Surviving in a Riskier World with a Governance Risk and Compliance Strategy


Oct 31, 2013


Surviving in a Riskier World with a Governance Risk and Compliance Strategy




Patrick Wang

GRC Business Development APJ

© 2013 SAP AG. All rights reserved.


Agenda

Introduction

GRC solutions

Risk Management

Internal Controls

Access Controls

Summary

Introduction


What is GRC?

Brakes

Seatbelts

Car seats

Airbags

Maintenance records

Temperature gauge

Fuel gauge

Crash avoidance


GRC involves these elements and many others…

Compliance

Audit

Risk

Monitoring

Access risk management

Policy

Global trade compliance

Legal

Quality

EH&S


Can your organization answer these questions?

What risks impact your ability to perform?

What is the status of your compliance initiatives?

Does excessive access introduce opportunity for fraud and errors?

Are controls in place and shared across your organization?

Are risk responses ready and effective?

Are behaviors reflective of policies?


The cost is real

Compliance enforcement and poorly managed risk events are costly

Bribery and corruption, spills, explosions

Trading conflicts, currency manipulation, laundering, restricted trading parties

Off-label marketing, product recalls, price fixing

Conduct, transmission, ownership, manipulation, disruptions


Costs resulting from non-compliance can’t be ignored

Enforcement is 2.7 times higher than investing in compliant processes

Investing in compliant processes: $3.5 Million
Enforcement (non-compliance): $9.4 Million

Source: Ponemon Institute LLC, The True Cost of Compliance 2011


Control failures / risk event: but what’s the hidden cost?

Lowers customer satisfaction
Reduces investor confidence
Raises business costs
Increases scrutiny

Performance impact: unachieved objectives, disrupts operations


Conversely, there is potential for a positive impact: controls enhance performance

Brand enhanced
Opportunities identified
Risks anticipated and managed
Customer demands met
Major disruptions avoided
Shareholder value attained

Optimized performance


SAP GRC customers are seeing a positive impact

Optimizing Performance:
Grew through financial crisis
Discovered new oil reserves

Minimizing risk and non-compliance events:
World’s largest dairy exporter
Expanding global dairy trade in a compliant manner
17% growth of net profit

SAP GRC Solutions


SAP capabilities for GRC

GRC Shared Compliance Platform: Hierarchies, Policies, Controls, Risk Response, Product Updates, User Experience

SAP Solutions for GRC

Monitor: Risk Indicators, Controls, Transactions, ERP Configuration, Events

Manage: Risk, Compliance, Audit, Policy, Access, Trade

Analyze: Dashboards and Visualization, Non-compliance, Effectiveness, Exceptions


Key solutions for success

SAP GRC solutions translate capabilities into value

GRC Shared Compliance Platform: Hierarchies, Policies, Controls, Risk Response, Product Updates, User Experience

SAP Solutions for GRC: SAP Audit Management, SAP Risk Management, SAP Nota Fiscal Electronica, SAP Access Control, SAP Process Control, SAP Global Trade Services

Mobile: SAP Access Approver (mobile), SAP Policy Survey (mobile), SAP Sanction-Party List (mobile)

Reporting & Analytics




GRC for Industries and LoBs

NATIVE SAP ERP integration and integration to non-SAP ERP

Others

Legacy

SAP

Risk Management


SAP Risk Management: preserve and grow value

Plan risk management within the context of value to the organization

Link risks, risk drivers, risk indicators, impacts and responses

Analyze risk via scenarios, modeling, & other factors to understand exposure

Respond to risk after balancing costs and benefits

Monitor thresholds, effectiveness of risk responses, and corrective actions


Risk Heatmap
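The risk register, indicator linking and heat map that the Risk Management slide and the heat-map slide describe, as an added example; this is not SAP Risk Management code and not from this deck. It links each risk to its drivers, key risk indicators (KRIs) with thresholds, likelihood and impact ratings, and responses of the kinds the deck lists (Reduce, Control, Avoid, Accept, Transfer); scores inherent and residual risk; places risks in heat-map bands; and reports indicators that have breached their threshold. The 1 to 5 rating scales, the band cut-offs, the sample risks and the indicator values are constructed assumptions.

```python
"""Risk register with linked indicators, responses and a heat map.

Added example, not SAP Risk Management code. Each risk links its drivers,
key risk indicators (KRIs) with thresholds, a likelihood/impact rating and
its responses, as the Risk Management slide describes. The functions score
inherent and residual risk, place risks on a heat map, and report KRIs that
have breached threshold. The 1..5 scales, band cut-offs, risk entries and
indicator values are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class KRI:
    name: str
    threshold: float
    current: float

    def breached(self):
        return self.current > self.threshold


@dataclass
class Response:
    kind: str                      # Reduce, Control, Avoid, Accept, Transfer
    description: str
    likelihood_reduction: int = 0  # rating points the response removes
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    name: str
    drivers: list
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (minor) .. 5 (severe)
    indicators: list = field(default_factory=list)
    responses: list = field(default_factory=list)

    def inherent(self):
        return self.likelihood, self.impact

    def residual(self):
        # Responses lower the rating, never below 1: risk is reduced, not erased.
        l = max(1, self.likelihood - sum(r.likelihood_reduction for r in self.responses))
        i = max(1, self.impact - sum(r.impact_reduction for r in self.responses))
        return l, i


def heat_band(likelihood, impact):
    score = likelihood * impact            # 1..25 on the assumed scales
    if score >= 15:
        return "red"
    if score >= 6:
        return "amber"
    return "green"


def build_heatmap(risks, residual=True):
    """Map each band to the risk ids in it, highest score first."""
    bands = {"red": [], "amber": [], "green": []}
    rated = [(r, r.residual() if residual else r.inherent()) for r in risks]
    for r, (l, i) in sorted(rated, key=lambda x: -(x[1][0] * x[1][1])):
        bands[heat_band(l, i)].append(r.risk_id)
    return bands


def breached_indicators(risks):
    """Threshold breaches across the register: (risk id, KRI, current, threshold)."""
    return [(r.risk_id, k.name, k.current, k.threshold)
            for r in risks for k in r.indicators if k.breached()]


# Constructed register; drivers and controls echo the deck's procure-to-pay example.
REGISTER = [
    Risk("R1", "Fraudulent invoices paid",
         drivers=["overuse of one-time vendors", "SoD conflicts in accounts payable"],
         likelihood=4, impact=5,
         indicators=[KRI("one-time vendor invoices per month", threshold=20, current=37),
                     KRI("open SoD violations", threshold=0, current=3)],
         responses=[Response("Control", "AP SoD rules in Access Control", likelihood_reduction=1),
                    Response("Control", "Review of new vendors and related invoice support",
                             likelihood_reduction=1)]),
    Risk("R2", "Valid invoices not entered",
         drivers=["uninvoiced goods receipts"], likelihood=3, impact=2,
         indicators=[KRI("goods receipts uninvoiced over 30 days", threshold=10, current=4)],
         responses=[Response("Control", "Review of uninvoiced goods receipts", likelihood_reduction=1)]),
    Risk("R3", "Shipment to a restricted trading party",
         drivers=["incomplete sanction-party screening"], likelihood=2, impact=5,
         indicators=[KRI("unscreened shipments (%)", threshold=1.0, current=0.4)],
         responses=[Response("Avoid", "Block shipments until screening completes", impact_reduction=3)]),
]

if __name__ == "__main__":
    print("inherent:", build_heatmap(REGISTER, residual=False))
    print("residual:", build_heatmap(REGISTER))
    for breach in breached_indicators(REGISTER):
        print("KRI breached:", breach)
```

Comparing the inherent and residual maps shows what the linked responses buy: R1 drops from red to amber once the SoD rules and the new-vendor review are counted, while its two breached indicators say the responses are not yet effective in practice, which is exactly the "monitor thresholds and effectiveness of risk responses" step on the slide.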


First level

Second level


Third level


Response Plan

Internal Controls


SAP Process Control: ensure effective controls and on-going compliance

Document controls and policies centrally; map to key regulations and impacted organizations

Perform periodic risk assessments to determine scope and test strategies

Evaluate control design and effectiveness; raise and remediate issues

Perform automated, exception-based monitoring of ERP systems

Support decisions and promote accountability with insightful analytics and sign-off


Business Pain: Overuse of One-Time Vendors

One-time vendors: generally used to limit admin burden for infrequently used vendors

Bypassing controls: may be used to bypass ERP controls related to vendor maintenance and payment

Implications: non-compliance with company policies, fraud, errors, inadequate vendor history, …

Excerpt from above:

One-time vendor records shall be used for all payments made to vendors that are paid on a one-time basis or very infrequently and that are not established in the SAP Vendor Master Database.

The Bureau of Financial Management performs a periodic analysis of the payments posted to one-time vendor records to determine if a permanent vendor master record should be established.


Solution: Automating One-Time Vendor Review

What the business rule does: uses the new grouping and aggregation feature to group AP invoices for one-time vendors, presenting both the sum and the count of the invoices

What the customer does: schedules, on a recurring basis, a semi-automated activity to verify that one-time vendors are being used appropriately
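The recurring one-time vendor review just described, as an added example; this is not SAP's business rule and not code from this deck. It groups AP invoices posted to one-time vendor accounts by the bank account entered at posting time, presents the sum and count per payee (the grouping and aggregation the slide mentions), and flags payees that exceed a count or amount threshold in the review period, or whose bank account already exists on a permanent vendor master record, which is the control bypass the previous slide warns about. The account numbers, field names, thresholds and invoice records are constructed assumptions.

```python
"""Recurring review of one-time vendor (OTV) usage in accounts payable.

Added example, not SAP code. Invoices posted to a one-time vendor account
are grouped by the bank account typed at posting time, because the payee
name is free text and varies between postings; each group carries the sum
and count of its invoices plus the names seen. Thresholds, account numbers
and the sample invoices are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed one-time vendor (collective) account numbers in the ERP.
ONE_TIME_VENDOR_ACCOUNTS = {"OTV001"}

# Constructed permanent vendor master: normalized bank account -> vendor number.
VENDOR_MASTER_BANK_ACCOUNTS = {"DE02100100109307000000": "V10042"}


@dataclass(frozen=True)
class Invoice:
    doc_no: str
    vendor_account: str   # account the invoice was posted to
    payee_name: str       # free-text name entered for a one-time vendor
    bank_account: str     # bank details entered at posting time
    amount: float
    posting_date: date


# Constructed sample AP invoices (not real records).
INVOICES = [
    Invoice("5100000001", "OTV001", "Acme Consulting", "DE02 1001 0010 9307 0000 00", 4800.00, date(2013, 9, 3)),
    Invoice("5100000002", "V10042", "Acme Consulting GmbH", "DE02100100109307000000", 1200.00, date(2013, 9, 5)),
    Invoice("5100000003", "OTV001", "ACME Consulting", "DE02100100109307000000", 4900.00, date(2013, 9, 17)),
    Invoice("5100000004", "OTV001", "Acme consulting ", "de02100100109307000000", 4700.00, date(2013, 10, 1)),
    Invoice("5100000005", "OTV001", "Jane's Catering", "DE89370400440532013000", 350.00, date(2013, 10, 4)),
    Invoice("5100000006", "OTV001", "Town Hall Venue Hire", "GB29NWBK60161331926819", 900.00, date(2013, 10, 8)),
]


def normalize_bank_account(value):
    # Strip spacing and case so one account entered three ways groups once.
    return "".join(value.split()).upper()


def normalize_name(value):
    return " ".join(value.split()).lower()


def aggregate_one_time_vendors(invoices, since=None, otv_accounts=ONE_TIME_VENDOR_ACCOUNTS):
    """Group OTV invoices by bank account -> {count, total, names, docs}."""
    groups = defaultdict(lambda: {"count": 0, "total": 0.0, "names": set(), "docs": []})
    for inv in invoices:
        if inv.vendor_account not in otv_accounts:
            continue                      # postings to permanent vendors are out of scope
        if since is not None and inv.posting_date < since:
            continue                      # outside the review period
        g = groups[normalize_bank_account(inv.bank_account)]
        g["count"] += 1
        g["total"] = round(g["total"] + inv.amount, 2)
        g["names"].add(normalize_name(inv.payee_name))
        g["docs"].append(inv.doc_no)
    return dict(groups)


def review_one_time_vendors(invoices, since=None, max_count=2, max_total=5000.0,
                            vendor_master=VENDOR_MASTER_BANK_ACCOUNTS):
    """Findings for payees that should not be paid through a one-time account."""
    findings = []
    for bank, g in aggregate_one_time_vendors(invoices, since).items():
        reasons = []
        if g["count"] > max_count:
            reasons.append(f"{g['count']} invoices in period exceeds {max_count}: permanent vendor record indicated")
        if g["total"] > max_total:
            reasons.append(f"total {g['total']:.2f} exceeds {max_total:.2f}")
        if bank in vendor_master:
            reasons.append(f"bank account already on vendor master {vendor_master[bank]}: "
                           "one-time account bypasses vendor maintenance controls")
        if reasons:
            findings.append({"bank_account": bank, "names": sorted(g["names"]), "count": g["count"],
                             "total": g["total"], "docs": g["docs"], "reasons": reasons})
    return sorted(findings, key=lambda f: -f["total"])


if __name__ == "__main__":
    for f in review_one_time_vendors(INVOICES, since=date(2013, 9, 1)):
        print(f["bank_account"], f["count"], f["total"], f["names"])
        for r in f["reasons"]:
            print("  -", r)
```

Keying on the normalized bank account rather than the typed name is the design decision that matters: the three Acme postings would split into three groups on name alone, and the same bank account sitting on a permanent vendor record is the strongest signal that the one-time account is being used to avoid vendor-master review.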

Access Controls


SAP Access Control: manage access risk and prevent fraud

Find and remediate SoD and critical access violations

Automate access assignments across SAP and non-SAP systems

Define and maintain roles in business terms

Certify access assignments are still warranted

Monitor emergency access and transaction usage

SAP_ALL

X

Legacy


Segregation of duties (SoD)

Create Vendor
Pay Vendor


Integrated GRC: Access Risk Management, Compliance Management, Risk Management; Develop and Package External Content

Enterprise Risk: Fraud

Responses: Reduce, Control, Avoid, Accept, Transfer

Regulations

Process: Procure to Pay (Vendor Mgmt, AP Invoicing)

Process Risks: Fraudulent invoices paid; Valid invoices not entered

Access Risks: User can enter vendor & PO; User can enter invoices & payments

Controls: Review of new vendors and related invoice support; AP SOD rules in AC; Review of uninvoiced goods receipts; Monitor Access Status; Mitigate Access Violations

Policies: Update and roll out strengthened security policy
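The segregation-of-duties check from the SoD slide (Create Vendor against Pay Vendor) and the access risks and controls of the integrated procure-to-pay slide above, as one added example; this is not SAP Access Control code and not from this deck. The access risks named on the slides are modelled as conflicting function pairs, roles are expressed in business terms as the functions they grant, and a user violates a rule when the roles assigned to them cover both sides. Violations that carry an assigned mitigating control are reported as mitigated rather than open, and roles that conflict on their own are listed for redesign. Every user, role, function, risk id and control id is constructed.

```python
"""Segregation-of-duties (SoD) analysis over user, role and function assignments.

Added example, not SAP Access Control code. Rules are conflicting function
pairs; roles grant sets of functions; a user violates a rule when the union
of functions from their roles holds both sides. Mitigating control
assignments turn a violation's status from open to mitigated. Users, roles,
functions, risk ids and control ids are constructed.
"""

# Constructed role -> functions granted (business-term functions, as on the slide).
ROLE_FUNCTIONS = {
    "Z_VENDOR_MASTER": {"CREATE_VENDOR"},
    "Z_PURCHASER": {"CREATE_PO"},
    "Z_AP_CLERK": {"ENTER_INVOICE"},
    "Z_AP_PAYMENTS": {"PAY_VENDOR"},
    "Z_SUPER_AP": {"CREATE_VENDOR", "ENTER_INVOICE", "PAY_VENDOR"},  # over-broad legacy role
}

# Constructed user -> assigned roles.
USER_ROLES = {
    "alice": {"Z_VENDOR_MASTER"},
    "bob": {"Z_AP_PAYMENTS"},
    "carol": {"Z_VENDOR_MASTER", "Z_AP_PAYMENTS"},
    "dave": {"Z_SUPER_AP"},
    "erin": {"Z_VENDOR_MASTER", "Z_PURCHASER"},
}

# Constructed SoD rule set: risk id -> (function A, function B, what the conflict allows).
SOD_RULES = {
    "P2P01": ("CREATE_VENDOR", "PAY_VENDOR", "create a vendor and pay it (fictitious vendor)"),
    "P2P02": ("CREATE_VENDOR", "CREATE_PO", "enter a vendor and purchase orders to it"),
    "P2P03": ("ENTER_INVOICE", "PAY_VENDOR", "enter an invoice and release its payment"),
}

# Constructed mitigating control assignments: (user, risk id) -> control id.
MITIGATIONS = {("carol", "P2P01"): "MC-AP-07"}  # e.g. monthly review of payments to new vendors


def user_functions(user, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """All functions a user holds through any assigned role."""
    funcs = set()
    for role in user_roles.get(user, ()):
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS,
                        rules=SOD_RULES, mitigations=MITIGATIONS):
    """Users holding both sides of a rule, with the roles granting each side."""
    violations = []
    for user in sorted(user_roles):
        funcs = user_functions(user, user_roles, role_functions)
        for risk_id, (fa, fb, allows) in rules.items():
            if fa in funcs and fb in funcs:
                # Which roles grant each side decides the remediation: remove one
                # assignment, or redesign a single role that grants both sides.
                granting = {f: sorted(r for r in user_roles[user] if f in role_functions.get(r, ()))
                            for f in (fa, fb)}
                control = mitigations.get((user, risk_id))
                violations.append({
                    "user": user, "risk": risk_id, "allows": allows,
                    "granting_roles": granting,
                    "status": "mitigated" if control else "open", "control": control,
                })
    return violations


def roles_with_inherent_conflicts(role_functions=ROLE_FUNCTIONS, rules=SOD_RULES):
    """Roles that violate a rule on their own; every holder is in violation."""
    result = {}
    for role, funcs in role_functions.items():
        hits = [risk_id for risk_id, (fa, fb, _) in rules.items() if fa in funcs and fb in funcs]
        if hits:
            result[role] = hits
    return result


if __name__ == "__main__":
    for v in find_sod_violations():
        print(f"{v['user']:6} {v['risk']} {v['status']:9} {v['allows']} via {v['granting_roles']}")
    print("roles to redesign:", roles_with_inherent_conflicts())
```

The two result lists map onto the slide's controls: open violations feed "Mitigate Access Violations" (assign a control or remove an assignment), mitigated ones feed "Monitor Access Status" (is the control still performed), and the inherent-conflict list is the role-redesign work behind "Define and maintain roles in business terms", since no mitigation on a user fixes a role that is itself a conflict.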


The SAP Difference

Unified GRC Platform: risk, compliance, audit, policy and internal control management

Proactive: integrated monitoring, continuous controls monitoring

Large Eco-system: industry-specific tailored solutions meeting your requirements

Proven: remarkable customers using essential solutions


The SAP Difference

Proven: remarkable customers using essential solutions

Thank You!

Patrick Wang
patrick.wang@sap.com
Business Development Manager APJ
Governance Risk and Compliance