The Role of Business Intelligence in Your Governance, Risk, and Compliance Programs
DESCRIPTION
http://spr.ly/SBOUC_VP - Governance, risk and compliance (GRC) programs advance in response to added compliance requirements and the need for further risk oversight. Successful GRC programs have leveraged business intelligence to meet monitoring, analytical and reporting needs. Learn how BI innovations may allow GRC to be managed more strategically in real time and with predictive analytics. Presenter: Bruce McCuaig, SAP
TRANSCRIPT
The Role of Business Intelligence in Your Governance, Risk
and Compliance Programs
Bruce McCuaig Director SAP GRC Solution Marketing
© 2012 SAP AG. All rights reserved. 1
Agenda
• GRC – History, Importance, Definition
• SAP Solutions for GRC
• Current State of the GRC Profession
• A Practical Approach to a GRC Discipline
• The Role of BI in GRC
• Wrap-up
GRC History: Lessons from the Financial Crisis (OECD)
"... the financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies."
GRC History: From the OECD report
• Information about exposures did not reach the board and even senior levels of management.
• Risk management was activity rather than enterprise-based.
• Boards approved strategy but did not establish suitable metrics to monitor its implementation.
• Remuneration systems have not been closely related to the strategy and risk appetite of the company and its longer term interests.
GRC Importance: Other reasons for corporate failures
• Decisions may be made based on unreliable or untimely information
• Employees don’t understand how the strategy affects them, and how their decisions impact others
• It’s unclear who is accountable for ensuring execution of initiatives, projects, and tasks
GRC Importance: Other reasons for corporate failures (cont.)
• There’s no link between budgeting and strategy
• There’s no link between strategy and risks
  o Risks are not addressed and managed during strategy definition, planning, execution, or monitoring
• Incentive systems aren’t linked to strategy; individual goals are not aligned with the company’s
• Plus … there needs to be Executive Commitment and a culture that embraces performance management
Question: Isn’t There a Role for BI Somewhere Here?
GRC Defined
A capability that enables an organization to reliably achieve objectives while
addressing uncertainty and acting with integrity
Source: OCEG
GRC: “A system of people, processes and technology that enables an organization to:
• understand and prioritize stakeholder expectations;
• set business objectives that are congruent with values and risks;
• achieve objectives while optimizing risk profile and protecting value;
• operate within legal, contractual, internal, social and ethical boundaries;
• provide relevant, reliable and timely information to appropriate stakeholders; and
• enable the measurement of the performance and effectiveness of the system.”
Source: OCEG
SAP solutions for GRC: Manage, Protect, Perform
• SAP Access Control: Confidently manage and reduce access risk enterprise-wide
• SAP Process Control: Ensure effective controls and ongoing compliance
• SAP Risk Management: Align enterprise risks with business value
• SAP Global Trade Services: Optimize global supply chain and ensure compliance
Key Competencies For Success: SAP solutions for GRC
Analyze: Dashboards & Visualization, Interactive Analysis, Exploration, Reports
Monitor: KRIs, Controls, Transactions, Privileges, Events
Manage: Risk, Compliance, Audit, Policy, Access, Exception
GRC for LoBs: IT, Supply Chain, Sales and Marketing, Finance, …
GRC for Industries: Banking, Utilities, Mfg, Oil & Gas, CPG, …
Enterprise Applications, Legacy Apps, IT Infrastructure
SAP Process Control: Ensure effective controls and ongoing compliance
• Automate compliance and control management
• Continuously monitor control effectiveness
• Embed compliance and control activities in business processes
SAP Risk Management: Align enterprise risks with business value
• Protect the fundamental business value drivers
• Insight into the changing levels of risk
• Visibility into catastrophic value destroying risks
GRC Current State: Board Perspective
© OCEG. All rights reserved.
Current State
GRC Current State: Professional Perspective
Operational Risk, Enterprise Risk, Financial Controls, IT Governance, Compliance, Audit
Gaps, overlaps, inconsistent language, different methodology, inconsistent or no standards, wide reporting variations, no collaboration, no common goal, no link to business performance, professional distrust…
GRC: Evolving Infrastructure and Environment
Key Capabilities for GRC Success (Exists Y/N):
• Proven implementation strategies and mature oversight practices for Boards: N
• A community of professionals trained and certified in best practices: N
• Widely accepted standards are in place: N
• A consistent methodology exists, has been effectively communicated, and is adhered to: N
• Service providers offer non-proprietary methods and tools: N
• Standard reporting formats exist (e.g., no analogy to balance sheet and P&L): N
• An assurance process exists to certify results: N
The infrastructure and environment required to support sustained, value-adding GRC is growing slowly.
