About Me

I'm one of the Directors @ su53 Solutions. su53 provides risk management, compliance and security services to companies that run SAP, reducing costs, automating process conformance, driving business results and enhancing your status as a trusted organisation. I'm passionate about Risk Management and Security. My views are influenced by OCEG thinking. My vision aligns Risk to Strategy, focuses on mapping controls to risks, and leverages CCM and data mining. All this operates within your boundaries. Technology is the enabler. Collaboration and Communication are key to the success of GRC. My path to my current role has been varied, joining a Big 4 as a post-graduate from Queens Belfast and Notre Dame Indiana, before developing in-depth SAP® BASIS skills en route to a focused career plan to become a lead thinker in SAP-related GRC, audit and security. I've travelled extensively and worked with many organisations (from Australia to the Arctic). The breadth of exposure to client SAP systems and the various attitudes, abilities, processes and practices around risk management has given me a sound perspective on best practice. GRC isn't my job, it's my passion.

Tuesday 22 March 2011

The impact of "Social" on GRC

Don't laugh - this sounds like a bridge too far but you may be surprised.

The last few years have seen social networking become part of everyday life. Hundreds of millions of people are using Facebook, Twitter, LinkedIn and other sites. Price comparison sites are accessed by millions, and recently we've seen sites giving bulk discounts to the masses.

I've been thinking recently about how "Social" can apply to GRC. It's interesting to see how the future could leverage the brain power and insight of the masses, but also use them to encourage user adoption and better behaviour. I've spotted several examples recently that I wanted to share:

1. The su53 GRC Dashboards - http://www.youtube.com/watch?v=W18amVURIEs&feature=youtu.be
By allowing comparisons between different parts of your business, over time users are encouraged to improve and make better decisions. Transparency will drive better adoption and performance. It was interesting to see the reaction from John Garrish of SAP. He prompted the term "Social GRC". Also fascinating was the feedback from some SAP GRC customers. Some like to name and shame their laggards, others take a softer approach.

2. Michael Rasmussen's anecdote from the OCEG bootcamp (quoting Tom Peters) - "If you want to know what's really going on you should ask the janitor" - prompts some more thoughts about how the masses can help with Risk Management. We are already familiar with the whistleblower concept, but there must be some mileage in using the power of the crowd for more here. I'll be doing some research on how the crowd can help with KRIs, to help you detect and avoid events. Watch this space!

3. "Apple" shares the results of its 2010 supplier audit (http://tinyurl.com/5r99pwy). I was impressed by the article from Computerworld. It seems that there is some benefit in externalising your GRC information. This policy matters to Apple. Making the results public demonstrates this internally, but Apple will also benefit from brand enhancement here.

User adoption, embedding GRC in the business processes and encouraging ownership are key elements of any successful GRC program. I think "social" can have a part to play here. Do let me know your thoughts.

1 comment:

  1. I've corrected an error in the original post. I'd credited Michael with the quote about the janitor. Apparently he was quoting Tom Peters. I really like this quote and use it frequently.