisfaction.

[Graph: satisfaction with the GRC tool implementation]

To ensure your organisation benefits from investing in these tools, a sound technical implementation of the GRC tool is required. However, it does not stop there. It is key to embed GRC technology in your existing risk and control-related processes and initiatives in order to reap the benefits of your technology investment. This requires sufficient time and attention to be spent on people change management and end-user training as part of your implementation.

Furthermore, as indicated earlier in this study, GRC technology itself requires governance. As part of your implementation, sufficient attention should be given to the processes needed to maintain your GRC technology continuously after go-live, so that the technology keeps supporting the evolving needs of your organisation.

A critical success factor for leveraging the benefits of your GRC technology investment is therefore ensuring you have the right skills on board during the implementation, either in-house or via external support. Survey respondents confirmed that external support is often called upon during GRC technology implementation: close to 90% of the SAP GRC implementations that took place in Belgium since 2013 were supported by an external consultant.

Building your GRC technology business case

Improved, robust and efficient controls that leverage increased automation are becoming critical as the number and complexity of the risks companies face increase. Organisations need to invest in a technological infrastructure that supports increased automation, better reporting and stronger overall controls governance. However, we see that cost is still often considered a hurdle: twelve of the 14 respondents who did not yet have a GRC tool in place indicated that cost is a main reason.

GRC technology initiatives are often denied in the annual budgeting process, as they compete with other business priorities. Companies are often only willing to invest in such technologies in response to audit or compliance failures, or worse, reputational damage.

A GRC tool adds value, and developing a strong business case with proper financial metrics can help pave the way for more proactive and progressive investment in controls automation technology.

Clearly defining and quantifying the benefits of implementing a GRC tool is essential for a strong business case. Examples of elements to take into account when quantifying the return on your GRC technology investment are:

  • Continuous Control Monitoring (CCM):
    – cost savings by enabling CCM on existing controls;
    – cost savings by converting manual controls to automated ones, resulting in reduced operating cost for the execution of controls;
    – cost savings by converting manual controls to automated ones, resulting in reduced testing cost.
  • Data analytics: improved data analytics lead to operational and test savings (centralising analytics, improving filters to quickly identify exceptions, increasing frequency through better technology).
  • Reliance by external auditors: while this can be a sensitive option, it can reduce annual audit fees when the external auditor relies on the automated controls and validation in your GRC tool.
  • Increased compliance team efficiency: your GRC tool facilitates (centralised) reporting and issue management and resolution, and provides semi-automation of manual controls and improved standardisation.

What will the future bring?

S/4HANA

SAP’s latest ERP platform, S/4HANA, is a robust next-generation business solution. It can be deployed in the cloud or on-premise and is built to provide value and simplicity of use while effectively controlling and automating processes, including compliance. SAP has announced that it will end mainstream maintenance for the SAP Business Suite 7 core application releases at the end of 2025. As a result, many organisations will be migrating to S/4HANA in the coming years.

To make sure you continue to benefit from the investments made in your GRC tools, you must ensure they are adapted to be fit for purpose for S/4HANA. Regardless of whether you opt for an on-premise or a cloud solution, your GRC tools and related risk management procedures should be updated. This includes the necessary technical changes to your systems, but also identifying and responding to the risks that arise from these new technologies, e.g. the increased use of Fiori apps. Fiori apps reach the back end through OData services over HTTP(S) rather than through classic SAP GUI transactions, so an SoD ruleset and a monitoring scope defined purely in terms of transaction codes will not see every path to the same business function.

GDPR
From 25 May 2018, all organisations processing the personal data of individuals in the EU must apply the General Data Protection Regulation (GDPR). The objective of the GDPR is to protect natural persons with regard to the processing of personal data and to set out rules on the free movement of personal data. The regulation has a major impact on organisations’ data protection policies, processes and governance, and on how personal data must be handled in the business overall. Organisations have to implement the new rules and must be able to demonstrate that they comply with them. In case of non-compliance, the GDPR introduces substantially higher administrative penalties of up to four percent of an organisation’s global annual turnover or 20 million euros, whichever is higher.

Many companies are implementing measures to ensure compliance with this new regulation. GRC tools can be a major asset in recording the identified risks and the way companies are responding to them.

GRC tools can also help demonstrate to the regulator that your company has implemented the necessary controls. For example, SAP GRC Emergency Access Management records who checked out a firefighter ID, when, for what stated reason, and which transactions and changes they executed during the session, which is the evidence a reviewer needs to show that privileged access to personal data was controlled. Note that this covers emergency access only; ordinary day-to-day access to personal data is governed by the access and SoD rules, not by the emergency log. Beyond detecting and preventing internal misuse of personal data, GRC technology can also be applied to protect against external threats.

Cyber

Our recent CEO survey showed that cyber threats are a major concern for most CEOs, with 40% of CEOs indicating they are extremely concerned about the impact of cyberattacks on their organisations. ERP systems are often overlooked when it comes to cyberattacks, yet their increasing exposure to the internet makes them vulnerable. They are also typically connected to many other systems within an organisation, which can extend the damage in case of a breach.

A recent study by Onapsis shows that, over the last five years, an average of 340 SAP security notes were released per year. On average it takes 12 months for SAP to release a security note after a vulnerability is identified, and another six months before organisations apply the note, meaning a window of vulnerability of 18 months.

As GRC tools grow in this space, organisations need to invest to ensure their systems are protected against cyberattacks. A GRC tool can help automate the effort to protect your systems against both internal and external threats, for instance by monitoring security-relevant configuration and by keeping privileged access under control. It does not, however, shorten the patch window described above: applying security notes promptly remains a separate operational discipline, and the GRC tool itself should be in scope for that patching like any other system.

Intelligent automation

Robotic process automation (RPA) and intelligent process automation (IPA) are new technologies that allow companies to automate their risk and compliance activities, so that GRC users can focus their efforts on interpreting results rather than manually generating them. However, attention should be paid to applying the right technology. For example, using RPA to automate the monitoring of a particular control may be unnecessary if the underlying issue can be fixed at the source with more effective application configuration or security. Conversely, advanced analytics and RPA may be best used together: analytics can pull data across diverse environments, after which an RPA solution reviews the output. Existing GRC technologies can provide an end-to-end compliance management solution and workflow for all of these capabilities, as well as a single source of truth for governance, risk and compliance.

Data visualisation

With the automation of business and compliance processes come large amounts of data. Companies are starting to use this data to carry out advanced analytics and gain insight into their processes and controls. One of the key challenges is to present this data in a digestible way for the end user. This is where dashboards and other visualisation techniques come in; e.g. the new SAP GRC Access Control 12.0 is Fiori-enabled and focuses even more on the user experience.

At FORFIRM we have developed a dashboard to help users interpret SAP Firefighter (FF) activity. The dashboard converts your SAP FF logs into easy-to-understand graphs that provide a complete overview of your SAP FF activity and focus your review on the key risk areas.

SAP Emergency Access Management is critical for addressing high-priority access issues, but few organisations have a deep understanding of how that emergency access is actually used. Learn to analyse emergency usage to spot trends and gain insight into your firefighters with the SAP Firefighter dashboard, developed by our SAP Risk Assurance experts.

Our SAP Firefighter Dashboard is a user-friendly digital platform which allows you to:

  • Identify high-risk activities in the use of your SAP firefighters
  • Spot trends in emergency user behaviour
  • Improve your firefighter process
  • Improve your IT controls over SAP emergency users
  • Save time in log review

Clients who’ve adopted the tool have reported a significantly streamlined  and more mature emergency process.
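The kind of analysis such a dashboard performs (high-risk activity, missing justification, unusual timing, and repeat usage that signals routine work being done under emergency access) can be reproduced over a log export in a few dozen lines. The Python below is an added example written for this page; it is not FORFIRM’s dashboard and does not use SAP’s actual log format. The CSV layout, the sessions and the list of transactions treated as high-risk are constructed assumptions, and the thresholds (three sessions for the same reason; business hours 07:00 to 19:59) are arbitrary review parameters you would tune.

```python
"""Review of emergency-access (firefighter) session logs.

Added example; not the dashboard described on the page and not SAP's own
log format. The line layout, the sessions, the HIGH_RISK list and the
thresholds are constructed assumptions for illustration only.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed log export: one row per transaction executed in a firefighter
# session. Fields: session id, firefighter ID, person using it, start time,
# executed transaction, change ticket, reason text.
LOG = """\
session,ff_id,user,started,tcode,ticket,reason
S1,FF_FI01,ALICE,2018-03-05 09:12,FB03,CHG-1001,display stuck invoice
S1,FF_FI01,ALICE,2018-03-05 09:12,FB02,CHG-1001,display stuck invoice
S2,FF_BASIS1,DAVE,2018-03-05 22:40,SU01,,urgent
S2,FF_BASIS1,DAVE,2018-03-05 22:40,PFCG,,urgent
S2,FF_BASIS1,DAVE,2018-03-05 22:40,SE16N,,urgent
S3,FF_FI01,ALICE,2018-03-12 10:05,F110,CHG-1010,rerun payment proposal
S4,FF_FI01,ALICE,2018-03-19 10:30,F110,CHG-1022,rerun payment proposal
S5,FF_FI01,ALICE,2018-03-26 10:15,F110,CHG-1031,rerun payment proposal
S6,FF_BASIS1,ERIN,2018-03-27 14:00,SM37,CHG-1040,restart failed job
"""

# Assumed list of transactions whose use in an emergency session warrants
# line-by-line review (user/role administration, direct table access, payments).
HIGH_RISK = {"SU01", "PFCG", "SE16N", "SM30", "SE38", "F110"}
BUSINESS_HOURS = range(7, 20)        # assumed: 07:00 to 19:59 local time


def parse_sessions(text):
    """Group log rows by session id; return {session_id: session dict}."""
    sessions = {}
    for row in csv.DictReader(StringIO(text)):
        s = sessions.setdefault(row["session"], {
            "ff_id": row["ff_id"], "user": row["user"],
            "started": datetime.strptime(row["started"], "%Y-%m-%d %H:%M"),
            "ticket": row["ticket"], "reason": row["reason"], "tcodes": [],
        })
        s["tcodes"].append(row["tcode"])
    return sessions


def flag_session(s):
    """Return the review flags raised by one session (empty list = routine)."""
    flags = []
    risky = sorted(set(s["tcodes"]) & HIGH_RISK)
    if risky:
        flags.append("high-risk transactions: " + ",".join(risky))
    if not s["ticket"]:
        flags.append("no change ticket referenced")
    if len(s["reason"].split()) < 3:
        flags.append("reason too short to justify emergency access")
    if s["started"].hour not in BUSINESS_HOURS:
        flags.append("started outside business hours")
    return flags


def review(text, repeat_threshold=3):
    """Per-session flags plus trend findings across the whole export."""
    sessions = parse_sessions(text)
    findings = {sid: flag_session(s) for sid, s in sessions.items()}
    # Trend: the same person repeatedly using emergency access for the same
    # reason is routine work that needs standard access or a root-cause fix.
    per_user_reason = Counter((s["user"], s["reason"]) for s in sessions.values())
    trends = [f"{u} used emergency access {n}x for '{r}': routine work, not an emergency"
              for (u, r), n in per_user_reason.items() if n >= repeat_threshold]
    return findings, trends


if __name__ == "__main__":
    findings, trends = review(LOG)
    for sid, flags in findings.items():
        print(sid, "OK" if not flags else "; ".join(flags))
    for t in trends:
        print("TREND:", t)
```

On the constructed export, one session (S2) collects every flag at once: user and role administration plus direct table access, no ticket, a one-word reason, started late at night. That is the session a reviewer reads line by line. The three F110 sessions are each individually justified, but the trend check shows the same person rerunning the payment proposal week after week under emergency access, which is the process finding behind ‘Improve your firefighter process’ above.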


A call-to-action for Belgian organisations

Regulations and security threats are constantly evolving. Managing governance, risk, compliance and security continues to be a challenge for most organisations. With increasing compliance requirements, organisations are seeking to reduce cost and increase the value derived from their investment in control processes, people and technology.

GRC tools offer non-negligible advantages in the form of reduced costs, increased efficiency through automation and fewer errors, resulting in greater compliance. The results of our study show that Belgian companies have made efforts to implement dedicated GRC tools but are still behind their global peers and competitors. We see an increase both in the number of companies using GRC tools and in the functionality used. However, as these technologies evolve, your organisation must ensure your tools continue to manage risk adequately, including detecting and protecting against cyber threats.

A dedicated GRC solution should be an essential component of any company’s risk and control structure. Companies relying on outdated or manual tools leave themselves at a distinct disadvantage in the face of their competitors.