General

Space 5

General

General

Risk Management in the Digital Boardroom

Michael Heckner

GRC Center of Excellence SAP

November 19, 2019

General

Why GRC?

5PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Risk-Adjusted ManagementTwo Sides of a Coin

Increase Revenue

Increase Profit

Increase Customer Satisfaction

Increase Customer Retention

Innovate with new products

Expand into new markets

…

Board Objectives

Balance Sheet

Profit & Loss

…

Performance

Risk Report

Controls &

Compliance

Audit Report

Three Lines of Defense

Reputation

Finance

Planning & Innovation

Operations

Cybersecurity

Data Protection

…

Risks

Risk-Adjusted Management

“Companies on average realize only 60% of the financial performance their strategies promise ... more than one-

third of executives surveyed placed the figure at less than 50%.”Source: Harvard Business Review

General

DemoDigital Boardroom

Risk Management in the Digital Boardroom

7PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Holistic risk analysis and embedded controlsReimagine risk and compliance

Real-time risk

analysis

Policy

definition

Real-time

audits

Access

governance

Automated

controls

Transaction

screening

Threat

detection

8PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

SAP 3LoD DemoOne view of risk across the enterprise tied to objectives

Tied to Objectives

• Risk management framework aligned

with business value drivers

• One view of business objectives linked

to related risks, controls, and issues

Increased Accountability

• Clear lines of responsibility across

operations, risk and compliance

management, and internal audit

• Support for an integrated three

lines of defense approach

Improved Alignment

• Risk-based approach to reduce

unneeded effort for controls and audits

• Focused collaboration to leverage

expert knowledge and improve decision

making

General

General

General

General

General

Customer Case Study.

14PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Controls

Integrated

in

Processes

Managing Objectives: Example of an Integrated Risk Management Process

Source: Case Study: Enabling the three lines of defense at Reliance Industries Limited, Maurice Sanden, 10/2018

Risk

Identification

Appraise

Performance

Report

Controls to

manage

risk

Control Self

Assessments

(LoD1)

Policy to set

boundaries

Risk Action

Plan to reduce

risk

Risk

Assessment

Continuous Monitoring Capability

Functional Assurance (LoD2)

Policy

Acknowledgemen

t (LoD1)

Policy

Enforcement

through Controls

Risk Mitigations

Risk and Controls Monitoring

Certification of

progress and

effectiveness

(LoD1)

Strategic

Objective

Operational

ObjectivesReporting

Objectives

Compliance

Objectives

OM

S

PM

S

FM

S

Against

organizational &

process objectives

Strategy

Operating

Plan

Operate /

Execute

15PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Managing Objectives: Example of an Integrated Risk Management Process

Source: Case Study: Enabling the three lines of defense at Reliance Industries Limited, Maurice Sanden, 10/2018

Risk

Identification

Appraise

Performance

Report

Controls to

manage risk

Control Self

Assessments

(LoD1)

Policy to set

boundaries

Risk Action Plan

to reduce risk

Risk

Assessment

Continuous Monitoring Capability

Functional Assurance (LoD2)

Policy

Acknowledgement

(LoD1)

Policy Enforcement

through Controls

Risk Mitigations

Risk and Controls Monitoring

Certification of

progress and

effectiveness (LoD1)

Strategic

Objectives

Operational

ObjectivesReporting

Objectives

Compliance

Objectives

OM

S

PM

S

FM

S

Against

organizational &

process objectives

Strategy

Operating

Plan

Operate /

Execute

SAP

Controls

Integrated

in

Processes

= Activity enabled by SAP GRC solutionsSAP

16PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Summary.

17PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Towards Embedded GRC ManagementGoing From Afterthought to Forethought

18PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Fragmented ApproachGRC is Often Treated as an Afterthought

People – Middleware

USERMANAGEMENT

ARCHIVE

WORK FLOW

ARCHIVE

BUSINESS INTELLIGENCE

WORK FLOW

PORTAL

BUSINESS INTELLIGENCE

WORK FLOW

PORTAL

BUSINESS INTELLIGENCE

WORK FLOW

BUSINESS INTELLIGENCE

ARCHIVE

USER MANAGEMENT

Separate from the

main processes

19PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Unified ApproachBusiness Leaders Build-In GRC as a Forethought

Fragmented ApproachGRC is often Treated as an Afterthought

People – Middleware

ARCHIVE

WORK FLOW

BUSINESS INTELLIGENCE

WORK FLOW

ARCHIVE

PORTAL

BUSINESS INTELLIGENCE

WORK FLOW

BUSINESS INTELLIGENCE

ARCHIVE

USER MANAGEMENT

USERMANAGEMENT

PORTAL

BUSINESS INTELLIGENCE

WORK FLOW

21PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Unified ApproachBusiness Leaders Build In GRC as a Forethought

One common platform

• Leverage S/4HANA (and Central Finance)

• Standardization and Harmonization

(e.g. consistent UI for ERP and GRC)

Resulting in

• Single version of the truth

• GRC management by exception

• Reliably achieve business objectives

General

SAP GRC

15

SAP at FERMA Forum 2019Booth 15

2018 SAP SE or an SAP affiliate company. All rights reserved.

International SAP Conference on Internal Controls, Compliance and Risk Management 2020

We are delighted to share that the International SAP Conference on Internal Controls, Compliance and Risk Management 2020 will be taking place from

3 - 4 March 2020, in Denmark, Copenhagen.

