
GRC and Security for the Intelligent Enterprise


Speaker’s Name, SAP
Month 00, 2019

PUBLIC
Agenda

GRC and Security today

The Intelligent Enterprise

New technologies redefining GRC and Security processes

GRC and Security in practice

How to get there?

© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ PUBLIC 2


GRC and Security defined

“GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity - this is the outcome that we call Principled Performance.”[1]
― OCEG

“Every organizational business function and process is governed in some way to meet objectives. Each of these objectives has risks as well as controls that increase the likelihood of success (or minimize the impact of failure). These are the fundamental concepts of GRC.”[2]
― Forrester

“Information security refers to the processes and methodologies which are designed and implemented to protect … any form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”[3]
― SANS

“Security in the digital economy… everything is connected – therefore, security is everything.”[4]
― SAP

[1] http://www.oceg.org/about/what-is-grc/
[2] https:/www.forrester.com/Governance-Risk-%26-Compliance-(GRC)
[3] https://www.sans.org/information-security/
[4] Security in the Digital Economy with SAP Whitepaper


GRC and Security require joint focus across the enterprise
Executive leadership setting the priority while eliminating silos and redundancy

• CFO: Long-term strategy and objectives. Driving profitable, sustainable growth.
• CIO: Digitalization of products and services. Leveraging innovation to propel the organization.
• CSO / CDO / DPO: Internal / external security threats. Safeguarding data and information.
• VP Supply Chain: Optimization of the global supply chain. Maintaining a competitive edge globally.
• CRO: Strategic risk mitigation. Linking risks to objectives across the enterprise.
• CCO: Improving regulatory compliance. Automating compliance processes and reporting.


Forces driving GRC and Security transformation

Increasing need for better managing risk and volatility

✓ Rapid onset and diversity of risk events and potential for significant losses
✓ Stakeholder pressure for more reliable view of risk tied to company objectives
✓ Relentless cyber threats and need for protecting sensitive information and building trust
✓ Global reach and complexity of regulatory requirements

Proliferation of new technology and business models

✓ Digital transformation enabling real-time processes that allow for embedded risk and control monitoring
✓ Advances in predictive and machine learning capabilities
✓ Interconnected landscapes, networks and resources requiring controlled data sharing and access
✓ M&A activity and entrance into new markets with geopolitical and trade considerations


Digital trust in digital business
From PwC’s “The journey to digital trust”

If the lifeblood of the digital economy is data, its heart is digital trust - the level of confidence in people, processes, and technology to build a secure digital world. Companies, regulators, and consumers need new mechanisms to build that confidence as they address emerging challenges in business, risk management, and compliance.[1]

Digital businesses that lead in safety, security, reliability, privacy and data ethics will be the titans of tomorrow. It is a journey worth taking.[1]

[1] pwc.com/us/digitaltrustinsights

2018 and 2019 are pivotal years for digital trust
From PwC’s “The journey to digital trust”

An essay in The Economist predicted 2018 “will be remembered as the year that privacy law finally started catching up to the Internet.”[1]

Imagine what it would mean for businesses to begin a new legacy of building digital trust in 2019.[2]

This year will be pivotal as organizations start laying that foundation.

[1] The Economist, Toward defining privacy expectations in an age of oversharing, Aug. 16, 2018
[2] pwc.com/us/digitaltrustinsights

Where are we headed?
Greater automation for the Intelligent Enterprise

• Artificial Intelligence automates and improves processes
• Predictive analytics helps improve decision-making and performance
• The system continuously learns and adapts to user actions and inputs

Vision: Achieve 50% automation within the digital core in the next 3 years




The Intelligent Enterprise

• Better decisions with instant, real-time insight and prediction
• Increased performance through end-to-end reinvented processes
• Higher productivity with Digital Age UX and intelligent assistance
• Lower TCO with simplified architecture and cloud deployment

1 Intelligent Suite
2 Intelligent Technologies
3 Digital Platform


Benefits for GRC and Security with the Intelligent Enterprise
End-to-end innovation of GRC and Security processes across core business activities

• Intelligent monitoring and reporting with instant, real-time insight and prediction on better, live data
• Increased performance with in-memory technology allowing for previously impractical monitoring scenarios now becoming the norm
• Higher productivity with extensive opportunities for automation leading to resources focusing on higher value activities
• More comprehensive information security and monitoring across hybrid environments
• Flexible deployment covering today and tomorrow’s architecture and landscapes

[Diagram: SAP Intelligent Suite (Manufacturing & Supply Chain, Digital Core, People Engagement, Customer Experience, Network & Spend Management); Intelligent Technologies (AI/ML | IoT | Analytics); Digital Platform (Data Management, Cloud Platform)]


Vision of GRC and Security transformation
From daily routine to supporting growth and new business models

[Diagram: stages Traditional Business, Delayed Insights, Live Business. Labels: Operations focused; Detective, “rear view mirror” insights; Real-time insights in process for real-time decision making; Predictive insights, forward looking; Predictive analytics and machine learning; Automation; Operations]


Intelligent enterprises elevate employees to focus on higher-value tasks

[Chart: productivity over time across four eras: Industrial Automation (1960s - 1980s), Business Process Automation (1990s - 2000s), Digital Transformation (2000s - 2010s), Intelligent Enterprises (2010s - 2020s). Series: High-Value Tasks, Repetitive Tasks, Automation / Augmented AI]




New technologies are driving the future direction for GRC and Security

• Intelligent assistants to empower users to focus on what matters
• Machine learning to reduce mundane tasks and increase business agility
• Predictive analytics to focus more on outcomes than the past

Digital Core
Relevant and accurate data on which to run monitoring and compliance checks


Relevant and accurate data is key

https://hbr.org/2018/04/if-your-data-is-bad-your-machine-learning-tools-are-useless

Digital Core
Relevant and accurate data on which to run
monitoring and compliance checks



Sample Machine Learning
in GRC and Security
SAP Identity Access Governance
Optimize role definition based on business and organizational processes

[Diagram: inputs (Organizations and risks; Users; Technical roles, permissions, entitlements) feed machine learning optimization for business roles, followed by: Implement business roles for assignment updates with risk and impact analysis]

Leverage machine learning to automatically create business roles aligned with organizational functions

• Create business roles more closely aligned to business process
• Reduce complexity for the role design process
• Provide a greater degree of accuracy for users and role assignments
• Reduce the number of roles necessary to manage access


SAP Business Integrity Screening
Utilize machine learning to identify potential fraud and errors

[Diagram: Historical data and Live transactions feed Predictive detection methods, followed by: Automatically highlight potential exceptions and suspicious transactions; Analyze results, manage alerts, and document investigations]

Leverage machine learning to generate new detection rules that complement existing detection strategies

• Detect anomalies earlier to reduce financial loss
• Identify gaps or inefficiencies in business processes
• Improve the accuracy of detection at less cost
• Better predict and prevent future occurrence

SAP Enterprise Threat Detection
Refine algorithms to better detect threats

[Diagram: High-volume processing of security events; Analyze and correlate logs; Evaluate attack detection patterns; Perform forensic investigations and discover new patterns]

Leverage machine learning to refine anomaly detection methods such as statistical methods, one-time behavior, and potential malicious sites

• Keep systems secure in a continuously changing cybersecurity threat environment
• Leverage powerful and flexible monitoring, detection, and response capabilities
• Receive actionable alerts in time to neutralize threats to your business-critical asset
• Help prevent damage to your business and reputation


Next-generation GRC and Security processes available today

• Provide secure access to applications and data across cloud and on premise
• Use predictive driven detection of fraud and errors in transactions
• Provide a consolidated view through the SAP Digital Boardroom
• Leverage dynamic data protection including masking and logging
• Automate in-line screening of business partners
• Use machine learning to monitor threats to applications and data
• Generate alerts from continuous controls and risk monitoring
• Deploy controls for robotic process automation
• Automate compliance and duty optimization checks for international trade


GRC and Security in the SAP Digital Boardroom
One view of risk across the enterprise tied to objectives

Tied to Objectives
• Risk management framework aligned with business value drivers
• One view of business objectives linked to related risks, controls, and issues

Increased Accountability
• Clear lines of responsibility across operations, risk and compliance management, and internal audit
• Support for an integrated three lines of defense approach

Improved Alignment
• Risk-based approach to reduce unneeded effort for controls and audits
• Focused collaboration to leverage expert knowledge and improve decision making


The Intelligent Enterprise
End-to-end innovation of GRC and Security processes across core business activities

• One view of risk: Rapid consensus and decision making
• Optimized global trade: Screen partners, manage imports/exports, and optimize duty rates
• Automated monitoring and screening: Real-time compliance checks of transactions, master data and configuration
• Data privacy and protection: Protect data, control access, and detect threats
• Embedded controls: Reliable and efficient business processes
• Secure access: User and application level security across hybrid landscapes


One view of risk

Imagine
• One single framework, methodology and repository of risk data for the
organization to share
• One report showing risk levels, key risk indicators, incidents and risk responses
• Complete alignment among risk, audit, and compliance teams on critical risks,
responses, gaps and issues

What’s Possible
• Identify unfavorable key risk indicators and take action before the risk exceeds
target levels
• All controls and policies are mapped to risks and regulations to minimize gaps
and redundancies
• On demand reporting of risks by objective, activity, organization and location

Use Cases
• 15% reduction in risk and loss events
• 90% improvement in visibility to risks
• 40% more-efficient risk and control management processes
Automated monitoring and screening

Imagine
• Real-time screening of third-parties and business partners
• Alerts indicating potential compliance and regulatory violations (anti-corruption,
anti-money laundering, indirect tax compliance)
• Monitoring of specific business processes for potential fraud and errors (T&E, P2P,
O2C)

What’s Possible
• Block risky transactions and business relationships before the fact
• Real-time alerts for immediate investigation and correction
• Create automated controls leveraging monitoring technologies
• Use predictive algorithms to identify new fraud patterns and promote early detection

Use Cases
• 100% of T&E claims now automatically reviewed with exception-based alerts whereas
before only 10% of employee claims were reviewed through manual processes
• Immediate simulation and calibration of new detection methods in 10 seconds
• Comprehensive analysis of and exception reporting on 1 billion data records
searching for duplicate payments
Embedded controls

Imagine
• Real-time checks and controls embedded in business processes to help ensure
compliance
• Automated, manage-by-exception monitoring to improve business process
performance
• Always-on controls improving reliability and consistency across global operations

What’s Possible
• Hundreds of business rules deployed for exception-based continuous control
monitoring
• Rapid resolution of exceptions and clear visibility of remediation activities
• Shared repository of process risks and controls across all areas

Use Cases
• 75% reduction in manual effort on selected control activities through automation by
using continuous controls monitoring (CCM)
• 1,400 hours saved by automating just 20 controls across organizational units in the
first year
• 800K USD savings in less than 12 months



Secure access

Imagine
• Uncovering potential access risks (including segregation of duties) in core applications
before they happen reducing the risk of fraud and errors
• Consolidating identity and access management across all users and application
landscapes including single sign-on
• Leveraging fine-grain authorization methods where required

What’s Possible
• Automated and machine learning driven processes for managing segregation of
duties, critical access, business roles, and superuser access
• Self-service and HR triggered workflow-driven access request and approval for
multiple systems
• Fine-grain access rights applied dynamically
• Transaction usage monitoring and near real-time risk alerting and mitigation

Use Cases
• 99% reduction in segregation-of-duties violations
• 50% reduction in cycle time of access management
• 39% reduction in number of composite and single roles
• 80% reduction in IT personnel time required to manage access and SoD controls
Data protection and privacy

Imagine
• Detect internal and external attacks against your business software landscape
• Protect your company reputation and intellectual property
• Meet regulatory requirements such as GDPR
• Manage personal and sensitive data across landscapes and geographies

What’s Possible
• Real-time monitoring of application-level threats and vulnerabilities
• Identify cyberattacks at the application layer with real-time pattern detection
• Secure files and data using transportable policies and encryption
• Enable sensitive data masking and logging

Use Cases
• Monitor, collect, and correlate all security events to detect security incidents and threats
• Analyze 5.3 billion events per day, 160K events / sec (peak), 160 billion events (total)
with 7.4 TB in-memory data
• Forensic analysis and modeling of new attack detection patterns and dashboards
• Ability to manage complexities of data sharing and data restriction across joint projects



Optimized global trade

Imagine
• Ability to react immediately to shifting trade regulations and tariffs
• Real-time screening of transactions to avoid doing business with restricted parties
• Driving significant savings through duty reduction and trade agreements

What’s Possible
• Comprehensive trade compliance and automation for all major global trade
requirements including import, export, preference, duties, tariffs, special customs
procedures, and restricted-party screening
• Scale with a true global platform while meeting regional and local requirements
• Streamline communication with brokers or direct e-filing to major Customs systems

Use Cases
• $90 million annual ROI generated from duty savings and suspension, broker savings,
self-filings, and more
• Managing trade across more than 150 plants and warehouses worldwide
• 7.6 million business partners screened with greater uniformity by using a common
approach
• Fewer supply chain disruptions due to automation of trade activities


Be part of the digital transformation from the beginning
From PwC’s “The journey to digital trust”[1]

Engage security and GRC experts at the start of digital transformations

91% of enterprise-wide digital transformation include security and/or privacy personnel as stakeholders

but only…

53% include proactive management of cyber and privacy risks by design in the project plan and budget “fully from the start"

Still a large opportunity for improvement to help ensure GRC and Security is built in from the beginning

[1] https://www.pwc.com/us/en/services/consulting/assets/journey-to-digital-trust.pdf
Fall 2018 Digital Trust Insights, PwC, Base: 3,000 respondents


You have complete choice
SAP solutions for GRC and Security can be deployed on premise or in the Cloud

SAP S/4HANA’s simplified data model and modern user experience are consistent across both environments.

