Enterprise Risk Management using RM10 – Align to Your Goals and Actions

William Newman, MBA, CMC – Managing Principal, Newport Consulting Group

August 10, 2012, SAP Americas HQ

SAP Inside Track Newtown Square, PA


DESCRIPTION

Presentation from Aug 10, 2012 SAP Inside Track Newtown Square - Enterprise Risk Management using RM10 - Align to your Goals and Actions


Speaker Introduction

William D. Newman, CMC, MBA

• Managing Principal, Newport Consulting Group

• Member, SAP Sustainability Executive Advisory Council

• Certified Management Consultant (since 1995)

• Over 25 years in industry, professional services

• Recognized SAP BusinessObjects Influencer

• Adjunct faculty, Northwood University (International Management)

• Adjunct faculty, University of Oregon (Sustainability Leadership)

• Management Consulting Taskforce (Michigan Assn. of CPAs)

• Professional Speaker (American SAP User Group, SAP Insider, TEDx, Sustainable Business Forum, Michigan Assn. of CPAs); TEDx talk at http://www.youtube.com/watch?v=8BmLVpdWvFk

• Numerous articles on program oversight, stakeholder engagement, strategy, sustainable supply chain, social media

• Twitter (@william_newman)

• Google+ (+William Newman)

• Email [email protected]


Sessions today based on papers found in


See our presentation on Wednesday, September 12:

Session 0413: Increase Stakeholder Adoption by Leveraging Mobile Platform Applications

Discussion Points

• Understanding the basis for Enterprise Risk Management

• Executive Challenges Aligning to Goals and Actions

• SAP Risk Management 10 Platform for ERM

• Considerations for Audit Practices

• Considerations for functional risk management activities

• Links and References

• Key Take-away Points

• Summary and Discussion

Understanding ERM


Enterprise Risk Management represents a company-wide approach to risk management activities in a holistic, pragmatic, and managed approach across multiple company operations, functions, and activities. - As abstracted from the Global Accenture Risk Management Report 2011 by Newport Consulting Group


ERM objectives typically include some or all of the following:

• Aligning Risk Appetite and Strategy

• Enhancing Risk Response Decisions

• Reducing Operational Surprises and Losses

• Identifying and Managing Multiple Cross Enterprise Risks

• Seizing Opportunities

• Improving Deployment of Capital

Source: SAP, 2012 as modified by Newport Consulting Group

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.


Executive Challenges


Challenges remain as to motive, satisfaction and capabilities…

Source: Discontinuity of risk management practices, in terms of demand, satisfaction, and board level understanding (various sources: The Economist Intelligence Unit Survey, Ascending the Maturity Curve (March, 2011); McKinsey Global Survey, Governance since the Economic Crisis (March, 2011); Report on the 2011 Accenture Global Risk Management Study (February, 2011))


… which suggests a certain “call to action” for executives.

Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.

“Practical knowledge of risk management concepts and principles are needed in the corporate environment as never before, and executives have created demand for this knowledge. How this knowledge is crafted into ERM practices, standards, and guidelines inside of corporate policy is open for revision.”


SAP ERM Platform


SAP recognizes there are 3 primary reasons for ERM failure:

1. ERM is not linked to fundamental value drivers of the business

2. Shareholder devaluation occurs based on measuring nonproductive drivers

3. ERM is not focused significantly or deeply enough on the broad “value-killer, fat-tail” risks

Source: The Executive Dilemma: How to Increase Enterprise Risk Management Performance? GRC Expert, 2012.


Source: SAP, 2012. ILLUSTRATIVE ONLY


Source: SAP, 2012.


Source: SAP, 2012.

SAP Risk Management 10 offers a new “graphical view” that portrays risks in bow tie format, including risk drivers and impacts.


Source: SAP, 2012.

The Bow Tie Builder graphical view allows specific risk driver and impact descriptions meaningful to specific organizations.


Source: SAP, 2012.

Risk actions – such as mitigations – may be added from the Bow Tie Builder.


Source: SAP, 2012.

You can identify specific areas of the risk, associated with organizations and processes. A common mitigation action is an audit program; let’s see how RM10 works to support audit programs and functional risk areas.


Audit Practices


Business Audits are gaining popularity as a risk management function across a number of different functions including:

• Information Technology (SAS 70, SSAE 16)

• Financial Management processes (SOX 404, Dodd-Frank)

• Information Use (ITAR, security constraints)

• Sustainability (LEED, SA 8000, Natural Step, GRI)

• Assurance activities (AA 1000)

• Quality Management processes (ISO 9000, CAPA, APQP)

• Environmental Management processes (ISO 14000)

• Product Compliance Regulations (ROHS, REACH, ELV)

• Treasury Management and Currency Exchange (SWIFT)

Audits are not just for IT system management anymore!


