Increasing Business Agility: An Integrated Approach to Governance, Risk, and Compliance Management



This SAP Executive Insight focuses on helping executives determine: What are the consequences of today’s typical GRC approaches? Where do their organizations stand from a GRC maturity perspective? How can they lay the foundation for an effective GRC strategy?

Published in: Business, Technology

Increasing Business Agility: An Integrated Approach to Governance, Risk, and Compliance Management

  1. SAP Executive Insight. Increasing Business Agility: An Integrated Approach to Governance, Risk, and Compliance Management
  2. Today’s business climate is complex and increasingly difficult to predict. Stakes are rising in a global market in which competition is fierce and brand loyalty is fickle. Across all industries, companies are grappling with high expectations and margin pressures. And at the same time, businesses face unprecedented numbers of legal, regulatory, and business partner mandates, as well as value chain requirements that affect nearly every aspect of their operations.

     According to a September 2006 benchmarking survey conducted by the Americas’ SAP Users’ Group (ASUG) and SAP on governance, risk, and compliance (GRC), most organizations today have a reactive approach to GRC management – a fire-drill method of channeling precious resources and management attention to address specific regulatory mandates independently in isolation from each other. The end result is a series of fragmented GRC activities and data sources that increase costs, limit visibility into business risks – and ultimately hinder business agility.

     To help companies become less reactive – and increase their organizational agility – executives need a clear path to GRC maturity. This SAP Executive Insight focuses on helping executives determine:
     • What are the consequences of today’s typical GRC approaches?
     • Where do their organizations stand from a GRC maturity perspective?
     • How can they lay the foundation for an effective GRC strategy?

     SAP Executive Insight – Increasing Business Agility
  3. Executive Agenda at a Glance

     Overcoming Barriers to Business Agility

     In today’s business environment, the most successful organizations are often the most agile. It’s this agility that allows organizations to sense and respond to opportunities with ease and stay competitive in the midst of turbulent and fast-changing business conditions. But for most, this doesn’t come easily. According to a recent SAP survey conducted with the Economist Intelligence Unit of more than 4,000 corporate executives, more than 33% ranked “ability to change” as their top challenge, ahead of “speed of innovation” or even “maintaining customer loyalty.”

     Major trends of the last five years – such as globalization and radical shifts in business models – have escalated the need for business agility while simultaneously throwing up roadblocks. The impacts of these trends have triggered ripple effects from a governance, risk, and compliance (GRC) perspective. The problem is that most businesses today are taking far too narrow an approach to managing GRC, leaving them slow to respond, driving up costs, and leaving them open to unexpected and potentially harmful business risk.

     Enabling Integrated GRC

     To address these requirements, forward-thinking organizations are taking a broader, more integrated approach to managing interrelated strategic planning activities and business risks. The path to reaching GRC maturity typically leads through four phases:
     • Blissful unawareness
     • Reactive, fragmented implementation
     • Consolidation
     • Operational excellence

     Essentially, this approach is an evolution toward an integrated program of GRC management and away from the current fire-drill method of channeling precious resources and management attention to address specific regulatory mandates independently.

     Capturing the Value of Integrated GRC

     Organizations that have moved to an integrated approach have been able to realize a new level of confidence and transparency regarding compliance. In addition, businesses have realized significant benefits:
     • Optimized risk-return portfolio
     • Reduced GRC costs
     • Improved business performance and predictability
     • Business sustainability
     • Greater business agility
  4. Taking a Common and Integrated Approach to GRC: From Silos to Cohesive Strategy

     In September 2006 the Americas’ SAP Users’ Group (ASUG) and SAP launched a benchmarking survey focused on GRC. Their findings indicate that GRC initiatives today are largely driven by government mandates and reactive in nature. In other words, these initiatives are primarily focused on addressing the latest compliance issues, with minimal attention on risk and governance, and are usually executed and managed in “silos” by individual departments (see Figure 1). This approach typically results in fragmented GRC activities and data that drive up costs and hinder visibility into business risks. The following survey results point to the consequences of this approach:
     • Compliance-focused GRC investments are starting to generate value. In fact, more than 85% of survey respondents believed that their GRC investments helped them reduce the number of significant deficiencies and material weaknesses, and control violations within their businesses.
     • However, more than 75% of respondents said that the associated costs still outweigh the benefits.
     • More than 48% indicated that they had increased their GRC investments the year prior.