Technology will not succeed in the absence of sound strategy and support.
Closing the Gap – Comparing Risk Management and Financial Management
Financial Management vs. Risk Management:
• Financial Management: Financial accounting is supported and driven by trained and certified financial professionals around the world.
  Risk Management: Risk management is an emerging profession with ad hoc training at best. Many risk management professionals have no relevant training. Many are financial management professionals.
• Financial Management: Financial accounting is governed by specific rules and principles (GAAP, IFRS). Diversity in practices is limited.
  Risk Management: There are few formal, widely accepted frameworks guiding risk management. Diversity in practices is enormous.
• Financial Management: Financial statements and internal control systems are audited.
  Risk Management: Risk disclosures and risk management systems are unaudited.
• Financial Management: Financial management oversight provided by audit committees with strong legal mandate.
  Risk Management: Board oversight of risk is emerging and legitimacy of Board role is established.
• Financial Management: Standard reports exist (e.g., Balance sheet, P&L etc.).
  Risk Management: No standards exist for what to report or how to report. Practitioners are often secretive.
• Financial Management: Enabled by integrated mature technology that supports content, methodology and reporting. Financial management preceded technology and shaped technology solutions.
  Risk Management: Enabled by technology in a vacuum of content, methodology and reporting. Technology precedes risk management and can shape its standards and practices.
Steps to Align:
• Support and influence key standard setters such as COSO, OCEG, NACD and support research and best practices through EIU and selected partners
• Provide sound, simple, logical structure for ERM aimed at Boards and C-Level Executives
• Ensure “transparency” of ERM through reporting, analytics, self assessment, survey tools and mobility
• Provide Boards and C-suite execs with simple questions, standards, and reports for their oversight role
• Focus on value, then risk. Link ERM reporting to business performance.
• Integrate RM/PC/AC/EPM to support Principled Performance® or objective-based approach.
Integrating GRC – Aligning Three Perspectives
Three distinctly different views are integrated for fire prevention:
1. The Control Perspective: Fires are inevitable but they can be extinguished if detected promptly. Install fire extinguishers. Document and test controls. Identify issues and correct deficient controls.
2. The Risk Perspective: Fires occur when flammable material is exposed to a source of ignition. Find and eliminate those causes. Avert fires. Find the risk drivers for risk categories and monitor key risk indicators to avert risk events.
3. The Compliance Perspective: Careless people cause fires. Persuading people to change behavior will prevent fires. Develop policy, communicate, motivate and train to manage risky behavior.
Integrated GRC – Shifting from Belief to Knowledge
Current State – Belief Based:
• Managed in silos
• Reactive
• Project or program approach
• Separate from mainstream processes and decision-making
• Fragmented use of technology
Future State – Knowledge Based:
• Enterprise approach
• Proactive
• Systemic approach
• Embedded within mainstream processes and decision-making
• Architected solutions
© OCEG. All rights reserved.
A Practical Approach to a GRC Discipline: Shift the Focus of GRC to Value
Where is the fundamental value of the business?
• GRC solutions and practitioners must align on value drivers
What drives that value?
• GRC activities must create knowledge on how value is added/destroyed
What can destroy that value?
• GRC must create knowledge on how emerging risks and opportunities impact value.
Example: Oil and Gas — Finding the Value
Where is the value of the Oil and Gas business?
• Inventories?
• Refineries?
• Pipelines?
• Management expertise?
• Service stations?
• Oil and gas reserves?
A Practical Approach
Example: Oil and Gas — Finding the Value (cont.)
Personal Anecdote: Matching Value and ERM Resources in Oil and Gas
• 90% of ERM resources are spent on:
  • Refineries
  • Inventories
  • Inventory accounting systems
  • Inventory computer systems
  • Crude and natural gas allocation systems
• In an integrated oil and gas company 90-98% of value is in proven developed and undeveloped oil and gas reserves in the ground
What Processes/Activities Drive Value?
What processes drive value (reserves) in Oil and Gas?
• Inventory management
• Royalty management
• Joint venture/partner management
• Refinery maintenance
• Finding and development
  • Land acquisition
  • Exploration
  • Development
  • Reservoir management
Finding the Killer Risks
Where are the killer risks in Oil and Gas?
• Commodity prices
• Political
• Pipeline explosions and spills
• Refinery explosions and spills
• Well blow outs
Example: Utilities — Finding the Value
Where is the value of an Electrical Utility?
• Fixed Assets?
• Human Resources?
• Spare parts inventories?
• Billing systems?
