
Surviving in a Riskier World with a Governance Risk and Compliance Strategy


Presentation Transcript


  1. Surviving in a Riskier World with a Governance Risk and Compliance Strategy Patrick Wang GRC Business Development APJ

  2. Agenda • Introduction • GRC solutions • Risk Management • Internal Controls • Access Controls • Summary

  3. Introduction

  4. What is GRC? • Airbags • Seatbelts • Temperature gauge • Fuel gauge • Car seats • Brakes • Crash avoidance • Maintenance records

  5. GRC involves these elements and many others… • Compliance • Global trade compliance • Legal • Audit • Quality • Risk • Policy • Monitoring • Access risk management • EH&S

  6. Can your organization answer these questions? • What risks impact your ability to perform? • What is the status of your compliance initiatives? • Does excessive access introduce opportunity for fraud and errors? • Are controls in place and shared across your organization? • Are risk responses ready and effective? • Are behaviors reflective of policies?

  7. The cost is real: Compliance enforcement and poorly managed risk events are costly • Conduct, transmission, ownership, manipulation, disruptions • Bribery and Corruption, Spills, Explosions • Off-label marketing, product recalls, price fixing • Trading conflicts, currency manipulation, laundering, restricted trading parties

  8. Costs resulting from non-compliance can’t be ignored: Enforcement is 2.7 times higher than investing in compliant processes ($9.4 Million vs. $3.5 Million). Source: Ponemon Institute LLC, The True Cost of Compliance, 2011

  9. But what’s the hidden cost? Control failures / Risk event: • Disrupts operations • Lowers customer satisfaction • Reduces investor confidence • Increases scrutiny • Raises business costs • Unachieved objectives (Performance Impact)

  10. Conversely, there is potential for a positive impact: Optimized Performance • Shareholder value attained • Brand enhanced • Customer demands met • Major disruptions avoided • Controls enhance performance • Risks anticipated and managed • Opportunities identified

  11. SAP GRC customers are seeing a positive impact: Optimizing Performance • Grew through financial crisis • Discovered new oil reserves • Minimizing risk and non-compliance events • World’s largest dairy exporter • Expanding global dairy trade in a compliant manner • 17% growth of net profit

  12. SAP GRC Solutions

  13. SAP capabilities for GRC (SAP Solutions for GRC) • Analyze: Dashboards and Visualization; Non-compliance; Effectiveness; Exceptions • Monitor: ERP Configuration; Events; Risk Indicators; Transactions; Controls • Manage: Risk; Compliance; Audit; Policy; Access; Trade • GRC Shared Compliance Platform: Controls; Hierarchies; Policies; Risk Response; Product Updates; User Experience

  14. Key solutions for success: SAP GRC solutions translate capabilities into value • Reporting & Analytics • SAP Solutions for GRC: SAP Global Trade Services; SAP Process Control; SAP Access Control; SAP Audit Management; SAP Risk Management; SAP Nota Fiscal Electronica • Mobile: SAP Policy Survey; SAP Access Approver; SAP Sanction-Party List • GRC Shared Compliance Platform: Controls; Hierarchies; Policies; Risk Response; Product Updates; User Experience


  16. Key solutions for success: SAP GRC solutions translate capabilities into value • GRC for Industries and LoBs • Reporting & Analytics • SAP Solutions for GRC: SAP Global Trade Services; SAP Process Control; SAP Access Control; SAP Audit Management; SAP Risk Management; SAP Nota Fiscal Electronica • Mobile: SAP Policy Survey; SAP Access Approver; SAP Sanction-Party List • GRC Shared Compliance Platform: Controls; Hierarchies; Policies; Risk Response; Product Updates; User Experience • Native SAP ERP integration and integration to non-SAP ERP (SAP, Legacy, Others)

  17. Risk Management

  18. SAP Risk Management: Preserve and grow value • Plan: Plan risk management within the context of value to the organization • Link: Link risks, risk drivers, risk indicators, impacts and responses • Analyze: Analyze risk via scenarios, modeling, & other factors to understand exposure • Respond: Respond to risk after balancing costs and benefits • Monitor & Report: Monitor thresholds, effectiveness of risk responses, and corrective actions

  19. Risk Heatmap

  20. First level • Second level • Third level

  21. Response Plan

  22. Internal Controls

  23. SAP Process Control: Ensure effective controls and on-going compliance • Document: Document controls and policies centrally; map to key regulations and impacted organizations • Scope: Perform periodic risk assessments to determine scope and test strategies • Evaluate: Evaluate control design and effectiveness; raise and remediate issues • Monitor: Perform automated, exception-based monitoring of ERP systems • Report: Support decisions and promote accountability with insightful analytics and sign-off

  24. Business Pain: Overuse of One-Time Vendors • One-time vendors: generally used to limit admin burden for infrequently used vendors • Bypassing controls: may be used to bypass ERP controls related to vendor maintenance and payment • Implications: non-compliance with company policies; fraud; errors; inadequate vendor history; … Excerpt from above: “One-time vendor records shall be used for all payments made to vendors that are paid on a one-time basis or very infrequently and that are not established in the SAP Vendor Master Database. The Bureau of Financial Management performs a periodic analysis of the payments posted to one-time vendor records to determine if a permanent vendor master record should be established.”

  25. Solution: Automating One-Time Vendor Review • What the business rule does • Uses new grouping and aggregation feature to group AP invoices for one-time vendors, presenting both the sum and the count of the invoices • What the customer does • Customer schedules on a recurring basis to trigger semi-automated activity to verify one-time vendors are being used appropriately

  26. Access Controls

  27. SAP Access Control: Manage access risk and prevent fraud • Analyze Risk: Find and remediate SoD and critical access violations • Manage Access: Automate access assignments across SAP and non-SAP systems (Legacy) • Certify Authorizations: Certify access assignments are still warranted • Maintain Roles: Define and maintain roles in business terms (not SAP_ALL) • Monitor Privileges: Monitor emergency access and transaction usage

  28. Segregation of duties (SoD): Create Vendor vs. Pay Vendor
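The Create Vendor vs. Pay Vendor conflict on this slide, and the "find and remediate SoD violations", "mitigate access violations" and preventive "manage access" steps of the two surrounding slides, come down to one evaluation: map each user's roles to the business functions they can execute, then test the user against a ruleset of function pairs that must not sit in one pair of hands. The block below is an added example written for this page, not SAP Access Control code; the function-to-action mapping, the rule ids, the roles, users and the mitigating control are all constructed. It also shows the check run before an assignment is made, which is what lets a detective report become a preventive control.

```python
"""Segregation-of-duties analysis over role assignments (added example, not SAP code)."""

# Business functions and the (constructed) actions that realise them.
FUNCTIONS = {
    "CREATE_VENDOR": {"vendor.create", "vendor.change_bank"},
    "PAY_VENDOR": {"payment.run", "payment.release"},
    "ENTER_INVOICE": {"invoice.post"},
}

# SoD ruleset: pairs of functions one user must not hold together (constructed ids).
SOD_RULES = {
    "P2P-01": ("CREATE_VENDOR", "PAY_VENDOR"),
    "P2P-02": ("CREATE_VENDOR", "ENTER_INVOICE"),
    "P2P-03": ("ENTER_INVOICE", "PAY_VENDOR"),
}

# Roles -> actions they grant (constructed).
ROLES = {
    "Z_VENDOR_MAINT": {"vendor.create", "vendor.change_bank"},
    "Z_AP_CLERK": {"invoice.post"},
    "Z_TREASURY": {"payment.run", "payment.release"},
    "Z_DISPLAY_ALL": {"vendor.display", "invoice.display"},
}

# Users -> assigned roles (constructed).
USERS = {
    "amara": {"Z_VENDOR_MAINT", "Z_DISPLAY_ALL"},
    "bo": {"Z_AP_CLERK", "Z_TREASURY"},
    "chen": {"Z_VENDOR_MAINT", "Z_TREASURY"},
    "dee": {"Z_DISPLAY_ALL"},
}

# Accepted violations with a mitigating control assigned (constructed).
MITIGATIONS = {("bo", "P2P-03"): "CTRL-17: monthly independent payment-run review"}


def functions_held(user_roles, roles=ROLES, functions=FUNCTIONS):
    """Map each business function the user can execute to the roles granting it.
    Holding any one action of a function counts: one action is enough to act."""
    held = {}
    for role in user_roles:
        for func, actions in functions.items():
            if roles.get(role, set()) & actions:
                held.setdefault(func, set()).add(role)
    return held


def sod_violations(users=USERS, rules=SOD_RULES, mitigations=MITIGATIONS):
    """Every (user, rule) pair where the user holds both functions of the rule."""
    findings = []
    for user, user_roles in sorted(users.items()):
        held = functions_held(user_roles)
        for rule_id, (f1, f2) in rules.items():
            if f1 in held and f2 in held:
                findings.append({
                    "user": user, "rule": rule_id, "functions": (f1, f2),
                    "roles": sorted(held[f1] | held[f2]),
                    "mitigation": mitigations.get((user, rule_id)),  # None = unmitigated
                })
    return findings


def simulate_assignment(user, new_role, users=USERS, rules=SOD_RULES):
    """Preventive check: rule ids the user would newly violate if new_role were added."""
    current = users.get(user, set())
    before = {f["rule"] for f in sod_violations({user: current}, rules, {})}
    after = {f["rule"] for f in sod_violations({user: current | {new_role}}, rules, {})}
    return sorted(after - before)


if __name__ == "__main__":
    for f in sod_violations():
        status = "mitigated by " + f["mitigation"] if f["mitigation"] else "UNMITIGATED"
        print(f"{f['user']}: {f['rule']} {f['functions']} via {f['roles']} :: {status}")
    print("adding Z_AP_CLERK to chen would introduce:", simulate_assignment("chen", "Z_AP_CLERK"))
```

Counting a function as held when any one of its actions is granted is the conservative choice; it over-reports rather than letting a partially granted function slip through. An unmitigated finding is remediated by removing a role; a finding the business accepts stays visible in the report with its mitigating control attached, so the Monitor Access Status step has something to check.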

  29. Integrated GRC: Develop and Package External Content • Enterprise Risk: Fraud • Responses: Transfer; Accept; Avoid; Control / Reduce • Risk Management; Compliance Management; Access Risk Management • Process: Procure to Pay (Vendor Mgmt; AP Invoicing) • Process Risks: Fraudulent invoices paid; Valid invoices not entered • Controls: Review of new vendors and related invoice support; Review of uninvoiced goods receipts; AP SOD rules in AC • Policies: Update and roll out strengthened security policy • Regulations • Access Risks: User can enter vendor & PO; User can enter invoices & payments • Mitigate Access Violations; Monitor Access Status

  30. The SAP Difference • Unified GRC Platform: risk, compliance, audit, policy and internal control management • Proactive: integrated monitoring, continuous controls monitoring • Large Eco-system: industry-specific tailored solutions meeting your requirements • Proven: remarkable customers using essential solutions

  31. The SAP Difference. Proven: remarkable customers using essential solutions

  32. Thank You! Patrick Wang patrick.wang@sap.com Business Development Manager APJ Governance Risk and Compliance
