Burying Your Head in the Sand Is Not a Risk Management Strategy
Article by Ole Sølvsten Hemmingsen - Managing Director at Nagarro A/S
IT systems, especially ERP systems such as SAP, form the backbone of any modern company. Therefore, effective risk management is crucial to safeguarding a company's vital functions. Yet, we still often see that risk management in SAP systems is underprioritized, sidelined, or even ignored. This can lead to severe consequences, such as data loss, financial losses, and damage to a company’s reputation.
It’s high time we recognize and prioritize SAP risk management as an indispensable part of strategic planning and daily operations. Only by taking risks seriously and being proactive can we ensure a stable and secure future for the company.
Out of Sight, Out of Mind: What We Can’t See Doesn’t Exist
Let’s be clear: burying your head in the sand is not a sustainable risk management strategy. Just because you cannot see your risks doesn’t mean they aren’t there. Burying your head in the sand is and always will be a temporary strategy.
This might lead to the question: has risk management turned into a “strategy of hope”? A strategy where companies allow risks to remain unknown and hope for the best, instead of being proactive about them. While this may have some logical explanations, the explanations are often less strategic and more personal, driven by a form of professional fear. Those responsible for risk management who have ignored the risks for too long might fear what it means to begin addressing them transparently and in an informed way. Questions may arise, such as:
What are the side effects of focusing on risk management?
Will it expose me and my team if everything now comes to light?
Will someone think we should have acted sooner if it turns out we’ve had a significant risk hanging over us?
The short answer to these questions is no. Organizations typically support people who take responsibility, identify weaknesses, and take initiatives that make the company stronger in the long term. Addressing risk management is not an act of exposing past mistakes but rather a proactive approach that ensures the company's future success. When management sees responsibility being taken and efforts being made to improve the security and robustness of their SAP systems, it will be viewed as a positive and necessary development.
So, let’s stop hoping for the best and start taking control of our risks. By implementing effective risk management, we can protect our digital backbone and ensure a sustainable and successful future for the company.
It Doesn’t Have to Be Expensive, But It Can Be Very Costly to Ignore
Risk management doesn’t have to be expensive, but ignoring it can be very costly. While risk management is beginning to gain more attention on to-do lists, it’s still not always prioritized highly enough. One reason for this might be the misconception that starting your risk management journey is costly. However, this is not entirely true.
Of course, risk management can become expensive, especially if one aims for 100% security—something that isn’t realistic or necessary at all. It’s about finding the right balance between flexibility, functionality, cost, and security. The costs depend on an organization’s ambitions and maturity in realizing those ambitions.
Often, identifying risks isn’t that expensive, though the high costs can start to appear when mitigating or eliminating those risks. Our message to companies is therefore: Start by identifying your risks and shift from a reactive to a proactive approach. If you want support for risk management in your organization, it helps to present a clear picture of where the risks lie. Once risks are identified, it becomes much easier to secure funding to address them.
The Complexity of SAP and the Need for Support
The requirements for effective risk management are substantial and increasing, and SAP's complexity makes it nearly impossible to tackle this burden without support from a structured approach. Identifying risks using a standardized framework and following best practices requires more than manual methods. It’s unreasonable to expect employees to take on this responsibility without providing them with the necessary tools and support to perform the task effectively.
Generally, when it comes to IT, areas like risk management can seem somewhat abstract, and the consequences are often underestimated. However, if we translate this issue to the physical world, the critical nature of structured risk management becomes obvious. Consider, for example, a large pharmaceutical company producing life-saving medicines. Here, one would never forgo control over which doors should be locked and who has access to various areas in the production environment, or fail to ensure that not everyone can come and go as they please. So why isn’t this treated with the same level of concern when it comes to IT access, SAP Segregation of Duties, controls, and cybersecurity?
In today’s business world, IT plays a crucial role in everything employees do and can do. Ignoring the need for structured IT risk management is equivalent to leaving a physical facility open to anyone. It’s essential that companies recognize that an effective SAP risk management strategy is just as important as physical security and control. Only in this way can we ensure that IT systems remain secure and effective, ultimately protecting the company’s vital functions and data.
Risk management is rarely the most glamorous topic, but it is sensible and essential, much like insurance. There isn’t a clear ROI, but it’s incredibly important to be proactive and work on prevention rather than perpetually putting out fires as issues arise. Proactive risk management ensures that we avoid severe problems before they escalate, ultimately safeguarding the company’s integrity and operations. It’s about creating a secure and stable future by taking control of potential risks now, rather than managing disasters later.