GRC for JD Edwards Part 3
It is a common misconception that GRC is solely for big corporations, and in particular for companies whose shares are publicly traded on a stock exchange. This is not true. There are key aspects of GRC that are good practice for all businesses, but it is a matter of balance.
A publicly traded business in the USA generally needs to comply with Sarbanes-Oxley (SOX) legislation, but there are sectors with similar, or even more stringent, regulations, particularly the pharmaceutical industry. There are similar demands on all public bodies, and most developed countries around the world have legislation very similar to SOX.
Getting the Board on Board
Over the next few years, all mid-market companies will find that their auditors ask very similar questions. One can either take the view that the audit firms are interested in increasing their potential fees, or that they genuinely want to help businesses to be more efficient and to eliminate fraud.
In summary, it is very likely that your company is either being forced to take GRC seriously right now, or it will be in the next two years. The best business advice is to understand how to limit the costs of a GRC program, whilst balancing this with the need to prevent fraud.
It is critical to agree a strategy and instill a good culture at C level before starting any detailed GRC planning. It is down to the stakeholders in the business to define their priorities and decide whether matters such as losses through fraud, reputational damage and general security are important.
The power of JDE right now is very focused on two key areas: user experience and Digital Transformation. What do these things mean to your company? A greater return and increased usability. It is critical that your security supports these developments rather than deterring them.
With the advent of some of the amazing new technology from the JD Edwards EnterpriseOne team, we have built out some cutting edge composite pages and dashboards that will help the end user to better detect and manage potential fraud in their system.
I know a privately held business where the sole owner is obsessed with security. His nightmare is someone hacking their data, or defrauding them in the way that much larger companies like Target have suffered. He sets the tone, and thus the GRC program is properly funded.
I ask CFOs and CIOs what would happen if someone defrauded the company of $1M by setting up a "dummy company scam" (a fictitious supplier created in the vendor master so that approved invoice payments flow to an account the fraudster controls). I can guarantee that more than 75% of JDE sites are wide open to this kind of fraud, and most CIOs don't even understand what it is, let alone whether their system is set up to stop it.
Frightening people with awkward questions can be a good way to get them to commit, and then to build a program with a good return on investment that is sustainable with as little maintenance as possible.
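The "dummy company scam" raised above is the fictitious-supplier fraud: someone with access to the supplier master creates a shell vendor, raises invoices against it, and has the payments sent to an account they control. The following is an added example, not code from the original post or from Oracle/JD Edwards, showing the kind of checks a fraud-detection dashboard would run: supplier bank or tax details that collide with an employee record, one user both creating a supplier and entering or approving its voucher, self-approved vouchers, and suppliers paid within days of being created. The record layouts, user IDs and sample rows are constructed stand-ins loosely modelled on the JDE address book, supplier master and voucher ledger, not real extracts.

```python
"""Fictitious-supplier ("dummy company") checks over constructed AP data.

Added example, not from the original post or from Oracle/JD Edwards. Record
layouts are simplified stand-ins for the JDE address book (F0101), supplier
master (F0401) and voucher ledger (F0411); every field name, user ID and
sample row here is constructed for the demo and is an assumption.
"""
from datetime import date

# Constructed sample data (assumption: none of these are real records).
EMPLOYEES = [
    {"an8": 1001, "name": "A. Smith", "bank": "GB12ABCD00001234", "tax_id": "EMP-1001"},
    {"an8": 1002, "name": "B. Jones", "bank": "GB12ABCD00005678", "tax_id": "EMP-1002"},
]

SUPPLIERS = [
    # Legitimate supplier, created by the vendor-master team long before payment.
    {"an8": 5001, "name": "Acme Steel Ltd", "bank": "GB98WXYZ00009999",
     "tax_id": "VAT-555", "created_by": "VMASTER1", "created": date(2023, 1, 10)},
    # Shares a bank account with employee 1002: classic shell-vendor indicator.
    {"an8": 5002, "name": "BJ Consulting", "bank": "GB12ABCD00005678",
     "tax_id": "VAT-777", "created_by": "APCLERK2", "created": date(2024, 3, 1)},
    # Created by the same AP clerk who later enters and approves its voucher.
    {"an8": 5003, "name": "Northwind Services", "bank": "GB55QRST00004444",
     "tax_id": "VAT-888", "created_by": "APCLERK2", "created": date(2024, 3, 5)},
]

VOUCHERS = [
    {"doc": 9001, "an8": 5001, "amount": 12000.00, "entered_by": "APCLERK1",
     "approved_by": "APMGR1", "gl_date": date(2024, 3, 20)},
    {"doc": 9002, "an8": 5003, "amount": 48500.00, "entered_by": "APCLERK2",
     "approved_by": "APCLERK2", "gl_date": date(2024, 3, 9)},
    {"doc": 9003, "an8": 5002, "amount": 9800.00, "entered_by": "APCLERK1",
     "approved_by": "APMGR1", "gl_date": date(2024, 4, 2)},
]


def employee_collisions(suppliers, employees):
    """Suppliers whose bank account or tax ID matches an employee record."""
    by_bank = {e["bank"]: e["an8"] for e in employees}
    by_tax = {e["tax_id"]: e["an8"] for e in employees}
    findings = []
    for s in suppliers:
        if s["bank"] in by_bank:
            findings.append(("BANK_MATCHES_EMPLOYEE", s["an8"], by_bank[s["bank"]]))
        if s["tax_id"] in by_tax:
            findings.append(("TAXID_MATCHES_EMPLOYEE", s["an8"], by_tax[s["tax_id"]]))
    return findings


def sod_violations(suppliers, vouchers, max_days=30):
    """Vouchers where one person controlled both the supplier record and the payment.

    Flags: (a) the user who created the supplier also entered or approved a
    voucher for it; (b) a voucher entered and approved by the same user;
    (c) a supplier created within max_days before a voucher against it, the
    'set up the shell, invoice, get paid' timing pattern.
    """
    creator = {s["an8"]: s["created_by"] for s in suppliers}
    created = {s["an8"]: s["created"] for s in suppliers}
    findings = []
    for v in vouchers:
        if v["an8"] not in creator:
            continue  # voucher against an unknown supplier: out of scope here
        who = creator[v["an8"]]
        if who in (v["entered_by"], v["approved_by"]):
            findings.append(("CREATOR_PAID_OWN_SUPPLIER", v["doc"], who))
        if v["entered_by"] == v["approved_by"]:
            findings.append(("SELF_APPROVED_VOUCHER", v["doc"], v["entered_by"]))
        age = (v["gl_date"] - created[v["an8"]]).days
        if 0 <= age <= max_days:
            findings.append(("NEW_SUPPLIER_PAID_QUICKLY", v["doc"], age))
    return findings


def run_all(suppliers=SUPPLIERS, employees=EMPLOYEES, vouchers=VOUCHERS):
    """Run every check and return findings in a stable order for reporting."""
    out = employee_collisions(suppliers, employees) + sod_violations(suppliers, vouchers)
    return sorted(out, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding in run_all():
        print(*finding)
```

Against the constructed data this flags supplier 5002 for sharing a bank account with an employee and voucher 9002 three times (creator paid their own supplier, self-approval, and payment four days after the supplier was created), while the legitimate voucher 9001 passes cleanly. In a real JDE estate the same logic would be driven from the audit columns on the supplier master and voucher tables, and the thresholds would be tuned to the site's approval policy.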