Surviving in a Riskier World with a Governance Risk and Compliance Strategy

Patrick Wang, GRC Business Development APJ

PowerPoint presentation transcript (33 pages), posted 25-Feb-2016

Page 1: Surviving in a Riskier World with a Governance Risk and Compliance Strategy

Patrick Wang, GRC Business Development APJ

Page 2

© 2013 SAP AG. All rights reserved. 2

Agenda

Introduction

GRC solutions

Risk Management

Internal Controls

Access Controls

Summary

Page 3

Introduction

Page 4

What is GRC?

Brakes

Seatbelts

Car seats

Airbags

Maintenance records

Temperature gauge

Fuel gauge

Crash avoidance

Page 5

GRC involves these elements and many others….

Compliance

Audit

Risk

Monitoring

Access risk management

Policy

Global trade compliance

Legal

Quality

EH&S

Page 6

Can your organization answer these questions?

What risks impact your ability to perform?

What is the status of your compliance initiatives?

Does excessive access introduce opportunity for fraud and errors?

Are controls in place and shared across your organization?

Are risk responses ready and effective?

Are behaviors reflective of policies?

Page 7

The cost is real: compliance enforcement and poorly managed risk events are costly

Bribery and corruption

Spills, explosions

Trading conflicts, currency manipulation, laundering, restricted trading parties

Off-label marketing, product recalls, price fixing

Conduct, transmission, ownership, manipulation, disruptions

Page 8

Costs resulting from non-compliance can’t be ignored: enforcement is 2.7 times higher than investing in compliant processes

Cost of compliance: $3.5 Million

Cost of non-compliance: $9.4 Million

Source: Ponemon Institute LLC, The True Cost of Compliance, 2011

Page 9

Control failures / risk event:

Lowers customer satisfaction

Reduces investor confidence

Raises business costs

Increases scrutiny

But what’s the hidden cost? Performance impact:

Unachieved objectives

Disrupts operations

Page 10

Conversely, there is potential for a positive impact: controls enhance performance

Brand enhanced

Opportunities identified

Risks anticipated and managed

Customer demands met

Major disruptions avoided

Shareholder value attained

Optimized performance

Page 11

SAP GRC customers are seeing a positive impact

Optimizing performance:

Grew through financial crisis

Discovered new oil reserves

Minimizing risk and non-compliance events:

World’s largest dairy exporter, expanding global dairy trade in a compliant manner

17% growth of net profit

Page 12

SAP GRC Solutions

Page 13

SAP capabilities for GRC

SAP Solutions for GRC

Monitor: risk indicators, controls, transactions, ERP configuration, events

Manage: risk, compliance, audit, policy, access, trade

Analyze: dashboards and visualization, non-compliance, effectiveness, exceptions

GRC Shared Compliance Platform: hierarchies, policies, controls, risk response, product updates, user experience

Page 14

Key solutions for success: SAP GRC solutions translate capabilities into value

Reporting & Analytics

SAP Solutions for GRC

SAP Audit Management

SAP Risk Management

SAP Nota Fiscal Electronica

SAP Access Control, with SAP Access Approver (mobile)

SAP Process Control, with SAP Policy Survey (mobile)

SAP Global Trade Services, with SAP Sanction-Party List (mobile)

GRC Shared Compliance Platform: hierarchies, policies, controls, risk response, product updates, user experience


Page 16

GRC for Industries and LoBs

NATIVE SAP ERP integration and integration to non-SAP ERP

SAP, Legacy, Others

Page 17

Risk Management

Page 18

SAP Risk Management: preserve and grow value

Monitor thresholds, effectiveness of risk responses, and corrective actions

Respond to risk after balancing costs and benefits

Analyze risk via scenarios, modeling, and other factors to understand exposure

Link risks, risk drivers, risk indicators, impacts and responses

Plan risk management within the context of value to the organization

Page 19

Risk Heatmap

Page 20

Page 21

Response Plan

Page 22

Internal Controls

Page 23

SAP Process Control: ensure effective controls and on-going compliance

Support decisions and promote accountability with insightful analytics and sign-off

Perform automated, exception-based monitoring of ERP systems

Evaluate control design and effectiveness; raise and remediate issues

Perform periodic risk assessments to determine scope and test strategies

Document controls and policies centrally; map to key regulations and impacted organizations

Page 24

Business Pain: Overuse of One-Time Vendors

One-time vendors: generally used to limit the admin burden for infrequently used vendors

Bypassing controls: may be used to bypass ERP controls related to vendor maintenance and payment

Implications: non-compliance with company policies, fraud, errors, inadequate vendor history, ...

Excerpt from above:

One-time vendor records shall be used for all payments made to vendors that are paid on a one-time basis or very infrequently and that are not established in the SAP Vendor Master Database.

The Bureau of Financial Management performs a periodic analysis of the payments posted to one-time vendor records to determine if a permanent vendor master record should be established.

Page 25

Solution: Automating One-Time Vendor Review

What the business rule does: uses the new grouping and aggregation feature to group AP invoices for one-time vendors, presenting both the sum and the count of the invoices

What the customer does: schedules the rule on a recurring basis to trigger a semi-automated activity that verifies one-time vendors are being used appropriately
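The one-time vendor rule on pages 24 and 25 is, at its core, a group-by over AP invoices with a count and a sum per payee, followed by a human review of the outliers. The Python below is an added example written for this transcript; it is not SAP Process Control code and does not use SAP's rule engine. The invoice records, the one-time vendor account number "ONETIME" and the review thresholds (three or more invoices, or 10,000 or more in total) are all constructed assumptions. It goes slightly beyond the slide by normalising payee names, because a payee paid repeatedly through a one-time account is often spelled slightly differently on each document.

```python
from collections import defaultdict

# Constructed sample data, not from the slides.  Invoices posted to a one-time
# vendor account carry the payee name on the document itself rather than in
# the vendor master, so the rule groups by that name.
ONE_TIME_VENDOR_ACCOUNTS = {"ONETIME"}  # assumed one-time vendor account number(s)

SAMPLE_INVOICES = [
    {"doc": "1900000001", "vendor": "ONETIME", "payee": "Acme Catering",     "amount": 420.00},
    {"doc": "1900000002", "vendor": "100234",  "payee": None,                "amount": 15000.00},
    {"doc": "1900000003", "vendor": "ONETIME", "payee": "ACME  Catering",    "amount": 380.00},
    {"doc": "1900000004", "vendor": "ONETIME", "payee": "Acme Catering",     "amount": 9900.00},
    {"doc": "1900000005", "vendor": "ONETIME", "payee": "acme catering",     "amount": 9800.00},
    {"doc": "1900000006", "vendor": "ONETIME", "payee": "J. Doe Consulting", "amount": 1200.00},
    {"doc": "1900000007", "vendor": "100234",  "payee": None,                "amount": 2000.00},
]


def normalize_payee(name: str) -> str:
    """Collapse case and whitespace so spelling variants of one payee group together."""
    return " ".join(name.split()).casefold()


def aggregate_one_time_vendor_invoices(invoices):
    """Group one-time-vendor invoices by payee and return {payee: (count, total)}.

    Invoices against regular vendor master records are skipped; the review is
    about payees who arguably should have a permanent master record.
    """
    groups = defaultdict(lambda: [0, 0.0])
    for inv in invoices:
        if inv["vendor"] not in ONE_TIME_VENDOR_ACCOUNTS:
            continue
        key = normalize_payee(inv["payee"] or "")
        groups[key][0] += 1
        groups[key][1] += inv["amount"]
    return {payee: (count, round(total, 2)) for payee, (count, total) in groups.items()}


def review_one_time_vendors(invoices, max_count=3, max_total=10000.0):
    """Apply the (assumed) review thresholds to the aggregates and return the
    payees that need a manual decision, highest total first.

    A payee paid repeatedly, or paid a large amount, through the one-time
    vendor account is exactly the case the policy excerpt says should be
    re-examined for a permanent vendor master record.
    """
    flagged = []
    for payee, (count, total) in aggregate_one_time_vendor_invoices(invoices).items():
        reasons = []
        if count >= max_count:
            reasons.append(f"{count} invoices (threshold {max_count})")
        if total >= max_total:
            reasons.append(f"total {total:,.2f} (threshold {max_total:,.2f})")
        if reasons:
            flagged.append({"payee": payee, "count": count, "total": total, "reasons": reasons})
    flagged.sort(key=lambda f: f["total"], reverse=True)
    return flagged


if __name__ == "__main__":
    for payee, (count, total) in aggregate_one_time_vendor_invoices(SAMPLE_INVOICES).items():
        print(f"{payee:20s} count={count} total={total:,.2f}")
    for item in review_one_time_vendors(SAMPLE_INVOICES):
        print("REVIEW:", item["payee"], "-", "; ".join(item["reasons"]))
```

Run on the constructed data, the four "Acme Catering" variants collapse into one group of four invoices totalling 20,500.00 and are flagged on both thresholds, while the single "J. Doe Consulting" invoice stays below the review line. In practice the thresholds would be tuned to the organisation's own payment patterns and the flagged list fed to the recurring review task the slide describes.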

Page 26

Access Controls

Page 27

SAP Access Control: manage access risk and prevent fraud

Monitor emergency access and transaction usage

Certify access assignments are still warranted

Define and maintain roles in business terms

Automate access assignments across SAP and non-SAP systems

Find and remediate SoD and critical access violations

Diagram labels: SAP_ALLX, Legacy

Page 28

Segregation of duties (SoD)

Diagram labels: Create Vendor, Pay Vendor

Page 29

Page 30

Integrated GRC: Access Risk Management, Compliance Management, Risk Management

Develop and Package External Content

Enterprise Risk: Fraud

Responses: Reduce, Control, Avoid, Accept, Transfer

Regulations / Process: Procure to Pay (Vendor Mgmt, AP Invoicing)

Process Risks: Fraudulent invoices paid; Valid invoices not entered

Access Risks: User can enter vendor & PO; User can enter invoices & payments

Controls: Review of new vendors and related invoice support; AP SOD rules in AC; Review of uninvoiced goods receipts; Monitor Access Status; Mitigate Access Violations

Policies: Update and roll out strengthened security policy
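Page 28 shows the classic Create Vendor / Pay Vendor conflict, and page 30 lists the Procure-to-Pay access risks ("user can enter vendor & PO", "user can enter invoices & payments") with "AP SOD rules in AC" and "Mitigate Access Violations" as the controls. The Python below is an added example for both pages; it is not SAP Access Control code and the rule set, roles, users and mitigating-control assignments are constructed assumptions modelled on those slides, not SAP's shipped ruleset. It demonstrates the two checks a practitioner actually needs: a design-time check that no single role bundles both halves of a rule, and a user-level check that also catches conflicts arising only from the combination of otherwise clean roles, with mitigating controls recorded against (user, risk) pairs so the remediation worklist shows only what is still open.

```python
# Constructed SoD rule set (assumed, modelled on the Procure-to-Pay risks on page 30).
# Each rule names two business functions that one person must not hold together.
SOD_RULES = {
    "P2P-01": ("Create Vendor", "Pay Vendor"),   # create a payee, then pay it (page 28)
    "P2P-02": ("Create Vendor", "Create PO"),    # "user can enter vendor & PO"
    "P2P-03": ("Enter Invoice", "Pay Vendor"),   # "user can enter invoices & payments"
}

# Roles described in business terms, mapped to the functions they grant (assumed).
ROLES = {
    "Z_AP_CLERK":       {"Enter Invoice"},
    "Z_AP_PAYMENT_RUN": {"Pay Vendor"},
    "Z_VENDOR_MASTER":  {"Create Vendor"},
    "Z_PURCHASER":      {"Create PO"},
    "Z_AP_SUPER":       {"Enter Invoice", "Pay Vendor"},  # conflict built into one role
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"Z_AP_CLERK"},
    "bob":   {"Z_VENDOR_MASTER", "Z_AP_PAYMENT_RUN"},  # conflict only across roles
    "carol": {"Z_AP_SUPER"},
    "dave":  {"Z_VENDOR_MASTER", "Z_PURCHASER"},
}

# Mitigating controls recorded per (user, risk id), as a control owner would assign them.
MITIGATIONS = {
    ("dave", "P2P-02"): "Review of new vendors and related invoice support",
}


def functions_for_user(user, user_roles=USER_ROLES, roles=ROLES):
    """Return {function: set of roles that grant it} for one user."""
    granted = {}
    for role in user_roles.get(user, ()):
        for function in roles.get(role, ()):
            granted.setdefault(function, set()).add(role)
    return granted


def role_level_conflicts(roles=ROLES, rules=SOD_RULES):
    """Design-time check: single roles that contain both halves of a rule."""
    return sorted(
        (role, risk_id)
        for role, functions in roles.items()
        for risk_id, (f1, f2) in rules.items()
        if f1 in functions and f2 in functions
    )


def find_sod_violations(user_roles=USER_ROLES, roles=ROLES,
                        rules=SOD_RULES, mitigations=MITIGATIONS):
    """User-level analysis: every rule whose two functions a user holds,
    whichever roles supply them, with any recorded mitigating control."""
    violations = []
    for user in sorted(user_roles):
        granted = functions_for_user(user, user_roles, roles)
        for risk_id, (f1, f2) in rules.items():
            if f1 in granted and f2 in granted:
                violations.append({
                    "user": user,
                    "risk": risk_id,
                    "functions": (f1, f2),
                    "via_roles": sorted(granted[f1] | granted[f2]),
                    "mitigated_by": mitigations.get((user, risk_id)),
                })
    return violations


def unmitigated(violations):
    """The remediation worklist: violations with no mitigating control recorded."""
    return [v for v in violations if v["mitigated_by"] is None]


if __name__ == "__main__":
    for role, risk_id in role_level_conflicts():
        print(f"role {role} violates {risk_id} on its own")
    for v in find_sod_violations():
        status = f"mitigated by '{v['mitigated_by']}'" if v["mitigated_by"] else "UNMITIGATED"
        print(f"{v['user']}: {v['risk']} {v['functions']} via {v['via_roles']} -> {status}")
```

On the constructed data, bob is flagged for P2P-01 although each of his roles is clean on its own, carol inherits P2P-03 from the single over-broad role Z_AP_SUPER, and dave's P2P-02 is reported but marked mitigated by the new-vendor review, so only bob and carol land on the open worklist. The role-level check is the one worth running before a role is ever assigned; the user-level check is what the recurring "find and remediate" and "certify access" activities on page 27 rely on.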

Page 31

The SAP Difference

Unified GRC Platform: risk, compliance, audit, policy and internal control management

Proactive: integrated monitoring, continuous controls monitoring

Large Eco-system: industry-specific tailored solutions meeting your requirements

Proven: remarkable customers using essential solutions

Page 32

The SAP Difference. Proven: remarkable customers using essential solutions

Page 33

Thank You!

Patrick Wang, [email protected]

Business Development Manager APJ, Governance Risk and Compliance