In recent times, SAP has been woo’ing me down the governance, risk and compliance (GRC) path. To its credit, the company has done a lot of good work in this area, seeking to develop industry alliances and raise awareness of the issues at stake, especially in the area of corporate citizenship. Most recently, James Farrar, who is VP corporate citizenship at SAP and Steve Rochlin, head of Accountability US managed to get a good article on the topic as it relates to Web 2.0 placed at the FT. Among other things, they say:

A decade ago if you brought together a company, an activist non-governmental organisation (NGO), and a government agency, you were guaranteed to create tension. Today, these oddly matched partners generate innovation out of positive, creative tension. Web 2.0 platforms make it easier to build such diverse communities that use different experience and perspective to create innovative solutions.

A couple of days ago, I received an SAP email newletter with the tantalizing headline:
Achieving Corporate Accountability with a Unified Approach to Governance, Risk, and Compliance Webcast. On the webcast David Kasabian, analyst with AMR reckons the market is worth $32 billion per annum. That makes it a good sized market. Holly Roland, VP marketing for GRC solutions at SAP talked extensively about managing the risks in the supply chain - something I’ve talked about elsewhere.

Imagine then my surprise when a June 2008 report from Gartner entitled Magic Quadrant for Enterprise Governance, Risk and Compliance landed on my digital doorstep that doesn’t list SAP. The company doesn’t appear anywhere although one of its partners, Protiviti does. Marketing ahead of reality, an unfortunate omission or something else? SAP has reached some 1,700 customers with GRC solutions and seen revenues double over the last year.

[Image credit: Gartner Inc.]

PS: I expect to hear a lot more about how the BusinessObjects acquisition is feeding into SAP’s GRC efforts at the forthcoming influencer’s meeting in Boston next month.

Next week I will be attending a meeting of Business for Social Responsibility in Boston. The meeting will be interesting as it is seeking to develop a framework that looks at the materiality concept as it applies to issues of importance to stakeholders.

One of the more interesting problems comes in finding the balance between what matters to stakeholders and what matters to business. What struck me from the graphic below is that in some cases, there is almost an inverse relationship between stakeholder importance of issues that get plenty of attention such as climate change risk and what influences business. Clearly there is an education process to be undertaken though the question I want answering is whether it is possible to develop software that adequately addresses both dimensions. For instance, data centre usage is high in the agenda but how might software be developed that uses less energy cycles than existing systems?

Immediately afterwards, I go to Orlando to attend SAPPHIRE, SAP’s annual customer shindig. I will be taking part in a round table discussion on issues around sustainability, a topic that is taking on increasing importance for companies like Intel, HSBC and others. Alongside this, a wiki has been opened that has the support of SAP, AccountAbility, and RedMonk in association with Business for Social Responsibility (BSR), and the International Business Leaders Forum (IBLF).

It’s first post refers to the use of Web 2.0 tools in the context of developing policies and actions that not only address issues of importance but do so in a way that allows business to prosper.

Web 2.0 revolutionizes how we regulate business, how we govern business, how we design and implement future business models, and how we innovate. But, there’s no guarantee that everyone – or anyone – will be pleased with the results of this revolution. Web 2.0 is an enabler. But what it enables is up to us and billions of other individuals.

• How do we want Web 2.0 to enable responsible business performance?
• How can we collaborate effectively to utilize Web 2.0 tools to enable stakeholder engagement and citizen voice that enhances the business and society relationship?
• How can Web 2.0 enable innovative, collaboratively generated solutions for pressing environmental, social, and governance-related issues?

In talking with OpenPages earlier this week it is abundantly clear that those businesses which understand risk management also understand that executing against risk management strategies can lead to significant business advantage. From my perspective, we can talk all day about whether it is right or wrong to undertake sustainability measures in a risk based environment but unless there is a benefit to the business then it won’t happen. I don’t expect to find definitive answers to these problems but I hope that fresh light will be shed on the nature and scale of the problems with which business has to wrestle.

A recent report entitled The State of Green Business, 2008 is packed with facts and figures that make heartening reading for anyone concerned with governance.

I was particularly struck by the laggardly growth in CSR reporting, that despite:

Customers, investors, and stakeholders are demanding increasingly greater accountability and transparency from companies on environmental and social issues. They want to know what companies are, and aren’t, doing, warts and all.

