How Hershey Managed Risk During an SAP S/4HANA Implementation
Meet the Authors
Grant Suneson
Editor SAPinsider
Key Takeaways
⇨ Implementing SAP S/4HANA Cloud comes with some associated risks.
⇨ Prior to implementation, it is key to do a robust risk assessment.
⇨ SAP Process Control and Access Control mitigate risks.
Mitigate risks during your SAP S/4HANA implementation. The larger and more complex an enterprise’s SAP landscape is, the more potential pain points the business will need to watch for. The Hershey Company needed an SAP S/4HANA implementation strategy that would work effectively across 100 brands and 80 countries where it operates. Hershey adopted a five-step process for a pre-implementation risk assessment to monitor system security, control and financial integration governance. A clearly defined roadmap was critical to managing risk amid an SAP S/4HANA implementation journey. This plan allowed all aspects of the enterprise to align objectives from all process owners ahead of critical work.
Although moving to SAP S/4HANA Cloud is an exciting proposition, it can also be intimidating since there are some associated risks. If several potential problem areas are not addressed correctly, they can lead to significant issues for the company down the road. Some of these potential problem areas include the following:
- Financial reporting: Amid a digital transformation, all people, processes and systems must function together to ensure that data is accurate and gleaned in a timely fashion.
- Business execution: Failure to properly identify risks can lead to time-consuming and expensive reconfigurations.
- Compliance: Businesses must ensure that all new systems and solutions adhere to security and other regulatory requirements in all countries where they operate. They must also be agile enough to be able to adapt to any changes in regulations.
The Hershey Company
There are important ways to mitigate risks. The larger and more complex an enterprise’s SAP landscape is, the more potential pain points the business will need to watch for. Even at the largest companies with lots of processes, systems and solutions to look after, there are options to minimize risk.
Take the Hershey Company, for example. This large confectionery leader needed an SAP S/4HANA implementation strategy that would work effectively across its 19,000 employees, 100 brands and 80 countries where it operates.
The broad scope of the business presented various and unique challenges to its business, finance and accounting, IT and other teams. Hershey’s team put together a comprehensive strategy to manage and minimize risk during its ERP transformation as it implemented SAP S/4HANA.
What to Know before You Go
Before beginning its digital transformation journey, Hershey outlined several key objectives and considerations.
- Risk assessment phase: Before starting any digital transformation, a company should commit to a thorough evaluation of any potential risks it could encounter along the journey.
- External and internal audit alignment: Both internal and external auditors should agree on clearly outlined objectives from the earliest phase of the project.
- Clearly defined requirements: It is crucial that all stakeholders outline and agree on control requirements in the transformation process. There should also be a method in place to track progress throughout implementation to ensure that security is integrated.
Roadmap
To properly manage risk, it is a valuable strategy for all process owners to lay out a roadmap. A clearly defined strategy can help all stakeholders in the digital transformation understand the desired outcomes, required activities, key deliverables, and necessary approvals for each step.
Identifying risks and incorporating controls is critical in order to reduce the likelihood of controls failing after implementation since reconfiguring can be costly and time-consuming. Hershey adopted a five-step process for a pre-implementation risk assessment in order to monitor system security, control, and financial integration governance. The process included the following phases:
- Discovery: In the discovery phase, objectives for the transformation project should be outlined, systems and applications should be categorized, and controls need to be selected following a risk assessment.
- Design: Besides designing security, controls, and financial integrations in the design phase, ownership should also be defined. A security risk and control matrix should be delivered with accountability plans.
- Build: In the build phase, security, control and financial integration are configured according to the specifications laid out in the previous steps.
- Test: The test phase includes testing and validating security control systems in an internal audit from information provided by security control owners.
- Launch: In the launch phase, controls are in place and launched. After going live, there are audit controls again to ensure everything works properly.
Leveraging GRC
During the process of risk management, the SAP GRC system can be a valuable ally. This solution is designed to monitor risks, compliance and cyber threats across critical systems. Hershey leveraged this solution and found several key benefits that aided in its transformation.
- Integrates with SAP and non-SAP systems
- Designed to drive cost-effective compliance
- Enables risk management transparency and accountability
- Simplifies process execution
- Facilitates integrated, cross-functional risk management
SAP offers valuable tools to companies that are undergoing a digital transformation to SAP S/4HANA, including Access Control and Process Control, both part of the larger SAP Governance, Risk and Compliance solution. Hershey used these two control solutions in its transformation in order to maximize security.
Access Control works by restricting access to critical applications and resources to certain users. That not only provides real-time visibility into risks and conflicts over access, but also helps streamline compliance.
Process Control functions similarly, securing enterprises through constant control and compliance monitoring. That helps align processes with risk management and efficiency requirements.
For companies like Hershey that operate in dozens of nations, the SAP GRC Trade Services module ensures both import and export compliance across all countries where an enterprise does business.
The modules Hershey used share a common platform and data as well as a common architecture, making their implementation user-friendly. SAP GRC also uses fully automated and semi-automated continuous monitoring categories. Semi-automated monitoring notifies businesses at a defined frequency to keep a consistent eye on specific criteria as specified by the process owner.
Fully automated monitoring tracks access and monitors changes to critical data, financial report configuration and SAP configuration settings, only notifying businesses when exceptions or high-risk activities take place.
Before You Go Live
Once you think you are ready to go live, engage with internal audit to perform robust, real-time readiness assessments, and communicate results to stakeholders early and often. Ahead of the assessment, there are a few key considerations you must make to ensure that the audit provides an independent opinion surrounding go-live readiness for all financially relevant system implementations. You and your team should be sure to:
- Coordinate scope and procedures with an external auditor to maximize reliance
- Share early results with the Project Management Office, and align on required remediation actions and dates
- Independently validate that remediation steps are addressed
- Report results to the Executive Steering Committee and the Audit Committee prior to going live
The go-live readiness assessment should center on a handful of key focus areas that must be evaluated within the project’s time frame. These focus areas include controls, change management, interfaces, security, testing, support, training and more.
Upon evaluation, auditors should rate each focus area based on the following set of criteria, which will help you sort each area into low, moderate, and high-risk ratings.
Low
- Transformation is on track given the targeted go-live date
- No significant risks to financial reporting, business execution, or compliance were identified
- Audit observations should optimize existing processes, controls, or efficiency
- Implementation of recommendations is not required prior to go-live
Moderate
- Transformation is modestly behind schedule given the targeted go-live date
- It poses moderate risks to financial reporting, business execution, or compliance
- Existing personnel and resources can adequately address audit observations pre-go-live
- Audit’s opinion is that go-live is acceptable if recommendations are implemented
High
- Transformation is significantly behind schedule given the targeted go-live date
- It poses significant risks to financial reporting, business execution or compliance
- Additional time and/or resources are required to address audit observations
- Audit’s opinion is that go-live is not prudent prior to implementing recommendations
If any areas are high-risk, the process owner should advise against going live until the issues are resolved or at least mitigated. Moderate risk areas should be addressed by management in alignment with targeted completion dates.
Conclusion
At a company like Hershey, having a clearly defined roadmap is critical to managing risk amid an SAP S/4HANA implementation journey. This plan allows all aspects of an enterprise to align objectives and secure agreement from all process owners ahead of critical work.
With this agreement, enterprises can fully assess any risks to financial reporting, business execution, or compliance. The SAP GRC process can help reduce the number of manual controls through automation, ensuring accuracy and freeing up teams to focus on their specified roles.
Finally, robust assessments and audits are a key component of mitigating risk to ensure that all processes and systems are functioning as intended.