Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.
Bringing SAP Process Control and SAP Risk Management Together to Improve Visibility, Reduce Costs, and Streamline End-to-End Compliance Processes
Solene Alos, EY
1
In This Session
• Who?
For prospective SAP customers and for risk management, compliance, or audit directors and
managers
• What?
The use of SAP Process Control (PC) and Risk Management (RM) modules and their integration
to improve visibility, reduce costs, and streamline end-to-end compliance processes
• How?
Enable SAP RM users to propose or assign controls from SAP PC to risks
Enable SAP PC users to use insights from SAP RM to take a risk-based approach to testing
controls
• Where?
Two components of SAP GRC, PC and RM, integrate together
2
What We’ll Cover
• What we are seeing in the market
• SAP GRC overview
• SAP PC overview
• SAP RM overview
• SAP PC and RM integration
• Live demo: RM and PC integration
• Common SAP GRC challenges
• Wrap-up
3
Rising Risk Management Challenges
Our recent EY global survey of more than 250 leading organizations found a direct link between effective
risk management practices and improved financial performance. Harnessing the power of GRC
technology to improve risk information, streamline processes, and reduce cost was the biggest challenge
and opportunity in achieving the needed risk management maturity.
[Figure: matrix of the application landscape (SAP ECC, SAP SRM, Oracle JDE, Hyperion, SAP CRM, other), regulatory requirements (SOX, GxP, FCPA, Sunshine Act, customs/trade, HIPAA, others), functional units (information technology, compliance, operations/supply chain, finance, human resources, internal audit) and regions/business segments (Segments A, B, C), overlaid with governance, risk management, and compliance activities]
Figure callouts:
• Overspending on risk by at least 25%-30%
• Hidden costs in risk spend
• Inefficiency in control structure and compliance testing
• Overlap and redundancy across processes
• Duplicative activities at corporate and business unit levels
• Not focused on the risks that matter or the risks that could create value
• Strategic capital structure
• Emerging markets focus
• Executing alliances and transactions
• Failure to build competitive advantage in key risk areas
• Failing to anticipate and respond to emerging risks
• Risk not integrated with planning and performance management
• Risk exposure in major initiatives and programs
• Lack of alignment and communication at all levels of the enterprise
• Inability to proactively respond to emerging risks in a highly regulated environment
4
Turn Risk into Results with GRC Technology Enablement
Improve controls and processes:
• Better aligned risk coverage, including the identification of stronger, more pervasive controls
• Reduced level of effort associated with performing and testing controls
• Increased control and process efficiencies enabled through automation and continuous monitoring
• Improved control mix that addresses key business risks while driving process efficiencies
Embed risk management:
• Comprehensive and continuous risk management and monitoring
• Central management of financial, operational, and compliance risks and controls across the organization
Enhance risk strategy:
• Improved alignment to the objectives and strategy of the business
• Improved visibility to risks that matter to the organization
• Proactive identification of risks
• Enhanced decision making
Optimize risk management functions:
• Elimination of duplicate and fragmented risk management activities
• Increased integration and coordination among business, IT, and compliance
• Sustainability of the risk management process
• Effective top-down and bottom-up reporting
[Figure: "Turning risk into results" wheel with four segments around the risk agenda: enhance risk strategy, embed risk management, optimize risk management functions, improve controls and processes]
5
Road Blocks to SAP PC and RM Implementations
• Lack of business case
• Multiple parties involved in decision making:
Risk management, compliance, Sarbanes-Oxley (SOX), other regulatory groups, audit
• Need for mature risk management or compliance processes
• Maturity of risk management technology solution
• Lower priority, as it is not a transactional system
• Need for enterprise risk management or compliance transformation during
implementation of SAP PC or RM
6
GRC Overview
SAP GRC components:
• Risk Management (RM): Holistic risk visibility, key risk indicators, top-down to bottom-up risk integration, risk intelligence through dashboards
• Access Control (AC): Sensitive access and segregation of duties, critical and emergency access management, compliant access provisioning, role management
• Process Control (PC): Central controls repository, automated controls testing, continuous control monitoring, policy management, survey and self-assessments, integration with ARIS
• Fraud Management (enabled by HANA): Identification and prevention of fraud, calibration and simulation features, predictive scenario analysis
• Audit Management (enabled by HANA): Annual audit plan, individual audit and workpaper management, issue management
• Sustainability Performance Management: Support of multiple sustainability reporting frameworks, standards, and key performance indicators (KPIs)
• Global Trade Services: Export/import compliance, customs e-filing, sanctioned party-list screening
• Environment, Health, and Safety: Better management of worker safety, environmental compliance, and product stewardship
[Figure: SAP GRC shown alongside Enterprise Performance Management, Data Warehousing, Enterprise Information Management, and Analytic Applications, all on the SAP Business Process Platform]
8
SAP GRC as Part of SAP’s Analytics Suite
[Figure: SAP analytics suite]
• Information Management: Data Integration; Data Quality Management; Master Data Management; Metadata Management
• GRC: Risk Management; Access Control; Process Control; Global Trade Services; Environment, Health, and Safety
• Business Intelligence: Reporting; Query, Reporting, and Analysis; Dashboards and Visualization; Search and Navigation; Advanced Analytics
• Enterprise Performance Management: Strategy Management; Planning, Budgeting, and Forecasting; Profitability and Cost Management; Consolidation; Spend and Supply Chain
Source: SAP
9
GRC Technology Enablement – GRC Framework, Stakeholders, and Overall Value
[Figure: GRC framework matrix. Rows: GRC functions, core processes, IT processes, and risk management major activities; columns: SAP GRC sample solutions (PC, AC, GTS), with checkmarks showing which solution supports which activity]
GRC functions:
• Establish tone at the top
• Translate to policies and procedures
• Communicate and create awareness
• Manage policy and maturing processes
• Establish risk framework
• Identify risks
• Assess risks
• Define risk response
• Assess control effectiveness
• Evaluate findings
• Manage remediation
• Report on compliance and risk
Core processes – process/controls optimization and continuous monitoring (translate policy to business controls):
• Record to report; Planning; Acquire to retire; Treasury and cash management
• Research to develop; Procure to pay; Material to inventory; Plan to produce
• Order to cash; Sell to customer; Market to consumer
• Hire to retire; Tax; Legal; Compliance
IT processes – enable monitoring and enforcement:
• Manage information security; Manage program changes; Manage infrastructure; Manage IT operations
Risk management major activities:
• Governance and policy management – enterprise-wide oversight
• Risk management – identification/oversight of risk
• Audit and compliance management – ensure compliance with corporate policy and regulatory items
10
SAP PC – Business Drivers and Opportunities
Key business drivers:
• Need for reduction in compliance spend and total cost of ownership for controls
• Need for transparency of and accountability for the internal controls and risk management activities and outcomes
• Need for coordination among risk functions to reduce compliance burden on business units
• Need for insights into risks and effectiveness of controls within a disparate or complex application landscape
• Need to improve process efficiencies
• Need for integration of compliance initiatives
Benefits:
Cost-effective compliance
• Reduced cost of compliance through automation
• Increased reliance on monitoring controls versus manual testing
• Reduced burden on business via management of multiple mandates
Enhanced compliance transparency
• Increased risk coverage through real-time control exception reporting
• Centralized dashboards and reports for control status and remediation efforts
Streamlined process execution
• Centralized “single version of the truth” compliance repository
• Accountability enforcement via workflow-based functionality
• Reduced process cycle time through report automation
SAP PC is an enterprise-wide internal controls management solution that provides capabilities for cross-functional teams to fully document the control environment, evaluate the controls, certify the state of controls, and report and analyze control information.
12
SAP PC – Functionality
GRC Process Control capabilities and key features:
Foundation
► Centralized “single source of truth” repository of risks, controls, policy, and survey data
► Support for multiple compliance and operational mandates (SOX, Food and Drug Administration (FDA), data privacy, etc.), including sharing of data across mandates
► Flexible, customizable organization and process hierarchies to drive ownership of compliance activities
Integration
► Foundational master data elements (risks, controls, organization hierarchy) shared across the GRC platform
► Seamless integration with other SAP and non-SAP enterprise applications (ECC, SRM, BW/BI, ARIS, etc.)
Execution
► Workflow-enabled processes for automated monitoring, automated/manual testing, issue management, certifications, and assessments
► Robust business rules framework to facilitate near-real-time exception reporting
► Alerts and email notifications of control exceptions and associated impact
Reporting
► Interactive reports and dashboards that provide real-time compliance status and results
► Interactive, multi-format control, testing, exception, and remediation status across processes, policies, geographies, and accounts
[Figure: PC functional architecture. Capabilities: assessments and certifications, continuous monitoring, automated and manual testing, issue management and remediation, policy lifecycle management; repositories: risks and controls repository, multiple compliance mandates, policy and survey repository, GRC organization hierarchy, business process hierarchy; analytics, dashboards, and reports; enterprise integration with SAP GRC Access Control, SAP GRC Risk Management, and SAP GRC Audit Management]
13
SAP PC – Dashboards
Evaluation status dashboard
Provides management-level overview, with drill-down capability,
regarding the status of controls evaluation and certification activity
Dashboards include: Issue summary (self-assessment, continuous monitoring, and testing
issues)
Remediation plan summary
Control testing effectiveness
Survey assessment summary
Sign-off
Reports and analytics
PC comes standard with over 40 reports that cover:
Master data (e.g., risks and controls)
Continuous monitoring framework and results
GRC security authorizations
Certifications, assessments, and testing
14
SAP RM – Business Drivers
• Outdated, unreliable, and inconsistent risk information
• Inability to meet corporate objectives and stakeholders’ oversight expectations
• Crisis-driven, reactive, and unreliable risk management processes
• Risk information that can’t be aggregated and reported
• Risk management practices and tools not standardized – collaboration impossible
• High cost of control – sub-optimal risk appetite, no use of analytics or continuous monitoring
[Figure: stakeholders of risk management: C-suite and board; investors and customers; GRC professionals (risk management, internal controls, compliance, internal audit); business managers and professionals (mission, HR, finance, manufacturing)]
16
SAP RM – Opportunities
Typical current state (inconsistent approach, cost pressures, fear of the unknown, increasing complexity, reactive):
• Multiple and manual risk management processes
• Fragmented, manual, and ad hoc reporting
• Inability to produce a consolidated heat map
• Lack of confidence that all risks were captured
• Lack of centralization
• Significant impact on business
• Inconsistent approach to capture and assess risks across the organization
Mature state (consistent, cost efficient, visibility, simplified, proactive):
• Centralized processes
• Reasonable impact on business
• Ability to manage risks at multiple organizational levels
• Consolidated views and end-to-end risk management processes
• Scheduled risk assessment activities
• Ability to improve audit activities
• Consistent and real-time reporting
• Centralized and consolidated heat map
• Drill-down capabilities
• Significant workflow automation
• Centralized risk and risk assessment management
• Integration with other SAP GRC solutions
• Central end-to-end process
• Automated risk activities
17
SAP RM – Functionality
SAP RM enables organizations to execute coordinated, transparent, and automated compliance and risk management activities.
SAP Risk Management capabilities and key features:
Plan
► Centralized repository of risks (risk template, risk appetite, and tolerances)
► Mapping of risks to strategic objectives, business process activities, and organizations
► Centralized survey library
Integrate
► Foundational master data elements shared across the GRC platform
► Seamless integration between PC (controls and policies) and RM (risk responses)
► Integration with other SAP and non-SAP applications (ECC, SRM, EH&S, BI, etc.)
Identify, analyze, respond
► Identify and analyze risks and document responses
► Workflow-enabled processes for risk assessments, risk response creation, and KRIs
► KRIs that facilitate near-real-time risk identification, analysis, and response
Monitor
► Reports and dashboards that provide real-time risk reporting
► Centralized and consolidated risk heat map
[Figure: RM functional architecture. Capabilities: risk surveys, key risk indicators, workflow scheduling, risk responses, manage risk lifecycle; repositories: risks library, business objectives, organization hierarchy, activities hierarchy, survey library; analytics, dashboards, and reports; integration with SAP Access Control, SAP Process Control, SAP Audit Management, and other applications]
18
SAP RM – Dashboards
[Figure: RM dashboard screenshot with selection criteria, the list of risk instances summarized in the dashboard, and four quadrants]
Four quadrants to answer four questions:
• Risk level per risk category – Determine where the risks are
• Risk exposure – Determine how mitigated risks are
• Risks per driver category – Determine why the risks exist
• Risks per impact category – Determine what the risks affect
19
SAP PC and RM Integration
• Holistic risk management approach
• How to integrate PC with RM:
Master data
Integration scenarios
21
Why Do Risk Management and Compliance Management Matter? Increasing Number of Regulations
[Figure: world map of regulations, including:]
• Multilateral Instrument 52-1111
• Toxic Substances Management
• Chemical Facility Anti-Terrorism Standards (CFATS)
• FCPA (Foreign Corrupt Practices Act)
• FDA compliance, GxP 21 CFR
• Customs-Trade Partnership Against Terrorism (C-TPAT)
• Sarbanes-Oxley Act
• Data privacy laws: CA-SB 1386, HIPAA
• Gramm-Leach-Bliley Act, COPPA
• Switzerland: Corporate Governance SWX; Code of Obligations
• EU: Foreign Trade Administration Act
• EU: REACH (Registration, Evaluation, and Authorization of Chemicals)
• UK Anti-Bribery Act
• European Data Protection Directive
• Foreign Exchange Order
• JSOX
• PNEMEN (National Policy of Exports of Military Goods)
• King II Report
• Clause 49 of the Listing Agreement
• Regulation 13E of the Customs (Prohibited Exports) Regulations
• Corporate Law Economic Reform Program (CLERP) 9
• Hazardous Waste Act
• Air Toxics National Environment Protection Measure (NEPM)
• F.E.R.C./N.E.R.C.
• EU Company Law Directives 4, 7, and 8
• Hong Kong: Code on Corporate Governance Practices
22
Example of a Holistic Risk Management Approach – Three Lines of Defense (LOD)
• Three lines of defense:
  1. Operations and business units
  2. Management assurance
  3. Independent assurance
• Risk assessment – enabled via SAP GRC RM; controls testing – enabled via SAP GRC PC
23
SAP PC and SAP RM Implementation Approach
• RM focus is to manage risks. PC focus is to manage controls. From an implementation perspective, it might be preferable to start from a risk management perspective to establish the risk assessment process, then implement process controls to determine which controls to test based on the risk assessment.
• In practice, however, most companies follow a bottom-up approach and are more likely to start with a PC implementation than an RM implementation.
[Figure: implementation roadmap by SAP GRC module, moving from manual audit, compliance, and risk processes to technology-enabled ones]
SAP GRC Access Control
• Implementation of sensitive access and segregation of duties
• Implementation of critical and emergency access management and compliant user provisioning
• Remediation of sensitive access and segregation of duties issues
• Optimization of overall security and access processes
SAP GRC Process Control
• Pilot continuous configuration controls monitoring (CCM) for select controls
• Define full CCM organizational requirements to deploy CCM fully
• Enable configuration rules
• Enable transactional rules
• Control status dashboard monitoring (vs. previous manual testing)
SAP GRC Risk Management
• Implementation of organizational structure, centralized risk templates library, and other master data elements (shared master data with PC)
• Enable direct risk analysis
• Enable collaborative, survey-based risk analysis
• Enable automated key risk indicators monitoring
• Enable integration of PC and RM
24
Risks and Controls Technology Enablement Maturity Model
• Organizations should assess risks and controls technology maturity as part of a risk integration/transformation program, determine gaps, and remediate to enhance business performance
Legend: Maturity levels further enabled by the integration of PC and RM
Maturity levels: 1 – Not established; 2 – Basic; 3 – Integrated; 4 – Automated; 5 – Optimized
Area: Risk management
1 – Not established: Risk management and compliance processes that are manual in nature (e.g., risk analysis, control testing, reporting); duplicative and redundant assessment processes
2 – Basic: Minimal use of technology to support risk functions (e.g., data repository, monitoring); no integration or communication between risk functions
3 – Integrated: Visibility to risk landscape; identify risk portfolio and link to process and controls; assessment and audit plans integrated; information shared across risk functions
4 – Automated: Auto-calculate risk heat map and risk strategy; risk management and performance indicators monitored (KRIs, KPIs); communication automated through workflow
5 – Optimized: Real-time risk analysis/forecasting performed (e.g., predictive analysis); key risk indicators linked to key performance indicators to identify trends and monitor desired financial outcomes
Area: Master data management (MDM)
1 – Not established: Limited or no data models, standards, or definitions; no focus on data quality or standardization
2 – Basic: Disparate data models; immature and non-standardized data policies and procedures; limited data oversight
3 – Integrated: Increased focus on integrated data standards and transitioning to an enterprise data model
4 – Automated: Standardized and global data definitions and standards; data change and monitoring controls
5 – Optimized: Systematic controls to validate data according to global MDM standards; data processed and managed centrally
25
Risks and Controls Technology Enablement Maturity Model (cont.)
Area: Process automation
1 – Not established: Unmanageable amounts of paper and spreadsheets; technology not used to enable risk, IT, and business processes
2 – Basic: Risk, IT, and business processes using minimal functionality; use of technology not aligned across functions/processes
3 – Integrated: Risk, IT, and business processes aligned and integrated with technology
4 – Automated: Risk, IT, and business processes fully automated to the extent possible
5 – Optimized: Technology critical to and embedded within core risk, IT, and business processes
Area: Internal controls
1 – Not established: Heavy reliance on manual and detective controls; technology not used to enforce automated or preventive controls; risks and controls manually documented and maintained
2 – Basic: Risk and control library that is not rationalized or maintained; some reliance on automated detective controls
3 – Integrated: Rationalized universal risk and control library maintained; technology used to implement automated or IT-dependent manual controls, replacing manual controls
4 – Automated: Real-time control and process monitoring (e.g., alerts); increased reliance on automated and preventive controls
5 – Optimized: Continuous process and control monitoring (KRIs, KPIs, control gaps); most controls automated and preventive in nature
Legend: Maturity levels further enabled by the integration of PC and RM
26
Risks and Controls Technology Enablement Maturity Model (cont.)
Area: Reporting
1 – Not established: Technology not relied upon to satisfy basic reporting requirements; reporting manual in nature (i.e., spreadsheets)
2 – Basic: Minimal reporting (limited to out-of-the-box reports); available reporting not integrated and siloed across the company
3 – Integrated: Reporting capabilities to report on findings, gaps, and exceptions; improved GRC reporting across the company
4 – Automated: Flexible and ad hoc reporting (e.g., dashboards); comprehensive GRC reporting across the company
5 – Optimized: Top-down flexible reporting across the business; automated dashboards heavily utilized across the company
Area: Organizational adoption
1 – Not established: Organization not focused on leveraging technology; lack of technology acceptance across the enterprise
2 – Basic: Technology adoption segregated among business functions
3 – Integrated: Technology acceptance across the company; increased focus on integrating systems and processes
4 – Automated: Technology fully adopted across business, IT, and risk functions; company’s focus on automating controls and processes
5 – Optimized: Culture that promotes technology to enable and optimize business, risk, and IT functions
Legend: Maturity levels further enabled by the integration of PC and RM
27
SAP PC and RM Integration Points
• Shared master data:
Shared organization structure
Shared risk catalog
Use of a central PC process hierarchy as part of RM activity hierarchy
• Integration scenarios:
RM assigns an existing PC control and/or policy to a risk
RM offers/proposes a new control and/or policy in PC as a reaction to a risk
Assessments in PC change the completeness of risk response in RM
Tests in PC change the effectiveness of risk response in RM
• Technical integration:
Same technical architecture
Some common configurations in SAP RM and PC
29
SAP RM Master Data
Source: SAP
Master data objects:
• Organization (shared with PC)
• Risk (shared with PC)
• Activity hierarchy (can use PC processes)
• Strategic objectives
Legend: Shared with PC
31
SAP PC Master Data
There are several master data objects within SAP Process Control. Each object is a building block used to construct the overall structure needed to support evaluation and testing.
Master data objects:
• Regulation
• Organization hierarchy (shared with RM)
• Process hierarchy (can be used as activity hierarchy in RM)
• Control objectives
• Risks (shared with RM)
• Controls
Assigning and linking: Building the central control catalog by assigning control objectives, risks, and controls in the process hierarchy
Master data overview and mapping to RACM: Summary of the key master data elements and how they map to the Risk and Control Matrix (RACM)
Making the master data operational: Assigning the business process hierarchy to the organization hierarchy
Legend: Shared with RM
32
Shared PC and RM Master Data Example – Risk Catalog
[Figure: risk catalog screenshot, used to create risk categories, the risk hierarchy, and risk templates; each node in the risk categories and templates hierarchy has object type risk category or risk template]
33
Shared PC and RM Master Data – Benefits
• Organization structure:
Send risk assessment and controls testing to the same organizations (can keep risk
owner and control tester separate)
Improve reporting consistency by reporting on risks and controls for the same
entities/organizations
• Risk catalog:
Enables sharing of risk categories and risk templates across modules
Easily correlates the risk assessment to the controls
• Process hierarchy and activity hierarchy:
PC business process catalog is displayed under the root activity in RM
You can choose PC local sub-processes as activities
34
SAP RM – Lifecycle
Risk planning
• Set up risk organization and define thresholds
• Strategic objective setting
• Align strategic objectives to organizational entities
• Define roles and responsibilities
• Define risk classification system
• Define risk-relevant business activities
• Define KRI monitoring framework
• Define reporting structures
Risk identification
• Identify risks and opportunities
• Identify drivers and impacts
• Assign KRIs
• Document risk interrelationships
• Review historical losses
Risk analysis
• Analyze risks using qualitative or quantitative methods
• Build risk scenarios and determine exposure
• Perform Monte Carlo simulations
• Prioritize risks based on risk level
• Group and aggregate similar risks
Risk response
• Document preventive and recovery responses for risks
• Assign response ownership and actions
• Assign an existing PC control and/or policy to a risk (PC/RM integration scenario)
• Propose a new control and/or policy in PC as a reaction to a risk (PC/RM integration scenario)
• Assessments in PC that change the completeness of risk response in RM (PC/RM integration scenario)
• Tests in PC that change the effectiveness of risk response in RM (PC/RM integration scenario)
Risk monitoring
• Plan re-assessment and approval cycles
• Monitor KRIs
• Monitor response effectiveness and completeness
• Update risk exposure for strategic objectives
• Report on risk exposure
• Document occurred incidents and losses
Legend: PC/RM integration scenarios
36
Assign/Propose PC Controls/Policy as RM Response
[Figure: worked example of one RM risk and its responses]
Risk: Predatory pricing
Organization: Consumer Product Company
Risk category: Sales
Business strategy/objectives: Most trusted brand; 20% market share
Opportunities (driver/benefits/enhance): Increase earnings by 5%; Increase sales by 4%
Business processes/activities: Ethics & compliance; Sales and marketing
Drivers: Intense price competition; Sales performance expectations; Growth strategy
Impacts: Fines; Reduced shelf space; Damaged reputation
Key risk indicators (KRIs): Actual to plan deviation; Competitor price changes
Responses – response catalog (Risk Management):
• Mitigate: Review and approve pricing
• Transfer: Insurance cover
• Accept: Risk impacts are insignificant
• Avoid: Fixed pricing
Responses – controls/policies catalog (Process Control):
• Controls: Access controls to pricing master files
• Policies: Robinson-Patman Act; Pricing
Preventive responses reduce the probability of risk events; corrective responses reduce the impact of risk events.
37
Assign/Propose PC Controls/Policy as RM Response (cont.)
[Figure: exchange between SAP RM and SAP GRC PC. PC holds the available controls (Control 1, Control 2, ... Control n); RM holds the controls it proposes (Proposed control a, ... Proposed control n)]
1. Here’s a control that you might want to use as a risk mitigation strategy.
2. Here’s a response created that you might want to use/propose as a control.
3. If accepted, you should add the proposed control to the list of available controls.
Source: SAP
38
PC Assessments/Tests Update RM Responses Completeness/Effectiveness
[Figure: SAP Risk Management on the left, SAP Process Control on the right; PC notifies RM on control changes]
RM exposure: inherent risk, residual risk, residual risk (planned)
RM response completeness is driven by the PC control design assessment:
• 0% – Significantly deficient
• 50% – Deficient
• 100% – Adequate
RM response effectiveness is driven by the PC control effectiveness test:
• 0% – Failed
• 100% – Pass
[PC side of the figure: testing of automated and manual controls across business processes (SAP SCM, FIN, SRM, HR; Oracle) and IT infrastructure, reports and spreadsheets, and policy management feeding policies]
39
Demo – RM and PC Integration
This demo will take a top-down approach, starting from the results of the risk assessment in RM,
drilling down on specific risk and responses to show how risk ratings are calculated. We will then
look at the impact of PC controls assessments and tests on overall risk rating:
• Review of Risk Management dashboards
• Review of risk:
Risk analysis
Risk responses (including use of PC controls and policies)
• Review of control:
Assessment results’ impact on response completeness
Tests results’ impact on response effectiveness
• As time allows:
Review workflow to propose control as a response
Review PC/RM shared master data elements
41
SAP RM – Heat Map Dashboard
[Figure: heat map dashboard screenshot with organization and timeline filters, a risk type filter, an interactive heat map, and the ability to drill down on a risk]
42
Risk Identification
[Figure: risk template screenshot showing where one or multiple risk drivers and one or multiple risk impacts are assigned to the enterprise risk template]
The enterprise risk template is a shared PC/RM
master data element and is the place where you
document all risk master data and related
information like risk assessments, key risk
indicators, response plans, etc.
43
Risk Analysis
[Figure: risk analysis screenshots showing the consolidated probability, impact, and risk-level analysis view for the risk; all assessments for the risk, with the option to drill down to the response details (see next slide); and a graphical overview of the consolidated results of all performed assessments, filterable by different views]
44
Assign/Propose PC Controls/Policy as RM Response
Source: SAP
An RM user can choose to assign or
propose a PC control or policy to an
RM risk
45
PC Assessments/Tests Update RM Responses Completeness/ Effectiveness
PC control effectiveness test results (pass/fail) drive the RM
response effectiveness value
46
PC Assessments/Tests Update RM Responses Completeness/ Effectiveness (cont.)
Source: SAP
The residual risks and planned residual risks in RM (bottom
screenshot) are being calculated based on the response
completeness and effectiveness (upper screenshot) derived
from PC control and policy results (previous slide screenshot)
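The PC-to-RM propagation described on this slide and the previous one, as an added illustrative model that is not SAP's own calculation (the deck does not spell out the formula): it uses the 0%/50%/100% design-assessment scale and the pass/fail test scale from the deck, averages them across the controls assigned to a risk, and assumes residual risk = inherent risk × (1 − completeness × effectiveness), with planned residual risk using completeness alone. The class and function names and the sample scores are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Scales shown on the deck's "PC Assessments/Tests Update RM Responses" slide:
# a PC control design assessment feeds RM response completeness,
# a PC control effectiveness test feeds RM response effectiveness.
DESIGN_ASSESSMENT = {"Significantly deficient": 0.0, "Deficient": 0.5, "Adequate": 1.0}
TEST_RESULT = {"Failed": 0.0, "Pass": 1.0}


@dataclass
class Control:
    """A PC control (or policy) assigned to an RM risk as a response."""
    name: str
    design_rating: Optional[str] = None  # latest PC design assessment, None if not yet assessed
    test_result: Optional[str] = None    # latest PC effectiveness test, None if not yet tested


@dataclass
class Risk:
    """An RM risk with its inherent score and the PC controls assigned as its responses."""
    name: str
    inherent: float                      # inherent risk score, any scale (the sample uses 0-100)
    controls: List[Control] = field(default_factory=list)


def response_completeness(controls: List[Control]) -> float:
    """Average of the design-assessment values; an unassessed control counts as 0 (assumption)."""
    if not controls:
        return 0.0
    return sum(DESIGN_ASSESSMENT.get(c.design_rating, 0.0) for c in controls) / len(controls)


def response_effectiveness(controls: List[Control]) -> float:
    """Average of the test values; an untested control counts as 0 (assumption)."""
    if not controls:
        return 0.0
    return sum(TEST_RESULT.get(c.test_result, 0.0) for c in controls) / len(controls)


def residual_risk(risk: Risk) -> float:
    """Assumed model: inherent risk reduced in proportion to completeness x effectiveness."""
    reduction = response_completeness(risk.controls) * response_effectiveness(risk.controls)
    return risk.inherent * (1.0 - reduction)


def planned_residual_risk(risk: Risk) -> float:
    """Assumed model: planned residual treats every documented response as if it will test effective."""
    return risk.inherent * (1.0 - response_completeness(risk.controls))


def record_pc_result(risk: Risk, control_name: str,
                     design_rating: Optional[str] = None,
                     test_result: Optional[str] = None) -> float:
    """Apply a new PC assessment and/or test result to one assigned control and
    return the recomputed residual risk: the 'notify on control changes' direction
    of the integration, where PC writes and the RM rating moves."""
    if design_rating is not None and design_rating not in DESIGN_ASSESSMENT:
        raise ValueError(f"unknown design rating {design_rating!r}")
    if test_result is not None and test_result not in TEST_RESULT:
        raise ValueError(f"unknown test result {test_result!r}")
    for control in risk.controls:
        if control.name == control_name:
            if design_rating is not None:
                control.design_rating = design_rating
            if test_result is not None:
                control.test_result = test_result
            return residual_risk(risk)
    raise KeyError(f"control {control_name!r} is not assigned to risk {risk.name!r}")


def demo() -> dict:
    """Constructed sample based on the deck's 'predatory pricing' example, scored 0-100."""
    risk = Risk("Predatory pricing", inherent=80.0, controls=[
        Control("Review and approve pricing", "Adequate", "Pass"),
        Control("Access controls to pricing master files", "Deficient", "Failed"),
    ])
    before = residual_risk(risk)           # completeness 0.75, effectiveness 0.5 -> 80 * (1 - 0.375) = 50.0
    planned = planned_residual_risk(risk)  # 80 * (1 - 0.75) = 20.0
    # A passing retest in PC lifts effectiveness to 1.0; residual now equals the planned residual.
    after = record_pc_result(risk, "Access controls to pricing master files", test_result="Pass")
    return {"before": before, "planned": planned, "after": after}


if __name__ == "__main__":
    print(demo())
```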
47
SAP GRC Implementation Common Challenges – Skill Sets
Roles contributing to the skill set:
Compliance/audit
IT organization
Business process owners
Executive management
Risk assessment and compliance skills
• Have a clear perspective on process risks
• Knowledgeable of compliance regulations and audit standards
• Knowledgeable of SAP control and risk management features and potential issues
SAP business process skills
• Understands end-to-end business processes
• Comprehends the intricacies of company-specific processes
• Knowledgeable in SAP transactions and process flow
SAP RM skills
• Familiar with SAP RM master data
• Knowledgeable of business objectives and corresponding risks and key risk indicators
• Familiar with direct risk assessments and risk surveys
SAP technical skills
• Experienced in Basis, Advanced Business Application Programming (ABAP), and general SAP architecture
• Knowledgeable of hardware requirements
• A cross-functional team of IT, compliance, and business resources is imperative to the success of an SAP GRC implementation and standardization program
• Without a balanced skill set within the team, it is common to find the following challenges:
SAP GRC is viewed as an IT tool
SAP GRC is viewed as an auditor’s tool
IT changes rules
Risk function changes rules without approval from business process owners
Training to various team members is one-dimensional (not cross-functional)
49
SAP GRC Implementation Common Challenges (cont.) – Sponsorship and Ownership
The project management model for a successful implementation of SAP GRC requires solid sponsorship, especially at times of competing priorities. Process ownership is equally important for increasing and sustaining the benefits of a new approach to compliance.
Key SAP GRC decisions:
• Scope
• Risk management strategy
• Roles and responsibilities
• Procedures and standards
• Project management
• Monitoring
• Reporting and analytics
• Communications and training
PMO
SAP GRC technical installation team
Internal auditors, risk function
Basis team
SAP GRC implementation team
Security team
Global process leads
Local process leads
Risk and controls process leads
Cross-level constituents play a critical role in grounding the design and execution in the realities of the risk and control processes and in validating the solutions being developed.
Operational teams identify design alternatives. These teams identify the specific improvement opportunities and develop the methodology to implement the change.
Execution teams carry out the solution. These teams develop process and technology definitions that are effective and sustainable.
Successful SAP GRC implementations are typically led by project management office (PMO) teams that articulate the practical alignment of existing business imperatives with the SAP GRC initiative. PMO teams define the implementation strategy and are expected to provide direction and drive consistency and accountability during system and process design.
50
GRC Roadmap Example
Stage 1 – Aligned
• Assess current GRC stage
• Create a long-term vision
• Implement quick wins
Stage 2 – Integrated
• Integrate your GRC solutions
• Automate your processes
Stage 3 – Optimized
• Optimize your GRC solutions
• Extend the GRC integration to other applications
• Implement additional solutions in line with your long-term GRC vision
Roadmap activities shown across the three stages:
• GRC maturity assessment
• Develop a GRC business case
• Align stakeholders
• Establish GRC team and responsibilities
• Develop GRC strategy and roadmap
• GRC vendor selections
• Perform GRC security, controls, and/or enterprise risk management design/redesign/assessment
• Implement SAP GRC AC for segregation of duties (SoD) and emergency access management
• Implement SAP GRC PC for central control repository, testing, compliance assessment, and certification
• Implement SAP GRC RM for risk universe, identification, analysis, and response
• Add AC modules Access Request Management and Business Role Management
• Add PC functions CCM and Policy Management
• Add RM functions Incident Management, Key Risk Indicators, Risk Forecasting, and Business Objectives/Opportunities
• Integrate AC, PC, and RM
• Create risk and controls shared services
• Link KRIs to KPIs and integrate with BI, BPM, and other applications
• Implement and integrate Audit Management
• Implement and integrate Fraud Management
• Implement and integrate Global Trade Services
• Leverage SAP HANA and mobile solutions
Legend: Maturity levels further enabled by the integration of PC and RM
51
What We’ll Cover
• What we are seeing in the market
• SAP GRC overview
• SAP PC overview
• SAP RM overview
• SAP PC and RM integration
• Live demo: RM and PC integration
• Common SAP GRC challenges
• Wrap-up
52
Where to Find More Information
• “There’s no reward without risk: GRC survey 2015” (EY, 2015).
www.ey.com/GL/en/Services/Advisory/EY-theres-no-reward-without-risk-grc-survey-2015-looking-at-risk-differently
• EY “5 insights for executives” series on using GRC technology to turn risks into results.
www.ey.com/GL/en/Services/Advisory/GRC-technology-to-turn-risk-into-results---Overview
• “Expecting more from risk management: Drive business results through harnessing uncertainty” (EY, May 2014).
www.ey.com/Publication/vwLUAssets/EY_-_Expecting_more_from_risk_management/$FILE/EY-expecting-more-from-risk-management.pdf
53
Where to Find More Information (cont.)
• Matt Polak and Marsh Reppy, “Build a Powerful, Effective Business Case for Your GRC Solution Implementation” (SAPinsider, December 2013).
www.ey.com/Publication/vwLUAssets/10-2012_GRC/$FILE/10-2012_GRC_Ernst&Young.pdf
• SAP Help Portal
SAP Risk Management 10.1
http://help.sap.com/rm
SAP Process Control 10.1
http://help.sap.com/pc
• SAP GRC Solutions
www54.sap.com/solutions/analytics/governance-risk-compliance.html
54
7 Key Points to Take Home
• Integrate risk assessment with controls testing by integrating SAP RM and PC
• Share the organization hierarchy, the risk catalog, and the process hierarchy across RM and PC to drive consistency across compliance functions
• Enable SAP RM users to propose or assign controls from SAP PC to risks
• Enable SAP PC users to use insights from SAP RM to take a risk-based approach to
testing controls
• Run real-time risk reporting based on current control assessment and testing results
• Increase visibility into the risk management process by using a top-down approach,
drilling down from the risk heat map to risks, controls, and policies
• Reduce risk management costs and achieve new efficiencies via end-to-end process
automation and centralization
55
Your Turn!
How to contact me:
Solene Alos
Email: solene.alos@ey.com
Please remember to complete your session evaluation
56
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
Disclaimer
EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a
UK company limited by guarantee, does not provide services to clients. Ernst & Young LLP is an EY member firm serving clients in the US. For more information about our organization, please
visit ey.com.
© 2016 Ernst & Young LLP.
All Rights Reserved.
1401-118151
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for
specific advice.
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2015 Wellesley Information Services. All rights reserved.