space 5 - ferma forum 2019 · 11/19/2019 · 2018 sap se or an sap affiliate company. all...
TRANSCRIPT
Space 5
Risk Management in the Digital Boardroom
Michael Heckner
GRC Center of Excellence SAP
November 19, 2019
Why GRC?
PUBLIC © 2019 SAP SE or an SAP affiliate company. All rights reserved.
Risk-Adjusted Management: Two Sides of a Coin
Board Objectives
• Increase Revenue
• Increase Profit
• Increase Customer Satisfaction
• Increase Customer Retention
• Innovate with new products
• Expand into new markets
• …
Performance
• Balance Sheet
• Profit & Loss
• …
Three Lines of Defense
• Risk Report
• Controls & Compliance
• Audit Report
Risks
• Reputation
• Finance
• Planning & Innovation
• Operations
• Cybersecurity
• Data Protection
• …
Risk-Adjusted Management
“Companies on average realize only 60% of the financial performance their strategies promise ... more than one-third of executives surveyed placed the figure at less than 50%.”
Source: Harvard Business Review
Demo: Digital Boardroom
Risk Management in the Digital Boardroom
Holistic risk analysis and embedded controls: Reimagine risk and compliance
• Real-time risk analysis
• Policy definition
• Real-time audits
• Access governance
• Automated controls
• Transaction screening
• Threat detection
SAP 3LoD Demo: One view of risk across the enterprise tied to objectives
Tied to Objectives
• Risk management framework aligned with business value drivers
• One view of business objectives linked to related risks, controls, and issues
Increased Accountability
• Clear lines of responsibility across operations, risk and compliance management, and internal audit
• Support for an integrated three lines of defense approach
Improved Alignment
• Risk-based approach to reduce unneeded effort for controls and audits
• Focused collaboration to leverage expert knowledge and improve decision making
Customer Case Study.
Managing Objectives: Example of an Integrated Risk Management Process
Source: Case Study: Enabling the three lines of defense at Reliance Industries Limited, Maurice Sanden, 10/2018
[Process diagram. Labels:]
• Strategy; Operating Plan; Operate / Execute
• Strategic Objectives; Operational Objectives; Reporting Objectives; Compliance Objectives
• OMS; PMS; FMS
• Risk Identification
• Risk Assessment
• Risk Action Plan to reduce risk
• Risk Mitigations
• Policy to set boundaries
• Policy Acknowledgement (LoD1)
• Policy Enforcement through Controls
• Controls to manage risk
• Controls Integrated in Processes
• Control Self Assessments (LoD1)
• Continuous Monitoring Capability
• Functional Assurance (LoD2)
• Risk and Controls Monitoring
• Certification of progress and effectiveness (LoD1)
• Appraise Performance
• Report
• Against organizational & process objectives
Legend: "SAP" marker = Activity enabled by SAP GRC solutions
Summary.
Towards Embedded GRC Management: Going From Afterthought to Forethought
Fragmented Approach: GRC is Often Treated as an Afterthought
People – Middleware
[Diagram: blocks labelled USER MANAGEMENT, ARCHIVE, WORK FLOW, BUSINESS INTELLIGENCE and PORTAL, each repeated several times]
Separate from the main processes
Unified Approach: Business Leaders Build In GRC as a Forethought
One common platform
• Leverage S/4HANA (and Central Finance)
• Standardization and Harmonization (e.g. consistent UI for ERP and GRC)
Resulting in
• Single version of the truth
• GRC management by exception
• Reliably achieve business objectives
SAP GRC
SAP at FERMA Forum 2019, Booth 15
International SAP Conference on Internal Controls, Compliance and Risk Management 2020
We are delighted to share that the International SAP Conference on Internal Controls, Compliance and Risk Management 2020 will be taking place from 3 - 4 March 2020, in Copenhagen, Denmark.
Join us in the quaint and refreshing city of Copenhagen, one of the most liveable cities in the world, for two days of inspiring keynotes, best practice user case studies, the latest industry trends and updates, exciting demos and an offsite networking reception. With over 16 hours of interactive content and networking time, our event represents a unique and world class learning opportunity.
