The primary directive of a mature governance, risk management, and compliance (GRC) program is to deliver effectiveness, efficiency, and agility to the business in managing the interrelationship of performance, risk, and compliance. Effective, efficient, and agile GRC is built on an integrated architecture that is enterprise wide; delivers consistent and uniform value from the boardroom to the front office; is focused on value protection and creation; and is proactive in measurement, management, and interdiction. GRC architecture connects the fabric of the business together across the organization and its disparate systems, processes, and information. To address this and build a sustainable architecture for the future, SAP turned to its own GRC solutions and put into practice exactly what it advocated other organizations do. SAP implemented an integrated GRC architecture that brought together SAP Process Control 10 and SAP Risk Management 10 across a global implementation at SAP for risk-assessed internal control monitoring and assurance. GRC 20/20 has evaluated and verified SAP’s own internal use of SAP GRC and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized SAP with a 2014 GRC Value Award in the domain of GRC Architecture and Integration.
Complexities of GRC Hinder Organizations
The individual components of GRC — governance, risk management, and compliance — are a necessary and intricate challenge to business. GRC is not optional: every organization has some approach to GRC, from the ad hoc to the agile. The primary directive of a mature GRC program is to deliver effectiveness, efficiency, and agility to the business in managing the interrelationship of performance, risk, and compliance. This requires a strategic approach that connects the enterprise, business units, processes, transactions, and information to enable transparency, discipline, and control of the ecosystem of business and operational activities. Doing this is not easy, as all of these elements are in a constant state of change.
GRC maturity increases as the ability to connect, understand, analyze, and monitor interrelationships and underlying patterns of performance, risk, and compliance across the business grows. Various systems and processes interrelate in apparent and not-so-apparent interactions that can surprise the organization and catch it off guard. When risk is understood and compartmentalized in silos, the organization fails to see the web of risk interconnectedness and its impact on performance and strategy, leading to greater exposure than any individual silo understood.
To maintain integrity, and execute on strategy, the organization has to be able to see the individual risk (the tree) as well as the interconnectedness of risks (the forest).
GRC relationships are non-linear. They are not a simple equation of 1 + 1 = 2. They are a mesh of exponential relationships and impacts in which 1 + 1 = 3 or 30 or 300. What seems like a small disruption or risk exposure may have a massive effect or no effect at all. In a linear system, effect is proportional to cause; in the non-linear world of business and GRC it is exponential. Business is chaos theory realized. The small flutter of risk can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result ranges from exponential to unpredictable.
The challenge is how to reconcile business agility with GRC strategy and architecture. Most GRC decisions have been made as a base reaction to the newest regulatory demand. This resulted in dollars spent on GRC with limited understanding of its alignment to the business. GRC was approached tactically and not strategically. Organizations have ended up with a topography of GRC projects, each focused on risk within a department or on a particular regulatory/risk issue, that have often failed to deliver cross-enterprise insight when needed. What is often missing is a level of integration that provides a central nervous system that connects everything and makes it operate as a body.
The Bottom Line: Effective, efficient, and agile GRC is built on an integrated architecture that is enterprise wide; delivers consistent and uniform value from the boardroom to the front office; is focused on value protection and creation; and is proactive in measurement, management, and interdiction. GRC architecture connects the fabric of the business together across the organization and its disparate systems, processes, and information. This requires GRC strategy, process, information, and technology to work together across the business and its operations. It is about enabling GRC within business systems such as business intelligence, performance management, and the ERP environment. This provides real-time insight into business decisions, operational intelligence, and monitoring in the context of risk and compliance.
How SAP Achieved Value in an Integrated GRC Architecture
Headquartered in Germany, with locations in more than 130 countries, SAP is a leader in enterprise software and software-related services. SAP solutions span from the back office to the boardroom, warehouse to storefront, and desktop to mobile device, empowering organizations to work together more efficiently and use business insight effectively to stay ahead of the competition. More than 253,500 customers around the world and across industries use SAP applications and services.
To manage the diversity and complexity of its business operations, SAP knew it had to address the integration and architecture across governance, risk management, and compliance (GRC) functions. Risk management data was administered in an operational risk management solution, while internal control management was handled in the SAP MIC (Management of Internal Controls) solution. This was a challenging disconnect between the control repository and risk management activities.
Without a unified GRC architecture for control, there was no master data repository, and data maintenance effort was significantly higher, at times leading to duplicated efforts. The effort for manual control testing and result consolidation was also higher because there was no unified, integrated architecture for risk and controls.
