In this exclusive podcast, Werner van Haelst, Joint Managing Director of Integrc, provides some insight into SAP GRC Risk Management.
Werner covered topics he also touched on in his GRC 2013 Amsterdam session: how to re-think your approach to an integrated GRC solution suite, the latest on Risk Management functionality in 10.0 and 10.1, advice on where and when to automate risk management, and the business case for an integrated GRC suite.
Listen to the full podcast in our archives, or read our edited transcript here:
Dave Hannon, SAPinsider: Hello, this is Dave Hannon with SAPinsider. Joining me now is Werner van Haelst. He is the joint managing director of Integrc and a presenter at SAPinsider’s GRC 2013 conference in Amsterdam. Welcome, Werner!
Werner van Haelst, Integrc: Thank you very much.
Dave: Werner, one of your presentations at GRC 2013 focuses on integrating SAP GRC solutions. I know that’s an area you’re an expert in. I wanted to start our discussion there. What do you see as the benefits of the integrated IT platform from a risk management perspective?
Werner: Thank you for the question. Let’s talk about integrating the platform from a risk management perspective.
If you look at the different components in GRC, if you talk about risk management, the focus is mainly of course on managing risks, where process control is focused on managing your internal controls. And next to that of course, we have access control, which is focusing on the access risk itself and multiple access controls.
Typically, in a top-down approach, you would start from a risk management perspective and then top-down, you go to process control and access control.
Actually, however, what we see in the practice is that most companies follow a bottom-up approach. That is more like starting with access control, then the next step is process control, and at the end, they go back to risk management.
In both approaches, the top-down and the bottom-up approach, it’s important that in the end, you have an integrated solution.
Because all three components working in a silo is not an optimized situation.
You would like to have an integrated solution because it delivers synergy, and that synergy results in a scenario where your entire internal control framework can be implemented and is well supported by restricting day-to-day internal controls. This is very important to understand: these three components can work on their own. But the ultimate benefit is when they are integrated, and I’ll explain a little bit more later on about how this integration could work.
Dave: Another one of your presentations provides a deep dive in the SAP GRC Risk Management solution.
How does that solution integrate specifically with the other GRC solutions? What sort of data do they share and how can they all combine to drive a more holistic risk strategy?
Werner: If you talk about integration, then especially, the master data is a specific part of the solution -- where data is shared, where this data can be used by different components.
So if you look into master data, a typical example is when you talk about the organization. The organizational structure can be shared between process control risk management as well as the access control. Some of that organization data can be shared, but also, you have the option to actually use it only for a specific component. Compared to the old ECC way of explaining it, we called it the A and the B segments. So, the A segment is shared, and the B segment is organization-specific.
On the other hand, we have controls that can be shared between process controls and access controls of course.
The risk catalogue is a third example. This can be used by both process controls and risk management, where also part of the risks, say the main part of the risks — the header data as you want to call it — can be used by both and risk management can actually add some more attributes to the risk data. So you see, especially the master data, there is data that is shared among the different components. It’s clear that the more modules you use, the more optimal ways you can make use of the shared data.
We talk about integration between the components, especially from a process point of view, then Process Control and Risk Management, they definitely integrate.
For example, Risk Management can use existing SAP GRC process controls as a risk response. So if in Risk Management, you define certain risks, and you would like to have a risk response, you can use the ones that are also in Process Controls. Vice versa, Risk Management can also propose new controls that can be used in Process Controls.
So, if you identify a risk in Risk Management and you want to define and mitigate a control in Risk Management, then you can use that control as well in Process Control. And of course, in Process Control, you can set up the process to evaluate this proposed control that in the end can be used in both, let’s say, GRC modules.
Finally, risk management can also use process control evaluation results. So there are definitely a number of areas where you see integration from a data point of view, as well as from a process point of view between the different modules.
Dave: What other suggestions do you have for organizations looking to make risk assessment, risk management, more automated or more efficient in their organizations?