Considerations for selecting the right deployment:
• Business functionality
• Regulatory, industry, and regional requirements
• Individualization options
• IT strategy
• Innovation cycles
• Adoption / upgrade efforts
• TCO
• Commercial models

[Diagram labels: SAP S/4HANA; Cloud; On Premise; ONE Data Model, User Experience]


SAP GRC and Security success



Customer success
Opportunities for embedded GRC

Integrate risk, compliance, and audit to drive business efficiency and resilience
Exxaro wanted to boost enterprise-wide collaboration across all operations and functions for a risk-based approach to monitor key risks
▪ 90% improvement in visibility to risks
▪ 20% savings in costs through effective risk management and better resource allocation
▪ 10% reduction in auditing costs

Increasing risk visibility and improving enterprise risk and controls efficiency
Honeywell desired one view of risk and one source of truth for decision makers
▪ Utilize automated controls against key processes
▪ Manage multiple regulatory and compliance initiatives
▪ Improve transparency and insight
▪ 800K US savings in less than 12 months

Improve expense management processes with automated monitoring
Vodafone wanted to automate and become best in class for T&E claims audit
▪ 100% of claims now automatically reviewed with exception-based alerts whereas before only 10% of employee claims were reviewed through manual processes
▪ Now able to investigate different types of errors while still saving costs


Why SAP solutions for GRC and Security

• Most comprehensive GRC and Security suite from the market leader
• Most integrated set of capabilities to deploy along your current and future landscapes
• Highest coverage for language and country-specific regulatory requirements
• Global service coverage from SAP, global partners, and expert ecosystem
• Broadest industry coverage and best practices

[Diagram: SAP Intelligent Suite (Manufacturing & Supply Chain, Digital Core, People Engagement, Customer Experience, Network & Spend Management); Intelligent Technologies (AI/ML | IoT | Analytics); Digital Platform (Data Management, Cloud Platform)]


More Information

SAP solutions for GRC & Security Practical Tools and Approach SAP Cloud Trust Center



Thank you.
Contact information:
F name L name
Title
Address
Phone number
Follow us

www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of
SAP SE or an SAP affiliate company.
The information contained herein may be changed without prior notice. Some software products marketed by SAP SE and its
distributors contain proprietary software components of other software vendors. National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or
warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty
statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional
warranty.
In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or
any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation,
and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and
functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason
without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or
functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ
materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they
should not be relied upon in making purchasing decisions.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names
mentioned are the trademarks of their respective companies.
See www.sap.com/copyright for additional trademark information and notices.
Appendix
Mandate for Finance: Secure Finance Systems against mal-use
Lower risk and increase compliance

• Real-time risk analysis
• Policy definition
• Access governance
• Automated controls
• Threat detection
• Transaction screening
• Real-time audits


Business Process Example: Operational risk and compliance in Treasury
Holistic view of risk mitigation strategies

Key sources of treasury risk

Lack of enterprise-wide visibility
▪ Cash visibility
▪ Bank account visibility
▪ End-to-end transaction traceability and drilldowns

Cyber risk
▪ Internal breaches – user access controls, transaction permissions, weak process controls
▪ External breaches – weak encryption, failure points

Disconnected payment flow
▪ Workflow and approvals
▪ Multiple hand-shakes to complete a transaction
▪ Fragmented bank connectivity

Distributed landscapes
▪ Unsecured data exchanges
▪ Multiple failure points
▪ Ineffective exception monitoring and resolution

Multiple parties in the ecosystem
▪ Corp. treasury, employees, signatories
▪ Counterparties, Vendors, Banks, Connectivity partners

Compliance breaches
▪ Internal procedures and policies
▪ Regulatory requirements

[Diagram: Treasury Management (Payments; Cash Management; Debt & Investment Management; Financial Risk Management) surrounded by Real-time Risk Analytics, Access Governance, Cybersecurity, Automated Controls, Policy Definition, Transaction & Business Partner Screening, and Threat Detection, on SAP HANA and SAP Cloud Platform]


The Forrester Wave™:
Governance, Risk, And Compliance Platforms, Q1 2016*

Highlights from the Forrester Wave Report


• SAP has gone through great efforts to bring a clean and easy-to-use interface
to its risk and audit GRC offerings
• SAP is gaining ground rapidly on functionality with the SAP HANA platform and
SaaS delivery
• With SAP HANA, data analytics and rapid deployment are becoming a reality
for SAP customers and it will continue to improve the risk analytics capabilities
of the company’s cloud-based audit and risk platform as they mature

If you are interested in receiving a copy of this Forrester Wave report, please
contact your SAP Sales Executive.

*The Forrester Wave™: Governance, Risk and Compliance Platforms, Q1 2016 by Renee Murphy, January 22, 2016. The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester
Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or
service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change."



SAP Global Trade Services – global market leader

ARC Advisory Group

“SAP is the market share leader of the 2018 worldwide Global Trade Compliance market.”
Report Published January 2019

“SAP Global Trade Services lays the foundation for effective trade compliance by acting as the single system of record for all compliance master data and content.”

“When SAP GTS is integrated with SAP Transportation Management and SAP Event Management, customers can achieve global visibility and management capabilities to enable greater end-to-end, compliant supply chains.”

Analyst: Clint Reiser

ARC Advisory Group’s “Global Trade Compliance Systems Worldwide Market” Research Study — Market Analysis and Forecast through 2023”


Transform your governance, risk and compliance practices
Embed GRC and security in SAP S/4HANA

Enterprise risk and compliance
• Provide one view of risk
• Enable automated monitoring and screening
• Embed controls across business processes

Access governance
• Manage users and identities across landscapes
• Improve user experience with single sign-on

Cybersecurity and data protection
• Manage digital rights to protect applications and data
• Enhance application-level threat monitoring and analysis

International trade
• Screen related parties and manage trade compliance
• Leverage free trade agreements and optimize duty rates


SAP GRC solutions
Key themes

Enterprise risk and compliance
• Manage risks, controls, and regulatory requirements in business operations
• Screen third parties and detect anomalies and fraud
• Provide independent assurance of risk and compliance standards

Access governance
• Manage identities, authorized information access, data use, and sharing conditions
• Mitigate access risk violations and monitor financial impact

Cybersecurity and data protection
• Protect data, control access, and detect threats
• Help ensure compliance with information security standards
• Identify vulnerabilities in code and remote function call (RFC) connections

International trade management
• Manage import and export compliance as well as free trade agreements in global supply chains
• Optimize trade utilizing special customs procedures such as bonded warehouses, processing trade in China, and free trade zones in NA
• Manage Intrastat and export compliance in S/4HANA


SAP GRC solutions
Solution mapping to key themes

Enterprise risk and compliance
✓ SAP Process Control
✓ SAP Risk Management
✓ SAP Audit Management
✓ SAP Business Integrity Screening
✓ SAP Regulation Management by Greenlight

Access governance
✓ SAP Access Control
✓ SAP Cloud Identity Access Governance
✓ SAP Identity Management
✓ SAP Cloud Platform Identity Provisioning Service
✓ SAP Single Sign-On
✓ SAP Cloud Platform Identity Authentication Service
✓ SAP Dynamic Authorization Management by NextLabs
✓ SAP Access Violation Management by Greenlight

Cybersecurity and data protection
✓ SAP Enterprise Threat Detection
✓ SAP Data Privacy Governance
✓ SAP Data Custodian
✓ SAP Enterprise Digital Rights Management by NextLabs
✓ UI masking for SAP
✓ UI logging for SAP
✓ SAP NetWeaver AS, add-on for code vulnerability analysis
✓ SAP Fortify by Micro Focus

International trade management
✓ SAP Global Trade Services
✓ SAP S/4HANA for international trade
✓ SAP Watch List Screening

Enterprise risk and compliance
Three lines of defense

• Driven by the business and focused on performance
• Assigned roles and accountability to increase oversight and avoid redundancy
• Single source of data shared across the enterprise
• Continuous monitoring and automated alerts to manage by exception
• One view of risk for real-time decision support

[Figure: Three lines of defense]
Business drivers: Business strategy and objectives; Risk appetite
Risks: Operational, Financial, Environmental, Human capital, Reputation, Technology, Compliance, Strategic
Board and executive management
L1, Operational management: Manage operational risks and compliance in business operations
L2, Corporate risk and compliance: Aggregate and coordinate entity-level risk and compliance activities
L3, Independent assurance: Provide independent assurance on first and second lines of defense

Embed risk and control monitoring in SAP S/4HANA


SAP Risk Management
Preserve and grow value

Plan
Plan risk management within the context of value to the organization

Identify
Link risks, risk drivers, risk indicators, impacts and responses

Analyze
Analyze risk via scenarios, modeling, and other factors to understand exposure

Respond
Respond to risk after balancing costs and benefits

Monitor and report
Monitor thresholds, effectiveness of risk responses, and corrective actions

SAP Risk Management
Risks defined within the context of value to the organization

Plan

▪ Align risk management with strategies and opportunities


▪ Model and align risks to org structure
▪ Create/leverage risk and activity catalogs
▪ Document risk appetite



SAP Risk Management
Risk interrelationships, drivers, and impacts identified

Identify

▪ Utilize surveys and charting capabilities


▪ Aggregate by organization category
▪ Identify drivers and impacts using the risk bow-tie builder
▪ Prioritize via an individualized heat map



SAP Risk Management
Risks analyzed via scenarios, modeling, and other factors to understand exposure

Analyze

▪ Modeling scenarios such as “Monte Carlo”


▪ Determination of inherent, residual, and planned residual risk levels
▪ “What-if” scenarios
▪ Qualitative and quantitative factors including velocity



SAP Risk Management
Risk responses determined after balancing costs and benefits

Respond

▪ Document responses
▪ Assign accountability
▪ Launch a workflow-driven response with remediation tracking
▪ Integrate with SAP Process Control and SAP Audit Management
for shared control response



SAP Risk Management
Monitoring of thresholds, effectiveness of risk responses, and corrective actions

Monitor & report

▪ Analytics and reports including heat maps


▪ Notifications to risk owners via automated alerts and key risk
indicators (KRIs)
▪ Monitoring of response effectiveness
▪ Assessment of impact on business objectives



SAP Risk Management
Key features for comprehensive enterprise risk management

Plan
▪ Align risk management with strategies and opportunities
▪ Model and align risks to org structure
▪ Create/leverage risk and activity catalogs
▪ Document risk appetite

Identify
▪ Utilize surveys and charting capabilities
▪ Aggregate by organization category
▪ Identify drivers and impacts using the risk bow-tie builder
▪ Prioritize via an individualized heat map

Analyze
▪ Modeling scenarios such as “Monte Carlo”
▪ Determination of inherent, residual, and planned residual risk levels
▪ “What-if” scenarios
▪ Qualitative and quantitative factors including velocity

Respond
▪ Document responses
▪ Assign accountability
▪ Launch a workflow-driven response with remediation tracking
▪ Integrate with SAP Process Control and SAP Audit Management for shared control response

Monitor & Report
▪ Analytics and reports including heat maps
▪ Notifications to risk owners via automated alerts and key risk indicators (KRIs)
▪ Monitoring of response effectiveness
▪ Assessment of impact on business objectives


Banking on SAP® GRC Solutions to Manage
Risks, Controls and Policies
Featured Partner
Banque Cantonale de Fribourg
Fribourg, Switzerland
www.bcf.ch

Industry: Banking
Products and Services: Banking services for private and corporate customers
Employees: 450
Revenue: SFr 255,7 million
SAP® Solutions: SAP® governance, risk, and compliance (GRC) solutions, including the SAP Risk Management and SAP Process Control applications, and the SAP Fiori® user experience (UX)

Ranked high among Switzerland’s commercial banks – with the lowest cost-income ratio in the Swiss market – Banque Cantonale de Fribourg (BCF) efficiently manages its GRC processes using SAP GRC solutions. With support from Riscomp, integrating operational risk, controls, and policy management into the broader IT landscape has improved transparency for employees and other stakeholders.

Before: Challenges and Opportunities
• Streamline risk management and control for more transparent processes
• Automate loss and policy management and integrate them with other GRC processes
• Improve scalability of GRC reporting, user interface, and processes
• Maintain status as an efficiency leader within the Swiss banking industry

Why SAP and Riscomp GmbH
• Replaced legacy systems with standard SAP GRC solutions to provide essential, almost fully preconfigured functionality and reporting and extended functionality through policy management
• Improved user experience by integrating the renewed user interface with the SAP Fiori® UX
• Engaged Riscomp as a reliable partner for the initial implementation and subsequent support, functional enhancements, and upgrades

After: Value-Driven Results
• Accelerated approvals, reduced paper usage, and real-time insight for losses
• Resourcefully managed access to all policy documents
• Preserved historical information on risks, losses, and controls through data migration to the new applications
• Increased overall efficiency with more integrated risk and control management

• 15%: Reduction in risk and loss events
• 20%: Increase in risk and control management efficiency
• 50%: Less time required for loss documentation

“With this integrated standard solution, BCF is covering its analysis and risk-mapping needs. Automated management of internal controls, policies, and loss events is faster with significantly reduced paper usage, and all processes have enhanced workflows.”
Pierre Romanens, Head of Risk Management, Banque Cantonale de Fribourg

Exxaro: Greater Operational Efficiency with SAP® Governance, Risk, and Compliance Solutions

Company: Exxaro Resources Limited
Headquarters: Pretoria, South Africa
Industry: Mining
Products and Services: Coal and heavy minerals mining
Employees: 10,000
Revenue: R13 billion (US$1.1 billion)
Web Site: www.exxaro.com
Partner: CQS Technology Holdings, www.cqs.co.za

Objectives
• Integrate risk, compliance, and audit to drive business efficiency and resilience
• Integrate enterprise and operational risk from one technology platform
• Utilize risk platform for compliance, audit, and stakeholder management

Why SAP
• Full end-to-end enablement of governance, risk, and compliance (GRC) processes, which supports the company’s integrated GRC strategy
• Ability to integrate with existing SAP® software
• One integrated dashboard for risk, incident, and issue management
• Opportunity to automate and monitor controls to increase efficiency

Resolution
• Implemented the SAP Risk Management application for a risk-based approach to monitor key risks
• Used the framework in SAP Risk Management to boost enterprise-wide collaboration across all operations and functions
• Worked with CQS Technology to implement the SAP Process Control application and automate controls in key business processes

Benefits
• Standardized risk management practices across all functions and disciplines
• Enabled consistent, complete, and proactive coverage of risk planning, identification, analysis, treatment, and reporting
• Created improved, unified control environment using SAP Process Control
• Moved from manual random sampling of controls to 100% testing coverage

• 90%: Improvement in visibility of risks
• 20%: Savings in costs through effective risk management and better resource allocation
• R10 million (US$800,000): Savings in less than 12 months through the implementation of SAP Process Control
• 10%: Reduction in auditing costs

“SAP governance, risk, and compliance solutions have enabled us to create transparency and accountability at all layers of Exxaro and gain executive support, which has led to business efficiencies.”
Saret Van Loggerenberg, Manager of Risk and Compliance, Exxaro Resources Limited

SAP: Speeding GRC Control Testing by 90% with SAP® GRC Solutions

Company: SAP SE
Headquarters: Walldorf, Germany
Industry: High tech
Products and Services: Enterprise software and services
Employees: 87,800
Revenue: 22 billion Euro
Web Site: www.sap.com

Top Objectives
• Standardize, automate, and accelerate all governance, risk and compliance (GRC) processes
• Create single, highly transparent source of GRC information
• Display thought leadership in enterprise GRC management

Resolution
• Implemented the SAP® Process Control and SAP Risk Management applications company-wide
• Ability to integrate with existing SAP® software
• Integrated them with the SAP Business Integrity Screening application and the SAP Access Control and SAP Customer Relationship Management applications
• Took a phased approach

Key Benefits
• Better informed business decisions and mobile risk reporting
• Holistic regulation, process, risk, and control overviews based on a single data source
• Automatic control monitoring of system configuration and data

• 90%: Faster control testing on average
• 3 FTEs: Redeployed to higher-value activities
• 30%: Gain in report generation efficiency

“SAP solutions for GRC serve as a single source of the truth, enabling decision makers at SAP to efficiently and holistically manage risk – delivering real value to the business”
Miriam Kraus, Senior VP of Governance, Risk, and Compliance, SAP SE


Keeping Reporting on Track with the SAP® Risk Management

Company: ProRail
Headquarters: Utrecht, Netherlands
Industry: Travel and transportation
Products and Services: Track maintenance
Employees: 4,300
Web Site: www.prorail.nl

