Thought Leader Interview

Norman Marks: Risk Management and Decision Support

Vice President, Evangelist at SAP

Dan Power, Editor of, conducted phone and email interviews with Norman Marks in mid-December 2011.

Q1: How do you define the concept of a Decision Support System?

Marks' Response: I see decision support systems as providing the information necessary to make well-informed decisions. Ideally, the information should be reliable, current, timely, useful, delivered directly to the decision-maker, and in a useful form.

I see business intelligence as encompassing DSS. For many years we were looking in the rearview mirror; now we have the ability to look at real-time information collected directly from the enterprise application system, packaged in a form that is useful to the decision-maker, and delivered to them wherever they are in the world – on their mobile device. We have moved from looking in the mirror at dated information (which is not what you want when you are making a critical decision) to using near real-time information. Analyses of millions of records that used to take many hours can now be completed in seconds. For more on how SAP has changed the world of decision support, check out

In addition, we are able to improve the quality of decision-making through the use of predictive analytics that look, with improving accuracy, into the near future.

Q2: How do you define risk management?

Marks' Response: I use the definitions in the ISO 31000:2009 global risk management standard. It is a standard on the implementation of risk management in organizations. Risk is defined as the "effect of uncertainty on objectives". Risk management is the “coordinated activities to direct and control an organization with regard to risk.”

Q3: What do we really know about how computerized decision support impacts risk management decision making?

Marks' Response: Risk management enables and supports an organization’s decision-making. I don’t see how you can make quality business decisions without giving due attention to risk: both the potential for adverse impacts and opportunities for reward. Decision support is simply the provision of information for decision-making and that includes information about risks.

Leading companies recognize this and have integrated, for example, their performance reporting to include risk indicators. SAP supports balanced scorecards with both key performance indicators (KPI) and key risk indicators (KRI) for any strategy.

Q4: In general, what should managers know about risk management? How can and should risk information be used in decision making?

Marks' Response: Risk management should be part of every manager's essential skill set. Decisions should be made with full knowledge and appreciation of risk. Sadly, few MBA programs include risk management.

One key point is that risk management should not be a separate process; it should be part of how you manage the business, performed by business managers, and embedded in every business process.

Q5: In general, what computerized decision support do you think managers need and want?

Marks' Response: Managers need the right information in good time to enable quality decisions. Decision support has to provide the information when it is needed for the decision, where it is needed – and these days, that means literally in the hands of the decision-maker. It has to be reliable, current, and complete, and it has to be in a form that is immediately useful.

Q6: Should managers be "hands-on" users of computerized decision support applications?

Marks' Response: Yes. The latest technology allows follow-up and drill down. Today 70% of members of Boards of Directors are complaining they are not getting enough information when it comes to risk, performance, and strategy. At SAP more than 10,000 iPads are helping managers to manage better. Managers can get more timely information with faster response times. Our managers feel empowered using an iPad with analytics. Information can be delivered to the palm of your hand with astonishing speed.

The follow-up is enabled by presentation of the data in a form where the manager can drill down to the next level. By clicking on one number, they can see the details. By selecting different options from a pull-down menu, they can change the view to present the results by region, product, time period, etc.

When you receive a report, it usually doesn’t give you precisely the answers you need. In fact, more often than not it creates new questions. With the speed of analysis and the ability to craft new questions and receive answers quickly, the quality of decisions is significantly enhanced.

For example, we have customers who want to query, say, all their ATM transactions every day. Because they number in the hundreds of millions, they used to have to wait most of the day for the information. Now, it is available in a matter of seconds. They can analyze the results in different ways, including running additional queries, and make better-informed decisions more quickly – and sometimes, decisions have to be made extremely fast.

Q7: What is the role of Boards of Directors in risk management? Can they benefit from computerized support?

Marks' Response: In my blog on December 1, 2011, I discussed "Advice on board oversight of risk management". I would say to a board:

First, recognize that risk is the effect of uncertainty on objectives. Risk management is not just about how the organization is protected from adverse events, such as an earthquake. It’s also about how the organization handles uncertainty in general, which includes its ability to respond with agility to minimize potential adverse effects and embrace potential opportunities.

You can read all 10 of my suggestions at

Directors complain, as I said before, about the paucity of risk information with which to oversee risk management. With today’s technology, they should have all the information they need.

Q8: What are the risks of using mobile technologies for decision support?

Marks' Response: There are risks, but there are also tremendous benefits. We are putting information in a place that is vulnerable to theft or loss. We also have a need to authenticate the user to ensure they are authorized to receive and use the information, and it has to be delivered completely and securely.

As you know, there is a new word in the business lexicon: ‘app’. SAP is one of the leading developers of apps for the enterprise, which extend the use of our enterprise application software to the palms of our customers’ employees. They can submit purchase requisitions, for example, on their phone or tablet, which are approved by the manager on her smart phone. Sales personnel can perform all their work on their iPad, without having to come into the office to enter their work into the corporate systems. They can also receive reports and analyses on those same devices.

It’s not only the data that is now on your iPhone or Zoom tablet; it’s (part of) the enterprise system itself. For risk, security, and audit professionals, this is the next frontier.

About Norman Marks

Norman Marks is a Vice President and Evangelist at SAP, where he focuses on thought leadership around internal audit, governance, risk management, compliance, enterprise performance, and business intelligence. Prior to Business Objects’ acquisition by SAP in 2008, he was their Vice President of Internal Audit responsible for internal auditing, the Sarbanes-Oxley Section 404 (SOX) program, risk management, and license compliance.

Norman has been chief audit executive of major global corporations since 1990, and is a recognized thought leader in the profession of internal auditing. He is the author of two of the most downloaded Institute of Internal Auditors (IIA) products: a guide for management to Sarbanes-Oxley Section 404 and the GAIT methodology for defining the scope for SOX of IT general controls. He is the editor of the Corporate Governance column in the IIA’s Internal Auditor magazine, a member of the review boards of several audit and risk management publications (including the magazines of ISACA and the IIA), a frequent speaker internationally, the author of several award-winning articles, and a prolific blogger about internal audit, risk management, governance, and compliance (consistently rating as one of the top influencers in social media on the topics of GRC, internal audit, risk management, and governance).

Norman has been profiled in publications of the AICPA and the IIA as an innovative and successful internal auditing leader. He has been honored as a Fellow of the Open Compliance and Ethics Group for his GRC thought leadership, and as an Honorary Fellow of the Institute of Risk Management for his contributions to risk management.


Power, D., "Norman Marks Interview: Risk Management and Decision Support", DSSResources.COM, 01/22/2012.