Title of the Presentation This is the Subtitle · Business Suite GRC Real time Integration across...

Effective Cross-Enterprise Governance, Risk and Compliance: How SAP helps customers achieve a unified approach to GRC Ranga Bodla Governance, Risk & Compliance Solution Marketing

Page 1:

Effective Cross-Enterprise Governance, Risk and Compliance: How SAP helps customers achieve a unified approach to GRC

Ranga Bodla

Governance, Risk & Compliance Solution Marketing

Page 2:

Speakers

Ranga Bodla, Sr. Director, Governance, Risk and Compliance – SAP


650.796.8252

Jerry Helton, Sr. Director, Greenlight Technologies


407.405.6869

© SAP 2008 / Page 2

Page 3:

Agenda

• Objective overview of how to successfully prioritize, manage and analyze multi-platform compliance initiatives with real life case studies.

• Attendees will develop an understanding of leading best practices to help organizations stay compliant and manage enterprise risk

• Attendees will also get an overview of various solutions to achieve a unified view of enterprise compliance

Page 4:

GRC often crosses across the enterprise

[Diagram. Governance, Risk mgmt. and Compliance labels repeated across: Board of directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy mgmt., Audit and compliance, Treasury; U.S., Germany, Japan, U.K., France, China, Canada, India; HCM, Financials, Manufacturing, Sourcing, Supply chain, Sales, Marketing, Service, Billing; SOX, JSOX, Credit risk, OSHA, MSHA, Revenue recognition, FDA, ROHS, WEEE, Kyoto]

Page 5:

The IT Management Nightmare

CMO, CSO, VP Customer Service, VP R&D, VP Mfg / COO, VP Supply Chain / COO, VP Procurement, VP HR, CFO, CIO

All areas of the organization are affected by Regulatory Requirements

IT is forced to come up with approaches for all of these driving the cost of compliance

Proof of Compliance is required

Business Processes are the “connector” across silo organizations

[Diagram labels: Financial; Labor, Environmental, Health, Industry Specific; Clean Air; RCRA; FMLA; FDA; ERISA; Customs; Waste / Superfund (SARA); FAA; OSHA; ISO; Clean Water; REACH; FERC; NERC; Privacy; Anti-spam; SOX; OMB A-123; ISO/IEC 27001; AS8015-2005; HIPAA; GLBA; PCI DSS; Basel-II; Security]

Page 6:

© SAP 2009 / Page 6

Typical Approach to Addressing GRC

[Diagram. Labels: People – Middleware; User Management; Archive; Work Flow; Business Intelligence; Portal (repeated per system)]

GRC is layered on top of and/or separate from the core business processes

Page 7:

Unified Approach Optimizes Performance

Embedding GRC in the Process

[Diagram. Labels: People – Middleware; User Management; Archive; Work Flow; Business Intelligence; Portal (repeated per system)]

GRC Management By Exception: Proactive & Preventative

Page 8:

Effective GRC must go across the enterprise

Compliance Across Heterogeneous Applications and Systems

Cross-Application

PeopleSoft

Hire-to-Retire

Reconcile-to-Report

Procure-to-Pay

Order-to-Cash

Production-to-Delivery

Cross-Functional

SAP Cross-Application Support

Page 9:

Maximize Strategic and Operational Performance

SAP BusinessObjects Solutions for GRC

Increase visibility across risk and compliance initiatives

Standardize on a common language for risk and compliance

Align controls with strategic objectives

Monitor performance against requirements

Reduce cost

Design and implement automated controls to support any framework

Move to automated testing of controls

Manage the effectiveness of controls at any time, across any system

Manage risk across the enterprise

Unify management of strategic, financial, operational and compliance risks

Identify and manage risks before they impact the business

Proactively monitor risk across end-to-end business processes

Governance

Controls & Compliance

Risk Management

Page 10:

Leverage GRC Across SAP and Non-SAP

[Diagram. Labels: ORCL, PSFT, JDE, HYP, Siebel, Baan, Legacy; Security Models; False Positives; Controls Content; Mitigating Controls; Change Controls; ResQ; Ad-hoc Reports; Business Suite; GRC]

Real time Integration across all Enterprise Systems

Page 11:

Greenlight Technologies

Trusted co-development partner providing leading GRC control automation solutions since 2004

Over 70 Enterprise customers

GRC-Middleware solution

Industry’s most comprehensive automated controls portfolio

Oracle, Peoplesoft, Hyperion, JDE, Ariba, I-many and Legacy systems

Real-Time, cross platform continuous compliance

SAP Relationship

Certified SAP software partner

Solutions powered by NetWeaver

Page 12:

