SAP BusinessObjects GRC Solutions We are the G-R-C in GRC ! Axel Streichardt Director Solution Marketing – SAP BusinessObjects GRC

Post on 16-Oct-2019


Page 1: SAP BusinessObjects GRC Solutions We are the G-R-C in GRC · impact of risk Maximize Strategic and Operational Effectiveness Benefits Continuous monitoring of compliance and risks

SAP BusinessObjects GRC Solutions

We are the G-R-C in GRC !

Axel Streichardt, Director Solution Marketing – SAP BusinessObjects GRC

© SAP 2008 / Page 2

Agenda

1. SAP BusinessObjects GRC and the problem it solves

2. Benefits to customers using SAP BusinessObjects GRC

3. SAP BusinessObjects GRC Solutions overview

4. Summary and next steps

The SAP® BusinessObjects™ Portfolio

Information Management: Data Integration; Data Quality Management; Master Data Management; Metadata Management

Governance, Risk, and Compliance: Risk Management; Access Control; Process Control; Global Trade Services; Environment, Health and Safety

Business Intelligence: Reporting; Query, Reporting, and Analysis; Dashboards and Visualization; Search and Navigation; Advanced Analytics

Enterprise Performance Management: Strategy Management; Planning, Budgeting and Forecasting; Profitability and Cost Management; Consolidation; Spend and Supply Chain

What problems are we solving?

Maximize Strategic and Operational Performance

Today, companies spend a lot of time and effort to manage their regulations and policies with insufficient results and without addressing all types of business risks

Excessive time, effort and cost for compliance

Lack of confidence and visibility

Non-scalable control management

Late detection of fraud and increased risk

Regulations, Policies

Risks

Controls

Management Instrument

Good Governance has an Impact On Credit Ratings

To meet Standard & Poor’s requirement, a formal Enterprise Risk Management process must be in place covering business risk (not just compliance)

Starting Q3 2008, all enterprises will be evaluated on their ERM practices, and in Q2 2009 the ERM score will impact credit rating calculations

Poor ERM scores could substantially impact an enterprise’s cost of capital

1 Year Credit Spread for Industrial Companies, Source: S&P

For example:

Drop from A to BBB+ = 70% increase in cost of capital

Drop from BBB to BBB- = 75% increase in cost of capital

GRC as Proof of Good Governance: Effective and Efficient Management

Compliance

Examples of Regulations across Industries and Regions

Multilateral Instrument 52-111

Toxic Substances Management

(ITAR) International Traffic in Arms Regulations, 22 CFR 120-130

(EAR) Export Administration Regulations, 15 CFR Chapter VII

US Customs Regulations, 19 CFR

International Emergency Economic Powers Act (S. 1612)

Sarbanes-Oxley

Data Privacy Laws: CA-SB 1386, HIPAA, Gramm-Leach-Bliley Act, COPPA

Switzerland: Corp. Governance SWX; Code of Obligations

EU: Foreign Trade Administration Act

EU Company Law Directives 4, 7, and 8

EU: REACH (Registration, Evaluation, and Authorization of Chemicals)

German Customs Administration Law

European Data Protection Directive

Foreign Exchange Order

JSOX

Hong Kong: Code on Corporate Governance Practices

PNEMEN National Policy of Exports of Military Goods

King II Report

Clause 49 of the Listing Agreement

Regulation 13E of the Customs (Prohibited Exports) Regulations

Corporate Law Economic Reform Program (CLERP) 9

Hazardous Waste Act

Air Toxics NEPM

GRC to ensure Compliance with regulatory mandates

Errors and Irregularities

What is the damage caused by fraud and errors?

Economic Crime

ACFE (Association of Certified Fraud Examiners): Average fraud loss: 7% of annual revenue

PwC Global Economic Crime Survey 2007: Over 43 percent of the companies interviewed reported suffering one or more significant economic crimes. The average loss from fraud per company increased nearly 40 percent in two years from roughly US$1.7 million in 2005 to approximately US$2.4 million in 2007.

Estimates are hard to get, due to: Grey zone of criminal behavior; High number of unreported cases; Significant subsequent damages (Brand, Image, …)

Employee Errors

More frequent than “crime”

Insufficient process controls can result in: Procurement Errors; Overpayments to Vendors; Excessive Rebates to Customers; Changes to Payment Terms; …

Estimates are hard to get

Not just for regulatory or liability reasons, but also plain good business sense for any organization

GRC Today

Dispersed, inefficient, ineffective, siloed

Compliance Team

Management & Executives

Testing controls manually

SOD violations

No risk overview

How efficient are controls?

What are our risks?

Where do we stand?

How can we improve?

Performance overview

IT Department

Various tools

Disconnected solutions

Consolidate results from multiple sources

What is our strategy?

Why is this important?

What are the causes?