The report says that even though the Global Reporting Initiative is now reasonably well established, growth in meaningful CSR reporting has barely grown 50 per cent among Fortune 100 companies in the US in the last five years. That’s around two-thirds of the total that could be reporting. Among those reporting since 2002: Intel, HP and Motorola. The report says that:

Initially, companies largely focused on environmental, health, and safety indicators because those were areas where regulations already required disclosure. But the GRI forced many corporations to look more broadly at other areas of corporate policy and performance, such as product responsibility, supply chain issues, sourcing, governance, diversity, and social issues.

When I survey the reporting scene, it is apparent that many companies find it very difficult to figure out how the framework applies. In Doing Good: Business and the Sustainability Challenge, companies are said to be “at the baby steps stage” as concerns sustainability issues because “business people recognize their importance, but when it comes to the practical question of what they mean to the organization, there is a lot of confusion”. Ever that was so. James Farrar put a more positive gloss on the report:

If I am to make one criticism of the EIU study it is that it did not go far enough to explore strategic value drivers by key industry to drive a more granular debate on strategic sustainability management…

So what does this mean for the tech sector? In many respects the sustainability pioneers of the private sector came from the extractive industry and often borne out of crisis. Sustainability 2.0 will be driven forward by innovation and market forces. Business models will be reinvented to tap into more environmentally efficient and socially inclusive markets. For sustainability 2.0 to be successful more will be demanded of the entire tech industry in serving as both exemplar and enabler.

I hope James is right but given the difficulties we are already seeing in operating a framework that has horizontal meaning, let alone in verticals, it seems there is a long way to go. The software industry could point the way, offering standard methods of arriving at certain measures. Right now that’s being tackled in an ad hoc manner and I would prefer to see the major players coming together and picking off relatively ‘easy’ measures as examples to pave the way. Whether we will see that kind of cross party meeting of minds is another matter.

What I am confident is that as a market, CSR and GRC combine could well be larger than the ERP market.

I went to last week’s SAP sponsored GRC conference with high expectations. For some months now I’ve been eagerly following the work being done inside SAP on this topic, watching blogs like Greenmonk and James Farrar’s On Sustainability and building up my own understanding of the issues, some of which are much more complex than they first appear. Imagine then my dismay when two of what I thought were the more important sessions: Go Green: Managing Environmental Compliance While Building Brand Value and the other, a more general canter through issues around corruption that included the introduction of a survey on confronting corruption by PWC, were poorly attended. In the first session I counted around 30 people, in the second, fewer than 20. That for a conference that must have attracted some 5,000 delegates.

I realise we’re very early in understanding of how different aspects of sustainability and accountability impact business performance but in both cases, speakers made solid cases for business value derived from doing the right things. One of the problems as I see it is the way it is positioned by the analyst community.

I sat in on an analyst lunch where a Gartner representative posited that GRC falls into siloes - some around IT, others around finance and operations. I was horrified. To me this is a perpetuation of ‘old’ thinking. It simply doesn’t make sense to fence off risk in this manner. If anything, I regard it as counter productive. Here’s why.

Business may be organised along siloes but risk cuts right across and through the business. Take what happened at Siemens as an example. Earlier today it announced massive potential losses. Some came about because of turnkey projects gone sour but according to the FT:

The second problem came in the mobility unit, where delays in awarding big projects such as the Transrapid train and restructuring in one of its businesses led to about €200m in writedowns.

The final issue was in its IT division, where one of its large contracts with the UK Department for Work and Pensions was cancelled and other UK projects had smaller risks, leading to a writedown of more than €100m.

Siemens has been at the centre of an ongoing investigation into its business practices and could be the subject of huge fines by regulators in the US. The knock on effect in damaged reputation across the whole of its business cannot be discounted as a significant factor impacting performance. At the very least it should serve as a warning to others. Yet at a conference with sessions that should have been packed to the rafters, few seemed to care. What’s the problem?

Discussing these issues with senior SAP executives, it is clear we are very early in the game. Depending on whom one speaks with, there are a variety of agendas in play but no coordinated approach to market. This is hardly surprising given there are  many ways to attack GRC. Nevertheless, it is perhaps telling that in PwC’s Confronting Corruption, only 45% of respondents thought there is substantial value in having a publicly disclosed anti-corruption programme and controls. Elsewhere, TerraChoice asserts that greenwashing is rife lending credence to the argument that companies are yet to take the ‘green’ issue seriously.

