Bringing SAP Process Control and SAP Risk Management Together to Improve Visibility, Reduce Costs, and Streamline End-to-End Compliance Processes

Solene Alos, EY

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2016 Wellesley Information Services. All rights reserved.

Source: wpc.0b0c.edgecastcdn.net/000B0C/Presentations/GRC2016_Alos...


In This Session

• Who?
  For prospective SAP customers and for risk management, compliance, or audit directors and managers

• What?
  The use of SAP Process Control (PC) and Risk Management (RM) modules and their integration to improve visibility, reduce costs, and streamline end-to-end compliance processes

• How?
  Enable SAP RM users to propose or assign controls from SAP PC to risks
  Enable SAP PC users to use insights from SAP RM to take a risk-based approach to testing controls

• Where?
  Two components of SAP GRC, PC and RM, integrate together


What We’ll Cover

• What we are seeing in the market

• SAP GRC overview

• SAP PC overview

• SAP RM overview

• SAP PC and RM integration

• Live demo: RM and PC integration

• Common SAP GRC challenges

• Wrap-up


Rising Risk Management Challenges

Our recent EY global survey of more than 250 leading organizations found a direct link between effective risk management practices and improved financial performance. Harnessing the power of GRC technology to improve risk information, streamline processes, and reduce cost was the biggest challenge and opportunity in achieving the needed risk management maturity.

[Figure: risk landscape cube spanning governance, risk management, and compliance across four dimensions: application landscape (SAP ECC, SAP SRM, Oracle, JDE, Hyperion, SAP CRM, other); regulatory requirements (SOX, GxP, FCPA, Sunshine Act, customs/trade, HIPAA, others); functional units (information technology, compliance, operations/supply chain, finance, human resources, internal audit); regions and business segments (segment A, segment B, segment C)]

Challenges observed:

• Overspending on risk by at least 25%-30%

• Hidden costs in risk spend

• Inefficiency in control structure and compliance testing

• Overlap and redundancy across processes

• Duplicative activities at corporate and business unit levels

• Not focused on the risks that matter or the risks that could create value

• Strategic capital structure

• Emerging markets focus

• Executing alliances and transactions

• Failure to build competitive advantage in key risk areas

• Failing to anticipate and respond to emerging risks

• Risk not integrated with planning and performance management

• Risk exposure in major initiatives and programs

• Lack of alignment and communication at all levels of the enterprise

• Inability to proactively respond to emerging risks in a highly regulated environment


Turn Risk into Results with GRC Technology Enablement

[Figure: "Turning risk into results" risk agenda wheel with four segments: enhance risk strategy, embed risk management, optimize risk management functions, improve controls and processes]

Improve controls and processes:

• Better aligned risk coverage, including the identification of stronger, more pervasive controls

• Reduced level of effort associated with performing and testing controls

• Increased control and process efficiencies enabled through automation and continuous monitoring

• Improved control mix that addresses key business risks while driving process efficiencies

Embed risk management:

• Comprehensive and continuous risk management and monitoring

• Central management of financial, operational, and compliance risks and controls across the organization

Enhance risk strategy:

• Improved alignment to the objectives and strategy of the business

• Improved visibility to risks that matter to the organization

• Proactive identification of risks

• Enhanced decision making

Optimize risk management functions:

• Elimination of duplicate and fragmented risk management activities

• Increased integration and coordination among business, IT, and compliance

• Sustainability of risk management process

• Effective top-down and bottom-up reporting


Road Blocks to SAP PC and RM Implementations

• Lack of business case

• Multiple parties involved in decision making: risk management, compliance, Sarbanes-Oxley (SOX), other regulatory groups, audit

• Need for mature risk management or compliance processes

• Maturity of risk management technology solution

• Lower priority, as it is not a transactional system

• Need for enterprise risk management or compliance transformation during implementation of SAP PC or RM



GRC Overview

SAP GRC components:

• Risk Management (RM): Holistic risk visibility, key risk indicators, top-down to bottom-up risk integration, risk intelligence through dashboards

• Access Control (AC): Sensitive access and segregation of duties, critical and emergency access management, compliant access provisioning, role management

• Process Control (PC): Central controls repository, automated controls testing, continuous control monitoring, policy management, survey and self-assessments, integration with ARIS

• Fraud Management (enabled by HANA): Identification and prevention of fraud, calibration and simulation features, predictive scenario analysis

• Audit Management (enabled by HANA): Annual audit plan, individual audit and workpaper management, issue management

• Sustainability Performance Management: Support of multiple sustainability reporting frameworks, standards, and key performance indicators (KPIs)

• Global Trade Services: Export/import compliance, customs e-filing, sanctioned party-list screening

• Environment, Health, and Safety: Better management of worker safety, environmental compliance, and product stewardship

[Figure: SAP GRC shown alongside Enterprise Performance Management, Data Warehousing, Enterprise Information Management, and Analytic Applications, all on the SAP Business Process Platform]


SAP GRC as Part of SAP’s Analytics Suite

• Information Management: Data Integration; Data Quality Management; Master Data Management; Metadata Management

• GRC: Risk Management; Access Control; Process Control; Global Trade Services; Environment, Health, and Safety

• Business Intelligence: Reporting; Query, Reporting, and Analysis; Dashboards and Visualization; Search and Navigation; Advanced Analytics

• Enterprise Performance Management: Strategy Management; Planning, Budgeting, and Forecasting; Profitability and Cost Management; Consolidation; Spend and Supply Chain

Source: SAP


GRC Technology Enablement: GRC Framework, Stakeholders, and Overall Value

GRC functions:

• Establish tone at the top

• Translate to policies and procedures

• Communicate and create awareness

• Manage policy and maturing processes

• Establish risk framework

• Identify risks

• Assess risks

• Define risk response

• Assess control effectiveness

• Evaluate findings

• Manage remediation

• Report on compliance and risk

Core processes:

• Process/controls optimization and continuous monitoring – translate policy to business controls: Record to report; Planning; Acquire to retire; Treasury and cash management; Research to develop; Procure to pay; Material to inventory; Plan to produce; Order to cash; Sell to customer; Market to consumer; Hire to retire; Tax; Legal; Compliance

• IT processes – enable monitoring and enforcement: Manage information security; Manage program changes; Manage infrastructure; Manage IT operations

Major activities:

• Governance and policy management – enterprise-wide oversight

• Risk management – identification/oversight of risk

• Audit and compliance management – ensure compliance with corporate policy and regulatory items

SAP GRC (sample solutions): Risk Mgmt, PC, AC, GTS

[Figure: GRC framework matrix in which check marks map the GRC functions and major activities above to the sample SAP GRC solutions (Risk Mgmt, PC, AC, GTS)]



SAP PC – Business Drivers and Opportunities

SAP PC is an enterprise-wide, internal controls management solution that provides capabilities for cross-functional teams to fully document the control environment, evaluate the controls, certify the state of controls, and report and analyze control information.

Key business drivers:

• Need for reduction in compliance spend and total cost of ownership for controls

• Need for transparency of and accountability for the internal controls and risk management activities and outcomes

• Need for coordination among risk functions to reduce compliance burden on business units

• Need for insights into risks and effectiveness of controls within a disparate or complex application landscape

• Need to improve process efficiencies

• Need for integration of compliance initiatives

Benefits:

Cost-effective compliance

• Reduced cost of compliance through automation

• Increased reliance on monitoring controls versus manual testing

• Reduced burden on business via management of multiple mandates

Enhanced compliance transparency

• Increased risk coverage through real-time control exception reporting

• Centralized dashboards and reports for control status and remediation efforts

Streamlined process execution

• Centralized “single version of the truth” compliance repository

• Accountability enforcement via workflow-based functionality

• Reduced process cycle time through report automation


SAP PC – Functionality

GRC Process Control capabilities and key features:

Foundation

► Centralized “single source of truth” repository of risks, controls, policy, and survey data

► Support for multiple compliance and operational mandates (SOX, Food and Drug Administration (FDA), data privacy, etc.) including sharing of data across mandates

► Flexible, customizable organization and process hierarchies to drive ownership of compliance activities

Integration

► Foundational master data elements (risks, controls, organization hierarchy) shared across the GRC platform

► Seamless integration with other SAP and non-SAP enterprise applications (ECC, SRM, BW/BI, ARIS, etc.)

Execution

► Workflow-enabled processes for automated monitoring, automated/manual testing, issue management, certifications, and assessments

► Robust business rules framework to facilitate near-real-time exception reporting

► Alerts and email notifications of control exceptions and associated impact

Reporting

► Interactive reports and dashboards that provide real-time compliance status and results

► Interactive, multi-format control, testing, exception, and remediation status across processes, policies, geographies, and accounts

[Figure: SAP PC capability map. Execution layer: assessments and certifications, continuous monitoring, automated and manual testing, issue management and remediation, policy lifecycle management. Foundation layer: risks and controls repository, multiple compliance mandates, policy and survey repository, GRC organization hierarchy, business process hierarchy. Reporting layer: analytics, dashboards, reports. Integration: SAP GRC Access Control, SAP GRC Risk Management, SAP GRC Audit Management, enterprise integration]


SAP PC – Dashboards

Evaluation status dashboard: Provides a management-level overview, with drill-down capability, regarding the status of controls evaluation and certification activity.

Dashboards include:

• Issue summary (self-assessment, continuous monitoring, and testing issues)

• Remediation plan summary

• Control testing effectiveness

• Survey assessment summary

• Sign-off

Reports and analytics: PC comes standard with over 40 reports that cover:

• Master data (e.g., risks and controls)

• Continuous monitoring framework and results

• GRC security authorizations

• Certifications, assessments, and testing



SAP RM – Business Drivers

• Outdated, unreliable, and inconsistent risk information

• Inability to meet corporate objectives and stakeholders’ oversight expectations

• Crisis-driven, reactive, and unreliable risk management processes

• Risk information that can’t be aggregated and reported

• Risk management practices and tools not standardized – collaboration impossible

• High cost of control – sub-optimal risk appetite, no use of analytics or continuous monitoring

[Figure: stakeholders around the mission: C-suite and board; investors, customers; GRC professionals (risk management, internal controls, compliance, internal audit); business managers and professionals (HR, finance, manufacturing)]


SAP RM – Opportunities

Typical current state (inconsistent approach, cost pressures, fear of unknown, increasing complexity, reactive):

• Multiple and manual risk management processes

• Fragmented, manual, and ad hoc reporting

• Inability to produce a consolidated heat map

• Lack of confidence that all risks were captured

• Lack of centralization

• Significant impact on business

• Inconsistent approach to capture and assess risks across the organization

Mature state (consistent, cost efficient, visibility, simplified, proactive):

• Centralized processes

• Reasonable impact on business

• Ability to manage risks at multiple organizational levels

• Consolidated views and end-to-end risk management processes

• Scheduled risk assessment activities

• Ability to improve audit activities

• Consistent and real-time reporting

• Centralized and consolidated heat map

• Drill-down capabilities

• Significant workflow automation

• Centralized risk and risk assessment management

• Integration with other SAP GRC solutions

• Central end-to-end process

• Automated risk activities


SAP RM – Functionality

SAP RM enables organizations to execute coordinated, transparent, and automated compliance and risk management activities.

SAP Risk Management capabilities and key features:

Plan

► Centralized repository of risks (risk template, risk appetite, and tolerances)

► Mapping of risks to strategic objectives, business process activities, and organizations

► Centralized survey library

Integrate

► Foundational master data elements shared across the GRC platform

► Seamless integration between PC (controls and policies) and RM (risk responses)

► Integration with other SAP and non-SAP applications (ECC, SRM, EH&S, BI, etc.)

Identify, analyze, respond

► Identify and analyze risks and document responses

► Workflow-enabled processes for risk assessments, risk response creation, and KRIs

► KRIs that facilitate near-real-time risk identification, analysis, and response

Monitor

► Reports and dashboards that provide real-time risk reporting

► Centralized and consolidated risk heat map

[Figure: SAP RM capability map. Execution: risks surveys, key risk indicators, workflow scheduling, risk responses, manage risk lifecycle. Reporting: analytics, dashboards, reports. Master data: risks library, business objectives, org. hierarchy, activities hierarchy, survey library. Integration: SAP Access Control (AC), SAP Process Control (PC), SAP Audit Management (AM), other applications integration]


SAP RM – Dashboards

[Figure: risk dashboard screenshot showing the selection criteria, the list of risk instances summarized in the dashboard, and the four quadrants of the dashboard]

Four quadrants to answer four questions:

• Risk level per risk category – Determine where the risks are

• Risk exposure – Determine how mitigated risks are

• Risks per driver category – Determine why the risks exist

• Risks per impact category – Determine what the risks affect



SAP PC and RM Integration

• Holistic risk management approach

• How to integrate PC with RM:

Master data

Integration scenarios


Why Do Risk Management and Compliance Management Matter? Increasing Number of Regulations

[Figure: world map of regulations, including:]

• Multilateral Instrument 52-1111

• Toxic Substances Management

• Chemical Facility Anti-Terrorism Standards (CFATS)

• FCPA (Foreign Corrupt Practices Act)

• FDA compliance, GxP, 21 CFR

• Customs-Trade Partnership Against Terrorism (C-TPAT)

• Sarbanes-Oxley Act

• Data privacy laws: CA-SB 1386, HIPAA

• Gramm-Leach-Bliley Act, COPPA

• Switzerland: Corp. Governance SWX; Code of Obligations

• EU: Foreign Trade Administration Act

• EU: REACH (Registration, Evaluation, and Authorization of Chemicals)

• UK Anti-Bribery Act

• European Data Protection Directive

• Foreign Exchange Order

• JSOX

• PNEMEN (National Policy of Exports of Military Goods)

• King II Report

• Clause 49 of the Listing Agreement

• Regulation 13E of the Customs (Prohibited Exports) Regulations

• Corporate Law Economic Reform Program (CLERP) 9

• Hazardous Waste Act

• Air Toxics National Environment Protection Measure (NEPM)

• F.E.R.C./N.E.R.C.

• EU Company Law Directives 4, 7, and 8

• Hong Kong: Code on Corporate Governance Practices


Example of a Holistic Risk Management Approach: Three Lines of Defense (LOD)

• Three lines of defense:
  1. Operations and business units
  2. Management assurance
  3. Independent assurance

Risk assessment – enabled via SAP GRC RM; controls testing – enabled via SAP GRC PC


SAP PC and SAP RM Implementation Approach

• RM focus is to manage risks. PC focus is to manage controls. From an implementation perspective, it might be preferable to start from a risk management perspective to establish the risk assessment process, then implement process controls to determine which controls to test based on risk assessment.

• In practice, however, most companies follow a bottom-up approach and are more likely to start with PC implementation than an RM implementation.

Implementation roadmap by SAP GRC module, moving from audit, compliance, and risk processes to technology enablement:

Manual audit, compliance, and risk processes

SAP GRC Access Control

• Implementation of sensitive access and segregation of duties

• Implementation of critical and emergency access management and compliant user provisioning

• Remediation of sensitive access and segregation of duties issues

• Optimization of overall security and access processes

SAP GRC Process Control

• Pilot continuous configuration controls monitoring (CCM) for select controls

• Define full CCM organizational requirements to deploy CCM fully

• Enable configuration rules

• Enable transactional rules

• Control status dashboard monitoring (vs. previous manual testing)

SAP GRC Risk Management

• Implementation of organizational structure, centralized risk templates library, and other master data elements (shared master data with PC)

• Enable direct risk analysis

• Enable collaborative surveys risk analysis

• Enable automated key risk indicators monitoring

• Enable integration of PC and RM


GRC technology enablement maturity model

Risks and Controls Technology Enablement Maturity Model

• Organizations should assess risks and controls technology maturity as part of a risk integration/transformation program, determine gaps, and remediate to enhance business performance

Maturity levels: 1 – Not established; 2 – Basic; 3 – Integrated; 4 – Automated; 5 – Optimized

Risk management

• 1 – Not established: Risk management and compliance processes that are manual in nature (e.g., risk analysis, control testing, reporting); duplicative and redundant assessment processes

• 2 – Basic: Minimal use of technology to support risk functions (e.g., data repository, monitoring); no integration or communication between risk functions

• 3 – Integrated: Visibility to risk landscape; identify risk portfolio and link to process and controls; assessment and audit plans integrated; information shared across risk functions

• 4 – Automated: Auto-calculate risk heat map and risk strategy; risk management and performance indicators monitored (KRIs, KPIs); communication automated through workflow

• 5 – Optimized: Real-time risk analysis/forecasting performed (e.g., predictive analysis); key risk indicators linked to key performance indicators to identify trends and monitor desired financial outcomes

Master data management (MDM)

• 1 – Not established: Limited or no data models, standards, or definitions; no focus on data quality or standardization

• 2 – Basic: Disparate data models; immature and non-standardized data policies and procedures; limited data oversight

• 3 – Integrated: Increased focus on integrated data standards and transitioning to an enterprise data model

• 4 – Automated: Standardized and global data definitions and standards; data change and monitoring controls

• 5 – Optimized: Systematic controls to validate data according to global MDM standards; data processed and managed centrally

Legend: Maturity levels further enabled by the integration of PC and RM


GRC technology enablement maturity model (cont.)

Risks and Controls Technology Enablement Maturity Model (cont.)

• Organizations should assess risks and controls technology maturity as part of a risk integration/transformation program, determine gaps, and remediate to enhance business performance (cont.)

Maturity levels: 1 – Not established; 2 – Basic; 3 – Integrated; 4 – Automated; 5 – Optimized

Process automation

• 1 – Not established: Unmanageable amounts of paper and spreadsheets; technology not used to enable risk, IT, and business processes

• 2 – Basic: Risk, IT, and business processes using minimal functionality; use of technology not aligned across functions/processes

• 3 – Integrated: Risk, IT, and business processes aligned and integrated with technology

• 4 – Automated: Risk, IT, and business processes fully automated to the extent possible

• 5 – Optimized: Technology critical to and embedded within core risk, IT, and business processes

Internal controls

• 1 – Not established: Heavy reliance on manual and detective controls; technology not used to enforce automated or preventive controls; risks and controls manually documented and maintained

• 2 – Basic: Risk and control library that is not rationalized or maintained; some reliance on automated detective controls

• 3 – Integrated: Rationalized universal risk and control library maintained; technology used to implement automated or IT-dependent manual controls, replacing manual controls

• 4 – Automated: Real-time control and process monitoring (e.g., alerts); increased reliance on automated and preventive controls

• 5 – Optimized: Continuous process and control monitoring (KRIs, KPIs, control gaps); most controls automated and preventive in nature

Legend: Maturity levels further enabled by the integration of PC and RM


GRC technology enablement maturity model (cont.)

Risks and Controls Technology Enablement Maturity Model (cont.)

• Organizations should assess risks and controls technology maturity as part of a risk integration/transformation program, determine gaps, and remediate to enhance business performance (cont.)

Maturity levels: 1 – Not established; 2 – Basic; 3 – Integrated; 4 – Automated; 5 – Optimized

Reporting

• 1 – Not established: Technology not relied upon to satisfy basic reporting requirements; reporting manual in nature (i.e., spreadsheets)

• 2 – Basic: Minimal reporting (limited to out-of-the-box reports); available reporting not integrated and siloed across the company

• 3 – Integrated: Reporting capabilities to report on findings, gaps, and exceptions; improved GRC reporting across the company

• 4 – Automated: Flexible and ad hoc reporting (e.g., dashboards); comprehensive GRC reporting across the company

• 5 – Optimized: Top-down flexible reporting across the business; automated dashboards heavily utilized across the company

Organizational adoption

• 1 – Not established: Organization not focused on leveraging technology; lack of technology acceptance across the enterprise

• 2 – Basic: Technology adoption segregated among business functions

• 3 – Integrated: Technology acceptance across the company; increased focus on integrating systems and processes

• 4 – Automated: Technology fully adopted across business, IT, and risk functions; company’s focus on automating controls and processes

• 5 – Optimized: Culture that promotes technology to enable and optimize business, risk, and IT functions

Legend: Maturity levels further enabled by the integration of PC and RM



SAP PC and RM Integration Points

• Shared master data:

Shared organization structure

Shared risk catalog

Use of a central PC process hierarchy as part of RM activity hierarchy

• Integration scenarios:

RM assigns an existing PC control and/or policy to a risk

RM offers/proposes a new control and/or policy in PC as a reaction to a risk

Assessments in PC change the completeness of risk response in RM

Tests in PC change the effectiveness of risk response in RM

• Technical integration:

Same technical architecture

Some common configurations in SAP RM and PC



SAP RM Master Data

Master data objects:

• Organization (shared with PC)

• Risk (shared with PC)

• Activity hierarchy (can use PC processes)

• Strategic objectives

Legend: Shared with PC

Source: SAP


SAP PC Master Data

There are several master data objects within SAP Process Control. Each object is a building block used to construct the overall structure needed to support evaluation and testing.

Master data objects:

• Regulation

• Organization hierarchy (shared with RM)

• Process hierarchy (can be used as activity hierarchy in RM)

• Control objectives

• Risks (shared with RM)

• Controls

Assigning and linking: Building the central control catalog: assigning control objectives, risks, and controls in the process hierarchy

Master data overview and mapping to RACM: Summary of the key master data elements and how they map to the Risk and Control Matrix (RACM)

Making the master data operational: Assigning the business process hierarchy to the organization hierarchy

Legend: Shared with RM


Shared PC and RM Master Data Example – Risk Catalog

Used to create risk categories, the risk hierarchy, and risk templates

Risk categories and templates hierarchy

Object type: Risk category or risk template


Shared PC and RM Master Data – Benefits

• Organization structure:

Send risk assessment and controls testing to the same organizations (can keep risk owner and control tester separate)

Improve reporting consistency by reporting on risks and controls for the same entities/organizations

• Risk catalog:

Enables sharing of risk categories and risk templates across modules

Easily correlates the risk assessment to the controls

• Process hierarchy and activity hierarchy:

PC business process catalog is displayed under the root activity in RM

You can choose PC local sub-processes as activities


SAP PC and RM Integration

• Holistic risk management approach

• How to integrate PC with RM:

Master data

Integration scenarios


SAP RM – Lifecycle

Risk planning:

• Set up risk organization and define thresholds

• Strategic objective setting

• Align strategic objectives to organizational entities

• Define roles and responsibilities

• Define risk classification system

• Define risk-relevant business activities

• Define KRI monitoring framework

• Define reporting structures

Risk identification:

• Identify risks and opportunities

• Identify drivers and impacts

• Assign KRIs

• Document risk interrelationships

• Review historical losses

Risk analysis:

• Analyze risks using qualitative or quantitative methods

• Build risk scenarios and determine exposure

• Perform Monte Carlo simulations

• Prioritize risks based on risk level

• Group and aggregate similar risks

Risk response:

• Document preventive and recovery responses for risks

• Assign response ownership and actions

• Assign an existing PC control and/or policy to a risk (PC/RM integration scenario)

• Propose a new control and/or policy in PC as a reaction to a risk (PC/RM integration scenario)

• Assessments in PC that change the completeness of risk response in RM (PC/RM integration scenario)

• Tests in PC that change the effectiveness of risk response in RM (PC/RM integration scenario)

Risk monitoring:

• Plan re-assessment and approval cycles

• Monitor KRIs

• Monitor response effectiveness and completeness

• Update risk exposure for strategic objectives

• Report on risk exposure

• Document occurred incidents and losses

Legend: PC/RM integration scenarios


Assign/Propose PC Controls/Policy as RM Response

Organization: Consumer Product Company

Risk Category: Sales

Risk: Predatory pricing

Business Strategy/Objectives:

• Most trusted brand

• 20% market share

Business Processes/Activities:

• Ethics & Compliance

• Sales and Marketing

Opportunities (Driver / Benefits / Enhance):

• Increase Earnings by 5%

• Increase Sales by 4%

Drivers:

• Intense price competition

• Sales performance expectations

• Growth strategy

Impacts:

• Fines

• Reduced shelf space

• Damaged reputation

Key Risk Indicators (KRI):

• Actual to plan deviation

• Competitor price changes

Responses:

Response Catalog (Risk Management):

• Mitigate: Review and approve pricing

• Transfer: Insurance cover

• Accept: Risk impacts are insignificant

• Avoid: Fixed pricing

Controls/Policies Catalog (Process Control):

• Controls: Access controls to pricing master files

• Policies: Robinson-Patman Act, Pricing

Preventive responses reduce the probability of risk events; corrective responses reduce the impact of risk events.


Assign/Propose PC Controls/Policy as RM Response (cont.)

SAP RM and SAP GRC PC exchange:

Available controls in PC: Control 1, Control 2, ... Control n

Proposed controls from RM: Proposed control a, ... Proposed control n

1. PC to RM: Here’s a control that you might want to use as a risk mitigation strategy.

2. RM to PC: Here’s a response created that you might want to use/propose as a control.

3. If accepted, you should add the proposed control to the list of available controls.

Source: SAP


PC Assessments/Tests Update RM Responses Completeness/ Effectiveness

PC notifies RM on control changes.

Exposure (SAP Risk Management): Inherent risk, Residual risk, Residual risk (planned)

Response completeness in RM is set by the PC control design assessment:

0% Significantly deficient

50% Deficient

100% Adequate

Response effectiveness in RM is set by the PC control effectiveness test:

0% Failed

100% Pass

SAP Process Control side: test automated controls and test manual controls across business processes (SAP and Oracle: SCM, FIN, SRM, HR) and IT infrastructure (reports, spreadsheets), plus policy management of policies.
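An added worked example (not from the presentation and not SAP code) that applies the two mappings on this slide and then derives residual and planned residual risk for the "Predatory pricing" risk from the earlier slide. The per-response planned_reduction field and the multiplicative reduction model are assumptions for illustration, not SAP RM's documented calculation; the sample risk and control data are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# The two mappings shown on the slide (constructed as lookup tables here):
# a PC control design assessment rating sets the RM response completeness,
# a PC control effectiveness test result sets the RM response effectiveness.
COMPLETENESS_BY_ASSESSMENT = {"Significantly deficient": 0.0, "Deficient": 0.5, "Adequate": 1.0}
EFFECTIVENESS_BY_TEST = {"Failed": 0.0, "Pass": 1.0}


@dataclass
class Response:
    """A PC control or policy assigned to an RM risk as a response (constructed model)."""
    name: str
    planned_reduction: float                  # assumption: share of remaining risk removed when fully working
    design_assessment: Optional[str] = None   # latest PC design assessment rating, None = not yet assessed
    test_result: Optional[str] = None         # latest PC effectiveness test result, None = not yet tested


def _lookup(table: dict, value: Optional[str]) -> float:
    """Apply a slide mapping; an unassessed/untested control counts as 0 (assumption),
    an unknown rating is rejected rather than silently treated as 0."""
    if value is None:
        return 0.0
    if value not in table:
        raise ValueError(f"unknown PC result: {value!r}")
    return table[value]


def completeness(r: Response) -> float:
    """RM response completeness derived from the PC design assessment."""
    return _lookup(COMPLETENESS_BY_ASSESSMENT, r.design_assessment)


def effectiveness(r: Response) -> float:
    """RM response effectiveness derived from the PC effectiveness test."""
    return _lookup(EFFECTIVENESS_BY_TEST, r.test_result)


def residual_risk(inherent: float, responses, planned: bool = False) -> float:
    """Assumed model (not SAP RM's documented formula): each response removes
    planned_reduction of the remaining risk, scaled by completeness * effectiveness
    from PC. With planned=True every response is taken as fully designed and
    passing its test, which gives the 'residual risk (planned)' figure."""
    remaining = inherent
    for r in responses:
        realised = 1.0 if planned else completeness(r) * effectiveness(r)
        remaining *= 1.0 - r.planned_reduction * realised
    return remaining


def risk_view(inherent: float, responses) -> dict:
    """The RM exposure figures for one risk, recomputed from the current PC results."""
    return {
        "inherent": inherent,
        "residual": residual_risk(inherent, responses),
        "residual_planned": residual_risk(inherent, responses, planned=True),
        "responses": {r.name: (completeness(r), effectiveness(r)) for r in responses},
    }


# Constructed sample: the "Predatory pricing" risk from the earlier slide with two of its controls.
PRICING_RESPONSES = [
    Response("Review and approve pricing", 0.5, "Adequate", "Pass"),
    Response("Access controls to pricing master files", 0.4, "Deficient", "Failed"),
]

if __name__ == "__main__":
    print(risk_view(80.0, PRICING_RESPONSES))
    # A later PC re-test of the access control passes: the "notify on control
    # changes" step means RM recomputes the exposure from the new result.
    PRICING_RESPONSES[1].test_result = "Pass"
    print(risk_view(80.0, PRICING_RESPONSES))
```

Run it twice with the control re-tested to see how a single PC test result moves the RM residual figure while the planned residual stays fixed.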


What We’ll Cover

• What we are seeing in the market

• SAP GRC overview

• SAP PC overview

• SAP RM overview

• SAP PC and RM integration

• Live demo: RM and PC integration

• Common SAP GRC challenges

• Wrap-up


Demo – RM and PC Integration

This demo will take a top-down approach, starting from the results of the risk assessment in RM, drilling down on specific risks and responses to show how risk ratings are calculated. We will then look at the impact of PC control assessments and tests on the overall risk rating:

• Review of Risk Management dashboards

• Review of risk:

Risk analysis

Risk responses (including use of PC controls and policies)

• Review of control:

Assessment results’ impact on response completeness

Tests results’ impact on response effectiveness

• As time allows:

Review workflow to propose control as a response

Review PC/RM shared master data elements


SAP RM – Heat Map Dashboard

• Organization and timeline filters

• Interactive heat map

• Risk type filter

• Ability to drill down on a risk


Risk Identification

Assign one or multiple risk drivers to the enterprise risk template

Assign one or multiple risk impacts to the enterprise risk template

The enterprise risk template is a shared PC/RM master data element and is the place where you document all risk master data and related information such as risk assessments, key risk indicators, response plans, etc.


Risk Analysis

Consolidated probability, impact, and risk-level analysis view for this risk

Shows all assessments for this risk with the option to drill down to the response details (see next slide)

Graphical overview of the consolidated results of all performed assessments, filterable by different views


Assign/Propose PC Controls/Policy as RM Response

Source: SAP

An RM user can choose to assign or propose a PC control or policy to an RM risk


PC Assessments/Tests Update RM Responses Completeness/ Effectiveness

PC control effectiveness test results (pass/fail) drive the RM response effectiveness value


PC Assessments/Tests Update RM Responses Completeness/ Effectiveness (cont.)

Source: SAP

The residual risks and planned residual risks in RM (bottom screenshot) are calculated from the response completeness and effectiveness (upper screenshot), which are in turn derived from the PC control and policy results (previous slide screenshot)


What We’ll Cover

• What we are seeing in the market

• SAP GRC overview

• SAP PC overview

• SAP RM overview

• SAP PC and RM integration

• Live demo: RM and PC integration

• Common SAP GRC challenges

• Wrap-up


SAP GRC Implementation Common Challenges – Skill Sets

Stakeholder groups: Compliance/audit, IT organization, Business process owners, Executive management

Risk assessment and compliance skills

• Have a clear perspective on process risks

• Knowledgeable of compliance regulations and audit standards

• Knowledgeable of SAP control and risk management features and potential issues

SAP business process skills

• Understands end-to-end business processes

• Comprehends the intricacies of company-specific processes

• Knowledgeable in SAP transactions and process flow

SAP RM skills

• Familiar with SAP RM master data

• Knowledgeable of business objectives and corresponding risks and key risk indicators

• Familiar with direct risk assessments and risk surveys

SAP technical skills

• Experienced in Basis, Advanced Business Application Programming (ABAP), and general SAP architecture

• Knowledgeable of hardware requirements

• A cross-functional team of IT, compliance, and business resources is imperative to the success of an SAP GRC implementation and standardization program

• Without a balanced skill set within the team, it is common to find the following challenges:

SAP GRC is viewed as an IT tool

SAP GRC is viewed as an auditor’s tool

IT changes rules

Risk function changes rules without approval from business process owners

Training to various team members is one-dimensional (not cross-functional)


SAP GRC Implementation Common Challenges (cont.) – Sponsorship and Ownership

The project management model for a successful implementation of SAP GRC requires solid sponsorship, especially at times of competing priorities. Process ownership is equally as important for increasing and sustaining the benefits of a new approach to compliance.

Key SAP GRC decisions:

• Scope

• Risk management strategy

• Roles and responsibilities

• Procedures and standards

• Project management

• Monitoring

• Reporting and analytics

• Communications and training

Teams in the model: PMO; SAP GRC technical installation team; Internal auditors, risk function; Basis team; SAP GRC implementation team; Security team; Global process leads; Local process leads; Risk and controls process leads

Successful SAP GRC implementations are typically led by project management office (PMO) teams that articulate the practical alignment of existing business imperatives with the SAP GRC initiative. PMO teams define the implementation strategy and are expected to provide direction and drive consistency and accountability during system and process design.

Operational teams identify design alternatives. These teams identify the specific improvement opportunities and develop the methodology to implement the change.

Execution teams carry out the solution. These teams develop processes and technology definitions that are effective and sustainable.

Cross-level constituents play a critical role in grounding the design and execution to the realities of the risk and control processes and in validating the solutions being developed.


GRC Roadmap Example

Stage 1 – Aligned:

• Assess current GRC stage

• Create a long-term vision

• Implement quick wins

Stage 2 – Integrated:

• Integrate your GRC solutions

• Automate your processes

Stage 3 – Optimized:

• Optimize your GRC solutions

• Extend the GRC integration to other applications

• Implement additional solutions in line with your long-term GRC vision

Roadmap activities:

• Develop a GRC business case

• Develop GRC strategy and roadmap

• GRC maturity assessment

• GRC vendor selections

• Establish GRC team and responsibilities

• Align stakeholders

• Perform GRC security, controls, and/or enterprise risk management design/redesign/assessment

• Implement SAP GRC AC for segregation of duties (SoD) and emergency access management

• Implement SAP GRC PC for central control repository, testing, compliance assessment, and certification

• Implement SAP GRC RM for risk universe, identification, analysis, and response

• Integrate AC, PC, and RM

• Add AC modules Access Request Management and Business Role Management

• Add PC functions CCM and Policy Management

• Add RM functions Incident Management, Key Risk Indicators, Risk Forecasting, and Business Objectives/Opportunities

• Create risk and controls shared services

• Link KRIs to KPIs and integrate with BI, BPM, and other applications

• Implement and integrate Audit Management

• Implement and integrate Fraud Management

• Implement and integrate Global Trade Services

• Leverage SAP HANA and mobile solutions

Legend: Maturity levels further enabled by the integration of PC and RM


What We’ll Cover

• What we are seeing in the market

• SAP GRC overview

• SAP PC overview

• SAP RM overview

• SAP PC and RM integration

• Live demo: RM and PC integration

• Common SAP GRC challenges

• Wrap-up


Where to Find More Information

• “There’s no reward without risk: GRC survey 2015” (EY, 2015). www.ey.com/GL/en/Services/Advisory/EY-theres-no-reward-without-risk-grc-survey-2015-looking-at-risk-differently

• EY 5 insights for executives series on using GRC technology to turn risks into results. www.ey.com/GL/en/Services/Advisory/GRC-technology-to-turn-risk-into-results---Overview

• “Expecting more from risk management: Drive business results through harnessing uncertainty” (EY, May 2014). www.ey.com/Publication/vwLUAssets/EY_-_Expecting_more_from_risk_management/$FILE/EY-expecting-more-from-risk-management.pdf


Where to Find More Information (cont.)

• Matt Polak and Marsh Reppy, “Build a Powerful, Effective Business Case for Your GRC Solution Implementation” (SAPinsider, December 2013). www.ey.com/Publication/vwLUAssets/10-2012_GRC/$FILE/10-2012_GRC_Ernst&Young.pdf

• SAP Help Portal

SAP Risk Management 10.1

http://help.sap.com/rm

SAP Process Control 10.1

http://help.sap.com/pc

• SAP GRC Solutions

www54.sap.com/solutions/analytics/governance-risk-compliance.html


7 Key Points to Take Home

• Integrate risk assessment with controls testing by integrating SAP RM and PC

• Share the organization hierarchy, the risk catalog, and the process hierarchy across RM and PC to drive consistency across compliance functions

• Enable SAP RM users to propose or assign controls from SAP PC to risks

• Enable SAP PC users to use insights from SAP RM to take a risk-based approach to testing controls

• Run real-time risk reporting based on current control assessment and testing results

• Increase visibility into the risk management process by using a top-down approach, drilling down from the risk heat map to risks, controls, and policies

• Reduce risk management costs and achieve new efficiencies via end-to-end process automation and centralization


Your Turn!

How to contact me:

Solene Alos

Email: [email protected]

Please remember to complete your session evaluation


SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

Disclaimer

EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Ernst & Young LLP is an EY member firm serving clients in the US. For more information about our organization, please visit ey.com.

© 2016 Ernst & Young LLP. All Rights Reserved.

1401-118151

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.


Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2015 Wellesley Information Services. All rights reserved.