I went to last week’s SAP sponsored GRC conference with high expectations. For some months now I’ve been eagerly following the work being done inside SAP on this topic, watching blogs like Greenmonk and James Farrar’s On Sustainability and building up my own understanding of the issues, some of which are much more complex than they first appear. Imagine then my dismay when two of what I thought were the more important sessions: Go Green: Managing Environmental Compliance While Building Brand Value and the other, a more general canter through issues around corruption that included the introduction of a survey on confronting corruption by PWC, were poorly attended. In the first session I counted around 30 people, in the second, fewer than 20. That for a conference that must have attracted some 5,000 delegates.

I realise we’re very early in understanding of how different aspects of sustainability and accountability impact business performance but in both cases, speakers made solid cases for business value derived from doing the right things. One of the problems as I see it is the way it is positioned by the analyst community.

I sat in on an analyst lunch where a Gartner representative posited that GRC falls into siloes - some around IT, others around finance and operations. I was horrified. To me this is a perpetuation of ‘old’ thinking. It simply doesn’t make sense to fence off risk in this manner. If anything, I regard it as counter productive. Here’s why.

Business may be organised along siloes but risk cuts right across and through the business. Take what happened at Siemens as an example. Earlier today it announced massive potential losses. Some came about because of turnkey projects gone sour but according to the FT:

The second problem came in the mobility unit, where delays in awarding big projects such as the Transrapid train and restructuring in one of its businesses led to about €200m in writedowns.

The final issue was in its IT division, where one of its large contracts with the UK Department for Work and Pensions was cancelled and other UK projects had smaller risks, leading to a writedown of more than €100m.

Siemens has been at the centre of an ongoing investigation into its business practices and could be the subject of huge fines by regulators in the US. The knock on effect in damaged reputation across the whole of its business cannot be discounted as a significant factor impacting performance. At the very least it should serve as a warning to others. Yet at a conference with sessions that should have been packed to the rafters, few seemed to care. What’s the problem?

Discussing these issues with senior SAP executives, it is clear we are very early in the game. Depending on whom one speaks with, there are a variety of agendas in play but no coordinated approach to market. This is hardly surprising given there are  many ways to attack GRC. Nevertheless, it is perhaps telling that in PwC’s Confronting Corruption, only 45% of respondents thought there is substantial value in having a publicly disclosed anti-corruption programme and controls. Elsewhere, TerraChoice asserts that greenwashing is rife lending credence to the argument that companies are yet to take the ‘green’ issue seriously.

The discussions I had with SAP were refreshing for their honesty and robustness. Each time they were challenged, SAP execs conceded there is much to be done in the formulation of approaches, the development of technologies and the education of customers. Holly Roland, VP blogal marketing described it as a “Marathon not a sprint.” SAP was also open to ideas about how the market might be approached and, more importantly, engaged. My sense is that focusing too much on risk is not the way to go albeit I agree that controls designed to capture high level risks at the decision making stage should be fundamental to any GRC strategy. At a time of economic uncertainty, the last thing business needs is another Enron or Siemens yet as an industry, we need to find ways that demonstrate the business profit in following GRC policies with bite. So for example David Ahrens of SAP Americas pointed out that: “Standard and Poors are starting to measure against the visibility into enterprise risk as a means of assessing credit ratings.” I’ll bet not many CXOs know that.

On one thing SAP and I were firmly agreed: there needs to be an alignment between governance and strategic goals. In other words, companies need to think about their business in a different way, one that asks the question: If we pursue this opportunity, what will be our operational risks?

The other week, I kicked off a debate at SAP’s developer and business community that was described by some as ‘provocative.’ To cut a long story short, I was pointed in the direction of an appalling story about the use of slave labour in Jordan by a supplier to Victoria’s Secret. That company’s parent is Limited Brands. SAP supplied the specialist software to run Limited’s global supply chain, several years before the human rights abuses became public. The provocative part came where I wondered what a secondary supplier - in this case SAP - might do given it has an active CSR group that is attempting to frame a series of responses to issues in which the group is interested. The responses that followed were interesting and thought provoking. That’s a start.

As a freelancer writer, I am in a privileged position. I am not constrained by the terms of service that employees need to observe when it comes to commenting on corporate policy. At the same time, I am aware that raising such issues is bound to cause some head scratching. Any company that supplies the Global 2000 will at some stage cross the path of those who are less than scrupulous. When it does, then it needs to frame a sensible response. Pointing to the principles to which it holds itself accountable somehow doesn’t seem enough.

I’m often highly critical of companies’ CSR efforts. Too often they’re little more than fine sounding words on a back page of the financial statements. Nowadays, issues such as climate change, sustainability and accountability are becoming harder to avoid. Companies that continue to say plenty and do nothing will increasingly find themselves roundly lashed by those who demand change. In this case, SAP employees took what I consider a brave stance.

James Farrar, who leads SAP’s CSR effort said to me in email:

We’re on the same wavelength…This is a hugely complicated area but its as important as climate change in my view. In fact, many would argue that problems like climate change can only be unlocked by human rights.

He is right on all counts. And therein lies the problem. Just how much ‘power’ does a secondary technology provider truly have in these situations? At this point precious little. But that is not an excuse for inaction.

Marilyn Pratt, who is an evangelist in SAP’s business process expert community who has an unabashed kibbutznik view of the world with the emphasis on sharing expanded on my general line of thinking, coming up with the start of an action plan based upon From Corporate Responsibility to Backstory Management:

So this is a call to action: “the path to really managing your backstory runs through big visions, hard targets and open admission of shortcomings. Shoe manufacturers should work to envision a boldly responsible shoe, one which not only incorporates their ambitions about the future of footwear, but also encompasses the cutting-edge standards in ethical behavior: a shoe, say, that has a one-planet ecological footprint and meets the highest possible labor standards. That company should share the vision of that shoe with every one of its customers.”

As a company/community of knowledge workers, what kind of visions, behaviors and yes, shortcomings, do we wish to share?

Even if the truth is “inconvenient” we had better embrace it and acknowledge our responsibility in the value chain. And yes that means all of us: stakeholders, individuals, employees, and organizations alike. None, it would seem are exempt.

When I wrote the original piece, I was well aware of the risks I was taking. At present, SAP involves me in many of its initiatives, sometimes on the record, sometimes not. Taking a prod at companies of this size can quickly get you shoved to the back of the ‘interview request queue’ as I have found in the past. The fact SAP employees not only responded, but are taking a pro-active stance (see RESIST as an example) on a broad range of issues is not only inspiring but thought leading. This in a further email from James Farrar:

Best practice in this area is concept of sphere of influence and so stakeholder demand then usually focuses upstream rather than down where for the most part the vendor has no power or legitimacy to police the extended actions of its customers. Obvious exceptions here is when the product itself is inherently problematic eg. alcohol, tobacco, firearms, porn but then again focus is once more usually on the production process and features of the product itself to make it inherently less harmful.

In the next few days, I will be meeting senior SAP executives at its upcoming GRC 2008 conference to discuss these issues. It will be interesting to hear their thoughts and engage in what is bound to be a fascinating series of conversations.