To address this situation and build a sustainable architecture for the future, SAP turned to its own GRC solutions and put into practice exactly what it advocated other organizations do. SAP implemented an integrated GRC architecture that brought together SAP Process Control 10 and SAP Risk Management 10 across a global implementation at SAP for risk-assessed internal control monitoring and assurance. This strategy included a consolidation of SAP’s governance, risk, and compliance functions supported by an integrated GRC architecture built on SAP GRC solutions with multiple data source systems. SAP solutions for fraud management, access control, process control, and risk management were integrated to achieve a holistic regulatory, business process, risk, and control environment with a real-time single source of truth. This has enabled SAP to realize the world’s largest integrated implementation of SAP GRC within SAP’s own internal environment, incorporating more than 500 organizations across 100 countries.
SAP achieved this through a phased approach with up to four parallel work streams conducted by a project team of twelve members in less than two years. Aside from the data migration from previous legacy systems into an integrated solution scenario, the scope also included system integration with customer relationship management (CRM) and promise to deliver (PtD), a project system. This is supported by online as well as offline (cascading Adobe Interactive Forms) survey scenarios, continuous control monitoring, issue management, control testing and scheduling, COSO questionnaires, and policy management across 67,000 users. In addition, 130 members of the senior management team are now using their mobile devices to make risk-based business decisions.
SAP’s integrated GRC architecture was implemented by SAP Consulting. Utilizing its Task Force Implementation Service best-practice approach, SAP Consulting was able to significantly reduce implementation effort.
The Value of SAP GRC at SAP
GRC is a capability to reliably achieve objectives [GOVERNANCE] while addressing uncertainty [RISK MANAGEMENT] and acting with integrity [COMPLIANCE].[1. This is the official definition of GRC found in the GRC Capability Model and other work by OCEG at www.OCEG.org.] Successful GRC strategies deliver the ability to effectively mitigate risk, meet requirements, satisfy auditors, achieve human and financial efficiency, and meet the demands of a changing business environment. GRC solutions should produce stronger processes that utilize accurate and reliable information. This enables a better performing, less costly, and more flexible business environment.
GRC 20/20 measures the value of GRC initiatives around the elements of efficiency, effectiveness, and agility. Organizations looking to achieve GRC value will find the results in the following areas:
- GRC Efficiency. GRC provides efficiency and savings in human and financial capital resources by reducing operational costs through automating processes, particularly those that take a lot of time consolidating and reconciling information in order to manage and mitigate risk and meet compliance requirements. GRC efficiency is achieved when there is a measurable reduction in the human and financial capital resources needed to address GRC in the context of business operations.
- GRC Effectiveness. GRC achieves effectiveness in risk, control, compliance, IT, audit, and other GRC processes. This is delivered through greater assurance of the design and operational effectiveness of GRC processes to mitigate risk, protect the integrity of the organization, and meet regulatory requirements. GRC effectiveness is validated when business processes are operating within the controls and policies set by the organization and provide greater reliability of information to auditors and regulators.
- GRC Agility. GRC delivers business agility when organizations are able to rapidly respond to changes in the internal business environment (e.g. employees, business relationships, operational risks, mergers, and acquisitions) as well as the external environment (e.g. external risks, industry developments, market and economic factors, and changing laws and regulations). GRC agility is also achieved when organizations can identify and react to issues, failures, non-compliance, and adverse events in a timely manner, so that action can be taken to contain them and keep them from growing.
GRC 20/20 has evaluated and verified SAP’s own internal use of SAP GRC and confirms that this implementation has achieved measurable value across the elements of GRC efficiency, effectiveness, and agility. In this context, GRC 20/20 has recognized SAP with a 2014 GRC Value Award in the domain of GRC Architecture and Integration.
GRC Architecture & Integration Efficiency Value
SAP, utilizing SAP GRC solutions, has been able to identify both quantitative (hard, objective facts and figures) and qualitative (soft, subjective opinions and experience) measures of value as they pertain to the human and financial efficiencies it has benefited from.
GRC 20/20 has evaluated and verified the following quantitative measures of GRC architecture and integration efficiency value:
- SAP has reduced the effort for annual internal control and SOX activities, creation of quarterly board risk reports, creation of the annual report including quarterly ad hoc updates to the market, and consolidation of risk reports; together these required 1.5 FTE more than they do now.
- Providing a GRC reporting repository and dashboards on mobile devices with real-time risk information to the business allows automated reporting internally as well as externally (e.g. Form 20-F, Annual Report), leading to 30% gains in efficiency.
- SAP has seen a 50% reduction in control testing efforts.
- With workflow-based exception handling, SAP has seen a reduction in manual effort by 30%.
- SAP has realized a 15% reduction in audit fees from external auditors through enhanced controls that auditors can rely on.