You and your team do not want to miss the return of this international conference for senior business professionals from the fields of Internal Controls, Compliance, Business Process, Audit and Risk Management. For more information, please see the website: http://www.tacevents.com/ccr2020
March 3-4, 2020 | Copenhagen, Denmark | www.tacevents.com/ccr2020
Connected Controls and Risks
• 150+ Attendees
• 7+ Customer Case Studies
• 2 Deep Dive Workshops
• 10+ Hours of Content
• 7+ Interactive Networking
Find information on SAP Three Lines of Defense solutions on www.sap.com/grc
• GRC in the SAP Digital Boardroom
• GRC 20/20 Solution Perspective
• Oxford GRC Infographic
• Introducing Three Lines of Defense
• Three Lines of Defense E-Book
• GRC Solution Brief
Thank you very much for your attention
Please help us improve the quality of our event by filling in our evaluations
• Directly on our mobile application
• Paper evaluation form to give back to our hostess at the end of the session
Our speaker
Didier Odorico
Corporate Risk Manager, Tetra Pak
+41.79.370.0516
A Case Study
“Three Lines of Defense” in large, complex, multinational enterprises
The application of the Three Lines of Defense methodology in organizations has provided sound footing for better visibility, accountability, and effectiveness related to risk. Don’t miss out on hearing firsthand how Tetra Pak are deploying the latest technologies and transforming their vision into execution. In this panel session, you will hear real use cases focusing on:
• Primary challenges faced, and game plan developed
• Lessons learned from aligning culture and process to take advantage of new capabilities
• Tips on how functionalities in SAP GRC solutions can support risk reporting processes
Tetra Pak / 2019
The Company: Liquid food Processing and Packaging solutions since 1959…
>25,480 Employees
>160 Countries
€11.2 billion Net sales
Units delivered: Packaging 351; Processing 2 301; Downstream 942
Units in operation: Packaging >8 700; Processing >81 000; Downstream >20 800
>3% of turnover: Investment in R&D
… with a Global Footprint
93 Sales offices
31 Market companies
5 R&D Centres
11 Technical Training Centres
56 Productions plants
6 Customer Innovation Centres
12 Processing & production sites
10 Product Development Centres
Corporate Governance Framework
TL Group Board
Tetra Laval International
Tetra Pak
RemCo AuditCo
Charters of Responsibilities
Code of Business Conduct
Group Policies and Procedures
DeLaval Sidel
First and second lines of defense
Third line of defense
Two different Risk Management processes
Operational, Compliance & Reporting Risks
• Events, internal or external, that could impact Tetra Pak’s ability to achieve current objectives or damage Tetra Pak’s long term value
• Managed via the Corporate Governance Framework
Strategic Risks
• Uncertainty from the external environment requiring an adjustment or change to Tetra Pak’s strategic direction
• Managed via Strategic planning
Yearly GRC cycle
[Timeline figure, January to December, with two tracks: Strategic Risk Management and Operational Risk Management. Labels on the timeline:]
• Strategy to the TLG Board
• Risk Update to the TLG Board
• 3Y Business & Financial Planning
• 3Y Business & Financial plan in Clusters
• Corporate Risks: Compliance, Ethics, Assets, Reporting
• Operations Risks: Compliance, Ethics, Assets, Reporting
• Control Assessment (CSA & other Assessments)
• Management Declaration
• Further labels: Corporate Functions, Operations, Corporate Risks, Operational
Three lines of defense
Executive Management
Operations
Global Process Teams and Policy Owners
Corporate Risk assessment Q4
Provide Risk Guidelines Q1
Support
Challenge
Align on Key Controls Q4
Operation Risks & Control assessments Q2-Q3
First line
Corporate Risk Category Owners
Second line
Group Board & Audit Committee
Third line
Internal Audit
Management Declaration Q1
A Common Risk & Control Framework
A common risk universe
A common control universe
A common set of KPIs
Simplify the tool to support decision making
Risk Assessors and Risk Owners
Master Data
Risk Assessments
Control Assessments
Visualization
Indicators
VISUALIZATION TOOLS
Understanding rather than Reporting
Risk and Performance Indicators
Risk dashboards: Live data for Operational Management
Thank you!