
On Thursday, September 17, I was at the European GRC Conference in Vienna, organized by IDS Scheer. The topic of this international event was successful governance, risk and compliance management and how to make it efficient. There were more than 100 participants from several European countries. Clearly, this business challenge has a widespread and interested community.

Guenter Brandner and Gerhard Donner from Ernst & Young Vienna opened the conference with their keynote "Corruption or compliance – Weighing the costs". They recommended that the audience implement safeguarded processes to cope with the compliance problem and to increase efficiency through cost cuts and performance improvement. By safeguarded processes they mean processes that are robust enough and well enough documented to withstand possible cross-examination in court. Such processes should be reliable, secure, effective, efficient and compliant.

After that, Markus Dobmeyer from Infineon presented how they implemented ARIS for SOX and process management at Infineon. One of their main problems was to make their SOX activities more efficient and thereby enhance the quality and value of the process harmonization triggered by SOX. He shared some lessons learned with the audience. Infineon followed a war room approach that proved to be very valuable for first-time modeling, but it should include expert consultancy, in this case from IDS Scheer. He also recommended a preparation and planning phase of three months before modeling data.

The conference also included speeches from IDS Scheer experts. Martin Kling and Nils Westphal started with their presentation about the ARIS Solution for GRC and its core product, ARIS Risk & Compliance Manager. They said that unstable processes make reliable conclusions about the risk or compliance status impossible. That means that processes and the appropriate controls should be documented. But it also means that as-is processes must be executed as described. If they are not, controls will be bypassed and the internal control system is not effective. With the ARIS Solution for GRC this problem can be solved, as the testing workflow for the controls is exactly defined and monitored.

In the next presentation, Michael Hoffmann and Frank Heil from IDS Scheer spoke on the topic "KPI-based management control using IT as an example – methods, processes and systems". They said that it is necessary for a company to focus on key performance indicators if it wants to enhance its business performance. They explained the IDS Scheer consulting approach and took the ARIS ITIL V3 reference model as an example.

The last presentation of the day was held by Franz Ringswirth from Telekom Austria. He showed how they implemented ARIS for their internal control system (ICS). First, they implemented a SOX-ICS, but after their delisting in May 2007, they optimized it to a EURO-ICS. They achieved very high management awareness of business process management and its benefits for managers' own responsibilities.

The conference was concluded by a panel discussion with Guenter Brandner and Gerhard Donner from Ernst & Young, Franz Ringswirth from Telekom Austria and Martin Kling from IDS Scheer. They wrapped up the topics of the day and gave some outlook on the future. As the complexity of the compliance challenge will increase rather than diminish, each company should designate a board member responsible for compliance management, no matter whether it is the CEO, CRO, CIO or someone else. Especially in Europe, regulations can differ greatly from country to country. That is why it is difficult to say what the main compliance topics of the future will be. Martin Kling from IDS Scheer said that it makes sense to combine compliance management and operational risk management. In reality, however, these are often separate departments in companies. They should learn to work more closely together. Franz Ringswirth liked the term business continuity very much. It underlines that compliance is not a one-time project, but something that has to be integrated into everyday business.

That was my personal review of this interesting conference. Hope to see you next time!

Tags: GRC