ranga bodla, sap - treasury & risk · 2011. 4. 21. · ranga bodla, sap governance, risk &...

Managing Risk in Perilous Times Ranga Bodla, SAP Governance, Risk & Compliance Solution Marketing Michael Rasmussen, Corporate Integrity December 1, 2009


Page 1

Managing Risk in Perilous Times

Ranga Bodla, SAP Governance, Risk & Compliance Solution Marketing

Michael Rasmussen, Corporate Integrity

December 1, 2009

Page 2

Speakers

Ranga Bodla, Sr. Director, Governance, Risk and Compliance – SAP

Michael Rasmussen, J.D., President, Risk & Compliance Advisor – Corporate Integrity

© SAP 2008 / Page 2

Page 3

Agenda

• How to integrate risk management into your organization's operations and strategic decision-making processes

• How to consolidate risk factors so that they are visible across the entire organization

• How to develop robust scenario planning to help manage unanticipated events

Page 4

Slide 4© 2009, Corporate Integrity, LLC www.Corp-Integrity.com

Leading Strategies for Enterprise Risk Management

Michael Rasmussen

Page 5

Assess & Align (c) OCEG

“Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.”

Theodore Roosevelt

Page 6

Are you focused only on what you see?

“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”

E.J. Smith, Captain of the Titanic

Risk Awareness

Risk Ignorance

Page 7

Silos Lead to Greater Risk

• A reactive and siloed approach to risk management is a recipe for disaster and leads to . . .

– Lack of visibility. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture.

– Wasted and/or inefficient use of resources. Silos of risk and compliance lead to wasted resources.

– Unnecessary complexity. Varying risk and compliance approaches introduce greater complexity to the business environment.

– Lack of flexibility. Complexity drives inflexibility: the organization is not agile in the dynamic business environment it operates in.

– Vulnerability and exposure. A reactive approach leads to greater exposure and vulnerability.

Page 8

Defining Our Terms

• Risk

The probability of something happening that will have an impact on objectives; most importantly, but not exclusively, an adverse impact.

• Risk Management

A system of processes and structures that enable an organization to

• identify, evaluate, analyze, optimize, monitor, improve, or transfer risk

• communicate risk findings and decisions to stakeholders

• realize potential opportunities while managing adverse effects of risk

Page 9

Defining Our Terms

• Effective Risk Management

– addresses opportunities, obstacles and threats in a holistic fashion

– continually identifies obstacles and threats,

– assesses the potential impact of threats,

– identifies opportunities for further assessment,

– assures risk-intelligent decisions and

– implements structures to enable the organization to appropriately pursue opportunities while addressing the obstacles and threats.

Page 10

Instead Of This…

[Figure: discrete risks, regulations & standards (Risk A, Risk B, Risk C), each broken into discrete requirements (A1–A3, B1–B3, C1–C3) and discrete controls & activities (C1–C6) owned by siloed functions & departments; IT and business integration shown as no linkage or weak linkage]

Page 11

Do This…

[Figure: the same risks, regulations & standards (Risk A, Risk B, Risk C) mapped onto common requirements, common controls & activities and integrated functions & departments, with full linkage and strong linkage between IT and the business]

Page 12

RISK: in Business Perspective

Page 13

Risk questions organizations need to ask

• Do you know your risk exposure at the business process, operations, and enterprise levels?

• How do you know you are taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?

• Can you accurately gauge the impact of risk taking on business strategy as well as loss?

• Does the business get the information it needs to take timely action on risk exposure, seizing opportunities while avoiding or mitigating negative events?

• Does your business monitor key risk indicators across key systems and processes?

• Are you optimally measuring and modeling risk?

Page 14

Multi-Perspective Risk Analysis

• As organizations build risk management programs it is important that they build a 360-degree multi-perspective risk analysis framework that allows an organization to think outside the box and look at risk from a variety of perspectives.

• The challenge is for organizations to develop processes to harness internal and external information to be intelligent about their risk and regulatory environments so they can make wise business decisions. This involves gathering information from the internal environment such as:

• Losses.

• Issues/events.

• Success & performance.

• Controls.

• Policies.

• Risk appetite.

• Risk management.

• Compliance.

• Culture.

• Business relationships.

Page 15

Aligning Risk & Performance

• Effective risk management can only be achieved if key risk indicators are set in a business context and mapped over to corresponding key performance indicators.

• A risk management program aligned with business strategy and performance is effective because it:

• Addresses opportunities, obstacles and threats in a business context.

• Continually identifies obstacles and threats,

• Assesses the potential impact of threats,

• Identifies opportunities for further assessment,

• Assures risk-intelligent decisions and

• Implements structures to enable the organization to appropriately pursue opportunities while addressing the obstacles and threats.

Page 16

GRC Capability Model: High Level View of OCEG Red Book 2.0

8 INTEGRATED COMPONENTS (those legible on the slide): Organize & Oversee; Assess & Align; Prevent & Promote; Detect & Discern; Respond & Resolve; Monitor & Measure; Inform & Integrate

8 UNIVERSAL OUTCOMES: Achieve Business Objectives; Enhance Organizational Culture; Increase Stakeholder Confidence; Prepare & Protect the Organization; Prevent, Detect & Reduce Adversity; Motivate / Inspire Desired Conduct; Improve Responsiveness & Efficiency; Optimize Economic & Social Value

Page 17

Element View Of The GRC Capability Model

Page 18

RISK: in Business Perspective

Page 19

Enterprise Risk Management

RISK: A Taxonomy of Risk

Strategic Risks
• Geo-Political Risks
• Industry Risks
• Succession Planning
• Competitive Environment
• Corporate Governance
• Business Strategy
• Reputation/Brand
• Stakeholder Expectations
• Market Demands

Financial/Treasury Risks
• Market risks
• Interest, foreign exchange
• Equity risks
• Hedging/Diversification
• Liquidity
• Credit risks

Operational Risk
• Physical Assets
• Information Assets
• Business Relationships
• Technology
• Human Resources
• Finance & Treasury
• Products & Services
• Business Resiliency & Continuity
• Marketing, Communications & Sales

Legal & Compliance
• Ethics & Culture
• Litigations
• Regulatory Compliance
• Liability
• Reporting requirements
• Policies & Procedures
• Investigations
• Environmental
• Health & Safety
• Contracts
• Privacy

Corporate Social Responsibility, Sustainability, Triple Bottom Line Reporting

Social Accountability – Financial Responsibility – Environmental Stewardship

Page 20

RISK: Risk Management Process

Establish the Context
• Internal context
• External context
• Risk mgmt context
• Develop criteria
• Define the structure

Identify Risks
• What can happen?
• When and where?
• How & why?

Analyze Risks
• Identify existing controls
• Determine consequences & likelihood
• Determine level of risk

Evaluate Risks
• Compare against criteria
• Set priorities

Treat Risks
• Identify options
• Assess options
• Prepare & implement plans
• Analyze and evaluate residual risk

Communicate & Consult

Monitor & Review

Source: AS/NZS 4360:2004 and ISO 31000

Page 21

Ultimate Risk Platform

• Organizations continue to manage risk in silos, where distributed business units and processes maintain their own data, spreadsheets, analytics, modeling, frameworks, and assumptions.

• Risk platforms (if deployed) are typically not equipped to capture the complex interrelationship among operational risks that span global operations, business relationships, lines of business, and processes.

Do you know your risk exposure at the business process as well as enterprise operations levels?

How do you know you are taking and managing risk effectively to achieve optimal operational performance and hit strategic objectives?

Can you accurately gauge the impact of risk taking on business strategy as well as loss?

Does the business get the information it needs to take timely action on risk exposure, seizing opportunities while mitigating negative events?

Do you have repetitive and inefficient controls, documentation, processes, testing, and risk measurement / management?

Are you optimally measuring and modeling risk?

Page 22

Ultimate Risk Platform

[Figure: the Ultimate Risk Platform built from Risk & Control Assessment, Internal Loss Events, External Loss Data, Key Risk Indicators and Reporting on an Extensible & Flexible Platform]

• This includes:

– Risk identification

– Assessment

– Surveying

– Analysis

• To manage risk, an organization will implement a taxonomy of risks and a framework designed to provide a sound and well-controlled operational environment.

• The risk solution needs to be able to integrate with multiple frameworks.

• Organizations need to manage the balance between the cost of controls and the reduction in risk that the controls effect.

• The platform should support a range of assessment styles including qualitative and quantitative assessments, as well as top-down and bottom-up techniques.

• Risk measurement should cover both inherent and residual risk metrics.

Page 23

Ultimate Risk Platform


• Operational losses are increasing in frequency and impact because business has grown more complex, particularly as transaction volumes have increased.

• Organizations have distributed operations and growth in business relationships, and their reliance on automated systems outpaces their ability to monitor risk.

• A critical requirement for an operational risk management (ORM) process is capturing loss information. This includes

– Creating a consistent categorization scheme for loss events

– Linking loss to the risk taxonomy which allows an organization to pinpoint the root cause of losses and determine if certain controls are failing.

• This facilitates the continual optimization of risk management as well as the control environment.

• A risk platform needs to combine assessment data with loss event data to support a risk management process.

Page 24

Ultimate Risk Platform


• External losses are a key component of the Ultimate Risk Platform.

• The solution should support automatic upload and download capability for interfacing with external loss consortiums (e.g., ORX) or commercial providers (e.g., Algorithmics, AON, SAS).

• The system should facilitate the use of external loss for capital modeling, scenario analysis and benchmarking.

Page 25

Ultimate Risk Platform


• Continual monitoring and management of key risk indicators - including trending and aggregation of KRIs – is a critical element of a risk management process.

• A risk platform should support automatic notification to risk owners when KRI values reach thresholds.

• Workflows should automate risk processes such as KRI review and analysis.

• KRIs must support thresholding and time-trending.

• The best systems will also allow you to align enterprise performance management with risk management and give you a view into risk optimization as opposed to simply risk mitigation.

• Organizations take risk – they need assurance they are taking the right risk to meet objectives and that risk is effectively monitored and managed.

Page 26

Ultimate Risk Platform


• A risk platform needs to provide timely and accurate information to risk managers, risk owners in lines of business, senior and executive management, board, and external constituencies such as auditors and regulators.

• Risk reports enable management to maintain risk at appropriate levels within line of business, escalate issues and provide consistent data aggregation across business roles and functions.

• With improved visibility into its risk environment, an organization is in a position to make risk intelligent business decisions.

• The risk platform needs to support a variety of risk reports including high-level dashboards, risk models, and detailed reports.

• It has to be able to aggregate data across business entities, relationships, risk categories, event types, and time periods.

Page 27

Ultimate Risk Platform


• Organizations need an adaptable solution and process to meet specific needs, taking into account corporate governance including corporate policies and procedures.

• When choosing a technology platform, organizations need to pick an application that can adjust to their processes rather than adjusting processes to fit the application.

• Important areas for extensibility include . . .

– Business hierarchy. Multiple hierarchies (legal, finance, organizational), multiple levels (with no limit) and asymmetrical hierarchies are all essential to conform risk to the business.

– Localization.

– Risk Framework.

Page 28

Assess & Align

• Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities

– identify events, forces, and factors that may affect the achievement of organizational objectives

– define the current risk profile by analyzing the inherent risk and residual risk after considering current risk optimizing activities

– evaluate and implement selected options to reduce, avoid or mitigate adverse effects of risk and take advantage of identified opportunities

Page 29

Assess & Align – Key Principles

• Focus on key organizational objectives, assets, and operations

• Categorize risks to structure the identification process and ensure that the organization identifies risks uniformly across departments and silos

• Risks rarely fall into singular categories, but rather tend to be multi-faceted, so use multiple identification

• Priority risks should include both inherently high risks and unacceptably high residual risks

• Where appropriate, embed optimizing activities in mainline business planning and processes

• Consider the external as well as internal context of risks

Page 30

The Goal: Make Risk Management Part of the Business

[Figure: Risk Management at the centre, linked to the Board and CEO (strategic dialogs on risk vs. reward), Lines of Business (continuous monitoring of key risk indicators and controls), Internal Audit (control activities focused on most risky areas), Corporate Finance / Planning (variance caused by risk built into plans) and the Head of Strategy (new strategies/initiatives developed with risk “built-in”)]

Page 31

Enterprise Risk Management

Implementation approach

An approach whereby all categories of risk across each program are aggregated at the enterprise level and treated holistically, while at the same time recognizing the need to maintain levels of granularity.

[Figure: CEO and CFO above Business Unit A, Business Unit B and Business Unit C, all sharing one Enterprise Risk Framework and Processes built on SAP BusinessObjects Risk Management]

Transparency
• Enterprise-wide view of the totality of risk

Consistency
• Common risk management framework and risk management solution

Page 32

Enterprise Risk Management

Risk-adjusted management of strategy and performance

SAP Solution

■ Drive agreement on top risks, thresholds, and appetite

■ Identify all key risks across the enterprise

■ Perform qualitative and quantitative analysis

■ Create resolution strategies for top risks that maximize return on capital

■ Build proactive monitoring into existing business processes and strategies

SAP Differentiators

■ Protect Existing Value with Continuous Risk and Control Monitoring

■ Create New Value with Risk-Adjusted Strategy and Planning

[Figure: the risk management cycle (Risk Planning, Risk Identification, Risk Analysis, Risk Response, Risk Monitoring) interlocked with the strategy and performance cycle (Define Strategy, Construct Budgets & Forecasts, Plan and Perform Assessments and Tests, Measure Performance)]

Page 33

Protect Existing Value with Continuous Risk and Control Monitoring

Examples of KRI content already available in SAP and partner’s operational systems

Sample content packs based upon partner and customer suggestions

Risk / KRI (Controls) / Examples of Thresholds

Quality
• Customer Complaints – 10% over trailing 3-month average
• Overdue Notifications – 5% of all notifications
• Product Inspection – 10% over trailing 3-month average
• Product Returns – 10% over trailing 3-month average

Reliability
• Overall Equipment Effectiveness – 10% over trailing 3-month average

Health & Safety
• Recordable Injuries – 5 per month
• Safety Near Misses – 10% over trailing 3-month average
• Overdue Maintenance Orders – Overdue by 1 week

Environmental
• Air, Water & Waste - Number of permit limits exceeded – 3 per month
• Hazardous emissions – 90% of legal limit

Financial Controls
• Failed Controls – 5% of all controls
• Segregation of Duty violations – 23 violations

Demand and Supply Mismatch
• Inventory (days) above maximum – 10% over maximum
• Inventory (days) below minimum – 5% below minimum
• Forecast accuracy – 10% below trailing 3-month average

Procurement Risk
• Single sourcing – 5% increase in spend of single-sourced material
• Service levels – 5% below trailing 3-month average

Logistic disruption
• Delivery lead times – 15% increase in lead times by shipper relative to 3-month average
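As an added example, not code from the original slides or from SAP's product: a small Python evaluator for the threshold styles used in the KRI table above (percent over or below a trailing 3-month average, a count per month, a share of a population, a share of a legal limit). The monthly KRI values are constructed sample data, and a value that reaches its threshold counts as a breach, following the slide-25 wording about notifying risk owners "when KRI values reach thresholds".

```python
# Added example, not from the original slides or from SAP GRC Risk Management:
# a small evaluator for the threshold styles in the KRI table above.
from dataclasses import dataclass
from statistics import mean
from typing import Optional, Sequence


@dataclass(frozen=True)
class Kri:
    """One key risk indicator and the rule that decides when it has reached its threshold."""
    risk: str
    name: str
    rule: str     # one of RULES below
    limit: float  # percent for the relative rules, an absolute count for "count_per_month"


# The threshold styles that appear in the table (comments quote the slide wording).
RULES = {
    "over_trailing_avg",     # "10% over trailing 3-month average"
    "below_trailing_avg",    # "10% below trailing 3-month average"
    "count_per_month",       # "5 per month"
    "share_of_total",        # "5% of all controls"
    "share_of_legal_limit",  # "90% of legal limit"
}


def trailing_average(history: Sequence[float], months: int = 3) -> float:
    """Average of the last `months` prior observations (the current month is not included)."""
    if len(history) < months:
        raise ValueError(f"need {months} prior observations, got {len(history)}")
    return mean(history[-months:])


def pct_change(current: float, baseline: float) -> float:
    """Percentage change of `current` against `baseline`; positive means above the baseline."""
    if baseline == 0:
        raise ZeroDivisionError("a zero baseline gives no meaningful percentage")
    return (current - baseline) / baseline * 100.0


def evaluate(kri: Kri, current: float, history: Sequence[float] = (),
             total: Optional[float] = None, legal_limit: Optional[float] = None) -> dict:
    """Compute the measure the rule compares and flag the KRI when it reaches its limit.

    Reaching the limit counts as a breach, following the slide-25 wording
    "automatic notification to risk owners when KRI values reach thresholds".
    """
    if kri.rule not in RULES:
        raise ValueError(f"unknown rule {kri.rule!r}")
    if kri.rule == "over_trailing_avg":
        measure = pct_change(current, trailing_average(history))
    elif kri.rule == "below_trailing_avg":
        # Negated so the measure is positive when the value has dropped below the average.
        measure = -pct_change(current, trailing_average(history))
    elif kri.rule == "count_per_month":
        measure = float(current)
    elif kri.rule == "share_of_total":
        if not total:
            raise ValueError("share_of_total needs the size of the population")
        measure = current / total * 100.0
    else:  # share_of_legal_limit
        if not legal_limit:
            raise ValueError("share_of_legal_limit needs the legal limit")
        measure = current / legal_limit * 100.0
    return {"risk": kri.risk, "kri": kri.name, "measure": round(measure, 2),
            "limit": kri.limit, "breached": measure >= kri.limit}


# Constructed sample observations (made up for this example) for five KRIs from the table.
SAMPLE = [
    (Kri("Quality", "Customer Complaints", "over_trailing_avg", 10.0),
     dict(current=46, history=[40, 38, 42])),        # prior average 40 -> +15%, breached
    (Kri("Demand and Supply Mismatch", "Forecast accuracy", "below_trailing_avg", 10.0),
     dict(current=86, history=[90, 92, 91])),        # prior average 91 -> 5.49% below, ok
    (Kri("Health & Safety", "Recordable Injuries", "count_per_month", 5),
     dict(current=5)),                               # reaches 5 per month, breached
    (Kri("Financial Controls", "Failed Controls", "share_of_total", 5.0),
     dict(current=6, total=200)),                    # 3% of all controls, ok
    (Kri("Environmental", "Hazardous emissions", "share_of_legal_limit", 90.0),
     dict(current=45.5, legal_limit=50)),            # 91% of legal limit, breached
]


def run_sample() -> list:
    """Evaluate every sample KRI and return the status records in table order."""
    return [evaluate(kri, **observation) for kri, observation in SAMPLE]


def breached_names(results: Sequence[dict]) -> list:
    """KRIs that reached their threshold, i.e. the ones a platform would notify risk owners about."""
    return [r["kri"] for r in results if r["breached"]]


if __name__ == "__main__":
    for r in run_sample():
        flag = "RED" if r["breached"] else "ok "
        print(f"{flag} {r['risk']:<27} {r['kri']:<20} measure={r['measure']:>6} limit={r['limit']}")
```

The time-trending the slides ask for is what `history` carries; a platform would feed it from the prior months' values of the same KRI rather than from the constructed lists here.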

Page 34

Pro-actively mitigate risks before KPIs change to yellow/red status

Create New Value with Risk-Adjusted Strategy

Page 35

Create New Value with Risk-Adjusted Planning

Forecasted P&L 2010
  Revenue                    1.000
  - Material Costs             400
  = Profit Margin              600
  - Personnel Costs            300
  - Other Costs                150
  - (incl. Risk Transfer)        5
  - DoA                         50
  = Operating Profit           100
  - Interest Expenses           44
  - Extra Profit / Loss          0
  = EBIT                        56

[Figure: risks / risk categories R1–R6 (Sales Volume, New Competitor, Material Costs, Personnel Costs, IR Changes, Add. Costs) shown against the P&L lines with sensitivity bands of +/- 1%, +/- 2%, +/- 5% and +/- 10% and impacts of -100 and -200]

Page 36

Managing Enterprise Risks

2.2.1 Foreign Corrupt Practices Act Compliance Risk

Business Process: Regulatory Compliance (S39)

Risk Event: Employee/Agent Involved in Illegal Arrangement (FCPA)

Drivers
• Operate in over-seas high-risk markets
• Use of 3rd party representatives to facilitate overseas business
• Conduct business with foreign state-run entities

Key Risk Indicators
• # of reviews conducted for due diligence on all foreign business partners and third-party representatives (manual)
• % employees with foreign official contact who have had FCPA training (SAP – HCM)
• Expense % of total compensation for sales agents responsible for international accounts (SAP - Payroll)
• # of payments to foreign officials characterized as contributions, consulting payments or miscellaneous expenses

Impact
• Financial – Earnings (SEC & DOJ violations, fines, penalties, remediation)
• Financial – Revenue (Ineligibility of doing business with foreign entity)
• Reputation (Disclosures, investigation, prosecution, oversight)

Responses (response types: PC/AC Control, Transfer, Accept, Avoid, Reduce; preventive responses reduce the probability of the event, recovery responses reduce its impact)
• Code of Conduct and FCPA or anti-corruption policies in place
• Anti-corruption training in place
• Whistleblower line
• SOD – Separate Vendor Maintenance from Invoice Approval (AC)
• Monitor employees that are overdue for ethics/FCPA training (PC)
• Monitor suspicious payment attributes such as round payments, one time vendor, etc. (PC)
• Avoid business in high risk markets prone to abuse
• Maintain legal and penalty reserve
• Contractual protections with agents

[Figure columns: Performance Measures, Drivers, Impact, Key Risk Indicators]

Page 37

How to Build the Business Case

Tangible Benefits*                                        % Impact

Operating Costs
  Reduce losses / risk events                              25-75%
  Reduce insurance premiums                                10-30%
  ERM productivity improvements                            30-60%
  Reduce borrowing costs                                    0-40%

Revenue
  Increase success rate of new initiatives/strategies      10-25%

Working Capital
  Reduction in reserves to cover risk appetite             10-30%

SAP Value Engineering Can Assist

* Benchmarks from SAP’s Case Studies and Success Stories

Page 38

UHY Advisors, LLP

“SAP GRC Risk Management provides a best-practice framework so we can identify, analyze, respond to, and monitor obstacles to reaching our firm’s growth objectives.”

Norman Comstock, Managing Director, Technology Assurance and Advisory Services (TAAS), UHY Advisors, Inc.

Challenge
• Formal solution to identify, analyze, respond, and monitor risks
• Needed to identify and analyze risks to business performance and strategy
• Continuously monitor risk profiles

Why SAP?
• Formal risk solution that aligns business processes and business goals/objectives
• Holistic, integrated, enterprise-wide risk management platform
• Ability to leverage operational data to help expose, manage, and respond to risks

Results
• Access to actionable risk management data to make more informed decisions
• Improved level of risk awareness to strategy
• Increased consistency in risk management methodology, communication, and risk appetite

Page 39

We Drink Our Own Champagne

GRC Risk Management saves SAP AG €3 million annually

Challenges and Opportunities
• Lack of consistent, structured risk management processes
• Reactive approach to risk management, resulting in “fire-fighting” instead of prevention
• Requirement to comply with financial reporting regulations of Sarbanes-Oxley Act of 2002

Objective
• Set up single repository for risk management data
• Increase speed of response to business threats
• Reduce occurrence of issues resulting in loss

Implementation Highlights
• 1,400 users across the organization
• Assistance from the SAP Custom Development organization

Why SAP
• Lack of required functionality in software offered by other vendors

Benefits
• Improved visibility of risk exposure across the organization
• Increased risk awareness, resulting in better-informed decisions
• A cut of €3 million in insurance premiums year on year
• Dramatic reduction in number of insurance claims annually
• Industry recognition for management excellence – winner of European Risk Management award

“SAP GRC Risk Management differentiates us from other high-tech vendors and helps to drive down our insurance premiums. As a result, we’re making annual savings of approximately €3 million.”

George Haitsch, Vice President, Corporate Risk, Global Risk Management, SAP AG

QUICK FACTS
SAP AG
Location: Walldorf, Germany
Industry: High Tech
Products and Services: Business software
Revenue: €9.4 billion
Employees: 39,355
Web Site: www.sap.com
SAP Solutions and Services: SAP GRC Risk Management application

Page 40

Questions

Page 41

Contact Info

Ranga Bodla, Sr. Director, Governance, Risk and Compliance – SAP

Email: [email protected]

Phone: 650.796.8252

For more information: http://www.sap.com/usa/riskmanagement

Michael Rasmussen, J.D., President, Risk & Compliance Advisor – Corporate Integrity

Email: [email protected]

Phone: 888.365.4560

For more information: http://www.corp-integrity.com/
