- Users of SAP in the Philippines

Surviving in a Riskier World with a Governance Risk
and Compliance Strategy
Patrick Wang
GRC Business Development APJ
Agenda
Introduction
GRC solutions
Risk Management
Internal Controls
Access Controls
Summary
© 2013 SAP AG. All rights reserved.
2
Introduction
What is GRC?
Airbags
Seatbelts
Temperature gauge
Fuel gauge
Car seats
Brakes
Crash avoidance
Maintenance records
© 2013 SAP AG. All rights reserved.
4
GRC involves these elements and many others….
Compliance
Global trade compliance
Legal
Audit
Quality
Risk
Policy
Monitoring
Access risk management
© 2013 SAP AG. All rights reserved.
EH&S
5
Can your organization answer these questions?
What risks impact your ability to perform?
What is the status of your compliance
initiatives?
Does excessive access introduce opportunity
for fraud and errors?
Are controls in place and shared across your
organization?
Are risk responses ready and effective?
Are behaviors reflective of policies?
© 2013 SAP AG. All rights reserved.
6
The cost is real
Compliance enforcement and poorly managed risk events are costly
Bribery and
Corruption,
Spills,
Explosions
© 2013 SAP AG. All rights reserved.
Off-label
marketing,
product recalls,
price fixing
Trading conflicts,
currency manipulation,
laundering, restricted
trading parties
Conduct,
transmission,
ownership,
manipulation,
disruptions
7
Costs resulting from non-compliance can’t be ignored
Enforcement is 2.7 times higher than investing in compliant processes
$9.4 Million
$3.5 Million
Source: Ponemon Institute LLC
The True Cost of Compliance 2011
© 2013 SAP AG. All rights reserved.
8
But what’s the hidden cost?
Control failures / Risk event
Disrupts operations
Lowers customer satisfaction
Reduces investor confidence
Increases scrutiny
Raises business costs
Unachieved objectives
Performance
Impact
© 2013 SAP AG. All rights reserved.
9
Conversely, there is potential for a positive impact
Optimized
Performance
Shareholder value attained
Brand enhanced
Customer demands met
Major disruptions avoided
Controls enhance performance
Risks anticipated and managed
Opportunities identified
© 2013 SAP AG. All rights reserved.
10
SAP GRC customers are seeing a positive impact
Optimizing Performance
Grew
through financial crisis
Discovered
new oil reserves
Minimizing
risk and noncompliance events

Worlds largest dairy exporter
 Expanding global dairy trade
in a compliant manner
 17% growth of net profit
© 2013 SAP AG. All rights reserved.
11
SAP GRC Solutions
SAP capabilities for GRC
SAP Solutions for GRC
Analyze
Dashboards And
Visualization
Non-compliance
Effectiveness
Exceptions
Monitor
Risk Indicators
Controls
Transactions
ERP Configuration
Events
GRC Shared Compliance Platform
Manage
Risk
Controls
© 2013 SAP AG. All rights reserved.
Compliance
Hierarchies
Audit
Policies
Risk
Policy
Response
Product
Access
Updates
User
Trade
Experience
13
Key solutions for success
SAP GRC solutions translate capabilities into value
Reporting & Analytics
SAP Solutions for GRC
SAP Access Control
SAP Access Approver
(mobile)
SAP Global
Trade Services
SAP Process Control
SAP Policy Survey
SAP Sanction-Party List
(mobile)
(mobile)
GRC Shared Compliance Platform
SAP Audit
Controls
Hierarchies
Management
© 2013 SAP AG. All rights reserved.
SAP Risk
Risk
Policies
Management
Response
SAP Nota
Product
User
Fiscal Electronica
Updates
Experience
14
Key solutions for success
SAP GRC solutions translate capabilities into value
Reporting & Analytics
SAP Solutions for GRC
SAP Access Control
SAP Access Approver
(mobile)
SAP Audit
Management
SAP Global
Trade Services
SAP Process Control
SAP Policy Survey
SAP Sanction-Party List
(mobile)
(mobile)
SAP Risk
Management
SAP Nota
Fiscal Electronica
GRC Shared Compliance Platform
Controls
© 2013 SAP AG. All rights reserved.
