
Enterprise Risk Management Process Automation at Sybase

ISACA March Luncheon

March 22, 2012

Presented by: Bruce Carpenter: Sybase John Livingood: Protiviti

© 2011 Protiviti Inc. An Equal Opportunity Employer. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.

2008: Three Top Economists Agree Worst Financial Crisis Since Great Depression


What We'll Cover …

• Sybase's Legacy ERM Framework

• Drivers for a GRC Platform

• The SAP BusinessObjects GRC Implementation Program at Sybase

• Sybase's Current ERM GRC Process

• Future GRC Phases

• Wrap-Up


Milestones for Risk Management at Sybase

Timeline: 2006 – 2008 – 2009 – 2010

Regulatory risk assessment conducted

Sybase implements SAP

GRC Phase 1

Treasury Department conducted organization-wide risk identification process (bottom-up approach)

•  Questionnaire

•  Interview approach

•  Qualitative / judgmental evaluation of risks

Strategic risk identification process introduced (top-down approach)

•  Executive Leadership Team (ELT) identified key risks associated with meeting strategic objectives for CEO

•  Chief Executive (CEO) identified Top 5 risks

•  Manual reporting to Audit Committee

•  Global legal conducted world-wide compliance risk assessment

•  Finance and HR teams worked with legal and internal audit to prioritize areas for compliance


Key Building Blocks for Sybase Risk Management


Manual Risk Management Process

•  Identified and documented risks that executives needed to manage to meet performance objectives for the chief executive

•  Internal Audit conducted quarterly interviews with ELT & CEO

•  Included external data (risk from Big Four, external surveys, current market issues (e.g. credit crunch))

•  Manual reporting quarterly to audit committee; included the concepts of inherent risk and residual risk and a qualitative risk rating scale (details below)

Impact Level | Color | Dollar Amount

High | Red | Greater than $100 Million

Medium | Yellow | Between $25 Million and $100 Million

Low | Green | Between $0 Million and $25 Million


Pre-GRC: Quarterly Risk Reporting

[Chart: the Primary Risks (Top 5) plotted on a Likelihood (Low to High) vs. Impact (financial loss; harm to reputation; $0m, $25m, $100m) matrix; the high-likelihood, high-impact region is keyed "High Risk Exposure"]

Sybase Top 5 Risks:

1. Manage revenue impact of Financial Services Industry changes

2. Manage risk of declining value in Balance Sheet (Key Investments)

3. Monitor and adjust forecasts of revenue and margins during changing economic times

4. Maintain high quality of products and services

5. Navigate changes in / impact of regulatory environment for Telcos

Inherent – The natural risks of being in a particular business, before assessing the impact of management controls.

Impact – means the level of financial and/or reputation harm to the firm.

Likelihood – means the probability and frequency in which the risk may occur.


Pre-GRC: Quarterly Risk Reporting (continued)

[Chart: the same Top 5 risks on the same Likelihood vs. Impact matrix, with the "High Risk Exposure" key]


Risk Management Summary for Audit Committee

Business functions (columns): Sales | iAS | S365 | Product Development | Marketing / Corporate IT | HR | Legal | Finance | M&A

Named risks in the matrix (the remaining cells hold placeholder entries Risk A, Risk B, Risk C, Risk D):

•  Monitor revenue impact of Financial Services Industry changes

•  Understand possible change in business models at Telcos

•  Ensure quality of products and services

•  Monitoring financial results, including revenue and margin targets

•  Monitor risk of declining value in Balance Sheet

Roles:

Audit Committee – Risk management oversight

ELT – Ongoing risk identification, review and monitoring

Internal Audit – Coordination, auditing and reporting

Business Function – Sales, iAS, S365, Product Development, Marketing/Corporate IT, HR, Legal, Finance, M&A


Sybase Top Five Risks Quarterly Update: Example

Ref. No.: 1

Definition: Manage revenue risks arising from changing financial condition of financial services industry customers (e.g., acquisitions, mergers).

Risk Management Initiative: Sales Pipeline Review identified mergers and acquisitions of FSI customers to assess impact on future revenues.

Status Q2'09: License revenue: The formation of larger FSI companies will potentially allow bigger deals, which will be easier to negotiate. Results: Plan upside for 2009. Ongoing monitoring by FSI team.

Responsibility: ELT Members

Status Q4'09: 2009 target from top 20 global accounts is $xxx million. Forecast to achieve goal.

…but what is missing?


Credit Crisis Example

Risk Category | Risk Management Initiative

•  Conduct Investment Analysis

•  Revalue Auction Rate Securities

•  Critical Service Providers | Evaluate Counterparty Risks

•  Monitor Sales Pipeline: Mergers of FSI Customers

•  Manage Deferred Revenue

•  Shareholder Stability Risks | Analyze Exposure to Stockholder Volatility; Analyze Top 50 Shareholders to Identify Potential Exposures

•  FSI Customer Financial Stability | Analyze Accounts Receivable FSI %; Calculate FSI % of Doubtful Accounts; Evaluate Extended Payment Terms FSI %

•  Financial Stability of Other Customers | Monitor Other Credit Granting Exposure

•  Insurance Company Stability | Identify Potential Exposure to Insurance Company Failure

•  Evaluate Potential Risks for Payroll

•  Mission Critical Suppliers | Evaluate Potential Risks for Data Center & Networks

•  Evaluate Potential Risks for SAS 70 Providers

…in the future, how many of these could be automatically monitored?


Dashboard: Regulatory Risks

…But this reporting format is inconsistent with other risk management reporting

Assessment columns: Priority Compliance Risks | Scope Defined | Responsibility for compliance assigned | Risk Assessment Conducted | Policy / Process Defined | Communication and Training | Compliance Monitoring and Reporting | Defined penalties for breaches | Process to ensure continuous improvement

Priority compliance risks (rows):

•  Financial Compliance

•  FCPA (note 1)

•  Insider Trading

•  Litigation Holds - IT Backup (note 2)

•  Political Contributions/Gifts; Lobbying Rules

•  Export Control Requirements (US and Foreign) (note 3)

•  Data Privacy (of customers, employees, third parties)

•  Antitrust (note 4)

•  Related Party Transactions

•  Copyright (Infringement of Third Party Rights)

•  Patent Infringement

Notes:

1. Review APO Entertainment Policies in high-exposure countries. In Progress

2. E-Vault implementation will facilitate improved ability to locate e-mail and related documents. In Progress

3. Review export controls world wide. In Progress

4. Consider annual training or reminder for all sales managers, salespeople and controllers involved in indirect channel sales. Awaiting automated survey capability in SAP

Color key: Immediate action needed | Improvement opportunities identified | Compliance effort assessed as adequate


What We'll Cover …

• Sybase's Legacy ERM Framework

• Drivers for a GRC Platform

• The SAP BusinessObjects GRC Implementation Program at Sybase

• Sybase's Current ERM GRC Process

• Future GRC Phases

• Wrap-Up


Implementing GRC – Key Drivers

Lack of real-time reporting

Could not relate controls to risks

Difficult to manipulate data

Hard to develop data analytics to enable data driven risk monitoring

Need to keep pace with developments in ERM

•  Risk appetite

•  Risk velocity


Key Risk Indicators and Data Analytics: Channel Stuffing

Risk: The ability to monitor ongoing software downloads to detect channel stuffing

[Diagram: the product (ASE) flows from Sybase through Partner A, Partner B and a System Integrator to the End User across SALES and SHIPPING lanes; license key downloads are tracked and a report is generated to show software activation]

Risk: Software Inventory "Stuck" in the Channel

Source: SAP


Sybase Risk Management Maturity Model

•  Link Risks to Controls

•  Periodic Quantification, Evaluation and Reporting

•  Building Awareness

•  Defined Process

•  Real-Time Monitoring of KRI

•  Risk Informed Decision Making

•  Drive Revenue by Being Able to Demonstrate Compliance

•  Identification of KRIs


Risk Management Maturity Model

Dimensions: Business Policies | Business Processes | People and Organizations | Management Reports | Methodologies | Systems and Data

Maturity levels: Initial, Repeatable, Defined, Managed, Optimized

Source: SAP

• Risk strategies in place

• Continuous improvement focus

• Fully integrated risk & strategic management

• Inefficiencies removed, using formal cost / benefit analysis

Risk management is aligned with:

• Individual performance metrics

• Knowledge and skill upgrades

• 'What if' scenarios are identified and tracked

• Special reports are defined for key risk areas

• Risk quantification integrated into business decisions

• Prioritize mitigation efforts using risk analysis

• Integrated risk measurement systems are continuously improved

• Special purpose systems quantify portfolios of risk

• Risk tolerance limits effective

• Allocated to operating units

• Risk management integrated with line management activities

• Corrective actions are taken when limits exceeded or procedures are violated

• Strong teamwork in place

• Role models evolving

• Prepared for contingencies

• Expertise fully in place

Integrated risk reporting:

• Risk-adjusted profitability measure

• Linked to KPIs

• Exception reporting

• Integrated risk models used

• Early warning systems

• Exposures anticipated through time-tested models and analytics

• Capital allocation techniques applied

• Enhanced functionality & expanded risk coverage

• Risk data collected as part of normal business routines

• Database systems support risk management

• Enterprise-wide policies and guidelines documented and allocated to org units

• Uniform risk management processes

• Mitigation & oversight are documented & applied

• Modeling process exists

• Defined accountabilities

• Integrated teams, backup capabilities, standard roles, training

• Central coordination function

• Enterprise-wide reports

• Exceptions and 'near misses'

• Track action plans

• Improved, consistent measures of performance variability exist

• Systematic approach to loss exposures

• Risk coverage expanded based on formal risk assessment

Use of:

• Stable client service application to leverage decision making

• Scalable and reliable architecture

• Web-enabled processes for data organization, extraction, analysis and reporting

• Risk policies are articulated and followed

• Risk tolerance limits established

• Policies documented and stable

• Process gaps identified and corrected

Risk owners have:

• Clearly defined roles

• Support

• Training

• Regular consistent reports

• Some key metrics

• Improved risk measures evolving

• Consistent risk-related assumptions

• Use specified methods

• Systematic data collection exists for some risks

• Independent spreadsheet models are used as opposed to a centralized application

• Improved system security / data integrity exists, fostering improved confidence in models

• Policies and risk tolerance limits undocumented and vague

• No formal processes

• Event responses reactionary and ad hoc

• Event response characterized by individual heroics

• No individual accountability

• Ad hoc management reports

• Incomplete, inconsistent, untimely

• Rough risk measures

• Over-simplification of risk prevalent

• Methodology lacks key risk characteristics

• Spreadsheets used to manage risk-related information

• Poor data quality

Risk Management Maturity Model – Past

Dimensions: Business Policies | Business Processes | People and Organizations | Management Reports | Methodologies | Systems and Data

Maturity levels: Initial, Repeatable, Defined, Managed, Optimized

Source: SAP

• Risk management integrated with line management activities

• Corrective actions are taken when limits exceeded or procedures are violated

• Enterprise-wide policies and guidelines documented and allocated to org units

Risk owners have:

• Clearly defined roles

• Support

• Training

• Regular consistent reports

• Some key metrics

• Rough risk measures

• Over-simplification of risk prevalent

• Methodology lacks key risk characteristics

• Spreadsheets used to manage risk-related information

• Poor data quality

Risk Management Maturity Model – Current

Dimensions: Business Policies | Business Processes | People and Organizations | Management Reports | Methodologies | Systems and Data

Maturity levels: Initial, Repeatable, Defined, Managed, Optimized

Source: SAP

• Risk management integrated with line management activities

• Corrective actions are taken when limits exceeded or procedures are violated

• Enterprise-wide policies and guidelines documented and allocated to org units

• Defined accountabilities

• Integrated teams, backup capabilities, standard roles, training

• Central coordination function

• Enterprise-wide reports

• Exceptions and 'near misses'

• Track action plans

• Improved, consistent measures of performance variability exist

• Systematic approach to loss exposures

• Risk coverage expanded based on formal risk assessment

Use of:

• Stable client service application to leverage decision making

• Scalable and reliable architecture

• Web-enabled processes for data organization, extraction, analysis and reporting

Risk Management Maturity Model – Future

Dimensions: Business Policies | Business Processes | People and Organizations | Management Reports | Methodologies | Systems and Data

Maturity levels: Initial, Repeatable, Defined, Managed, Optimized

Source: SAP

• Risk strategies in place

• Continuous improvement focus

• Fully integrated risk & strategic management

• Inefficiencies removed, using formal cost / benefit analysis

• Risk quantification integrated into business decisions

• Prioritize mitigation efforts using risk analysis

• Integrated risk measurement systems are continuously improved

• Special purpose systems quantify portfolios of risk

• Strong teamwork in place

• Role models evolving

• Prepared for contingencies

• Expertise fully in place

Integrated risk reporting:

• Risk-adjusted profitability measure

• Linked to KPIs

• Exception reporting

• Enhanced functionality & expanded risk coverage

• Risk data collected as part of normal business routines

• Database systems support risk management


What We'll Cover …

• Sybase's Legacy ERM Framework

• Drivers for a GRC Platform

• The SAP BusinessObjects GRC Implementation Program at Sybase

• Sybase's Current ERM GRC Process

• Future GRC Phases

• Wrap-Up


SAP BusinessObjects GRC Modules

Governance, Risk, and Compliance:

•  Access Control

•  Process Control

•  Risk Management

•  Global Trade Services

•  Environment, Health and Safety


Integrated Governance Risk & Compliance

Modules: Access Risk Management | Process Control | Risk Management

Develop and Package External Content

Enterprise Risk: Fraud

Responses: Reduce | Control | Avoid | Accept | Transfer

Regulations / Process: Procure to Pay (Vendor Mgmt, AP Invoicing)

Process Risks: Fraudulent invoices paid; Valid invoices not entered

Access Risks: User can enter vendor & PO; User can enter invoices & payments

Controls: Review of new vendors and related invoice support; AP SOD rules in AC; Review of uninvoiced goods receipts; Monitor Access Status; Mitigate Access Violations

Policies: Update and roll out strengthened security policy
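The access-risk side of the procure-to-pay example (one user able to enter both vendor and PO, or both invoices and payments), with the "Monitor Access Status" and "Mitigate Access Violations" controls worked through as a small segregation-of-duties analysis. This is an added example, not SAP GRC Access Control code; the function identifiers, role names, rule ids and users are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Business functions in the procure-to-pay process (constructed identifiers).
VENDOR_MASTER = "maintain_vendor_master"
PURCHASE_ORDER = "create_purchase_order"
AP_INVOICE = "enter_ap_invoice"
PAYMENT_RUN = "release_payment"

# SoD rules: a risk fires when one user can execute every function in the set.
# The two rules mirror the access risks named on the slide; the ids are constructed.
SOD_RULES: Dict[str, FrozenSet[str]] = {
    "P2P-01 user can enter vendor & PO": frozenset({VENDOR_MASTER, PURCHASE_ORDER}),
    "P2P-02 user can enter invoices & payments": frozenset({AP_INVOICE, PAYMENT_RUN}),
}

# Roles grant functions (constructed sample role catalogue).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "Z_BUYER": {PURCHASE_ORDER},
    "Z_VENDOR_ADMIN": {VENDOR_MASTER},
    "Z_AP_CLERK": {AP_INVOICE},
    "Z_TREASURY": {PAYMENT_RUN},
    "Z_AP_SUPER": {AP_INVOICE, PAYMENT_RUN},  # one role can violate a rule by itself
}


@dataclass
class User:
    uid: str
    roles: List[str]
    # mitigating control recorded per rule id, e.g. a periodic review of new vendors
    mitigations: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Violation:
    uid: str
    rule: str
    via_roles: FrozenSet[str]
    status: str  # "open" or "mitigated"


def functions_of(user: User) -> Dict[str, Set[str]]:
    """Map each function the user can execute to the roles that grant it."""
    granted: Dict[str, Set[str]] = {}
    for role in user.roles:
        for fn in ROLE_FUNCTIONS.get(role, set()):
            granted.setdefault(fn, set()).add(role)
    return granted


def analyze(users: List[User]) -> List[Violation]:
    """Run every SoD rule against every user (the roadmap's 'SoD Analysis/Reporting')."""
    found: List[Violation] = []
    for user in users:
        granted = functions_of(user)
        for rule, conflict in SOD_RULES.items():
            if conflict.issubset(granted):
                roles = frozenset().union(*(granted[fn] for fn in conflict))
                status = "mitigated" if rule in user.mitigations else "open"
                found.append(Violation(user.uid, rule, roles, status))
    return found


def open_violations(users: List[User]) -> List[Violation]:
    """What 'Monitor Access Status' should surface: conflicts with no mitigating control."""
    return [v for v in analyze(users) if v.status == "open"]


def simulate_assignment(user: User, new_role: str) -> List[str]:
    """Rules that adding new_role would newly violate: the check to run before
    provisioning, so a conflict is refused or mitigated instead of reported later."""
    trial = User(user.uid, user.roles + [new_role], dict(user.mitigations))
    before = {v.rule for v in analyze([user])}
    return [v.rule for v in analyze([trial]) if v.rule not in before]


# Constructed users; "u.bob" has a mitigating control recorded against P2P-02.
SAMPLE_USERS = [
    User("u.alice", ["Z_BUYER", "Z_VENDOR_ADMIN"]),
    User("u.bob", ["Z_AP_CLERK", "Z_TREASURY"],
         {"P2P-02 user can enter invoices & payments": "monthly payment-run review"}),
    User("u.carol", ["Z_AP_SUPER"]),
    User("u.dave", ["Z_BUYER"]),
]

if __name__ == "__main__":
    for v in analyze(SAMPLE_USERS):
        print(f"{v.uid:8} {v.status:9} {v.rule} via {sorted(v.via_roles)}")
    print("adding Z_VENDOR_ADMIN to u.dave would violate:",
          simulate_assignment(SAMPLE_USERS[3], "Z_VENDOR_ADMIN"))
```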


SAP GRC Roadmap – Discussion Document

Modules: Access Control | Process Control | Risk Management

Phases: Phase I, Phase II, Phase III

Roadmap items:

•  SoD Analysis/Reporting

•  Risk Register & Response Plans

•  Repository of Manual Controls

•  Firefighter Access Mgmt

•  Automated User Provisioning

•  Role Mgmt & Administration

•  Automated Controls

•  Controls Test Workflow

•  Surveys & Certifications

•  Survey / Automate Workflow

•  Risk Simulation

•  Automated KRIs

•  eGRC Platform Integration

•  eGRC Integrated Control Library

•  Manual Key Risk Indicators


Refining and Developing Methodology

Risk Management cycle (Source: SAP):

•  Plan: Drive agreement on top risks, thresholds, and appetite

•  Identify and Analyze: Identify and assess all key risks across the enterprise

•  Respond: Create resolution strategies for top risks that maximize return on capital

•  Monitor: Build proactive monitoring into existing business processes and strategies


Specific Sybase Challenges

Challenges

•  Defining risk categories, risk drivers, and impact categories

•  Defining key risk indicators

•  Ensuring the system flexibly handles both regulatory compliance and other enterprise risks


Methodology Refinement: Development of Risk Categories

Compliance

•  Regulatory (Legal)

•  Contractual Liability

•  Professional Services

•  S365 (Regulatory (Legal))

•  Financial Compliance

•  FCPA Compliance

•  SOX Compliance

•  SEC Filing

•  SEC Compliance

•  HR Compliance

•  Data Privacy

•  Sybase 365

Financial and Tax

•  Federal / State / Local

•  EMEA Tax

•  APO Tax

•  Intercompany Pricing

•  Interest Rate Risk

•  Liquidity

•  Balance Sheet

•  Foreign Exchange

•  Credit Risk

•  Managing Profitability (Sybase, Sybase 365)

Strategic (Business)

•  Technology

•  Protection of IP

•  Product Quality & Innovation (Sybase, Sybase 365, iAnywhere)

•  Suppliers

•  Reputation

•  Integration Risk

•  Acquisitions

•  Software Platforms

•  Customer Satisfaction

•  Information for Decision Making

•  Market Risk

•  Workforce Quality

•  Communication of Strategy (Sybase, Sybase 365)

•  Revenue Growth

Political

•  War / Civil Unrest

•  Government Action

•  Protectionism

•  Anti-globalism

•  Terrorism

Operational

•  Personnel

•  Business Continuity Planning

•  Delivery of Software

•  Criminal

•  Information/Data

•  IT Infrastructure

•  Sybase 365 IT Infrastructure

•  Physical Damage


Methodology Refinement: Developing Impact Categories

Impact Category | Description

Revenue | Loss of revenues

Cost | Increased cost

Customer Satisfaction | Impact on customer satisfaction

Reputation | Damage to reputation / brand

Product / IP Value | Loss of Product / IP Value

Environmental | Environmental impacts

Cash / Capital | Inability to effectively manage cash, or collect receivables; reduced credit worthiness in market

Intangibles | Loss of intangible value

Market Perception | The market's overall view of the company's future sustainability


Methodology Refinement: Quantification of Impact Categories

Impact Level | Quantitative Impact (in 1000 €)

Insignificant | € 0 to € 200

Minor | € 200 to € 1,000

Moderate | € 1,000 to € 5,000

Major | € 5,000 to € 25,000

Business Critical | Over € 25,000


Project Risks to Consider

Common Pitfalls

•  Failure to obtain "buy-in," involvement, and support from Executive Management

•  Risks are managed in "silos" leading to decisions that are not always well coordinated

•  Risk awareness is low due to limited management focus or communication across business or functional units

•  Risk management activities are not linked to strategy and current process is not clearly defined

Leading Practices

•  Approach in phases, taking advantage of visionaries and high value pilots before proceeding to ERM

•  A risk management advocate drives the process but business units own risk with periodic audit / compliance review

•  Embed risk management into existing processes and performance scorecards

•  Identify risk interrelationships and assumptions; refine common language and standards over time

•  Instill a risk management culture (awareness, recognition, etc.)


What We'll Cover …

• Sybase's Legacy ERM Framework

• Drivers for a GRC Platform

• The SAP BusinessObjects GRC Implementation Program at Sybase

• Sybase's Current ERM GRC Process

• Future GRC Phases

• Wrap-Up


Key Advantages vs. Manual Process

From Siloed Manual Risk Registers to Standardized Risk Management

New Capabilities

• Merged Excel risk registers into the central SAP BusinessObjects Risk Management database

• System promotes common language and standard interpretations for risks

• Risks automatically plotted in heat map

Value Added

• Transparent view of comprehensive risks allows for greater consistency and knowledge sharing across regions

• Executive can weigh decisions based on a normalized risk equation, rather than multiple interpretations

• Focus can shift from formatting and spreadsheet errors to true analysis for exposure and profitability, as well as active response plans


Key Advantages vs. Manual Process (continued)

• Multiple views available depending on role and interest:

– Risk Category

– Drivers

– Impacts

– Exposure, etc.

• View entire organization, a region, a specific country at once

• Quickly and effectively highlight top risks to management for investigation and intervention

• SAP BusinessObjects Risk Management dashboards and heat maps can be viewed by executives whenever and wherever needed

Example: old-style quarterly update table

Ref. No.: 1

Definition: Manage revenue risks arising from changing financial condition of financial services industry customers (e.g., acquisitions, mergers)

Risk Management Initiative: Sales Pipeline Review identified mergers and acquisitions of FSI customers to assess impact on future revenues

Status Q3'09: License revenue: The formation of larger FSI companies will potentially allow bigger deals, which will be easier to negotiate. Results: Plan upside for 2009. Ongoing monitoring by FSI team.

Responsibility: ELT Members

Status Q4'09: 2009 target from top 20 global accounts is $xxx million. Forecast to achieve goal.

From Labor Intensive Periodic Reporting to On Demand Risk Views

New Capabilities | Value Added


Heat Map Dashboard Overview

EXAMPLE: dashboard columns: Risk Event | Organization | Activity | Person | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency


Reporting: Old Style

[Chart: the Primary Risks (numbered 1 to 5) plotted on the Likelihood (Low to High) vs. Impact (financial loss; harm to reputation; $0m, $25m, $100m) matrix]

Old style reporting

•  Qualitative measurement

•  Limited supporting data to justify ratings


Reporting: New Style

New style reporting: Inherent Risk before impact of management strategies

•  Clearer use of color

•  Incorporates reporting on all risks, not just Top 5

•  Clearly shows numbers of risks in each cell

(continued next page)

Insignificant Minor Moderate Major Business Critical

Near Certainty 2 8 8

Highly Unlikely 1 4

Likely 6 4

Unlikely 2 4

Remote 1 1


Reporting: New Style

New style reporting: Residual Risk showing impact of current management strategies

•  Assessments supported by more quantitative data

•  Easier recognition of risk reduction

•  Note: Management strategies are in initial stages of implementation

(continued next page)

Insignificant Minor Moderate Major Business Critical

Near Certainty 6 1 4

Highly Unlikely 4 1 2

Likely 1 2 2 1

Unlikely 1 5 6

Remote 1 2


Reporting: New Style

New style reporting: Expected impact of planned management strategies

•  Clearer visual picture of expected impact of risk management strategies

•  Allows management to clearly visualize risks which may need additional strategy development

Insignificant Minor Moderate Major Business Critical

Near Certainty 1 1

Highly Unlikely 1 1

Likely 2 4

Unlikely 1 1 6 6 5

Remote 1 1 3 4 3
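The quantification bands from the "Quantification of Impact Categories" table and the inherent / residual heat maps on the last three slides, worked in code: each register entry is bucketed into a likelihood × impact cell, the two views are counted and compared, and an entry whose residual amount exceeds its inherent amount is flagged for review. This is an added example, not code from the deck or from SAP BusinessObjects Risk Management; the register entries are constructed, the impact bands are the deck's (in k EUR, with a boundary amount placed in the higher band, a choice the deck's table leaves open), and the likelihood rows are the labels as printed on the slides.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact levels with their lower bound in k EUR, from the deck's quantification
# table. An amount exactly on a boundary is placed in the higher band.
IMPACT_BANDS: List[Tuple[str, int]] = [
    ("Insignificant", 0),
    ("Minor", 200),
    ("Moderate", 1_000),
    ("Major", 5_000),
    ("Business Critical", 25_000),
]
IMPACT_LEVELS = [name for name, _ in IMPACT_BANDS]

# Likelihood rows exactly as printed on the deck's heat-map slides.
LIKELIHOOD_LEVELS = ["Near Certainty", "Highly Unlikely", "Likely", "Unlikely", "Remote"]

Cell = Tuple[str, str]  # (likelihood row, impact column)


@dataclass(frozen=True)
class Risk:
    """One risk register entry; amounts are quantified impact in k EUR."""
    name: str
    likelihood_inherent: str
    amount_inherent: int
    likelihood_residual: str
    amount_residual: int


def impact_level(amount_k_eur: float) -> str:
    """Map a quantified impact to one of the deck's five impact levels."""
    if amount_k_eur < 0:
        raise ValueError("impact amount must be non-negative")
    level = IMPACT_LEVELS[0]
    for name, lower in IMPACT_BANDS:
        if amount_k_eur >= lower:
            level = name
    return level


def cell(likelihood: str, amount_k_eur: float) -> Cell:
    """Heat-map cell for one assessment; rejects labels not on the slides."""
    if likelihood not in LIKELIHOOD_LEVELS:
        raise ValueError(f"unknown likelihood label: {likelihood!r}")
    return (likelihood, impact_level(amount_k_eur))


def heat_map(risks: List[Risk], view: str = "inherent") -> Dict[Cell, int]:
    """Count risks per cell for the inherent or the residual view."""
    if view not in ("inherent", "residual"):
        raise ValueError("view must be 'inherent' or 'residual'")
    counts: Counter = Counter()
    for r in risks:
        if view == "inherent":
            counts[cell(r.likelihood_inherent, r.amount_inherent)] += 1
        else:
            counts[cell(r.likelihood_residual, r.amount_residual)] += 1
    return dict(counts)


def risk_reduction(risks: List[Risk]) -> Tuple[List[Tuple[str, Cell, Cell]], List[str]]:
    """Entries whose cell moved between the inherent and residual views, plus
    the names of entries whose residual amount exceeds the inherent amount
    (a data-quality flag worth reviewing before the map reaches management)."""
    moved, flagged = [], []
    for r in risks:
        before = cell(r.likelihood_inherent, r.amount_inherent)
        after = cell(r.likelihood_residual, r.amount_residual)
        if r.amount_residual > r.amount_inherent:
            flagged.append(r.name)
        if before != after:
            moved.append((r.name, before, after))
    return moved, flagged


def render(counts: Dict[Cell, int]) -> str:
    """Plain-text grid laid out like the slides: likelihood rows, impact columns."""
    width = max(len(s) for s in IMPACT_LEVELS + LIKELIHOOD_LEVELS) + 2
    lines = ["".ljust(width) + "".join(s.ljust(width) for s in IMPACT_LEVELS)]
    for lk in LIKELIHOOD_LEVELS:
        row = "".join(str(counts.get((lk, im), "")).ljust(width) for im in IMPACT_LEVELS)
        lines.append(lk.ljust(width) + row)
    return "\n".join(lines)


# Constructed sample register (not Sybase data); amounts in k EUR.
SAMPLE_RISKS = [
    Risk("FSI customer consolidation", "Likely", 30_000, "Unlikely", 12_000),
    Risk("Auction rate securities revaluation", "Near Certainty", 8_000, "Likely", 3_000),
    Risk("Software inventory stuck in channel", "Likely", 1_500, "Likely", 900),
    Risk("Data centre outage", "Unlikely", 4_000, "Remote", 4_000),
    Risk("Export control breach", "Remote", 200, "Remote", 250),  # residual > inherent
]

if __name__ == "__main__":
    for view in ("inherent", "residual"):
        print(f"{view} risk\n{render(heat_map(SAMPLE_RISKS, view))}\n")
    moved, flagged = risk_reduction(SAMPLE_RISKS)
    print("moved:", moved)
    print("check data for:", flagged)
```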


Reporting New Style: Example Risk Overview by Dollars

Reporting new style: Residual Impact

•  Allows management to consider whether they would like to accelerate current strategies, or implement additional strategies based on dollar impact


Reporting New Style: Overview Dashboard

EXAMPLE: Examples of new additional interactive reporting styles

Dashboard columns: Risk Event | Organization | Activity | Risk Category | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency


Reporting New Style: Driver Categories

Now we are able to consider whether any single driver constitutes a major risk, allowing management to consider the need for additional strategy development

Report columns: Risk Event | Organization | Activity | Risk Category | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency


Reporting New Style: Impact Categories

EXAMPLE: Now we are able to relate impacts to drivers and consider whether this suggests a need to adjust management strategy

Report columns: Risk Event | Organization | Activity | Risk Category | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency

43


Current State of Sybase ERM

•  Has a more quantitative framework

•  Holds managers more accountable to action plans because they have a clearer understanding of the risk

•  Is more auditable and more cost effective to operate

44


Impact on Executive Team Risk Management Behavior…

"Get my attention to what is required to achieve best industry practice with regard to risk management"

"There is a person (you) and a process (the company process) and people know that this is important"

"The risk management process creates the pressure of knowing that we have to get things done"

45


What We'll Cover …

• Sybase's Legacy ERM Framework

• Drivers for a GRC Platform

• The SAP BusinessObjects GRC Implementation Program at Sybase

• Sybase's Current ERM GRC Process

• Linking Risks to Controls

• Future GRC Phases

• Wrap-Up

46


Linking Compliance Risks with Controls: Pilot

Implement Process Controls: Pilot

• Automate monitoring of SOX control testing

• Identify controls which contribute to demonstrating compliance

Link Risk Management Data to Process Controls: Pilot

• Link controls (PC) to risks (RM)

• Conduct pilot to link data privacy risks to existing controls

PC = SAP BusinessObjects Process Control; RM = SAP BusinessObjects Risk Management

47

An initial pilot study was conducted to link data privacy compliance risks with existing internal controls (entity level controls and IT General Controls). The objective was to demonstrate the capabilities of GRC 10.0 to link risks with controls.


What Got Us Started?

May 2010: Bank No. 1, located in Germany, requested compliance with approximately 50 diverse requirements relating to German banking regulations, data security requirements, and data privacy.

June 2010: Bank No. 2, also located in Germany, provided a list of approximately 40 compliance requirements, not identical but similar to Bank No. 1's.

November 2010: Bank No. 3, located in the Czech Republic, provided a list of approximately 30 compliance requirements. Again, similar to Bank No. 1's, but not identical.

48


Common Thread: Making Risk Management Relevant and Useful

Regulatory Compliance Requirements
•  Data privacy and protection compliance
•  European banking laws

Common Internal Control Requirements
•  IT General Controls
   •  Data security
   •  User access
   •  Physical security
•  Entity Level Controls
   •  Data confidentiality
   •  Code of conduct

Applied to Sybase's third-party service providers as well as internal operations

Driven by customer business needs

49


The Pilot: Data Protection and Privacy

Part 1: Resolving issues from the initial external review, e.g.:

•  Strengthen governance and risk management around data privacy.
•  Implement policies to govern the management of personal information.

Specific Sybase Actions
•  Strengthened role of data protection officer
•  Revised Data Protection and Privacy Governance Structure
•  Reviewed and revised 15 related internal policy documents
•  Communicated policy requirements as appropriate
•  Conducted specific training where relevant

Current Status
•  Largely completed

50


The Pilot: Data Protection and Privacy (cont.)

Part Two: Ensuring current internal controls match all identified compliance risks

Identifying Compliance Risks
•  Internal Risk Assessment
•  External advice
•  Customer contractual requirements

Matching with Controls
•  Entity level controls
•  IT General Controls

Identifying Control Locations
•  Within Sybase 365
•  At Service Provider Locations

51


Link Compliance Risks to Control Requirements

[Diagram: Process Control (PC) on one side, Risk Management (RM) on the other, joined by an "Update with Test Results" link]

Process Control (PC): controls mapped to risk statements
•  IT General Control 1: Risk Statement 1
•  IT General Control 2: Risk Statement 2
•  IT General Control 3: Risk Statement 2
•  Entity Level Control 1
•  Entity Level Control 2

Risk Management (RM): risk statements with their response plans
•  Risk Statement 1: Response Plan Controls: IT General Control 1
•  Risk Statement 2: Response Plan Controls: IT General Control 2; Response Plan Mitigation
•  Risk Statement 3: Response Plan Controls: IT General Control 3, Entity Level Control 1, Entity Level Control 2

52


Link Compliance Risks to Control Requirements (cont.)

Process Control (PC)

Compliance Risk: Unauthorized physical access to data centers by unauthorized users may result in unauthorized use, disclosure, modification, damage or loss of data.

Control AS002 Physical Access: The Systems Engineering Team will maintain complete lists for each data center and any internal core processing systems of all personnel granted ongoing access.

Update with Test Results (PC control test results are carried into the RM response plan)

Risk Management (RM)

Enterprise Risk: Maintain Data Security & Privacy

Response Plan Control AS002 Physical Access: The Systems Engineering Team will maintain complete lists for each data center and any internal core processing systems of all personnel granted ongoing access.

Mitigation: Awareness campaign conducted. Encryption policies implemented. Training audiences identified and training conducted.

53
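The PC-to-RM linkage on the two slides above (controls on the Process Control side, response plans on the Risk Management side, test results flowing back) and the slide-39 heat map can be modelled in a few lines. The following Python is an added example, not code from Sybase, Protiviti or SAP BusinessObjects GRC: the risk and control records other than AS002, the dollar thresholds that map an amount onto an impact band, and the rule that a control whose latest test failed earns no reduction against the inherent amount are all assumptions made for the example. Only the AS002 control text and the physical-access risk statement come from the slides.

```python
"""Toy risk-to-control linkage model (added example, not Sybase's or SAP's code).

Compliance risks carry an inherent dollar amount; a response plan names the
controls credited with reducing it; control test results come back from
Process Control.  ASSUMPTION for this example: a control that failed (or was
never tested) earns no credit, so the residual amount rises and the risk
moves to a worse cell of the heat map.
"""
from collections import Counter
from dataclasses import dataclass, field

# Impact bands from the heat-map slide; the dollar thresholds are constructed.
IMPACT_BANDS = ["Insignificant", "Minor", "Moderate", "Major", "Business Critical"]
IMPACT_THRESHOLDS = [100_000, 500_000, 2_000_000, 10_000_000]  # upper bound of first four bands


def impact_band(amount):
    """Map a dollar amount onto one of the five impact bands."""
    for band, upper in zip(IMPACT_BANDS, IMPACT_THRESHOLDS):
        if amount < upper:
            return band
    return IMPACT_BANDS[-1]


@dataclass
class Control:
    control_id: str                   # e.g. "AS002" on the slides
    description: str
    test_result: str = "not tested"   # "pass" / "fail" / "not tested", supplied by PC


@dataclass
class Risk:
    risk_id: str
    statement: str
    likelihood: str                   # likelihood band label as used on the heat map
    inherent_amount: float
    # Response plan: control id -> dollar reduction credited to that control (assumed).
    response_plan: dict = field(default_factory=dict)
    mitigations: list = field(default_factory=list)   # non-control mitigations, e.g. awareness campaign


def residual_amount(risk, controls):
    """Inherent amount less the reduction credited to each linked control that passed its test."""
    credited = sum(reduction for cid, reduction in risk.response_plan.items()
                   if controls[cid].test_result == "pass")
    return max(risk.inherent_amount - credited, 0.0)


def risks_needing_attention(risks, controls):
    """Risks whose response plan relies on a control that failed its latest test."""
    return sorted(r.risk_id for r in risks
                  if any(controls[c].test_result == "fail" for c in r.response_plan))


def heat_map(risks, controls):
    """Count risks per (likelihood, residual impact band) cell, as on the slide-39 matrix."""
    return Counter((r.likelihood, impact_band(residual_amount(r, controls))) for r in risks)


def build_sample():
    """Constructed register: AS002 is from the slides, the rest is made up for the example."""
    controls = {
        "AS002": Control("AS002", "Physical Access: maintain complete lists of personnel "
                                  "granted ongoing data center access", "fail"),
        "ITGC-2": Control("ITGC-2", "Constructed: periodic user access review", "pass"),
        "ELC-1": Control("ELC-1", "Constructed: data confidentiality policy acknowledged", "pass"),
    }
    risks = [
        Risk("R1", "Unauthorized physical access to data centers may result in unauthorized "
                   "use, disclosure, modification, damage or loss of data.",
             "Unlikely", 5_000_000, {"AS002": 4_000_000}, ["Awareness campaign conducted"]),
        Risk("R2", "Constructed: excessive user access to core systems",
             "Likely", 3_000_000, {"ITGC-2": 2_700_000, "ELC-1": 200_000}),
        Risk("R3", "Constructed: personal data handled outside policy",
             "Remote", 800_000, {"ELC-1": 600_000}),
    ]
    return risks, controls


if __name__ == "__main__":
    risks, controls = build_sample()
    for r in risks:
        print(r.risk_id, r.likelihood, residual_amount(r, controls),
              impact_band(residual_amount(r, controls)))
    print("needs attention:", risks_needing_attention(risks, controls))
    for cell, n in sorted(heat_map(risks, controls).items()):
        print(cell, n)
```

With AS002 failing, R1 keeps its full 5,000,000 inherent exposure and lands in the Unlikely / Major cell; flipping the AS002 result to "pass" drops it to 1,000,000 (Moderate), which is the movement the slide-59 "Failing Physical Access ITGC" screenshot is about.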


Understanding the Current Picture

[Diagram: elements scattered around the question "Current Picture?": Risks, Controls, Workflow, Control Testing, Version Control, Mitigation Strategies, Compliance Requirements, Reporting, Risk Assessment]

54


Understanding the Current Picture (cont.)

[Diagram: the same elements (Risks, Controls, Control Testing, Mitigation Strategies, Compliance Requirements, Reporting, Risk Assessment) now organized under Risk Management and Process Control around the "Current Picture"]

Defined workflow! No version control issues!

55


The Pilot: Multiple Response Plans

56


The Pilot: PC Control Response Plan

57


The Pilot: Assessment Dashboard

58


The Pilot: Failing Physical Access ITGC

59



Future State

Implement: Enhance Process Controls
• Build automated SOX control tests
• Develop additional automated compliance testing

Link: Link Risk Management Data to Process Controls
• Link controls (PC) to risks (RM)
• Relate new risks to existing controls (new regulatory requirements)

Build: Build Automated KRIs Linking to Core SAP ERP

Refine: Refine Reporting

PC = SAP BusinessObjects Process Control; RM = SAP BusinessObjects Risk Management

61


Linking Risk-Based Compliance Initiatives with Compensating Controls

Regulatory Requirements
•  Foreign Corrupt Practices Act (FCPA)

Sub-processes & Controls (including test plans)
•  Monitoring Agent / Third Party
   •  Review Payments*
   •  Monitor Wire Transfers*
   •  SOD: Vendor Maintenance vs. Invoices*
•  Awareness and Training
   •  Code of Conduct
   •  Hotline
•  Due Diligence and Contract Review
   •  Contract Agreements
   •  Third-Party Due Diligence

Report
•  Monitoring Training Status (FCPA Compliance)*

Functional Areas
•  FI / CO
•  Global Trade Services & Human Capital Management

* Indicates the potential for automated testing linking SAP ERP and SAP BusinessObjects Process Control

(continued next page)

62


Linking Risk-Based Compliance Initiatives with Compensating Controls (cont.)

Risk Event: Employee / Agent Involved in Illegal Arrangement (FCPA)

KRIs
•  # of reviews conducted for due diligence on all foreign business partners and third-party representatives (manual)
•  % employees with foreign official contact who have had FCPA training (SAP ERP HCM)
•  Expense % of total compensation for sales agents responsible for international accounts (SAP Payroll)

Drivers
•  Operate in overseas high-risk markets
•  Use of third-party representatives to facilitate overseas business
•  Conduct business with foreign state-run entities

Impacts
•  SEC & DOJ violations, fines, penalties, remediation
•  Ineligibility of doing business with foreign entity
•  Disclosures, investigation, prosecution, oversight

Responses
•  SOD: Separate Vendor Maintenance from Invoice Approval*
•  Monitor employees that are overdue for ethics / FCPA training*
•  Monitor suspicious payment attributes such as round payments, one-time vendor, etc.*
•  Code of Conduct and FCPA or anti-corruption policies in place
•  Anti-corruption training in place & Whistleblower line

* Indicates the potential for automated testing linking SAP ERP and SAP BusinessObjects Process Control

63
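The starred responses above are the ones the slide marks as candidates for automated testing against ERP data. The following Python is an added example, not Sybase's or SAP's code, showing what those tests look like when run over extracted records: the SoD check (vendor maintenance versus invoice approval), the suspicious-payment attributes named on the slide (round amounts, one-time vendors), and the overdue-training monitor, which also yields the "% employees with foreign official contact who have had FCPA training" KRI. The record layouts and field names are constructed for the example and are not SAP table or field names; the 365-day training validity window and the 1,000-unit rounding threshold are likewise assumptions.

```python
"""Automated FCPA control tests of the kind starred on the slides (added example).

The lists below are constructed stand-ins for extracts from an ERP and HCM
system.  Field names, the 365-day training validity window and the 1,000-unit
"round payment" threshold are assumptions made for this example.
"""
from datetime import date

# Constructed sample data: who maintained which vendor master record.
VENDOR_CHANGES = [
    {"vendor": "V100", "changed_by": "alice"},
    {"vendor": "V200", "changed_by": "bob"},
]
# Constructed sample data: invoice approvals and payment attributes.
INVOICES = [
    {"invoice": "I1", "vendor": "V100", "approved_by": "alice", "amount": 50_000.00, "one_time_vendor": False},
    {"invoice": "I2", "vendor": "V200", "approved_by": "carol", "amount": 12_345.67, "one_time_vendor": False},
    {"invoice": "I3", "vendor": "V300", "approved_by": "carol", "amount": 9_999.00,  "one_time_vendor": True},
    {"invoice": "I4", "vendor": "V100", "approved_by": "dave",  "amount": 20_000.00, "one_time_vendor": False},
]
# Constructed sample data: HCM-style extract of training completion.
EMPLOYEES = [
    {"id": "E1", "foreign_official_contact": True,  "fcpa_training_date": date(2011, 9, 1)},
    {"id": "E2", "foreign_official_contact": True,  "fcpa_training_date": None},
    {"id": "E3", "foreign_official_contact": True,  "fcpa_training_date": date(2010, 1, 15)},
    {"id": "E4", "foreign_official_contact": False, "fcpa_training_date": None},
]


def sod_violations(vendor_changes, invoices):
    """SoD test: the same user both maintained a vendor record and approved an invoice for that vendor."""
    maintainers = {}
    for change in vendor_changes:
        maintainers.setdefault(change["vendor"], set()).add(change["changed_by"])
    return sorted(inv["invoice"] for inv in invoices
                  if inv["approved_by"] in maintainers.get(inv["vendor"], set()))


def suspicious_payments(invoices, round_to=1_000):
    """Flag payments with the attributes named on the slide: round amounts and one-time vendors."""
    flagged = {}
    for inv in invoices:
        reasons = []
        if inv["amount"] % round_to == 0:
            reasons.append("round amount")
        if inv["one_time_vendor"]:
            reasons.append("one-time vendor")
        if reasons:
            flagged[inv["invoice"]] = reasons
    return flagged


def training_overdue(employees, as_of, validity_days=365):
    """Employees with foreign-official contact whose FCPA training is missing or older than validity_days."""
    overdue = []
    for emp in employees:
        if not emp["foreign_official_contact"]:
            continue
        trained = emp["fcpa_training_date"]
        if trained is None or (as_of - trained).days > validity_days:
            overdue.append(emp["id"])
    return overdue


def training_kri(employees, as_of, validity_days=365):
    """KRI from the slide: % of in-scope employees whose FCPA training is current."""
    in_scope = [e for e in employees if e["foreign_official_contact"]]
    if not in_scope:
        return 100.0
    current = len(in_scope) - len(training_overdue(employees, as_of, validity_days))
    return round(100.0 * current / len(in_scope), 1)


if __name__ == "__main__":
    as_of = date(2012, 3, 22)   # the luncheon date, used as the reporting date
    print("SoD violations:", sod_violations(VENDOR_CHANGES, INVOICES))
    print("Suspicious payments:", suspicious_payments(INVOICES))
    print("Training overdue:", training_overdue(EMPLOYEES, as_of))
    print("Training KRI (%):", training_kri(EMPLOYEES, as_of))
```

Each function returns the exceptions rather than a pass/fail verdict, so the same output can populate a Process Control test result (any exception is a failure) and feed the KRI trend that the "Build Automated KRIs" phase on the previous slides calls for.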



Don't rush. It's a marathon, not a sprint.

65


Resources: Links used in preparation

www.protiviti.com/ERM-FAQ: Guide to Enterprise Risk Management (FAQ)

www.protiviti.com/PRIM2: Integrated Performance and Risk Management

www.protiviti.com/RiskOversight: Board Perspectives – Risk Oversight

www.protiviti.com/Bulletin: The Bulletin – Corporate Governance and Risk Management

www.service.sap.com/NetWeaver®: Requires login credentials to the SAP Service Marketplace

www.sapsuperusers.com/forums

www.sapfans.com/forums

www.sdn.sap.com/irj/sdn/bpx-grc: SAP GRC Risk Management Guide

www.sdn.sap.com/irj/sdn/forums: Follow Governance, Risk, and Compliance (under Business Process Expert)

66


7 Key Points to Take Home

1. ERM operates best under an integrated RM philosophy.

2. If you cannot relate new risks to your existing controls, you are dead in the water when it comes to compliance.

3. Don't underestimate the appetite of senior management to get engaged in a risk-based conversation.

4. Define your organization's elements (risk categories, etc.) correctly to maximize system effectiveness and flexibility.

5. Reality check frequently. Review input often to ensure your risk management platform is an integrated component of your ERM processes.

6. Automation can play a critical role in showing how your existing internal controls demonstrate compliance with new compliance risks.

7. The ultimate value of the investment lies in data-driven risk monitoring.

67


Your Turn!

How to contact us:

Bruce Carpenter, [email protected], 925.236.8562

John Livingood, [email protected], 415.402.3682

68


Disclaimer

SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet™®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.

69