PricewaterhouseCoopers
PwC Governance Risk and Compliance: SAP BusinessObjects Risk Management
SAP LTT group
Aligning SAP GRC Risk Management solution with your Risk Management Framework
Table of Contents
1. Risk Management Framework Key Considerations
2. Business drivers & Risk Management approach
3. PwC’s SAP GRC Risk Management methodology
4. Risk Management Operating Model
5. SAP GRC Risk Management Value Proposition
6. SAP GRC Risk Management key implementation considerations
7. Key Benefits of integrating SAP GRC Risk Management with SAP GRC Process Control
8. SAP GRC Risk Management Implementation Case Study Overview
9. Why PricewaterhouseCoopers?
1. Risk Management Framework Key Considerations

Framework components:

• Strategy: top-down guidance (risk appetite). The business strategy, objectives and risk appetite should drive risk management priorities and discipline in the pursuit of business objectives.
• Risk Governance and Risk Organization: organization and governance must provide for clear direction, guidance and oversight of risk management activities as part of performance management.
• Policies, Procedures & Risk Limits: policies, procedures and risk limits are intended to provide consistent guidance and parameters to the business to manage risk within the organization’s risk appetite.
• Risk Assessment Process: the risk assessment and management process must ensure that risks are identified in a timely manner, assessed consistently, and addressed in accordance with the organization’s risk appetite.
  - Identify risks by business objective
  - Assess and prioritize risks as H, M, L (e.g., with RCSA), by likelihood and impact
  - Define Key Risk Indicators (KRIs)
  - Define KRI tolerance
  - Determine risk response requirements
• Risk Response (determined from the risk assessment process)
• Risk Monitoring and Reporting, including Key Risk Indicators: monitoring and reporting on risks will enable the organization to anticipate and respond to changes in its risk profile.
• Risk Tools, Technology, Infrastructure: tools and technology facilitate the risk management process, particularly the risk assessment, risk monitoring and risk correlation processes.
2. Business drivers & Risk Management approach

Risk Management principles should be implemented in a progressive manner. Sustainability is enhanced when risk management is embedded in existing processes.

Risk Management approach
Governance: enhance risk communications to the board
• Assess the company’s enterprise risk profile
• Describe how the risks are to be managed
• Assign accountability for key risks, including consideration of emerging risk
• Begin to formalize risk tolerance & appetite
• Monitor changes in risk profile and practices
• Modify risk reporting and communications

Strategic: optimize strategic decisions using risk management
• Modify key processes to better incorporate risk management techniques. For example:
  o Scenario planning capability is developed and applied to help determine risk impacts and to evaluate the impact of broader, strategic risks (emerging risks).
  o Performance measurement: BUs & projects are evaluated on a risk-adjusted basis.
• Risks are correlated and linked to strategic priorities and business objectives.

Operational: align risk and performance management
• Start with strategic objectives
• Integrate risk and performance metrics
• Agree on risk tolerances around key metrics
• Redesign compensation and incentives to incent risk-adjusted performance
• Adopt “common” risk assessment and “assurance” reporting standards throughout the enterprise.

Business drivers
• Transform the Risk Management process from a silo approach to a more coordinated approach.
• Consolidate risks at higher levels of the organization and evaluate global risk exposure.
• Respond intelligently by focusing on key risks, creating cross-organizational resolution strategies and tracking response costs.
• Improve visibility and optimize decision making by aligning risks to strategic priorities and business objectives.
• Enhance risk communications to the board.
• Monitor key risks in a proactive way through a standardized and centralized Key Risk Indicator framework.
3. PwC’s SAP GRC Risk Management implementation methodology

Risk Definition, Assessment, Monitoring and Reporting Processes

Plan & Identify: identify risks to business objectives and assess inherent risks
• Determine key business objectives based on company strategy.
• Establish the organizational hierarchy and define Risk Appetite and Risk Tolerance across the organization.
• Establish Risk Classification & Business Activity hierarchies.
• Identify risks to business objectives across key risk categories, developing a company-wide risk profile.
• Assign driver and impact categories to central risks.
• Align accountability structures for managing risks.
• Design and conduct surveys to be used for a risk assessment.

Assess & Prioritize: evaluate cross-organization risk exposure
• Using the risk profile, assess likelihood and potential impact of identified risks to establish risk tolerance levels.
• Determine/evaluate adherence to risk guidance and tolerance.
• Consolidate groups of risks.
• Prioritize risks using Global & Local Heat Maps.
• Evaluate analyzed risks & identify patterns.
• Based on the risk assessment, align resources and accountability structure with initiatives that fall within company risk tolerance.
• Define the risk interdependency model and determine risk influence factors.

Respond & Implement: measure residual risk and establish risk correlation
• Based on the risk assessment and defined tolerance level, determine the risk response strategy.
• Define risk response / action plans to be monitored to ensure adherence to defined risk tolerance levels, including accountability and timeline.
• Leverage investment in SAP GRC Process Control by applying internal controls as responses to risks.
• Evaluate completeness & effectiveness of responses and measure residual risk levels.
• Build Risk Indicators for key risk areas (identify existing metrics, assess gaps, improve metrics, validate & identify trigger levels).

Monitor & Re-assess: monitor leading risk indicators and mitigation responses
• Report on risks using dashboards and detailed reporting tailored to stakeholder risk information needs.
• Ensure ongoing monitoring of risk responses.
• Monitor Risk Indicators and establish a control plan and escalation criteria.
• Collect and analyze loss data through the Incident Loss Database.
• Build and conduct risk scenario planning & analysis.
• Perform re-assessment for all impacted risks through risk assessment planning.

Feedback loop: continuous assessment of risk exposure, with automated and continuous monitoring of Key Risk Indicators. Re-assess and update risk levels across the organization hierarchy through the risk interdependency management model.
4. Risk Management Operating Model (1/2)

Roles and responsibilities for tracking risk should be assigned to individuals across the organization, facilitating the ongoing monitoring of risk events.

Business / Functional Leader (Owners & Responsible Parties)
• Each Business / Function will provide information related to risk events
• Inputs are obtained in multiple ways, including use of indicators, internal knowledge of the business as well as external sources
• As part of annual planning processes, the Business / Function provides risk event information to the risk event owners based on relevant inputs
• Quarterly, the Business / Function will provide an update to the risk event owner

Risk Event Owner
• Each risk event has one owner who compiles reporting
• Risk analysis for each event focuses on current status, target status, risk response, corrective action / mitigation plan (risk event slides presented herein)

Corporate Audit
• Corporate Audit aggregates information obtained from the Risk Event Owners
• Heat map updates and consolidated reporting will be prepared
• Corporate Audit facilitates the ERM process throughout the year, including assisting risk event owners with:
  - Annual risk assessment
  - Quarterly specific risk updates
  - Periodic testing of risk mitigation controls to assess effectiveness and areas for improvement

Chief Risk Officer
• The Chief Risk Officer reviews the corporate risk report on a periodic basis covering all risk events
• The risk report includes the following highlights:
  - Priority of risk events
  - Effectiveness of risk response strategies

CEO / Board / Audit Committee
• Review outputs of the ERM program, including understanding how significant risks are managed
• Review heat maps and periodic assessments of specific risk events and associated mitigation plans
• The Board will have a well grounded basis for new SEC proxy reporting relative to risk oversight (effective for 2010)
Risk Management Operating Model (2/2)

Flow of risk aggregation across the organization: a bottom-up approach from function to board level, facilitated by Corporate Audit, would assist in deploying effective risk monitoring across the organization.

Reporting chain, from function to board:
• Global Business Services (GBS)
• Business / Functional Leaders (Owners & Responsible Parties): CEO / CFO / Accounting / Treasurer / Tax; Human Resources; General Counsel; Corporate Development; President, Business Segments
• Corporate Audit
• Chief Risk Officer
• CEO, Board, Audit Committee

Risk event owners shown in the model include: CEO, CFO, EVP GBS, EVP CRO-Research, EVP Corporate Development, SVP General Counsel, SVP Global Tax, Chief Security Officer, Chief HR Officer, Corporate Treasurer, CBPIO.

Risk events by category:

Business and Strategic Risks
[B1] Customer/Contracts
[B2] Competition
[B3] Conflict of Interest
[B4] Emerging Technology
[B5] Political
[B6] Consumer Behavior
[B7] Business Continuity Plan
[B8] Disaster Recovery (owner: Chief Security Officer)

Financial Risks
[F1] Capital Access
[F2] Liquidity
[F3] Valuation
[F4] Credit Risk
[F5] Foreign Exchange
[F6] Interest Rate
[F7] Benefit Obligation
[F8] Inflation

Operational Risks
[O1] Alliance & Vendor Execution
[O2] Ethics & Integrity
[O3] Information Security
[O4] Process Integrity
[O5] Data Integrity
[O6] People
[O7] Performance & Rewards
[O8] Acquisitions / Divestitures
[O9] Internal Controls over Financial Reporting
[O10] Modeling

Regulatory & Compliance Risks
[R1] Compliance / FCPA
[R2] Intellectual Property
[R3] Tax
[R4] Privacy
[R5] Reporting
5. SAP GRC Risk Management Value Proposition

Reduce Costs
• Lower administrative cost for risk management through automation
• Preventive risk responses through Key Risk Indicators reduce the probability of an event and its adverse impact
• Response cost tracking and efficient assessment of the net impact of a response
• Time spent managing risks will be reduced in a sustainable way

Increase Visibility
• Improve visibility of risk exposure across the organization
• Clear insight into risk and compliance activities across the enterprise and risk areas
• Accountability and actions are driven by transparent and timely reporting
• Enhance decision making and business performance with informed, risk-based information

Streamline Risk Management
• End-to-end risk processes across the value chain
• Plan & agree on top risks and appetite across the organization
• Understand true exposure resulting from risk analysis and correlation
• Respond intelligently by creating resolution strategies for critical risks
• Stay informed by building proactive monitoring into existing processes

Manage Change
• Risk-adjusted management becomes a driver of business change
• Align and leverage risk and assurance objectives during times of change
• Provide management with insights on key risks and responses as the business executes its strategy
• Highlight trends and changes in risk level
Key areas to consider in assessing Risk Management effectiveness, with the corresponding SAP GRC RM coverage and value proposition:

• Risk Management is sponsored and driven by the Board, including establishing risk appetite and the policy framework for risk tolerance.
  SAP GRC RM: Risk Appetite and Risk Tolerance definition. Risk profile matrix definition across the organization.

• A robust, relevant and meaningful risk assessment is conducted that crosses the enterprise and considers relevant categories of risk (e.g., strategic, operational, financial and compliance).
  SAP GRC RM: Central risk category classification & risk templates. Risk consolidation & interdependencies.

• Risks are identified and linked to strategic priorities and business objectives.
  SAP GRC RM: Definition of the organization’s strategy & business objectives. Link risks to business objectives and prioritize based on business strategy.

• A governance structure that supports oversight and execution of appropriate risk response activities is established and in place.
  SAP GRC RM: Document preventive and recovery responses for risks and create a centralized Risk Response Catalogue. Respond to certain risks or types of risks through the creation and/or assignment of controls from SAP GRC PC (automated tracking of response completeness & effectiveness).

• Risk ownership is established and management accountability clearly identified.
  SAP GRC RM: Custom role definition and assignment of flexible workflows based on responsibilities. Guided interface for executing risk management tasks. Align accountability structures for managing risks.

• Identified risk events are monitored on an ongoing basis.
  SAP GRC RM: Consistent risk monitoring model through a guided interface for managing Key Risk Indicators across the organization.

• Scenario planning capability is developed and applied to help determine risk impacts and to evaluate the impact of broader, strategic risks (emerging risks).
  SAP GRC RM: Link risks and simulate the outcome on impacts through the scenario management functionality (scenario analysis & Monte-Carlo simulation).

• Sophistication of the Risk Management process (introduction of a third dimension to risk measurement).
  SAP GRC RM: Possibility to take other risk criteria into account in the current Risk Assessment methodology: Risk Velocity (via the use of “Speed of Onset”).
6. SAP GRC Risk Management key implementation considerations

The maturity of the Risk Management process (Level 3 Standardized, Level 4 Integrated, Level 5 Optimized) is considered against the implementation complexity level (Low, Medium, High) of the SAP GRC RM components used.

Level 3: Standardized
• A risk framework with standardized qualitative and quantitative measures as well as categorization is applied to risks throughout the organization.
• Risk Management procedures are standardized in an enterprise-wide framework that is available across the organization. Information on risks is accumulated in a single repository.
• Major risks are identified and plans developed to contain risks.
• Risk identification is integrated into standard planning activities in each business unit.
• Each business unit monitors and documents the response plans and/or controls implemented within its own area of responsibility.

Level 4: Integrated
• Uniform processes are used to manage risk throughout the organization.
• Business unit and organization-wide risks are measured and consolidated across the organization.
• An integrated dashboard monitors risk management categories.
• Understanding of the organization’s risk profile helps drive strategic decision making.
• Effectiveness of controls across the organization is periodically tested and reported.
• Results of implementation of controls are measured. There is a continuous, integrated response to risks.
• The organization continuously conducts risk assessments; refines and applies best practices.

Level 5: Optimized
• Support Risk-Intelligent Strategy Management by leveraging a common methodology for managing the relationship between KPIs and KRIs.
• Risk information is continuously developed and actively used to improve all organization processes through a centralized Key Risk Indicator operating model.
• Organization strategic objectives are detailed and measured in terms of operational impact and urgency.
• Interrelationships between risks are modelled via Influence Factors in order to evaluate and communicate potential risk exposure changes across the organization (scenario analysis).
• Lessons learned from prior risk management events are incorporated (Loss & Incident database).
• Automated conversion of Control Design Assessment and Control Effectiveness Testing results into Response Completeness and Response Effectiveness ratings.

SAP GRC RM components:
• Objectives hierarchy
• Risk Classification hierarchy
• Organization hierarchy
• Risk Response: control (integration with SAP GRC PC)
• Inherent Risk Analysis
• Risk Response: plan
• Residual and Planned Residual Risk Analysis
• Activity Hierarchy
• Activity Hierarchy (integration with SAP GRC PC)
• Global and Local risk heat maps
• Risk Consolidation
• Risk Surveys/Assessments
• Loss & Incident database (Loss Matrix analysis)
• Risk correlation and Influence Factors
• Scenario Management (standard and Monte-Carlo)
• Key Risk Indicator model and Business Rule Framework
• Increase the organization’s ability to make more risk-intelligent decisions by developing a combined approach to strategy and risk (integration with SAP Strategy Management)
7. Key Benefits of integrating SAP GRC Risk Management with SAP GRC Process Control
Most businesses will seek to respond to certain risks or types of risks (e.g. financial and operational processes) through the creation and assignment of controls. These controls have generally been defined in the organization’s internal control system or framework. It is possible to respond to / mitigate certain risks or types of risks (e.g. financial and operational processes) in SAP GRC Risk Management through the creation and/or assignment of existing internal controls defined in SAP GRC Process Control (business process and entity level controls).

By introducing controls already handled by PC into RM, organizations will be able to improve the efficiency of their governance, risk and compliance activities. Improved handling of risk responses by including internal controls should improve decision making and lower the overall cost of GRC activities.

Continuous measurement of residual risk in SAP GRC Risk Management is based on control design assessment and control effectiveness testing results in SAP GRC Process Control (automated conversion into risk response completeness and risk response effectiveness ratings in SAP GRC Risk Management).

By integrating the two solutions, Risk Managers will be able to use specific Key Risk Indicators (belonging to the “Control effectiveness indicators” KRI category) defined in SAP GRC Process Control. These indicators will be used as “Escalation Triggers” and will track the effective operation of controls that have been considered as “risk responses” in SAP GRC Risk Management in order to mitigate some financial and operational risks.

The Activity hierarchy in SAP GRC Risk Management is used to define different types of business activities (business processes, projects, initiatives, etc.) that require risk management monitoring and action. It is possible to reuse the existing business process hierarchy from SAP GRC Process Control in order to classify the organization’s risk-bearing business activities in SAP GRC Risk Management.

By integrating the two solutions, you will be able to assign risks to specific business processes defined in SAP GRC Process Control without having to manually populate the Activity Hierarchy master data in SAP GRC Risk Management. Risk reporting can be done at Activity level (overview of risk exposure by Activity Category).
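To make the residual-risk and escalation-trigger flow above concrete, the following is an added Python model (not SAP’s code and not the documented RM/PC conversion): control design assessment and effectiveness test results feed response completeness and effectiveness ratings, those derive a residual heat-map rating from the inherent one, and a "control test failure rate" KRI with an assumed tolerance acts as the escalation trigger. Scoring bands, the mitigation formula, the tolerance and the sample control results are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List

KRI_TOLERANCE = 0.2  # assumed tolerance for the "control test failure rate" KRI


def heat_map_rating(score: int) -> str:
    """Map a likelihood x impact score (1..25) to H/M/L (assumed bands)."""
    if score >= 15:
        return "H"
    return "M" if score >= 8 else "L"


@dataclass
class ControlResult:
    """PC control design assessment and effectiveness test outcome (constructed)."""
    control_id: str
    design_adequate: bool  # control design assessment result
    tests_passed: int      # control effectiveness testing results
    tests_total: int

    def pass_rate(self) -> float:
        return self.tests_passed / self.tests_total if self.tests_total else 0.0


@dataclass
class Risk:
    risk_id: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (minor) .. 5 (severe)
    responses: List[ControlResult] = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def response_completeness(self) -> float:
        """Share of assigned controls whose design was assessed as adequate."""
        if not self.responses:
            return 0.0
        return sum(c.design_adequate for c in self.responses) / len(self.responses)

    def response_effectiveness(self) -> float:
        """Mean test pass rate over adequately designed controls only."""
        good = [c for c in self.responses if c.design_adequate]
        return sum(c.pass_rate() for c in good) / len(good) if good else 0.0

    def residual_score(self) -> int:
        """Assumed model: responses cut likelihood by completeness x effectiveness."""
        mitigation = self.response_completeness() * self.response_effectiveness()
        residual_likelihood = max(1, round(self.likelihood * (1 - mitigation)))
        return residual_likelihood * self.impact


def assess(risk: Risk) -> dict:
    """Ratings plus escalation triggers from control-effectiveness KRIs."""
    escalations = [c.control_id for c in risk.responses
                   if 1 - c.pass_rate() > KRI_TOLERANCE]  # failure-rate KRI
    return {
        "inherent": heat_map_rating(risk.inherent_score()),
        "residual": heat_map_rating(risk.residual_score()),
        "escalations": escalations,
    }


# Constructed sample: risk [O9] with two PC controls assigned as responses.
SAMPLE_RISK = Risk("O9", likelihood=4, impact=5, responses=[
    ControlResult("CTRL-A", True, 9, 10),   # adequate design, 90% of tests passed
    ControlResult("CTRL-B", False, 5, 10),  # design gap, half the tests failed
])
```

For the sample, the inherent rating is H, the residual rating is M, and CTRL-B trips the escalation trigger because its failure rate exceeds the tolerance.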
8. SAP GRC Risk Management Implementation Case Study Overview

Quick facts
• Industry: Electric Power Distribution / Heavy Construction
• SAP® solutions: SAP GRC Risk Management 3.0 & SAP GRC Process Control 3.0
• Implementation partner: PricewaterhouseCoopers

Current State
• Our client was managing risks in a fragmented environment (extensive manual efforts and inconsistent processes across the organization) and was looking for a solution to standardize the risk management process and streamline cross-enterprise risk identification, analysis and monitoring.
• Conducting Proof-of-Concept and deployment planning to roll out the SAP GRC Risk Management solution across all organisations.

Objectives
• Consolidate risks at higher levels of the organization (“global” Risk Heat Map and Risk Profile) and incorporate risk management processes in strategic and operational decision making and planning.
• Implement Key Risk Indicators in order to provide early warning signals for Risk owners/managers.
• Design a proactive risk management system that will guide Risk Owners in assessing and rating risk level through a unified and automated approach.

Implementation Highlights
• Developed the SAP GRC Risk Management configuration rationale & design document to gain agreement from stakeholders on the functionality to be implemented.
• Designed and configured complex business rules within the Business Rule Framework Workbench solution (BRFplus*) in order to appropriately shape the key risk indicator monitoring and analysis model in SAP GRC Risk Management.
• Conducted functional workshops to enable functional leads to gain insight into SAP GRC Risk Management key functionalities (including scenario & Monte-Carlo analysis, integration with SAP GRC Process Control to implement and monitor risk mitigation responses through control assignment, Incident Management, Key Risk Indicator management, etc.).
• Empowered project core team members throughout the project and provided specific learning to be incorporated into a full-scale roll-out plan.

* BRFplus is the SAP NetWeaver rule engine, written in ABAP, that allows building complex calculation and modelling logic. The solution is delivered with SAP GRC Risk Management.
9. Why PricewaterhouseCoopers?

PwC designed the SAP GRC Risk Management Implementation Program to address the challenges facing organizations that are implementing Risk Management processes in SAP GRC Risk Management. A systematic approach with incremental steps will help ensure that a sustainable Risk Management program, in line with leading practices, is developed in SAP GRC Risk Management and adopted across your organization.

Our Accelerated SAP GRC Risk Management program (AccelerateRM) leverages PwC’s Transform and Global Risk Management methodologies and is tailored to SAP’s Global ASAP implementation methodology.

Development of a wide range of intellectual property and accelerators brings speed and experience to every SAP GRC Risk Management implementation project.

By leveraging knowledge and lessons learned across other SAP GRC projects, our unique Centre of Excellence team will assist you throughout the SAP GRC Risk Management implementation life cycle.

Proven SAP GRC Risk Management (version 3.0) implementation experience.
AccelerateRM program

The program phases (Assess, Design, Construct, Implement, Operate & Review) are aligned with the five ASAP phases: 1 Project Preparation, 2 Business Blueprint, 3 Realisation, 4 Final Preparation, 5 Go Live & Support.

Assess
• Understand the "As-Is" risk management model. Build prototype and develop business case.
• Define and validate project scope & team.
• Develop AccelerateRM program for implementation.

Design
• Design Risk Management specific processes and operating model to be implemented.
• Create Business Blueprint to meet client’s requirements.
• Design Change Management approach and Communication Plan.

Construct
• Build and implement Risk Indicator framework.
• Build and implement Risk Correlation model.
• Build and implement business rules as risk responses.

Implement
• Perform readiness check and implement across selected organization and processes.
• Transition ownership to client.

Operate & Review
• Go-Live Support.
• Develop and execute plan to expand and optimize system functionalities.
• Provide continuous assistance in developing leading risk indicators.