Hierarchies
Policies
Risk
Response
Product
Updates
User
Experience
15
Key solutions for success
SAP GRC solutions translate capabilities into value
 GRC for Industries and LoBs
Reporting & Analytics
SAP Solutions for GRC
SAP Access Control
SAP Access Approver
(mobile)
SAP Audit
Management
SAP Global
Trade Services
SAP Process Control
SAP Policy Survey
SAP Sanction-Party List
(mobile)
(mobile)
SAP Risk
Management
SAP Nota
Fiscal Electronica
GRC Shared Compliance Platform
Controls
Hierarchies
Policies
Risk
Response
Product
Updates
User
Experience
NATIVE SAP ERP integration and integration to non-SAP ERP
SAP
© 2013 SAP AG. All rights reserved.
Legacy
Others
16
Risk Management
SAP Risk Management
Preserve and grow value
Monitor thresholds, effectiveness
of risk responses, and corrective
actions
Plan risk management
within the context of value
to the organization
Respond to risk after
balancing costs and
benefits
Link risks, risk drivers,
risk indicators,
impacts and
responses
Analyze risk via scenarios, modeling,
& other factors to understand
exposure
© 2013 SAP AG. All rights reserved.
18
Risk Heatmap
© 2013 SAP AG. All rights reserved.
19
First level
Second level
 Third level
© 2013 SAP AG. All rights reserved.
20
Response Plan
© 2013 SAP AG. All rights reserved.
21
Internal Controls
SAP Process Control
Ensure effective controls and on-going compliance
Support decisions and promote
accountability with insightful
analytics and sign-off
Document controls and policies
centrally; map to key regulations
and impacted organizations
Perform automated,
exception-based
monitoring of ERP systems
Perform periodic risk
assessments to determine
scope and test strategies
Evaluate control design and
effectiveness; raise and
remediate issues
© 2013 SAP AG. All rights reserved.
23
Business Pain: Overuse of One-Time Vendors
One-time vendors
Generally used to limit admin burden
for infrequently used vendors
Bypassing controls
May be used to bypass ERP controls
related to vendor maintenance and
payment
Implications
Non-compliance with company policies
Fraud
Errors
Excerpt from above:
One-time vendor records shall be used for all payments
made to vendors that are paid on a one-time basis or
very infrequently and that are not established in the
SAP Vendor Master Database
The Bureau of Financial Management performs a
periodic analysis of the payments posted to onetime vendor records to determine if a permanent
vendor master record should be established.
Inadequate vendor history
….
© 2013 SAP AG. All rights reserved.
24
Solution: Automating One-Time Vendor Review
What the business rule does
Uses new grouping and aggregation feature to group AP invoices for one-time
vendors, presenting both the sum and the count of the invoices
What the customer does
Customer schedules on a recurring basis to trigger semi-automated activity to verify
one-time vendors are being used appropriately
© 2013 SAP AG. All rights reserved.
25
Access Controls
SAP Access Control
Manage access risk and prevent fraud
Monitor emergency access and
transaction usage
X
Find and remediate SoD and
critical access violations
SAP_ALL
Certify access
assignments are still
warranted
Legacy
Automate access
assignments across SAP
and non-SAP systems
Define and maintain roles in
business terms
© 2013 SAP AG. All rights reserved.
27
Segregation of duties (SoD)
Create Vendor
© 2013 SAP AG. All rights reserved.
Pay Vendor
Create Vendor
Pay Vendor
28
© 2013 SAP AG. All rights reserved.
29
Risk Management
Integrated GRC
Enterprise Risk: Fraud
Develop and
Package External
Content
Responses
Accept
Avoid
Transfer
Control
Reduce
Compliance
Management
Regulations
Process
Process Risks
Procure to Pay
Fraudulent
invoices paid
Vendor Mgmt
Valid
invoices not
entered
AP Invoicing
Access Risk
Management
Access Risks
User can
enter vendor
& PO
© 2013 SAP AG. All rights reserved.
User can
enter invoices
& payments
Controls
Review of new
vendors and
related invoice
support
Review of
uninvoiced
goods
receipts
Policies
AP SOD
rules in AC
Update and roll
out strengthened
security policy
Mitigate
Access
Violations
Monitor
Access
Status
30
The SAP Difference
Unified GRC Platform: risk,
compliance, audit, policy and
internal control management
Proactive: integrated
monitoring, continuous
controls monitoring
Large Eco-system: industryspecific tailored solutions
meeting your requirements
Proven: remarkable
customers using essential
solutions
© 2013 SAP AG. All rights reserved.
31
The SAP Difference
Proven: remarkable customers using essential solutions
© 2013 SAP AG. All rights reserved.
32
Thank You!
Patrick Wang
patrick.wang@sap.com
Business Development Manager APJ
Governance Risk and Compliance