Join us in the quaint and refreshing city of Copenhagen, one of the most liveable cities in the world, for two days of inspiring keynotes, best practice user case

studies, the latest industry trends and updates, exciting demos and an offsite networking reception. With over 16 hours of interactive content and networking

time, our event represents a unique and world class learning opportunity.

You and your team do not want to miss the return of this international conference for senior business professionals from the fields of Internal Controls,

Compliance, Business Process, Audit and Risk Management. For more information, please see the website: http://www.tacevents.com/ccr2020

March 3-4, 2020 | Copenhagen, Denmark | www.tacevents.com/ccr2020

Connected Controls and Risks

150+Attendees

7+Customer

Case Studies

2Deep

Dive

Worksh

ops

10+Hou

rs of

Con

tent

7+Interactive

Networking

24PUBLIC© 2019 SAP SE or an SAP affiliate company. All rights reserved. ǀ

Find information on SAP Three Lines of Defense solutions

on www.sap.com/grc

GRC in the SAP Digital Boardroom

GRC 20/20 Solution

PerspectiveOxford GRC InfographicIntroducing Three Lines of Defense

Three Lines of Defense E-

Book

GRC Solution Brief

Thank you very much for your attention

General

Please help us improve the quality of our event by

filling in our evaluations

• Directly on our mobile application

• Paper evaluation form to give back to our hostess at

the end of the session

Didier Odorico

Corporate Risk Manager, Tetra Pak

Didier.odorico@tetrapak.com

+41.79.370.0516

Our speakerSECTION

General

A Case Study

“Three Lines of Defense” in large, complex, multinational enterprises

The application of the Three Lines of Defense methodology in organizations has provided sound footing for better visibility, accountability, and effectiveness related to risk. Don’t miss out on hearing firsthand how Tetra Pak are deploying the latest technologies and transforming their vision into execution. In this panel session, you will hear real use cases focusing on:

• Primary challenges faced, and game plan developed

• Lessons learned of aligning culture and process to take advantage of new capabilities

• Tips on how functionalities in SAP GRC solutions can support risk reporting processes” ?

GeneralTetra Pak/2019 / 30

The Company: Liquid food Processing and Packaging solutions since 1959…

>25,480Employees

>160Countries

€11.2 billion Net sales

Units delivered

Units in operation

Packaging Processing Downstream

351 2 301 942

>8 700 >81 000 >20 800

>3% of turnoverInvestment in R&D

GeneralTetra Pak/2019 / 31

… with a Global Footprint

93 Sales offices

31 Market companies

5 R&D Centres

11 Technical Training Centres

56 Productions plants

6 Customer Innovation Centres

12 Processing & production sites

10 Product Development Centres

General

Corporate Governance Framework

/ 32

TL Group Board

Tetra Laval International

Tetra Pak

RemCo AuditCo

Charters of ResponsibilitiesCode of Business Conduct

Group Policies and Procedures

DeLaval Sidel

First and second lines defense

Third line of defense

General

Events, internal or external, that

could impact Tetra Pak’s ability to

achieve current objectives or

damage Tetra Pak’s long term

value

Managed via the Corporate

Governance Framework

Uncertainty from the external

environment requiring an adjustment

or change to Tetra Pak’s

strategic direction

Managed via Strategic

planning

Operational, Compliance & Reporting Risks

Strategic Risks

Two different Risk Management processes

General

Jan Feb March April May June July August Sept. Oct Nov Dec

StrategicRisk

Management

Operational Risk

Management

Yearly GRC cycle

Strategy to the TLG Board

Risk Update to the TLG Board

Corporate Risks Compliance, Ethics, Assets, Reporting

Operations Risks -

Compliance, Ethics, Assets, Reporting

Control Assessment(CSA & other Assessments)

3Y Business & Financial Planning

Corporate Functions

Operations

Corporate Risks

Operational

3Y Business & Financial plan in Clusters

Management Declaration

General

Three lines of defense

Executive ManagementOperations

Global Process Teams and Policy Owners

Corporate Risk assessment Q4

Provide Risk Guidelines Q1

SupportChallenge

Align on Key Controls Q4

Operation Risks & Control assessments

Q2-Q3

First line

Corporate Risk Category Owners

Second line

Group Board & Audit Committee

Third lineInternal Audit

Management Declaration

Q1

/ 35

General

A Common Risk & Control Framework

/ 36

A common risk universe

A common control universe

A common set of KPIs

General

Simplify the tool to support decision making

Risk Assessors and Risk Owners

Master Data-

Risk Assessments-

Control Assessments

Visualization

Indicators

VIZUALITION TOOLS

General

Understanding rather than Reporting

General

Risk and Performance Indicators

General

Risk dashboardsLive data for Operational Management

Thank you!

Please help us improve the quality of our event by

filling in our evaluations

• Directly on our mobile application

• Paper evaluation form to give back to our hostess at

the end of the session