expert guidance to minimize operational risk · 2011-05-16 · director, business systems...

Expert Guidance to Minimize Operational Risk Ram Krishnan SAP

Post on 23-Mar-2020


Page 1: Expert Guidance to Minimize Operational Risk · 2011-05-16 · Director, business systems continuous improvements Director, SAP Applications Customer Research Identifying our business

Expert Guidance to Minimize Operational Risk

Ram Krishnan

SAP

© 2011 SAP AG. All rights reserved. 2

Agenda

Business Case for Operational Risk Management (ORM)

Managing Operational Risk with Enterprise GRC (eGRC) Solutions

Q & A

Business case for operational risk management (ORM)

Some statistics to consider

Operational risk is real

accidents per year

product safety losses per year

Up to

loss per incident caused by regulation violations

Companies are suffering catastrophic losses

Examples

BP – Texas City

March 23, 2005

Explosion during restart of processing unit after maintenance

15 dead

170 injured

$21 million OSHA fine - 2005

$2.3 billion estimated loss

$87 million OSHA fine - 2009

Imperial Sugar

February 7, 2008

Dust explosion due to poor ventilation and lack of proper preventative maintenance

14 dead

60 injured

$180 million - $220 million estimated loss

$7.7 million OSHA fine

Tesoro – Anacortes

April 2, 2010

Cause not yet known – occurred during maintenance activities

6 dead

Production losses ongoing ($1.6 million estimated to date)

Investigation ongoing

Operational risk is poorly managed

Gap and opportunity for innovation

[Chart: How well are top risks managed? Bars on a 0% to 100% scale, with legend Fully / Partially / Ad hoc or don't know, for these top risks: Supply chain disruptions; Technology risk -- operational; Episodic or catastrophic risk; Reputational risk; Market risk; IT risk; Credit and fraud risk; Compliance risk including financial reporting risk (e.g., regulatory); Liquidity risk. The risks are grouped as "Traditional" and "Nonfinancial: operational and environmental risk".]

Source: IBM Institute for Business Value, 2008

Overarching business problem

Unwanted events, large and small

Unwanted events are a huge problem for anyone who has an asset-intensive business due to direct costs, compliance penalties, and reputational costs.

People and companies struggle with achieving “zero harm”

Complex organizations and operational settings create demanding challenges

Resources for management of risks are limited; prioritization and focus of activity are critical

People don’t always do what they are supposed to do – ongoing behavioral modification is key

How can a company ensure that the “right things” get done?

How does a company know what the “right things” are?

Customer Research

Identifying our business case in customer needs

Roles: Facility manager; Safety and health business advisor; Director, business systems continuous improvements; Director, SAP Applications; VP, safety; Maintenance manager; Production manager; Director, safety management systems; Safety and sustainable development operations manager; Area manager for facility operations; Risk management expert; Safety manager for gas operations; EH&S consultant; Director, product safety and health; Safety manager

Industries: Mining; Energy utility; Upstream oil and gas; Mill; Chemicals; Food and beverage

Countries: United States; Canada; South Africa; France; Norway

Volume: 20 customers; 2 partners; > 50 interviews; > 2,000 data points; 6 site visits

User needs

Users cut across companies and communities

Execs

“How do I know if our risk level changes, gets worse?” and “Are we meeting our plan to manage risk?”

Managers

“How do I manage the dynamic world of the factory floor to stay within company’s target risk level?”

Workers

“How do I get the information and tools I need so I can do my job, in line with company’s established risk controls?”

Citizens

“How do I get the information I need so I can achieve a level of comfort with the company’s operations?” and “How can I help the plant be safer and have a lower impact?”

Current Scope

Road map

Managing operational risk with enterprise GRC (eGRC) solutions

The goal: continuous risk-adjusted management of enterprise performance

I can see how strategy changes affect our risks – and know what to do.

With automated processes, the data we need is at our fingertips.

I have the information to prevent risks and ensure compliance.

Operational risk management

Ensure safe and sustainable business operations

SAP differentiators

SAP solution

Embed risk and compliance activities into operational processes and systems

Maximize impact of risk mitigation capital by providing line of business managers better insight into status of top risks

Risk planning: Define business context (assets, tasks, locations, and persons)

Risk assessment: Perform business, context-based risk assessments

Risk response: Prepare risk reduction action plans (notifications, projects, and workflows)

Risk monitoring: Communicate risk levels and response effectiveness

Identify operational risks for specific assets, tasks, locations, and persons

Analyze and evaluate operational risks for specific assets, tasks, locations, and people.

Create resolution strategies for top operational risks that maximize return on capital

Communicate risk levels and control measures, within the context of specific assets, tasks, locations, and persons to affected people and stakeholders

Risk planning

Define the context for managing operational risks by identifying assets, tasks, locations, persons, and business activities to be assessed.

Process steps (1, 2, 3)

Set and align business objectives to organizational entities

Define risk classification system

Document risk management structure, policies, roles, and responsibilities

Create and manage risk content and key risk indicator (KRI) templates

Define impact and benefit categories

Define activity categories

Map risks to business context, such as assets, tasks, locations, and persons

Define risk-relevant business activities

Identify key business objectives and initiatives

Assign key performance indicators (KPIs) to monitor objectives and initiatives

Set up risk appetite and threshold levels

Define business context

Relate risks and responses with assets, tasks, locations, persons, etc.

Risk: control Hierarchy Object

Injuries resulting from working with harmful and/or toxic acids

EAM task lists Pipe maintenance

EHSM locations Plant A

HCM org hierarchy

HCM responsibility …

EAM assets

Industrial hygiene monitoring for chemical exposures

Training programs (chemicals, PPE, procedures, etc.)

