SAP GRC Risk Management, Process Control, and Access Control provide integrated governance, risk, and compliance management capabilities. They help create improved visibility of risks, lower the cost of risk management through automation, and increase efficiencies. SAP GRC Risk Management provides holistic risk visibility and intelligence. SAP GRC Process Control offers centralized controls management and testing. SAP GRC Access Control enables sensitive access and segregation of duties management. Together they support an integrated approach to GRC.
The presentation sheds light on the concept of GRC (Governance, Risk and Compliance). Features associated with GRC, such as its history, its impact on businesses and its types, are covered here.
Here is the list of the topics covered:
1. How was GRC developed?
2. What exactly is GRC?
3. The role of GRC in ISMS
4. Impact of GRC
5. Types of GRC
6. The role of IT-GRC in IT-RMC
7. IT-GRC Foundation
8. Why deploy an IT-GRC management system?
Governance, Risk, and Compliance Services (Capgemini)
Capgemini’s integrated and centralized approach to Governance, Risk, and Compliance (GRC) breaks through traditional functional silos to deliver effective enterprise risk management and compliance as a continuous process. We help organizations manage a range of enterprise risks in the areas of IT, finance and accounting, operations, and regulatory compliance with flexible solutions comprising a highly qualified CPA and CISA talent pool, innovative tools, and our unique collection of GPM best practice processes and controls.
What is GRC – Governance, Risk and Compliance (BOC Group)
A simple guide to learn what Governance, Risk and Compliance (GRC) is all about, why it’s important and how you can use it to help drive enterprise objectives.
For more information visit: https://www.boc-group.com/governance-risk-and-compliance/
Facilitated Risk Analysis Process - Tareq Hanaysha
One of the most popular methods of performing a risk analysis is the Facilitated Risk Analysis Process (FRAP). FRAP allows any organization to implement risk management techniques in a highly cost-effective way and to develop an efficient and disciplined process that ensures information-related risks to business operations are considered and documented.
Data security, quality and process transparency are areas that are posing risks for organisations in the age of Big and Small Data. In this presentation I define the problem and present some solutions to bridge the Data Governance chasm.
Software AG was top ranked in current offering and received among the highest scores in the strategy category in the Forrester Wave. webMethods Hybrid Integration Platform combines traditional on-premise integration with cloud integration capabilities to support a wide range of integration patterns for the modern digital enterprise.
Kellton Tech’s Digital Connected Enterprise (DCE) is a leader in enterprise-level integration, API management and multi-speed IT strategy, leveraging Software AG’s Digital Business Platform. Kellton Tech empowers the world’s best-known brands to use Software AG’s Digital Business Platform effectively to innovate, differentiate and win in the digital world.
In this session, we will discuss
- Details about webMethods 9.12 release
- Significant features and enhancements in webMethods 9.12
- Kellton Tech’s upgrade methodology and modernization offering
SAP Risk Management
www.auditbots.com
Organizations increasingly prefer their SAP operations to be assessed or audited during implementation as well as post-implementation, to make sure that all business controls are in place and that they comply with statutory, legal and other regulatory requirements such as Sarbanes-Oxley. Auditbot offers SAP Risk Management (ERM) services to its customers to meet these needs.
AuditBOT has been successful in addressing the SAP Audit & Controls and Compliance issues. We have been involved in projects typically involving Basis Security Review, Program Change Control, SAP Basis Authorizations, Legacy System interface controls, IT Environment review, Functional Configuration & Business Process review, User-access and segregation of duties.
SAP GRC online training on Access Control, which includes all four components: Access Risk Analysis (ARA), Emergency Access Management (EAM), Access Request Management (ARM) and Business Role Management (BRM).
GRC 12 online training
SAP GRC 10 Online Training
Studio di Ingegneria Dott. Ing. Felicetto Massa (Felicetto Massa)
Brochure - Studio di Ingegneria Dott. Ing. Felicetto Massa
Energy management, consulting and design activities for smart buildings and smart cities
Governance, risk and compliance framework by Isorobot
GRC Framework presentation.
Ensure Reduced Risk and Excellent Compliance with Better Governance
What is GRC?
138
Initiative
#تواصل_تطوير
Lecture no. 138 of the initiative
Dr. Eng. Akram Hassan
Professor of Project Management
Titled
"Integrated Corporate Control Systems
Governance, Risk management and Compliance integrated systems"
Monday 29 November 2021
7 pm Cairo time
8 pm Makkah time
Via the Zoom application through the link
https://us02web.zoom.us/meeting/register/tZwofu-sqTspH9a04XXVZe1FIhkVKqbnTSVG
Note that the lecture will be streamed live on the channels of the Egyptian Engineers Association
We hope to succeed in offering what benefits engineers and the engineering profession in our Arab world
God grant success
To contact the initiative's management via the Telegram channel
https://t.me/EEAKSA
And to follow the initiative and the live stream through our various channels
LinkedIn and e-library link
https://www.linkedin.com/company/eeaksa-egyptian-engineers-association/
Twitter channel link
https://twitter.com/eeaksa
Facebook channel link
https://www.facebook.com/EEAKSA
YouTube channel link
https://www.youtube.com/user/EEAchannal
General registration link for the lectures
https://forms.gle/vVmw7L187tiATRPw9
Note: free attendance certificates are available to those who register via the evaluation link at the end of the lecture
A New Era of Compliance: Innovations in ServiceNow GRC (Aelum Consulting)
ServiceNow GRC automates various GRC processes, reducing the manual effort and time required for tasks such as risk assessment, audit management, and compliance reporting. This automation not only saves resources but also enhances the speed and accuracy of GRC activities.
This paper is a primer on the RSA GRC Reference Architecture, a visual representation of the GRC framework needed within an organization to meet today's governance, risk, and compliance needs. The architecture provides a starting vision of how an organization should view GRC, its guiding principles, and its final objectives.
When GRC is done right, the benefits accrue. Organizations that integrate GRC processes and technology across all silos have:
o Reduced costs
o Reduced duplication of activities
o Reduced impact on operations
o Achieved greater information quality
o Achieved ability to gather information quickly and efficiently
o Achieved ability to repeat processes in a consistent manner
Even in today’s heavily regulated environment, company oversight organizations may not substantially cover several operational functions important to managing the business’s top-tier risks. In other instances, internal and external oversight groups redundantly monitor business processes. Additionally, simultaneously occurring assessments often burden and may overwhelm the company’s operational staff. Consequently, there exists a need to better align assessment activities with business risks and coordinate audits between oversight groups. StrategyDriven’s Risk Assurance Maps address all of these challenges.
StrategyDriven’s Risk Assurance Maps enable visualization of the relationships between enterprise risks and their associated operational processes. Concurrently, they reveal the degree of oversight applied to these processes and the residual risk remaining based on the outcomes of these assessments and the performance revealed by the organization’s performance measurement system.
To learn more, visit: http://www.strategydriven.com/risk-assurance-maps/
The objective of ServiceNow's customer service management training is to understand current support designs and identify common issues that can easily be automated in a ServiceNow instance. Our trainers are here to help you build that skill. Want an outstanding career in ServiceNow? You are in the right place. We are experienced on the ServiceNow platform across the different kinds of services the ServiceNow organization offers, and we train candidates in the same. Join us to build your career.
GRC Strategies in a Business: Trends and Challenges (basilmph)
GRC services are primarily about governance, risk, and compliance. However, GRC strategies go beyond that. GRC revolves around every capability required to support principled performance at different levels of an organization.
=>Concept of Governance
=>Risk and Control (GRC) as applicable to IT operational risk
=>Importance of documentation
=>DATA FLOW DIAGRAM for every application
=>Review of changes in the Data flow, reporting, etc.
=>Parameters for review
=>Importance of review on SLA compliance
=>Reporting to IT Strategy committee, Board etc.
How does Operational Risk Management fit into an organization's Strategic Planning? This presentation attempts to provide a functional and implementable response.
Embedding RCSA into Strategic Planning and Business Strategy (Andrew Smart)
Embedding RCSA into Strategic Planning and Business Strategy
This presentation was prepared for the New Generation Operational Risk: Risk Culture and Business Conduct Behaviour conference in Helsinki, Finland.
In this presentation, Ascendore CEO, Andrew Smart outlines how to integrate Risk & Control Self Assessment into the Strategic Planning and Business Strategy.
Based on the Risk-Based Performance Management approach, during this presentation an integrated approach to strategy and risk management is outlined, with risk appetite playing a central role.
Designing Enhanced Supervision for the Evolving Wealth Management Ecosystem (Accenture)
Converging and rapidly evolving industry trends are creating a new wealth management environment that demands wealth managers redefine supervisory governance to best support the firm’s growth strategies while balancing strong risk management. In this new Accenture Finance & Risk presentation we explore the evolving wealth management trends and challenges and outline four key business supervision design questions to support sustainable, long-term growth.
1. Unlocking the power of SAP’s governance, risk and compliance technology
Insights on governance, risk and compliance
March 2013
2. iii Insights on governance, risk and compliance | March 2013
Contents
Introduction ......................................... 1
Governance, risk and compliance defined .............................. 2
Value of GRC technology ...................... 6
SAP GRC technology solutions ............. 8
  SAP GRC Risk Management ........................... 9
  SAP GRC Process Control ........................... 10
  SAP GRC Access Control ............................ 11
Conclusion ......................................... 12
3. Introduction
Risk management is no longer an ad hoc activity; it is an integral part of the day-to-day operations of organizations. External and internal risk management requirements are becoming increasingly complex and intrusive, while the demand for more comprehensive and actionable governance, risk and compliance (GRC) information continues to increase. The historic approach of managing risk in silos across different functions, processes, methods and infrastructure cannot keep up with these requirements; and, in many cases, risk management has become a growing operational and financial burden, limiting organizations’ ability to keep pace with essential business growth and transformational initiatives.
In order to manage these challenges, leading organizations are driving technology-enabled GRC transformation programs that can:
• Create improved visibility of enterprise risks and how these are mitigated
• Lower the cost of risk management through the reduction of manual processes and controls
• Increase efficiencies through standardization, simplification, automation and end-to-end process centralization
In this paper we will consider the scope of GRC; elaborate on what value GRC technology can bring to the table; and demonstrate how SAP GRC software supports risk management, process control and access control.
A robust GRC technology solution can help embed cost-effective risk management practices into daily business activities.
4. Governance, risk and compliance defined
What is GRC?
GRC is the umbrella term covering an organization’s integrated approach to governance, risk and compliance. While interpreted differently in various organizations, GRC typically encompasses activities such as governance, enterprise risk management (ERM), internal controls, regulatory compliance and internal audit. GRC activities are increasingly being integrated and embedded into organizational structures, processes, systems and data structures in order to avoid redundancies and to identify and close gaps; in other words, GRC acts as “assurance as a whole” for the entire organization.
Governance improves the alignment of risk activities to the strategic objectives of the business. The following governance activities enable clearer accountability and reporting, increase visibility of the risks that matter most to the organization, and enhance decision-making processes:
Strategy related:
• Setting the business strategy and objectives
• Establishing the organization’s culture and values
Risk related:
• Defining the roles and responsibilities of risk governance bodies
• Determining risk appetite
• Setting standards and policies
Risk management embeds risk activities into business functions and processes and helps to ensure optimization across the enterprise. The following activities allow the performance of predictive analytics to correlate driver-based performance management and identify trends and anomalies for rapid response:
• Identifying and assessing risks that affect the organization’s ability to achieve business objectives
• Determining risk response strategies
• Defining control activities
Compliance facilitates controls and processes to meet regulatory and business requirements. The following activities integrate automated control measures and continuous monitoring into the transactional processing cycle, resulting in transparency of risk and controls and the elimination of transactions “at risk”:
• Testing adherence to control activities, policies, standards and commitments
• Addressing issue management, tracking and remediation
5. The model below sets out Ernst & Young’s leading practice Risk Agenda. Its four components focus on increasing risk performance management and integrated GRC, providing an end-to-end GRC approach for an enterprise-wide scope.
Figure: The Risk Agenda, “Turning risk into results”: a wheel spanning the governance, risk and compliance dimensions, with four components.
Enhance risk strategy
• Improved alignment to the objectives and strategy of the business
• Improved visibility of risks that matter most to the organization
• Proactive identification of risks
• Enhanced decision making
Embed risk management
• Comprehensive and continuous risk management and monitoring
• Central management of financial, operational and compliance risks and controls across the organization
Improve controls and processes
• Better aligned risk coverage, including the identification of stronger, more pervasive controls
• Reduced level of effort associated with performing and testing controls
• Increased control and process efficiencies enabled through automation and continuous monitoring
• Improved control mix that addresses key business risks while driving process efficiencies
Optimize risk management functions
• Elimination of duplicate and fragmented risk management activities
• Increased integration and coordination among business, IT and compliance
• Sustainability of risk management process
• Effective top-down and bottom-up reporting
• Reduced cost of control
Enabling layers: policy management; risk management; compliance and audit management; process/controls optimization and continuous monitoring; data analytics, security and performance reporting.
Global Fortune 100 food and beverage company
Implemented a common risk and controls framework and centralized its process controls library across the organization to gain better visibility over its redundant control activities. Rationalized and automated the testing process for over 90 SAP automated business process controls.
6. Governance, risk and compliance defined
Why is GRC important now?
The world is constantly evolving, creating external pressures on organizations to drive performance and manage risk. A single negative risk event can destroy a company’s reputation. External and internal risk management requirements are becoming increasingly complex and intrusive, while the demand for more comprehensive, consolidated and actionable GRC information is also increasing. The historic approach of managing risk in silos across different functions, processes, methods and infrastructure cannot keep up with these evolving requirements. Risk management has become a growing operational and financial burden, limiting organizations’ ability to keep pace with business growth and transformational initiatives.
Figure: Historic GRC focus versus future GRC focus
Historic GRC focus (decentralized processes, risk managed in silos, fragmented activities):
• Inconsistent approach to capture and assess risks across the organization
• Segregation of duties violations
• Lack of confidence in accuracy and precision of risk identification
• Fragmented, manual and ad-hoc reporting
• Inability to produce a consolidated heat map
• Focus on compliance over risk performance management
• Lack of process and control standardization
• Multiple and manual risk activities
• Significant cost impact on business
Future GRC focus (end-to-end processes, enterprise-wide, integrated activities):
• Risk activities are consistently covered across all business units
• Centralized risk and risk assessment management
• Top-down and bottom-up risk integration
• Ability to manage risks at multiple organizational levels
• Consistent and real-time reporting
• Centralized and consolidated heat map
• Drill-down capabilities
• Compliant role design and user provisioning activities
• Centralized and consolidated views of end-to-end processes
• Automated risk activities and processes
• Significant work-flow automation
• Reasonable cost impact on business
Audit, risk and control functions have grown organically and in isolation, leading to challenges in alignment and communication at all levels of the enterprise and the disintegration of risk planning and performance management. Companies are now being forced to align in order to close gaps and eliminate overlaps, while focusing on the risks that matter and create value. Also, cost pressures in the current economic environment call for enhanced GRC management in the identification of hidden costs, inefficiencies in control and compliance structures, and in reducing duplicative activities at corporate and business unit levels.
7. Technology-enabled GRC transformation
Companies increasingly recognize the business value that technology-enabled GRC transformation offers. Business functions that previously focused on their goals in isolation are moving toward the integration of business, risk, finance and capital planning management. This enables risk management to focus on forward-looking developments and on building competitive advantage. A risk-aware culture should be promoted as a key value-added activity through all levels of organizations, allowing the focus to shift from downside to upside risk management.
The following diagram shows the development from a historical focus on risk and compliance functions in isolation through to a successful GRC transformation. The leading practice in GRC transformation enables organizations to achieve an integrated, end-to-end and enterprise-wide GRC state of maturity. It focuses on high-performance levels of risk management that no longer only protect but create business value.
Figure: From historical focus to future focus. Performance is plotted against risk management, moving from value protection (risk identification and reporting, then risk insight and performance improvement) to value creation (performance risk management). The expanded focus integrates governance, risk and compliance to create an end-to-end, enterprise-wide risk performance improvement, anchored by the Risk Agenda (“Turning risk into results”) and its four components: enhance risk strategy, embed risk management, improve control and processes, and optimize risk management functions.
Historical focus
► Fragmented, manual and ad-hoc
► Inability to produce a consolidated heat map
► High instances of segregation of duties violations
► Inconsistent and fragmented approach to capture and assess risks across the organization
Future focus
► Centralized and enterprise-wide risk assessment management
► Top-down and bottom-up risk integration
► Consistent and real-time reporting
► Centralized and consolidated heat map
► Consolidated end-to-end risk management processes
► Ability to manage risks at multiple organizational levels
► Automated and integrated risk activities across business functions
8. Value of GRC technology
Traditional GRC technology solutions were aimed at providing organizations with a single-issue solution, but nowadays leading companies utilize GRC technologies for multiple purposes. Whereas companies in the past focused on meeting a specific requirement, such as Sarbanes-Oxley compliance, leading organizations these days have other GRC activities to consider, such as audit management, regulatory compliance, IT governance, performance improvement and policy management. Therefore, integration, central databases and reusability are more important than in the past.
Organizations use GRC technology to enable, integrate and optimize their risk management functions and processes, while focusing on supporting strategic objectives and creating value. GRC technology is emerging rapidly and is being adopted by leading organizations. It provides one risk management language, consistency, integration, cost efficiency, innovation and effective work flows. GRC technology offers solutions to fully integrate governance, risk management, compliance and process improvement.
GRC technologies successfully transform risk performance levels by:
• Automating and standardizing processes and controls
• Embedding and maintaining one single version of risk and control data
• Managing holistic views of risk and compliance exposures
• Generating dynamic and real-time risk and control intelligence and reporting
• Analyzing risk-driven indicators and enabling exception-based decision making
• Escalating via work flow through different levels of the organization
Global Fortune 500 medical technology company
Rationalized 2,000 global process controls down to a total of 300, resulting in considerable savings from automation and benchmarking of controls. This company also implemented SAP GRC Access Control globally, which greatly improved audit results and resulted in a considerable reduction in ongoing testing efforts both internally and externally.
Selection process
Due to the increased importance of risk in driving shareholder
value, information technology vendors are now providing more
comprehensive and flexible GRC solutions, enabling companies
to expand their risk management programs and reach a greater
level of risk process maturity, while delivering quick wins in the
short-term.
In order to select the right GRC technology that meets risk management objectives in line with the business’ strategy, please be guided by this checklist:
Vendor qualification
• Company profile, market position and experience
• Long-term product strategy
• Strength of competitive differentiators
• Partners
• Customers
• Implementation approach
• Training
• Software licensing model, release strategy and maintenance support services
Functional requirements
• Product functionality
• Data repository management
• Reporting capabilities
• Work flow management
• Review, approvals and issue tracking functionality
• Risk management functionality
• Audit management functionality
• Controls monitoring functionality
• Analytics functionality
Technical requirements
• Vendor and product information
• Technical architecture
• Performance and scalability
• Product integration
• Mobile devices, remote access
• Software support model
• Information security
Global Fortune 500 oil and gas company
Strengthened its controls environment by standardizing its access management process
globally and implementing SAP GRC Access Control across its 20 SAP strategic systems. This
standardization drove efficiencies (20%—30%) around access management processes and improved
the risk posture by relying more on preventive segregation of duties and sensitive access checks
than on reactive, manual procedures.
In the current market, many information technology vendors offer GRC technology
solutions. In this paper we focus on the GRC technology solutions of SAP:
• SAP GRC Risk Management offers a holistic risk visibility, key risk indicators and
enterprise risk intelligence through dashboards and surveys.
• SAP GRC Process Control provides a central controls repository, self-assessments,
automated process and work flow management, as well as configurable controls
testing and real-time exception based reporting.
• SAP GRC Access Control enables sensitive access management and segregation of
duties, critical and emergency access management, and compliant access provisioning.
• SAP GRC Global Trade Services supports export/import compliance, customs e-filing and sanctioned party list screening in a global trade environment.
In the remaining part of this paper, we will focus on the first three components:
SAP GRC Risk Management, SAP GRC Process Control and SAP GRC Access Control.
SAP GRC technology solutions
[Figure: SAP GRC technology solutions, built on the SAP business process platform (Finance, Operations, Production, Sales, Purchasing), business performance optimization (Strategize, Plan, Execute, Analyze, Optimize) and business analytics (Know your business, Decide with confidence, Act boldly).]
Governance, risk and compliance:
• GRC Risk Management: holistic risk visibility, key risk indicators, risk intelligence through dashboards, surveys
• GRC Access Control: sensitive access and segregation of duties, critical and emergency access management, compliant access provisioning
• GRC Process Control: central controls repository, self-assessments, automated process and configurable controls testing, real time exception-based reporting
• GRC Global Trade Services: export/import compliance, customs e-filing, sanctioned party list screening
SAP GRC Risk Management
• Formal integration of risk management with strategy
• Repeatable framework to analyze and mitigate risk
• Continuously monitor key risk indicators across strategic objectives
SAP GRC Global Trade Services
• Identify, manage and prioritize risk exposure across global supply chains
• Automates export license management and electronic customs communication
SAP GRC Access Control
• Enables compliant continuous control of access and authorization across the enterprise
• Proactively protects information and prevents fraud through automated access risk analysis and remediation
SAP GRC Process Control
• Automated continuous control monitoring across policies and regulatory requirements
• Delivers cross-systems visibility and a unified repository of compliance information for efficient multi-initiative management
SAP GRC Risk Management
SAP GRC Risk Management provides an integrated approach to understanding and managing all of the risks that an organization faces. Its main purpose is to improve the quality of decision making. Additionally, it gives management the visibility to recognize the interdependency of risks, thereby decreasing the likelihood that the organization will be surprised by events that could have been predicted. The benefits are:
• Plan the integration of the management of risks and controls across the enterprise (strategic planning and business processes); this will unify the way the organization approaches strategic, financial, operational and compliance risks.
• Identify risk proactively and quantify exposure across the enterprise to improve transparency; automatically identifying and prioritizing risks through proactive alerts and escalations will provide additional security over regulatory compliance and prevent loss of reputation and resources.
• Analyze risks better and faster due to the improved decision-making process and the increased effectiveness and efficiency of the risk model.
• Respond quickly with risk response and mitigation activities to prevent risks from having a negative impact.
• Monitor the impact of risk against performance in an accessible and visible way; this will provide an effective reporting work flow.
SAP GRC Risk Management (SAP GRC RM) enables the four major components of the risk management model: risk governance, risk management, risk integration, and business process performance.
SAP GRC RM provides the following functionality:
• Common risk definition (risk profile, risk appetite, risk tolerances, strategy, objectives, etc.)
• Risk repository and classification
• Automated risk assessment process
• Centralized and consolidated risk heat map
• Risk correlation and simulation
• Automated and work-flow driven end-to-end risk management process
[Figure: SAP GRC RM risk management cycle: Plan risks, Identify risks, Analyze risks, Respond to risks, Monitor risks.]
SAP GRC Process Control
SAP GRC Process Control enables an organization to automate its internal control model (automatic and manual controls and testing/approval work flows) and its compliance monitoring, thereby reducing the effort required of the organization and giving the steering committee greater assurance over operations.
• Control repository centralization: creates a repository that centralizes all the documentation processes and management of the internal control model. This allows early detection of configuration and master data changes.
• Integration: increases integration and coordination among business, IT and compliance, allowing internal controls to be embedded into the business processes (functional areas take a more relevant role).
• Automation: ensures the compliance of the internal control model (continuous control monitoring (CCM)) and real-time control exception reporting, which increases confidence in the effectiveness of controls by eliminating the “human error” factor and improves the efficiency of the internal control model. By reducing the cost of compliance (less time, fewer people) and increasing effectiveness, the number of manual controls required in processes is minimized.
• Periodic and continuous monitoring: manages real-time notification of potential control failures based on established business rules; identifies production change anomalies that may indicate fraud through alerts; improves test effectiveness through configured controls with 100% coverage; and increases operational efficiency through standardization and policy management. Processes associated with the preparation and analysis of configured controls show higher efficiencies. Costs associated with audit failure are avoided.
• Cross-system visibility: enables a unified repository of compliance information for efficient multi-initiative management and enhanced visibility of process-related risk exposure and controls testing throughout the enterprise.
SAP GRC technology solutions
SAP GRC Process Control enables organizations to execute coordinated, transparent and automated compliance and risk management activities.
[Figure: SAP GRC Process Control key activities. Set up and manage: control environment; regulations, policies and audits; enterprise integration. Scope: materiality analysis; risk assessments; test strategies. Evaluate: test automated controls; test manual controls; perform assessments. Monitor: monitor exceptions; remediate issues. Sign-off and report: analytics and reports; certify, sign off and provide evidence.]
Functionality
• Interactive, multi-format control, testing, exception and remediation status across processes, policies, geographies and accounts
• Policy and certification management
• Near real-time notifications of control exceptions and associated impact
• Workflow-enabled activity and response rules
• User defined multi-step control effectiveness test plans
• ERP integration through 120+ delivered scripts or customizable SAP queries/reports for continuous control monitoring
• Centralized entity, process and control maps
• Risk assessment utilities and customizable testing strategies definitions
• Compliance support for multiple mandates and for strategic, financial, operational and IT risks
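The continuous control monitoring and exception reporting described above comes down to business rules evaluated against ERP transaction data, with each hit routed to a control owner. The following is an added example, written for this page and not code from SAP GRC Process Control: it defines three illustrative rules on vendor payments (approval above a limit, payment shortly after a change to the payee's bank details, and posting outside business hours), runs them over constructed sample postings and groups the exceptions into per-owner inboxes. The control ids, owners, thresholds and sample documents are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

THRESHOLD = 10_000.0                  # hypothetical approval limit
BUSINESS_HOURS = (7, 20)              # [07:00, 20:00), hypothetical policy
CHANGE_WINDOW = timedelta(hours=48)   # payment soon after a bank-detail change

@dataclass(frozen=True)
class Posting:
    """One vendor payment document from the ERP (constructed sample data)."""
    doc_id: str
    vendor: str
    amount: float
    posted_by: str
    approved_by: Optional[str]
    posted_at: datetime

@dataclass(frozen=True)
class VendorBankChange:
    """A change to a vendor's bank details in master data (constructed)."""
    vendor: str
    changed_by: str
    changed_at: datetime

@dataclass(frozen=True)
class ControlException:
    """A rule hit, routed to the control owner's inbox by the work flow."""
    control_id: str
    owner: str
    severity: str
    doc_id: str
    detail: str

def approval_rule(p: Posting, changes) -> Optional[str]:
    """Payments at or above THRESHOLD need an approver other than the poster."""
    if p.amount < THRESHOLD:
        return None
    if p.approved_by is None:
        return f"{p.amount:.2f} posted without approval"
    if p.approved_by == p.posted_by:
        return f"{p.amount:.2f} self-approved by {p.posted_by}"
    return None

def bank_change_rule(p: Posting, changes) -> Optional[str]:
    """Flag a payment made shortly after the payee's bank details were changed."""
    for c in changes:
        age = p.posted_at - c.changed_at
        if c.vendor == p.vendor and timedelta(0) <= age <= CHANGE_WINDOW:
            return f"paid {age} after bank details changed by {c.changed_by}"
    return None

def business_hours_rule(p: Posting, changes) -> Optional[str]:
    """Flag postings outside business hours."""
    start, end = BUSINESS_HOURS
    if start <= p.posted_at.hour < end:
        return None
    return f"posted at {p.posted_at:%H:%M}, outside business hours"

# (control id, owner, severity, check): ids and owners are hypothetical.
RULES = [
    ("C-P2P-01", "ap.manager", "high", approval_rule),
    ("C-P2P-02", "ap.manager", "high", bank_change_rule),
    ("C-GL-03", "gl.controller", "medium", business_hours_rule),
]

def run_ccm(postings, changes, rules=RULES) -> List[ControlException]:
    """Evaluate every rule against every posting and return the exceptions."""
    found = []
    for p in postings:
        for control_id, owner, severity, check in rules:
            detail = check(p, changes)
            if detail:
                found.append(ControlException(control_id, owner, severity, p.doc_id, detail))
    return found

def inbox(exceptions):
    """Group exceptions by control owner, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    by_owner = {}
    for e in sorted(exceptions, key=lambda e: order[e.severity]):
        by_owner.setdefault(e.owner, []).append(e)
    return by_owner

# Constructed sample data: one bank-detail change and one day of postings.
SAMPLE_CHANGES = [VendorBankChange("V-4711", "md.user", datetime(2013, 3, 4, 16, 0))]
SAMPLE_POSTINGS = [
    Posting("D-1001", "V-1000", 2_500.00, "ap.clerk1", None, datetime(2013, 3, 5, 9, 10)),
    Posting("D-1002", "V-2000", 48_000.00, "ap.clerk2", "ap.clerk2", datetime(2013, 3, 5, 10, 30)),
    Posting("D-1003", "V-4711", 12_000.00, "ap.clerk1", "ap.lead", datetime(2013, 3, 5, 11, 0)),
    Posting("D-1004", "V-1000", 900.00, "ap.clerk3", None, datetime(2013, 3, 5, 23, 45)),
]

if __name__ == "__main__":
    for owner, items in inbox(run_ccm(SAMPLE_POSTINGS, SAMPLE_CHANGES)).items():
        print(owner)
        for e in items:
            print(f"  [{e.severity}] {e.control_id} {e.doc_id}: {e.detail}")
```

Run on the sample data, D-1002 (self-approved above the limit) and D-1003 (paid within 48 hours of a bank-detail change) land in the accounts payable manager's inbox with high severity, and D-1004 (posted at 23:45) goes to the general ledger controller as medium. Each rule is a pure function of the posting plus reference data, which is what makes the check repeatable and its result evidence that can be certified at sign-off.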
SAP GRC Access Control
This suite of solutions is made up of various tools that allow the automation of the organization’s access control model, through a dual approach that first lets the organization detect and clean up segregation of duties (SoD) violations (“get clean”) and then keep it clean in the future (“stay clean”) by an automated process.
SAP Access Control enables the four major components of access management: risk analysis and remediation, enterprise role management, super-user privilege management and compliant user provisioning.
SAP GRC Access Control provides the following functionality:
• Role centralization: centralized and consolidated role design and definition that is business centered and compliance enabled, including a sensitive access and segregation-of-duties rule library.
• Access monitoring and control: automated emergency access management with integrated monitoring and reporting. Access anomalies indicating possible fraudulent activities are identified through alerts, and access request scenarios can be simulated across business processes and applications.
• Automation: automated work flows that facilitate the end-to-end access management process, such as self-service user access requests and the related approval processes.
• Compliance: compliant continuous control of access (including authorization), helping to enable segregation of duties (SoD) management across the enterprise.
• Protection: proactively helping to protect information and prevent fraud through automated access risk analysis and remediation.
SAP GRC Access Control (SAP GRC AC) enables four major components of access management: risk analysis and remediation, enterprise role management, superuser privilege management and compliant user provisioning.
[Figure: SAP GRC Access Control. Prevent: business role management (design roles and prevent violations); access request (provision regular access); emergency access management (provision emergency access). Detect: access risk management (identify and remediate violations).]
SAP GRC AC provides:
• Business-centered and compliance-enabled role design and definition
• Emergency access management with integrated monitoring and reporting
• Self-service user access request and approval process
• Centralized and consolidated sensitive and segregation of duties rule library
• Rapid identification of access violations and ability to simulate access request scenarios
• Automated and workflow driven end-to-end access management process
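The “get clean / stay clean” model above rests on one data structure, a rule library of conflicting business functions, used in two modes: a detective scan of existing role assignments and a preventive simulation of an access request before it is approved. The following is an added example, written for this page and not SAP GRC Access Control code. The SAP transaction codes it names (XK01, FB60, MIRO, F110, ME21N, MIGO, SU01, PFCG) are standard ones, but their grouping into functions, the rule ids, the Z_ roles, the users and the mitigating control are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Business functions expressed as the SAP transaction codes (t-codes) that
# enable them. The groupings are constructed; a real rule library is far larger.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MAINT": {"XK01", "XK02"},   # create / change vendor master data
    "INVOICE_POST": {"FB60", "MIRO"},   # post vendor invoices
    "PAYMENT_RUN": {"F110"},            # execute the automatic payment run
    "PO_CREATE": {"ME21N"},             # create purchase orders
    "GOODS_RECEIPT": {"MIGO"},          # post goods receipts
    "USER_ADMIN": {"SU01", "PFCG"},     # user and role administration
}

@dataclass(frozen=True)
class Rule:
    """An access risk: two conflicting functions (SoD) or one sensitive function."""
    rule_id: str
    risk: str                   # critical / high / medium
    functions: FrozenSet[str]   # size 2 = SoD conflict, size 1 = sensitive access
    description: str

RULES: List[Rule] = [   # rule ids and risk ratings are hypothetical
    Rule("P2P-001", "high", frozenset({"VENDOR_MAINT", "PAYMENT_RUN"}),
         "maintain vendor bank details and pay that vendor"),
    Rule("P2P-002", "high", frozenset({"VENDOR_MAINT", "INVOICE_POST"}),
         "create a vendor and post invoices against it"),
    Rule("P2P-003", "medium", frozenset({"PO_CREATE", "GOODS_RECEIPT"}),
         "order goods and confirm their receipt"),
    Rule("SA-001", "critical", frozenset({"USER_ADMIN"}),
         "sensitive access: user and role administration"),
]

def functions_of(tcodes: Set[str]) -> Set[str]:
    """Map a set of t-codes to the business functions they enable."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}

def tcodes_for(role_names: Set[str], roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the t-codes granted by a set of roles (unknown roles grant nothing)."""
    return set().union(*(roles.get(r, set()) for r in role_names))

def analyze(tcodes: Set[str], rules: List[Rule] = RULES) -> List[Rule]:
    """Return every rule whose functions are all reachable with these t-codes."""
    have = functions_of(tcodes)
    return [r for r in rules if r.functions <= have]

def analyze_user(user, users, roles) -> List[Rule]:
    """Detective check ('get clean'): risks in the user's current assignments."""
    return analyze(tcodes_for(users.get(user, set()), roles))

def simulate_request(user, requested_roles, users, roles) -> List[Rule]:
    """Preventive check ('stay clean'): risks the request would newly introduce."""
    before = {r.rule_id for r in analyze_user(user, users, roles)}
    after = analyze(tcodes_for(users.get(user, set()) | set(requested_roles), roles))
    return [r for r in after if r.rule_id not in before]

def risk_report(users, roles, mitigations) -> Dict[str, List[Tuple[str, str, str]]]:
    """Per user: (rule_id, risk, status), status 'open' or 'mitigated:<control>'."""
    report = {}
    for user in users:
        rows = []
        for r in analyze_user(user, users, roles):
            control = mitigations.get((user, r.rule_id))
            rows.append((r.rule_id, r.risk, f"mitigated:{control}" if control else "open"))
        if rows:
            report[user] = rows
    return report

# Constructed sample data: roles, assignments and one mitigating control.
ROLES = {
    "Z_AP_CLERK": {"FB60", "MIRO"}, "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_PAYMENTS": {"F110"}, "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"}, "Z_BASIS": {"SU01", "PFCG"},
}
USERS = {"jdoe": {"Z_AP_CLERK", "Z_VENDOR_MASTER"}, "asmith": {"Z_BUYER"}, "bwayne": {"Z_BASIS"}}
MITIGATIONS = {("jdoe", "P2P-002"): "MC-017"}   # e.g. a monthly review of new vendors

if __name__ == "__main__":
    for user, rows in risk_report(USERS, ROLES, MITIGATIONS).items():
        print(user, rows)
    new = simulate_request("asmith", {"Z_WAREHOUSE"}, USERS, ROLES)
    print("request for asmith introduces:", [r.rule_id for r in new])
```

The detective report shows jdoe's vendor-maintenance/invoice-posting conflict as mitigated by control MC-017 and bwayne's user administration access as an open critical finding. The simulation reports only risks a request would add, so a request that would give asmith goods-receipt rights on top of purchase-order creation is flagged with P2P-003 before provisioning, while a conflict the user already carries is not counted twice. Provisioning work flow can then route the request to the risk owner for a mitigating control or rejection instead of granting it.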
Conclusion
GRC technology creates value, reduces costs and improves your risk performance. It enables your organization to automate, standardize and streamline processes, create holistic views of risk and compliance, and analyze real-time business intelligence, and it allows your decision making to really make a difference. The following model helps to assess your organization’s GRC technology maturity level.
SAP GRC
GRC Risk Management
• Aligns and integrates the management of risks and controls across the enterprise (strategic planning and business processes)
• Unifies the management of strategic, financial, operational and compliance risks
• Increases the effectiveness and efficiency of the risk model
• Increases visibility into the impact of risk against performance
• Provides additional security over regulatory compliance and prevents reputation and resource loss
• Proactively identifies risk and quantifies exposure across the enterprise to improve transparency
• Improves the decision making process and provides an effective reporting workflow
• Automatically identifies and prioritizes risks through proactive alerts and escalations
• Implements risk response and mitigation activities to prevent risks from having a negative impact
GRC Process Control
• Implements a real balanced scorecard over SAP, enhancing automated controls and monitoring techniques
• Allows business areas to detect, prevent, monitor and approve unusual operations and transactions
• Real-time notification of predefined rule-based exceptions in order to obtain an effective response
• Control automation significantly reduces audit execution, documentation and exception tracking times
• Reduces the effort and time needed to manage the internal control model in the whole organization
• Establishes a “cost-effective” combination of resources designated to perform internal control testing
• Changes the traditional and reactive internal control model to a proactive and dynamic model that is exception based
• Optimizes financial and operational processes to gain a higher internal control level (increased control confidence and effectiveness)
GRC Access Control
• Real-time diagnostic of segregation of duties risks over applications
• Real-time monitoring of critical t-codes and user activity
• Provides a centralized control repository and a risk monitoring dashboard
• Prevents the propagation of segregation of duties conflicts
• Automatic and controlled approval of accesses by the different data owners
• User management optimization in all systems (granting/revoking/modifying user privileges)
• Compliance with “best practices” in roles and profiles management, ensuring their definition, documentation, creation, testing and maintenance in a consistent way throughout the whole administration process
• Automatic management of emergency access in a controlled and auditable environment
With SAP solutions for GRC, companies can turn risk into results and improve financial performance by embedding consistent
and sustainable risk management practices while improving management’s ability to make decisions. The value of GRC integration
is outlined in the recent Ernst & Young article for the special report on GRC in SAPinsider, published December 2012:
http://www.ey.com/Publication/vwLUAssets/10-2012_GRC/$FILE/10-2012_GRC_Ernst&Young.pdf
Want to learn more?
Insights on governance, risk and compliance is an ongoing series of thought leadership
reports focused on IT and other business risks and the many related challenges and
opportunities. These timely and topical publications are designed to help you understand
the issues and provide you with valuable insights about our perspective.
Please visit our Insights on governance, risk and compliance series at
www.ey.com/GL/en/Services/Advisory/IT/IT-risk-library-page
Risk management
The future of internal audit is now: increasing relevance by turning risk into results
We explore actions internal audit can take to realize strategic alignment, increase business relevance and achieve a risk maturity that accelerates financial performance.
Turning risk into results: enabling risk management with SAP GRC
Ernst & Young’s GRC Risk Management (RM) solution paper focuses on enabling risk management. It highlights what we see in the market, opportunities, benefits and related next steps.
Process control
Smart Control: transforming controls to reduce cost, enable growth and keep the business safe
Balancing value, cost and risk in processes and controls helps create a competitive advantage. Becoming streamlined helps you anticipate and respond to changes.
Turning risk into results: enabling compliance and process management with SAP GRC
Ernst & Young’s SAP GRC Process Control (PC) solution paper focuses on enabling compliance and process optimization. It covers the Rapid SAP process and control diagnostic, which provides an accelerated current state assessment of SAP processes, controls and technology.
Access control
A risk-based approach to segregation of duties
Read clear guidance on a sound risk-based methodology that integrates IT and financial controls, resulting in an approach that is both manageable and cost effective.
Turning risk into results: enabling access management with SAP GRC
Ernst & Young’s SAP GRC Access Control (AC) solution paper focuses on managing access risks. It looks at how you can lower cost and effectively sustain access management through centralization, standardization, automation and integration with other GRC modules.