Objectives
• Implement an operational model for effective and efficient use of risk management resources
• Simplify the long and complex reporting processes associated with a highly regulated industry
• Ensure compliance with legal requirements and regulations

Why SAP
• Proven risk management tool set of the SAP® Risk Management application
• Opportunities to cut costs while reducing business risk
• Configuration that allows administration and management by department

Benefits
▪ Greater reliability in reporting
▪ Better understanding of current risk conditions
▪ One system with one risk language, reducing reporting needs and time spent in meetings

• Fast: 30% less time to run quarterly reports
• Effective: Quality reporting keeps management more informed and increases accountability
• Transparent: Increased risk and response transparency gives a better view of risk across the organization

“SAP Risk Management has helped us transition from being controllers managing risk to true department leaders. Not only does this make us accountable to one another, it also makes us more accountable to our stakeholders who rely on this data to make critical business decisions.”
Dorien Rookmaaker, Risk and Compliance Officer, ProRail

SAP Process Control
Help ensure effective controls and on-going compliance

Document
Single source of truth shared across the enterprise

Plan
Planning of focused actions to help ensure timeliness

Perform and monitor
Streamlined manual and automated performance

Evaluate
End-to-end test and issue resolution

Report
Insightful reporting for analysis and accountability


SAP Process Control
Help ensure effective controls and ongoing compliance

Document
▪ Standardized internal control documentation
▪ Sharing of compliance and control structures across regulations and organizations
▪ Collaborative policy maintenance and approval

Plan
▪ Selection of scope and test strategies
▪ Triggering of workflow-driven performance, assessments, and tests of effectiveness
▪ Defining and scheduling of continuous control monitoring rules
▪ Distribution of policies and related surveys

Perform and monitor
▪ Continuous control monitoring of configurations, master data, transactions, and related changes
▪ Automatic routing of exceptions through the workflow to appropriate users
▪ Manual control performance with collected evidence available to testers

Evaluate
▪ User-definable surveys for self-assessments, control design, and disclosures
▪ Manual and automated tests of effectiveness
▪ Workflow-driven evaluations, issue remediation, notifications, and status reporting

Report
▪ Reports and dashboards
▪ Audit trails and change analyses
▪ Sign-off surveys and certification


SAP Process Control
Document controls and policies centrally and map to key regulations and impacted organizations

Document

▪ Standardized internal control documentation


▪ Sharing compliance and control structures across regulations
and organizations
▪ Collaborative policy maintenance and approval



SAP Process Control
Perform periodic risk assessments to determine scope and test strategies

Plan

▪ Selection of scope and test strategies


▪ Triggering workflow-driven performance, assessments, and tests of
effectiveness
▪ Defining and scheduling continuous control monitoring rules
▪ Distribution of policies and related surveys



SAP Process Control
Perform manual and automated, exception-based monitoring of ERP systems

Perform and monitor

▪ Continuous control monitoring of configurations, master data, transactions, and related changes
▪ Automatic routing of exceptions through the workflow to appropriate users
▪ Manual control performance with collected evidence available to testers


SAP Process Control
Evaluate control design and effectiveness and raise and remediate issues

Evaluate

▪ User-definable surveys for self-assessments, control design, and disclosures


▪ Manual and automated tests of effectiveness
▪ Workflow-driven evaluations, issue remediation, notifications, and status
reporting



SAP Process Control
Support decisions and promote accountability with insightful analytics and sign-off

Report

▪ Reports and dashboards


▪ Audit trails and change analyses
▪ Sign-off surveys and certification



SAP Process Control
Key features for comprehensive management of controls and compliance

Document
▪ Standardized internal control environment documentation
▪ Data upload from provided spreadsheet tool
▪ Definition and sharing of data across multiple regulations
▪ User roles assigned at the data object level
▪ Manual control performance steps and due dates
▪ Master data approval workflow

Plan
▪ Top-down, risk-based scoping
▪ Focused test strategies
▪ Triggering of workflow tasks for performing manual controls
▪ Creation and scheduling of continuous control monitoring rules
▪ Distribution of policies and related surveys

Perform and Monitor
▪ Continuous control monitoring with exceptions routed to appropriate user(s)
▪ Support for monitoring configurations, master data, transactions, and change logs
▪ Multiple data source types including reports, queries, and configurable tables
▪ User-definable business rule parameters and deficiency levels

Evaluate
▪ User-definable surveys for self-assessments, control design, and disclosures
▪ Manual tests of effectiveness based on test plans
▪ Automated tests of effectiveness based upon business rules
▪ Management of ad hoc and evaluation-based issues and remediation
▪ Comprehensive workflow, notifications, and status reporting

Report
▪ Comprehensive tracking of evaluations and related issues and action plans
▪ Reports and dashboards that can be personalized by users
▪ Audit trails and change analyses
▪ Reporting tools from SAP BusinessObjects BI suite for use with GRC solutions
▪ Sign-off surveys and certification


Eli Lilly and Company: Responding to Global Health Needs While
Strengthening Compliance with SAP® Process Control

Company: Eli Lilly and Company
Headquarters: Indianapolis, Indiana
Industry: Life sciences
Products and Services: Development, manufacture, and sale of medicines
Employees: 41,000
Revenue: US$20 billion
Web Site: www.lilly.com

Objectives
• Create a central global repository across business units while helping the finance group reduce the number of controls
• Eliminate disparate and regionalized manual work by control owners
• Maximize scalability, consistency, and reliability of control performance and compliance reporting
• Implement an automated, manage-by-exception, self-documenting monitoring process to reduce internal control efforts and improve business process performance

Why SAP
• Ability to integrate across 14 systems in the global SAP® solution landscape
• Positive experiences with legacy SAP solutions across the company
• Easy entry and lower total cost of ownership

Resolution
• Implemented the SAP Process Control application across 72 countries, including four regional shared-service centers and three outsourcing hubs
• Integrated with the SAP Access Control application to automate controls over segregation of duties
• Adopted new business rule parameter functionality to maximize reuse of business rules

Future plans
• Expand SOX and FCPA regulatory monitoring, self-assessment, and testing across global financial, supply chain, and order-to-cash processes
• Increase visibility using dashboards in SAP Process Control

• >200: Business rules deployed for exception-based continuous control monitoring (CCM)
• 75%: Reduction in manual effort on selected control activities by managing by exception using CCM
• 80%: Estimated reduction in time required for CCM business rule creation and maintenance
• Increased: Management confidence thanks to complete visibility on the status of controls and changes
• Better: Consistency and completeness of control performance, helping streamline processes and support audits

“With SAP Process Control, we have saved time and money through automation. Most important, we have freed up resources to focus on higher-value activities for Lilly.”
Emily Swaim Damson, Security and Controls Lead, Eli Lilly and Company

GSK Vaccines: Easing Compliance with SAP® Process Control

Company: GlaxoSmithKline Vaccines
Headquarters: Rixensart, Belgium
Industry: Life sciences – pharmaceuticals
Products and Services: Vaccines
Web Site: www.gsk.com

Objectives
• Implement a single and integrated solution to support a strong control framework, aligning on the company’s risk mitigation needs and business objectives
• Implement robust IT-controls and compliance processes for Life Science, data privacy, and financial regulations (including SOx)
• Shift to a more pro-active than reactive control management

Why SAP
• Integration of the SAP® Process Control application with SAP software already used to run company’s major business processes
• Single, integrated GRC solutions and landscape simplification
• Multi-compliance functionality and ability to support master data quality control

Benefits
• Increased internal control monitoring efficiency
• Quicker action and resolution of issues
• Transparency and trust in internal controls and compliance for GSK-Vaccines stakeholders and external auditors
• Streamlined process to manage master-data quality

• Over 1 million: SAP software transactions generated daily within scope
• Smooth implementation: Finishing within budget in six months
• Automation and monitoring of controls wherever possible: Delivering growing efficiencies

“We wanted a single and integrated solution for ensuring the effectiveness of our internal control process, and that’s exactly what we found in SAP Process Control.”
Christophe Louis, IT Project Manager, GlaxoSmithKline Vaccines

Achieving Effective Controls and Continuous
Compliance with SAP® Process Control
Company: Hindustan Zinc Limited
Headquarters: Udaipur, India
Industry: Mining, mill products – primary metals
Products and Services: Producer of zinc, lead, silver, and cadmium
Employees: 6,000
Revenue: Rs 136.35 billion (US$2.23 billion)
Web Site: www.hzlindia.com
Partner: KPMG Advisory Services Pvt. Ltd., www.kpmg.com

Top objectives
• Ensure best-practice business process controls to minimize risk, enhance efficiency, and meet regulatory and statutory requirements
• Maintain effective and transparent control of security and processes
• Achieve audit efficiency and reduce total cost of ownership

Resolution
• Implemented the SAP® Process Control application and integrated with the existing SAP ERP application
• Streamlined the compliance structure across all divisions, plans, and the corporate office
• Configured associated workflows with process control roles, responsibilities, and activities

Key benefits
• Continuous monitoring to better manage control configurations
• Automated and standardized process compliance, simplifying processes, reducing errors and omissions, and cutting costs
• Paperless compliance with the Sarbanes-Oxley Act
• Better visibility and transparency into compliance management processes

• 30%: Lower auditing costs
• 50%: Faster completion of the audit cycle
• 50%: Fewer manual reports
• 40%: More-efficient risk and control management

“SAP Process Control provides a single source of truth, helping top management make effective, risk-based decisions at any time, which adds considerable value to our company. We have also been able to strengthen our compliance process through automated and continuous management of internal controls.”
Mrs. Vijaya Gupta, Deputy Chief Financial Officer, Hindustan Zinc Limited

SAP: Greater Digital Compliance with SAP® Process Control and
SAP S/4HANA

Company: SAP SE
Headquarters: Walldorf, Germany
Industry: High tech
Products and Services: Enterprise software and services
Employees: 77,000
Revenue: €6.34 billion
Web Site: www.sap.com

Objectives
• Create exception-based business-process compliance monitoring using automated controls
• Analyze 1 billion data records from multiple data sources, which cannot usually be done in one step
• Make use of Big Data analytic capabilities

Why SAP
• Ability to more easily design queries, conditional filters, and complex calculations using SAP HANA® platform calculation views
• No limitations on the number of joins, conversions, and conditional filters
• Ability to analyze 1 billion data records in just 11.2 seconds

Resolution
• Implemented the SAP® Process Control application integrated with the SAP S/4HANA suite
• Created additional query and filter logic required to support exception-based monitoring

Benefits
• High-performance analysis without any negative source-system impact
• High-volume data analysis of complex control structures
• Control management by exception

• More: Analytical breadth to address high-risk areas
• Faster: Analysis of and exception reporting on 1 billion data records
• Better: Calculations and filtering to focus on exceptions with high business impact

“Data is our digital currency. Smart control design, combined with high-performance analytic capabilities utilizing SAP S/4HANA as our digital core, is the key to successfully supporting our business to achieve digital compliance.”
Miriam Kraus, Senior VP – Global Governance, Risk, and Compliance, SAP SE

SAP: Speeding GRC Control Testing by 90% with SAP® Solutions for Governance, Risk, and Compliance

Company: SAP SE
Headquarters: Walldorf, Germany
Industry: High tech
Products and Services: Enterprise software and services
Members: 68,800
Web Site: www.sap.com

Objectives
• Standardize, automate, and accelerate all governance, risk, and compliance (GRC) processes
• Create a single, highly transparent source of GRC information
• Display thought leadership in enterprise GRC management

Resolution
• Implemented the SAP® Process Control and SAP Risk Management applications company-wide
• Integrated solutions with the SAP Fraud Management analytic application and the SAP Access Control and SAP Customer Relationship Management applications
• Took a phased approach

Future plans
• Better-informed business decisions and mobile risk reporting
• Holistic regulation, process, risk, and control overviews based on a single data source
• Automatic control monitoring of system configuration and data

90%: Faster control testing on average
3 FTEs: Redeployed to higher-value activities
30%: Gain in report generation efficiency

“SAP solutions for GRC serve as a single source of truth, enabling decision makers at SAP to
efficiently and holistically manage risk – delivering real value to the business.”
Miriam Kraus, Senior VP of Governance, Risk, and Compliance, SAP SE

Winner of the 2014 GRC 20/20 award for integrated GRC architecture

Banking on SAP® GRC Solutions to Manage Risks, Controls and Policies

Ranked high among Switzerland’s commercial banks – with the lowest cost-income ratio in the Swiss market –
Banque Cantonale de Fribourg (BCF) efficiently manages its GRC processes using SAP GRC solutions. With
support from Riscomp, integrating operational risk, controls, and policy management into the broader IT
landscape has improved transparency for employees and other stakeholders.

Company: Banque Cantonale de Fribourg, Fribourg, Switzerland (www.bcf.ch)
Featured Partner: Riscomp GmbH
Industry: Banking
Products and Services: Banking services for private and corporate customers
Employees: 450
Revenue: SFr 255,7 million
SAP® Solutions: SAP® governance, risk, and compliance (GRC) solutions, including the SAP Risk Management and SAP Process Control applications, and the SAP Fiori® user experience (UX)

Before: Challenges and Opportunities
• Streamline risk management and control for more transparent processes
• Automate loss and policy management and integrate them with other GRC processes
• Improve scalability of GRC reporting, user interface, and processes
• Maintain status as an efficiency leader within the Swiss banking industry

Why SAP and Riscomp GmbH
• Replaced legacy systems with standard SAP GRC solutions to provide essential, almost fully preconfigured functionality and reporting and extended functionality through policy management
• Improved user experience by integrating the renewed user interface with the SAP Fiori® UX
• Engaged Riscomp as a reliable partner for the initial implementation and subsequent support, functional enhancements, and upgrades

After: Value-Driven Results
• Accelerated approvals, reduced paper usage, and real-time insight for losses
• Resourcefully managed access to all policy documents
• Preserved historical information on risks, losses, and controls through data migration to the new applications
• Increased overall efficiency with more integrated risk and control management

15%: Reduction in risk and loss events
20%: Increase in risk and control management efficiency
50%: Less time required for loss documentation

“With this integrated standard solution, BCF is covering its analysis and risk-mapping needs.
Automated management of internal controls, policies, and loss events is faster with significantly
reduced paper usage, and all processes have enhanced workflows.”
Pierre Romanens, Head of Risk Management, Banque Cantonale de Fribourg

SAP Regulation Management by Greenlight
SAP Process Control

Enterprise risk and compliance

▪ Intake: Maintain authoritative sources for multiple regulatory alerts and mandates
▪ Evaluate: Identify and address compliance gaps to meet new or changed regulatory requirements
▪ Collaborate: Establish accountability and unify requirements and controls across operations and compliance stakeholders
▪ Monitor: Align compliance requirements with operational activities and automate testing of controls
▪ Report: Demonstrate comprehensive auditability of regulatory compliance

SAP Regulation Management
Maintain authoritative sources for multiple regulatory alerts and mandates

Intake

▪ Maintenance of a single authoritative source for regulatory alerts and mandates intake
▪ Integration of multiple internal and external data sources
﹣ RSS feeds, documentation, XML, CSV, XLS feeds
﹣ Internal regulatory data databases
﹣ External content feed integration: Thomson Reuters, LexisNexis, and many others
▪ Single catalog of comprehensive regulatory data: press releases and regulatory
mandates through to enforcement announcements

SAP Regulation Management
Identify and address compliance gaps to meet new or changed regulatory requirements

Evaluate

▪ Data ownership and accountability by providers, themes, and organizational structures
▪ Evaluation of implementation impact by assets, compared against
policies and operational risks
▪ Review of new and existing regulations, implementation projects, and
action plans

SAP Regulation Management
Establish accountability and unify requirements and controls across operations and compliance stakeholders

Collaborate

▪ Regulatory impact risk assessments

▪ Workflow initiation and delegation of actual, articulated, and internally created requirements

▪ Action plans, assessments, and surveys

SAP Regulation Management
Align compliance requirements with operational activities and automate testing of controls

Monitor

▪ Alignment of compliance requirements with operational activities and automation of controls testing

▪ Action planning and tracking

▪ Workflow user management and regulatory data tracking

▪ Regulatory risk register integrations down to process, control, and policy

▪ Implementation project Gantt plan tracking

SAP Regulation Management
Demonstrate comprehensive auditability of regulatory compliance

Report

▪ Comprehensive regulatory process and accountability


o Flexible dashboards, graphs, and charts
o Compliance memo reporting templates

▪ Extractable datasets into XLS and CSV files

SAP Regulation Management by Greenlight
Key features for comprehensive regulation management

Intake
▪ Single authoritative source for intake of regulatory alerts and mandates
▪ Integration of multiple internal and external data sources
▪ Single catalog of comprehensive regulatory data: press releases, regulatory mandates through to enforcement announcements

Evaluate
▪ Data ownership and accountability by providers, themes, and organizational structures
▪ Evaluation of implementation impact by assets, against policies and operational risks
▪ Review of new and existing regulations, implementation projects, and action plans

Collaborate
▪ Regulatory impact risk assessments
▪ Workflow initiation and delegation of actual, articulated, and internally created requirements
▪ Action plans, assessments, and surveys

Monitor
▪ Alignment of compliance requirements with operational activities and automation of controls testing
▪ Action planning and tracking
▪ Workflow user management and regulatory data tracking
▪ Regulatory risk register integrations down to process, control, and policy
▪ Implementation project Gantt plan tracking

Report
▪ Demonstration of the comprehensive regulatory process and accountability
▪ Flexible dashboards, graphs, and charts
▪ Compliance memo reporting templates
▪ Extractable data sets into XLS and CSV files

SAP Business Integrity Screening
Anomaly, fraud, 3rd-party risk detection and investigation to protect your business

Enterprise risk and compliance

▪ Design: Determine screening lists, analyze patterns and define detection rules and models
▪ Set-up: Define detection strategy through simulation and calibration
▪ Detect: Execute mass and real-time detection and stop anomalies or irregular transactions
▪ Investigate: Manage alert workload with efficient evaluation, qualification and remediation of issues
▪ Analyze Performance: Monitor key performance indicators and create management reports

SAP Business Integrity Screening
Analyze patterns and define screening & detection rules/models

Design

▪ High-performance application architecture


▪ Predictive insight and more intuitive design

SAP Business Integrity Screening
Define detection & screening strategies using simulations and calibration

Set-up

▪ Define detection strategies based on fine granular criteria


▪ Define screening strategies for business partners
▪ Real-time simulations and calibration of strategies

SAP Business Integrity Screening
Execute mass and real-time detection, and stop exception-related business transactions

Detect

▪ Mass screening and detection in real-time leveraging SAP HANA technology
▪ Fully integrated bi-directional exception processing

SAP Business Integrity Screening
Manage alert workload with efficient evaluation, qualification, and remediation

Investigate

▪ Comprehensive alert management with advanced inquiry and analysis features


▪ Collaborative and faster investigation and intuitive capture of findings
▪ One-click resolution for simpler screening alerts (business partners)
▪ Effective remediation of irregularities – leverage the integration with SAP
Process Control (optional)

SAP Business Integrity Screening
Monitor key performance indicators and create management reports

Analyze Performance

▪ Real-time performance analytics and management reporting for better informed decisions and timely action
▪ Monitor and optimize the quality of investigations

SAP Business Integrity Screening
Key processes and features

Design
▪ High-performance application architecture
▪ Predictive insight and more intuitive design

Setup
▪ Define detection strategies based on fine granular criteria
▪ Define screening strategies for business partners
▪ Real-time simulations and calibration of strategies

Detect
▪ Mass screening and detection in real-time leveraging SAP HANA technology
▪ Fully integrated bi-directional processing

Investigate
▪ Comprehensive alert management with advanced inquiry and analysis features
▪ Collaborative and faster investigation and intuitive capture of findings
▪ One-click resolution for simpler screening alerts (business partners)
▪ Effective remediation of irregularities – leverage the integration with SAP Process Control (optional)

Analyze Performance
▪ Real-time performance analytics and management reporting for better informed decisions and timely action
▪ Monitor and optimize the quality of investigation

BSH: Identifying High-Risk Transactions with SAP® Fraud Management powered by SAP HANA® (original solution name)

Company: BSH Home Appliances Group
Headquarters: Munich, Germany
Industry: Consumer products
Products and Services: Brands include Bosch, Siemens, Gaggenau, Neff, Thermador, Constructa, Viva, Ufesa, Junker, Zelmer, Balay, Pitsos, Coldex
Employees: 53,000
Revenue: €11.4 billion (2014)
Web Site: www.bsh-group.com
Partners: SAP Consulting services, SAP Custom Development organization

Objectives
• Comply with internal guidelines and German and international regulations for incoming and outgoing payments
• Increase automation and speed of transaction screening
• Identify high-risk transactions in relevant risk areas
• Manage alerts effectively
• Minimize disruption of business

Why SAP
• SAP® Fraud Management application powered by SAP HANA®, part of SAP solutions for governance, risk, and compliance
• SAP HANA platform, which has high-volume and real-time processing capabilities
• SAP HANA Enterprise Cloud service, which allows for minimal impact on IT and faster implementation

Resolution
• Defined detection rules, identifying high-risk transactions in predefined risk areas
• Optimized screening of transaction data, including real-time checks of outgoing payments to identify deviations
• Implemented workflows to process alerts and block high-risk transactions

Benefits
• Improved prevention of misconduct and infringements of guidelines
• Reduced risk from suspicious payments
• Increased efficiency of allocated resources
• Minimized manual controls and business burden

Real-time: Payment run screening
Faster: Processing time of high-risk transactions with automated workflow
Higher: Accuracy in the identification of high-risk transactions
Improved: Compliance thanks to better detection of potential breaches

“SAP Fraud Management and SAP HANA Enterprise Cloud enable BSH to use a best-practice
approach for the identification of high-risk transactions with minimal burden to the business and IT.”
Dr. Alexander von Reden, Head of Compliance Management, BSH Home Appliances Group

SAP improves audit investigations to protect revenue with SAP® Business Integrity Screening on SAP HANA®

Company or Organization: SAP SE
Headquarters or Location: Walldorf
Industry: High Tech
Products and Services: Enterprise application software
Employees: 66,500
Revenue: €16,815 million
Web Site: www.sap.com

Objectives
• Provide SAP Corporate Audit organization with reliable real-time fraud detection and investigation
• Protect the company from financial loss due to fraud and address related audit findings
• Dispose of powerful analysis and detection optimization capabilities in the context of multiple systems and growing volumes of data

Why SAP
• Faster detection thanks to in-memory capabilities of SAP HANA
• Integrated into SAP’s existing ERP solution portfolio
• Benefit from SAP’s comprehensive and integrated set of governance, risk and compliance (GRC) solutions to prevent, detect and deter fraud

Benefits
• Fast treatment of alerts due to real-time detection
• Reduce current workload due to easier load operations and data preparation
• Comprehensive coverage of typical fraud scenarios, such as conflict of interest
• Contribute to continuous improvement of impacted business processes and sustainable compliance as part of the broader SAP GRC program

On time: All project deliverables were accomplished in time and within budget
Faster: A complete new software solution live in less than 3 months
Better: Simulation and calibration of new detection methods in 10 seconds instead of 1 day
Stronger: Preparation of investigations cut down from days to hours

“SAP Business Integrity Screening has already reduced our audit preparation time significantly and
provided tangible business and audit results in seconds instead of days.”
Thomas Bamberger, Chief Audit Executive, SAP Group

SAP Audit Management
Transform audit. Move beyond assurance

Enterprise risk and compliance

▪ Managing the audit activity: Establish a risk-based plan, prioritize audit activities and align with the needs of the enterprise
▪ Planning the engagement: Develop and document a plan for each engagement
▪ Performing the engagement: Identify, analyze and document relevant information
▪ Communicating results: Communicate engagement objectives, scope, conclusions, findings, and recommendations
▪ Monitoring progress: Monitor the disposition of results reported to management

SAP Audit Management
Manage the audit activity

Managing the audit activity

▪ Establish a framework for risk assessment and prioritization


▪ Communicate plans and resource requirements
▪ Deploy appropriate resources
▪ Report plan performance to senior management and the Board

SAP Audit Management
Engagement planning

Engagement planning

▪ Establish engagement objectives and scope


▪ Assess relevant risks
▪ Plan appropriate and sufficient resources
▪ Develop and document engagement work program

SAP Audit Management
Perform the engagement

Performing the engagement

▪ Identify relevant information


▪ Perform analysis and evaluation
▪ Document engagement information
▪ Supervise the engagement

SAP Audit Management
Communicate results

Communicating results

▪ Determine communication criteria


▪ Disseminate results

SAP Audit Management
Monitor progress

Monitoring Progress

▪ Establish a follow-up process to monitor management actions
▪ Capture incidents and losses
▪ Monitor the disposition of consulting engagements

SAP Audit Management
Key features for end-to-end audit management

Managing the Audit Activity
▪ Establish a framework for risk assessment and prioritization
▪ Communicate plans and resource requirements
▪ Deploy appropriate resources
▪ Report plan performance to senior management and the Board

Engagement Planning
▪ Establish engagement objectives and scope
▪ Assess relevant risks
▪ Plan appropriate and sufficient resources
▪ Develop and document engagement work program

Performing the Engagement
▪ Identify relevant information
▪ Perform analysis and evaluation
▪ Document engagement information
▪ Supervise the engagement

Communicating Results
▪ Determine communication criteria
▪ Disseminate results

Monitoring Progress
▪ Establish a follow-up process to monitor management actions
▪ Capture incidents and losses
▪ Monitor the disposition of consulting engagements

Tata Steel Europe Transforms the Audit Process with SAP Audit Management Running in SAP HANA® Enterprise Cloud

Company: Tata Steel Europe
Headquarters: IJmuiden, The Netherlands
Industry: Mill products – steel production
Products and Services: Steel
Employees: 30,000
Web Site: www.tatasteel.com

Objectives
• Support the audit process of the multilingual audit department operating in multiple locations end to end
• Improve audit efficiency, effectiveness, and timeliness
• Reduce the overall cost of the audit

Why SAP
• Analytics solutions based on the SAP HANA® platform and cloud enabled through the SAP HANA Enterprise Cloud service
• Risk-based, mobile functionality that alleviates paper-based workloads and audit planning and increases productivity
• SAP HANA Enterprise Cloud as an innovation accelerator with a focus on enterprise-wide issues and tomorrow’s opportunities

Resolution
• Integrated the SAP® Audit Management application into the SAP software landscape
• Established a basis for easy, fast access to the latest technology and related up-to-date knowledge

Benefits
• Improved transparency
• Reduced total staff time and manual effort per engagement
• Increased audit coverage by using embedded analytics
• Gained new opportunities through better understanding of the business based on Big Data analytics

Reduced: Administrative effort in the audit process
Lower: Up-front investment to set up the audit process
Increased: Productive audit time
More: Consistency between documentation, auditing, reporting, and QA processes

“SAP Audit Management allows us to focus more on auditing and less on administration. Big Data analytics
opens up a number of new opportunities for us to look at information in different ways, thereby helping
transform our business and unlock value.”
Willem Ypma, IT Audit Manager, Tata Steel Europe

SAP Runs SAP: Transforming Audits and Moving Beyond Assurance

Company: SAP SE
Headquarters: Walldorf, Germany
Industry: High tech
Products and Services: Business software applications and services
Employees: 74,400
Web Site: www.sap.com

Objectives
• Implement an audit management solution covering entire audit lifecycle
• Improve audit efficiency and reduce overall cost of ownership
• Elevate audit impact with technology-based insight into business risks

Why SAP
• Support for a shift from periodic to continuous assurance through integration of audit processes with the SAP® Risk Management application and the SAP Business Integrity Screening application
• Analytics solutions from SAP and the SAP HANA® platform to focus on enterprise-level issues and opportunities today and tomorrow
• Software, risk-based tools, and mobile functionality to improve working paper management, audit planning, and productivity

Benefits
• Gained transparency of audit engagements
• Reduced total staff time and manual effort per engagement
• Increased audit efficiency and expanded audit coverage by leveraging Big Data
• Shifted from assurance to advisory engagements by using analytics
• Achieved stronger stakeholder relationship

Reduced: Administrative effort covering the entire audit lifecycle
Increased: Productivity by using intuitive user interfaces and technology
Simplified: Use by developing a solution for auditors by auditors

“SAP Audit Management is an integrated application with a new user interface that helps corporate audit
to manage the entire audit lifecycle efficiently while supporting our mission to be a trusted advisor to
executive management.”
Thomas Bamberger, Chief Audit Executive, SAP SE

Access governance
Digital identity enabled enterprise

• Reduce cost and improve security with identity management and automated provisioning
• Manage access for enterprise applications – cloud or on premise – role and/or attribute-based controls
• Enable greater user productivity by eliminating excessive logins with single sign-on
• Reduce audit costs by quantifying the financial impact of access risk violations
• Support and monitor critical capabilities and accounts for privileged users

[Diagram: access governance around a digital identity, with the labels attribute-based access, policy checks, HR events, approvals, access requests, single sign-on, any device, onboarding, identity of things, provisioning, auditing, certification, and reporting, connected to SAP S/4HANA, cloud applications, and other business applications]

SAP Access Control
Manage access risk

Access governance

▪ Analyze risk: Find and remediate segregation of duties and critical access violations
▪ Provision users: Automate access administration for enterprise applications
▪ Maintain roles: Define and maintain roles in business terms
▪ Certify authorizations: Certify that access assignments are still warranted
▪ Monitor privileges: Monitor emergency access and transaction usage

SAP Access Control
Find and remediate segregation of duty (SoD) and critical access violations

Analyze risk

▪ Use a comprehensive, predefined rule set

▪ Perform cross-system analysis for enterprise applications in real time or offline mode

▪ Take action to remediate and mitigate access risks

▪ Simulate changes to identify and prevent new risks

SAP Access Control
Automate access administration for enterprise applications

Manage access

▪ Self-service, automated access requests

▪ Workflow-driven approval process

▪ Embedded risk analysis simulations to “stay clean”

