Ranga Bodla, SAP - Treasury & Risk · 2011. 4. 21. · Ranga Bodla, SAP Governance, Risk &...
Managing Risk in Perilous Times
Ranga Bodla, SAP Governance, Risk & Compliance Solution Marketing
Michael Rasmussen, Corporate Integrity
December 1, 2009
Speakers
Ranga Bodla, Sr. Director, Governance, Risk and Compliance – SAP
Michael Rasmussen, J.D., President, Risk & Compliance Advisor – Corporate Integrity
© SAP 2008 / Page 2
Agenda
• How to integrate risk management into your organization's
operations and strategic decision-making processes
• How to consolidate risk factors so that they are visible across
the entire organization
• How to develop robust scenario planning to help manage
unanticipated events
Slide 4© 2009, Corporate Integrity, LLC www.Corp-Integrity.com
Leading Strategies for Enterprise Risk Management
Michael Rasmussen
“Risk is like fire: If controlled it will
help you; if uncontrolled it will rise up
and destroy you.”
Theodore Roosevelt
Are you focused only on what you see?
“Never in all history have we harnessed
such formidable technology. Every
scientific advancement known to man has
been incorporated into its design. The
operational controls are sound and
foolproof!”
E.J. Smith, Captain of the Titanic
(Diagram: Risk Awareness vs. Risk Ignorance)
Silos Lead to Greater Risk
• A reactive and siloed approach to risk management is a recipe for disaster and leads to . . .
– Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.
– Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.
– Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.
– Lack of flexibility. Complexity drives inflexibility - the organization is not agile to the dynamic business environment it operates in.
– Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.
Defining Our Terms
• Risk
The probability of something happening that will have an impact on objectives; most importantly, but not exclusively, an adverse impact.
• Risk Management
A system of processes and structures that enable an organization to
• identify, evaluate, analyze, optimize, monitor, improve, or transfer risk
• communicate risk findings and decisions to stakeholders
• realize potential opportunities while managing adverse effects of risk
Defining Our Terms
• Effective Risk Management
– addresses opportunities, obstacles and threats in a holistic fashion
– continually identifies obstacles and threats,
– assesses the potential impact of threats,
– identifies opportunities for further assessment,
– assures risk-intelligent decisions and
– implements structures to enable the organization to appropriately pursue opportunities while addressing the obstacles and threats.
Instead Of This…
(Diagram: discrete risks, regulations and standards (Risk A, Risk B, Risk C), each broken into discrete requirements (A1 to A3, B1 to B3, C1 to C3), then into discrete controls and activities, owned by siloed functions and departments; IT and business integration shown with no linkage or weak linkage.)

Do This…
(Diagram: the same discrete risks, regulations and standards mapped onto common requirements, common controls and activities, and integrated functions and departments; IT and business integration shown with full linkage and strong linkage.)
RISK: in Business Perspective
Risk questions organizations need to ask
• Do you know your risk exposure at the business process, operations, and enterprise levels?
• How do you know you are taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
• Can you accurately gauge the impact of risk taking on business strategy as well as loss?
• Does the business get the information it needs to act on risk exposure in time to seize opportunities while avoiding or mitigating negative events?
• Does your business monitor key risk indicators across key systems and processes?
• Are you optimally measuring and modeling risk?
Multi-Perspective Risk Analysis
• As organizations build risk management programs it is important that they build a 360-degree, multi-perspective risk analysis framework that allows the organization to think outside the box and look at risk from a variety of perspectives.
• The challenge is for organizations to develop processes to harness internal and external information to be intelligent about their risk and regulatory environments so they can make wise business decisions. This involves gathering information from the internal environment such as:
• Losses.
• Issues/events.
• Success & performance.
• Controls.
• Policies.
• Risk appetite.
• Risk management.
• Compliance.
• Culture.
• Business relationships.
Aligning Risk & Performance
• Effective risk management can only be achieved if key risk indicators are set in a business context and mapped over to corresponding key performance indicators.
• A risk management program aligned with business strategy and performance is effective because it:
• Addresses opportunities, obstacles and threats in a business context.
• Continually identifies obstacles and threats,
• Assesses the potential impact of threats,
• Identifies opportunities for further assessment,
• Assures risk-intelligent decisions and
• Implements structures to enable the organization to appropriately pursue opportunities while addressing the obstacles and threats.
GRC Capability Model: High Level View of OCEG Red Book 2.0
(Diagram.)
8 integrated components (seven are legible in the slide text): Organize & Oversee; Assess & Align; Prevent & Promote; Detect & Discern; Respond & Resolve; Monitor & Measure; Inform & Integrate.
8 universal outcomes: Achieve Business Objectives; Enhance Organizational Culture; Increase Stakeholder Confidence; Prepare & Protect the Organization; Prevent, Detect & Reduce Adversity; Motivate / Inspire Desired Conduct; Improve Responsiveness & Efficiency; Optimize Economic & Social Value.
Element View Of The GRC Capability Model
RISK: in Business Perspective
RISK: A Taxonomy of Risk
Enterprise Risk Management
Strategic Risks
• Geo-Political Risks
• Industry Risks
• Succession Planning
• Competitive Environment
• Corporate Governance
• Business Strategy
• Reputation/Brand
• Stakeholder Expectations
• Market Demands
Financial/Treasury Risks
• Market risks
• Interest, foreign exchange
• Equity risks
• Hedging/Diversification
• Liquidity
• Credit risks
Operational Risk
• Physical Assets
• Information Assets
• Business Relationships
• Technology
• Human Resources
• Finance & Treasury
• Products & Services
• Business Resiliency & Continuity
• Marketing, Communications & Sales
Legal & Compliance
• Ethics & Culture
• Litigations
• Regulatory Compliance
• Liability
• Reporting requirements
• Policies & Procedures
• Investigations
• Environmental
• Health & Safety
• Contracts
• Privacy
Corporate Social Responsibility, Sustainability, Triple Bottom Line Reporting
Social Accountability – Financial Responsibility – Environmental Stewardship
RISK: Risk Management Process
Establish the Context
• Internal context
• External context
• Risk management context
• Develop criteria
• Define the structure
Identify Risks
• What can happen?
• When and where?
• How and why?
Analyze Risks
• Identify existing controls
• Determine consequences and likelihood
• Determine level of risk
Evaluate Risks
• Compare against criteria
• Set priorities
Treat Risks
• Identify options
• Assess options
• Prepare and implement plans
• Analyze and evaluate residual risk
Communicate & Consult and Monitor & Review run alongside every step.
Source: AS/NZS 4360:2004 and ISO 31000
Ultimate Risk Platform
• Organizations continue to manage risk in silos, where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions.
• Risk platforms (if deployed) are typically not equipped to capture the complex interrelationships among operational risks that span global operations, business relationships, lines of business, and processes.
Do you know your risk exposure at the business process as well as enterprise operations levels?
How do you know you are taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?
Can you accurately gauge the impact of risk taking on business strategy as well as loss?
Does the business get the information it needs to act on risk exposure in time to seize opportunities while mitigating negative events?
Do you have repetitive and inefficient controls, documentation, processes, testing, and risk measurement / management?
Are you optimally measuring and modeling risk?
Ultimate Risk Platform
(Diagram: the Ultimate Risk Platform wheel with six segments: Risk & Control Assessment, Internal Loss Events, External Loss Data, Key Risk Indicators, Reporting, and an Extensible & Flexible Platform. The following slides take each segment in turn.)
Risk & Control Assessment
• This includes:
– Risk identification
– Assessment
– Surveying
– Analysis
• To manage risk, an organization will implement a taxonomy of risks and a framework designed to provide a sound and well-controlled operational environment.
• The risk solution needs to be able to integrate with multiple frameworks.
• Organizations need to manage the balance between the cost of controls and the reduction in risk that the controls achieve.
• The platform should support a range of assessment styles, including qualitative and quantitative assessments as well as top-down and bottom-up techniques.
• Risk measurement should cover both inherent and residual risk metrics.
Ultimate Risk Platform
Internal Loss Events
• Operational losses are increasing in frequency and impact because business has grown more complex, particularly as transaction volumes have increased.
• Organizations have distributed operations and a growing number of business relationships, and their reliance on automated systems outpaces their ability to monitor risk.
• Critical requirements for an operational risk management (ORM) process include capturing loss information. This includes:
– Creating a consistent categorization scheme for loss events
– Linking losses to the risk taxonomy, which allows an organization to pinpoint the root cause of losses and determine whether certain controls are failing.
• This facilitates the continual optimization of risk management as well as the control environment.
• A risk platform needs to combine assessment data with loss event data to support a risk management process.
Ultimate Risk Platform
External Loss Data
• External losses are a key component of the Ultimate Risk Platform.
• The solution should support automatic upload and download capability for interfacing with external loss consortiums (e.g., ORX) or commercial providers (e.g., Algorithmics, AON, SAS).
• The system should facilitate the use of external loss data for capital modeling, scenario analysis and benchmarking.
Ultimate Risk Platform
Key Risk Indicators
• Continual monitoring and management of key risk indicators, including trending and aggregation of KRIs, is a critical element of a risk management process.
• A risk platform should automatically notify risk owners when KRI values reach their thresholds.
• Workflows should automate risk processes such as KRI review and analysis.
• KRIs must support thresholding and time-trending.
• The best systems will also allow you to align enterprise performance management with risk management and give you a view into risk optimization as opposed to simply risk mitigation.
• Organizations take risk; they need assurance that they are taking the right risks to meet objectives and that risk is effectively monitored and managed.
Ultimate Risk Platform
Reporting
• A risk platform needs to provide timely and accurate information to risk managers, risk owners in lines of business, senior and executive management, the board, and external constituencies such as auditors and regulators.
• Risk reports enable management to maintain risk at appropriate levels within each line of business, escalate issues and provide consistent data aggregation across business roles and functions.
• With improved visibility into its risk environment, an organization is in a position to make risk-intelligent business decisions.
• The risk platform needs to support a variety of risk reports including high-level dashboards, risk models, and detailed reports.
• It has to be able to aggregate data across business entities, relationships, risk categories, event types, and time periods.
Ultimate Risk Platform
Extensible & Flexible Platform
• Organizations need an adaptable solution and process to meet specific needs, taking into account corporate governance including corporate policies and procedures.
• When choosing a technology platform, organizations need to pick an application that can adjust to their processes as opposed to adjusting processes to fit the application.
• Important areas for extensibility include:
– Business hierarchy: multiple hierarchies (legal, finance, organizational), multiple levels (with no limit) and asymmetrical hierarchies are all essential to conform risk to the business.
– Localization.
– Risk framework.
Assess & Align
• Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities
– identify events, forces, and factors that may affect the achievement of organizational objectives
– define the current risk profile by analyzing the inherent risk and residual risk after considering current risk optimizing activities
– evaluate and implement selected options to reduce, avoid or mitigate adverse effects of risk and take advantage of identified opportunities
Assess & Align – Key Principles
• Focus on key organizational objectives, assets, and operations
• Categorize risks to structure the identification process and ensure that the organization identifies risks uniformly across departments and silos
• Risks rarely fall into singular categories, but rather tend to be multi-faceted, so use multiple identification
• Priority risks should include both inherently high risks and unacceptably high residual risks
• Where appropriate, embed optimizing activities in mainline business planning and processes
• Consider the external as well as internal context of risks
The Goal: Make Risk Management Part of the Business
(Diagram: Risk Management at the centre, linked to each function.)
• Board and CEO: strategic dialogs on risk (vs. reward)
• Lines of Business: continuous monitoring of key risk indicators and controls
• Internal Audit: control activities focused on the most risky areas
• Corporate Finance / Planning: variance caused by risk built into plans
• Head of Strategy: new strategies/initiatives developed with risk "built-in"
Enterprise Risk Management
Implementation approach
An approach whereby all categories of risk across each program are aggregated at the enterprise
level and treated holistically, while at the same time recognizing the need to maintain levels of granularity.
(Diagram: CEO and CFO above Business Unit A, Business Unit B and Business Unit C, all on a common Enterprise Risk Framework and Processes, implemented in SAP BusinessObjects Risk Management.)
Transparency
• Enterprise-wide view of the totality of risk
Consistency
• Common risk management framework and risk management solution
Enterprise Risk Management
Risk-adjusted management of strategy and performance
SAP Solution
■ Drive agreement on top risks, thresholds, and appetite
■ Identify all key risks across the enterprise
■ Perform qualitative and quantitative analysis
■ Create resolution strategies for top risks that maximize return on capital
■ Build proactive monitoring into existing business processes and strategies
SAP Differentiators
■ Protect Existing Value with Continuous Risk and Control Monitoring
■ Create New Value with Risk-Adjusted Strategy and Planning
(Diagram: the risk cycle of Risk Planning, Risk Identification, Risk Analysis, Risk Response and Risk Monitoring laid over the performance cycle of Define Strategy, Construct Budgets & Forecasts, Plan and Perform Assessments and Tests, and Measure Performance.)
Protect Existing Value with Continuous Risk and Control Monitoring
Examples of KRI content already available in SAP and partners' operational systems; sample content packs based upon partner and customer suggestions.

Risk                        | KRI / Control                                         | Example threshold
Quality                     | Customer complaints                                   | 10% over trailing 3-month average
                            | Overdue notifications                                 | 5% of all notifications
                            | Product inspection                                    | 10% over trailing 3-month average
                            | Product returns                                       | 10% over trailing 3-month average
Reliability                 | Overall equipment effectiveness                       | 10% over trailing 3-month average
Health & Safety             | Recordable injuries                                   | 5 per month
                            | Safety near misses                                    | 10% over trailing 3-month average
                            | Overdue maintenance orders                            | Overdue by 1 week
Environmental               | Air, water & waste: number of permit limits exceeded  | 3 per month
                            | Hazardous emissions                                   | 90% of legal limit
Financial Controls          | Failed controls                                       | 5% of all controls
                            | Segregation of duty violations                        | 23 violations
Demand and Supply Mismatch  | Inventory (days) above maximum                        | 10% over maximum
                            | Inventory (days) below minimum                        | 5% below minimum
                            | Forecast accuracy                                     | 10% below trailing 3-month average
Procurement Risk            | Single sourcing                                       | 5% increase in spend of single-sourced material
                            | Service levels                                        | 5% below trailing 3-month average
Logistic Disruption         | Delivery lead times                                   | 15% increase in lead times by shipper relative to 3-month average
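The thresholds in this table (10% over a trailing 3-month average, 5% of all notifications, 5 per month, 90% of a legal limit) and the thresholding, time-trending and owner-notification requirements on the Key Risk Indicators slide are one mechanism seen from two sides. What follows is an added example, not SAP's or any partner's content pack: a small KRI evaluator in Python that turns each threshold style into a rule, checks the current month against history, attaches a trend, and emits the notification record a platform would route to the risk owner. The record layout, the rule factory names, the 2% trend band and the monthly figures are assumptions made here for illustration; the figures are constructed, not real data.

```python
"""Key risk indicator (KRI) threshold evaluation with trailing averages.

Constructed example, not SAP or partner code. The record layout, rule
factories, trend band and monthly figures are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Optional, Sequence

# A rule takes the KRI record and returns (breached, human-readable reason).
Rule = Callable[["KRI"], tuple[bool, str]]


@dataclass(frozen=True)
class KRI:
    risk: str
    name: str
    rule: Rule
    current: float                       # this month's observation
    history: Sequence[float] = ()        # prior months, oldest first
    denominator: Optional[float] = None  # population or legal limit for share-style rules


def trailing_average(history: Sequence[float], months: int = 3) -> float:
    """Mean of the most recent `months` observations."""
    if len(history) < months:
        raise ValueError(f"need {months} months of history, have {len(history)}")
    return mean(history[-months:])


def over_trailing(pct: float, months: int = 3) -> Rule:
    """'N% over trailing M-month average': breach when current exceeds avg * (1 + N/100)."""
    def rule(k: KRI) -> tuple[bool, str]:
        base = trailing_average(k.history, months)
        limit = base * (1 + pct / 100)
        return k.current > limit, f"{k.current:g} exceeds {limit:.2f} ({pct:g}% over {months}-month avg {base:.2f})"
    return rule


def below_trailing(pct: float, months: int = 3) -> Rule:
    """'N% below trailing M-month average': breach when current drops under avg * (1 - N/100)."""
    def rule(k: KRI) -> tuple[bool, str]:
        base = trailing_average(k.history, months)
        floor = base * (1 - pct / 100)
        return k.current < floor, f"{k.current:g} is under {floor:.2f} ({pct:g}% below {months}-month avg {base:.2f})"
    return rule


def at_least(limit: float) -> Rule:
    """Absolute per-period count, e.g. '5 per month' or '23 violations'."""
    def rule(k: KRI) -> tuple[bool, str]:
        return k.current >= limit, f"{k.current:g} reaches limit {limit:g}"
    return rule


def share_at_least(pct: float) -> Rule:
    """Share of a population or limit, e.g. '5% of all notifications' or '90% of legal limit'."""
    def rule(k: KRI) -> tuple[bool, str]:
        if not k.denominator:
            raise ValueError(f"{k.name}: share rule needs a denominator")
        share = 100 * k.current / k.denominator
        return share >= pct, f"{share:.1f}% reaches limit {pct:g}%"
    return rule


def trend(history: Sequence[float], current: float, months: int = 3, band: float = 0.02) -> str:
    """Time-trend of the current value against its trailing average: 'up', 'down' or 'flat'."""
    base = trailing_average(history, months)
    if current > base * (1 + band):
        return "up"
    if current < base * (1 - band):
        return "down"
    return "flat"


def evaluate(kris: Sequence[KRI]) -> list[dict]:
    """Return one notification per breached KRI: the record a platform would route to the risk owner."""
    alerts = []
    for k in kris:
        breached, reason = k.rule(k)
        if breached:
            alerts.append({
                "risk": k.risk,
                "kri": k.name,
                "reason": reason,
                "trend": trend(k.history, k.current) if len(k.history) >= 3 else "n/a",
            })
    return alerts


# Constructed monthly figures (not real data), mirroring rows of the KRI table.
SAMPLE = [
    KRI("Quality", "Customer complaints", over_trailing(10), current=46, history=(38, 40, 42)),
    KRI("Quality", "Overdue notifications", share_at_least(5), current=18, denominator=400),
    KRI("Health & Safety", "Recordable injuries", at_least(5), current=3),
    KRI("Financial Controls", "Segregation of duty violations", at_least(23), current=23),
    KRI("Demand and Supply Mismatch", "Forecast accuracy", below_trailing(10), current=80, history=(90, 91, 92)),
    KRI("Environmental", "Hazardous emissions", share_at_least(90), current=92, denominator=100),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE):
        print(f"[{alert['trend']:>4}] {alert['risk']}: {alert['kri']}: {alert['reason']}")
```

Running it on the constructed figures breaches four of the six KRIs (customer complaints trending up, the segregation-of-duty count sitting exactly on its limit, forecast accuracy trending down, and emissions at 92% of the legal limit). Two design points carry over to a real platform: a rule that needs three months of history raises rather than silently passing when the history is short, and the trend is computed from the same trailing window as the threshold so that "breached and rising" and "breached but falling" can be prioritised differently by the owner.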
Proactively mitigate risks before KPIs change to yellow/red status
Create New Value with Risk-Adjusted Strategy
Create New Value with Risk-Adjusted Planning
(Diagram: the forecasted P&L 2010 with variance bands of +/- 1%, +/- 2%, +/- 5% and +/- 10% and absolute adjustments of -100 and -200 attached to the individual risks R1 to R6: Sales Volume, New Competitor, Material Costs, Personnel Costs, IR Changes, Add. Costs. Which band belongs to which risk is not legible in the slide text.)

Forecasted P&L 2010 (the slide prints 1.000, i.e. 1,000)
  Revenue                                1,000
- Material Costs                           400
= Profit Margin                            600
- Personnel Costs                          300
- Other Costs (incl. 5 Risk Transfer)      150
- DoA                                       50
= Operating Profit                         100
- Interest Expenses                         44
- Extra Profit / Loss                        0
= EBIT                                      56
Managing Enterprise Risks
2.2.1 Foreign Corrupt Practices Act Compliance Risk
(Bow-tie diagram: drivers on the left, the risk event in the centre, impacts on the right, with key risk indicators, performance measures, and preventive and recovery responses.)
Business Process: Regulatory Compliance (S39)
Risk Event: Employee/agent involved in illegal arrangement (FCPA)
Drivers
• Operate in overseas high-risk markets
• Use of 3rd-party representatives to facilitate overseas business
• Conduct business with foreign state-run entities
Key Risk Indicators
• # of reviews conducted for due diligence on all foreign business partners and third-party representatives (manual)
• % of employees with foreign official contact who have had FCPA training (SAP HCM)
• Expense % of total compensation for sales agents responsible for international accounts (SAP Payroll)
• # of payments to foreign officials characterized as contributions, consulting payments or miscellaneous expenses
Impact
• Financial – Earnings (SEC & DOJ violations, fines, penalties, remediation)
• Financial – Revenue (ineligibility of doing business with foreign entity)
• Reputation (disclosures, investigation, prosecution, oversight)
Responses (Avoid, Reduce, Transfer, Accept, PC/AC Control)
Preventive responses reduce the probability of the event:
• Code of Conduct and FCPA or anti-corruption policies in place
• Anti-corruption training in place
• Whistleblower line
• SOD: separate vendor maintenance from invoice approval (AC)
• Monitor employees that are overdue for ethics/FCPA training (PC)
• Monitor suspicious payment attributes such as round payments, one-time vendor, etc. (PC)
• Avoid business in high-risk markets prone to abuse
Recovery responses reduce the impact of the event:
• Maintain legal and penalty reserve
• Contractual protections with agents
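Two of the preventive responses above are things a control-monitoring job can actually execute: the segregation-of-duties rule (the user who maintains a vendor master record must not also approve that vendor's invoices) and the screen for suspicious payment attributes (round amounts, one-time vendors, payments booked as consulting, contributions or miscellaneous expenses, counterparties in high-risk markets). The following is an added example in Python, not SAP code and not the SAP Process Control or Access Control rule sets: it runs both checks over constructed vendor and payment records and ranks the findings for review. The record layout, the rounding unit of 100, the suspect-description word list, the placeholder country codes "XX" and "YY" standing in for an organization's own country-risk list, and the priority scheme are all assumptions made here; the records are constructed, not real data.

```python
"""Segregation-of-duties and suspicious-payment screening for FCPA monitoring.

Constructed example, not SAP code. Record layout, rounding unit, word list,
placeholder country codes and the priority scheme are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, Mapping


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    country: str
    one_time: bool          # one-time / ad-hoc vendor flag
    maintained_by: str      # user who created or last changed the vendor master record


@dataclass(frozen=True)
class Payment:
    doc_id: str
    vendor_id: str
    amount: Decimal
    description: str        # payment reason / GL text
    approved_by: str        # user who released the invoice for payment


# Assumed word list for the "contributions, consulting, miscellaneous" KRI.
SUSPECT_WORDS = ("consulting", "contribution", "miscellaneous", "facilitation")
# Placeholder codes standing in for an organization's own country-risk list.
HIGH_RISK_COUNTRIES = frozenset({"XX", "YY"})


def is_round(amount: Decimal, unit: Decimal = Decimal("100")) -> bool:
    """Round payment: a positive whole multiple of `unit` (assumed unit of 100)."""
    return amount > 0 and amount % unit == 0


def sod_conflict(vendor: Vendor, payment: Payment) -> bool:
    """SoD: the same user maintained the vendor master and approved its invoice."""
    return vendor.maintained_by == payment.approved_by


def priority(flags: list[str]) -> str:
    """Triage order: an SoD conflict or four or more attributes escalates immediately."""
    if "sod_conflict" in flags or len(flags) >= 4:
        return "high"
    if len(flags) >= 2:
        return "medium"
    return "low"


def screen(vendors: Mapping[str, Vendor], payments: Iterable[Payment],
           high_risk: frozenset = HIGH_RISK_COUNTRIES) -> list[dict]:
    """Return one finding per payment that trips at least one rule."""
    findings = []
    for p in payments:
        v = vendors.get(p.vendor_id)
        if v is None:
            # A payment to a vendor with no master record is itself a control failure.
            findings.append({"doc": p.doc_id, "vendor": p.vendor_id,
                             "flags": ["unknown_vendor"], "priority": "high"})
            continue
        flags = []
        if sod_conflict(v, p):
            flags.append("sod_conflict")
        if is_round(p.amount):
            flags.append("round_amount")
        if v.one_time:
            flags.append("one_time_vendor")
        if any(w in p.description.lower() for w in SUSPECT_WORDS):
            flags.append("suspect_description")
        if v.country in high_risk:
            flags.append("high_risk_country")
        if flags:
            findings.append({"doc": p.doc_id, "vendor": v.vendor_id,
                             "flags": flags, "priority": priority(flags)})
    return findings


# Constructed records (not real data).
VENDORS = {
    "V100": Vendor("V100", "DE", one_time=False, maintained_by="alice"),
    "V200": Vendor("V200", "XX", one_time=True, maintained_by="bob"),
    "V300": Vendor("V300", "XX", one_time=False, maintained_by="carol"),
}
PAYMENTS = [
    Payment("P1", "V100", Decimal("12345.67"), "Server hardware", approved_by="dave"),
    Payment("P2", "V200", Decimal("50000.00"), "Consulting services", approved_by="bob"),
    Payment("P3", "V300", Decimal("2500.00"), "Miscellaneous expenses", approved_by="erin"),
    Payment("P4", "V999", Decimal("700.00"), "Office supplies", approved_by="dave"),
]

if __name__ == "__main__":
    for f in sorted(screen(VENDORS, PAYMENTS), key=lambda f: f["priority"]):
        print(f"{f['priority']:<6} {f['doc']} {f['vendor']}: {', '.join(f['flags'])}")
```

On the constructed records P2 is the case the slide is worried about: the user who maintains the one-time vendor also released its round 50,000 "consulting" payment in a high-risk market, so it carries every flag and the SoD conflict alone is enough for high priority. P3 trips three attribute rules without an SoD conflict and is ranked medium, P4 is flagged because no vendor master exists for it at all, and the ordinary hardware invoice P1 produces nothing. Amounts are kept as Decimal so the round-amount test is exact; a float modulo would misclassify values such as 12345.67.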
How to Build the Business Case
SAP Value Engineering Can Assist

Tangible Benefits*                                      % Impact
Operating Costs
  Reduce losses / risk events                           25-75%
  Reduce insurance premiums                             10-30%
  ERM productivity improvements                         30-60%
  Reduce borrowing costs                                 0-40%
Revenue
  Increase success rate of new initiatives/strategies   10-25%
Working Capital
  Reduction in reserves to cover risk appetite          10-30%

* Benchmarks from SAP's Case Studies and Success Stories
UHY Advisors, LLP
“SAP GRC Risk Management
provides a best-practice
framework so we can identify,
analyze, respond to, and monitor
obstacles to reaching our firm's
growth objectives.”
Norman Comstock, Managing Director, Technology Assurance and
Advisory Services (TAAS), UHY Advisors, Inc.
Challenge
Formal solution to identify, analyze, respond, and
monitor risks
Needed to identify and analyze risks to business
performance and strategy
Continuously monitor risk profiles
Why SAP?
Formal risk solution that aligns business processes
and business goals/objectives
Holistic, integrated, enterprise-wide risk management
platform
Ability to leverage operational data to help expose,
manage, and respond to risks
Results
Access to actionable risk management data to make
more informed decisions
Improved level of risk awareness to strategy
Increased consistency in risk management
methodology, communication, and risk appetite
We Drink Our Own Champagne
GRC Risk Management saves SAP AG €3 million annually

Challenges and Opportunities
• Lack of consistent, structured risk management processes
• Reactive approach to risk management, resulting in "fire-fighting" instead of prevention
• Requirement to comply with financial reporting regulations of the Sarbanes-Oxley Act of 2002
Objective
• Set up single repository for risk management data
• Increase speed of response to business threats
• Reduce occurrence of issues resulting in loss
Implementation Highlights
• 1,400 users across the organization
• Assistance from the SAP Custom Development organization
Why SAP
• Lack of required functionality in software offered by other vendors
Benefits
• Improved visibility of risk exposure across the organization
• Increased risk awareness, resulting in better-informed decisions
• A cut of €3 million in insurance premiums year on year
• Dramatic reduction in number of insurance claims annually
• Industry recognition for management excellence: winner of European Risk Management award

"SAP GRC Risk Management differentiates us from other high-tech vendors and helps to drive down our insurance premiums. As a result, we're making annual savings of approximately €3 million."
George Haitsch, Vice President, Corporate Risk, Global Risk Management, SAP AG

QUICK FACTS
SAP AG
Location: Walldorf, Germany
Industry: High Tech
Products and Services: Business software
Revenue: €9.4 billion
Employees: 39,355
Web Site: www.sap.com
SAP Solutions and Services: SAP GRC Risk Management application
Questions
Contact Info
Ranga Bodla, Sr. Director, Governance, Risk and Compliance – SAP
Email: [email protected]
Phone: 650.796.8252
For more information: http://www.sap.com/usa/riskmanagement
Michael Rasmussen, J.D., President, Risk & Compliance Advisor – Corporate Integrity
Email: [email protected]
Phone: 888.365.4560
For more information: http://www.corp-integrity.com/