SAP BusinessObjects GRC Solutions
We are the G-R-C in GRC !
Axel Streichardt
Director Solution Marketing – SAP BusinessObjects GRC
© SAP 2008 / Page 2
Agenda
1. SAP BusinessObjects GRC and the problem it solves
2. Benefits to customers using SAP BusinessObjects GRC
3. SAP BusinessObjects GRC Solutions overview
4. Summary and next steps
The SAP® BusinessObjects™ Portfolio
Information Management
- Data Integration
- Data Quality Management
- Master Data Management
- Metadata Management
Governance, Risk, and Compliance
- Risk Management
- Access Control
- Process Control
- Global Trade Services
- Environment, Health and Safety
Business Intelligence
- Reporting
- Query, Reporting, and Analysis
- Dashboards and Visualization
- Search and Navigation
- Advanced Analytics
Enterprise Performance Management
- Strategy Management
- Planning, Budgeting and Forecasting
- Profitability and Cost Management
- Consolidation
- Spend and Supply Chain
What problems are we solving?
Maximize Strategic and Operational Performance
Today, companies spend a lot of time and effort to manage their regulations and policies with insufficient results and without addressing all types of business risks
- Excessive time, effort and cost for compliance
- Lack of confidence and visibility
- Non-scalable control management
- Late detection of fraud and increased risk
Regulations, Policies
Risks
Controls
Management Instrument
Good Governance has an Impact on Credit Ratings
To meet Standard & Poor’s requirement, a formal Enterprise Risk Management process must be in place covering business risk (not just compliance)
Starting Q3 2008, all enterprises will be evaluated on their ERM practices, and in Q2 2009 the ERM score will impact credit rating calculations
Poor ERM scores could substantially impact an enterprise’s cost of capital
1 Year Credit Spread for Industrial Companies, Source: S&P
For example:
- Drop from A to BBB+ = 70% increase in cost of capital
- Drop from BBB to BBB- = 75% increase in cost of capital
GRC as Proof of Good Governance: Effective and Efficient Management
- Multilateral Instrument 52-111
- Toxic Substances Management
- (ITAR) International Traffic in Arms Regulations, 22 CFR 120-130
- (EAR) Export Administration Regulations, 15 CFR Chapter VII
- US Customs Regulations, 19 CFR
- International Emergency Economic Powers Act (S. 1612)
- Sarbanes-Oxley
- Data Privacy Laws: CA-SB 1386, HIPAA, Gramm-Leach-Bliley Act, COPPA
- Switzerland: Corp. Governance SWX, Code of Obligations
- EU: Foreign Trade Administration Act
- EU Company Law Directives 4, 7, and 8
- EU: REACH Registration, Evaluation, and Authorization of Chemicals
- German Customs Administration Law
- European Data Protection Directive
- Foreign Exchange Order
- JSOX
- Hong Kong: Code on Corporate Governance Practices
- PNEMEN National Policy of Exports of Military Goods
- King II Report
- Clause 49 of the Listing Agreement
- Regulation 13E of the Customs (Prohibited Exports) Regulations
- Corporate Law Economic Reform Program (CLERP) 9
- Hazardous Waste Act
- Air Toxics NEPM
GRC to ensure Compliance with regulatory mandates
Compliance
Examples of Regulations across Industries and Regions
Errors and Irregularities
What is the damage caused by fraud and errors?
Economic Crime
ACFE (Association of Certified Fraud Examiners):
- Average fraud loss: 7% of annual revenue
PwC Global Economic Crime Survey 2007:
- Over 43 percent of the companies interviewed reported suffering one or more significant economic crimes.
- The average loss from fraud per company increased nearly 40 percent in two years from roughly US$1.7 million in 2005 to approximately US$2.4 million in 2007.
Estimates are hard to get, due to
- Grey zone of criminal behavior
- High number of unreported cases
- Significant subsequent damages (Brand, Image, …)
Employee Errors
More frequent than “crime”
Insufficient process controls can result in
- Procurement Errors
- Overpayments to Vendors
- Excessive Rebates to Customers
- Changes to Payment Terms
- …
Estimates are hard to get
Not just for regulatory or liability reasons, but also plain good business sense for any organization
GRC Today
Dispersed, inefficient, ineffective, siloed
Compliance Team
Management & Executives
Testing controls manually
SOD violations
No risk overview
How efficient are controls?
What are our risks?
Where do we stand?
How can we improve?
Performance overview
IT Department
Various tools
Disconnected solutions
Consolidate results from multiple sources
What is our strategy?
Why is this important?
What are the causes?
Fragmented and manual control environment:
- Multiple systems, widespread use of Excel, Word documents, email…
- Responsibilities in silos for testing, monitoring and certifying: lack of best practices
Insufficient visibility on the status of risks in the enterprise:
- No commonly defined KRI across groups and departments
- Missing tools to monitor and consolidate risks
Costs are increasing – Low ROI:
- Increased efforts to comply with regulations worldwide
- No common platform to address all aspects of GRC
No monitoring in place:
- Late detection of deficiencies and tedious remediation process
-> Exposure to fraud estimated to represent 5 to 7% of revenue in large enterprises (Source: ACFE Report to the Nation 2008)
“Governance, risk, and compliance professionals require systems that generate a “single version of the truth” and the information necessary to succeed in this new environment.”
