I went to last week’s SAP sponsored GRC conference with high expectations. For some months now I’ve been eagerly following the work being done inside SAP on this topic, watching blogs like Greenmonk and James Farrar’s On Sustainability and building up my own understanding of the issues, some of which are much more complex than they first appear. Imagine then my dismay when two of what I thought were the more important sessions: Go Green: Managing Environmental Compliance While Building Brand Value and the other, a more general canter through issues around corruption that included the introduction of a survey on confronting corruption by PWC, were poorly attended. In the first session I counted around 30 people, in the second, fewer than 20. That for a conference that must have attracted some 5,000 delegates.

I realise we’re very early in understanding of how different aspects of sustainability and accountability impact business performance but in both cases, speakers made solid cases for business value derived from doing the right things. One of the problems as I see it is the way it is positioned by the analyst community.

I sat in on an analyst lunch where a Gartner representative posited that GRC falls into siloes - some around IT, others around finance and operations. I was horrified. To me this is a perpetuation of ‘old’ thinking. It simply doesn’t make sense to fence off risk in this manner. If anything, I regard it as counter productive. Here’s why.

Business may be organised along siloes but risk cuts right across and through the business. Take what happened at Siemens as an example. Earlier today it announced massive potential losses. Some came about because of turnkey projects gone sour but according to the FT:

The second problem came in the mobility unit, where delays in awarding big projects such as the Transrapid train and restructuring in one of its businesses led to about €200m in writedowns.

The final issue was in its IT division, where one of its large contracts with the UK Department for Work and Pensions was cancelled and other UK projects had smaller risks, leading to a writedown of more than €100m.

Siemens has been at the centre of an ongoing investigation into its business practices and could be the subject of huge fines by regulators in the US. The knock on effect in damaged reputation across the whole of its business cannot be discounted as a significant factor impacting performance. At the very least it should serve as a warning to others. Yet at a conference with sessions that should have been packed to the rafters, few seemed to care. What’s the problem?

Discussing these issues with senior SAP executives, it is clear we are very early in the game. Depending on whom one speaks with, there are a variety of agendas in play but no coordinated approach to market. This is hardly surprising given there are  many ways to attack GRC. Nevertheless, it is perhaps telling that in PwC’s Confronting Corruption, only 45% of respondents thought there is substantial value in having a publicly disclosed anti-corruption programme and controls. Elsewhere, TerraChoice asserts that greenwashing is rife lending credence to the argument that companies are yet to take the ‘green’ issue seriously.

The discussions I had with SAP were refreshing for their honesty and robustness. Each time they were challenged, SAP execs conceded there is much to be done in the formulation of approaches, the development of technologies and the education of customers. Holly Roland, VP blogal marketing described it as a “Marathon not a sprint.” SAP was also open to ideas about how the market might be approached and, more importantly, engaged. My sense is that focusing too much on risk is not the way to go albeit I agree that controls designed to capture high level risks at the decision making stage should be fundamental to any GRC strategy. At a time of economic uncertainty, the last thing business needs is another Enron or Siemens yet as an industry, we need to find ways that demonstrate the business profit in following GRC policies with bite. So for example David Ahrens of SAP Americas pointed out that: “Standard and Poors are starting to measure against the visibility into enterprise risk as a means of assessing credit ratings.” I’ll bet not many CXOs know that.

On one thing SAP and I were firmly agreed: there needs to be an alignment between governance and strategic goals. In other words, companies need to think about their business in a different way, one that asks the question: If we pursue this opportunity, what will be our operational risks?