What we will cover • Who is Exxaro? • The Exxaro GRC...


Upload: vuonghanh

Post on 03-Feb-2018


What we will cover

• Who is Exxaro?

• The Exxaro GRC Strategy and how SAP supports this

• Using SAP Risk Management to prioritise business processes

• Driving operational accountability and transparency: SAP Process Control

• Driving efficiency through management reports out of SAP Process Control

• Wrap-up


Setting the context, who is Exxaro?

• Exxaro is a diversified mining company: interests in coal, TiO2, Ferrous & Energy

• 2nd largest coal producer in RSA with production of 40 million tonnes

• Largest open-pit coal mine in Africa

• One of top 10 companies globally with best shareholder returns

• Market capitalisation of R52 billion ($6 billion)


GRC = Proactive + Efficient


Management system to ensure you exist in future

Clear roles and responsibilities

Effective decision making

+

+

Transparency, accountability and integrity

+

Business Efficiency=

GRC and its elements are set out in various laws and standards


Proactive + efficient = more money on the bottom line …


The Exxaro GRC strategy

Energy, Fuels, Matter

Non-renewable, Renewable, Resources, Prospecting to Proven

BWA, Waste

Ecosystem processes, Climate change, Eco-efficiency

Health & hygiene, Safety, Knowledge, Skills, Intellectual output, Motivation, Wellness, Relationships, Human rights, Equity

Internal social, Social relationships, Values and trust, Ethics, Co-operation, Networks, Operating model

External social, Partnerships, Co-operation

Communication, Trust & Reputation, Licence to operate, Customers, Suppliers

Infrastructure, Mining, Beneficiation, Logistics, Buildings, General

Technology, Engineering, Productive, ICT Systems

Processes, Planning, execution, BI, Competitive edge

Innovation, IP, Eco-efficiency

Ownership, Cash & currency, Intangible assets, Share price & dividends, Risk, Corporate governance, Performance measurement, Investment & growth

To the extent that these capitals are maintained or developed, the organisation will remain sustainable.

Governance

Risk/Assurance

Compliance


How this is reflected in our strategy and business model …


Understand where SAP GRC fits into the organisational GRC culture …

What is SAP Risk Management in relation to GRC culture?

[Figure: GRC culture maturity steps. Labels: People; Step Location; Resilient; Proactive; Compliant; Basic]


Where are we in the SAP GRC journey?

[Figure: SAP GRC journey timeline, 2013 to 2015. Rows: SAP Risk; SAP PC; Integration; SAP Policy. Labels: Strategic + Operational; Procure to Pay; Hire to Retire; Strategic; EWPM; EHS&M; Safety, Health, Environment & Community; Upgrade to 10.1]


There are three business rule types

• Configuration
  Description: Rules relating to configuration settings or parameters in the ERP system
  Example: Monitor configuration changes to the duplicate invoice indicators

• Master data
  Description: Rules relating to governance of master data in ERP system
  Example: Monitor changes to vendor master records e.g. change in banking details

• Transaction
  Description: Rules relating to business transactions within the ERP system based on available data
  Example: Identify duplicate payments e.g. same vendor, same date, same amount, same invoice
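
The three rule types above, sketched as automated checks that test every record rather than a sample. This is an added example, not Exxaro's or SAP's code; the record layouts, field names, watched settings and sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records; field names are hypothetical, not SAP fields.
CONFIG_CHANGES = [
    {"setting": "duplicate_invoice_check", "old": "on", "new": "off", "user": "u17"},
    {"setting": "default_payment_terms", "old": "30", "new": "45", "user": "u02"},
]
VENDOR_CHANGES = [
    {"vendor": "V100", "field": "bank_account", "user": "u17"},
    {"vendor": "V200", "field": "phone", "user": "u05"},
]
PAYMENTS = [  # amounts in cents so equality is exact
    {"doc": "P1", "vendor": "V100", "date": "2015-03-02", "cents": 150000, "invoice": "INV-9"},
    {"doc": "P2", "vendor": "V100", "date": "2015-03-02", "cents": 150000, "invoice": " inv-9"},
    {"doc": "P3", "vendor": "V200", "date": "2015-03-02", "cents": 150000, "invoice": "INV-9"},
]
WATCHED_SETTINGS = {"duplicate_invoice_check"}
WATCHED_VENDOR_FIELDS = {"bank_account", "bank_key"}

def configuration_rule(changes):
    """Configuration rule: any change to a watched ERP setting is an exception."""
    return [f"{c['setting']} changed {c['old']} -> {c['new']} by {c['user']}"
            for c in changes if c["setting"] in WATCHED_SETTINGS]

def master_data_rule(changes):
    """Master data rule: changes to vendor banking details are exceptions."""
    return [f"vendor {c['vendor']} {c['field']} changed by {c['user']}"
            for c in changes if c["field"] in WATCHED_VENDOR_FIELDS]

def transaction_rule(payments):
    """Transaction rule: same vendor, date, amount and invoice paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        # Normalise the invoice number so spacing or case cannot hide a duplicate.
        key = (p["vendor"], p["date"], p["cents"], p["invoice"].strip().upper())
        groups[key].append(p["doc"])
    return [f"vendor {k[0]} invoice {k[3]} paid by {', '.join(docs)}"
            for k, docs in groups.items() if len(docs) > 1]

def run_rules():
    """Test every record (not a sample) and return (rule type, issue) pairs."""
    issues = [("configuration", m) for m in configuration_rule(CONFIG_CHANGES)]
    issues += [("master data", m) for m in master_data_rule(VENDOR_CHANGES)]
    issues += [("transaction", m) for m in transaction_rule(PAYMENTS)]
    return issues

if __name__ == "__main__":
    for rule_type, issue in run_rules():
        print(f"[{rule_type}] {issue}")
```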


Control and issue remediation

• Test control: Controls are monitored by using business rules (automated testing)

• Raise issues: Exceptions and internal controls are identified and raised automatically as issues and sent to the control owner

• Create remediation plan: The control owner reviews the issue, creates a remediation plan and assigns it to a remediator

• Remediate issue: Users follow a workflow-based process to ensure that appropriate remediation action is taken

• Close issue: Once remediation plan has been completed by the remediator, it is automatically sent back to the control owner to close the issue

Roles shown under the steps: System, Control owner, Mediator, Control owner


Exxaro risk management process: 5 phases

• Risk Planning

• Risk Identification

• Risk Assessment / Analysis

• Risk Treatment

• Reporting


Reporting = Management tools for efficiency and proactiveness


How does SAP process control differ from traditional auditing?

Traditional auditing

• Sample testing

• Focus on manual controls

• Detective monitoring

• Once-off annually

• Compliance driven

SAP process control

• Testing of all controls in the business process

• Focus on automated controls

• Real time monitoring

• Preventative monitoring

• 24/7

• Increase in business efficiency


Process control = audit = efficiency

Achieving higher confidence – lower cost

[Figure: Cost Reduction. Axis: # controls. Bars: Manual Controls (Today); Manual Controls and Automated (Maturity Level 1)]

Less manual labour, less pushback from the business and lower cost of preparing for an audit


Achieving higher confidence – lower cost and business process improvement

[Figure: Cost Reduction and Process Improvement. Axes: time, # controls. Bars: Manual Controls (Today); Manual Controls and Automated (Maturity Level 1); Manual Controls and Automated (Maturity Level 2)]

Less manual labour (workflow, reports)

Less pushback from the business, lower cost of preparing for an audit

More controls, more granularity and higher frequency of checks, consistency


Achieving higher confidence – lower cost and business process improvement (cont.)

[Figure: Cost Reduction and Process Improvement. Axes: Time, # Controls. Bars: Manual Controls (Today); Manual Controls and Automated (Maturity Level 1); Manual Controls and Automated (Maturity Level 2). Curves: Cost; Assurance]


An Exxaro case study: procure-to-pay

• High-level procure-to-pay process

[Figure: procure-to-pay process flow. Steps: Create requisition order; Create RFQ; Create purchase order; Create a goods receipt note upon receiving goods; Receive & capture an invoice; Pay the invoice; Vendor master records. Lanes: Procurement; Finance; Vendor management]


An Exxaro Case Study: Procure-to-Pay (cont.)

• Summary of controls implemented

[Figure: controls and business rules per lane (Procurement; Finance; Vendor management). Labels as extracted: Controls; 10 Business rules; 13 Controls; 14 Business rules; 31 Controls; 5 Business rules; 125629; NB]


Every report serves a different purpose – summary report for process owner


Every report serves a different purpose – summary report by organisation for BU financial manager


Every report serves a different purpose – detailed issue report for sub-process owner and control owner


Every report serves a different purpose – remediation status report for control owner and sub-process owner


Every report serves a different purpose – summary issue owner report


Wrap-up, take home points

• GRC = Being efficient + proactive

• First define your GRC strategy

• Align your organisational GRC culture with SAP GRC

• Follow a risk-based approach for all audit activities

• Implement high impact controls first

• Opt for automated control monitoring

• Design your management reports in such a way that your implementation will lead to a more efficient organisation


Your Turn!

How to contact me:

Saret van [email protected]