SAP Inside Track Toronto ASUG Ontario 2013 Enterprise Risk Management: Align Goals with Actions
DESCRIPTION
Presentation to the 2013 SAP Inside Track and ASUG Ontario meetings, June 19, 2013. Overview of five elements for enterprise risk management (ERM) using SAP RM10 as well as a case study and best practices for audit management and supply chain risk management.
TRANSCRIPT
Enterprise Risk Management using RM10 – Align to Your Goals and Actions
William Newman, CMC, MBA
Managing Principal, Newport Consulting Group
Communications Chair, ASUG Michigan Chapter
We are the ASUG Michigan Chapter, with over 2,500 ASUG members and home to the Automotive SIG and key working groups.
We offer three meetings annually:
• March - Joint Meeting with Automotive SIG (Detroit)
• June – Joint Meeting with West Michigan CWG (Grand Rapids), June 27, 2013, sponsored by GVSU
• September / October – UA Partner meeting (Mount Pleasant), October 3, 2013, sponsored by CMU
Join us, we are just a lake away!
Great Lakes, Great Times.
GREETINGS FROM MICHIGAN – Your Great Lakes Friends! Twitter: @asug_michigan
• Managing Principal, Newport Consulting Group
• Member, SAP Sustainability Executive Advisory Council, Business Influencer Program, Office of CFO Marketing
• Certified Management Consultant (since 1995)
• Adjunct faculty - Northwood University (International Management, Sustainability Management, member UA program), University of Oregon Sustainable Leadership Program (Sustainable Supply Chain)
• Professional Speaker (ASUG, SAP Insider, TEDx, Sustainable Business Forum, MACPA, SAI, Supply Chain Council, SAP Experts), Writer, SAP Press author “Understanding BusinessObjects Enterprise Performance Management (EPM)”
• SCN Blog it Forward post: http://scn.sap.com/community/about/blog/2012/10/24/blog-it-forward--william-newman
Hello. Call me “Bill” please…
Introductions @william_newman
Understanding the basis for Enterprise Risk Management (ERM)
Executive Challenges Aligning to Goals and Actions
SAP Risk Management 10 Platform for ERM
Considerations for Audit Practices
Considerations for Supply Chain Risk Activities
A Case Review – How One Organization Got Started
Links and References
Key Take-away Points
Summary and Discussion
Today’s Agenda
Agenda @william_newman
Understanding Enterprise Risk Management @william_newman
Enterprise Risk Management represents a company-wide approach to risk management activities in a holistic, pragmatic, and managed approach across multiple company operations, functions, and activities.
- As abstracted from the Global Accenture Risk Management Report, 2011
Understanding Enterprise Risk Management @william_newman
ERM objectives typically include some or all of the following:
• Aligning Risk Appetite and Strategy
• Enhancing Risk Response Decisions
• Reducing Operational Surprises and Losses
• Identifying and Managing Multiple Cross-Enterprise Risks
• Seizing Opportunities
• Improving Deployment of Capital
Source: SAP, 2012 as modified by Newport Consulting Group
Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
Executive Challenges Aligning Goals to Actions @william_newman
Challenges remain as to motive, satisfaction and capabilities…
Executive Challenges Aligning Goals to Actions @william_newman
Additional Sources: Discontinuity of risk management practices, in terms of demand, satisfaction, and board level understanding (various sources: The Economist Intelligence Unit Survey, Ascending the Maturity Curve (March, 2011); McKinsey Global Survey, Governance since the Economic Crisis (March, 2011); Report on the 2011 Accenture Global Risk Management Study, (February, 2011))
… which suggests a certain “call to action” for executives.
“Practical knowledge of risk management concepts and principles are needed in the corporate environment as never before, and executives have created demand for this knowledge. How this knowledge is crafted into ERM practices, standards, and guidelines inside of corporate policy is open for revision.”
Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.
SAP Risk Management 10 ERM Platform @william_newman
SAP recognizes there are 3 primary reasons for ERM failure:
1. ERM is not linked to fundamental value drivers of the business
2. Shareholder devaluation occurs based on measuring nonproductive drivers
3. ERM is not focused significantly or deeply enough on the broad “value-killer, fat-tail” risks
Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.
SAP Risk Management 10 ERM Platform @william_newman
SAP Business Suite and LOB Processes (example: Supply Chain)
KPIs, Metrics, Measures (BI Analytics, EPM solutions)
Impacts to Measures (BI Analytics, GRC & other solutions)
Mitigation and Remediation Plans (GRC RM, PC, AC, ERP-PS)
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
Overall Audit Documentation
SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
SAP Risk Management 10 allows for a “graphical view” to portray bow tie risk formats, including risk drivers and impacts.
SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
The Bow Tie Builder graphical view allows specific risk driver and impact descriptions meaningful to specific organizations.
SAP Risk Management 10 ERM Platform @william_newman
Source: Increase Enterprise Risk Management Performance with SAP Business Objects RM 10. SAP Experts, 2012.
Risk actions – such as mitigations – may be added from the Bow Tie Builder.
You can identify specific areas of the risk, associated with organizations and processes. A common mitigation action is an audit program; let’s see how RM10 works to support audit programs and functional risk areas.
Considerations for Audit Practices @william_newman
Business audits are increasingly standard as a risk management function across a number of different functions including:
• Information Technology (SAS 70, SSAE 16)
• Financial Management processes (SOX 404, Dodd-Frank)
• Information Use (ITAR, security constraints)
• Sustainability (LEED, SA 8000, Natural Step, GRI)
• Assurance activities (AA 1000)
• Quality Management processes (ISO 9000, CAPA, APQP)
• Environmental Management processes (ISO 14000)
• Product Compliance Regulations (ROHS, REACH, ELV)
• Treasury Management and Currency Exchange (SWIFT)
Audits are not just for IT system management anymore!