Regardless of the business function or processes, most agree the audit format contains several common stages and activities.

• Pre-audit Assessment

• Initiate Audit Activities

• Conduct Field Work

• Develop Working Papers

• Prepare Audit Findings

• Deliver Exit Conference

• Prepare and Distribute Final Report

Planning, Execution, Findings, Corrective Actions

Source: Adapted from IIA, University of Illinois materials, as modified by Newport Consulting Group.


SAP NetWeaver’s audit management allows full program life cycle management for internal audit activities, including:

• Information Technology

• Management Systems, and

• Financial Operations

As part of the SAP NetWeaver platform, SAP NetWeaver’s audit management connects seamlessly with specific SAP modules such as

• SAP ERP Project System

• SAP ERP HCM

• SAP Risk Management

New enhancements are available as part of the SAP BusinessObjects GRC 10.0 release!

Note: SAP NetWeaver’s audit management ships with the SAP NetWeaver platform as part of the SAP BusinessSuite 7.0 release

Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)


In this example we can associate an Accounts Payable audit with both financial operations and even treasury risks if involving foreign currencies and operating units.

Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)


BusinessObjects Access Control and SAP BusinessObjects Process Control can be used to allow the audit team to have access to in-process documents and records without making this information available to the other members of an organization, until such time as it is formally published.

Source: How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (2011)

• During the execution stage of an audit, work papers often suggest corrective or preventive actions in real time.

• SAP NetWeaver audit management allows you to identify these work papers and capture remediation actions on the fly so that these can be automatically summarized in the findings report.


Functional Risk Management


Functional Risk Management can look at many areas, including supply chain disruptions due to disasters, business continuity, and sociopolitical risk…

Source: Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010).


… which can then roll-up and into a broader ERM program environment, providing transparency and proactive management.

Source: Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010).

SAP BusinessObjects Supply Chain Performance Management 2.0, which is now in ramp-up, allows for supply chain risks to be mapped to RM10 as part of an overall ERM program portfolio. These risks can also be associated with key risk indicators (KRIs) which can impact financial and operational performance targets.


Source: Managing Risk in the Organization Using the SCOR Methodology, Supply Chain Council (2008)

The Supply Chain Council SCOR model includes a supply chain risk perspective (SCRP) which pre-defines risk categories which are common to an Enterprise Risk Management program.

The SCOR model and the SCRP framework are already structured inside SCPM 2.0. SAP has earned several awards from the Supply Chain Council for this solution approach.

Supply Chain Risk Perspective Supply Chain Council SCOR Model


In this example we can link a risk from RM10 into performance measurements and operational data found in SCPM 2.0

Source: Manage Supply Chain Risks Using Supply Chain Management 2.0, GRC Expert (2012)


Links and References


• Newman, William. Understanding SAP BusinessObjects Enterprise Performance Management, Galileo Press (2010)

• Newman, William. Reduce Risk in your Supply Chain with Supply Chain Performance Management, GRC Expert (March 12, 2010) login required

• Newman, William. How SAP Solutions Can Make the Audit Process More Cost-effective, GRC Expert (October 4, 2011) login required

• Newman, William. Increase Enterprise Risk Management Performance with Risk Management 10.0, GRC Expert (April 18, 2012) login required

• Newman, William. The Bow Tie Builder Tool, GRC Expert (May 1, 2012) login required

• Newman, William. Supply Chain Management 2.0 Offers Better Integration, Analytics, searchSAP.com (March 21, 2012)

• Stackpole, Beth. Deploying Supply Chain Management Software Hinges on Breadth, Depth, Integration, searchManufacturingERP.com (April 18, 2012)

• Stackpole, Beth. Ripe with Opportunity, Global Supply Chain also Brings Substantial Risk, searchManufacturingERP.com (March 14, 2012)


Key Take-away Points

1. There is a great need for Enterprise Risk Management (ERM) – and a lot of confusion as to what this means. This creates significant opportunity for SAP and its partners.

2. SAP Risk Management 10.0 offers a great platform to build, manage, and assess the effectiveness of an ERM program.

3. As part of mitigation activities, organizations are looking towards audits to build these actions into their ERM programs. SAP NetWeaver Audit Management offers easy to use connections into RM10 and other GRC tools.

4. Functional risk management allows deeper dives into specific processes, functions and operational activities in the organization.

5. SAP Supply Chain Performance Management 2.0 – now in ramp up – allows for quick integration to RM10 risk activities while leveraging the Supply Chain Council SCOR model and SCRP framework.


Summary and Discussion


Thank you for participating.

Please feel free to provide feedback on this session via chat, email, Twitter or on SCN.

Visit us and learn more at www.newportconsgroup.com