Hazardous substance list Acid ABC

Pipe 1531

Plant maintenance

PPE equipment available and in use

1:M

M:M

Define business context

Relate risks and responses with assets, tasks, locations, persons, etc.

Configure “context” dimensions for SAP Business Suite software “master data” entities

Configure “connectors” for each “dimension” with appropriate “search / filter” criteria to assign “context values”

“Context” tab is enabled for risks, responses, risk templates, and response templates

Risk assessment

Identify and analyze the impact of operational risk events on the business context and prioritize risks to allocate resources for risk reduction.

Process steps (1, 2, 3)

Identify risks and assign key risk indicators

Assess and model risk events

Conduct collaborative and survey-based assessments

Update risk exposure from assessments in operational systems

Define business risk scenarios and perform what-if analysis and Monte Carlo simulations

Use risk heat maps and risk dashboards to view risk levels

Prioritize operational risks

Document risks and assign KRIs for continuous monitoring in operational systems

Create predictive indicators, using multiple data sources

Business context–based risk assessment

Risk assessments using the SAP EHS Management application

Create Risk Assessment in SAP EHS Management

Update analysis in SAP BusinessObjects Risk Management application

Perform detailed risk analysis using data collected from air monitoring, observations, and comparison with benchmarks and regulatory limits

Risk response

Perform risk-reduction actions, balancing the costs and benefits of implementing each option.

Process steps (1, 2, 3)

Document preventive and recovery response plans

Perform controls and implement response plans

Perform risk mitigations

Schedule and conduct control assessments and tests

Document issues and remediation

Perform ongoing reassessments of risks

Update responses

Validate key risks

Plan reassessment and approval cycles

Create or select existing response plans, procedures, and controls

Initiate risk reduction actions in operational systems

Balance costs and benefits of risk reduction actions

Risk response automation

Plant maintenance (PM) notification

Risk response automation triggers actions within SAP Business Suite

Example: plant maintenance (PM) notification

Create PM Notification

Risk response automation options

Plant maintenance (PM) notification

Supply chain mgmt (SCM) action

Initiate project system (PS) projects

Initiate SAP ERP workflows

System tracks progress and updates “completeness” based on status of the SAP Business Suite actions

When “completeness” is 100%, “response owner” is notified (with e-mail) to update “effectiveness”

Risk monitoring

Communicate risk levels and control measures within the context of specific assets, tasks, locations, and persons to affected people and stakeholders.

Process steps (1, 2, 3)

Monitor key risk indicators

Monitor response effectiveness and completeness

Continuously monitor response effectiveness and completeness

Track progress of response plans with notifications and alerts

Communicate risk levels and response effectiveness for business context

Document potential and actual operational incidents and losses

Analyze operational incidents database for emerging risks

View dashboards and reports on risk exposure by business objectives

Report occurred incidents, losses, and exposure

Continuously monitor KRIs to track trends and changes in risk level

Respond proactively to prevent risks from occurring

Safety and environmental risk management

Example

Business process: Environmental, health, and safety compliance management

Risk event: Major accident in facility (refinery, platform, or mining site)

Business impact

Financial – revenue and earnings (large costs for updating and maintaining facilities, loss of production)

Legal (large costs for regulatory action: fines, legal fees, settlement fees, and so on)

Reputation (disclosures, investigation, prosecution, and oversight)

Key performance indicators

Number of injuries recorded in the past 12 months

Percent of unplanned down time

Drivers

Inherently dangerous work environment

Hiring of unqualified employees and contractors

Inadequate safety-related maintenance

Key risk indicators

Number of safety near-misses

Number of employees and contractors overdue on safety training

Percent change in reducing maintenance budget

Responses

Control, Transfer, Accept, Avoid, Reduce

Monitor employees overdue for required safety training

Monitor overdue safety-related maintenance orders

Notify of approaching deadlines or overdue status for regulatory reporting

Perform self-assessments and regular safety audits or drills

Provide periodic safety training for employees

Automate due-date reminders for regulatory requirements

Outsource higher risk and regulated activities

Purchase insurance (worker’s compensation) for certain higher-risk events

Building the business case – tangible benefits

Tangible benefits* % impact

Operating costs

Reduce losses and risk events 25%–75%

Reduce insurance premiums 10%–30%

Enterprise resource management (ERM) productivity improvements 30%–60%

Reduce borrowing costs 0%–40%

Reduce controls testing cost 25%–75%

Reduce audit preparation cost 10%–30%

Reduce audit costs 30%–70%

Reduce compliance costs 30%–60%

Reduce user administration costs 50%–75%

Reduce role management and segregation of duties (SOD) costs 80%–90%

Revenue

Increase success rate of new initiatives and strategies 10%–25%

Working capital

Reduce reserves to cover risk appetite 10%–30%

* Case study and success story benchmarks from SAP

Q & A

Resources

SAP BusinessObjects solutions:

www.sap.com/usa/solutions/sapbusinessobjects/index.epx

SAP solution portfolios for industries (manufacturing):

www.sap.com/usa/industries/index.epx

SAP solutions for sustainability:

www.sap.com/solutions/sustainability/offerings/index.epx

Key points to take home

Operational risk is real and is causing companies catastrophic losses

Unwanted events are a huge problem for asset-intensive enterprises due to direct costs, compliance penalties, and reputational costs

User needs for managing operational risks cut across companies and communities

Operational risk management:

Improves operational continuity by reducing the occurrence of unexpected incidents and events, provides visibility across operational processes, improves employee well-being, and ensures a safety culture

Maximizes the impact of risk mitigation capital

Enables safe asset operations and maintenance

Operational risk management solution aligns safety, performance, and risk management, improving stakeholder visibility, manufacturing execution, and business process performance

Thank you

Contact information:

Ram Krishnan

[email protected]