     In reality, governance, risk, and compliance are interdependent and must be managed holistically in an integrated approach. A single set of applications deployed together support a cohesive strategy for ensuring compliance and monitoring, identifying, and managing risk across the enterprise. Ideally, all applications operate using a single, shared GRC data repository that provides complete visibility across the organization and automates manual tasks. This approach eliminates fragmentation and dramatically simplifies management and execution of GRC initiatives. Companies should also define their governance strategy before dealing with purely compliance issues.

     Embedded GRC Applications

     As illustrated in Figure 2, an integrated approach also assumes that GRC management is built into all core business processes, not treated as a separate process. This means that GRC applications are embedded in day-to-day activities, drive the automation of routine activities, and ensure information and process consistency across the business. This makes it easy to compile data for a comprehensive perspective on overall risk exposure, monitor compliance and risk, and adjust business processes in response to new opportunities and regulatory mandates.

     GRC challenges and ratings (1 = most challenging; 10 = least challenging):
     • Necessary information is contained in complex and heterogeneous IT landscapes. (Rating: 3.88)
     • Governance, risk, and compliance management is fragmented at a departmental, divisional, or regional level, making it difficult to attain enterprise-wide business transparency. (Rating: 4.00)
     • Control activities are manual and take too much time. (Rating: 4.18)
     • Collaboration between IT, business process managers, finance, and auditors is weak. (Rating: 4.31)
     • Governance, risk, and compliance management effectiveness is difficult to quantify and measure. (Rating: 4.53)

     Figure 1: GRC Challenges (Source: ASUG/SAP Benchmarking)

     [Figure 2 diagram labels: Cross-Enterprise GRC (Legacy, SAP® Software, 3rd Party); Cross-Functional GRC (hire-to-retire, reconcile-to-report, procure-to-pay, order-to-cash, production-to-delivery); Cross-Application GRC]

     Figure 2: Supply Chain Benchmarks for Semiconductor Companies (Source: ASUG 2007 Semico Benchmarks)
  5. A Clear Path to GRC Maturity: Four Phases to Operational Excellence

     Each organization needs to chart its own GRC course. Figure 3 illustrates the typical phases of GRC maturity and the types of activities that organizations in each phase typically engage in.
     • Phase I: Blissful unawareness
       – Organization is unaware of GRC interdependencies and focuses only on the obvious and most critical (or mandatory) compliance issues.
       – Limited investment is made in tools and policies to support GRC.
     • Phase II: Reactive, fragmented implementation
       – Organization responds to local regulatory compliance issues by engaging in disjointed, tactical GRC approaches.
       – A large number of independent teams deals with specific regulation, risk, or other governance issues.
       – There is a limited understanding of the real cost of compliance, current risk exposures, and lost opportunities.
     • Phase III: Consolidation
       – Organization is ready to initiate a strategic change based on one consistent, enterprise-wide GRC framework.
       – Successful pilot initiatives validate the GRC framework approach.
       – Executives have a well-balanced enterprise-wide view of all compliance and risk issues and know where the “hot spots” are.
     • Phase IV: Operational excellence
       – Managers have a balanced GRC view across all processes and projects.
       – GRC is absorbed at all organizational levels across the enterprise.
       – A common language and set of metrics are in place for use with all initiatives.

     Rohm and Haas
     Industry: Chemicals
     Summary: Rohm and Haas Company is a global manufacturer of specialty materials used in industries such as paint and coatings, electronics, water treatment, and plastics. Rohm and Haas needed to establish a global approach to comply with regional volume-based restrictions such as the European Union’s Registration, Evaluation, Authorization and Restriction of Chemicals (REACH) regulation.
     Results with SAP® Software:
     • Positioned company for long-term compliance with volume-based regulations
     • Improved accuracy and quality of compositional data
     • Improved ability to identify the regulation-defined volume bands for the company’s substances

     [Figure 3 chart: maturity plotted against time across four phases (I. Blissful Unawareness Phase; II. Reactive, Fragmented Implementation Phase; III. Consolidation Phase; IV. Operational Excellence Phase). Activity labels on the chart: ad hoc, “must-have” activities; rush projects to react to mandates; create inventory of G, R, and C initiatives; rationalize projects; initiate strategic change; identify high-risk projects as pilots; design integrated GRC framework; establish cross-functional teams; move towards enterprise GRC; identify business improvement opportunities; continuous process improvement; track technology and business changes]

