A great GRC success story

The post below is written by my good friend, Bruce Carpenter, who leads both internal audit and risk management for Sybase. By way of disclosure, Sybase was acquired by SAP partway through their GRC journey, and they have operated as an independent division of SAP since then, with Bruce continuing to run audit, risk, and compliance.

Integrating GRC Into the Rhythm of the Business

By Bruce Carpenter

At Sybase we are proud and delighted to be awarded the 2012 OCEG Principled Performance Award for our GRC program.

I like to think that we have integrated governance, risk, and compliance into the rhythm of Sybase’s business, and I’d like to explain to you how that happened and to give you examples of the results.

As VP Internal Audit I am responsible for SOX, risk management, internal audit, and compliance. Combining these functions provided the context to organize GRC resources.

Top-Down Leadership

Our CEO John Chen wanted to create company performance led by integrity. To do that he wanted a GRC framework that didn’t operate in a separate silo, but was integrated across departments and supported his direct reports in managing risk more effectively across the organization. His goal reflected the OCEG Red Book objective of “Principled Performance”. John Chen’s leadership was instrumental in creating the sponsorship needed to get our program going. He knew that the most significant risks generally required coordination between more than one executive team member, so this process could also support strategy coordination.

The result was to refocus ERM using a top-down approach, directly aligning risk identification with strategic direction. The CEO requested that internal audit meet quarterly with each ELT member to identify key risks associated with meeting their strategic goals.

The next step was to conduct a compliance risk assessment to identify legal and regulatory risks. Working with Global Legal, HR, and Finance, we identified compliance risks worldwide. We prioritized 20 of these. We also recognized that many of our existing SOX controls, particularly our Entity Level Controls and our IT controls, also play an important part in demonstrating regulatory compliance. We wanted to be able to link these regulatory risks with our existing controls, but there was no easy way to do this. It became clear that an exercise in pivot tables and linked spreadsheets wasn’t going to be enough.

Limitations of Manual Reporting

Even though the components of an effective program existed, we lacked the ability to provide effective real-time reporting. These are classic examples of challenges with manual processes.

We had risks which were of enterprise risk management level and risks which were at a compliance level. We knew that we had controls that addressed both categories of risks. But we couldn’t relate them.

The existing data was difficult to manipulate, and therefore of less use in supporting effective management decisions.

We wanted to lift our methodology to the next level to consider concepts like risk appetite, and risk velocity.

Using the Automation Process to Enhance GRC Methodology

We used the bowtie functionality (the left part of the tie represents the risk drivers, and the right is the potential effect) of the SAP GRC application, introducing methodology enhancements that proved very useful in the design conversations with the executive leadership team (“ELT”): Risk Drivers, Risk Impact, and Key Risk Indicators. To demonstrate the use of the bowtie concept we analyzed the risks associated with channel stuffing. Implementation of appropriate strategies including partner audits reduced this risk for Sybase.

It became clear that a risk driver in one part of the organization (owned by one ELT member) could impact the Risk Impact for which another ELT member would be responsible. Automation facilitated a more holistic assessment and response to risks at Sybase.

Moving forward, pie charts showing driver categories will allow management to shift the focus away from individual risks to manage the causes or drivers of those risks, improving the effectiveness of overall risk management. Similarly, it will be possible to produce real-time heat maps combining graphical reporting and detailed risk listings, with interactive drill down capabilities.

How GRC Supported the Business

So let’s consider some examples of Principled Performance within Sybase:

• An increase in share price of around 300% over five years
• An increase in financial services industry revenue of $90 million over two years at a time when revenues could easily have been in decline
• A reduction in the incidence of channel stuffing due to on-site partner audits and other management strategies
• Automating the link between compliance risks and controls to facilitate reporting to mCommerce customers

Summary: The impact on management

As GRC professionals we strive to make our work both relevant and useful. One executive used these words to explain his thinking around GRC and risk management:

“… gets my attention to what is required to achieve best industry practice with regard to risk management”

“The risk management process creates the pressure of knowing that we have to get things done…”

“There is a person (you) and a process (the company process) and people know that this is important”

This is an important journey. I believe effective GRC automation has the potential to significantly impact organizational performance, and enhance management understanding of the associated risks they are required to manage.