The discussions I had with SAP were refreshing for their honesty and robustness. Each time they were challenged, SAP execs conceded there is much to be done in the formulation of approaches, the development of technologies and the education of customers. Holly Roland, VP blogal marketing described it as a “Marathon not a sprint.” SAP was also open to ideas about how the market might be approached and, more importantly, engaged. My sense is that focusing too much on risk is not the way to go albeit I agree that controls designed to capture high level risks at the decision making stage should be fundamental to any GRC strategy. At a time of economic uncertainty, the last thing business needs is another Enron or Siemens yet as an industry, we need to find ways that demonstrate the business profit in following GRC policies with bite. So for example David Ahrens of SAP Americas pointed out that: “Standard and Poors are starting to measure against the visibility into enterprise risk as a means of assessing credit ratings.” I’ll bet not many CXOs know that.

On one thing SAP and I were firmly agreed: there needs to be an alignment between governance and strategic goals. In other words, companies need to think about their business in a different way, one that asks the question: If we pursue this opportunity, what will be our operational risks?

The other week, I kicked off a debate at SAP’s developer and business community that was described by some as ‘provocative.’ To cut a long story short, I was pointed in the direction of an appalling story about the use of slave labour in Jordan by a supplier to Victoria’s Secret. That company’s parent is Limited Brands. SAP supplied the specialist software to run Limited’s global supply chain, several years before the human rights abuses became public. The provocative part came where I wondered what a secondary supplier - in this case SAP - might do given it has an active CSR group that is attempting to frame a series of responses to issues in which the group is interested. The responses that followed were interesting and thought provoking. That’s a start.

As a freelancer writer, I am in a privileged position. I am not constrained by the terms of service that employees need to observe when it comes to commenting on corporate policy. At the same time, I am aware that raising such issues is bound to cause some head scratching. Any company that supplies the Global 2000 will at some stage cross the path of those who are less than scrupulous. When it does, then it needs to frame a sensible response. Pointing to the principles to which it holds itself accountable somehow doesn’t seem enough.

I’m often highly critical of companies’ CSR efforts. Too often they’re little more than fine sounding words on a back page of the financial statements. Nowadays, issues such as climate change, sustainability and accountability are becoming harder to avoid. Companies that continue to say plenty and do nothing will increasingly find themselves roundly lashed by those who demand change. In this case, SAP employees took what I consider a brave stance.

James Farrar, who leads SAP’s CSR effort said to me in email:

We’re on the same wavelength…This is a hugely complicated area but its as important as climate change in my view. In fact, many would argue that problems like climate change can only be unlocked by human rights.

He is right on all counts. And therein lies the problem. Just how much ‘power’ does a secondary technology provider truly have in these situations? At this point precious little. But that is not an excuse for inaction.

Marilyn Pratt, who is an evangelist in SAP’s business process expert community who has an unabashed kibbutznik view of the world with the emphasis on sharing expanded on my general line of thinking, coming up with the start of an action plan based upon From Corporate Responsibility to Backstory Management:

So this is a call to action: “the path to really managing your backstory runs through big visions, hard targets and open admission of shortcomings. Shoe manufacturers should work to envision a boldly responsible shoe, one which not only incorporates their ambitions about the future of footwear, but also encompasses the cutting-edge standards in ethical behavior: a shoe, say, that has a one-planet ecological footprint and meets the highest possible labor standards. That company should share the vision of that shoe with every one of its customers.”

As a company/community of knowledge workers, what kind of visions, behaviors and yes, shortcomings, do we wish to share?

Even if the truth is “inconvenient” we had better embrace it and acknowledge our responsibility in the value chain. And yes that means all of us: stakeholders, individuals, employees, and organizations alike. None, it would seem are exempt.

When I wrote the original piece, I was well aware of the risks I was taking. At present, SAP involves me in many of its initiatives, sometimes on the record, sometimes not. Taking a prod at companies of this size can quickly get you shoved to the back of the ‘interview request queue’ as I have found in the past. The fact SAP employees not only responded, but are taking a pro-active stance (see RESIST as an example) on a broad range of issues is not only inspiring but thought leading. This in a further email from James Farrar:

Best practice in this area is concept of sphere of influence and so stakeholder demand then usually focuses upstream rather than down where for the most part the vendor has no power or legitimacy to police the extended actions of its customers. Obvious exceptions here is when the product itself is inherently problematic eg. alcohol, tobacco, firearms, porn but then again focus is once more usually on the production process and features of the product itself to make it inherently less harmful.

In the next few days, I will be meeting senior SAP executives at its upcoming GRC 2008 conference to discuss these issues. It will be interesting to hear their thoughts and engage in what is bound to be a fascinating series of conversations.

