Surviving in a Riskier World with a Governance Risk and Compliance Strategy
Patrick Wang, GRC Business Development APJ
© 2013 SAP AG. All rights reserved. 2
Agenda
Introduction
GRC solutions
Risk Management
Internal Controls
Access Controls
Summary
Introduction
What is GRC?
Brakes
Seatbelts
Car seats
Airbags
Maintenance records
Temperature gauge
Fuel gauge
Crash avoidance
GRC involves these elements and many others….
Compliance
Audit
Risk
Monitoring
Access risk management
Policy
Global trade compliance
Legal
Quality
EH&S
Can your organization answer these questions?
What risks impact your ability to perform?
What is the status of your compliance initiatives?
Does excessive access introduce opportunity for fraud and errors?
Are controls in place and shared across your organization?
Are risk responses ready and effective?
Are behaviors reflective of policies?
The cost is real: compliance enforcement and poorly managed risk events are costly
Bribery and corruption, spills, explosions
Trading conflicts, currency manipulation, laundering, restricted trading parties
Off-label marketing, product recalls, price fixing
Conduct, transmission, ownership, manipulation, disruptions
Costs resulting from non-compliance can't be ignored: enforcement is 2.7 times higher than investing in compliant processes
Average cost of compliance: $3.5 million
Average cost of non-compliance: $9.4 million
Source: Ponemon Institute LLC, The True Cost of Compliance, 2011
Control failures / risk events
Lowers customer satisfaction
Reduces investor confidence
Raises business costs
Increases scrutiny
But what's the hidden cost? Performance impact:
Unachieved objectives
Disrupted operations
Conversely, there is potential for a positive impact: optimized performance
Controls enhance performance
Risks anticipated and managed
Opportunities identified
Major disruptions avoided
Customer demands met
Shareholder value attained
Brand enhanced
SAP GRC customers are seeing a positive impact: optimizing performance
Grew through the financial crisis
Discovered new oil reserves
Minimizing risk and non-compliance events
World's largest dairy exporter: expanding global dairy trade in a compliant manner; 17% growth of net profit
SAP GRC Solutions
SAP capabilities for GRC
GRC Shared Compliance Platform: hierarchies, policies, controls, risk response; product updates; user experience
SAP Solutions for GRC
Monitor: risk indicators, controls, transactions, ERP configuration, events
Manage: risk, compliance, audit, policy, access, trade
Analyze: dashboards and visualization, non-compliance, effectiveness, exceptions
Reporting & Analytics
Key solutions for success: SAP GRC solutions translate capabilities into value
SAP Solutions for GRC
GRC Shared Compliance Platform: hierarchies, policies, controls, risk response; product updates; user experience
SAP Audit Management
SAP Risk Management
SAP Nota Fiscal Electronica
SAP Access Control
SAP Process Control
SAP Global Trade Services
SAP Access Approver (mobile)
SAP Policy Survey (mobile)
SAP Sanction-Party List (mobile)
GRC for Industries and LoBs
Native SAP ERP integration and integration to non-SAP ERP (SAP, legacy and other systems)
Risk Management
SAP Risk Management: preserve and grow value
Plan risk management within the context of value to the organization
Link risks, risk drivers, risk indicators, impacts and responses
Analyze risk via scenarios, modeling, and other factors to understand exposure
Respond to risk after balancing costs and benefits
Monitor thresholds, effectiveness of risk responses, and corrective actions
Risk Heatmap
Risk hierarchy: first level, second level, third level
Response Plan
Internal Controls
SAP Process Control: ensure effective controls and on-going compliance
Document controls and policies centrally; map to key regulations and impacted organizations
Perform periodic risk assessments to determine scope and test strategies
Evaluate control design and effectiveness; raise and remediate issues
Perform automated, exception-based monitoring of ERP systems
Support decisions and promote accountability with insightful analytics and sign-off
Business Pain: Overuse of One-Time Vendors
One-time vendors: generally used to limit the admin burden for infrequently used vendors
Bypassing controls: may be used to bypass ERP controls related to vendor maintenance and payment
Implications: non-compliance with company policies, fraud, errors, inadequate vendor history, ...
Excerpt from a one-time vendor policy:
One-time vendor records shall be used for all payments made to vendors that are paid on a one-time basis or very infrequently and that are not established in the SAP Vendor Master Database.
The Bureau of Financial Management performs a periodic analysis of the payments posted to one-time vendor records to determine if a permanent vendor master record should be established.
Solution: Automating One-Time Vendor Review
What the business rule does: uses the new grouping and aggregation feature to group AP invoices for one-time vendors, presenting both the sum and the count of the invoices
What the customer does: schedules the rule on a recurring basis to trigger a semi-automated activity verifying that one-time vendors are being used appropriately
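As an added example, the grouping-and-aggregation logic of that business rule written out in Python over constructed AP invoice lines; this is not SAP Process Control's rule and not code from the presentation. It assumes a single one-time vendor account number (here "CPD") whose payee name and bank account are typed in per document, groups by bank account because payee names vary in spelling, and reports count and sum per group, flagging groups that exceed assumed thresholds or carry several payee names on one bank account. The account number, thresholds and invoices are all made up.

```python
# Added example: a one-time vendor review rule in the spirit of the slide,
# not SAP Process Control code. All data below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    doc: str          # accounting document number (constructed)
    vendor: str       # vendor account number on the document
    payee: str        # payee name typed in at invoice entry
    bank_acct: str    # payee bank account typed in at invoice entry
    amount: Decimal


# Assumed: "CPD" is the one-time vendor account in this constructed system.
ONE_TIME_ACCOUNTS = {"CPD"}
# Assumed review thresholds per period; a real rule would parameterise these.
MAX_COUNT = 3
MAX_SUM = Decimal("2500.00")

# Constructed sample postings for one review period.
SAMPLE_INVOICES = [
    Invoice("1900001", "CPD", "Acme Repairs", "DE11-0001", Decimal("450.00")),
    Invoice("1900002", "CPD", "Acme Repairs", "DE11-0001", Decimal("1200.00")),
    Invoice("1900003", "CPD", "ACME Repairs GmbH", "DE11-0001", Decimal("980.00")),
    Invoice("1900004", "CPD", "J. Smith", "GB22-0002", Decimal("75.00")),
    Invoice("1900005", "100234", "Regular Supplier AG", "CH33-0003", Decimal("5000.00")),
    Invoice("1900006", "CPD", "Acme Repairs", "DE11-0001", Decimal("2100.00")),
]


def aggregate_one_time(invoices, one_time_accounts=ONE_TIME_ACCOUNTS):
    """Group one-time vendor invoices by payee bank account.

    Returns {bank_acct: {"count": int, "sum": Decimal, "names": set}}.
    Grouping by bank account rather than by name catches the same payee
    entered under slightly different spellings.
    """
    groups = defaultdict(lambda: {"count": 0, "sum": Decimal("0"), "names": set()})
    for inv in invoices:
        if inv.vendor not in one_time_accounts:
            continue  # permanent vendors are outside this rule's scope
        g = groups[inv.bank_acct]
        g["count"] += 1
        g["sum"] += inv.amount
        g["names"].add(inv.payee)
    return dict(groups)


def one_time_vendor_exceptions(invoices, max_count=MAX_COUNT, max_sum=MAX_SUM):
    """Return the payees a reviewer should look at, with the reason for each."""
    exceptions = []
    for bank_acct, g in sorted(aggregate_one_time(invoices).items()):
        reasons = []
        if g["count"] > max_count:
            reasons.append(f"{g['count']} invoices exceeds {max_count} per period")
        if g["sum"] > max_sum:
            reasons.append(f"total {g['sum']} exceeds {max_sum} per period")
        if len(g["names"]) > 1:
            reasons.append("one bank account used under several payee names")
        if reasons:
            exceptions.append({
                "bank_acct": bank_acct,
                "count": g["count"],
                "sum": g["sum"],
                "names": sorted(g["names"]),
                "reasons": reasons,
            })
    return exceptions


if __name__ == "__main__":
    for e in one_time_vendor_exceptions(SAMPLE_INVOICES):
        print(e["bank_acct"], e["count"], e["sum"], e["names"])
        for r in e["reasons"]:
            print("   -", r)
```

On the constructed data the rule surfaces one group: four invoices totalling 4730.00 to bank account DE11-0001 under two spellings of the same payee, which is exactly the case where the policy above says a permanent vendor master should be created. The thresholds are deliberately separate parameters so the reviewer can tune count and amount independently.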
Access Controls
SAP Access Control: manage access risk and prevent fraud
Find and remediate SoD and critical access violations
Automate access assignments across SAP and non-SAP systems
Define and maintain roles in business terms
Certify access assignments are still warranted
Monitor emergency access and transaction usage
[Diagram labels: SAP_ALL, Legacy]
Segregation of duties (SoD)
Create vendor / pay vendor: one user holding both functions is an SoD conflict; the functions must be split across different users
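The SoD check itself, as an added example in Python over constructed role and user data; this is not the SAP Access Control rule engine and not code from the presentation. Business functions are mapped to SAP transaction codes (FK01/XK01 for vendor master, ME21N for purchase orders, FB60/MIRO for invoices, F110/F-53 for payments) purely as labels for the example; a production ruleset is defined on authorization objects and field values, not on transaction codes alone. Rule IDs, role names, users and the mitigating control are all made up.

```python
# Added example: a user-level SoD check over constructed role and user data.
# Illustrative code, not SAP Access Control. Transaction codes are common SAP
# ones used only as labels; a real ruleset works on authorization objects.

# Business function -> transaction codes that grant it (assumed mapping).
FUNCTIONS = {
    "AP01 Maintain vendor master": {"FK01", "FK02", "XK01", "XK02"},
    "PR01 Create purchase order": {"ME21N", "ME22N"},
    "AP02 Enter vendor invoice": {"FB60", "MIRO"},
    "AP03 Process vendor payments": {"F110", "F-53"},
}

# SoD rules: pairs of functions one person must not hold together.
# Rule IDs and risk descriptions are constructed.
RULES = {
    "P2P-01": ("AP01 Maintain vendor master", "PR01 Create purchase order",
               "User can enter vendor & PO"),
    "P2P-02": ("AP02 Enter vendor invoice", "AP03 Process vendor payments",
               "User can enter invoices & payments"),
    "P2P-03": ("AP01 Maintain vendor master", "AP03 Process vendor payments",
               "User can create a vendor and pay it"),
}

# Constructed roles and user assignments.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FK03"},       # FK03 is display only
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_VENDOR_MASTER": {"FK01", "FK02"},
    "Z_BUYER": {"ME21N", "ME22N"},
}
USERS = {
    "ALICE": {"Z_AP_CLERK"},
    "BOB": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "CAROL": {"Z_VENDOR_MASTER", "Z_BUYER"},
    "DAVE": {"Z_VENDOR_MASTER"},
}
# Mitigating controls already assigned: (user, rule) -> control description.
MITIGATIONS = {("BOB", "P2P-02"): "Weekly payment-run review by AP manager"}


def functions_for_user(user, users=USERS, roles=ROLES, functions=FUNCTIONS):
    """Map each business function the user holds to the roles that grant it."""
    held = {}
    for role in users.get(user, set()):
        tcodes = roles.get(role, set())
        for func, func_tcodes in functions.items():
            if tcodes & func_tcodes:
                held.setdefault(func, set()).add(role)
    return held


def sod_violations(users=USERS, roles=ROLES, functions=FUNCTIONS, rules=RULES,
                   mitigations=MITIGATIONS):
    """Return one record per (user, rule) conflict, noting any mitigation."""
    findings = []
    for user in sorted(users):
        held = functions_for_user(user, users, roles, functions)
        for rule_id, (f1, f2, risk) in rules.items():
            if f1 in held and f2 in held:
                findings.append({
                    "user": user,
                    "rule": rule_id,
                    "risk": risk,
                    "via_roles": sorted(held[f1] | held[f2]),
                    "mitigated_by": mitigations.get((user, rule_id)),
                })
    return findings


def unmitigated(findings):
    """Conflicts with no assigned mitigating control: these need remediation."""
    return [f for f in findings if f["mitigated_by"] is None]


if __name__ == "__main__":
    for f in sod_violations():
        status = "mitigated: " + f["mitigated_by"] if f["mitigated_by"] else "OPEN"
        print(f["user"], f["rule"], f["risk"], f["via_roles"], status)
```

Two points worth noticing in the output: the conflict only appears when the roles are combined on one user (each role on its own is clean, which is why the check must run at user level and not just at role level), and a finding with a mitigating control stays visible as a finding. Monitoring mitigated conflicts separately from open ones is what keeps the mitigation honest.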
Integrated GRC
Swimlanes: Risk Management, Compliance Management, Access Risk Management; Develop and Package External Content
Enterprise risk: Fraud
Responses: Reduce, Control, Avoid, Accept, Transfer
Regulations / Process: Procure to Pay (Vendor Management, AP Invoicing)
Process risks: Fraudulent invoices paid; Valid invoices not entered
Access risks: User can enter vendor & PO; User can enter invoices & payments
Controls: Review of new vendors and related invoice support; AP SoD rules in Access Control; Review of uninvoiced goods receipts; Monitor access status; Mitigate access violations
Policies: Update and roll out strengthened security policy
The SAP Difference
Unified GRC Platform: risk, compliance, audit, policy and internal control management
Proactive: integrated monitoring, continuous controls monitoring
Large Eco-system: industry-specific tailored solutions meeting your requirements
Proven: remarkable customers using essential solutions
The SAP Difference: proven, remarkable customers using essential solutions