I want to close with some thoughts to open up a conversation.

• There may be those among my fellow auditors who believe that risk management, compliance and internal audit responsibilities should always be separated, regardless of organization size. What are your views?
• At Sybase, we have worked to ensure the active participation of Sybase senior executives in our GRC programs. What are ways you have achieved this in your organization?
• We wanted to develop a focus on business performance, not just the performance of controls. What steps have you been able to take to ensure your GRC program has a strategic focus?
• We value the contribution of GRC technology, not just audit technology to achieve our success. How has technology enhanced organisational thinking around GRC for your organization?

I am interested in your comments and experiences.

  1. Khanh Vuong
    June 5, 2012 at 12:34 PM


    Great platform for an integrated system for managing risk, governance, controls, and compliance. One problem I see is that the independence of the auditing process conflicts with the involvement of the risk management function with the ELT. Case in point: there may be reasons for the ELT to decide not to remedy an audit finding for business reasons (if only on a temporary basis), but if the CAE finds this out through the interaction on the risk management side, then the CAE is caught in a difficult position: to sympathize with management would be compromising on the audit finding and potentially put the organization at great risk, or to press the issue and in the process call into question the whole involvement aspect of the risk management role.

    There are two possible arguments to make in favor of this GRC program under the supervision of the CAE: 1) the CAE can learn to wear two different hats and switch back and forth as necessary (much like what John Fraser described as his job at Hydro One); or 2) redefine the audit or the risk management function to be something of lesser significance than what they should be.

    What would work best is for integration to be carried out by the Board, rather than advocating the reporting line to be under the CAE’s or the CRO. Just my thoughts.

  2. Mohamed Saleem
    June 6, 2012 at 1:04 AM

    Respected Norman, you always share a wealth of information without taking sides with any one group or standard, which is a quality that is rare in recent times. Keep it up.

    Khanh made some good points.

    The question is Ownership or Collaboration. IMO, as long as IA limits itself to the extent of collaboration without impairing its independence, then there is value preservation for all stakeholders. On the contrary, an ownership role is bound to impair objectivity at the individual level and independence at the functional level, thereby raising integrity issues for IA.

    Having said this, IA for the most part is functioning in silos without collaboration and creating a police image rather than an active advisory role in line with IIA guidance on the role of IA in ERM.

    Yes indeed, scope exists to explore more roles without impairing independence, which I believe the IIA would do for the IA & RM community, having great thinkers like you in the IIA with impartial analysis.

    Mohamed Saleem B.TECH, CIA, CRMA

    • Norman Marks
      June 6, 2012 at 2:15 AM

      Thank you both for your kind comments.

      With respect to the separation of risk management and internal audit, I would point you to the IIA position paper on the role of internal audit in risk management. I have previously written about how I would modify the “fan” in that paper.

      Norman D. Marks, CPA, CRMA, OCEG Fellow, Honorary Fellow of the Institute of Risk Management, Vice President, Evangelist Better Run Business, SAP

      • Khanh
        June 6, 2012 at 4:16 AM

        Even with the fan, would you put the CRO under the CAE?

        • Norman Marks
          June 6, 2012 at 4:40 AM

          Would I put the CRO under the CAE if all the provisions of the fan are met? If that is best for the company as a whole, yes. I would.

          Norman D. Marks, CPA, CRMA, OCEG Fellow, Honorary Fellow of the Institute of Risk Management, Vice President, Evangelist Better Run Business, SAP

  3. June 27, 2012 at 12:08 AM

    GRC success story is very meaningful. It’s really the rhythm of business. Thanks for sharing this.
