What we will cover
• Who is Exxaro?
• The Exxaro GRC Strategy and how SAP supports this
• Using SAP Risk Management to prioritise business processes
• Driving operational accountability and transparency: SAP Process Control
• Driving efficiency through management reports out of SAP Process Control
• Wrap-up
Setting the context, who is Exxaro?
• Exxaro is a diversified mining company: interests in coal, TiO2, Ferrous & Energy
• 2nd largest coal producer in RSA with production of 40 million tonnes
• Largest open-pit coal mine in Africa
• One of top 10 companies globally with best shareholder returns
• Market capitalisation of R52 billion ($6 billion)
GRC = Proactive + Efficient
Clear roles and responsibilities + Effective decision making + Transparency, accountability and integrity + Business efficiency = Management system to ensure you exist in future
GRC and its elements are set out in various laws and standards
Proactive + efficient = more money on the bottom line …
The Exxaro GRC strategy
• Energy, Fuels, Matter
• Non-renewable, Renewable, Resources, Prospecting to Proven
• BWA, Waste
• Ecosystem processes, Climate change, Eco-efficiency
• Health & hygiene, Safety, Knowledge, Skills, Intellectual output, Motivation, Wellness, Relationships, Human rights, Equity
• Internal social, Social relationships, Values and trust, Ethics, Co-operation, Networks, Operating model
• External social, Partnerships, Co-operation
• Communication, Trust & Reputation, Licence to operate, Customers, Suppliers
• Infrastructure, Mining, Beneficiation, Logistics, Buildings, General
• Technology, Engineering, Productive, ICT Systems
• Processes, Planning, execution, BI, Competitive edge
• Innovation, IP, Eco-efficiency
• Ownership, Cash & currency, Intangible assets, Share price & dividends, Risk, Corporate governance, Performance measurement, Investment & growth
To the extent that these capitals are maintained or developed, the organisation will remain sustainable.
Governance
Risk/Assurance
Compliance
How this is reflected in our strategy and business model …
Understand where SAP GRC fits into the organisational GRC culture …
What is SAP Risk Management in relation to GRC culture?
[Figure: steps labelled Resilient, Proactive, Compliant, Basic; other labels: People, Step, Location]
Where are we in the SAP GRC journey?
[Figure: roadmap across 2013, 2014 and 2015. Rows: SAP Risk, SAP PC, Integration, SAP Policy. Entries: Strategic + Operational; Procure to Pay; Hire to Retire; Strategic; EWPM; EHS&M; Safety, Health, Environment & Community; Upgrade to 10.1]
There are three business rule types
• Configuration
  Description: Rules relating to configuration settings or parameters in the ERP system
  Example: Monitor configuration changes to the duplicate invoice indicators
• Master data
  Description: Rules relating to governance of master data in ERP system
  Example: Monitor changes to vendor master records e.g. change in banking details
• Transaction
  Description: Rules relating to business transactions within the ERP system based on available data
  Example: Identify duplicate payments e.g. same vendor, same date, same amount, same invoice
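The master data and transaction rule examples above, sketched as an added example; it is not from the presentation and is not SAP Process Control code. The record layouts, field names, sample data and the `Issue` structure are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample records; field names are assumptions, not SAP fields.
PAYMENTS = [
    {"doc": "P1", "vendor": "V100", "date": "2015-03-02", "amount": "1500.00", "invoice": "INV-77"},
    {"doc": "P2", "vendor": "V100", "date": "2015-03-02", "amount": "1500.0", "invoice": "inv-77 "},
    {"doc": "P3", "vendor": "V200", "date": "2015-03-02", "amount": "1500.00", "invoice": "INV-77"},
    {"doc": "P4", "vendor": "V100", "date": "2015-03-09", "amount": "1500.00", "invoice": "INV-78"},
]
VENDOR_CHANGES = [
    {"vendor": "V100", "field": "bank_account", "user": "clerk1"},
    {"vendor": "V200", "field": "phone", "user": "clerk2"},
]

@dataclass
class Issue:  # hypothetical issue record routed to the control owner
    rule_type: str
    detail: str
    assigned_to: str = "control owner"

def duplicate_payments(payments):
    """Transaction rule: same vendor, same date, same amount, same invoice."""
    groups = defaultdict(list)
    for p in payments:
        # Normalise before comparing so "inv-77 " and "1500.0" still match.
        key = (p["vendor"], p["date"],
               Decimal(p["amount"]).quantize(Decimal("0.01")),
               p["invoice"].strip().upper())
        groups[key].append(p["doc"])
    return [Issue("transaction", "duplicate payment: " + ", ".join(sorted(docs)))
            for docs in groups.values() if len(docs) > 1]

def bank_detail_changes(changes, sensitive_fields=("bank_account",)):
    """Master data rule: flag changes to vendor banking details."""
    return [Issue("master data", f"{c['vendor']}: {c['field']} changed by {c['user']}")
            for c in changes if c["field"] in sensitive_fields]

def run_rules():
    return duplicate_payments(PAYMENTS) + bank_detail_changes(VENDOR_CHANGES)

if __name__ == "__main__":
    for issue in run_rules():
        print(issue)
```

Normalising the invoice reference and amount before grouping matters in practice: an exact string match would miss the second payment in the sample data.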
Control and issue remediation
• Test control: Controls are monitored by using business rules (automated testing)
• Raise issues: Exceptions and internal controls are identified and raised automatically as issues and sent to the control owner
• Create remediation plan: The control owner reviews the issue, creates a remediation plan and assigns it to a remediator
• Remediate issue: Users follow a workflow-based process to ensure that appropriate remediation action is taken
• Close issue: Once remediation plan has been completed by the remediator, it is automatically sent back to the control owner to close the issue
Roles shown: System, Control owner, Mediator, Control owner
Exxaro risk management process: 5 Phases
• Risk Planning
• Risk Identification
• Risk Assessment / Analysis
• Risk Treatment
• Reporting
Reporting = Management tools for efficiency and proactiveness
How does SAP process control differ from traditional auditing?
Traditional auditing
• Sample testing
• Focus on manual controls
• Detective monitoring
• Once-off annually
• Compliance driven
SAP process control
• Testing of all controls in the business process
• Focus on automated controls
• Real time monitoring
• Preventative monitoring
• 24/7
• Increase in business efficiency
Process control = audit = efficiency
Achieving higher confidence – lower cost
[Figure: Cost Reduction. # controls for Today (Manual Controls) and Maturity Level 1 (Manual Controls, Automated)]
Less manual labour, less pushback from the business and lower cost of preparing for an audit
Achieving higher confidence – lower cost and business process improvement
[Figure: Cost Reduction and Process Improvement. # controls over time for Today (Manual Controls), Maturity Level 1 (Manual Controls, Automated) and Maturity Level 2 (Manual Controls, Automated)]
• Less manual labour (workflow, reports)
• Less pushback from the business, lower cost of preparing for an audit
• More controls, more granularity and higher frequency of checks, consistency
Achieving higher confidence – lower cost and business process improvement (cont.)
[Figure: Cost Reduction and Process Improvement. # Controls over Time for Today (Manual Controls), Maturity Level 1 (Manual Controls, Automated) and Maturity Level 2 (Manual Controls, Automated), with Cost and Assurance also shown]
An Exxaro case study: procure-to-pay
• High-level procure-to-pay process
[Figure: process flow with lanes Procurement, Finance and Vendor management. Steps: Create requisition order; Create RFQ; Create purchase order; Create a goods receipt note upon receiving goods; Receive & capture an invoice; Pay the invoice; Vendor master records]
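An Exxaro Case Study: Procure-to-Pay (cont.)
• Summary of controls implemented
[Figure: controls and business rules per area. Areas: Procurement, Finance, Vendor management. Values in slide order: 10 controls, 13 business rules; 14 controls, 31 business rules; 5 controls, 12 business rules. Totals: 29 controls, 56 business rules]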
Every report serves a different purpose – summary report for process owner
Every report serves a different purpose – summary report by organisation for BU financial manager
Every report serves a different purpose – detailed issue report for sub-process owner and control owner
Every report serves a different purpose – remediation status report for control owner and sub-process owner
Every report serves a different purpose – summary issue owner report
Wrap-up, take home points
• GRC = Being efficient + proactive
• First define your GRC strategy
• Align your organisational GRC culture with SAP GRC
• Follow a risk-based approach for all audit activities
• Implement high impact controls first
• Opt for automated control monitoring
• Design your management reports in such a way that your implementation will lead to a more efficient organisation