A few weeks ago, my colleague Bo Baade-Pedersen, who leads the GRC & Security Centre of Excellence for EMEA-South at SAP, guided me to a recording of a lecture that was delivered by Clayton Christensen at the Saïd Business School at the University of Oxford, where he explained his theory of disruption, drawing on examples of innovations occurring in the steel industry but also automotive and consumer products.
In short, Clayton Christensen explains that there are 2 types of innovations:
* Sustaining innovations where a company continuously improves its product to address a higher end of the market where margins are typically higher and
* Efficiency innovations where a company completely rethinks a product that was previously so expensive and complicated it was only available to a select few and makes it more affordable so that it is now accessible to a much larger customer base.
This set my mind racing, and I started to wonder how Governance, Risk, and Compliance (GRC) technologies could support disruptive innovations – be it sustaining innovations or efficiency innovations – and by what means.
Detect Process Improvements
This is probably the core of “sustaining innovations”. To improve a product or service, improving the entire end-to-end process would be a great start.
That platform economies such as Uber, Airbnb, etc. disrupted the economy is undeniable. But did they do so through efficiency or sustaining innovations? Personally, I feel the latter.
They improved the process by centring it on the customer and providing a new experience. Taxis or hotel rooms weren’t overly expensive or complicated in nature, but these digital companies did make it much easier to consume.
Here, GRC technology could support by putting continuous monitoring at the core of the customer journey and automatically detecting and raising any anomalies and discrepancies in defined processes. This would then enable process owners to be alerted and resolve issues rapidly. In a previous blog (GRC Tuesdays: When Governance, Risk, and Compliance Supports the Subscription Based Digital Economy), I illustrated how automated controls could monitor a customer's payment methods to ensure that they are warned in time if one is about to expire. This is just an example for the billing process, but examples can also be found in supply chain, human resources, information technology, etc.
Illustration: SAP Process Mining by Celonis
Identify, Analyse and Seize Opportunities
One of the premises of surfing the innovation wave, and even of going from sustaining innovations to efficiency innovations, resides in the simple fact that this innovation is identified and prioritized by the company.
As Clayton Christensen mentioned in his lecture, many people come up to the organization (internal or external) and claim to have the best idea since sliced bread.
Enabling this idea to make its way through the organization and get the right level of review is often more a question of sheer luck than science.
Most definitions of GRC will agree that one of its facets is to address uncertainty – hence both risks and opportunities.
GRC technology can help users identify and document potential opportunities and then trigger a collaborative process where colleagues from various areas can assess the likelihood it would be achieved and what could be the outcomes – from various perspectives: sales, operations, customer satisfaction, etc.
But that’s just one part of it. Knowing that you have great potential but not being able to act on it isn’t of much help.
Where GRC technology can additionally come to the rescue is in the fact that enhancement plans (those actions that can be undertaken to further improve the chances of success) can also be documented, stakeholders assigned and progress tracked. This then doesn’t leave success to chance itself but rather to a more predictable method.
Illustration: Opportunities in SAP Risk Management
Proactively Detect Risks
Finally, many companies are facing challenges finding ways of performing useful, proactive, risk-based decision making. And really, what better way to become more innovative than seeing the risks before they are even on the horizon and getting ahead of the curve by finding alternatives?
I am pretty sure that the Captain of the Titanic wouldn’t have minded latest-generation sonar and radar technology. Well, this is precisely what Proactive Risk Management is: a sonar for risks that are beyond eyesight. With this approach, companies are able to redirect the ship (or business unit) before it hits the iceberg.
Using business intelligence, augmented analytics, and built-in collaboration tools but also combining this with embedded risk management features such as what-if simulations, users could:
* Test various assumptions: what happens if we improve this aspect of the product, or reduce this risk, or add a new action to reduce the impact?
* Reduce difficulties in collecting meaningful, complete and up-to-date risk and control information focusing on what is really important to the business: what are our real time indicators telling us?
* Reduce difficulties in leveraging this often-complex information for useful and relevant board and management level decision making; something more engaging and better than “yet another heatmap”: how does all this information tie back to our corporate objectives?
This would definitely make the process more proactive, relevant to core business operations, and linked to the organization’s strategy.
This would also help companies take more business risks while still remaining aligned with the company’s risk appetite.
Illustration: Risk Management information displayed in SAP Analytics Cloud
While Remaining Compliant, Of Course
And all of this without losing the perspective of being compliant since this is, after all, one of the major functions of GRC!
By automating control and risk monitoring, testing, issue follow-up, etc., companies can continue to act in compliance, and this also enables better resource allocation. To some extent, it also frees up capital – human and monetary. It frees up human capital since experts can then focus on less manual tasks. Auditors, for instance, can spend more time on finding and sharing best practices rather than chasing issues and their resolution.
It also frees up monetary capital that is sometimes set aside for regulatory fines and legal fees. With the increasing number of regulatory requirements, some companies have decided to apply a similar approach to the one requested of banking corporations for operational losses – the minimum capital requirements. Some companies therefore decide to immobilize some capital to be able to face any legal actions from compliance breaches.
Of course, GRC isn’t the only enabler for competitive advantage. Nevertheless, I do hope that the options above will put GRC experts in a new light.
What about you, do you leverage GRC as a competitive advantage? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard