Governance Risk And Compliance


SAP GRC – Governance, Risk and Compliance

Agenda
- EY’s Global Governance, Risk and Compliance Survey 2015
- Governance, Risk and Compliance Challenges
- SAP GRC Solutions
- An example

EY’s Global Governance, Risk and Compliance Survey 2015

Looking at Risk Differently
We believe that regardless of how they are organized, it is beneficial to consider risks in the context of your business and how best to respond to those risks.
In this year’s survey, we asked 1,196 participants, around the globe and across sectors, how well they are managing risk and what they need to do to better manage the risks that drive performance.
In this year’s survey, we found that organizations are making progress in improving the way they manage risk in response to a changing risk landscape. However, organizations also indicated that there is still further room for improvement and opportunities to be seized, and this requires businesses to change the way they work and how they capitalize on it.
Organizations have primarily focused on risks that can be managed through the implementation of controls. However, leading organizations are now focusing more of their time and efforts on managing the risks that impact value creation.
Our global GRC survey tells us that organizations are looking for a more comprehensive, coordinated and innovative approach. But this requires “building a risk-aware organization.”

What Our Clients Are Telling Us
In the 2015 GRC survey, the topics of risk strategy, coordination, internal audit and technology were examined to gain a better understanding of how well organizations are managing risk. While organizations demonstrated they are making progress, they indicated that further opportunities exist to improve the way that they identify, manage and respond to risk.

Survey findings
- Top five risks: 3. Regulatory; 4. Cybersecurity; 5. Reputational
- Bottom five risks: al disaster; 3. Data privacy; 4. R&D; 5. Merger & acq
- Links to the business: 97% made progress in linking their risk management objectives and business objectives, but only 16% of the 97% consider them to be closely linked today.
- Risk involvement: 66% of organizations indicated that risk management has limited involvement, but 90% expect to be directly involved or providing inputs within the next three years.
- Coordination: 21% of respondents indicated risk activities are well-coordinated today, whereas 67% indicated they expect risk activities to be well-coordinated within three years.
- Top internal audit skills or experience: 1. Critical/analytical thinking; 2. Analytics; 3. Risk management; 4. Audit; 5. Business strategy
- GRC technology: 46% of respondents do not yet utilize a GRC technology, 49% utilize one or more technologies and 5% did not know.

Implications
- While organizations have expanded their view of risk, they continue to primarily focus on preventable risks. Organizations that also focus on strategic and external risks are able to profit from the upside of risk.
- Organizations have made a significant amount of progress in bridging the gap between risk management objectives and business objectives. However, greater opportunity exists for organizations to achieve stronger alignment.
- Organizations recognize the value of directly involving risk management in business decision-making. Organizations that directly involve risk management are better able to identify, manage and respond to the risks that impact their business.
- Organizations expect to see a significant improvement in the level of coordination of risk activities.
- Businesses clearly recognize that their Internal Audit functions require the appropriate skills and experience. Organizations must appropriately develop and align talent with the requisite skill sets.
- Many organizations adopt and leverage technology to better enable and sustain risk management activities. Organizations must view technology as a way to more efficiently and effectively execute, as well as sustain, their responses to risk.

Robust Risk Aware Organisation
Risk is a key part of strategic business planning and top of mind of many boards today; however, the board’s ability to provide oversight could be enhanced by more frequent evaluations of the organization’s risk profile.
- 88% of respondents indicate that the board or a board committee provides oversight of the organization’s risk management activities.
- 77% of respondents evaluate their organization’s risk profile on an annual basis, limiting their ability to adjust their business strategy based on changes to their risk landscape.
- 83% of respondents identify, assess and develop plans to address risks to all key initiatives (43%) or identify and discuss the risks (40%).

Building a Risk Aware Organisation
To build a risk aware organisation, a stepped approach to risk management is required:
1. Advance Strategic Thinking
   - Identify and assess risks that impact business strategy
   - Design risk response to reduce the downside and take advantage of upside potential
2. Optimise Functions and Processes
   - Optimally align functions to execute the organization’s risk response plans/strategy
   - Develop risk processes to facilitate better coordination, communication and reporting
3. Embedded Solutions
   - Design solutions that prevent, balance or limit risk
   - Implement technologies to effectively execute and sustain the solutions

The Governance, Risk and Compliance Challenges

The burning platform
Unprecedented focus on GRC post issues and the increasingly complex regulatory environment has put tremendous cost pressures on organizations.
- Can’t keep up – The pace at which technology and innovation is driving change in the business and regulatory landscape is unprecedented. Chief compliance and operating officers cannot keep up with changing expectations and spiraling costs of compliance.
- Work smarter, not harder – There is unprecedented focus to work smarter and coordinate GRC efforts versus the traditional ‘pile-on’ approach to add more controls for every new requirement.
Key figures
- 200 billion: cost of compliance in Fortune 500 companies
- #1 area of focus for Boards of directors of Fortune 100 companies
- 60% of companies expect cost of compliance to significantly increase over the next 5 years
- 67% of companies have overlapping risk coverage in two or more risk functions
- Less than 15% of Fortune 200 companies have moderate to significant coordination in risk management activities
“How is it good business to let your cost of compliance outrun the business benefit?” – Fortune 100 CFO
“Managing the cost of compliance has grown larger than I’ve anticipated”
Based on EY Global Surveys, the Thomson Reuters Cost of Compliance survey 2014, and EY insights through industry roundtables and networking forums.

SAP GRC Solutions

SAP Governance, Risk and Compliance (GRC) Overview
The risk agenda, turning risk into results, links four areas: enhance risk strategy, embed risk management, improve controls and processes, and optimize risk management functions.
Enhance risk strategy and embed risk management
- Improved visibility
- Comprehensive and continuous risk management and monitoring
- Proactive identification of risks
- Central management of risks and controls across the organization
- Enhanced decision making
Improve controls and processes
- Better aligned risk coverage, including the identification of stronger, more pervasive controls
- Improved control mix that addresses key business risks while driving process efficiencies
Optimize risk management functions
- Consolidated risk management activities
- Increased integration among business, IT and compliance
- Effective top-down and bottom-up reporting

Critical Considerations for Implementation
GRC integrates process, people and technology.
- Defining the roadmap: definition of the GRC road map and consideration of prior work / requirements before implementing the tool (role design, controls improvement, improvement of the risk management function)
- Business involvement: GRC projects are not technology projects but rather business projects
- Content: providing the right content to the tool is key for success
- Governance: the governance model is critical for the sustainability of the solution

GRC roadmap
Integrates process, people and technology.
Deliver GRC solutions for specific events or situations
- Use SAP PC for Business/IT process and controls monitoring and testing
- Implement AC to manage segregation of duties
Design and deliver specific GRC function/process
- Internal controls optimisation and monitoring
- IA process/technology transformation
- Compliance function enhancement
- Analytics enablement and fraud monitoring
- Financial close reconciliation automation
- Functional risk systems conversion
GRC enterprise transformation: develop an enterprise-wide GRC program supporting strategic vision and objectives
- Risk management integration initiatives
- Risk and controls transformation initiatives
- Driver-based performance management integration
- Business intelligence integration
- Continuous monitoring
- Holistic enterprise-wide technology enablement
Roadmap phases: Rapid assessment/diagnostic; Future state vision, business case and roadmap; Future state design; Future state build; Go-live and sustainability

Content: SAP GRC Access Control – Rule Set
Plan: SoD / SA risks designed in the RACM
  i. Team identified SoD and Sensitive Access (SA) risks in the Risk & Controls Matrix
  ii. Risks transition to the GRC AC team for build
Design: Review SAP-delivered GRC rules
  i. Conduct gap analysis and identify gaps at risk level and transaction level
  ii. Identify false positives
Build: GRC Global Ruleset
  Includes: SoD and SA risks; functions and transactions; custom transactions; authorization checks
  Utilize for: role and user analysis; remediation and mitigation
Test: Review of custom SAP transactions
  i. Relevant SAP Industry Solution transactions
  ii. Review custom transactions to identify risk exposure for compliance / fraud*
Final Preparation
  - Identify applicable risk groups and ratings
  - Evaluate risk ranking
Post Go-Live
  i. Include SAP Industry Solution for Insurance specific transactions
  ii. Obtain process owner sign-off
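The rule-set structure this slide describes (functions made of transactions, SoD and SA risks defined over functions, role and user analysis, mitigating controls) as an added Python model; this is illustration code, not SAP's own rule set or API, and every function, risk, role and transaction assignment in it is constructed for the example.

```python
# Added example, not SAP's code: a minimal rule-set model in the shape the slide
# describes (functions of transactions, SoD/SA risks over functions, role and
# user analysis, mitigating controls). All names and codes are constructed.
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple
# Function ID -> transaction codes (actions) that execute the function.
FUNCTIONS: Dict[str, Set[str]] = {
    "PR01_MAINTAIN_VENDOR": {"XK01", "XK02", "FK01"},
    "AP01_POST_INVOICE": {"FB60", "MIRO"},
    "AP02_RUN_PAYMENT": {"F110"},
    "BC01_USER_ADMIN": {"SU01", "PFCG"},
}
# Risk ID -> (type, functions that must all be triggered); SA risks need one.
RISKS: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "P001": ("SOD", frozenset({"PR01_MAINTAIN_VENDOR", "AP01_POST_INVOICE"})),
    "P002": ("SOD", frozenset({"AP01_POST_INVOICE", "AP02_RUN_PAYMENT"})),
    "B001": ("SA", frozenset({"BC01_USER_ADMIN"})),
}
# Role -> granted transaction codes. Display-only codes (FB03, FBL1N) are left
# out of FUNCTIONS on purpose so they cannot raise false positives.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_AP_PAYMENT_RUN": {"F110", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_BASIS_ADMIN": {"SU01", "PFCG"},
}

def analyze(tcodes: Set[str]) -> Dict[str, str]:
    """Risk ID -> risk type for every risk whose functions are all triggered.
    A function is triggered when at least one of its actions is granted."""
    hit = {f for f, actions in FUNCTIONS.items() if actions & tcodes}
    return {rid: rtype for rid, (rtype, funcs) in RISKS.items() if funcs <= hit}

def analyze_user(roles: List[str], mitigations: Set[str]) -> Dict[str, str]:
    """User-level analysis over the union of assigned roles; a risk with a
    mitigating control assigned is reported as 'mitigated', else 'open'."""
    tcodes: Set[str] = set().union(*(ROLES[r] for r in roles))
    return {rid: ("mitigated" if rid in mitigations else "open")
            for rid in analyze(tcodes)}

def conflicting_role_pairs() -> List[Tuple[str, str, str]]:
    """Role pairs that introduce a SoD risk neither role carries alone."""
    out: List[Tuple[str, str, str]] = []
    for a, b in combinations(sorted(ROLES), 2):
        alone = set(analyze(ROLES[a])) | set(analyze(ROLES[b]))
        for rid, rtype in analyze(ROLES[a] | ROLES[b]).items():
            if rtype == "SOD" and rid not in alone:
                out.append((a, b, rid))
    return out
```

Role-level analysis is `analyze(ROLES[name])`; the pair report is what an approver would want before co-assigning roles, and the mitigation status is what keeps an accepted, controlled risk from reappearing as noise in every run.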

Governance: SAP GRC Access Control – Governance Structure
Diagram labels: ARM – User Provision; Emergency Access

Business involvement
Risk management data objects and their relationships (worked example from the slide):
- Organization: Consumer Product Company, Sales
- Business Strategy / Objectives: Most trusted brand; Ethic & Compliance; 20% market share
- Business Processes / Activities: Sales and Marketing
- Opportunities (Driver / Benefits / Enhance): Increase Earnings by 5%; Increase Sales by 4%
- Key Risk Indicator (KRI): Actual to plan deviation
- Drivers: Competitor price changes; Sales performance expectations; Growth strategy
- Risk Category / Risk: Predatory pricing
- Impacts: Intense price competition; Fines; Reduced shelf space; Damaged reputation
- Responses: preventive responses reduce the probability of risk events; corrective responses reduce the impact of risk events
- Response Catalog (Risk Management): Mitigate – Review and approve pricing; Transfer – Insurance cover; Accept – Risk impacts are insignificant; Avoid – Fixed pricing
- Controls / Policies Catalog (Process Control): Controls – Access controls to pricing master files; Policies – Robinson-Patman Act Pricing

Project Examples

SAP AC Re-implementation
A holding company with many multinational operations in the Consumer Products and Mill Products industries.
The client was struggling to use SAP GRC AC since the results in the reports were overwhelming, contained too much irrelevant data, and reported false positives. Also, ARM approvers couldn’t understand the access risks, and access requests were approved unconsciously. So the group decided to re-implement AC with proper content and methodology. The result is announced as a 20% reduction in access management operational costs and increased compliance and IT satisfaction results.
Previous state
- Too many rules: 216 SoD rules were defined; the company was getting run-time errors while running GRC ARM
- Complex role structure: position-based roles with wide access, no standardization; many unused transactions
- No mitigating controls: mitigating controls were perceived as «no risk»
- The responsibility was on IT: the governance model was not defined, including role and risk owners
- No use: the tool was not accepted by the users; there were many workarounds
Current state
- Necessary rules: only real risks are defined as SoD or SA risks; the total number of rules is 34
- Simple and sustainable role structure: task-based roles based on functions; standard, adaptable, easy to monitor; sustainable
- Relevant mitigating controls: relevant mitigating controls were defined to mitigate SoD and SA risks, and risk owners are trained to assign proper controls
- The responsibility is on Business: a proper governance structure was defined; business owners take the responsibility and accountability with clearly defined roles
- In use: the tool is used company-wide with immediate effect on costs and user satisfaction

SAP RM Implementation
A holding company with many multinational operations in the Consumer Products and Mill Products industries.
Situation
- Outdated, unreliable and inconsistent risk information without focus on strategic risks
- Inability to meet corporate objectives and stakeholders’ oversight expectations
- A lot of effort to aggregate and report risk information
- Risk management practices and tools in subsidiaries were not standardized – collaboration was impossible
- High cost of control – sub-optimal risk appetite, no use of analytics or continuous …
Diagram labels: C Suite and Board; Mission; Value; Cost; Risk Management; Internal Controls; Internal Audit
Results
- Improved alignment to the objectives and strategy of the business
- Central management of financial, operational and compliance risks and controls across the organization
- Increased integration and coordination among business, IT and compliance
- Sustainability of the risk management process
- Effective top-down and bottom-up reporting

Thank you