Fragmented and manual control environment:

Multiple systems, widespread use of Excel, Word documents, email…

Responsibilities in silos for testing, monitoring and certifying: lack of best practices

Insufficient visibility on the status of risks in the enterprise:

No commonly defined KRI across groups and departments

Missing tools to monitor and consolidate risks

Costs are increasing – Low ROI:

Increased efforts to comply with regulations worldwide

No common platform to address all aspects of GRC

No monitoring in place:

Late detection of deficiencies and tedious remediation process

-> Exposure to fraud estimated to represent 5 to 7% of revenue in large enterprises (Source: ACFE Report to the Nation 2008)

“Governance, risk, and compliance professionals require systems that generate a “single version of the truth” and the information necessary to succeed in this new environment.”

– O.C.E.G. Study: “Using Technology To Build Your GRC System”

“If detective procedures are not in place, frauds that are discovered will require more investigative effort and result in greater loss.”

– Compliance Week: “Establishing Accountability for Your Antifraud Efforts”

GRC Tomorrow

Unified, cost-effective, risk-driven

Send out paper-based documentation surveys for completion

Save documents and spreadsheets to local file servers

Create test plan

Receive test instructions via email

Perform manual tests based on verbal instructions

Consolidate results from multiple sources

What do we need to test?

Who should perform the test?

What am I supposed to do?

Why is this important?

Where do we stand?

How can we improve?

Provide compliance platform

Automated control testing

Manage risks effectively and efficiently

Reports and dashboards

Compliance Team

IT Department

Management & Executives

-> Complete, Enterprise-wide GRC Solution

Unified and integrated applications for the entire IT landscape

Better overview of performance and align strategy and performance

Reduced cost of compliance with automated controls and streamlined testing

Better managed risk thanks to robust control management and remediation

SAP BusinessObjects GRC

How it solves the problem

Mitigate risk through effective controls and remediation

Increase fraud prevention and timely detection through on-going monitoring of business systems.

Use comprehensive reports and dashboards to monitor control activities, risks and issue status.

Standardize on a common language for risk and compliance.

Reduce cost and improve compliance

Automate control testing and monitoring across heterogeneous environments with “out-of-the-box” rules.

Integrated solution stack for seamless data and information exchange.

Open regulatory framework to adapt quickly and easily to new compliance issues.

Improve executive confidence with enterprise-wide control and risk management

Provide real-time visibility of control effectiveness and remediation of key issues, eliminating surprises.

Align corporate strategic objectives with policies and controls.

End-to-end compliance from network level to executive review.

Complete, Enterprise-wide GRC to maximize strategic and operational performance

Compliance Trends

Analysts' quotes for GRC trends

By 2010, auditors will expect regulated organizations to detect fraud by performing transaction monitoring on a continuous basis, and 60% of regulated firms will have such an automated process in place. [1]

The demand for SOD functionality will grow through 2010 as organizations look to automate controls for efficiency and cost savings. [1]

Financial GRC alone will grow >20% for 2008–2011, reaching over $4.6 billion by 2011. [3]

Size of the GRC market in 2008 at approximately $52.1 billion [4]

Risk management is now the new compliance, equaling or exceeding financial governance in influence and spending. [2]

[1] Gartner, Inc. “MarketScope for Segregation of Duty Controls Within ERP and Financial Applications” by Paul E. Proctor et al, September 25, 2008

[2] AMR – The Governance, Risk Management, and Compliance Spending Report, 2008–2009: Inside the $32B GRC Market – John Hagerty

[3] IDC – Kathy Wilhide

[4] Michael Rasmussen – 2008 GRC Drivers, Trends, & Market Directions – Corporate Integrity

Minimized audit time and resources

Repeatable framework for risk-based analysis

Automate key processes and controls

Reduce Compliance Costs

Unified process, compliance and risk methodologies

Increased visibility across impact of risk

Maximize Strategic and Operational Effectiveness

Benefits

Continuous monitoring of compliance and risks

More reliable, trustworthy risk and compliance data

Standardized risk and compliance methodologies

Improve Predictability and Performance

Alignment of risk and strategy management

Customer Leadership - SAP solutions for GRC across all Industries

Manufacturing, Retail, CPG, Media/Entertainment, Telco, Energy, Technology, Healthcare, Food & Beverage, Other, Financial

SAP BusinessObjects Risk Management

Risk-adjusted management of enterprise performance

Plan: Drive agreement on top risks, thresholds, and appetite

Identify & Analyze: Identify and assess all key risks across the enterprise

Respond: Create resolution strategies for top risks that maximize return on capital

Monitor: Build proactive monitoring into existing business processes and strategies

Protect existing value

Streamline cross-enterprise risk identification, analysis, and mitigation

Prevent incidents and losses through automatic risk monitoring

Create new value

Increase the success of strategies and initiatives

Improve performance through risk-adjusted forecasts and plans

Increase enterprise transparency

Ensure business units operate within appropriate risk appetite

Improve governance by aligning business processes, risks, and controls

SAP BusinessObjects Access Control

Control access and authorizations across your enterprise

Analyze and Remediate

Enterprise role management

Analyze and remediate risk

Compliant user provisioning

Document and Audit

Identity Management

Automate Reviews

Model and Control

Superuser privilege management

SoD Rules & Regulations

Corporate Policies

Best Practices

Embed cross-function

FIN SCM SRM MFG HR

Manage by exception

Collaborate across functions

Protect information and prevent fraud

Automatically eliminate access and authorization risks with out-of-the-box rules

Enforce segregation of duties across applications and departments

Prevent improper access instead of reacting to problems

Optimize operations

Automate segregation of duties management

Automate access management

Promote IT and Line of Business collaboration

Enforce accountability with review and approval processes

Ease compliance and avoid authorization risk

Minimize time and cost for financial compliance

Provide proof and reliability with control tests and audit trail for SOD controls

