
Governance, Risk and Compliance: Why do you need to invest?

Barry Franck / Risk Assurance Services March 27, 2012

Agenda

- About PwC
- Key drivers behind increased investment in GRC technology
- Key components of GRC technology
- GRC Technology benchmark 2012
- SAP GRC Business case

2011 SAP AG. All rights reserved.

About PwC

As leading organisations seek to leverage technology to manage risk, automate controls and continuously monitor their SAP environment, PwC is the only professional services organisation with a Governance, Risk and Compliance (GRC) Special Expertise Partner (SEP) relationship with SAP. That relationship gives PwC:

- Attendance at SAP GRC laboratories, providing independent testing of SAP solutions and insight into strengths, challenges and opportunities for using GRC technology.
- Geographical presence in key markets, providing resource solutions and options in key locations.
- Steering and influencing the technical development of the tools, providing a channel for clients to influence developments.
- Deep expertise in all components of SAP GRC technology, including Access Control, Process Control, Risk Management and GTS technology solutions.
- Relationships with key layers of SAP technology development and management.

PwC's Risk & Control Solutions for SAP


Key drivers behind increased investment in GRC technology


- Business transformation and SAP consolidation programmes: protecting the investment.
- Global shared service and control centres: transparency and accountability for controls.
- Increased regulatory requirements: pressure to reduce the cost of regulation and assurance.
- Emergence of business control functions: demand for technology to provide support.
- Increased maturity and consolidation in GRC technologies: enhanced quality and capability.
- Demand for better management information: appetite for visibility and insight.

Boards and senior management are demanding greater insight and visibility into the effectiveness of controls and compliance across the organisation, and GRC technology is seen as a key enabler.


Key components of GRC technology


The GRC technology platform combines a GRC environment (1. GRC strategy and objectives; 2. GRC organisation structure) with five GRC modules: enterprise risk repository and management, compliance and control repository and management, audit lifecycle management, continuous monitoring and analytics, and access management.

Enterprise risk repository & management
Document and manage the company's overall enterprise risk framework(s), which includes:
- Risk framework (risk profile, risk appetite, risk tolerances, strategy, objectives, etc.)
- Centralised organisation structure and hierarchy
- Risk repository and classification (risk portfolio)
- Risk assessment processes
- Risk correlation and simulation
- Response plans library and incident management
- Loss metrics and event collection management
- Consolidated risk heat map and risk exposure
- Role-based access controls and security

Compliance and control repository & management
Document and manage the company's overall compliance and control framework(s), which includes:
- Support for multiple compliance framework(s)
- Centralised organisation structure and hierarchy
- Policy, process and procedure definition and management
- Centralised control repository
- Centralised test and assessment libraries
- Centralised planning
- Whistleblower mechanisms (ad-hoc issue management)
- Testing evidence repository
- Issue and remediation management
- Role-based access controls and security

Audit lifecycle management
End-to-end management of the audit lifecycle, which includes:
- Audit scoping and scheduling
- Organising work papers and documentation
- Support for all types of audits, including internal audits, operational audits, IT audits, quality audits, etc.
- Management of audit work plans
- Risk management monitoring efforts, including but not limited to independent reviews, RCSAs and surveys, to oversee and monitor compliance and risk management activities
- Role-based access controls and security

Continuous monitoring and analytics
Continuous monitoring and analysis of controls, data and transactions, which includes:
- Continuous control monitoring
- Continuous data monitoring (master and transactional data)
- Continuous risk monitoring
- Automated business rule framework
- Exception-based monitoring
- Data analytics capabilities
- Exception and issue-tracking platform
- Role-based access controls and security

Access management
Document and manage the company's overall SAP security framework, which includes:
- Sensitive access risks and controls
- Segregation of duties risks and controls
- Continuous access monitoring
- Super-user access management
- Security in user provisioning and role management
- Role-based access controls and security
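The two access-risk checks listed under the security framework (segregation of duties and sensitive access) come down to one mechanism: a rule names the business functions that must not sit with one person, each function is a set of transactions, and a user is at risk when the union of their roles covers every function in a rule. The following is an added example, not PwC's or SAP's code and not SAP GRC rule-set content; the function groupings, rule IDs (P001, P002, S001), role names, users and the mitigating control reference are constructed sample data. It shows the analysis with role-level attribution (which role pair creates the conflict) and an explicit mitigation register, so that accepted risks are distinguishable from open ones.

```python
# Added example (not PwC's or SAP's code): segregation-of-duties (SoD) and
# sensitive-access risk analysis over user -> role -> transaction assignments.
# All function groupings, rules, roles, users and mitigations below are
# constructed sample data for illustration; they are not SAP GRC rule-set content.
from dataclasses import dataclass

# A business "function" is the set of transaction codes that achieve one capability.
FUNCTIONS = {
    "create_vendor": {"XK01", "FK01"},
    "post_invoice": {"FB60", "MIRO"},
    "run_payments": {"F110"},
    "maintain_bank": {"FI12"},
}


@dataclass(frozen=True)
class Rule:
    risk_id: str
    functions: tuple        # two or more functions = SoD risk; one = sensitive access
    description: str


RULES = [
    Rule("P001", ("create_vendor", "post_invoice"), "Create a vendor and post its invoice"),
    Rule("P002", ("post_invoice", "run_payments"), "Post an invoice and release the payment"),
    Rule("S001", ("maintain_bank",), "Sensitive access: maintain house bank master data"),
]

# Roles grant transactions; users are assigned roles (constructed assignments).
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_ADMIN": {"XK01"},
    "Z_TREASURY": {"F110", "FI12"},
}
USERS = {
    "alice": {"Z_AP_CLERK", "Z_VENDOR_ADMIN"},
    "bob": {"Z_AP_CLERK"},
    "carol": {"Z_TREASURY", "Z_AP_CLERK"},
}

# Accepted risks carry a mitigating control ID (constructed); anything else is open.
MITIGATIONS = {("carol", "P002"): "MC-017 monthly payment-run review by CFO delegate"}


def effective_transactions(user):
    """Union of the transactions granted by every role assigned to the user."""
    tcodes = set()
    for role in USERS.get(user, set()):
        tcodes |= ROLES.get(role, set())
    return tcodes


def roles_granting(user, function):
    """Roles of the user that contribute at least one transaction of the function."""
    return sorted(role for role in USERS.get(user, set())
                  if ROLES.get(role, set()) & FUNCTIONS[function])


def analyse_user(user):
    """One finding per rule whose functions the user can all execute."""
    findings = []
    for rule in RULES:
        contributing = {f: roles_granting(user, f) for f in rule.functions}
        if all(contributing.values()):
            findings.append({
                "user": user,
                "risk": rule.risk_id,
                "kind": "SoD" if len(rule.functions) > 1 else "sensitive access",
                "roles": contributing,          # which role(s) create the conflict
                "mitigation": MITIGATIONS.get((user, rule.risk_id)),
            })
    return findings


def open_risks(users=USERS):
    """(user, risk_id) pairs with no mitigating control assigned."""
    return sorted((f["user"], f["risk"])
                  for user in users for f in analyse_user(user)
                  if f["mitigation"] is None)


if __name__ == "__main__":
    for user in USERS:
        for f in analyse_user(user):
            status = "mitigated by " + f["mitigation"] if f["mitigation"] else "OPEN"
            print(f"{f['user']}: {f['risk']} ({f['kind']}) via {f['roles']} - {status}")
    print("Open risks:", open_risks())
```

Two design points carry over to a real deployment. Rules are written against functions rather than transaction codes, so a newly built role that grants FK01 instead of XK01 still trips P001 without any rule change. And a finding only counts as closed when a mitigation record exists for that user and risk; a conflict that nobody has formally accepted stays on the open list. The simplification to note is that the example keys on transaction codes only, whereas SAP authorisation checks also depend on authorisation-object field values, so a production rule set evaluates at that level as well.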



GRC Technology benchmark 2012

1. Enterprise risk repository & management

1. The vast majority of clients are still using a wide range of spreadsheets and desktop databases (e.g. Excel, Access) to document and maintain their enterprise risk repository.
2. Organisations have generally adopted a sequential and phased approach when deploying GRC Risk Management technology, focused on core functionality first.
3. Technology vendors provide pre-delivered risk framework(s), but only a few organisations have acquired or use the content.
4. Most of the risk events managed within the GRC technology fall under the strategic, financial and compliance risk categories.
5. Risk management is still viewed as a compliance exercise and is typically performed annually. Very few organisations have designed more sophisticated risk analysis processes by introducing additional dimension(s) such as risk velocity, risk reaction, etc.
6. The majority of organisations respond to risks through the creation and/or assignment of existing controls (financial, operational, etc.). In most cases, the quantitative evaluation of residual risk exposure is still a manual, non-standardised and non-automated process.

GRC Technology benchmark 2012

2. Compliance and control repository & management

1. GRC technology has significantly matured. 2011 saw the consolidation of GRC vendors and increased sophistication of both the GRC technology and its users.
2. Due to the increased maturity of GRC technology, clients with no dedicated GRC technology are investing directly in off-the-shelf GRC solutions. Client adoption of off-the-shelf GRC technology has increased compared to last year, led by the SAP GRC Process Control solution, which has grown from 29% to 36%.
3. The vast majority of organisations acquire GRC technology with the primary objective of documenting and organising their existing control framework(s). Only a few organisations use the GRC technology exclusively for specific activities such as continuous monitoring.
4. Organisations are decommissioning their existing legacy/bespoke applications in favour of the robust and sustainable platforms offered by dedicated GRC technology vendors. An increase in regulatory compliance requirements (e.g. SOX, FDA, UK Bribery Act, FERC) has led organisations to consider consolidating their internal control repository into a single centralised multi-compliance framework.
5. Few technology vendors offer a continuous monitoring platform embedded within the compliance and control framework.

GRC Technology benchmark 2012

3. Continuous monitoring and analytics

1. Continuous monitoring (CM) technology is still maturing. Few organisations currently use a CM solution as part of their routine compliance activity. The use of CM technology is always very targeted (one SAP instance, one market, one company, etc.) and limited (specific financial processes, specific types of continuous monitoring mechanism, etc.).
2. Most organisations implementing CM have defined a sequential and gradual deployment in waves, to make sure that the element of change around people and process can be effectively managed, governed and embedded.
3. Almost half of the surveyed clients have expressed interest in acquiring a CM solution within the next 2 to 3 years. Clients have already started to develop a common set of operating principles that act as a foundation for effective, efficient and tailored CM technology implementation and use.
4. Organisations initially develop automated rules to monitor critical configurations, before rolling out the CM technology for data monitoring (master and transactional data).

GRC Technology benchmark 2012

4. Access management

1. Organisations are looking to optimise their investment in GRC access management technology by integrating it with wider business process risks and controls.
2. The SAP GRC Access Control solution dominates the market in large enterprises that run SAP ERP systems.
3. Organisations are looking to expand the coverage of GRC access management technology to non-core SAP platforms such as HR, CRM, BI and APO.
4. Organisations have matured in the management of segregation of duties and sensitive access risks and are now looking to GRC access management technology to support user provisioning processes across the underlying SAP landscape.
5. Emergency access management continues to be a challenge for organisations that have invested in GRC access management technology, due to skill set deficiencies.
6. Organisations that have already invested in GRC access management technology to support user provisioning processes are now looking for wider integration with identity management (IdM). This continues to be an aspiration.

GRC Technology benchmark 2012

5. Audit lifecycle management

1. Internal audit (IA) functions continue to focus their technology spend on standalone Audit Management Systems (AMS). 69% of the functions surveyed now employ this technology.
2. While even the smallest functions use an AMS for audit file management and issue tracking, only larger functions tend to use more advanced functionality for audit scheduling, time management, stakeholder KPIs, etc.
3. Paisley and TeamMate dominate the global market for dedicated AMS solutions. There is a decreasing level of interest in bespoke solutions.
4. An increasing number of IA functions are looking to co-invest with the business in a GRC platform, whereby IA uses the audit module. It is generally recognised that the functionality provided is inferior to an AMS, but that synergies arise around cost and data sharing.
5. Other IA functions prefer to maintain a separate AMS, as they perceive this to be independent. However, they may have read access to a business-owned GRC solution in order to extract risk and control data.


SAP GRC Business case: common foundations

Compliance
- Evolution of compliance in the market (e.g. SOX, FDA, FERC)
- Desire to be SOX-ready in the event of a US listing

Internal Audit
- IA and IC functions can centralise testing of controls
- Ability to maintain evidence of testing performed
- Targeted effort

Internal Controls
- Test design and operating effectiveness of controls
- End-to-end risk and controls technology to support internal controls

Automation
- Continuous controls monitoring
- Management by exception
- Automation of report generation
- AC & PC integration

Reporting
- Real-time, exception-based
- Adherence to global template, protecting the investment
- Cross process, organisation and function

Control Effectiveness
- Control self-assessments
- Remediation and deficiency evaluation
- Cost-effective view of operational controls

Centralisation & Shared services
- Centralised control repository
- Document and test controls once
- Leverage testing of controls in a SSC environment across organisations

Protect investment
- Drive sustainable blueprint design
- Monitor changes to risk & control templates
- Ensure the operating model is robust and sustained

Visibility
- Management wants real-time visibility into the operational effectiveness of the control environment
- Dashboards

SAP GRC Business case: indicative implementation roadmap (Q1 to Q8)

Develop business case and define scope
- Business case: gain an understanding of the "As-Is" technical landscape as it relates to GRC technology/technical requirements, and of the "As-Is" regulatory environment(s) and GRC processes and procedures.
- GRC organisation structure: roles and responsibilities (technical and functional aspects); identify the skills required to complete the defined processes within the GRC technology platform.
- Feasibility checks: check whether the GRC technology platform can support the functional requirements in terms of governance, risks and controls; evaluate the need and effort for additional customisation.

GRC vendor selection
- GRC technology platform: vendor evaluation and selection; evaluate vendors' capabilities in relation to the GRC functional requirements.

Align operating model, purchase and install hardware, detailed planning, build and test prototype

Master data conversion, security/role design, functional design specification
- Master data conversion includes: process hierarchy and control matrix, risk classification, organisation hierarchy, policy and regulation hierarchies, manual test plans and surveys.
- Functional role design: design roles and authorisations based on organisation structure requirements and the operating model.
- Functional and configuration design specifications: define the functional design specification (including custom development requirements) and the link between the functional requirements and the technical configuration needed to ensure that the GRC technology platform meets requirements.

Configuration design documents, user allocation

Testing (FCT, IPT, UAT)
- Acceptance testing: test the GRC technology against the acceptance criteria and sign off the testing results.

Training
- Conduct training for the end-user and super-user communities: provide specific learning and empower users; transition ownership to the client.

Go-Live (1): deploy GRC processes (pilot)
- Prepare early implementation and select pilot organisations (include one shared service provider and its underlying organisations).
- Implement core GRC processes (quick win): control self-assessment, risk and control design assessment, test of effectiveness for manual controls, aggregation of deficiencies and sign-off process, risk assessment/policy assessment.

Evaluate pilot and sign off

Go-Live (2): deploy GRC processes (big bang)
- Deploy the GRC technology platform, including core GRC processes, to all organisations.

Identify automation potential
- Define the approach to automation: identify existing automated controls; identify the drivers and objectives of automation; define formalisation and re-engineering processes to enable automation (automation has to incorporate re-engineering in the limited sense of first transforming manual processes to facilitate their automation).

Automation Go-Live (1): continuous control monitoring (CCM), automated controls (design/build/test/deploy)
- CCM deployment (automated controls): start with a baselining technique for key automated controls (quick win). Establish a centralised group (exception desk) to manage exceptions and issues.

Automation Go-Live (2): continuous data monitoring (CDM), master data (design/build/test/deploy)
- CDM deployment (master data): implement monitoring procedures to track changes to master data. Establish centralised and regionalised (shared service centre) groups (exception desk) to manage exceptions and issues.

Automation Go-Live (3): continuous data monitoring (CDM), transactional data (design/build/test/deploy)
- CDM deployment (transactional data): continuous monitoring of business activities and transactions. Establish centralised, regionalised and localised groups (exception desk) to manage exceptions and issues.

Evaluate and sign off

Deployment of continuous monitoring follows a sequential and gradual CCM implementation approach with limited business intrusiveness.

Thank You!

Contact information:
Barry Franck, Partner
PricewaterhouseCoopers SA
Avenue Giuseppe-Motta 50
1211 Geneva 2, Switzerland
+41 58 792 9254