The Role of Business Intelligence in Your Governance, Risk, and Compliance Programs

http://spr.ly/SBOUC_VP - Governance, risk and compliance (GRC) programs advance in response to added compliance requirements and the need for further risk oversight. Successful GRC programs have leveraged business intelligence to meet monitoring, analytical and reporting needs. Learn how BI innovations may allow GRC to be managed more strategically in real time and with predictive analytics. Presenter: Bruce McCuaig, SAP

  1. The Role of Business Intelligence in Your Governance, Risk and Compliance Programs
     Bruce McCuaig, Director, SAP GRC Solution Marketing
  2. Agenda
     • GRC – History, Importance, Definition
     • SAP Solutions for GRC
     • Current State of the GRC Profession
     • A Practical Approach to a GRC Discipline
     • The Role of BI in GRC
     • Wrap-up
     © 2012 SAP AG. All rights reserved.
  3. GRC History: Lessons from the Financial Crisis (OECD)
     "... the financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies."
  4. GRC History: From the OECD report
     • Information about exposures did not reach the board and even senior levels of management.
     • Risk management was activity rather than enterprise-based.
     • Boards approved strategy but did not establish suitable metrics to monitor its implementation.
     • Remuneration systems have not been closely related to the strategy and risk appetite of the company and its longer term interests.
  5. GRC Importance: Other reasons for corporate failures
     • Decisions may be made based on unreliable or untimely information
     • Employees don't understand how the strategy affects them, and how their decisions impact others
     • It's unclear who is accountable for ensuring execution of initiatives, projects, and tasks
  6. GRC Importance: Other reasons for corporate failures (cont.)
     • There's no link between budgeting and strategy
     • There's no link between strategy and risks: risks are not addressed and managed during strategy definition, planning, execution, or monitoring
     • Incentive systems aren't linked to strategy; individual goals are not aligned with the company's
     • Plus … there needs to be executive commitment and a culture that embraces performance management
  7. Question: Isn't There a Role for BI Somewhere Here?
  8. GRC Defined
     A capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. (Source: OCEG)
  9. GRC: "A system of people, processes and technology that enables an organization to: understand and prioritize stakeholder expectations; set business objectives that are congruent with values and risks; achieve objectives while optimizing risk profile and protecting value; operate within legal, contractual, internal, social and ethical boundaries; provide relevant, reliable and timely information to appropriate stakeholders; and enable the measurement of the performance and effectiveness of the system." (Source: OCEG)
  10. Agenda – section: SAP Solutions for GRC
  11. SAP solutions for GRC: Manage, Protect, Perform
     • SAP Access Control – Confidently manage and reduce access risk enterprise-wide
     • SAP Process Control – Ensure effective controls and ongoing compliance
     • SAP Risk Management – Align enterprise risks with business value
     • SAP Global Trade Services – Optimize global supply chain and ensure compliance
  12. Key Competencies For Success: SAP solutions for GRC
     • GRC for Industries: Oil & Gas, Banking, Utilities, CPG, Mfg, …
     • GRC for LoBs: Sales and Marketing, IT, Supply Chain, Finance, …
     • Analyze: Dashboards & Visualization; Interactive Analysis; Exploration; Reports
     • Manage: Risk; Compliance; Audit; Policy; Access; Exception
     • Monitor: KRIs; Controls; Transactions; Privileges; Events
     • Data sources: Enterprise Applications; Legacy Apps; IT Infrastructure
  13. SAP Process Control – Ensure effective controls and ongoing compliance
     • Automate compliance and control management
     • Continuously monitor control effectiveness
     • Embed compliance and control activities in business processes
  14. SAP Risk Management – Align enterprise risks with business value
     • Protect the fundamental business value drivers
     • Insight into the changing levels of risk
     • Visibility into catastrophic value destroying risks
  15. Agenda – section: Current State of the GRC Profession
  16. GRC Current State: Board Perspective (chart; source: OCEG)
  17. GRC Current State: Professional Perspective
     Gaps, overlaps, inconsistent language, different methodology, inconsistent or no standards, wide reporting variations, no collaboration, no common goal, no link to business performance, professional distrust… across Operational Risk, Audit, Enterprise Risk, Compliance, Financial Controls, IT and Governance.
  18. GRC Current State: Evolving Infrastructure and Environment
     The infrastructure and environment required to support sustained, value-adding GRC is growing slowly.
     Key Capabilities for GRC Success – Exists (Y/N):
     • Proven implementation strategies and mature oversight practices for Boards: N
     • A community of professionals trained and certified in best practices: N
     • Widely accepted standards are in place: N
     • A consistent methodology exists, has been effectively communicated, and is adhered to: N
     • Service providers offer non-proprietary methods and tools: N
     • Standard reporting formats exist (e.g., no analogy to balance sheet and P&L): N
     • An assurance process exists to certify results: N
     Technology will not succeed in the absence of sound strategy and support.
  19. Current State – Closing the Gap: Comparing Risk Management and Financial Management
     Financial Management | Risk Management | Steps to Align
     1. Financial accounting is supported and driven by trained and certified financial professionals around the world. | Risk management is an emerging profession with ad hoc training at best. Many risk management professionals have no relevant training; many are financial management professionals. | Support and influence key standard setters such as COSO, OCEG, NACD and support research and best practices through EIU and selected partners.
     2. Financial accounting is governed by specific rules and principles (GAAP, IFRS). Diversity in practices is limited. | There are few formal, widely accepted frameworks guiding risk management. Diversity in practices is enormous. | Provide sound, simple, logical structure for ERM aimed at Boards and C-Level Executives.
     3. Financial statements and internal control systems are audited. | Risk disclosures and risk management systems are unaudited. | Ensure "transparency" of ERM through reporting, analytics, self assessment, survey tools and mobility.
     4. Financial management oversight provided by audit committees with strong legal mandate. | Board oversight of risk is emerging and legitimacy of Board role is established. | Provide Boards and C-suite execs with simple questions, standards, and reports for their oversight role.
     5. Standard reports exist (e.g., Balance sheet, P&L etc.). | No standards exist for what to report or how to report. Practitioners are often secretive. | Focus on value, then risk. Link ERM reporting to business performance.
     6. Enabled by integrated mature technology that supports content, methodology and reporting. Financial management preceded technology and shaped technology solutions. | Enabled by technology in a vacuum of content, methodology and reporting. Technology precedes risk management and can shape its standards and practices. | Integrate RM/PC/AC/EPM to support Principled Performance® or an objective-based approach.
  20. Current State – Integrating GRC: Aligning Three Perspectives
     Three distinctly different views are integrated for fire prevention:
     1. The Control Perspective – Fires are inevitable but they can be extinguished if detected promptly. Install fire extinguishers. → Document and test controls. Identify issues and correct deficient controls.
     2. The Risk Perspective – Fires occur when flammable material is exposed to a source of ignition. Find and eliminate those causes. Avert fires. → Find the risk drivers for risk categories and monitor key risk indicators to avert risk events.
     3. The Compliance Perspective – Careless people cause fires. Persuading people to change behavior will prevent fires. → Develop policy, communicate, motivate and train to manage risky behavior.
  21. Integrated GRC – Shifting from Belief to Knowledge (source: OCEG)
     Current State – Belief Based:
     • Managed in silos
     • Reactive
     • Project or program approach
     • Separate from mainstream processes and decision-making
     • Fragmented use of technology
     Future State – Knowledge Based:
     • Enterprise approach
     • Proactive
     • Systemic approach
     • Embedded within mainstream processes and decision-making
     • Architected solutions
  22. Agenda – section: A Practical Approach to a GRC Discipline
  23. A Practical Approach to a GRC Discipline: Shift the Focus of GRC to Value
     Where is the fundamental value of the business? What drives that value? What can destroy that value?
     • GRC solutions and practitioners must align on value drivers
     • GRC activities must create knowledge on how value is added/destroyed
     • GRC must create knowledge on how emerging risks and opportunities impact value
  24. Example: Oil and Gas — Finding the Value
     Where is the value of the Oil and Gas business? Inventories? Refineries? Pipelines? Management expertise? Service stations? Oil and gas reserves?
  25. Example: Oil and Gas — Finding the Value (cont.)
     Personal Anecdote: Matching Value and ERM Resources in Oil and Gas
     • 90% of ERM resources are spent on: refineries; inventories; inventory accounting systems; inventory computer systems; crude and natural gas allocation systems
     • In an integrated oil and gas company 90-98% of value is in proven developed and undeveloped oil and gas reserves in the ground
  26. What Processes/Activities Drive Value?
     What processes drive value (reserves) in Oil and Gas? Inventory management; Royalty management; Joint venture/partner management; Refinery maintenance; Finding and development (Land acquisition, Exploration, Development, Reservoir management)
  27. Finding the Killer Risks
     Where are the killer risks in Oil and Gas? Commodity prices; Political; Pipeline explosions and spills; Refinery explosions and spills; Well blowouts
  28. Example: Utilities — Finding the Value
     Where is the value of an Electrical Utility? Fixed Assets? Human Resources? Spare parts inventories? Billing systems? Environmental controls? Reliability?
  29. Example: Utilities — Finding the Value (cont.)
     Personal Anecdote: Matching Value and ERM Resources in Electrical Utilities
     • 75-90% of ERM resources are spent on: service parts inventories; spare parts inventories; procurement systems; billing systems; capital expenditures; SOX
     • Electrical Utilities are valued largely based on their reliable generation, transmission and distribution of power
  30. What Processes/Activities Drive Value?
     What processes drive value (reliability) in an Electrical Utility? Payables/inventory; Payroll; Financial reporting; Customer billing systems; Energy Supply; Energy Generation; Transmission/Distribution
  31. Finding the Killer Risks
     Where are the killer risks in electrical generation and transmission? Commodity price volatility; Commodity supply; Energy availability; Extreme weather; Grid failure
  32. Example: Health Care — Finding the Value
     Where is the value of a Home Health Care Provider? Billing systems? Skilled people? Contracts with nursing agencies? Medical record systems? Client health outcomes?
  33. Example: Health Care — Finding the Value (cont.)
     Personal Anecdote: Matching Value and ERM Resources in Home Health Care
     • 90-95% of ERM/GRC resources are spent on: vendor selection; invoice processing; invoice verification; time and service tracking; financial reporting
     • Home health care agencies provide value based on their ability to keep clients safe in their home.
  34. What Processes/Activities Drive Value?
     What processes drive value (health outcomes) in Home Health Care? Claims management? Facilities management? Procurement/Payables? Case management! Vendor management!
  35. Finding the Killer Risks
     What are the big risks in Home Health Care? Pandemic; Aging population; Obesity; Diabetes; Vendor performance
  36. Example: Airlines — Finding the Value
     Where is the value of an airline? Reservation systems? Route structure? Aircraft fleet? Landing rights? Human resources?
  37. Example: Airlines — Finding the Value (cont.)
     One equity analyst prepared a research report and made buy/sell recommendations based entirely on their HR practices
     • Value was driven by customer experience
     • Customer experience was driven by how they were treated
     What % of ERM focus is on people management?
  38. Agenda – section: The Role of BI in GRC
  39. The Role of BI in GRC – Examples (repeats the three-perspective fire-prevention table from slide 20)
  40. The Role of BI in GRC: Creating a Value Dashboard
     Objectives (columns): Align Risk Management With Your Unique Value Drivers; Create Reliable Insight into How Value is Created and Destroyed; Act on Emerging Risks And Opportunities; Support
     Priority SAP KPIs (rows):
     • % of value drivers identified
     • % of value adding or preserving activities/processes identified
     • % of value driving activities with complete risk assessments and responses
     • Internal audit opinion on reliability of risk management process
     • # of unanticipated risk events occurring
     • # of risks identified by management vs. GRC professionals
     • % of risk, audit, compliance, financial reporting professionals using RM for planning, analysis, reporting etc.
     • Number of Key Risk Indicators, KRIs per Risk Driver
     • KRIs within range, KRI alerts outstanding
     • Percent of controls, policies etc. not linked to risks
     Legend: Priority KPIs; Sources <source names>; ISO 31000; COSO 2010 Report on ERM; Ability of SAP to support this KPI; Mapping of KPI to Value Prop
  41. The Role of BI in GRC – Controls in Oil and Gas Finding and Development Processes
     What Information is Required – Possible sources
     1. Are budgets approved? – Budget and planning system
     2. Is spending approved? – Capital expenditure system
     3. Are expenditures over/under budget? – Capital expenditure system for AFE tracking
     4. Are vendors approved? – Approved vendor list
     5. Are contractors qualified? – Public safety records
     6. Is reported production accurate? – Comparison to production history/planned profile
  42. The Role of BI in GRC – Controls in Oil and Gas Finding and Development Processes (cont.)
     What Information is Required – Possible sources
     7. Are wells classified properly? – Analysis of well location to reserves locations
     8. Are reserves booked properly? – Comparison of well classification to reserves
     9. Are F&D costs calculated properly? – Analysis of well costs to reserves booked
     10. Is seismic and other key data secure? – Analysis of access logs/unauthorized access attempts/incidents
     11. Is land position secure and valid? – Comparison of land to public records
  43. The Role of BI in Control Documentation and Testing
     Question: Can BI reduce the cost of controls in GRC by aligning them with business performance? Is knowledge of business performance evidence of control effectiveness?
  44. The Role of BI – Client Safety Risks in Home Health Care
     What Information is Required – Possible Sources
     1. Are service providers meeting SLA? – Complaints; missed nursing visits; caregiver certification
     2. Are clients receiving care at home? – Hospital emergency admissions for clients/non-clients
     3. Are clients safe? – Reported safety issues/incidents
     4. Are hospitals discharging on time? – Rates of non-essential hospitalization (ALC rates)
     5. Is case management equitable? – Benchmark against other home health care providers
     6. Are priority clients served? – Track % of high need 75+ age; resources allocated by category
     7. What are the risk drivers? – diabetes, dementia, obesity
  45. The Role of BI in GRC Risk Management
     Question: Can BI drive improved performance through better risk management? Can predictive indicators avert or avoid risk and drive down incidents and loss events?
  46. The Role of BI: Assessing Human Behavior Driving Airlines Customer Experience (chart, April 2007)
  47. The Role of BI: Driving Airline Value With Human Behavior
     • % of employee shareholders
     • Key employee departures
     • Applications received for advertised position
     • % of HR staff to total staff
     • Average employee age
     • Average education level
     • % of profit sharing to total comp
     • Frequency of performance reviews
     • Extent, duration of employee assistance
     • Average training days/year
     • % training budget on front line staff
     • Absenteeism rates
     • # and duration of labor disruptions
     • Revenue per employee
     • Overall employee turnover
     • % of social liabilities unfunded
     • Customer satisfaction surveys
     • % HR representation on management committees
  48. The Role of BI in Human Capital Management
     Question: Can BI help align human capital with corporate value drivers? Can BI help measure and improve aggregate human performance?
  49. Agenda – section: Wrap-up
  50. Wrap Up: The Role of BI in GRC
     • GRC practices have failed to routinely detect or prevent catastrophic losses and corporate failures
     • GRC practices today largely ignore business performance as a variable
     • Today's GRC practices are fragmented, siloed and inefficient
     • BI has the potential to transform GRC practices by: creating dashboards to map GRC activities to value; reducing the reliance on controls in favor of knowledge of performance; increasing performance by monitoring, predicting and driving down risk events; aligning human behavior with value creation
  51. Thank You!
     Contact information: Bruce McCuaig, Director, Solution Marketing, Governance Risk and Compliance
     Bruce.mccuaig@sap.com
     +1 647 823 8490
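One way to turn controls 2, 3, 4 and 10 from the finding-and-development tables (slides 41 and 42) into continuous monitoring checks that feed the KRIs of a value dashboard, as an added Python example that is not SAP's code; the AFE numbers, vendors, user names and access-log lines are constructed:

```python
# Added illustration (not SAP code): controls 2/3 (spend approved, within AFE
# budget), 4 (vendor approved) and 10 (seismic data access) as checks over
# constructed records, rolled up into KRIs a value dashboard could display.
import re
from collections import Counter

# Constructed sample data (hypothetical AFE numbers, vendors, users).
AFES = [  # Authorization for Expenditure: approved budget vs. spend to date
    {"afe": "AFE-1001", "approved": True,  "budget": 2_000_000, "spent": 1_850_000},
    {"afe": "AFE-1002", "approved": True,  "budget": 500_000,   "spent": 640_000},
    {"afe": "AFE-1003", "approved": False, "budget": 750_000,   "spent": 120_000},
]
APPROVED_VENDORS = {"Northfield Drilling", "Prairie Seismic"}
INVOICES = [
    {"id": "INV-7", "vendor": "Northfield Drilling", "amount": 90_000},
    {"id": "INV-8", "vendor": "Acme Well Services", "amount": 15_500},
]
# Constructed access-log lines for the seismic data store.
SEISMIC_LOG = """\
2012-04-02T08:01:10Z user=geo.anna action=read path=/seismic/block7 result=ALLOW
2012-04-02T08:03:44Z user=ops.tom action=read path=/seismic/block7 result=DENY
2012-04-02T08:03:51Z user=ops.tom action=read path=/seismic/block9 result=DENY
2012-04-02T08:04:02Z user=ops.tom action=export path=/seismic/block9 result=DENY
2012-04-02T09:15:00Z user=geo.anna action=export path=/seismic/block7 result=ALLOW
"""
LOG_RE = re.compile(r"user=(\S+) action=(\S+) path=(\S+) result=(ALLOW|DENY)")


def check_afe_spending(afes, tolerance=0.10):
    """Controls 2 and 3: spend must be approved and within budget (+tolerance).
    Returns the AFE numbers that breach either condition."""
    exceptions = []
    for a in afes:
        if not a["approved"]:
            exceptions.append(a["afe"])
        elif a["spent"] > a["budget"] * (1 + tolerance):
            exceptions.append(a["afe"])
    return exceptions


def check_vendor_approval(invoices, approved):
    """Control 4: every invoice must come from a vendor on the approved list."""
    return [i["id"] for i in invoices if i["vendor"] not in approved]


def check_data_access(log_text, deny_threshold=3):
    """Control 10: count denied accesses to seismic data per user and report
    users at or above the threshold as a KRI alert."""
    denied = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(4) == "DENY":
            denied[m.group(1)] += 1
    return {u: n for u, n in denied.items() if n >= deny_threshold}


def build_kri_dashboard():
    """Roll the control results up into KRIs for the value dashboard."""
    afe_ex = check_afe_spending(AFES)
    vendor_ex = check_vendor_approval(INVOICES, APPROVED_VENDORS)
    access_alerts = check_data_access(SEISMIC_LOG)
    return {
        "pct_afe_out_of_control": round(100 * len(afe_ex) / len(AFES), 1),
        "unapproved_vendor_invoices": vendor_ex,
        "seismic_access_alerts": access_alerts,
        "kri_alerts_outstanding": len(afe_ex) + len(vendor_ex) + len(access_alerts),
    }


if __name__ == "__main__":
    for k, v in build_kri_dashboard().items():
        print(f"{k}: {v}")
```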