I recently listened to Lisa Nolan talk about doing business in China. Lisa runs Lizal Inc, a US based full service merchandise manufacturer for brands like Coach and Wal-Mart. The company has manufacturing offices in Guandong and Taiwan. The business employees between 4,000 to 8,000 people depending on the season. Lizal can take anything from a napkin drawing to a fully specified drawing and turn it into goods that span everything from event promotional items to high end retail goods.

China’s economy is booming, helped in part by $27 billion worth of exports to Wal-Mart stores. But doing business in China is not simply a matter of setting up shop, hiring cheap labour and supplying goods. According to Lisa, there are many compliance issues that American companies have to overcome: “US companies take compliance very seriously. If a light over an exit sign at your factory isn’t working you can get written up as being in breach of compliance requirements. A lot of times it is the little things that catch you out.”

The compliance rules of some companies are so strict that making it over the barriers is not only onerous but costly: “In some cases, compliance can eat up 30 per cent of your first year’s revenue. That’s tough but the long term rewards are worthwhile - if you’re prepared to do what customers require.” Asked why companies are so stringent, Lisa says that in recent years, brands have become aware of the potential reputational risk to which they expose themselves. Last June, the New York Times asserted that:

Over all, the number of products made in China that are being recalled in the United States by the federal Consumer Product Safety Commission has doubled in the last five years, driving the total number of recalls in the country to 467 last year, an annual record.

These are emotive issues that capture the public’s attention so for Lisa, staying in line is one of her most important agenda items.

During our conversation, Lisa said that her business is subject to third party audits as a way of ensuring her facilities are in line with what is agreed. “Sometimes these involve outside accountants who check our payroll records to ensure we’re paying a proper wage to our staff.” This led me to speculate whether auditors might be getting two dips at the same pot. I asked Lisa if she knows whether the information gathered for customer audit was available to financial auditors for her own company accounts. She thought they were separate issues - which they are - but it strikes me that auditors could save their clients money if those kinds of record were passed across as part of the annual financial audit review process.

The biggest problem faced by manufacturers is that each brand has its own compliance rule book. This means there is a separate set of procedures to overcome for each company supplying brands which drives up compliance cost. Some companies are looking towards SA8000 as a way of providing a single international compliance standard for social accountability. Of her own company, Lisa says “We’re still researching to see if that certification is something that would benefit us.”

Given the hurdles, is it all worth it? “Our customers are very protective of their supplier facilities. Many companies take one look and say they won’t bother. We on the other hand have benefited greatly from doing as we’re asked. It’s all about the rewards that go with a good reputation for doing the right thing.”

Davos aka the World Economic Forum is underway. This annual get together of the great, the good and not so great or good is being fanfared with the strapline: The Power of Global Collaboration. Sounds wonderful doesn’t it until you realise what is not on the agenda. This from Bob Jacobson at Corante who is not attending:

So how real is the Davos commitment to innovation?

First, what options and alternative are permitted to be discussed at Davos? Is creating and funding a global economic safety net, as the UN has proposed, on the table? What about a more equitable distribution of global wealth? How about rich nations taxing themselves for their disproportionately enormous economic and environmental demands on already terrifically strained physical and social environments, then putting the revenues in a global fund to deal with real global problem-solving? Is unbridled immigration from poor nations to rich an open option? A world government? A universal social democracy? Corporations devoting 25% of their income (not just five percent of their profits) to fighting climate change? Not surprisingly, these options are non-starters at Davos.

Pretty damning stuff but Rob makes good points. From the relative comfort of our homes global problems often seem far away and irrelevant. It is all too easy to turn a blind eye yet I am starting to come across companies that take this stuff seriously. Later this week for instance, I plan to publish a story about how compliance around worker rights matters in a global economy and how some well known brands are taking this seriously. Similarly, I’m seeing more companies asking important questions about sustainability. It is happening in the most unlikely of places.

Read what James Farrar has to say about a recent trip to Nigeria. He paints a rosy picture but one tinged with a healthy dose of reality. As he says:

I think the changes we are seeing with the rapid development in BRIC and N11 countries is more fundamental and we have to look beyond on our own western bias to understand them.

We do well to listen to people like James.

Governance, risk and compliance which conveniently contracts down to a Gartner compliant TLA - GRC - is one of the hottest topics in the enterprise world today. If the Enron, Tyco and other financial scandals were not enough, the popularity of all things ‘green’ has put GRC close to the top of agenda in many CXO offices. But as always with a new acronym, people want to know what it means. Read more