SAP Inside Track Toronto ASUG Ontario 2013 Enterprise Risk Management: Align Goals with Actions

Enterprise Risk Management using RM10 – Align to Your Goals and Actions William Newman, CMC, MBA Managing Principal, Newport Consulting Group Communications Chair, ASUG Michigan Chapter

Upload: william-newman

Post on 01-Nov-2014


DESCRIPTION

Presentation to the 2013 SAP Inside Track and ASUG Ontario meetings June 19, 2013. Overview of five elements for enterprise risk management (ERM) using SAP RM10 as well as case study and best practices for audit management and supply chain risk management.

TRANSCRIPT

Page 1: SAP Inside Track Toronto ASUG Ontario 2013 Enterprise Risk Management: Align Goals with Actions

Enterprise Risk Management using RM10 – Align to Your Goals and Actions

William Newman, CMC, MBA
Managing Principal, Newport Consulting Group
Communications Chair, ASUG Michigan Chapter

Page 2

We are the ASUG Michigan Chapter, with over 2,500 ASUG members and home to the Automotive SIG and key working groups.

We offer three meetings annually:
• March – Joint Meeting with Automotive SIG (Detroit)
• June – Joint Meeting with West Michigan CWG (Grand Rapids), June 27, 2013, sponsored by GVSU
• September / October – UA Partner meeting (Mount Pleasant), October 3, 2013, sponsored by CMU

Join us, we are just a lake away!

Great Lakes, Great Times.

GREETINGS FROM MICHIGAN – Your Great Lakes Friends! Twitter: @asug_michigan

Page 3

• Managing Principal, Newport Consulting Group

• Member, SAP Sustainability Executive Advisory Council, Business Influencer Program, Office of CFO Marketing

• Certified Management Consultant (since 1995)

• Adjunct faculty - Northwood University (International Management, Sustainability Management, member UA program), University of Oregon Sustainable Leadership Program (Sustainable Supply Chain)

• Professional Speaker (ASUG, SAP Insider, TEDx, Sustainable Business Forum, MACPA, SAI, Supply Chain Council, SAP Experts), Writer, SAP Press author “Understanding BusinessObjects Enterprise Performance Management (EPM)”

• SCN Blog it Forward post: http://scn.sap.com/community/about/blog/2012/10/24/blog-it-forward--william-newman

Hello. Call me “Bill” please…

Introductions @william_newman

Page 4

Today’s Agenda

• Understanding the basis for Enterprise Risk Management (ERM)
• Executive Challenges Aligning to Goals and Actions
• SAP Risk Management 10 Platform for ERM
• Considerations for Audit Practices
• Considerations for Supply Chain Risk Activities
• A Case Review – How One Organization Got Started
• Links and References
• Key Take-away Points
• Summary and Discussion

Page 5

Understanding Enterprise Risk Management

Enterprise Risk Management represents a company-wide approach to risk management activities in a holistic, pragmatic, and managed approach across multiple company operations, functions, and activities.

- As abstracted from the Global Accenture Risk Management Report, 2011

Page 6

Understanding Enterprise Risk Management

ERM objectives typically include some or all of the following:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital

Source: SAP, 2012 as modified by Newport Consulting Group

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.

Page 7

Executive Challenges Aligning Goals to Actions

Challenges remain as to motive, satisfaction and capabilities…

Page 8

Executive Challenges Aligning Goals to Actions

Additional Sources: Discontinuity of risk management practices, in terms of demand, satisfaction, and board level understanding (various sources: The Economist Intelligence Unit Survey, Ascending the Maturity Curve (March, 2011); McKinsey Global Survey, Governance since the Economic Crisis (March, 2011); Report on the 2011 Accenture Global Risk Management Study (February, 2011))

… which suggests a certain “call to action” for executives.

“Practical knowledge of risk management concepts and principles are needed in the corporate environment as never before, and executives have created demand for this knowledge. How this knowledge is crafted into ERM practices, standards, and guidelines inside of corporate policy is open for revision.”

Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.

Page 9

SAP Risk Management 10 ERM Platform

SAP recognizes there are 3 primary reasons for ERM failure:

1. ERM is not linked to fundamental value drivers of the business

2. Shareholder devaluation occurs based on measuring nonproductive drivers

3. ERM is not focused significantly or deeply enough on the broad “value-killer, fat-tail” risks

Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.

Page 10

SAP Risk Management 10 ERM Platform

• SAP Business Suite and LOB Processes (example: Supply Chain)
• KPIs, Metrics, Measures (BI Analytics, EPM solutions)
• Impacts to Measures (BI Analytics, GRC & other solutions)
• Mitigation and Remediation Plans (GRC RM, PC, AC, ERP-PS)
• Overall Audit Documentation

Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.

Page 11

SAP Risk Management 10 ERM Platform

Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.

Page 12

SAP Risk Management 10 ERM Platform

SAP Risk Management 10 allows for a “graphical view” to portray bow tie risk formats, including risk drivers and impacts.

Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.

Page 13

SAP Risk Management 10 ERM Platform

The Bow Tie Builder graphical view allows specific risk driver and impact descriptions meaningful to specific organizations.

Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.

Page 14

SAP Risk Management 10 ERM Platform

Risk actions – such as mitigations – may be added from the Bow Tie Builder.

You can identify specific areas of the risk, associated with organizations and processes. A common mitigation action is an audit program; let’s see how RM10 works to support audit programs and functional risk areas.

Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.

Page 15

Considerations for Audit Practices

Business audits are increasingly standard as a risk management function across a number of different functions including:

• Information Technology (SAS 70, SSAE 16)
• Financial Management processes (SOX 404, Dodd-Frank)
• Information Use (ITAR, security constraints)
• Sustainability (LEED, SA 8000, Natural Step, GRI)
• Assurance activities (AA 1000)
• Quality Management processes (ISO 9000, CAPA, APQP)
• Environmental Management processes (ISO 14000)
• Product Compliance Regulations (ROHS, REACH, ELV)
• Treasury Management and Currency Exchange (SWIFT)

Audits are not just for IT system management anymore!

Page 16

Considerations for Audit Practices

Regardless of the business function or processes, most agree the audit format contains several common stages and activities.

Source: Adapted from IIA, University of Illinois materials, as modified by Newport Consulting Group.

Page 17

Considerations for Audit Practices

SAP NetWeaver’s Audit Management allows full program life cycle management for internal audit activities, including:

• Information Technology
• Management Systems, and
• Financial Operations

As part of the SAP NetWeaver platform, SAP NetWeaver’s Audit Management connects seamlessly with specific SAP modules such as

• SAP ERP Project System
• SAP ERP HCM
• SAP Risk Management

New updates for SAP GRC 10.0 release! Ships FREE with Business Suite!

Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)

Page 18

Considerations for Audit Practices

In this example we can associate an Accounts Payable audit with both financial operations and even treasury risks if involving foreign currencies and operating units.

Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)

Page 19

Considerations for Audit Practices

• During the execution stage of an audit, work papers often suggest corrective or preventive actions in real time.

• SAP NetWeaver audit management allows you to identify these work papers and capture remediation actions on the fly so that these can be automatically summarized in the findings report.

Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)

Page 20

Considerations for Supply Chain Risk Activities

Functional Risk Management can look at many areas, including supply chain disruptions due to disasters, business continuity, and sociopolitical risk…

Page 21

Considerations for Supply Chain Risk Activities

Read my article on supply chain visibility in SCN

…which can then roll-up and into a broader ERM program environment, providing transparency and proactive management.

Source: Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010).

Page 22

Considerations for Supply Chain Risk Activities

SAP Supply Chain Performance Management 2.0 allows for supply chain risks to be mapped to RM10 as part of an overall ERM program portfolio.