– O.C.E.G. Study: “Using Technology To Build Your GRC System”
“If detective procedures are not in place, frauds that are discovered will require more investigative effort and result in greater loss.”
– Compliance Week: “Establishing Accountability for Your Antifraud Efforts”
Send out paper-based documentation surveys for completion
Save documents and spreadsheets to local file servers
Create test plan
Receive test instructions via email
Perform manual tests based on verbal instructions
Consolidate results from multiple sources
What do we need to test?
Who should perform the test?
What am I supposed to do?
Why is this important?
Where do we stand?
How can we improve?
Provide compliance platform
Automated control testing
Manage risks effectively and efficiently
Reports and dashboards
Compliance Team, IT Department, Management & Executives
-> Complete, Enterprise-wide GRC Solution
Unified and integrated applications for the entire IT landscape
Better overview of performance and alignment of strategy and performance
Reduced cost of compliance with automated controls and streamlined testing
Better managed risk thanks to robust control management and remediation
GRC Tomorrow
Unified, cost-effective, risk-driven
Mitigate risk through effective controls and remediation
- Increase fraud prevention and timely detection through on-going monitoring of business systems.
- Use comprehensive reports and dashboards to monitor control activities, risks and issue status.
- Standardize on a common language for risk and compliance.
Reduce cost and improve compliance
- Automate control testing and monitoring across heterogeneous environments with “out-of-the-box” rules.
- Integrated solution stack for seamless data and information exchange.
- Open regulatory framework to adapt quickly and easily to new compliance issues.
Improve executive confidence with enterprise-wide control and risk management
- Provide real-time visibility of control effectiveness and remediation of key issues, eliminating surprises.
- Align corporate strategic objectives with policies and controls.
- End-to-end compliance from network level to executive review.
Complete, Enterprise-wide GRC to maximize strategic and operational performance
SAP BusinessObjects GRC
How it solves the problem
Compliance Trends
Analyst quotes for GRC trends
By 2010, auditors will expect regulated organizations to detect fraud by performing transaction monitoring on a continuous basis, and 60% of regulated firms will have such an automated process in place. [1]
The demand for SOD functionality will grow through 2010 as organizations look to automate controls for efficiency and cost savings. [1]
Financial GRC alone will grow >20% for 2008.2011, reaching over $4.6 billion by 2011. [3]
Size of the GRC market in 2008 at approximately $52.1 billion [4]
Risk management is now the new compliance, equaling or exceeding financial governance in influence and spending. [2]
[1] Gartner, Inc. “MarketScope for Segregation of Duty Controls Within ERP and Financial Applications” by Paul E. Proctor et al, September 25, 2008
[2] AMR – The Governance, Risk Management, and Compliance Spending Report, 2008–2009: Inside the $32B GRC Market – John Hagerty
[3] IDC – Kathy Wilhide
[4] Michael Rasmussen - 2008 GRC Drivers, Trends, & Market Directions – Corporate Integrity
Minimized audit time and resources
Repeatable framework for risk-based analysis
Automate key processes and controls
Reduce Compliance Costs
Unified process, compliance and risk methodologies
Increased visibility across impact of risk
Maximize Strategic and Operational Effectiveness
Benefits
Continuous monitoring of compliance and risks
More reliable, trustworthy risk and compliance data
Standardized risk and compliance methodologies
Improve Predictability and Performance
Alignment of risk and strategy management
Customer Leadership - SAP solutions for GRC across all Industries
Manufacturing, Retail, CPG, Media/Entertainment, Telco
Energy, Technology, Healthcare, Food & Beverage, Other
Financial
Plan: Drive agreement on top risks, thresholds, and appetite
Identify & Analyze: Identify and assess all key risks across the enterprise
Respond: Create resolution strategies for top risks that maximize return on capital
Monitor: Build proactive monitoring into existing business processes and strategies
SAP BusinessObjects Risk Management
Risk-adjusted management of enterprise performance
Protect existing value
- Streamline cross-enterprise risk identification, analysis, and mitigation
- Prevent incidents and losses through automatic risk monitoring
Create new value
- Increase the success of strategies and initiatives
- Improve performance through risk-adjusted forecasts and plans
Increase enterprise transparency
- Ensure business units operate within appropriate risk appetite
- Improve governance by aligning business processes, risks, and controls
SAP BusinessObjects Access Control
Control access and authorizations across your enterprise
Analyze and Remediate
Enterprise role management
Analyze and remediate risk
Compliant user provisioning
Document and Audit
Identity Management
Automate Reviews
Model and Control
Superuser privilege management
SoD Rules & Regulations, Corporate Policies, Best Practices
Embed cross-function
FIN SCM SRM MFG HR
Manage by exception
Collaborate across functions
Protect information and prevent fraud
- Automatically eliminate access and authorization risks with out-of-the-box rules
- Enforce segregation of duties across applications and departments
- Prevent improper access instead of reacting to problems
Optimize operations
- Automate segregation of duties management
- Automate access management
- Promote IT and Line of Business collaboration
- Enforce accountability with review and approval processes