▪ Automated provisioning to enterprise applications

SAP Access Control
Define and maintain roles in business terms

Maintain roles

▪ Rely on a configurable methodology for role definition and maintenance

▪ Define roles in business terms and align with business processes

▪ Analyze and optimize business roles

SAP Access Control
Certify access assignments are still warranted

Certify authorizations

▪ Automate periodic user-access reviews

▪ Certify role content and assignment to users

▪ Automate review of mitigating control assignments

SAP Access Control
Monitor emergency privileges and transaction usage

Monitor privileges

▪ Manage emergency access

▪ Review user and role transaction usage details

▪ Get proactive notification of conflicting or sensitive action usage

▪ Customize dashboards and reports

SAP Access Control
Key features for end-to-end access management

Analyze risk
▪ Rely on a comprehensive, predefined rule set
▪ Perform cross-system analysis for enterprise applications in real time or offline mode
▪ Take action to remediate and mitigate access risks
▪ Simulate changes to identify and prevent new risks

Manage access
▪ Self-service automated access request
▪ Workflow-driven approval process
▪ Embedded risk analysis simulations to “stay clean”
▪ Automated provisioning to enterprise applications

Maintain roles
▪ Streamline role definition and maintenance with a configurable methodology
▪ Define roles in business terms and align with business processes
▪ Analyze and optimize business roles

Certify authorizations
▪ Automate periodic user-access reviews
▪ Certify role content and assignment to users
▪ Automate review of mitigating control assignments

Monitor privileges
▪ Manage emergency access
▪ Review details of user and role transactions
▪ Get proactive notifications of conflicting or sensitive action usage
▪ Customize dashboards and reports

Fiat India: Strengthening control and governance and minimizing access risk with SAP® Access Control

Company: Fiat India Automobiles Private Limited (FIAPL)
Headquarters: Pune, Maharashtra, India
Industry: Automotive
Products and Services: Fiat and Tata passenger cars and passenger car engines
Employees: 4,000
Web Site: www.fiat-india.com
Partner: Robert Bosch Engineering and Business Solutions Private Ltd. (RBEI), www.bosch-india-software.com

Objectives
• Become better informed about best practices for remediation and mitigation of access risk
• Adapt segregation-of-duties (SoD) rules to meet company’s needs
• Proactively identify risks prior to user provisioning

Why SAP
• Central repository for mitigation controls
• Flexible and scalable role management framework
• Comprehensive documentation of role management activities for audit purposes

Resolution
• Expedited adoption of the SAP® Access Control application thanks to RBEI’s rapid implementation methodology and value-adding best practices for security
• Tailored the SoD rule set to the company’s business scenarios and rationalized naming conventions
• Streamlined the role management process with risk-free roles and harmonized user access administration

Future plans
• Grow with and adapt to changes, thanks to future-proof, scalable technology
• Encourage and empower employees with enhanced self-services
• Improve monitoring and analysis of risks and controls with one-click access to dashboards and reports

90%: Fewer SoD violations
50%: Less cycle time for access management
30%: Reduction in composite and single roles
Lower: Cost of compliance

“With SAP Access Control, we now have real-time visibility into our current risk position, so
we can proactively manage and reduce risk. We can document authorizations and controls in
place, harmonize access administration, and enforce our scalable user-access governance
framework across the entire organization.”
Vishwajay Chakravarty, Vice President, Information Systems and Technology, Fiat India Automobiles Private Limited

Wheels India: Improving Access Risk Management and Role Management with SAP® Access Control

Company: Wheels India Limited
Headquarters: Chennai, Tamil Nadu, India
Industry: Automotive
Products and Services: Steel wheels and other auto components
Employees: 3,800
Revenue: Rs 2,000 crore (US$301 million)
Web Site: www.wheelsindia.com
Partner: Robert Bosch Engineering and Business Solutions, www.bosch-india-software.com

Objectives
• Analyze access risks
• Build customized segregation-of-duties (SOD) rule sets
• Access risk remediation and mitigation consulting
• Analyze, design, and optimize business roles

Why SAP
• SAP® Access Control application for proactive identification of access risks at the user and role levels prior to provisioning
• Ability to maintain a centralized repository of mitigation controls
• Documentation of access risks and controls for audit purposes
• Visibility and auditability of superuser access
• Harmonized user access administration process
• Streamlined role management process with a flexible framework
• Self-service with all the controls in place for gaining access
• Elimination of paper access forms, promoting environmentally conscious IT

Resolution
• Worked with Robert Bosch in India to deploy SAP Access Control
• Customized the SOD rule set tailored to the Wheels India business

Benefits
• 90% fewer access risks, through role redesign and SOD consulting
• More efficient mitigation controls through a centralized repository
• Flexible and scalable role management framework with standard naming conventions
• Overview of key access risks and controls, through one-click reports and dashboards

60%: Reduction in SOD violations for each role
50%: Decrease in access management cycle time
30%: Fewer composite and single roles

“We have a more transparent environment thanks to SAP governance, risk, and compliance solutions,
and we are better informed about SOD violations. It is easier to identify, categorize, mitigate, monitor,
control, and report risks in our business processes.”
V.R. Indarsarath, Vice President – IT, Wheels India Limited

Hinduja Global Solutions: Creating a More Transparent Environment with SAP® Access Control

Company: HGS Ltd.
Headquarters: Bangalore, India
Industry: Professional services
Products and Services: Business process outsourcing and call center services
Employees: 28,000
Revenue: US$458 million
Web Site: www.teamhgs.com
Partner: Robert Bosch Engineering and Business Solutions Private Ltd., www.bosch-india-software.com

Objectives
• Analyze and mitigate access risks
• Build a custom rule set for segregation of duties
• Analyze, design, and optimize business roles

Why SAP
• World-class functionality in the SAP® Access Control application
• Trusted industry leader
• Ability to customize the software for the company's needs

Resolution
Implemented SAP Access Control

Benefits
• Created a custom rule set for segregation of duties tailored to HGS’s needs
• Established a central repository for mitigation controls
• Built a flexible and scalable role-management framework with standard naming conventions
• Gained access to one-click reports and dashboards to get an overview of key access risks and controls

99%: Reduction in segregation-of-duties violations
50%: Reduction in cycle time of access management
39%: Reduction in number of composite and single roles

“With SAP Access Control, it is easy to be informed about segregation-of-duties violations and
mitigated risks, which helped us to create a more transparent environment. The application
provided an easy way to identify, categorize, mitigate, monitor, control, and report on risks in
our business processes.”
Subramanya C, Chief Technology Officer, HGS Ltd.

Treating governance and compliance strategically with
SAP® Access Control

Automating authorization management with SAP® Access Control

SAP Cloud Identity Access Governance
Simple, seamless, and adaptive

Access governance

Access analysis
Analyze access, refine user assignments, manage controls

Role design
Optimize role definition and streamline governance

Access request
Optimize access, workflow, policy-based assignment, and processes

Access certification*
Review access, role, risk, and mitigation control

Privileged access management*
Achieve account-based access, log consolidation, and review with automated log assessment for fraud

*Planned

SAP Cloud Identity Access Governance, access analysis service
Analyze access, refine user assignments, manage controls

Access analysis

▪ Delivers insight into segregation of duties (SoD) and critical
access for on-premise and cloud solutions with built-in risk scoring
▪ Provides configurable and predefined access policies and rules
▪ Enables refinement of assignments to optimize user access for security
and compliance
▪ Allows management of controls including integrated control monitoring and
testing
▪ Enables preconfigured audit reporting

SAP Cloud Identity Access Governance, role design service
Optimize role definition and streamline governance

Role design

▪ SAP Fiori-based, bottom-up business role design with
machine learning and role re-engineering
▪ Ability to assure business role compliance with
organizational policies
▪ Integrated reconciliation process to help ensure
consistency of business roles
▪ Ability to smoothly link access analysis and role design

SAP Cloud Identity Access Governance, access request service
Optimize access, workflow, policy-based assignment, and processes

Access request

▪ Self-service access-request forms with built-in guides and
data-driven filters
▪ Auditable access-request workflow
▪ Integrated, compliant user-provisioning process
▪ Native integration with cloud apps

SAP Cloud Identity Access Governance, access certification service
Review access, role, risk, and mitigation control

Access certification*

▪ Automate periodic access reviews
▪ Enable reviews specific to organizational needs
▪ Support large-scale reviews
▪ Manage the review process
▪ Access data-driven views for the review process

*Planned

SAP Cloud Identity Access Governance, privileged access management service
Account-based access, log consolidation, and review with automated log assessment for fraud

Privileged access management*

▪ Administration of privileged user accounts
▪ Temporary use of elevated permissions
▪ Integrated session tracking
▪ Workflow-based activity review

*Planned

SAP Cloud Identity Access Governance
Feature overview

Access analysis
▪ Delivers insight into segregation of duties (SoD) and critical access for on-premise and cloud solutions
▪ Provides configurable and predefined access policies and rules
▪ Enables refinement of assignments to optimize user access for security and compliance
▪ Allows management of controls including integrated control monitoring and testing
▪ Enables preconfigured audit reporting

Role design
▪ SAP Fiori-based, bottom-up business role design and role refactoring
▪ Ability to assure business role compliance with organizational policies
▪ Integrated reconciliation process to help ensure consistency of business roles
▪ Ability to smoothly link access analysis and role design

Access request
▪ Self-service access request forms with built-in guides and data-driven filters
▪ Auditable access request workflow
▪ Integrated, compliant user provisioning process
▪ Native integration with cloud apps

Access certification*
▪ Automate periodic access reviews
▪ Enable reviews specific to organizational needs
▪ Support large-scale reviews
▪ Manage the review process
▪ Access data-driven views for the review process

Privileged access management*
▪ Administration of privileged user accounts
▪ Temporary use of elevated permissions
▪ Integrated session tracking
▪ Workflow-based activity review

*Planned

SAP Dynamic Authorization Management application by NextLabs
Enhancing security for data and business applications

Access governance

Gain insight
Monitor data and application activity and streamline business processes

Automate controls
Use single policy platform to centralize and automate data and application security

Prevent violations
Minimize fraud; prevent compliance and security violations

Secure access
Use consistent and on-the-fly access enforcement with dynamic authorization

SAP Dynamic Authorization Management
Automated enforcement of data and application security controls

Automate controls

▪ Incorporates an attribute-based access control model with fine-grained
contextual information
▪ Automates data classification and segregation
▪ Provides ability to control access at the transaction or field level

SAP Dynamic Authorization Management
Enforce policy decisions consistently and on-the-fly

Secure access

▪ Real-time policy messages with explanation and corrective workflow
▪ Integration with existing identity management, HR, and directory systems
▪ Centralized policy management, ensuring consistent application across
geographies and divisions

SAP Dynamic Authorization Management
Prevent fraud, compliance, and security violations

Prevent violations

▪ Automatically incorporates business rules and policies and applies them from a
central system
▪ Real-time contextual information prevents users from accessing unauthorized
information
▪ Integrates with SAP Access Control segregation of duties (SoD) rule set to
prevent violations

SAP Dynamic Authorization Management
Monitor data and application activity and streamline business processes

Gain insight

▪ Removal of barriers to improve efficiency
▪ Centralized reporting and audit to detect patterns and anomalies
▪ Dashboards, trend analysis, and incident investigation for preventive action

SAP Dynamic Authorization Management
Key features for attribute-based access control

Automate controls
▪ Incorporates an attribute-based access control model with fine-grained contextual information
▪ Automates data classification and segregation
▪ Provides ability to control access at the transaction or field level

Secure access
▪ Real-time policy messages with explanation and corrective workflow
▪ Integration with existing identity management, HR, and directory systems
▪ Centralized policy management, ensuring consistent application across geographies and divisions

Prevent violations
▪ Automatically incorporates business rules and policies and applies them from a central system
▪ Real-time contextual information prevents users from accessing unauthorized information
▪ Integrates with SAP Access Control SoD rule set to prevent violations

Gain insight
▪ Removal of barriers to improve efficiency
▪ Centralized reporting and audit to detect patterns and anomalies
▪ Dashboards, trend analysis, and incident investigation for preventive action

SAP Access Violation Management application by Greenlight
Access control solution extension

Access governance

Report
Summarize financial exposure due to SoD violations

Extend
Extend the capabilities of SAP Access Control across enterprise systems

Monitor
Correlate business transactions to users to identify materialized SoD violations

Notify
Notify business owners when SoD violations are executed

SAP Access Violation Management
Access control solution extension

Extend

▪ Extend the capabilities of SAP Access Control across enterprise systems
﹣ Report who could perform critical or SoD activities
﹣ Prevent risks through simulation of changes prior to provisioning access
﹣ Ensure clean roles through critical access and SoD monitoring
﹣ Conduct comprehensive and automated periodic SoD and user access reviews

SAP Access Violation Management
Access control solution extension

Notify

▪ Eliminate manual reviews and facilitate business involvement through
notifications only when SoDs materialize
▪ Use notifications to allow business reviewers to directly access the transactional
risk details
▪ Issue reminders and escalation notifications

SAP Access Violation Management
Access control solution extension

Monitor

▪ Identify materialized risks through 100% transaction monitoring in the business
applications

▪ Act on, document, and close risks in a centralized, consistent, and effective
approach across business units, processes, and geographies

▪ Provide an online, streamlined SoD mitigation process

SAP Access Violation Management
Access control solution extension

Report

▪ Summarize and report financial value of SoD violations

▪ Articulate the financial exposure that access risk has on business areas

▪ Uncover violator trends and at-risk applications or business processes

SAP Access Violation Management
Key features for end-to-end access violation management

Extend
▪ Extend the capabilities of SAP Access Control across enterprise systems
▪ Report who could perform critical or SoD activities
▪ Prevent risks through simulation of changes prior to provisioning access
▪ Ensure clean roles through critical access and SoD monitoring
▪ Conduct comprehensive and automated periodic SoD and user access reviews

Notify
▪ Eliminate manual reviews and facilitate business involvement through notifications only when SoDs materialize
▪ Use notifications to allow business reviewers to directly access the transactional risk details
▪ Issue reminders and escalation notifications

Monitor
▪ Identify materialized risks through 100% transaction monitoring in the business applications
▪ Act on, document, and close risks in a centralized, consistent, and effective approach across business units, processes and geographies
▪ Provide an online, streamlined SoD mitigation process

Report
▪ Summarize and report financial dollar value of SoD violations
▪ Articulate the financial exposure that access risk has on business areas
▪ Uncover violator trends and at-risk applications or business processes

Simplifying SoD management with SAP Access Control
and SAP Access Violation Management

Company
Sharp Electronics Corporation

United States Headquarters
Mahwah, New Jersey

Industry
High tech

Products and Services
Home electronics, appliances, mobile devices, and business solutions

Web Site
www.sharpUSA.com

Top objectives
▪ Leverage technology to streamline access governance processes across enterprise applications
▪ Contextualize the segregation of duty (SoD) risk in terms of financial exposure to the business

Resolution
▪ Deployed the SAP Access Control application as the company’s centralized access governance solution
▪ Deployed the SAP Access Violation Management application by Greenlight to automate SoD controls and to provide insight into financial exposure due to SoD violations
▪ Established this centralized solution as the basis for security as a shared service and as a platform for further expansion

Key benefits
▪ Automation that reduced manual efforts for managing access governance and SoD procedures across the enterprise
▪ Reduction in external audit costs
▪ Reduction in the IT security team – from five employees to one

80% Reduction in IT personnel time required to manage access governance and SoD controls
300 hours Reduction in time spent per month on SoD control monitoring
33% Increase in the number of systems managed by SAP Access Control

“The synergy between system solutions and procedure and technology and humanity
empowers and frees companies to focus on core business functions. Leveraging innovative
solutions like SAP Access Control and SAP Access Violation Management allows Sharp to do
more and maximize resources.”
Wyatt MacManus, Associate Director, Information Security, Sharp Electronics Corporation

Citrix: Proactively Addressing Enterprise Wide Access
Compliance with SAP Access Violation Management

Company
Citrix Systems Inc.