SAP-Greenlight Partnership

Greenlight is a global provider of real time, cross platform connectors for SAP GRC

[Diagram. Labels: Market Specific; Application Specific; HIPAA; FDA; FCPA; NERC; Basel II; Order to Cash; Procure to Pay; GR to production; Master Data; Transaction Controls; Inventory; Warehouse and QA; Hire to Retire; Access Control; Connectors; RTAs; Automated GRC Controls; Legacy Systems; RTA Design Studio; ResQ]

• SOD Risk Analysis

• Compliant User Provisioning

• Business Transaction Controls

• Super User Management

Over 25 Connectors

• Oracle, PSFT, JDE

• Hyperion, Siebel, Ariba, Lawson,

• And multiple third party applications

Page 13:

Solution Approach

Consolidation and monitoring of enterprise access risk across non SAP systems all from a SINGLE SAP GRC platform

Leverage SAP GRC and Greenlight connectors integration to have unified, preventive, automated compliance management for financial and day to day operational controls

Real time architecture enables alerts and preventive access controls

STOP the violations before they occur

Rollout Plan

Security setups assessment, role/task based security definitions, user groups etc.

SOD risk identification and analysis (ex. Financial, Charge-back, Contracts, FDA risks for Pharma)

Residual risk analysis

Risk mitigation process, business users empowerment

Utilize RTA Design Studio to deploy SOD and Compliant User Provisioning connector for any/all future systems

Page 14:

RTA Design Studio

Greenlight introduces a New, Innovative, “Patent Pending” Technology

Page 15:

SAP & Greenlight Case Study # 1

NEEDS:

Significant non SAP landscape

Oracle, Hyperion, Legacy systems

Automate SOD risk analysis, compliant provisioning and superuser access to non SAP systems

Saving of time and resource costs

>1700 roles in non SAP (Oracle) makes manual analysis impossible

19,000 users across 7 SAP landscapes including R/3, APO, HR, and SEM

RESULTS:

Implemented Greenlight Real Time Agent (RTA) solutions for SOD risk analysis, compliant provisioning

External auditor helped validate rule set

Clean Access process, Moved from detective to preventive

Expanding the coverage to Legacy systems and ResQ (superuser-Oracle)

Page 16:

SAP & Greenlight Case Study # 2

NEEDS:

Significant non SAP landscape

Oracle, JDE, Bookmaster and 20+ Legacy systems

Integrate SAP GRC with non SAP systems for SOD risk analysis and superuser access for Oracle

Automate legacy manual batch extraction for SAP GRC

Reliable Audits, Saving of time and resource costs

>1400 roles in system (Oracle)

15,000 users within Oracle

RESULTS:

Implemented Greenlight RTA solutions for SOD risk analysis for Oracle

Clean SOD risk analysis, results validated

Next phase includes ResQ (Oracle-Superuser) and Greenlight Design Studio for Legacy systems

[Diagram labels: RTAs; Automated batch extraction]

Page 17:

Proven Customer Savings in Cross Platform integration

Delivering Significant Reductions in Cost and Labor

[Bar chart: Average Value Reported, axis 0% to 45%. Categories: Reduction in audit report findings for security; Reduction in time cleaning up audit report findings for security; Reduction in time spent on external/internal audit; Reduction in time spent managing authorization risk; Reduction in internal/external audit costs; Reduction in costs on managing user authorization risk. Values shown: 35%, 28%, 44%, 36%, 41%, 39%]

Page 18:

Value Proposition of Integrated GRC

Consistent and Real time visibility of enterprise risk and compliance throughout the enterprise to achieve preventive compliance

SOD Risk analysis, compliant provisioning across the enterprise systems from SAP GRC

Real time, preventive, Cross-System compliance

Optimized and efficient audits – SIGNIFICANT savings of costs and time

Expanded audit scope and transparency for all the business processes and systems within the company

Immediate ROI, Reliable and Consistent compliance

Leverage existing IT investment - No additional Hardware

Page 19:

Getting Started: GreenLight Remote Risk Assessment

No Cost, No Risk, Partner-Enabled GRC Sales Opportunity

Demonstrate the value of cross-platform GRC using the customer’s own data

Real Time Cross Platform SAP GRC and SOD risks (GreenLight’s Access Control demo environment)

Supported by both SAP and GreenLight technical resources

Jerry Helton

Senior Director, Markets Development

270 South Main Street

Flemington NJ 08822

Tel: 908-782-5700 x 122

Cell: 407-405-6869


Page 20:

Questions

Page 21:

Contact Info

Ranga Bodla, Sr. Director, Governance, Risk and Compliance – SAP


650.796.8252

Jerry Helton, Sr. Director, Greenlight Technologies


407.405.6869