These risks can also be associated with key risk indicators (KRIs) and SCOR 11 operating model key performance indicators (KPIs), which can help to minimize financial and operational risk targets and increase performance.

Source: Manage Supply Chain Risks Using Supply Chain Management 2.0, GRC Expert (2012)

Listen to my SCOR11 review on IXN Podcast in iTunes (IXN002)

Page 23

Considerations for Supply Chain Risk Activities

In this example we can link a risk from RM10 into performance measurements and operational data found in SCPM 2.0

Source: Manage Supply Chain Risks Using Supply Chain Management 2.0, GRC Expert (2012)

Page 24

Case Study – How One Organization Got Started

Example audit risk management engagement

• Large Multinational Organization
• Major SAP transformation underway
• Third party purchased existing PC-based audit software (burning platform)
• Looked to leverage AIS function of ECC (near term) as well as RM10, PC10 capabilities (downstream)

Based on this, the organization’s internal audit department looked at how to leverage Access Controls, Process Controls, and NetWeaver Audit Management with Risk Management 10.

Page 25

Case Study – How One Organization Got Started

System Topology

The concept of using the records tracking inside AIS of ECC 6.0, combined with the document management features of NW Audit Management, was compelling.

Page 26

Case Study – How One Organization Got Started

System Context

Fortunately, the process for conducting the audit was reasonably consistent across business audit domains. Much of the system context was on workflow and approvals.

Page 27

Case Study – How One Organization Got Started

Permissions

Once roles and workflow were defined, a permissions matrix was determined based on modified “CRUD-M” level access to audit report and working papers documentation.

ILLUSTRATIVE

Page 28

Case Study – How One Organization Got Started

Other aspects

• SAP User Roles would determine AC permissions for NW Audit Management based on audit eventually stage gate position using PC

• Integrated message system between NW Audit Management and SAP Messaging, Microsoft Outlook

• AIS would “feed” auditor working papers based on ISACA T-codes and “scenario basis”

ILLUSTRATIVE

Page 29

Links and References

• Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010)

• Newman, William. Reduce Risk in your Supply Chain with Supply Chain Performance Management, GRC Expert (March 12, 2010) login required

• Newman, William. How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (October 4, 2011) login required

• Newman, William. Increase Enterprise Risk Management Performance with Risk Management 10.0, GRC Expert (April 18, 2012) login required

• Newman, William. The Bow Tie Builder Tool, GRC Expert (May 1, 2012) login required

• Newman, William. Supply Chain Management 2.0 Offers Better Integration, Analytics, searchSAP.com (March 21, 2012)

• Stackpole, Beth. Deploying Supply Chain Management Software Hinges on Breadth, Depth, Integration, searchManufacturingERP.com (April 18, 2012)

• Stackpole, Beth. Ripe with Opportunity, Global Supply Chain also Brings Substantial Risk, searchManufacturingERP.com (March 14, 2012)

Page 30

Key Take Away Points

1. There is a great need for Enterprise Risk Management (ERM) – and a lot of confusion as to what this means. This creates significant opportunity for SAP and its partners.

2. SAP Risk Management 10.0 offers a great platform to build, manage, and assess the effectiveness of an ERM program.

3. As part of mitigation activities, organizations are looking towards audits to build these actions into their ERM programs. SAP NetWeaver Audit Management offers easy to use connections into RM10 and other GRC tools.

4. Functional risk management allows deeper dives into specific processes, functions and operational activities in the organization.

5. SAP Supply Chain Performance Management 2.0 allows for quick integration to RM10 risk activities while leveraging the Supply Chain Council SCOR model and SCRP framework.

Page 31

Discussion

Page 32

Contact

William Newman, CMC, MBA

Managing Principal / Owner

Newport Consulting Group, LLC

+1 (248) 978 – 2000

[email protected]

www.newportconsgroup.com

Visit the ASUG Michigan Chapter!

http://www.asug.com/chapters/4149

Thank you.