Headquarters
Ft. Lauderdale, Florida

Industry
High tech

Products and Services
Hardware and software solutions

Employees
9,500

Web Site
www.citrix.com

Objectives
▪ Maintain security principles to standardize, automate, and provide the ability to scale as the company enables and adopts new cloud technologies including SAP solutions, SAP Ariba solutions, and Concur solutions
▪ Provision and analyze transaction and user activities across SAP and non-SAP business applications to proactively detect and minimize risks
▪ Automate the workflow related to role provisioning and monitoring with controls to protect the company
▪ Eliminate manual touch points related to provisioning and monitoring, automating where possible
▪ Centralize information and governance, and proactively mitigate segregation-of-duties (SoD) violations

Why SAP
▪ SAP Access Violation Management application by Greenlight, which provides the ability to accurately identify and remediate SoD and critical violations in real time and will support all enhancements in the future
▪ Automation of access assignments for the SAP ERP application and SAP Ariba solutions as well as proactive prevention of access violations

Resolution
▪ Implemented SAP Access Violation Management to address the needs for risk analysis, user access management, and managing the access control process
▪ Ability to prioritize controls based on impact to the business and understand the interrelationships

Benefits
▪ Real access risk analysis to accurately identify and remediate SoD and other violations in real time
▪ Improvement in user access management by automating access assignments across the on-premise SAP ERP application and cloud-based SAP Ariba solutions, while preventing access violations with embedded risk analysis
▪ Ability to conduct periodic certification of authorizations, ensure SoD mitigations are effective, and summarize the financial impacts

8–10 week Implementation, which could be completed in parallel with other activities and allowed Citrix to standardize, automate, and scale
41% Time savings for proactive risk management and mitigation of SoD violations
Quantified Financial exposure and savings to better understand the potential financial impact of actual access violations
Improved Governance as well as automated provisioning and analysis of access risk

“Citrix leveraged SAP Access Violation Management to simplify security processes, automate and improve workflow, and
prioritize controls based on business impact. Implementing this solution has allowed us to provision and analyze
transactions and user activities across SAP and non-SAP business applications to detect and prevent risks and meet our
service-level objectives.”
Danielle Bass, Global Accounting Systems Director, Citrix Systems Inc.

Jabil Circuit: Monitoring Users with 95% Less Data Review
with SAP Access Violation Management by Greenlight

Company
Jabil Circuit Inc.

Headquarters
St. Petersburg, Florida

Industry
Professional services – manufacturing

Products and Services
Electronics manufacturing services

Employees
161,000

Revenue
US$18 billion (2016)

Web Site
www.jabil.com

Objectives
▪ Monitor segregation-of-duty (SoD) compliance continuously without manual intervention
▪ Introduce 100% transactional monitoring for configured controls
▪ Identify the number of users with access authorization bearing high SoD risk

Why SAP
▪ The SAP Access Violation Management application by Greenlight for support to identify and remediate SoD violations in real time
▪ Certified integration with other SAP software for support of all future enhancements
▪ Support for SAP Access Violation Management that is consistent with support provided for other SAP solutions

Resolution
▪ Implemented risk analysis, user access management, and access control process management
▪ Prioritized controls based on impact to the business
▪ Implemented rapidly, helping Jabil manage SoD assignments proactively
▪ Not all controls can be implemented into SAP Access Violation Management

Benefits
▪ Moved from quarterly to continuous monitoring of user access risks
▪ Reduced dramatically the volume of data reviewed by looking at exceptions instead of the entire population of more than 15,000 users
▪ Included a newly acquired company in the automated control process
▪ Provided the external auditor with user access audit reports from SAP Access Violation Management

50% Reduction in SoD risk
6-month Implementation
More Frequent reporting
Improved Efficiency

“By focusing on actual SoD events rather than possible SoD events, we reduced the amount of data
we have to review by 95%. With more than 15,000 users in our monitoring scope, SAP Access
Violation Management has significantly increased our efficiency.”
Roberto Bayon, Senior Director of Finance, Jabil Circuit Inc.

SAP Single Sign-On
Secure authentication, single sign-on and more

Access governance

Landscape Security
Enable secure communication with certificate lifecycle management and encryption

Productivity
Enable end users to focus on business tasks instead of manual authentication

Simplicity
Quickly implement a foundation for secure access and extend it over time

Secure Authentication
Reduce exposure to cyber attacks by mitigating the risks of insecure passwords

SAP Single Sign-On
Secure authentication, single sign-on and more

Productivity

▪ Enhance the end-user experience by replacing multiple manual authentication
dialogs with just one
▪ Allow users to access all connected systems based on authentication with one
strong password, no need to remember a long list of passwords
▪ Optionally integrate with Microsoft Windows desktop authentication so that
employees authenticated in Windows do not have to enter any additional
password
▪ Reduce costs for password resets and helpdesk interaction

SAP Single Sign-On
Secure authentication, single sign-on and more

Secure Authentication

▪ Optionally enable two-factor-authentication based on Time-based One-Time-Passwords,
RADIUS-enabled solutions, SMS, or email
▪ Balance security with usability by using risk-based authentication to decide on
need for second factor at runtime
▪ Support SAP desktop clients and browsers
▪ Re-use existing infrastructure such as Microsoft Active Directory, hardware
security tokens or smart cards
▪ Utilize a secure central storage of credentials to minimize the risk of passwords
leaking from local systems
▪ Replace multiple less-secure passwords with one secure password and prevent
passwords ending up on post-it-notes
SAP Single Sign-On
Secure authentication, single sign-on and more

Simplicity

▪ Easy installation without software changes on the business application servers
▪ Wizard-based, guided configuration on AS ABAP, eliminating most common
configuration mistakes
▪ No more need to provision, protect, and reset passwords across many systems
▪ Easy, centralized management of password policies that cover the whole
landscape
▪ Optional re-use of an existing corporate Public Key Infrastructure
▪ Supporting industry-standard single sign-on technologies Kerberos/SPNEGO,
X.509 certificates and SAML 2.0

SAP Single Sign-On
Secure authentication, single sign-on and more

Landscape Security

▪ Automated lifecycle management for certificates, reducing the TCO of running a
secure system landscape
▪ Secure Network Communication protocol for SAP desktop clients ensures
encryption of critical business data during transport
▪ Efficient user authentication in warehouse and assembly line scenarios through
user identification based on RFID tokens
▪ Support for Windows and MacOS desktops
▪ Option to integrate Hardware Security Modules for secure key storage
▪ FIPS 140-2 certified cryptographic functions

SAP Single Sign-On
Secure authentication, single sign-on and more

Productivity
▪ Enhance user experience by replacing multiple manual authentication dialogs with just one
▪ Allow users to access all connected systems based on authentication with one strong password
▪ Optionally integrate with Microsoft Windows desktop authentication
▪ Reduce costs for password resets and helpdesk interaction

Secure Authentication
▪ Optionally enable two-factor-authentication
▪ Balance security with usability by using risk-based authentication
▪ Support SAP desktop clients and browsers
▪ Re-use existing infrastructure such as Microsoft Active Directory, hardware security tokens or smart cards
▪ Enable a secure central storage of credentials

Simplicity
▪ Easy installation without software changes on the business application servers
▪ Wizard-based, guided configuration on AS ABAP
▪ No more need to provision, protect, and reset passwords across many systems
▪ Supporting industry-standard single sign-on technologies Kerberos/SPNEGO, X.509 certificates and SAML 2.0

Landscape Security
▪ Automated lifecycle management for certificates
▪ Secure Network Communication protocol encryption of critical business data during transport
▪ Support for Windows and MacOS desktops
▪ Option to integrate Hardware Security Modules for secure key storage
▪ FIPS 140-2 certified cryptographic functions

SAP Cloud Platform Identity Authentication Service
Single sign-on for cloud- and hybrid-scenarios

Access Governance

Simplify
Provide optimal user experience and easy to consume self services

Integrate
Seamlessly integrate with existing infrastructure and applications

Protect
Reduce exposure to cyber attacks with flexible configuration for strength of authentication

SAP Cloud Platform Identity Authentication Service
Single sign-on for cloud- and hybrid-scenarios

Integrate

▪ Seamlessly integrate into existing user stores
▪ Interoperate with applications supporting the SAML or OpenID Connect standard
▪ Identity federation with corporate identity providers
▪ Conditional authentication flow to allow different authenticating authorities based
on email domain, user type or group membership
▪ Users authenticated with Microsoft Active Directory enjoy single sign-on to cloud
applications without re-authentication

SAP Cloud Platform Identity Authentication Service
Single sign-on for cloud- and hybrid-scenarios

Simplify

▪ One login to access numerous Cloud applications
▪ Single sign-on across SAP- and non-SAP applications
▪ Convenient user self services reduce TCO for administrative tasks
▪ User profile to edit user details, change password, activation of mobile devices
(for 2FA) and to ensure right of information for user’s personal data
▪ Responsive UIs and multi-language support

SAP Cloud Platform Identity Authentication Service
Single sign-on for cloud- and hybrid-scenarios

Protect

▪ Various authentication options from username/password, Kerberos/SPNEGO to
delegated login via social or corporate IdP
▪ Configurable password policies
▪ Two-factor authentication
▪ Risk-based authentication for flexible adjustment of strength of authentication
▪ User group assignment as an option for access control

SAP Cloud Platform Identity Authentication Service
Single sign-on for cloud- and hybrid-scenarios

Integrate
▪ Seamlessly integrate into existing user stores
▪ Interoperate with applications supporting the SAML or OpenID Connect standard
▪ Identity federation with corporate identity providers
▪ Conditional authentication flow to allow different authenticating authorities based on email domain, user type or group membership
▪ Users authenticated with Microsoft Active Directory enjoy single sign-on to cloud applications without re-authentication

Simplify
▪ One login to access numerous Cloud applications
▪ Single sign-on across SAP- and non-SAP applications
▪ Convenient user self services reduce TCO for administrative tasks
▪ User profile to edit user details, change password, activation of mobile devices (for 2FA) and to ensure right of information for user’s personal data
▪ Responsive UIs and multi-language support

Protect
▪ Various authentication options from username/password, Kerberos/SPNEGO to delegated login via social or corporate IdP
▪ Configurable password policies
▪ Two-factor authentication
▪ Risk-based authentication for flexible adjustment of strength of authentication
▪ User group assignment as an option for access control

SAP Cloud Platform Identity Provisioning Service
Identity Lifecycle Management for SAP’s cloud applications

Access governance

Protect
Prevent risks due to excessive access rights and segregation-of-duties violations

Integrate
Quickly adopt new business processes across multiple applications

SAP Cloud Platform Identity Provisioning Service
Identity Lifecycle Management for SAP’s cloud applications

Integrate

Establish seamless access across applications within business processes
▪ Manage identities in SAP’s cloud applications
▪ Support industry standards such as SCIM to open up the identity lifecycle for 3rd party business- and IAM solutions
▪ Integrate with SAP Identity Management for a hybrid identity lifecycle across cloud and on-premise applications

Access governance

SAP Cloud Platform Identity Provisioning Service
Identity Lifecycle Management for SAP’s cloud applications

Protect

Ensure every person has exactly the right level of access required to fulfill her tasks, at any point in time
▪ Onboard new employees quickly and enable them to access all relevant applications
▪ Update the level of access of any person over time to ensure it does not exceed the requirements of the job
▪ Prevent mistakes and lack of transparency that come with a manual process

Access governance

SAP Cloud Platform Identity Provisioning Service
Identity Lifecycle Management for SAP’s cloud applications

Integrate
▪ Manage identities in SAP’s cloud applications
▪ Support industry standards such as SCIM to open up the identity lifecycle for 3rd party business- and IAM solutions
▪ Integrate with SAP Identity Management for a hybrid identity lifecycle across cloud and on-premise applications

Protect
▪ Various authentication options from username/password, Kerberos/SPNEGO to delegated login via social or corporate IdP
▪ Configurable password policies
▪ Two-factor authentication
▪ Risk-based authentication for flexible adjustment of strength of authentication
▪ User group assignment as an option for access control

SAP Identity Management
Covering the entire identity lifecycle, business-driven and compliant

Access governance

Resignation / Termination
How long does it take to remove ALL permissions of an employee and how can you ensure that they were properly removed?

Hiring
How long does it take for new employees to receive all permissions and become productive in their new job?

Promotion / New Position
Are permissions automatically adjusted if someone is promoted to a new position?

Substitution
Who has adequate permissions to fill in for a co-worker?

SAP Identity Management
Covering the entire identity lifecycle, business-driven and compliant

Hiring

▪ From the first day in a new company, an employee is able to log on to all
relevant systems, including access to employee self-services, SAP systems, as
well as a personalized email account
▪ Several phases can happen in a custom-defined sequence:
  ﹣ After the HR agent ensures that all necessary employee data is available, such as position and
    entry date, the personal data will be extracted to SAP Identity Management, event based and
    triggered by the entry date
  ﹣ SAP Identity Management automatically provisions the user data and assignments of business
    roles to all relevant connected systems based on the employee's position noted in HCM
  ﹣ Manager approval is optional and workflow driven
  ﹣ On the first day of work, the provisioning of role and authorization information to relevant target
    systems has been done and the new employee can start to work
▪ Identities are stored centrally throughout the system landscape

SAP Identity Management
Covering the entire identity lifecycle, business-driven and compliant

Substitution

▪ Responsibilities have to be taken over from co-workers for certain periods
▪ SAP Identity Management adds and removes access rights for a
pre-defined validation period
▪ Access re-certification can be defined
▪ Extensive reporting capabilities ensure the auditability of user access across the
whole landscape
▪ Basic reporting is done by SAP Identity Management based on log data
▪ Extended reporting with SAP Business Warehouse allows for advanced
filtering and sorting
▪ SAP Lumira allows for customer specific reports and analysis with rich
graphical capabilities

SAP Identity Management
Covering the entire identity lifecycle, business-driven and compliant

Promotion / New Position

▪ After a promotion, employees usually take over new responsibilities


▪ Automatic processes in SAP Identity Management can trigger several actions:
▪ On the first day in a new role, the employee needs to have access to
additional self-services or new applications and processes
▪ New user IDs or new access assignments are required and will be
created in connected systems
▪ Workflow based approval mechanisms allow control by management

SAP Identity Management
Covering the entire identity lifecycle, business-driven and compliant

Resignation / Termination

▪ When employees leave the company it is important to make sure that all access
is removed for the particular employee immediately
▪ User IDs will be blocked, locked or deleted in all connected systems based on
the event trigger from HCM and with this the user account is disabled
▪ Flexible workflow definitions can ensure that the user name is also
removed from address directories
▪ Auditing is still possible because user IDs will not be removed from logs

SAP Identity Management
Covering the entire identity lifecycle, business-driven and compliant

