Holistic representation of integrated Governance Risk and Compliance in an organizational framework
Enterprise Governance, Risk, and Compliance (EGRC) describes the processes, practices, and procedures organizations use to manage their business objectives in light of risks while meeting compliance requirements. The goal is to provide relevant information that clearly outlines the balance between risk and reward, enabling an informed decision-making process. Given the challenges resulting from the inherent complexity of interrelated businesses and processes, this can hardly be managed without software solutions, and it remains challenging and costly if those solutions are not fully integrated.
Governance represents a centralized and coordinated framework for organizations to manage all aspects of business operations. Aside from strategic goals, business objectives, and resources, applicable laws and regulations have to be understood to ensure compliance. Based upon the individual and increasingly complex compliance requirements, the managing board is responsible for establishing, maintaining, and evaluating necessary measures along financially relevant business processes to protect the organization and subsequently shareholders as applicable.
Process Control
With SAP Process Control, it is possible to record and document applicable regulations, standards, and associated requirements. The so-called multi-compliance framework allows you to link a regulation to an organization according to applicability. It also allows controls that are relevant to more than one regulation to be shared, including their corresponding test results.
For example, a control that meets the requirements of regulation A and regulation B can be tested once. The control's results can then be shared among the associated regulations. Together with a reduction in testing effort and costs, this methodology fosters transparency regarding the control coverage of each regulation.
As part of the operational governance structure, organizations establish policies and procedures to provide clear structure and guidance and to create awareness. The policy management module of this solution supports the policy management lifecycle: it starts with creation, continues through reviews and updates to personalized rollouts with e-mail notifications, offers options such as surveys or quizzes, and provides a track record in reporting. Neither controls nor policies have to stand alone. But before looking into further integration aspects, let us understand the risk part a bit better.
Risk
All business processes have inherent risks. Think of risk in the context of vendor management: fraudulent invoices, or faked vendor payments via one-time vendor accounts. Risks are increasingly complex, and they are costly. There is no business without risk, but these risks have to be identified, assessed, mitigated, and monitored. In addition, they must be reported in accordance with applicable legal requirements. Given that every “heartbeat” of business operations is accompanied by a risk, risks have to be managed holistically.
Looking at the complexity of a global company with business processes in finance, supply chain, human resources, IT, and more, we can easily talk about thousands of risks. These risks may be of different criticality, but to know how critical they are, they have to be understood first.
Managing Risk
SAP Risk Management fully supports the complete lifecycle of risk planning, identification, analysis, mitigation, validation, monitoring, and reporting. A risk can be recorded on a single entry screen where all relevant information is available and can even be personalized.
Figure 1: One single entry screen – Fiori App - Manage Risk – tab overview
Comprehensive reporting is provided together with heatmaps and drill downs. There are SAP Analytics Cloud (SAC) dashboards providing detailed risk profile information, risk category/factor aggregation, driver and impact interdependencies, and more.
Figure 2: SAC Risk Profile Dashboard – Source: Configure SAC Risk Profile Dashboard | SAP Help Portal
Workflows and e-mail notifications are available to efficiently manage the risk management processes and responsibilities. Access to risk information can be granted according to a need-to-know principle. Key risk indicators can be established with automated monitoring. With the help of organizational thresholds, it is possible to manage the respective impact criticality and also to reflect the risk appetite. A risk in a small subsidiary may be business-critical for that particular location, but for the overall group it may be less relevant.
Now that we have the risk information available and the regulation and control content as outlined above, it is time to understand how they integrate.
Mitigation
Once a risk is recorded, it is possible to assign a response as mitigation. In addition, a control or even a policy may be assigned. Both can be utilized to influence the risk analysis by determining a corresponding mitigation effect.
It is worth noting that controls can be automated. While different types of automation are supported, let us have a look at a configurable control that essentially analyzes SAP table information. A connection is established to the source system (such as SAP S/4HANA), and the continuous control monitoring part can be used to read data from tables and table joins. It then applies business logic to identify where there may be exceptions from a rule.
Let us assume that one-time vendor invoices may not exceed 500 USD. The tables BSEC (one-time vendor data) and BSEG (document posting line items) can then be monitored to see whether any of the one-time vendor postings actually exceeds this threshold. The automation is suitable for master data, configuration data, transactional data, and more. A smart design can significantly reduce testing effort, and because 100 percent of the data is sampled, the data is analyzed and monitored holistically.
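As an added illustration of such a configurable control, the one-time vendor threshold rule above is expressed as a join over constructed, simplified BSEC and BSEG sample rows. This is example code written for this article, not SAP's own code or a Process Control rule definition; the column names (BUKRS, BELNR, GJAHR, BUZEI, WRBTR, WAERS, NAME1) are an assumed subset of the SAP table layouts, and the rows are constructed.

```python
import sqlite3

THRESHOLD_USD = 500.0

# Constructed sample rows (not real SAP data). Column names are an assumed,
# simplified subset of the real BSEC/BSEG structures.
BSEC_ROWS = [  # one-time vendor data attached to a posting line item
    ("1000", "1900000001", "2024", "001", "Ad-hoc Catering Ltd"),
    ("1000", "1900000002", "2024", "001", "J. Doe Consulting"),
    ("1000", "1900000003", "2024", "001", "Fast Print GmbH"),
    ("2000", "1900000004", "2024", "001", "Tool Rental Inc"),
]
BSEG_ROWS = [  # posting line items; WRBTR = amount, WAERS = document currency
    ("1000", "1900000001", "2024", "001", 420.00, "USD"),
    ("1000", "1900000002", "2024", "001", 1250.00, "USD"),
    ("1000", "1900000003", "2024", "001", 680.00, "EUR"),
    ("1000", "1900000005", "2024", "001", 9000.00, "USD"),  # regular vendor: no BSEC row
    ("2000", "1900000004", "2024", "001", 500.00, "USD"),   # exactly at threshold: allowed
]

def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE BSEC (BUKRS, BELNR, GJAHR, BUZEI, NAME1)")
    con.execute("CREATE TABLE BSEG (BUKRS, BELNR, GJAHR, BUZEI, WRBTR REAL, WAERS)")
    con.executemany("INSERT INTO BSEC VALUES (?,?,?,?,?)", BSEC_ROWS)
    con.executemany("INSERT INTO BSEG VALUES (?,?,?,?,?,?)", BSEG_ROWS)
    return con

def one_time_vendor_exceptions(con, threshold=THRESHOLD_USD):
    """Return (exceptions, unchecked): one-time vendor lines above the USD
    threshold, and one-time vendor lines in another currency that the rule
    cannot judge without a conversion step."""
    sql = """
        SELECT g.BUKRS, g.BELNR, g.GJAHR, c.NAME1, g.WRBTR, g.WAERS
        FROM BSEG g
        JOIN BSEC c ON c.BUKRS = g.BUKRS AND c.BELNR = g.BELNR
                   AND c.GJAHR = g.GJAHR AND c.BUZEI = g.BUZEI
        ORDER BY g.BUKRS, g.BELNR
    """
    exceptions, unchecked = [], []
    for bukrs, belnr, gjahr, name, amount, curr in con.execute(sql):
        if curr != "USD":
            unchecked.append((bukrs, belnr, gjahr, name, amount, curr))
        elif amount > threshold:
            exceptions.append((bukrs, belnr, gjahr, name, amount))
    return exceptions, unchecked

if __name__ == "__main__":
    exc, unc = one_time_vendor_exceptions(load_sample_db())
    for row in exc:
        print("EXCEPTION", row)
    for row in unc:
        print("UNCHECKED (currency)", row)
```

Postings without a BSEC row are regular vendors and fall outside the rule, while a non-USD one-time vendor line is reported separately rather than silently compared against a USD threshold.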
Exhibit 3: Business Process – Risk – Control
Furthermore, SAP provides a 360-degree reporting view to understand the risk and control coverage for individual organizations and for the whole enterprise. All information is available in real time, both on-premise and in the private cloud.
By supporting the outlined end-to-end processes in managing governance and risks in a comprehensive way along the business operations while providing necessary transparency and information, a relevant step toward achieving compliance is already taken.
With the SAP Process Control solution, manual control performance, control design and testing, tests of effectiveness, and sign-off can be managed.
Audit Management
Moreover, looking at the three lines of defense model, the first two lines are supported as elaborated in the previous sections. The first line is the operational risk and control management embedded in the business. The second line comprises the functions that oversee these activities, for example a risk and control department. The third line of defense (the audit department) is intended to provide an independent assurance function.
This leads us to the SAP Audit Management solution. All process steps along the audit management lifecycle are supported with respective roles, workflows, and notifications. This spans audit planning, execution, findings, and reporting, up to follow-up and tracking, including resource management and allocation.
Aside from that, risks, processes, and controls from SAP Risk Management and SAP Process Control can be fully integrated. This allows a risk-based audit approach to be realized easily, with control design and evaluations properly considered. Depending on the audit results, risk proposals may even be issued to the risk repository based upon qualifying findings.
Enterprise Governance, Risk, and Compliance provides a centralized and coordinated framework for an organization’s strategy on how to manage governance, risk and regulatory compliance.
The SAP GRC solutions SAP Process Control, SAP Risk Management, and SAP Audit Management support the strategic as well as the tactical and operational approach to the “how to.” They are end-to-end and fully integrated with real-time data, and their sophisticated reporting capabilities are continuously enhanced to stay top-notch.
Realization
When it comes to realization: think big but start small. Look into piloting options (where you can add the most value or address the most critical pain points in the short term) and apply lessons learned to ensure that your change management process meets the needs. Involve your stakeholders and collect feedback to improve further. Please also bear in mind that every software project requires solid enablement and guidance to be successful. Invest wisely and don’t be cheap.
If you are interested in learning more, do not hesitate to contact me. There is much more out there in our strong SAP GRC solution portfolio!