     Figure 3: SAP Supply Chain Benchmarks for Semiconductor Companies (Source: ASUG 2007 Semico Benchmarks)
  6. Realizing the Benefits: Transparency and Agility

     Regardless of the current level of GRC maturity, there are four cornerstones involved in laying the foundation of an effective GRC strategy:
     • Get buy-in from the entire management team, including the board of directors and the executive team.
     • Ingrain GRC at every level of the company, as mandated by the senior team.
     • Drive the adoption of the GRC framework with select, high-priority initiatives.
     • Leverage GRC as a proactive business optimization instrument. GRC is leveraged to effectively drive competitive advantage, based on business transparency and predictability.

     An integrated GRC approach offers many benefits. First, it provides a new level of transparency and confidence regarding compliance across the business and beyond – delivering value to the board, line-of-business management, and external stakeholders. In addition, businesses realize the following benefits:
     • Optimized risk-return portfolios: An effective GRC approach provides the transparency and insight that business executives need to make decisions based on risk impact and probability relative to potential return.
     • Reduced GRC costs: Transitioning to an integrated GRC approach significantly reduces the number of people – and the amount of time – required to control and address risk.
     • Improved business performance and predictability: This approach enables transparency across the enterprise and beyond, giving management a systematic way to anticipate and control risks. Managers have tools to determine actions and critical tasks that will reduce business performance variability.
     • Business sustainability: An integrated GRC approach provides a clear path to sustainable compliance and risk management, even as mandates increase and business models and processes become more complex.
     • Greater business agility: An integrated approach to GRC increases business agility by helping organizations accelerate decision making and identify associated business risks and their interdependencies.

     GRUMA
     Industry: Consumer products
     Summary: GRUMA is the worldwide leading producer of corn flour and tortillas and sells its products in over 50 countries. GRUMA required a process and tool to ensure that its end users had the right access privileges to perform day-to-day business operations without exposing the business to risk. Governance regulations and increased internal controls are necessary for GRUMA.
     Results with SAP® Software:
     • Greater ability to track compliance with auditors’ recommendations and measure improvements
     • Better compliance with regulations
     • Internal IT audit revision time now 90% faster and external IT audit revision time now 50% faster
  7. The Road Ahead: Act Now

     Companies should take a broader, more proactive approach to managing interrelated strategic planning activities and business risks by developing an integrated GRC management strategy and thinking beyond just compliance with the Sarbanes-Oxley Act. This involves deploying a single set of integrated applications that ensure compliance and proactively monitor, identify, and manage risk across the enterprise. These applications should operate using a single, shared GRC data repository – the key to gaining complete visibility across the organization and automating manual tasks. Once deployed, companies can eliminate fragmentation, reduce compliance costs, make risk-informed plans and decisions, and dramatically simplify management and execution of GRC initiatives.

     Further Reading

     To learn more, please visit or contact your SAP representative about the following:

     SAP® White Papers
     • Governance, Risk, and Compliance Management: Realizing the Value of Cross-Enterprise Solutions
     • An Integrated Approach to Managing Governance, Risk, and Compliance

     SAP customer stories and profiles
     • Bacardi
     • Canadian Pacific Railways
     • GlobalSantaFe Corporation
     • Molex
     • NVIDIA Corporation
     • Synopsys
     • The Coleman Company
     • Wolverine World Wide Inc.
     • Xerox Europe

     Benchmarking Services From SAP

     The ASUG/SAP Benchmarking and Best Practices program provides a forum for SAP customers to track trends, share best practices, and measure value based upon key performance drivers. To date, more than 35 companies have participated in the GRC study. The GRC Benchmarking initiative addresses the drivers, benefits, investment levels, staffing, challenges, and general characteristics of GRC management. In addition to GRC, ASUG/SAP Benchmarking programs exist for several additional operational areas, including finance, human capital management, supplier relationship management and procurement, supply chain and manufacturing, new product development and introduction, customer contact centers, total cost of ownership, and business intelligence. For more information about the ASUG/SAP Benchmarking program, visit or contact
  8. 50 093 054 (08/12) ©2008 by SAP AG. All rights reserved. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in several other countries all over the world. Business Objects is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. /contactsap