Hiring
▪ First-day access to all relevant systems, including access to personalized email
▪ Custom-defined sequences including HR event-based triggers
▪ Automatic provisioning of user data and assignments including approval workflows
▪ Identities stored centrally throughout the system landscape

Substitution
▪ Addition or removal of access rights for pre-defined validation periods (substitution periods)
▪ Access re-certification can be defined
▪ Extensive reporting capabilities ensure the auditability of user access across the whole landscape
▪ Extended reporting with SAP Business Warehouse and SAP Lumira

Promotion / New Position
▪ Position-based triggers for new or additional positions
▪ New user IDs or new access assignments are generated in connected systems
▪ Workflow based approval mechanisms allow for control by management

Resignation / Termination
▪ HR triggers based on resignation or termination result in access being removed
▪ User IDs are blocked, locked or deleted in all connected systems with the user account disabled
▪ Flexible workflow definitions can ensure that the user name is also removed from address directories
▪ Auditing is still possible because user IDs will not be removed from logs

Cybersecurity and data protection

▪ Manage cyber risk and align with information security standards
▪ Identify cyber attacks at the application layer with real-time pattern detection
▪ Secure files and data using transportable policies and encryption
▪ Enable sensitive data masking and logging
▪ Identify vulnerabilities in code and RFC connections

Diagram labels: Users and Authorizations; Secure Configuration; Custom Code Security; Business Applications; Security Audit Log; Threat Detection; Secure Maintenance of SAP Code; Data Security

SAP Enterprise Threat Detection
Effectively identify and analyze threats

Integrate
Integration of SAP and non-SAP log data

Analyze
Efficiently enrich, analyze, and correlate logs

Investigate
Forensic analysis and modeling of existing and new attack detection patterns and dashboards

Evaluate
Automatically evaluate attack detection patterns with real-time alerting

Cybersecurity and data protection

SAP Enterprise Threat Detection
Effectively identify and analyze threats

Analyze

▪ Select the logs to be analyzed


▪ Normalize log data
▪ Generate log database
▪ User Pseudonymization out of the box plus user resolution with
special authorization in case of evidence of an attack or misuse
▪ Dashboards for analyzing the system landscape and distribution
of security notes from SAP

SAP Enterprise Threat Detection
Effectively identify and analyze threats

Evaluate

▪ Real time alerting


▪ Delivers predefined patterns for ETD, charts and monitoring pages as content
for an SAP system, automatic integration of SAP logs
▪ Includes patterns for the DSAG ERP Auditing Guide
▪ ETD Anomaly Pattern – created in the Anomaly Detection Lab
▪ Out of the box ETD Security Notes Pattern provides input to the System Status
Monitor
▪ See systems missing critical patches and risk ratings of vulnerabilities
▪ Find out if attempts are made to exploit the vulnerabilities

▪ Evaluate paths and develop new patterns for analysis in the Forensic Lab

SAP Enterprise Threat Detection
Effectively identify and analyze threats

Investigate

▪ Dashboard in Forensic Lab with drill down capabilities through charts, graphs
▪ Apply filters to the normalized log data that exists in the SAP HANA database
▪ Visualize the filtered data in a path to look for standout values
▪ Generate new attack detection patterns from forensic investigations in paths
▪ Compliance
▪ Authorization Concept
▪ Audit Logging
▪ Saving Evidence for Attacks
▪ Log Management
▪ User Pseudonymization

SAP Enterprise Threat Detection
Effectively identify and analyze threats

Integrate

▪ Leverage the high-performance and complex analysis capabilities of the SAP
HANA platform and in-memory database, which allow fast correlation of all log
data
▪ Propagate alerts to SIEM and trigger events to any kind of receiver system
▪ Pushing via Email
▪ Pushing as JSON
▪ Pulling as JSON / LEEF
▪ Log Learning
▪ Analysis on semantic level
▪ Common procedures/tools to analyze and correlate all log data
▪ Non-SAP log recognition and conversion
SAP Enterprise Threat Detection
Effectively identify and analyze threats

Analyze
▪ Select the logs to be analyzed
▪ Normalize Log Data
▪ Generate Log Database

Evaluate
▪ ETD Pattern – developed in the forensic lab
▪ ETD Anomaly Pattern – created in the Anomaly Detection Lab
▪ ETD Security Notes Pattern – programmed by SAP to provide input to the System Status Monitor

Investigate
▪ A series of filters is referred to as a path
▪ Visualize the filtered data to look for standout values
▪ Generate attack detection patterns from paths

Integrate
▪ SIEM Partners
▪ Log Learning

SAP Data Privacy Governance
Data protection and privacy (DPP) governance for the extended enterprise

Manage policies
Create, disseminate, and acknowledge DPP policies

Survey and track
Gather and report records of processing activities (ROPA)

Assess business impact
Perform data privacy (DPIA) and cybersecurity* business impact analysis

Manage risks and controls*
Identify and audit related risks and mitigating controls

Monitor and report*
Report status and details via a unified cockpit

Cybersecurity and data protection
*Planned, see current roadmap
SAP Data Privacy Governance
Data protection and privacy governance for the extended enterprise

Manage policies

▪ Create and disseminate policies related to data protection, privacy,
and security
▪ Gather policy acknowledgements by those subject to them
▪ Gather training attendance status as further evidence that appropriate
policies are understood*

*Planned, see current roadmap
SAP Data Privacy Governance
Data protection and privacy governance for the extended enterprise

Survey and track

▪ Create records of processing activities (ROPA) surveys, optionally
leveraging existing templates
▪ Publish surveys to gather ROPA information
▪ Use survey results to populate a repository to report ROPA information and
determine whether a data protection impact assessment (DPIA) is required
▪ Create ROPA entries based on data analysis of SAP S/4HANA Cloud and
third-party systems*

*Planned, see current roadmap
SAP Data Privacy Governance
Data protection and privacy governance for the extended enterprise

Assess business impact

Data protection impact assessment


▪ Assess criticality of DPP-relevant processes with data privacy impact
assessments

Cybersecurity business impact analysis


▪ Deploy survey-based IT security threat modeling and issue mitigation for
appropriate defense strategies*

*Planned, see current roadmap
SAP Data Privacy Governance
Data protection and privacy governance for the extended enterprise

Manage risks and controls

▪ Enable a risk framework to assess and monitor risks associated with
DPP-relevant processes*
▪ Document manual and automated controls related to DPP
requirements and risks*
▪ Detect compliance breaches via operational DPP checks (automated
controls)*
▪ Support DPP-related audit process*

*Planned, see current roadmap
SAP Data Privacy Governance
Data protection and privacy governance for the extended enterprise

Monitor and report

Monitoring
▪ Provide insights into status and information for regulatory reporting
▪ Create a cockpit for a single point of entry for DPP tasks such as
connectivity to SAP Information Lifecycle Management*
▪ Integrate with SAP Identity Management for DPP access risks, risk
assessments, and access optimization*

*Planned, see current roadmap
SAP Data Privacy Governance
Data protection and privacy governance for the extended enterprise

Manage policies
▪ Create and disseminate policies related to data protection, privacy, and security
▪ Gather policy acknowledgements by those subject to them
▪ Gather training attendance status as further evidence that appropriate policies are understood*

Survey and track
▪ Create records of processing activities surveys, optionally leveraging existing templates
▪ Publish surveys to gather ROPA information
▪ Use survey results to populate a repository to report ROPA information and determine whether a data protection impact assessment is required
▪ Create ROPA entries based on data analysis of SAP S/4HANA Cloud and third-party systems*

Assess business impact
▪ Assess criticality of DPP-relevant processes with data privacy impact assessments
▪ Deploy survey-based IT security threat modeling and issue mitigation for appropriate defense strategies*

Manage risk and controls
▪ Enable a risk framework to assess and monitor risks associated with DPP-relevant processes*
▪ Document manual and automated controls related to DPP requirements and risks*
▪ Detect compliance breaches via operational DPP checks (automated controls)*
▪ Support DPP-related audit process*

Monitor and report
▪ Provide insights into status and information for regulatory reporting
▪ Create a cockpit for a single point of entry for DPP tasks such as connectivity to SAP Information Lifecycle Management*
▪ Integrate with SAP Identity Management for DPP access risks, risk assessments, and access optimization*
*Planned, see current roadmap
SAP Data Custodian
Public-cloud data transparency and control

Data transparency
Monitor and report on data access, storage, movement, processing, and location in the public cloud

Data control
Create and enforce public-cloud data access, location, movement, and processing policies

Public-cloud data protection

SAP Data Custodian
Data transparency – where, how, and who

Data transparency

Transparency of the SAP Data Custodian solution helps customers answer the following key questions:
▪ Where is my data stored?
▪ How has the data been moved and processed?
▪ Who is accessing my data and from which location?

Public-cloud data protection

SAP Data Custodian
Data control − governance, enforcement, prevention, and compliance

Data control

Data control functionality of SAP Data Custodian helps customers achieve:
▪ Governance – configure public-cloud data location, movement, processing, and access policies
▪ Enforcement – enforce geolocation controls for data access, storage, processing, and movement
▪ Prevention – prevent unlawful transfer of business data
▪ Compliance – help comply with global data protection regulations

Public-cloud data protection

SAP Enterprise Digital Rights Management application by NextLabs
Data-centric security for the extended enterprise

Data classification
Automate the discovery and classification of structured and unstructured data

Policy-based control
Create and manage policies to control access to files and data

Automated enforcement
Apply policies to secure any file for sharing across devices, e-mail, and other collaboration technologies

Monitoring and reporting
Monitor and report data access and usage, including enforcement decisions

Cybersecurity and data protection

SAP Enterprise Digital Rights Management
Automate discovery and data classification

Data classification

▪ Automates discovery, data classification, and protection, supporting both
policy-driven and ad hoc data encryption
▪ Provides comprehensive classification model for data objects from desktop
office files to engineering CAD files
▪ Integrates data classification into your core line-of-business and enterprise
content-sharing applications

SAP Enterprise Digital Rights Management
Establish policy-based controls for information and data

Policy-based control

▪ Create persistent, attribute-based policies using simple business language


▪ Define runtime policy messages and corrective workflow
▪ Integrate with existing federated identity management, HR, and directory
systems
▪ Incorporate real-time segregation of duties checks with integration to SAP
Access Control risk analysis

SAP Enterprise Digital Rights Management
Prevent IP theft, maintain compliance, and avoid security violations

Automated enforcement

▪ Dynamic application of security policies through the evaluation of
a range of attributes to determine enforcement actions
▪ Automatic control and protection of high-value data downloaded
from business applications
▪ Use of encryption – as well as online and offline checks – to
prevent unauthorized users from accessing specific files,
documents, and information

SAP Enterprise Digital Rights Management
Monitor data and application activity and streamline business processes

Reporting and monitoring

▪ Internal and external monitoring of data access and usage


▪ Centralized reporting to support compliance and audit, or to detect
patterns and anomalies
▪ Establishment of alerts (usage, sharing, attempts) with integrated
incident investigation

SAP Enterprise Digital Rights Management
Key features for end-to-end digital rights management

Data classification
▪ Automates discovery, data classification, and protection, supporting both policy-driven and ad hoc data encryption
▪ Offers comprehensive classification model for data objects from desktop office files to engineering CAD files
▪ Integrates data classification into your core line-of-business and enterprise content-sharing applications

Policy-based control
▪ Create persistent, attribute-based policies using simple business language
▪ Define runtime policy messages and corrective workflow
▪ Integrate with existing federated identity management, HR, and directory systems
▪ Incorporate real-time segregation of duties checks with integration to SAP Access Control risk analysis

Automated enforcement
▪ Dynamic application of security policies through the evaluation of a range of attributes to determine enforcement actions
▪ Automatic control and protection of high-value data downloaded from business applications
▪ Use of encryption – as well as online and offline checks – to prevent unauthorized users from accessing specific files, documents, and information

Reporting and monitoring
▪ Internal and external monitoring of data access and usage
▪ Centralized reporting to support compliance and audit, or to detect patterns and anomalies
▪ Establishment of alerts (usage, sharing, attempts) with integrated incident investigation

UI Logging for SAP
Data access transparency and analysis

Log Data Access
Coherent log of users’ input and system output on the UI level, enriched with meta information for analysis

Gain Insight
Understand how and which data are accessed, and set up alerts in case of access to critical or sensitive data

Investigate
Receive alerts to specific, questionable activities, and deep-dive into the log file to identify and prove improper data access

Report
Draw on comprehensive access data to report internally and externally

Integrate
Integration with UI Masking for SAP for better data protection, and with SAP Enterprise Threat Detection for advanced and automated analysis of access

Cybersecurity and data protection
UI Logging for SAP: Logging of data access

Log Data Access

Generate a coherent and deep protocol for who gained access
to which data and in which manner
▪ Create coherent data access protocol for most relevant SAP
UIs
▪ Leverage protocols for user input and system output
▪ Enrich with meta information for better analysis and
investigation

UI Logging for SAP: Leverage the log to learn on normal data usage

Gain Insight

Leverage the log data to learn and distinguish between typical
and non-typical data access
▪ Analyze the log file to understand the data access baseline
(which types of users typically access which data types) and
outliers or unexpected access
▪ Analyze the log file to refine the authorization setup (scope,
users, which data to keep)

UI Logging for SAP: Investigate specific users and their access to data

Investigate

Generate triggers based on questionable data access,
and conduct a deep-dive investigation
▪ Receive alerts in case of access to predefined
sensitive data
▪ Apply filters to identify dubious data access
▪ Track down perpetrators and sort out innocent users

UI Logging for SAP: Leverage the log for reporting and documentation purposes

Report

Draw on comprehensive access data to report and
document data usage
▪ Draw on comprehensive access data to report
internally and externally

UI Logging for SAP: Leverage integrated solutions for additional capabilities

Integrate

Integration with other SAP solutions


▪ Integrate with UI Masking solutions for SAP
▪ Data handover to and specific patterns in SAP Enterprise
Threat Detection for advanced and automated analysis of
access
▪ Integrate the log file with SIEM systems

UI Logging for SAP
Key features for data access transparency and analysis

Log data access
▪ Create coherent data access protocol for most relevant SAP UIs
▪ Protocols user input and system output
▪ Enriched with meta information for better analysis and investigation

Gain insight
▪ Analyze the log file to understand the data access baseline (which types of users typically access which data types) and outliers or unexpected access
▪ Analyze the log file to refine the authorization setup (scope, users, which data to keep)

Investigate
▪ Receive alerts in case of access to predefined sensitive data
▪ Apply filters to identify dubious data access
▪ Track down perpetrators and sort out innocent users

Report
▪ Draw on comprehensive access data to report internally and externally

Integrate
▪ Integrated with the UI Masking for SAP offering
▪ Data handover to and specific patterns in SAP Enterprise Threat Detection for advanced and automated analysis of access
▪ Integrate the log file with SIEM systems

UI Masking for SAP
Protect sensitive information in the user interface layer

Secure access
Determine sensitive UI fields and apply protective actions in runtime based on users’ authorizations

Automate authorizations
Determine users’ special authorization in runtime, based on static roles or dynamic attribute-role settings

Gain insights
Understand who tries and succeeds to access sensitive data, and whether to refine solution setup

