Internal Controls: The Journey from Compliance to Risk Management
- by Gary Dickhart, Vice President, SAP GRC Customer Advisory Office, SAP
- March 15, 2008
See how to make compliance more operational with a more preventative, integrated approach that emphasizes risk management over compliance. By embedding more controls into this approach, your organization achieves greater efficiency and lower compliance testing costs than in the more manual report and review model that many companies use.
The Sarbanes-Oxley Act prompted management to report the controls enforced in its company’s systems. Initial responses to the act were strictly compliance-based, as organizations focused on providing enough information to pass external audits without worrying about the efficiency and effectiveness of their systems. Over time, many companies have decided that it is more cost effective to be proactive, using automatic processes and risk management strategies in conjunction with manual processes associated with compliance strategies.
Some organizations view the assessment and management of their internal controls solely as a compliance activity. Other organizations, by contrast, view controls as an integral governance aid that helps them manage risk and reach operational goals. It is very important for managers leading implementation efforts for GRC initiatives to recognize their organization’s approach, so that they succeed not only in achieving compliance but in enabling their organizations to embrace a risk management approach that sustains compliance and reduces its cost.
Both approaches enable you to be compliant, but looking solely for compliance ultimately results in a short-term accomplishment that becomes more costly to sustain over time. In many companies, the person implementing the program cannot exert enough influence to change the view of compliance as anything other than a one-time project. In addition, many large organizations take years to adopt the more strategic approach. Implementers need to be aware of two factors: management’s willingness to adopt a more strategic approach, and the capability to drive and manage changes in the organization during or outside the project. If management is unwilling, other “natural” change agents might help the implementation team, such as the drive to lower the cost of sustaining the program, the desire to reach the level of their competitors, or weaknesses pointed out by auditors that need to be addressed over time.
I’ll compare and contrast the two approaches and explain why more organizations will be making the more strategic approach part of their governance model over the next few years. I’ll start with an overview of the approaches, and then look at each approach individually.