Report and review key risk indicators for system access

Embed and Execute

Provide proof

Streamline audits

Embed cross-platform

SAP BusinessObjects Process Control

End-to-end, cross enterprise business process control

Mitigate risk with effective controls and remediation

Increase fraud prevention, timely detection with on-going monitoring

Monitor control activity with comprehensive reports, dashboards

Resolve exceptions efficiently with workflow-driven issue identification and remediation

Reduce cost and improve compliance

Automate control testing, monitoring across SAP & non-SAP systems with “out-of-the-box” rules

Shorten audit cycles with optimized compliance activities

Streamline manual evaluation, issue identification, remediation with automated task notifications

Improve executive confidence with enterprise-wide control management

Provide real-time visibility of control effectiveness and remediation

Unify control management with a single system of record

Enforce accountability with review, certification, sign-off of processes across the organization

Certify

Perform Assessments

Test Automated Controls

Test Manual Controls

Document

Test

Monitor

Certify and Sign Off (302, 404, …)

Remediate Issues

Control Environment: Process-Control-Objective-Risk

Monitor exceptions

IT Infrastructure

Business Processes

SAP BusinessObjects Global Trade Services

Streamline your cross-border transactions

Ensure full regulatory trade compliance

Enable standardized, enterprise-wide trade compliance processes

Streamline export/import license management and embargo checks

Gain visibility with reporting/monitoring

Accelerated Cross-Border Transaction

Reduce cycle time and costs using seamless integration with logistics processes and expedited inbound/outbound customs clearance

Mitigate financial risk and improve profit

Exploit trade preference agreements by determining eligibility of products

Mitigate the financial risk of international trade with letter of credit management

Restitution

Trade Preference

Import Management

Export Management

Letter of Credit Management

Outbound Customs Clearance

Product Classification

Electronic Compliance Reporting

Product Classification

Electronic Compliance Reporting

Inbound Customs Clearance

Securities and License Handling

Restitution Recipes Handling

Restitution Calculation

Preference Determination

Vendor Declaration Handling

Letter of Credit Management

Customer Declaration Handling

SAP EH&S Management

Ensure environmental, health, safety oversight

Product Stewardship

Chemical Compliance

Environmental Compliance

Worker Health & Safety

Ensure environmental compliance

Monitor evolving stakeholder requirements and local, regional, national, and international regulations

Automatically prepare and validate regulatory reports for EH&S issues

Align operations with sustainability standards

Monitor and report regulated emissions and chemical use

Implement responsible operations and product design to align with community and customer expectations

Monitor workplace safety

Track health and safety concerns against organizational and regulatory thresholds

Proactively prevent accidents and reduce insurance costs

DEMO

Summary

Streamlined Documentation

Cost-efficient Testing and Evaluation

Effective Monitoring of Exceptions and Remediation

Report and Certify with confidence

Remediation

Exceptions

Benefits

Reduced Risk: Lower fraud-related loss; Faster remediation; Improved business processes and overall performance

Reduced Cost of compliance: Automation/Monitoring frees up resources for value tasks; Shorter audit cycles; Streamlined evaluations; Lower TCO

Improved confidence: Visibility/Real-time information; Single version of the truth; Reinforced accountability

Top 5 Reasons to Buy From SAP

Unified Solution

Single-Sourced

Unified process, compliance and risk methodologies

Drive visibility across processes and functions

“…from strategic risk assessment to operational-level control…”

Integrated and Automated Solution

Leverage information that exists in your enterprise systems already

Automatically monitors risks and controls in heterogeneous IT landscapes

Increased reliability and confidence in state of controls through automation

Embedded testing and monitoring

Most Comprehensive Solution

SAP uniquely combines all the essential capabilities to implement a fully integrated, highly automated risk-driven internal control system

Documentation of controls

Documentation of all enterprise risks

Automated testing of controls

Automated monitoring controls

Automated monitoring of key risk indicators

Proactive risk remediation / mitigation

Proactive control failure remediation / mitigation

Unique ability to provide visibility, transparency and proactive management from strategic risk assessment to operational-level control.

Key Step En Route To Building The Bridge Between Strategy and Execution

“…executives know what they are asking for and employees know what to do…”

Proof that the linkage is working

Proof to the auditors

SAP has the “gravitational pull” for a global GRC ecosystem

Global Trade Services

Environment, Health and Safety Management

Data Privacy by SAP and Cisco

…

For more information

See www.SAP.com/GRC for:

GRC information: Solution Brief, Solution in detail, etc.

Customer Case Studies

Talecris

Benetton

Ryerson

Online self-running Demo

Information on all of SAP's other GRC applications

Risk Management

Access Control

Global Trade Services

Environment, Health and Safety Compliance Management