Integrate
Leverage UI Logging for SAP and SAP Enterprise Threat Detection to identify potential data abuse

Cybersecurity and data protection

UI Masking for SAP: Determine which values to protect, and how

Secure access

Build on the existing authorization setup, refining access determination to the UI
field level
▪ Runtime determination of sensitive information on UI field level
▪ Configurable protective actions: mask value, reset field, switch field to display
mode, hide field; suppress lines in table displays, etc.
▪ Configurable two-step action for access to clear data (“reveal on demand”)

UI Masking for SAP: Refine the existing authorization setup

Automate authorizations

Add a dynamic attribute-rule based access determination option to your existing
authorization setup
▪ Runtime determination of additional authorization to access clear/unmasked
information
▪ Static options: Authorization determined based on PFCG roles (integrate with
existing roles and authorizations; or set up a new/separate layer only for
controlling UI Masking)
▪ Dynamic option: authorization based on rules and attributes (user, data object,
other variables)

UI Masking for SAP: Analyze users’ authorizations

Gain insight

Leverage the solution to understand users’ authorizations to access data


▪ Understand from Access Trace who can see which types of fields protected or in
clear
▪ Understand from Access Trace who revealed which data, and on how many
occasions
▪ Refine authorizations

UI Masking for SAP: Leverage related solutions for additional capabilities

Integrate

Integration with other SAP solutions


▪ Functionally integrated with UI Logging solutions for SAP
▪ Integrated with SAP Enterprise Threat Detection (reveal on-demand information)

UI Masking for SAP
Key features for defining and protecting sensitive information, and controlling who has access

Secure access
▪ Runtime determination of sensitive information on UI field level
▪ Configurable protective actions: mask value, reset field, switch field to display mode, hide field; suppress lines in table displays, etc.
▪ Configurable two-step action for access to clear data (“reveal on demand”)

Automate authorizations
▪ Runtime determination of additional authorization to access clear/unmasked information
▪ Static options: Authorization determined based on PFCG roles (existing or new)
▪ Dynamic option: authorization based on rules and attributes (user, data object, other variables)

Gain insights
▪ Understand from Access Trace who can see which fields
▪ Understand from Access Trace who revealed which data
▪ Refine authorizations

Integrate
▪ Functionally integrated with UI Logging solutions for SAP
▪ Integrated with ETD (Reveal on Demand information)

SAP NetWeaver AS, add-on for code vulnerability analysis
Identify and remedy security vulnerabilities in ABAP custom code

Analyze
Analyze security vulnerabilities

Evaluate
Evaluate security vulnerabilities

Remedy
Remedy security vulnerabilities

Integrate
Integrate with other elements of the SAP landscape as well as non-SAP solutions

Code Vulnerability Analyzer

SAP NetWeaver AS, add-on for code vulnerability analysis
Identify and remedy security vulnerabilities in ABAP custom code

Analyze

▪ Execute static, automated checks on ABAP custom code


▪ Visualize security findings in Solution Manager
▪ Visualize security findings in SAP Fortify by Micro Focus

SAP NetWeaver AS, add-on for code vulnerability analysis
Identify and remedy security vulnerabilities in ABAP custom code

Evaluate

▪ Review default priorities of findings


▪ Redefine priorities of individual findings
▪ Hide older findings using baseline
▪ Create Word and Excel documents listing findings
▪ Analyze findings using Solution Manager and SAP Fortify by Micro Focus

SAP NetWeaver AS, add-on for code vulnerability analysis
Identify and remedy security vulnerabilities in ABAP custom code

Remedy

▪ Read documentation explaining why findings constitute vulnerabilities


▪ Correct source coding based on findings
▪ Execute additional CVA runs to ensure findings are all fixed

SAP NetWeaver AS, add-on for code vulnerability analysis
Identify and remedy security vulnerabilities in ABAP custom code

Integrate

▪ Use either SAP GUI or Eclipse to execute CVA runs


▪ Take advantage of CVA’s integration with ATC (ABAP Test Cockpit) as SAP’s
testing environment
▪ Extract findings to analyze them in Solution Manager
▪ Extract findings to analyze them in SAP Fortify by Micro Focus along with
findings for non-ABAP coding (discovered using Fortify)

SAP NetWeaver AS, add-on for code vulnerability analysis
Identify and remedy security vulnerabilities in ABAP custom code

Analyze
▪ Execute static, automated checks on ABAP custom code
▪ Visualize security findings in Solution Manager
▪ Visualize security findings in SAP Fortify by Micro Focus

Evaluate
▪ Review default priorities of findings
▪ Redefine priorities of individual findings
▪ Hide older findings using baseline
▪ Create Word and Excel documents listing findings
▪ Analyze findings using Solution Manager and SAP Fortify by Micro Focus

Remedy
▪ Read documentation explaining why findings constitute vulnerabilities
▪ Correct source coding based on findings
▪ Execute additional CVA runs to ensure findings are all fixed

Integrate
▪ Use either SAP GUI or Eclipse to execute CVA runs
▪ Take advantage of CVA’s integration with ATC (ABAP Test Cockpit) as SAP’s testing environment
▪ Extract findings to analyze them in Solution Manager
▪ Extract findings to analyze them in SAP Fortify by Micro Focus

International Trade Management
Elevate global trade in the organization

▪ Automate trade processes for imports and exports and screen third parties for improved compliance and efficiency
▪ Leverage free trade agreements to drive bottom line savings
▪ Manage special customs procedures such as e-filing, bonded warehouses, processing trade in China, foreign trade zones to optimize duty rates
▪ Centralize international trade on a single platform to drive consistency across global operations

Diagram labels: Importer; Broker; Exporter; International trade management; Carriers; Trade Content; Customs / Authorities; Import / Export Management; Screening; Free Trade Agreements; Special Customs Procedures; SAP S/4HANA; SAP ERP; Other Business Applications

SAP Global Trade Services
Run global trade

Restricted-party screening
Ensure proper screening of restricted or denied parties with inline process blocking and release

Export management
Manage export compliance, classification, outbound trade finance, and customs services with direct filing

Import management
Effectively manage import compliance, classification, inbound trade finance, and customs services with direct filing

Trade preference
Leverage any free trade agreement with preference determination and vendor or customer declaration-handling

Special customs procedures
Leverage foreign-trade zones, processing trade in China, bonded warehousing, inward and outward processing relief (IPR/OPR), Intrastat, Excise Movement and Control System (EMCS), and others

International trade management

SAP Global Trade Services
Ensure proper screening of restricted or denied parties

Restricted-party screening

▪ Screen against up-to-date, restricted-party lists


▪ Screen vendors, customers, business partners, contractors, and so on
▪ Screen parties and release transactions in real time
▪ Improve compliance confidence with checks throughout the processing of sales
and purchasing transactions

SAP Global Trade Services
Effectively manage export compliance

Export management

▪ Manage exports, including license-creation and automatic determination


▪ Classify products for export
▪ Create export declarations and documentation
▪ Control export of physical and digital goods and data
▪ Automate trade compliance for technical data
▪ Integrate export across the supply chain

SAP Global Trade Services
Effectively manage import compliance

Import management

▪ Manage import processes, including licenses and automatic license
determination
▪ Classify products for import
▪ Create import declarations and documents
▪ Manage letters of credit
▪ Calculate customs value as well as duties, taxes, and fees
▪ Integrate imports with the inbound supply chain

SAP Global Trade Services
Confidently leverage free trade agreements

Trade preference

▪ Request and manage vendor declarations
▪ Calculate product origin and preference eligibility
▪ Enhance preference processing at a level beyond product ID
▪ Generate declarations for customers
▪ Integrate sales, production, and procurement with preference processes

SAP Global Trade Services
Simplify special customs procedures and regulations

Special customs procedures

▪ Processing under IPR, OPR, and processing under customs control (PUCC)
▪ Utilizing bonded warehouses
▪ Managing foreign-trade zones
▪ China localization general and processing trade
▪ Supporting region-specific processes including EMCS and restitution
▪ Meeting Intrastat requirements
▪ Integration across the supply chain

SAP Global Trade Services
Key features for end-to-end global trade management

Restricted-party screening
▪ Screen against up-to-date, restricted-party lists
▪ Screen vendors, customers, business partners, contractors, and so on
▪ Screen parties and release transactions in real time
▪ Improve compliance confidence with checks throughout the processing of sales
and purchasing transactions

Export management
▪ Manage export, including license-creation and automatic determination
▪ Classify products for export
▪ Create export declarations and documentation
▪ Control export of physical and digital goods and data
▪ Integrate export across the supply chain

Import management
▪ Manage import processes, including licenses and automatic license
determination
▪ Classify products for import
▪ Create import declarations and documents
▪ Manage letters of credit
▪ Calculate customs value as well as duties, taxes, and fees
▪ Integrate imports with the inbound supply chain

Trade preference
▪ Request and manage vendor declarations
▪ Calculate product origin and preference eligibility
▪ Generate declarations for customers
▪ Integrate sales, production, and procurement with preference processes

Special customs procedures
▪ Processing under IPR, OPR, and processing under customs control (PUCC)
▪ Utilizing bonded warehouses
▪ Managing foreign-trade zones
▪ China localization general and processing trade
▪ Supporting region-specific processes including EMCS and restitution
▪ Meeting Intrastat requirements
▪ Integration across the supply chain

Tremco Streamlines Regulatory Trade Compliance

Company: Tremco Incorporated
Headquarters: Beachwood, Ohio
Industry: Construction materials, chemicals
Products and Services: Sealants, adhesive materials, roofing, and construction supplies
Employees: 2,000+
Web Site: www.tremcoinc.com
Partner: Krypt, Inc., www.kryptinc.com

Business challenges
▪ Tremco’s global activities growing, both on sourcing and selling sides
▪ Increased regulations (number and complexity of requirements) and regulatory attention
▪ Heavy dependence on manual processes and institutional knowledge to handle global trade compliance
▪ Extraordinary effort and cost to ensure compliance with numerous trade regulations affecting 10,000 SKUs

Technical implementation
▪ Deployed the SAP Global Trade Services (SAP GTS) application to automate mission-critical global trade and
compliance processes:
  ▪ Preferential and free trade agreement
  ▪ Export/import management
  ▪ Sanctioned parties list/compliance control
▪ Integrated SAP GTS and SAP ERP for real-time compliance checks

Key benefits
▪ Eliminated time-consuming, manual compliance tasks and improved efficiency using automation
▪ Reduced cost and effort of global trade compliance, duties, and taxes
▪ Assured easy access to updated regulatory content for all entities worldwide

$4M
Annual avoidance of duty through NAFTA

50%
Fewer resources required to ensure global trade compliance

90%
Reduced time to respond to certificate of origin requests

“By implementing SAP GTS, we are now in control of the risks that a company undertakes when trading
internationally. We have a newfound confidence level that our trading is being done in a compliant fashion.”
Kevin Riddell, International Logistics Manager, Tremco Inc.

This content is approved by the customer and may not be altered under any circumstances.
Johnsonville Sausage: Bringing Big Taste to Cooking
Enthusiasts Worldwide with SAP Global Trade Services

Company: Johnsonville Sausage LLC
Headquarters: Sheboygan Falls, Wisconsin
Industry: Consumer products
Products and Services: Fresh and smoked-cooked sausage products
Members: 1,600
Web Site: www.johnsonville.com

Objectives
• Support international business growth without increasing full-time staff
• Replace inefficient, manual export processes
• Integrate with freight forwarders and customs-certified systems

Why SAP
Selected the SAP Global Trade Services (SAP GTS) application for functionality and reduced longer-term total
cost of ownership after blueprinting with a competitive cloud-based provider

Resolution
• Simplified landscape with the integration of SAP GTS to the SAP ERP application
• Utilized existing reporting tools from SAP supporting SAP GTS
• Automated forms coming from SAP GTS and SAP ERP including USDA certificates and Shipper’s Letter of
Instruction
• Used flexible and easy-to-maintain Adobe forms available with SAP GTS
• Minimized reconciliation and data validation activities with trusted data and automated information flows

Future plans
• Expand solution usage to include import functionality, sanctioned-party screening, and export self-filing with
U.S. Customs
• Deploy SAP GTS with the SAP S/4HANA suite

Reduced
Tactical, daily work for trade compliance professionals

Lower
Total cost of ownership, utilizing internal resources

Fewer
Supply chain disruptions due to automation of trade activities

“When evaluating global trade solutions, consider all costs, as some costs are buried in integration
requirements and are affected greatly with an increase in volume and document counts, as well as
change fees. With SAP GTS, we did not have these additional costs.”
Jason Beyersdorf, IT Business Partner, Johnsonville Sausage LLC

This content is approved by the customer and may not be altered under any circumstances.
Lenovo Manages Cross-Border Trade
with SAP Global Trade Services
Company or Organization: Lenovo Group Limited
Industry: High Tech
Products and Services: Personal computers and mobile internet devices
Employees: 27,039
Revenue: US$21 billion
Web Site: www.lenovo.com

The company’s top objectives
▪ Manage global trade business following international business expansion
▪ Reduce risk by meeting regulatory requirements
▪ Replace costly legacy systems

The resolution
▪ Implemented the SAP Global Trade Services application integrated with the SAP ERP
application and replaced an expensive legacy system
▪ Streamlined import and export processes by integrating with brokerage services
▪ Completed initial implementation in 12 months and subsequent rollouts in 6 to 8
months

The key benefits
▪ Improvement of trade management business process efficiency with standardized
procedures in over 40 countries and 26 distribution centers
▪ Streamlined management of rapid increase in business volume
▪ Reduced leasing costs of legacy systems

2,000%
Increase in transaction volume

15
Leased legacy systems replaced.

$ 12 million
Leasing costs saved annually

“Following our global expansion, SAP Global Trade Services has helped Lenovo to manage
our cross-border trade effectively, mitigate compliance risks, and reduce operational costs.”
Xiaoyu Liu, GM of Global Application Development, CIO/BT Organization, VP Lenovo Group Limited

SAP S/4HANA for international trade
Run global trade in SAP S/4HANA

Embargo
Block transactions related to embargoed countries

Intrastat
Support for European requirements around order-to-cash and
procure-to-pay processes

Classification
Classification of materials to support export control and Intrastat

Legal Control
Create, manage, and assign export licenses

SAP GTS and SAP Watch List Integration
Enable broader global trade management requirements in an SAP
S/4HANA software environment

International trade management

SAP Watch List Screening
Avoid risk and improve screening compliance

Integration and extensibility
Pre-built integration with SAP S/4HANA and published APIs to
extend to other systems

Restricted-party screening
Use a SaaS model that simplifies screening, provides instant
access to up-to-date watch lists, streamlines uploads – and
accelerates time to value

International trade management

SAP Watch List Screening
Avoid risk and improve screening compliance

Restricted-party screening

▪ Real-time compliance checks for order-to-cash and
procure-to-pay processes
▪ Automated screening of restricted or denied parties with
inline process blocking and release
▪ Ad-hoc screening for extended use cases

International trade management

SAP Watch List Screening
Avoid risk and improve screening compliance

Integration and extensibility

▪ Deployed in the cloud and is available as software as a
service (SaaS), so you can access your software from any
Web browser
▪ Pre-built integration with SAP S/4HANA
▪ Published APIs to extend to other systems

International trade management

