"Founded in 1972, SAP has a rich history of innovation and growth as a true industry leader. SAP currently has sales and development locations in more than
50 countries worldwide and is listed on several exchanges, including the Frankfurt Stock Exchange and NYSE
under the symbol SAP."
Source: SAP
Governance, Risk and Compliance Management: Realizing the Value of Cross-Enterprise Solutions
CONTENTS
Executive Summary
The Business Need for Cross-Enterprise GRC Solutions
The Goal: A Holistic Approach to GRC
Cross-Enterprise GRC Solutions: A Closer Look
- Support for Business Processes and Functions
- Reconcile to Report and Financial Close
- Procure to Pay
- Order to Cash
- Hire to Retire
- Payroll
- Production to Delivery
- Support Across the Complete IT Stack
- Support for Enterprise Application Software Solutions
- Multiapplication GRC
- Cross-Application GRC
- Additional Attributes of an Enterprise-Class GRC Solution
- Integrated GRC
- Automated GRC
SAP Solutions for Governance, Risk, and Compliance
- SAP Solutions for GRC, Cisco SONA-Ready
- The Foundation for Cross-Enterprise GRC
Evolving SAP Software into Cross-Enterprise Products
- SAP GRC Access Control
- SAP GRC Process Control
For More Information
Powered by SAP NetWeaver
EXECUTIVE SUMMARY
Governance, risk, and compliance (GRC) issues are hot topics
today, thanks to a myriad of high-profile stories about companies
that failed to meet regulatory requirements governing finance,
environmental compliance, and other areas. In each case,
executives have been held accountable, stock prices have
dropped, and brand image has suffered. GRC issues are also a top
priority because business leaders increasingly understand that
seemingly small operational control weaknesses can significantly
impair corporate performance. These obstacles might range
from a supplier inventory shortage that impacts revenue, to a
faulty or counterfeit product that erodes brand and increases
costs, to a leakage of confidential data that damages reputation
and creates a compliance liability.
Many companies have responded to regulatory mandates by implementing
disconnected, tactical processes and point solutions
that address a single regulation or corporate initiative. But these
fragmented efforts can make compliance far more costly and
complicated than it needs to be. You would need to purchase
and deploy multiple GRC applications for each enterprise application
and then define risks, set policies, and monitor compliance
for each application. At the same time, you need to find a
way to manage countless GRC policies, decisions, and GRC data:
data that is likely based on different metrics, standards, software,
and methodologies. The resulting complexity can make
it impossible to aggregate this data to gain a complete view of
enterprise risk.
SAP offers a new approach for monitoring, identifying, and
managing risk across the enterprise. A true cross-enterprise
GRC solution dramatically simplifies management and
execution of these activities, making it easy to compile data
for a comprehensive perspective on overall exposure, monitor
compliance and risk effectively, and adjust business processes to
meet changing business and regulatory mandates.
This paper explains SAP's vision for a cross-enterprise GRC
solution and the benefits it can provide, defines key terms,
and discusses what to look for when evaluating GRC software
options. It also discusses how SAP is evolving the SAP® solutions
for governance, risk, and compliance (SAP solutions for GRC)
to deliver the industry's first comprehensive, fully integrated
cross-enterprise GRC solution.
THE BUSINESS NEED FOR CROSS-ENTERPRISE
GRC SOLUTIONS
Issues related to management of GRC have become top boardroom
priorities, thanks to highly publicized corporate scandals
and the release of a myriad of regulatory mandates designed to
prevent everything from fraud to environmental damage. Most
likely, you are keenly aware of the potential costs of noncompliance
today. In addition to facing possible fines, your business
could face the cost of litigation and remediation, as well as
confronting negative impacts on brand, reputation, and market
valuation. Equally important, executives at the top can be held
personally responsible for compliance failures.
A Definition of GRC
- Governance manages the strategic directives
a company wants to follow.
- Risk management assesses the areas
of exposure and potential impacts.
- Compliance is the tactical action to mitigate
risk.
Source: John Hagerty, AMR Research, April 3, 2006
Many companies have responded to regulatory mandates with
a series of disconnected, tactical, one-off projects to respond
to a single regulation or corporate initiative. Your business may
deploy multiple point solutions to address process control risks
within a core financial application, for example. However, while
fragmented GRC activities may be the status quo, they are likely
costing your business more than you think and more than is
necessary. AMR Research reports that compliance spending will
reach US$27.3 billion in 2006.
Of even greater significance is the fact that fragmented GRC
efforts make it impossible to implement a cohesive GRC strategy
for monitoring, identifying, and managing risk across the enterprise.
This fragmentation, when replicated many times across
different business applications and business functions, creates a
GRC management nightmare. For each business process or
application, you may have one or more different applications to
manage it. And for each process and each application, business
and IT departments need to define risks, set policies, monitor
compliance, manage attestations, address escalations and
mitigations, generate reports, and more. Complicating matters
further is the fact that departments responsible for different GRC
initiatives may use different metrics, standards, software, and
methodologies for analyzing risk and compliance information.
This makes it difficult to aggregate data, gain a complete view
of enterprise risk, effectively monitor compliance and risk, and
adjust business processes to meet changing requirements, market
trends, and regulatory mandates.
Clearly, fragmented approaches to GRC represent a massive and
costly duplication of effort that impairs transparency and
increases opportunities for issues or weaknesses to fall through the
cracks until they are identified by a regulatory body.
Forrester anticipates that "firms will establish
risk and compliance architectures, develop risk
intelligence, and implement GRC platforms,
as well as centralized communication and
training on corporate policies and procedures."
Forrester also anticipates the continued
evolution of the enterprise role that is responsible
for managing GRC.
Source: "Trends 2006: Enterprise Risk and Compliance,"
Forrester Research Inc., Michael Rasmussen,
December 13, 2005
THE GOAL: A HOLISTIC APPROACH TO GRC
A fragmented approach to GRC prevents transparency into your
business operations and severely limits your ability to use GRC as
a strategic asset for your company. To promote transparency,
GRC solutions must span multiple business processes. As illustrated
in Figure 1, the answer is to implement a single, holistic
solution that works with all of the enterprise applications used
to support those business processes.
A true cross-enterprise GRC solution delivers key functionality
across two dimensions:
- Breadth in terms of business processes or functions covered,
such as human resources, finance, customer relationship
management, sales, and so on
- Depth in terms of integration with multiple business applications,
which may include software from a major vendor, as
well as legacy and custom applications
Integration must extend throughout the entire technology
stack, from the highest-level enterprise applications down to the
data-exchange infrastructure. In addition, all applications that
are part of the solution must 1) address GRC issues across all
applications and business functions and 2) feed to and from
a single, centralized GRC data repository. These two characteristics
of cross-enterprise GRC enable you to address a multitude
of GRC challenges and result in the following benefits:
- Enterprise-wide risk monitoring: You can monitor risk
across all enterprise applications and business functions,
deploying one solution, rather than multiple applications that
manage only a subset of GRC activities. You can significantly
lower the effort and cost of GRC for your company, freeing
resources for innovation and top-line growth.
- Greater transparency: Executives gain greater transparency
into business operations across the enterprise, essential to increasing
overall GRC effectiveness. Transparency enables you
to overcome the effects of fragmentation, such as increased
risks, reduced effectiveness of controls, strategic misalignment,
and missed opportunities.
- Increased automation: You can automate manual processes,
which results in highly repeatable, consistent, and auditable
GRC processes. At the same time, automation enables fast,
cost-effective reporting that saves time and money and
helps ensure that the data you submit to regulatory agencies is
reliable and supportable.
- Simplified compliance: You can adjust to regulatory changes
easily and speed compliance efforts, which can play a critical
role, for example in bringing new products to market faster
than the competition.
All of these benefits are made possible by the fact that a true
cross-enterprise GRC solution dramatically simplifies management
and execution of GRC activities. Whereas before you
needed a different application to manage each business process
or application, with cross-enterprise GRC, you need only one.
Having a single GRC solution means that you need to define
risks and set policies once for the entire enterprise. It also means
that metrics, standards, software, and methodologies for analyzing
risk and compliance information are consistent across the
enterprise, making it easy to aggregate data, gain a complete view
of enterprise risk, effectively monitor compliance and risk, and
adjust business processes to meet changing requirements, market
trends, and regulatory mandates.
CROSS-ENTERPRISE GRC SOLUTIONS: A CLOSER LOOK
When evaluating GRC technologies, it's important to understand
the baseline functionality required in a cross-enterprise
GRC solution. The solution should provide the following:
- Support for all core business processes and functions
- Support for all major enterprise application software solutions
- Support across the complete IT stack
- Integrated GRC processes
- Automated GRC processes
Support for Business Processes and Functions
To qualify as a true cross-enterprise GRC application, the solution
must provide business process controls that address all core
business processes in your organization, ranging from the supply
chain to finance to operations. Examples include the following.
Reconcile to Report and Financial Close
The leading source of material weakness disclosures relates to
controls for the reconcile-to-report process, a process that
places a tremendous strain on the accounting staff. In addition,
mistakes or delays can cause significant harm to a company's
financial statements and ultimately, its share price.
Errors in financial results are often the result of manual processes
and calculations performed in a compressed time frame across
multiple locations and groups and a wide variety of enterprise
applications. All of these variables create an environment in
which it is easy to make simple calculation and data-entry
mistakes. These mistakes can easily add up to material problems
that require rework or in the worst case, a financial restatement.
A true cross-enterprise GRC solution automates manual
processes with controls in the reconcile-to-report area as much
as possible. These controls eliminate the source of most material
weaknesses and, by default, significantly reduce the need for
financial restatements. In addition, they free accounting staff to
focus on more strategic activities.
Procure to Pay
For most large organizations, procurement activities generate
thousands of transactions across multiple enterprise applications
each day. This complexity can make it nearly impossible to
ensure the validity of procure-to-pay transactions. Lack of automated
controls for procure-to-pay processes impairs cash flow
and can cause inaccurate account balances related to delivery of
low-quality goods, duplicate vendor payments, lost discounts,
and improperly valued inventory. An even more serious threat is
significant losses due to fraud.
A true cross-enterprise GRC solution addresses these challenges
by providing controls throughout the procure-to-pay process
that detect or even prevent accidental or malicious activities.
Order to Cash
Optimizing the order-to-cash process is a strategic priority for
most companies. Since this process concludes with revenue
recognition, it can present a high degree of risk to company
management. The risks are magnified when companies have
high order volumes from a global customer base, and customers
use complex discounting structures and multiple payment
terms. Clearly, financial professionals need to implement automated
process controls to identify revenue leakage, improper
shipping cutoffs, and potentially fraudulent activities.
A true cross-enterprise GRC solution addresses these challenges
by providing best-practice controls that safeguard the order-to-cash
processes.
Hire to Retire
Ensuring employee information security, while maintaining
adequate information transparency for key stakeholders of an
organization, requires a robust hire-to-retire process with the
appropriate controls needed to achieve both objectives. With a
cross-enterprise GRC solution in place, you get best-practice
controls that enforce policies and detect or even prevent failures
in the hire-to-retire process.
Payroll
Payroll is one of the largest expenditures in many organizations,
making it a prime target for fraud. The volume and frequency of
payroll transactions create additional risks, such as the likelihood
of errors due to complexities in tax regulations, time accounting,
and other areas. With a cross-enterprise GRC solution in place,
you receive best-practice controls that protect the entire payroll
process from accidental or malicious activities.
Production to Delivery
The production-to-delivery process often requires a wide range
of cross-industry controls to address issues such as product
quality and workplace safety. In addition, there are many
industry-specific variations and additions to these horizontal
controls, such as enhancements specific to the U.S. Food and
Drug Administration in the life sciences industry. A true cross-enterprise
GRC solution also delivers controls for this process to
ensure that there are no material deviations from regulatory
mandates or company policy.
Support Across the Complete IT Stack
Businesses increasingly need controls that extend down to operating
system and network layers. For example, to address network
and IT security risks related to compliance, you are probably
performing manual audits of all devices and IT systems or
using point solutions focused on IT or network compliance. In
either case, this approach requires addressing regulatory requirements
manually and makes it difficult to leverage data between
the point solutions. This can be a serious problem given that
the reporting requirements for compliance with the Control
Objectives for Information and Related Technologies (COBIT)
framework alone can diminish IT productivity.
To address these types of risks, you need a holistic cross-enterprise
GRC solution that takes into account not only
controls for core business processes but also IT controls that
extend through all levels of the IT infrastructure, from the
operating system and network all the way up to the highest-level
business applications. The software that typically monitors and
reports on network activity should correlate events to
higher-level GRC information so that, for example, sensitive
customer information (such as customer credit card numbers)
does not pass outside company firewalls.
Support for Enterprise Application Software Solutions
A cross-enterprise GRC solution also needs to provide full
support for heterogeneous business applications by providing
both multiapplication functionality and cross-application
functionality. The following sections explore these terms.
Multiapplication GRC
Multiapplication GRC solutions enable you to define all risks,
policies, functions, and controls just once using nontechnical,
common business language and to store this data in a central
repository for reuse by multiple GRC applications. The solutions
automatically map these risks, policies, and functions to all of
the underlying business applications, regardless of where they
are in the enterprise.
Automated, multiapplication functionality helps you avoid fragmentation
of risk analysis, policies, and controls; ensures consistency
across the enterprise; and eliminates duplication of effort
across applications. For example, you may have three applications
that support "create vendor" and "pay vendor" processes.
To prevent fraud, you define a rule that no one user can have
permission to both create and pay a vendor. Without multiapplication
functions in place, you need to deploy a different
GRC application to monitor each business application, and
define the rule three different times. Given the law of large
numbers, having this kind of data scattered across multiple
applications eventually results in inconsistencies, errors, and
oversights. Also, if you find a violation of a rule, you need to put
a mitigating control in place across three different applications,
another potential source of oversight, as companies can lose
track of which users have what controls, when they expire, and
so on. And if management needs visibility across the enterprise
with regard to this issue, individual reports from the various
GRC applications need to be manually reconciled, a costly and
error-prone process.
A multiapplication solution automatically applies the rules to
each business application involved in creating and paying vendors.
Multiapplication functionality alone, however, does not address
the fact that business processes often span multiple applications.
To return to our prior example, multiapplication
functionality allows you to detect instances when a user has permission
to both create and pay a vendor within a single application.
But it cannot detect when a user tries to bypass the policy
by creating a vendor in one application and paying the vendor in
another.
Cross-Application GRC
Only GRC software that offers cross-application functionality
can detect cross-application risks. Multiapplication software is
gradually evolving into cross-application software that enables
you to apply policies and controls across business applications
and uncover risks spread across them, the holy grail of GRC.
For example, you may have a business policy stating that
purchase orders over a certain amount require management
approval. This process control can potentially be sidestepped by
employees who submit two purchase orders for lesser amounts
across two different applications. To prevent this type of process
control failure, you can deploy a cross-application GRC product
that includes functionality for monitoring all purchase order
activity across all relevant enterprise applications. Centralized
business rules can detect a suspicious sequence of purchase
orders for an individual and generate an alert to a manager
responsible for compliance in the procurement area with the
Sarbanes-Oxley Act, who can take immediate action. (In contrast,
multiapplication software would only enable you to detect
when employees submit two purchase orders within the same
application.)
As this example illustrates, end-to-end business processes can
touch multiple enterprise applications and departments, and as
a result, GRC solutions must be able to identify and manage
risk within and across them. You want one GRC solution that
enables you to do the following:
- Document and store all rules and policies in a central GRC repository
- Apply these centralized rules and policies across all of your
major enterprise applications to identify and analyze risk
- Mitigate and remediate risks from a central GRC solution
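As an added example (not code from the SAP paper or its products), the following Python script applies one centrally defined segregation-of-duties rule and one purchase-order approval rule to constructed access data and purchase orders from three applications. It contrasts the multiapplication view (conflicts visible inside a single application) with the cross-application view (a vendor created in one application and paid in another, and two sub-threshold purchase orders split across applications). The application names, users, amounts, threshold and one-day window are all assumptions made up for the illustration.

```python
"""Central GRC rules evaluated across several applications (constructed example).

The access assignments, purchase orders, threshold and time window below are
invented for illustration; this is not SAP code or an SAP data model.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: which business functions each user holds in each application.
ACCESS = [
    ("alice", "APP_ERP",    "create vendor"),
    ("alice", "APP_ERP",    "pay vendor"),     # conflict inside one application
    ("bob",   "APP_LEGACY", "create vendor"),
    ("bob",   "APP_CRM",    "pay vendor"),     # conflict only visible across applications
    ("carol", "APP_ERP",    "create vendor"),
    ("carol", "APP_LEGACY", "create vendor"),  # same function twice: no conflict
]

# Constructed purchase orders: (user, application, amount, ISO timestamp).
PO_LOG = [
    ("dave",  "APP_ERP",    4800, "2007-03-01T09:00:00"),
    ("dave",  "APP_LEGACY", 4900, "2007-03-01T11:30:00"),  # split across two apps
    ("erin",  "APP_ERP",    9700, "2007-03-02T10:00:00"),  # over threshold: approval path
    ("frank", "APP_ERP",    3000, "2007-03-03T08:00:00"),
    ("frank", "APP_ERP",    3500, "2007-03-10T08:00:00"),  # outside the window
]

# Rules are defined once, in business language, and reused for every application.
SOD_RULES = [{"name": "vendor create/pay", "conflict": {"create vendor", "pay vendor"}}]
APPROVAL_THRESHOLD = 5000          # orders at or above this need management approval
SPLIT_WINDOW = timedelta(days=1)   # how close two small orders must be to look split


def sod_violations(access, rules, cross_application=True):
    """Return {(user, rule name): applications} for users holding a conflicting pair.

    cross_application=False mimics multiapplication software: the pair must be
    held inside one application. True also reports the pair when it is spread
    across applications (create a vendor in one, pay it in another).
    """
    held = defaultdict(set)                       # (user, app) -> functions held
    for user, app, func in access:
        held[(user, app)].add(func)

    findings = {}
    for rule in rules:
        apps_by_func = defaultdict(lambda: defaultdict(set))  # user -> func -> apps
        for (user, app), funcs in held.items():
            for func in funcs & rule["conflict"]:
                apps_by_func[user][func].add(app)
        for user, func_apps in apps_by_func.items():
            if set(func_apps) != rule["conflict"]:
                continue                              # user lacks one side of the pair
            app_sets = list(func_apps.values())
            common = set.intersection(*app_sets)      # apps holding the whole pair
            if common:
                findings[(user, rule["name"])] = common
            elif cross_application:
                findings[(user, rule["name"])] = set.union(*app_sets)
    return findings


def split_orders(po_log, threshold, window, cross_application=True):
    """Flag users whose sub-threshold orders add up past the threshold within window.

    cross_application=False only combines orders placed in the same application,
    which is all a multiapplication product can see.
    """
    orders_by_user = defaultdict(list)
    for user, app, amount, ts in sorted(po_log, key=lambda r: (r[0], r[3])):
        if amount < threshold:                        # large orders already go to approval
            orders_by_user[user].append((app, amount, datetime.fromisoformat(ts)))

    alerts = []
    for user, orders in orders_by_user.items():
        for i, (app_i, amount_i, t_i) in enumerate(orders):
            group = [(app_i, amount_i)]
            for app_j, amount_j, t_j in orders[i + 1:]:
                if t_j - t_i > window:
                    break                             # orders are time-sorted per user
                if cross_application or app_j == app_i:
                    group.append((app_j, amount_j))
            total = sum(amount for _, amount in group)
            if len(group) > 1 and total >= threshold:
                alerts.append({"user": user, "total": total,
                               "apps": sorted({app for app, _ in group})})
                break                                 # one alert per user is enough
    return alerts


if __name__ == "__main__":
    print("multiapplication SoD :", sod_violations(ACCESS, SOD_RULES, cross_application=False))
    print("cross-application SoD:", sod_violations(ACCESS, SOD_RULES))
    print("split purchase orders:", split_orders(PO_LOG, APPROVAL_THRESHOLD, SPLIT_WINDOW))
```

With cross_application=False only alice and no split order are reported; the cross-application pass additionally surfaces bob and dave, which is exactly the gap the paper attributes to multiapplication products.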
Additional Attributes of an Enterprise-Class GRC Solution
In addition to supporting GRC activities across all business processes
and applications, a true cross-enterprise GRC solution also
delivers the following functionality.
Integrated GRC
A cross-enterprise GRC solution does not treat GRC activities as
separate activities but rather addresses them as one integrated solution.
Integrated GRC enables you to aggregate data, gain a
complete view of enterprise risk, effectively monitor compliance
and risk, and adjust business processes to meet changing requirements,
market trends, and regulatory mandates. It also simplifies
GRC, which reduces costs and the potential for error. And
because data is truly integrated, you can more easily link GRC to
corporate performance management, strategy setting, and company
policies to create reports that are useful to senior management.
If this information is fragmented, creating reports that
synthesize this data would require repeated linkages dozens of
times across different enterprise systems, a costly endeavor.
Automated GRC
True cross-enterprise GRC solutions also automate the bulk of
activities that are typically processed manually by most companies
today, for example, managing segregation-of-duties information
using spreadsheets. Automating the tracking and management
of this type of data across the enterprise reduces GRC
costs and eliminates countless errors that can lead to major
liabilities.
Defining Single-, Multi-, and Cross-Application Software
The GRC software industry is relatively new and, in many ways, has been
playing catch-up with the needs of businesses seeking
to comply with regulatory mandates in an effective, cost-efficient
manner. As illustrated in Figure 2, software products are
continuing to evolve from "siloed" GRC applications that focus on only
one enterprise application to those that enable cross-application
management.
SAP SOLUTIONS FOR GOVERNANCE, RISK, AND COMPLIANCE
SAP has recognized the need for cross-enterprise GRC applications
and has deepened its own GRC domain expertise by investing
in SAP® solutions for governance, risk, and compliance (SAP
solutions for GRC) and a robust, industry-leading GRC partner
ecosystem. These solutions will enable you to achieve the goal
of managing GRC across your enterprise and even across your
extended business landscape, and do so with confidence.
SAP solutions for GRC make up an integrated portfolio of applications
that embed and optimize all GRC activities to overcome
the problems caused by business fragmentation and disjointed
approaches to GRC management. These solutions are powered
by the SAP NetWeaver® platform, which provides a common
technical foundation that integrates with the mySAP™ Business
Suite applications and with third-party applications. They can
leverage information within your existing business applications
to evaluate risk and apply controls directly within business
processes. This results in greater transparency and predictability,
enabling you to improve GRC activities, and overall enterprise
performance.
SAP solutions for GRC are based on the concept that business
processes are not contained within a single application or silo
function of a business. Instead, they cut across an entire corporation
or distributed value chain. This means that SAP solutions
for GRC have to function reliably outside a single application
and across a complex business network. The complexity of the
network requires that SAP solutions for GRC must be increasingly
adaptable and flexible to work in any heterogeneous
environment. Key applications are described in the table that
follows.
SAP Solutions for GRC, Cisco SONA-Ready
SAP and Cisco Systems Inc. have partnered to deliver a joint set
of solutions based on enterprise service-oriented architecture
(enterprise SOA) that allow you to address GRC needs across the
enterprise in a holistic, nonintrusive, flexible, and cost-effective
way. This approach leverages SAP solutions for GRC and the intelligent
network delivered by Cisco Service-Oriented Network
Architecture (SONA), Cisco's leading network architecture.
SAP solutions for GRC provide the business context for GRC
needs across the enterprise, that is, the specific GRC-related
policies you have identified that are important to your business.
Cisco SONA expands the reach of SAP solutions for GRC into the
extended enterprise, beyond the borders of packaged enterprise
applications and into the landscape of physical and infrastructure
risk.
SAP solutions for GRC give you the visibility needed to move
away from reacting to business risks and events and toward improving
business predictability and performance. These solutions
provide business content to correctly interpret and respond to
the events detected and tracked by Cisco SONA. Cisco SONA can
then aggregate, normalize, and act upon business and IT events
with the appropriate business context for your organization and
across existing geographies and organizations.
The Foundation for Cross-Enterprise GRC
Both SAP and Cisco have built their solutions using a standards-based
SOA, making it easy to integrate corporate GRC policies
and processes into your existing operations and heterogeneous
IT systems. In addition, this lays the ideal foundation for creating
and deploying composite applications to drive specialized GRC
processes. Composite applications span multiple solutions,
departments, and organizations to leverage existing systems and
ease future integration. They also allow quick reconfiguration to
accommodate new business structures, processes, and partner
requirements.
SAP and Cisco are developing a growing portfolio of prebuilt
composite applications to address customers' critical business
process issues. These predelivered composite applications for
GRC leverage SOA to address the most common challenges
around GRC, such as network and IT security, data privacy and
protection, and service-level compliance. They are also unique
because they are network-aware composite applications, resulting
in more powerful and farther-reaching functionality than is
possible with traditional composite applications.
EVOLVING SAP SOFTWARE INTO CROSS-ENTERPRISE PRODUCTS
Forward-looking customers are engaging with vendors such
as SAP that have committed to a holistic GRC vision. SAP is
evolving its SAP solutions for GRC into cross-application and
cross-functional products that support cross-enterprise GRC
management and transparency. As illustrated in the tables that
follow, SAP solutions for GRC support both breadth and depth.
SAP GRC Access Control
The following table describes the cross-application functionalities
of the SAP GRC Access Control application across various
business processes and functions. It lists the out-of-the-box process
coverage for access risk provided by SAP GRC Access
Control.
SAP GRC Process Control
The SAP GRC Process Control application deploys configurable,
automated controls for key business processes ' and even supports
custom controls unique to your company. Examples of
processes supported by SAP GRC Process Control include the
following:
- Procure to pay: Predelivered controls ensure control effectiveness
and efficiency for purchasing, inventory, accounts
payable, and legacy applications.
- Order to cash: Predelivered controls ensure control effectiveness
and efficiency for order management, inventory, accounts
receivable, general ledger, and legacy applications.
- Reconcile to report: Predelivered, automated controls for subledgers,
general ledgers, and consolidation systems eliminate
manual controls, streamline the financial close process, and
help ensure the accuracy of financial results.
In addition to providing process-level support across the enterprise,
SAP GRC Process Control addresses risks across various
functions and applications. Examples of the software's cross-functional
support are illustrated in the following table:
FOR MORE INFORMATION
The SAP approach to GRC and the solution portfolio provides
the framework and the software solutions to help you build
your GRC architecture step-by-step, leveraging your existing
IT investments in SAP software and other technologies. SAP's
business process expertise, industry knowledge, and global
presence attract a continuously growing partner ecosystem.
In combination, SAP and its partners deliver a comprehensive
and integrated GRC solution portfolio unmatched by any single
vendor in the market.
To learn more about how SAP can help you with your GRC
strategy and reap the benefits of an integrated GRC approach,
please call your SAP representative today or visit us on the
Web at www.sap.com/grc.
POWERED BY SAP NetWeaver
SAP solutions for GRC are powered by the SAP NetWeaver
platform. SAP NetWeaver unifies technology components into a
single platform, providing the best way to integrate all systems
running SAP or non-SAP software. SAP NetWeaver also helps
organizations align IT with their business. As the foundation for
enterprise service-oriented architecture (enterprise SOA),
SAP NetWeaver allows organizations to compose and enhance
business applications rapidly to drive business change.
© Copyright 2007 SAP AG. All rights reserved.