GRC 20/20 has evaluated and verified the following qualitative measures of GRC architecture and integration efficiency value:
- SAP reports efficient resolution of issues through direct workflow routing with predefined issue prioritization to the responsible process owner.
- SAP has seen enhanced detection and response time in the context of control testing and exception reporting.
- Responsible owners directly manage resolutions of exceptions through remediation in the system.
- Real-time central and mobile reporting from within an integrated GRC information architecture eliminates manual reconciliation effort across all management levels, including board risk reporting.
GRC Architecture & Integration Effectiveness Value
SAP, utilizing SAP GRC solutions, has been able to identify both quantitative (hard, objective facts and figures) and qualitative (soft, subjective opinions and experience) measures of value as they pertain to the effectiveness of GRC architecture and integration that the organization has benefited from.
GRC 20/20 has evaluated and verified the following quantitative measures of GRC architecture and integration effectiveness value:
- SAP has achieved 100% control evaluation for automated controls, where it used to rely on random sampling.
- With a centralized repository holding 20 regulations, 580 organizations, and 1,350 risks allocated to 50 different risk categories associated with 900 activities in 80 activity categories, and more than 120 processes and 350 sub-processes with 2-800 controls, SAP has realized a 20% efficiency gain in maintenance effort.
GRC 20/20 has evaluated and verified the following qualitative measures of GRC architecture and integration effectiveness value:
- SAP has an effective information architecture with workflow-based assessment and remediation of high-risk scenarios.
- SAP now has one integrated GRC architecture that unifies controls, risks, and master data repositories when it used to have stand-alone systems.
- Reusable test plans and surveys supported by workflow and notifications, along with control monitoring and assurance, have made SAP more effective across GRC areas.
- Higher automation improves GRC process efficiency, supports compliance, improves data security and accuracy, and provides reliable GRC transparency.
- Automated control monitoring of system configuration, business master data, and transactional data is fully integrated in SAP business process and control repositories.
- Proactive analysis of audit violations and monitoring of response effectiveness with risk-based scenario analysis, scoping, and audit have led SAP to reduced audit and risk management costs.
- Pre-defined deficiency criteria drive exception and issue reporting with notification to the responsible control owner.
GRC Architecture & Integration Agility Value
SAP, utilizing SAP GRC solutions, has been able to identify both quantitative (hard, objective facts and figures) and qualitative (soft, subjective opinions and experience) measures of value as they pertain to the agility and responsiveness of GRC architecture and integration that SAP has benefited from.
GRC 20/20 has evaluated and verified the following quantitative measures of GRC architecture and integration agility and responsiveness value:
- SAP has enabled automated control testing and remediation across 65 automated controls associated with 100 business rules, with a measured 90% increase in speed at 100% accuracy.
GRC 20/20 has evaluated and verified the following qualitative measures of GRC architecture and integration agility and responsiveness value:
- Integration of risk-management-relevant data into the customer engagement lifecycle supports SAP’s sales and consulting in a dynamic and distributed business environment. SAP’s ‘high risk scenarios’ approach supports risk assessment in the opportunity phase and enables project managers to use this risk-relevant data in the corresponding customer project.
- The use of high-risk scenarios and the corresponding automated pre-screening of opportunities supports a balanced and effective utilization of risk appetite in each region.
- Embedding risk-related information directly into the customer engagement lifecycle now allows for significantly faster deal closure in accordance with this risk appetite, and a much higher degree of transparency about the risk level of an opportunity that later turns into a customer project.
- SAP’s integrated GRC architecture enables it to focus internal monitoring and testing analysis on strategic markets and higher-risk areas.
- SAP reports increased decision-making capabilities resulting from more timely and accurate data with increased transparency of risk assessments and remediation.
GRC 20/20’s Final Perspective
SAP’s GRC strategy, supported by an integrated GRC architecture built on SAP GRC solutions, enables SAP to efficiently and holistically manage business processes and related risks in the context of its dynamic and distributed business environment. SAP has effectively established a single source of truth for risk- and compliance-relevant information that delivers insight and transparency to decision makers across SAP, allowing them to make risk-based decisions at any time and at all levels of the organization.
©GRC 20/20 Research, LLC. All Rights Reserved.
No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of GRC 20/20 Research, LLC. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines established in client contract. The information contained in this publication is believed to be accurate and has been obtained from sources believed to be reliable but cannot be guaranteed and is subject to change. GRC 20/20 accepts no liability whatever for actions taken based on information that may subsequently prove to be incorrect or errors in analysis. This research contains opinions of GRC 20/20 analysts and should not be construed as statements of fact. GRC 20/20 disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. Although GRC 20/20 may include a discussion of related legal issues, GRC 20/20 does not provide legal advice or services and its research should not be construed or used as such.