Werner: If you look, for example, at customers nowadays, if they do risk management, typically, companies use emails, telephone, and Excel spreadsheets to send out surveys to ask for risk proposals.
If you compare that to what SAP Risk Management can deliver, then I think it’s very clear that more automation will definitely bring more efficiency in this process.
Think about the fact that you have automated workflows in risk management, with Adobe Interactive Forms, you have notifications, automated reporting, alerts; all of those automated tools and functionality you have will definitely improve your efficiency related to risk management. Especially Adobe Interactive Forms, I want to mention, is a very interesting and powerful tool that will help users to enable them to be more involved in risk management.
Finally also, centralized reporting capabilities across the whole year-end data is a very powerful tool which is available for end users.
Dave: You’ve got a lot of experience with SAP GRC Risk Management. Are there any features or functionalities in that solution that you think are underutilized or something that users might not be aware of?
Werner: In my personal opinion, even Risk Management, as such, is underutilized. There is so much powerful functionality available, where many companies don’t realize what it is capable of.
As I mentioned in the beginning, most companies start with a traditional approach from Access Control to Process Control and then go to Risk Management. Well, it would be better to do it top-down. So in that way, overall Risk Management is more underutilized.
Adobe Interactive Forms is moving forward as new functionality. And if you look a little bit more into the detail of the functional features that SAP has brought to us in the latest version that’s coming up — version 10.1 — there are a number of innovations that are worth mentioning. From a Risk Management perspective, one is the enablement for ISO 31000 terminology support. Let’s think about ad hoc risk escalation functionality. The introduction of HANA is interesting because it can help us for key risk indicators that will bring us alerts.
I’ll give you a practical example. If you have a project running in your company and that project has a certain budget, let’s say 100,000 euro, and you want to have an indication at the moment that the budget has been used for 80%. You want an indication or an alert that you’ve reached that status.
Then, you can imagine, that’s a simple example of how that alert will help you in managing the risk of that project. If you have many projects with lots of data, then those KRIs can become more complex. And HANA will definitely help us from a risk management perspective to identify those key KRIs and produce them more easily. Also, doing impact calculation based on KRIs can improve.
Overall functionality in 10.1 that is interesting to mention is the fact that there are entry pages coming in and side panels, which make it easier for the end user to use the solution. And finally, the whole ODP enablement, which makes it much easier from a reporting point of view to use Risk Management. So definitely there are interesting functionalities coming up in 10.1, apart from all the ones that are already there in 10.0.
Dave: Last, I wanted to ask if you have any advice for a CIO that’s trying to sell their executive board on the value of GRC solutions to the business.
Are there still challenges in getting non-IT folks to understand the connection between these solutions and reductions in risk?
Werner: That’s an interesting question. I would say there are definitely challenges there.
As I mentioned before, I don’t think companies use Risk Management to the maximum value that it could bring. There’s a lot to do about clear communication, explaining what functionality there is and what can add value. It’s important of course to build the business case and make it very clear to C-level where this risk management can help and can add value.
One thing that is important to note is that external stakeholders also are more risk aware, so they ask for more explanations on how the company is behaving from a risk management perspective.
So, companies need to give more insight and have to show that they are risk aware and how they manage risk. Either it can be strategic risks, technical risks, or operational risks. There’s definitely a tendency coming from external stakeholders as well. That helps a bit. But there is still a challenge to bring this to the right level. Current economic times are not always very helpful in this area.
Finally, to conclude, we should try to think in terms of efficiency and effective results: what can we bring? How many controls can you automate, how can you automate the risk management process, how can you use surveys to gather information? How can we go to a single source of truth, company-wide, that can help you manage your controls and risk in a better way?
Just to make it practical, I would say start to think big. Think about the end game you want to play from a risk management perspective. Think big and maybe start small if that helps.
Dave: To find out more about Werner’s presentations at GRC 2013 in Amsterdam, June 11-13, you can go to grc2013.com. Werner van Haelst, joint managing director of Integrc, thank you for joining us today.
Werner: Thank you. My pleasure.