Surviving in a Riskier World with a Governance Risk and Compliance Strategy

Patrick Wang, GRC Business Development APJ

© 2013 SAP AG. All rights reserved. 2

Agenda

Introduction

GRC solutions

Risk Management

Internal Controls

Access Controls

Summary

Introduction

What is GRC?

Brakes

Seatbelts

Car seats

Airbags

Maintenance records

Temperature gauge

Fuel gauge

Crash avoidance

GRC involves these elements and many others….

Compliance

Audit

Risk

Monitoring

Access risk management

Policy

Global trade compliance

Legal

Quality

EH&S

Can your organization answer these questions?

What risks impact your ability to perform?

What is the status of your compliance initiatives?

Does excessive access introduce opportunity for fraud and errors?

Are controls in place and shared across your organization?

Are risk responses ready and effective?

Are behaviors reflective of policies?

The cost is real: compliance enforcement and poorly managed risk events are costly

Bribery and corruption, spills, explosions

Trading conflicts, currency manipulation, laundering, restricted trading parties

Off-label marketing, product recalls, price fixing

Conduct, transmission, ownership, manipulation, disruptions

Costs resulting from non-compliance can't be ignored: enforcement is 2.7 times higher than investing in compliant processes

Investing in compliant processes: $3.5 Million

Enforcement (non-compliance): $9.4 Million

Source: Ponemon Institute LLC, The True Cost of Compliance, 2011

Control failures / Risk event:

Lowers customer satisfaction

Reduces investor confidence

Raises business costs

Increases scrutiny

But what's the hidden cost? Performance impact:

Unachieved objectives

Disrupts operations

Conversely, there is potential for a positive impact:

Controls enhance performance

Risks anticipated and managed

Opportunities identified

Brand enhanced

Customer demands met

Major disruptions avoided

Shareholder value attained

Optimized Performance

SAP GRC customers are seeing a positive impact

Optimizing performance

Grew through financial crisis

Discovered new oil reserves

Minimizing risk and non-compliance events

World's largest dairy exporter: expanding global dairy trade in a compliant manner, 17% growth of net profit

SAP GRC Solutions

SAP capabilities for GRC

GRC Shared Compliance Platform

Hierarchies, Policies, Controls, Risk Response

Product Updates

User Experience

SAP Solutions for GRC

Monitor: Risk Indicators, Controls, Transactions, ERP Configuration, Events

Manage: Risk, Compliance, Audit, Policy, Access, Trade

Analyze: Dashboards and Visualization, Non-compliance, Effectiveness, Exceptions

Reporting & Analytics

Key solutions for success: SAP GRC solutions translate capabilities into value

SAP Solutions for GRC

GRC Shared Compliance Platform

Hierarchies, Policies, Controls, Risk Response

Product Updates

User Experience

SAP Audit Management

SAP Risk Management

SAP Nota Fiscal Electronica

SAP Access Control, SAP Process Control, SAP Global Trade Services

SAP Access Approver (mobile), SAP Policy Survey (mobile), SAP Sanction-Party List (mobile)

GRC for Industries and LoBs

NATIVE SAP ERP integration and integration to non-SAP ERP (SAP, Legacy, Others)

Risk Management

SAP Risk Management: Preserve and grow value

Plan risk management within the context of value to the organization

Link risks, risk drivers, risk indicators, impacts and responses

Analyze risk via scenarios, modeling, and other factors to understand exposure

Respond to risk after balancing costs and benefits

Monitor thresholds, effectiveness of risk responses, and corrective actions

Risk Heatmap

Response Plan

Internal Controls

SAP Process Control: Ensure effective controls and on-going compliance

Document controls and policies centrally; map to key regulations and impacted organizations

Perform periodic risk assessments to determine scope and test strategies

Evaluate control design and effectiveness; raise and remediate issues

Perform automated, exception-based monitoring of ERP systems

Support decisions and promote accountability with insightful analytics and sign-off

Business Pain: Overuse of One-Time Vendors

One-time vendors: generally used to limit admin burden for infrequently used vendors

Bypassing controls: may be used to bypass ERP controls related to vendor maintenance and payment

Implications: non-compliance with company policies, fraud, errors, inadequate vendor history, …

Excerpt from above:

One-time vendor records shall be used for all payments made to vendors that are paid on a one-time basis or very infrequently and that are not established in the SAP Vendor Master Database

The Bureau of Financial Management performs a periodic analysis of the payments posted to one-time vendor records to determine if a permanent vendor master record should be established.

Solution: Automating One-Time Vendor Review

What the business rule does: uses the new grouping and aggregation feature to group AP invoices for one-time vendors, presenting both the sum and the count of the invoices

What the customer does: the customer schedules the rule on a recurring basis to trigger a semi-automated activity that verifies one-time vendors are being used appropriately
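The one-time vendor review rule described above, as an added worked example (this is not SAP's business rule or any Process Control code): constructed AP invoice lines posted to a one-time vendor account are grouped by normalised payee name and bank account, the sum and count per group are reported, and groups over assumed count or amount thresholds are flagged as candidates for a permanent vendor master record.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    doc_no: str
    vendor_account: str  # vendor account the AP invoice was posted to
    one_time: bool       # True when that account is a one-time vendor account
    payee: str           # payee name keyed on the document itself
    bank_iban: str       # payee bank details keyed on the document itself
    amount: float

# Constructed sample: several invoices posted to the shared one-time account "OTV"
INVOICES = [
    Invoice("5100001", "OTV", True, "Acme Repairs", "DE89 3704 0044 0532 0130 00", 2500.0),
    Invoice("5100002", "OTV", True, "ACME Repairs ", "DE89370400440532013000", 3200.0),
    Invoice("5100003", "OTV", True, "Acme Repairs", "DE89 3704 0044 0532 0130 00", 1800.0),
    Invoice("5100004", "OTV", True, "acme repairs", "DE89 3704 0044 0532 0130 00", 4100.0),
    Invoice("5100005", "OTV", True, "Lakeside Catering", "GB29 NWBK 6016 1331 9268 19", 950.0),
    Invoice("5100006", "100234", False, "Globex Corp", "NL91 ABNA 0417 1643 00", 50000.0),
]

def review_one_time_vendors(invoices, max_count=3, max_amount=10000.0):
    """Group one-time-vendor invoices by payee and flag recurring use (thresholds assumed)."""
    groups = defaultdict(lambda: {"count": 0, "sum": 0.0, "docs": []})
    for inv in invoices:
        if not inv.one_time:
            continue  # invoices on permanent vendor master records are outside this rule
        # Normalise payee name and IBAN so spelling and spacing variants group together
        key = (" ".join(inv.payee.lower().split()), inv.bank_iban.replace(" ", ""))
        g = groups[key]
        g["count"] += 1
        g["sum"] += inv.amount
        g["docs"].append(inv.doc_no)
    findings = []
    for (payee, iban), g in sorted(groups.items()):
        flagged = g["count"] > max_count or g["sum"] > max_amount
        findings.append({"payee": payee, "iban": iban, "count": g["count"],
                         "sum": round(g["sum"], 2), "docs": g["docs"], "flagged": flagged})
    return findings

if __name__ == "__main__":
    for f in review_one_time_vendors(INVOICES):
        mark = "REVIEW" if f["flagged"] else "ok"
        print(f"{mark:<6} {f['payee']:<20} n={f['count']} sum={f['sum']:.2f}")
```

A flagged group is the reviewer's cue to check whether the payee should be set up in the vendor master, which is the semi-automated step the rule triggers.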

Access Controls

SAP Access Control: Manage access risk and prevent fraud

Find and remediate SoD and critical access violations

Automate access assignments across SAP and non-SAP systems

Define and maintain roles in business terms

Certify access assignments are still warranted

Monitor emergency access and transaction usage

[Diagram labels: SAP_ALLX, Legacy]

Segregation of duties (SoD)

[Diagram: Create Vendor, Pay Vendor; Create Vendor, Pay Vendor]

Access Risk Management

Integrated GRC

Develop and Package External Content

Compliance Management

Risk Management

Enterprise Risk: Fraud

Responses: Reduce, Control, Avoid, Accept, Transfer

Regulations

Process: Procure to Pay (Vendor Mgmt, AP Invoicing)

Process Risks: Fraudulent invoices paid; Valid invoices not entered

Access Risks: User can enter vendor & PO; User can enter invoices & payments

Controls: Review of new vendors and related invoice support; AP SOD rules in AC; Review of uninvoiced goods receipts

Monitor Access Status

Mitigate Access Violations

Policies: Update and roll out strengthened security policy
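The SoD slide (Create Vendor / Pay Vendor) and the procure-to-pay access risks above (a user who can enter a vendor and a PO, or invoices and payments), as one added worked example that is not SAP Access Control's rule engine: constructed roles and users are evaluated against SoD rules written as conflicting function pairs, and a finding is reported as mitigated only where a control is assigned, mirroring the "Mitigate Access Violations" step. Function names, rule ids, role names and users are assumptions; the transaction codes are standard SAP FI/MM codes used only as sample role content.

```python
# Business functions as sets of ERP actions (constructed sample grouping)
FUNCTIONS = {
    "Create Vendor": {"XK01", "FK01"},
    "Create PO": {"ME21N"},
    "Enter Invoice": {"FB60", "MIRO"},
    "Pay Vendor": {"F110", "F-53"},
}

# Access risks from the procure-to-pay slide: function pairs one user must not hold
SOD_RULES = {
    "AP01": ("Create Vendor", "Pay Vendor"),
    "AP02": ("Create Vendor", "Create PO"),
    "AP03": ("Enter Invoice", "Pay Vendor"),
}

# Roles grant actions; users hold roles (constructed sample, role names assumed)
ROLES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "FK01"},
    "Z_AP_INVOICE": {"FB60", "MIRO"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_MM_BUYER": {"ME21N"},
}
USERS = {
    "JSMITH": ["Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"],
    "ALEE": ["Z_AP_INVOICE", "Z_AP_PAYMENTS"],
    "BKUMAR": ["Z_MM_BUYER"],
    "WIDEUSER": list(ROLES),  # broad, SAP_ALL-style access held by one account
}
# Mitigating controls assigned per (user, risk): a control downgrades a finding, it never removes it
MITIGATIONS = {("JSMITH", "AP01"): "Review of new vendors and related invoice support"}

def user_functions(user_roles, roles):
    """A user holds a function if any of their roles grants at least one of its actions."""
    actions = set().union(*(roles[r] for r in user_roles))
    return {f for f, acts in FUNCTIONS.items() if acts & actions}

def find_sod_violations(users, roles, mitigations):
    """Return one finding per (user, rule) where both conflicting functions are held."""
    findings = []
    for user, user_roles in sorted(users.items()):
        held = user_functions(user_roles, roles)
        for risk, (f1, f2) in sorted(SOD_RULES.items()):
            if f1 in held and f2 in held:
                control = mitigations.get((user, risk))
                findings.append({"user": user, "risk": risk, "functions": (f1, f2),
                                 "status": "mitigated" if control else "open", "control": control})
    return findings

if __name__ == "__main__":
    for f in find_sod_violations(USERS, ROLES, MITIGATIONS):
        print(f"{f['user']:<9} {f['risk']} {f['status']:<9} {f['functions']}")
```

Open findings are the ones to remediate by splitting roles; mitigated ones stay visible so the assigned control can be monitored for effectiveness.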

The SAP Difference

Unified GRC Platform: risk, compliance, audit, policy and internal control management

Proactive: integrated monitoring, continuous controls monitoring

Large Eco-system: industry-specific tailored solutions meeting your requirements

Proven: remarkable customers using essential solutions

The SAP Difference. Proven: remarkable customers using essential solutions

Thank You!

Patrick Wang, patrick.wang@sap.com

Business Development Manager APJ, Governance Risk and Compliance