Considerations for Audit Practices @william_newman
Regardless of the business function or processes, most agree the audit format contains several common stages and activities.
Source: Adapted from IIA, University of Illinois materials, as modified by Newport Consulting Group.
Considerations for Audit Practices @william_newman
SAP NetWeaver’s Audit Management allows full program life cycle management for internal audit activities, including:
• Information Technology
• Management Systems, and
• Financial Operations
As part of the SAP NetWeaver platform, SAP NetWeaver’s Audit Management connects seamlessly with specific SAP modules such as
• SAP ERP Project System
• SAP ERP HCM
• SAP Risk Management
New updates for SAP GRC 10.0 release! Ships FREE with Business Suite!
Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)
Considerations for Audit Practices @william_newman
Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)
In this example we can associate an Accounts Payable audit with both financial operations and even treasury risks if involving foreign currencies and operating units.
• During the execution stage of an audit, work papers often suggest corrective or preventive actions in real time.
• SAP NetWeaver audit management allows you to identify these work papers and capture remediation actions on the fly so that these can be automatically summarized in the findings report.
Considerations for Audit Practices @william_newman
Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)
Considerations for Supply Chain Risk Activities @william_newman
Functional Risk Management can look at many areas, including supply chain disruptions due to disasters, business continuity, and sociopolitical risk…
Read my article on supply chain visibility in SCN
Considerations for Supply Chain Risk Activities @william_newman
…which can then roll up into a broader ERM program environment, providing transparency and proactive management.
Source: Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010).
Considerations for Supply Chain Risk Activities @william_newman
SAP Supply Chain Performance Management 2.0 allows for supply chain risks to be mapped to RM10 as part of an overall ERM program portfolio.
These risks can also be associated with key risk indicators (KRIs) and SCOR 11 operating models key performance indicators (KPIs) which can help to minimize financial and operational risk targets and increase performance.
Source: Manage Supply Chain Risks Using Supply Chain Management 2.0, GRC Expert (2012)
Listen to my SCOR11 review on IXN Podcast in iTunes (IXN002)
Considerations for Supply Chain Risk Activities @william_newman
Source: Manage Supply Chain Risks Using Supply Chain Management 2.0, GRC Expert (2012)
In this example we can link a risk from RM10 into performance measurements and operational data found in SCPM 2.0
Case Study – How One Organization Got Started @william_newman
• Large Multinational Organization
• Major SAP transformation underway
• Third party purchased existing PC-based audit software (burning platform)
• Looked to leverage AIS function of ECC (near term) as well as RM10, PC10 capabilities (downstream)
Example audit risk management engagement
Based on this, the organization’s internal audit department looked at how to leverage Access Controls, Process Controls, and NetWeaver Audit Management with Risk Management 10.
Case Study – How One Organization Got Started @william_newman
System Topology
The concept of using the records tracking inside AIS of ECC 6.0, combined with the document management features of NW Audit Management was compelling.
Case Study – How One Organization Got Started @william_newman
System Context
Fortunately the process for conducting the audit was reasonably consistent across business audit domains. Much of the system context was on workflow and approvals.
Case Study – How One Organization Got Started @william_newman
Permissions
Once roles and workflow were defined a permissions matrix was determined based on modified “CRUD-M” level access to audit report and working papers documentation.
ILLUSTRATIVE
Case Study – How One Organization Got Started @william_newman
Other aspects
• SAP User Roles would determine AC permissions for NW Audit Management based on audit stage gate position, eventually using PC
• Integrated message system between NW Audit Management and SAP Messaging, Microsoft Outlook
• AIS would “feed” auditor working papers based on ISACA T-codes and “scenario basis”
ILLUSTRATIVE
Links and References @william_newman
• Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010)
• Newman, William. Reduce Risk in your Supply Chain with Supply Chain Performance Management, GRC Expert (March 12, 2010) login required
• Newman, William. How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (October 4, 2011) login required
• Newman, William. Increase Enterprise Risk Management Performance with Risk Management 10.0, GRC Expert (April 18, 2012) login required
• Newman, William. The Bow Tie Builder Tool, GRC Expert (May 1, 2012) login required
• Newman, William. Supply Chain Management 2.0 Offers Better Integration, Analytics, searchSAP.com (March 21, 2012)
• Stackpole, Beth. Deploying Supply Chain Management Software Hinges on Breadth, Depth, Integration, searchManufacturingERP.com (April 18, 2012)
• Stackpole, Beth. Ripe with Opportunity, Global Supply Chain also Brings Substantial Risk, searchManufacturingERP.com (March 14, 2012)
Key Take Away Points @william_newman
1. There is a great need for Enterprise Risk Management (ERM) – and a lot of confusion as to what this means. This creates significant opportunity for SAP and its partners.
2. SAP Risk Management 10.0 offers a great platform to build, manage, and assess the effectiveness of an ERM program.
3. As part of mitigation activities, organizations are looking towards audits to build these actions into their ERM programs. SAP NetWeaver Audit Management offers easy to use connections into RM10 and other GRC tools.
4. Functional risk management allows deeper dives into specific processes, functions and operational activities in the organization.
5. SAP Supply Chain Performance Management 2.0 – allows for quick integration to RM10 risk activities while leveraging the Supply Chain Council SCOR model and SCRP framework.
Discussion @william_newman
Contact @william_newman
William Newman, CMC, MBA
Managing Principal / Owner
Newport Consulting Group, LLC
+1 (248) 978 – 2000
www.newportconsgroup.com
Visit the ASUG Michigan Chapter!
http://www.asug.com/chapters/4149
Thank you.