Surviving in a Riskier World with a Governance Risk and Compliance Strategy
Patrick Wang, GRC Business Development APJ

Agenda
• Introduction
• GRC solutions
• Risk Management
• Internal Controls
• Access Controls
• Summary

What is GRC?
• Airbags
• Seatbelts
• Temperature gauge
• Fuel gauge
• Car seats
• Brakes
• Crash avoidance
• Maintenance records

GRC involves these elements and many others…
• Compliance
• Global trade compliance
• Legal
• Audit
• Quality
• Risk
• Policy
• Monitoring
• Access risk management
• EH&S
Can your organization answer these questions?
• What risks impact your ability to perform?
• What is the status of your compliance initiatives?
• Does excessive access introduce opportunity for fraud and errors?
• Are controls in place and shared across your organization?
• Are risk responses ready and effective?
• Are behaviors reflective of policies?

The cost is real
Compliance enforcement and poorly managed risk events are costly
• Conduct, transmission, ownership, manipulation, disruptions
• Bribery and corruption, spills, explosions
• Off-label marketing, product recalls, price fixing
• Trading conflicts, currency manipulation, laundering, restricted trading parties

Costs resulting from non-compliance can’t be ignored
Enforcement is 2.7 times higher than investing in compliant processes
• Cost of non-compliance: $9.4 Million
• Cost of compliance: $3.5 Million
Source: Ponemon Institute LLC, The True Cost of Compliance, 2011

But what’s the hidden cost?
Control failures / risk events lead to a performance impact:
• Disrupts operations
• Lowers customer satisfaction
• Reduces investor confidence
• Increases scrutiny
• Raises business costs
• Unachieved objectives

Conversely, there is potential for a positive impact
Optimized performance:
• Shareholder value attained
• Brand enhanced
• Customer demands met
• Major disruptions avoided
• Controls enhance performance
• Risks anticipated and managed
• Opportunities identified

SAP GRC customers are seeing a positive impact
Optimizing performance:
• Grew through financial crisis
• Discovered new oil reserves
• Minimizing risk and non-compliance events
• World’s largest dairy exporter
• Expanding global dairy trade in a compliant manner
• 17% growth of net profit
SAP capabilities for GRC
SAP Solutions for GRC:
• Analyze: dashboards and visualization (non-compliance, effectiveness, exceptions)
• Monitor: ERP (configuration, events, risk indicators, transactions, controls)
• Manage: risk, compliance, audit, policy, access, trade
• GRC Shared Compliance Platform: controls, hierarchies, policies, risk response, product updates, user experience

Key solutions for success
SAP GRC solutions translate capabilities into value
• Reporting & Analytics
• SAP Solutions for GRC: SAP Global Trade Services, SAP Process Control, SAP Access Control, SAP Risk Management, SAP Audit Management, SAP Nota Fiscal Electronica
• Mobile: SAP Policy Survey, SAP Access Approver, SAP Sanction-Party List
• GRC Shared Compliance Platform: controls, hierarchies, policies, risk response, product updates, user experience
Key solutions for success
SAP GRC solutions translate capabilities into value
• GRC for Industries and LoBs
• Reporting & Analytics
• SAP Solutions for GRC: SAP Global Trade Services, SAP Process Control, SAP Access Control, SAP Risk Management, SAP Audit Management, SAP Nota Fiscal Electronica
• Mobile: SAP Policy Survey, SAP Access Approver, SAP Sanction-Party List
• GRC Shared Compliance Platform: controls, hierarchies, policies, risk response, product updates, user experience
• Native SAP ERP integration and integration to non-SAP ERP (SAP, legacy, others)

SAP Risk Management
Preserve and grow value
• Plan: plan risk management within the context of value to the organization
• Link: link risks, risk drivers, risk indicators, impacts and responses
• Analyze: analyze risk via scenarios, modeling, and other factors to understand exposure
• Respond: respond to risk after balancing costs and benefits
• Monitor & Report: monitor thresholds, effectiveness of risk responses, and corrective actions
SAP Process Control
Ensure effective controls and on-going compliance
• Document: document controls and policies centrally; map to key regulations and impacted organizations
• Scope: perform periodic risk assessments to determine scope and test strategies
• Evaluate: evaluate control design and effectiveness; raise and remediate issues
• Monitor: perform automated, exception-based monitoring of ERP systems
• Report: support decisions and promote accountability with insightful analytics and sign-off

Business Pain: Overuse of One-Time Vendors
• One-time vendors: generally used to limit admin burden for infrequently used vendors
• Bypassing controls: may be used to bypass ERP controls related to vendor maintenance and payment
• Implications: non-compliance with company policies, fraud, errors, inadequate vendor history, …
Excerpt from the policy shown on the slide: “One-time vendor records shall be used for all payments made to vendors that are paid on a one-time basis or very infrequently and that are not established in the SAP Vendor Master Database. The Bureau of Financial Management performs a periodic analysis of the payments posted to one-time vendor records to determine if a permanent vendor master record should be established.”

Solution: Automating One-Time Vendor Review
• What the business rule does: uses the new grouping and aggregation feature to group AP invoices for one-time vendors, presenting both the sum and the count of the invoices
• What the customer does: schedules the rule on a recurring basis to trigger a semi-automated activity verifying that one-time vendors are being used appropriately
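A constructed implementation of the review described on the two one-time vendor slides, added here as an illustration and not SAP Process Control's own rule: it groups invoices posted to a one-time vendor account by the payee details captured on the document, returns sum and count per payee, and flags repeat use (a candidate for a permanent vendor master record) or spend above a limit. The account id OTV, the thresholds and the invoice data are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import date

Invoice = namedtuple("Invoice", "doc vendor payee iban amount posted")

# Constructed sample AP documents. "OTV" is the assumed one-time vendor account; the
# payee name and bank account live on the document, not in the vendor master.
INVOICES = [
    Invoice("1900000001", "OTV", "ACME Catering", "DE00X1", 450.00, date(2013, 1, 10)),
    Invoice("1900000002", "OTV", "ACME Catering", "DE00X1", 380.00, date(2013, 2, 14)),
    Invoice("1900000003", "OTV", "ACME Catering", "DE00X1", 1200.00, date(2013, 3, 2)),
    Invoice("1900000004", "OTV", "J. Smith", "GB00Y9", 90.00, date(2013, 2, 1)),
    Invoice("1900000005", "100042", "Regular Supplier GmbH", "DE00Z2", 5000.00, date(2013, 2, 3)),
    Invoice("1900000006", "OTV", "Quick Fix Ltd", "GB00Q4", 9800.00, date(2013, 3, 20)),
    Invoice("1900000007", "OTV", "ACME Catering", "DE00X1", 300.00, date(2012, 12, 15)),  # prior period
]

MAX_COUNT = 2        # assumed threshold: more than 2 OTV invoices to one payee per period
MAX_TOTAL = 5000.00  # assumed threshold: OTV spend to one payee per period

def aggregate_one_time_vendors(invoices, start, end, otv_accounts=("OTV",)):
    """Group OTV invoices posted in [start, end] by (payee, bank account): count, sum, documents."""
    groups = defaultdict(lambda: {"count": 0, "total": 0.0, "docs": []})
    for inv in invoices:
        if inv.vendor not in otv_accounts or not (start <= inv.posted <= end):
            continue  # regular vendor master account, or outside the review period
        g = groups[(inv.payee, inv.iban)]
        g["count"] += 1
        g["total"] = round(g["total"] + inv.amount, 2)
        g["docs"].append(inv.doc)
    return dict(groups)

def flag_for_review(groups, max_count=MAX_COUNT, max_total=MAX_TOTAL):
    """Payees needing a reviewer's decision: repeat use or large spend through the OTV account."""
    findings = []
    for (payee, iban), g in sorted(groups.items()):
        reasons = []
        if g["count"] > max_count:
            reasons.append("repeat use: candidate for permanent vendor master record")
        if g["total"] > max_total:
            reasons.append("spend above one-time vendor limit")
        if reasons:
            findings.append({"payee": payee, "iban": iban, "count": g["count"],
                             "total": g["total"], "docs": g["docs"], "reasons": reasons})
    return findings

def run_review(invoices=INVOICES, start=date(2013, 1, 1), end=date(2013, 3, 31)):
    """Entry point for the recurring (here: quarterly) run the customer schedules."""
    return flag_for_review(aggregate_one_time_vendors(invoices, start, end))
```

The reviewer still decides the outcome; the rule only narrows the population to payees whose one-time vendor usage contradicts the policy excerpt.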
SAP Access Control
Manage access risk and prevent fraud
• Analyze Risk: find and remediate SoD and critical access violations
• Manage Access: automate access assignments across SAP and non-SAP systems (SAP, legacy)
• Certify Authorizations: certify access assignments are still warranted
• Maintain Roles: define and maintain roles in business terms (the diagram shows SAP_ALL crossed out)
• Monitor Privileges: monitor emergency access and transaction usage

Segregation of duties (SoD)
One user who can both Create Vendor and Pay Vendor vs. Create Vendor and Pay Vendor split between separate users

Integrated GRC
Develop and package external content
• Enterprise risk: fraud
• Risk Management responses: transfer, accept, avoid, control/reduce
• Compliance Management: controls, regulations, process, policies
• Process: Procure to Pay (Vendor Mgmt, AP Invoicing)
• Process risks: fraudulent invoices paid; valid invoices not entered
• Controls: review of new vendors and related invoice support; review of uninvoiced goods receipts; AP SoD rules in AC
• Policies: update and roll out strengthened security policy
• Access Risk Management: access risks (user can enter vendor & PO; user can enter invoices & payments), mitigate access violations, monitor access status
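An added SoD check in the spirit of the Create Vendor / Pay Vendor slide and the two access risks listed on the Integrated GRC slide (user can enter vendor & PO; user can enter invoices & payments). This is illustrative code, not SAP Access Control's rule engine: roles, users, rule ids and the mitigation assignment are constructed, actions are named in business terms, and their mapping to transaction codes is assumed.

```python
# Constructed role-to-action and user-to-role data. Actions are business terms
# (as the Maintain Roles step recommends); mapping to transaction codes is assumed.
ROLE_ACTIONS = {
    "Z_VENDOR_MAINT": {"create_vendor", "change_vendor"},
    "Z_AP_PAYMENTS": {"pay_vendor"},
    "Z_PURCHASING": {"create_po"},
    "Z_AP_INVOICE": {"enter_invoice"},
    "Z_DISPLAY_ONLY": {"display_vendor"},
}
USER_ROLES = {
    "alice": {"Z_VENDOR_MAINT", "Z_AP_PAYMENTS"},  # can both create and pay a vendor
    "bob": {"Z_PURCHASING", "Z_AP_INVOICE", "Z_AP_PAYMENTS"},
    "carol": {"Z_VENDOR_MAINT", "Z_DISPLAY_ONLY"},
    "dave": {"Z_VENDOR_MAINT", "Z_PURCHASING"},
}
# Each rule names two action sets one user must not hold together: the SoD slide's
# Create Vendor vs. Pay Vendor, and the two access risks on the Integrated GRC slide.
# Rule ids are constructed.
SOD_RULES = {
    "SOD-VENDOR-PAY": ({"create_vendor", "change_vendor"}, {"pay_vendor"}),
    "AR-VENDOR-PO": ({"create_vendor", "change_vendor"}, {"create_po"}),
    "AR-INVOICE-PAY": ({"enter_invoice"}, {"pay_vendor"}),
}
# Mitigating controls assigned per user and rule (assumed), e.g. the deck's
# "review of new vendors and related invoice support" covering dave's conflict.
MITIGATIONS = {"dave": {"AR-VENDOR-PO"}}

def effective_actions(user, user_roles=USER_ROLES, role_actions=ROLE_ACTIONS):
    """Union of the actions granted through all of a user's roles."""
    return set().union(*(role_actions.get(r, set()) for r in user_roles.get(user, ())))

def sod_violations(user_roles=USER_ROLES, rules=SOD_RULES, mitigations=MITIGATIONS):
    """Map each conflicting user to {rule_id: (status, conflicting actions)};
    status is 'mitigated' when a control is assigned, otherwise 'open'."""
    report = {}
    for user in sorted(user_roles):
        actions = effective_actions(user, user_roles)
        for rule_id, (side_a, side_b) in rules.items():
            hit_a, hit_b = actions & side_a, actions & side_b
            if hit_a and hit_b:  # user holds at least one action on each side
                status = "mitigated" if rule_id in mitigations.get(user, set()) else "open"
                report.setdefault(user, {})[rule_id] = (status, sorted(hit_a | hit_b))
    return report

def open_violations(report):
    """Users with at least one unmitigated conflict: the remediation queue."""
    return sorted(u for u, r in report.items() if any(s == "open" for s, _ in r.values()))
```

Conflicts surface at the action level, so a role that bundles both sides (or two roles assigned to the same user) is caught the same way.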
The SAP Difference
• Unified GRC platform: risk, compliance, audit, policy and internal control management
• Proactive: integrated monitoring, continuous controls monitoring
• Large ecosystem: industry-specific tailored solutions meeting your requirements
• Proven: remarkable customers using essential solutions

The SAP Difference
Proven: remarkable customers using essential solutions

Thank You!
Patrick Wang, patrick.wang@sap.com
Business Development Manager APJ, Governance Risk and Compliance