Ease compliance and avoid authorization risk
- Minimize time and cost for financial compliance
- Provide proof and reliability with control tests and audit trail for SOD controls
- Report and review key risk indicators for system access
Embed and Execute
Provide proof
Streamline audits
Embed cross-platform
SAP BusinessObjects Process Control
End-to-end, cross enterprise business process control
Mitigate risk with effective controls and remediation
- Increase fraud prevention, timely detection with on-going monitoring
- Monitor control activity with comprehensive reports, dashboards
- Resolve exceptions efficiently with workflow-driven issue identification and remediation
Reduce cost and improve compliance
- Automate control testing, monitoring across SAP & non-SAP systems with “out-of-the-box” rules
- Shorten audit cycles with optimized compliance activities
- Streamline manual evaluation, issue identification, remediation with automated task notifications
Improve executive confidence with enterprise-wide control management
- Provide real-time visibility of control effectiveness and remediation
- Unify control management with a single system of record
- Enforce accountability with review, certification, sign-off of processes across the organization
Certify
Perform Assessments
Test Automated Controls
Test Manual Controls
Document, Test, Monitor
Certify and Sign Off (302, 404,…)
Remediate Issues
Control Environment: Process-Control-Objective-Risk
Monitor exceptions
IT Infrastructure
Business Processes
…
SAP BusinessObjects Global Trade Services
Streamline your cross-border transactions
Ensure full regulatory trade compliance
- Enable standardized, enterprise-wide trade compliance processes
- Streamline export/import license management and embargo checks
- Gain visibility with reporting/monitoring
Accelerated Cross-Border Transaction
- Reduce cycle time and costs using seamless integration with logistics processes and expedited inbound/outbound customs clearance
Mitigate financial risk and improve profit
- Exploit trade preference agreements by determining eligibility of products
- Mitigate the financial risk of international trade with letter of credit management
Restitution, Trade Preference, Import Management, Export Management
Letter of Credit Management
Outbound Customs Clearance
Product Classification
Electronic Compliance Reporting
Product Classification
Electronic Compliance Reporting
Inbound Customs Clearance
Securities and License Handling
Restitution Recipes Handling
Restitution Calculation
Preference Determination
Vendor Declaration Handling
Letter of Credit Management
Customer Declaration Handling
Product Stewardship, Chemical Compliance, Environmental Compliance, Worker Health & Safety
Ensure environmental compliance
- Monitor evolving stakeholder requirements and local, regional, national, and international regulations
- Automatically prepare and validate regulatory reports for EH&S issues
Align operations with sustainability standards
- Monitor and report regulated emissions and chemical use
- Implement responsible operations and product design to align with community and customer expectations
Monitor workplace safety
- Track health and safety concerns against organizational and regulatory thresholds
- Proactively prevent accidents and reduce insurance costs
SAP EH&S Management
Ensure environmental, health, safety oversight
DEMO
Effective Monitoring of Exceptions and Remediation
Summary
Benefits
Streamlined Documentation
Report and Certify with confidence
Reduced Risk:
- Lower fraud-related loss
- Faster remediation
- Improved business processes and overall performance
Reduced Cost of compliance:
- Automation / Monitoring frees up resources for value tasks
- Shorter audit cycles
- Streamlined evaluations
- Lower TCO
Improved confidence:
- Visibility / Real-time information
- Single version of the truth
- Reinforced accountability
Cost-efficient Testing and Evaluation
…
Remediation
Exceptions
Top 5 Reasons to Buy From SAP
Unified Solution
- Single-Sourced
- Unified process, compliance and risk methodologies
- Drive visibility across processes and functions
- “…from strategic risk assessment to operational-level control…”
Integrated and Automated Solution
- Leverage information that exists in your enterprise systems already
- Automatically monitors risks and controls in heterogeneous IT landscapes
- Increased reliability and confidence in state of controls through automation
- Embedded testing and monitoring
Most Comprehensive Solution
SAP uniquely combines all the essential capabilities to implement a fully integrated, highly automated risk-driven internal control system
- Documentation of controls
- Documentation of all enterprise risks
- Automated testing of controls
- Automated monitoring controls
- Automated monitoring of key risk indicators
- Proactive risk remediation / mitigation
- Proactive control failure remediation / mitigation
Unique ability to provide visibility, transparency and proactive management from strategic risk assessment to operational-level control.
Key Step En Route To Building The Bridge Between Strategy and Execution
- “…executives know what they are asking for and employees know what to do…”
- Proof that the linkage is working
- Proof to the auditors
SAP has the “gravitational pull” for a global GRC ecosystem
- Global Trade Services
- Environment, Health and Safety Management
- Data Privacy by SAP and Cisco
- …
For more information
See www.SAP.com/GRC for:
GRC information
Solution Brief, Solution in detail, etc.
Customer Case Studies
Talecris
Benetton
Ryerson
Online self-running Demo
Information on all other SAP's GRC applications
Risk Management
Access Control
Global Trade Services
Environment, Health and Safety Compliance Management