• Environmental controls?
• Reliability?
Example: Utilities — Finding the Value (cont.)
Personal Anecdote: Matching Value and ERM Resources in Electrical Utilities
• 75-90% of ERM resources are spent on:
  • Service parts inventories
  • Spare parts inventories
  • Procurement systems
  • Billing systems
  • Capital expenditures
  • SOX
• Electrical Utilities are valued largely based on their reliable generation, transmission and distribution of power
What Processes/Activities Drive Value?
What processes drive value (reliability) in an Electrical Utility?
• Payables/inventory
• Payroll
• Financial reporting
• Customer billing systems
• Energy Supply
• Energy Generation
• Transmission/Distribution
Finding the Killer Risks
Where are the killer risks in electrical generation and transmission?
• Commodity price volatility
• Commodity supply
• Energy availability
• Extreme weather
• Grid failure
Example: Health Care — Finding the Value
Where is the value of a Home Health Care Provider?
• Billing systems?
• Skilled people?
• Contracts with nursing agencies?
• Medical record systems?
• Client health outcomes?
Example: Health Care — Finding the Value (cont.)
Personal Anecdote: Matching Value and ERM Resources in Home Health Care
• 90-95% of ERM/GRC resources are spent on:
  • Vendor selection
  • Invoice processing
  • Invoice verification
  • Time and service tracking
  • Financial reporting
• Home health care agencies provide value based on their ability to keep clients safe in their home.
What Processes/Activities Drive Value?
What processes drive value (health outcomes) in Home Health Care?
• Claims management?
• Facilities management?
• Procurement/Payables?
• Case management!
• Vendor management!
Finding the Killer Risks
What are the big risks in Home Health Care?
• Pandemic
• Aging population
• Obesity
• Diabetes
• Vendor performance
Example: Airlines — Finding the Value
Where is the value of an airline?
• Reservation systems?
• Route structure?
• Aircraft fleet?
• Landing rights?
• Human resources?
Example: Airlines — Finding the Value (cont.)
One equity analyst prepared a research report and made buy/sell recommendations based entirely on their HR practices
• Value was driven by customer experience
• Customer experience was driven by how they were treated
What % of ERM focus is on people management?
The Role of BI in GRC - Examples
The Role of BI in GRC: Creating a Value Dashboard
Dashboard columns: Priority KPI’s; Ability of SAP to support this KPI; Mapping of KPI to Value Prop (Align Risk Management With Your Unique Value Drivers; Create Reliable Insight into How Value is Created and Destroyed; Act on Emerging Risks And Opportunities)
Sources: <source names>, ISO 31000, COSO 2010 Report on ERM
KPI’s:
• % of value drivers identified
• % of value adding or preserving activities/processes identified
• % of value driving activities with complete risk assessments and responses
• Internal audit opinion on reliability of risk management process
• # of unanticipated risk events occurring
• # of risks identified by management vs. GRC professionals
• % of risk, audit, compliance, financial reporting professionals using RM for planning, analysis, reporting etc.
• Number of Key Risk Indicators, KRI’s per Risk Driver
• KRI’s within range, KRI alerts outstanding
• Percent of controls, policies etc. not linked to risks
The Role of BI in GRC – Controls in Oil and Gas Finding and Development Processes
What Information is Required (Possible sources):
1. Are budgets approved? (Possible source: Budget and planning system)
2. Is spending approved? (Possible source: Capital expenditure system)
3. Are expenditures over/under budget? (Possible source: Capital expenditure system for AFE tracking)
4. Are vendors approved? (Possible source: Approved vendor list)
5. Are contractors qualified? (Possible source: Public safety records)
6. Is reported production accurate? (Possible source: Comparison to production history/planned profile)
The Role of BI in GRC – Controls in Oil and Gas Finding and Development Processes (cont.)
What Information is Required (Possible sources):
7. Are wells classified properly? (Possible source: Analysis of well location to reserves locations)
8. Are reserves booked properly? (Possible source: Comparison of well classification to reserves)
9. Are F&D costs calculated properly? (Possible source: Analysis of well costs to reserves booked)
10. Is seismic and other key data secure? (Possible source: Analysis of access logs / unauthorized access attempts / incidents)
11. Is land position secure and valid? (Possible source: Comparison of land to public records)
The Role of BI in Control Documentation and Testing
Question: Can BI reduce the cost of controls in GRC by aligning them with business performance?
– Is knowledge of business performance evidence of control effectiveness?
The Role of BI – Client Safety Risks in Home Health Care
What Information is Required (Possible Sources):
1. Are service providers meeting SLA? (Possible sources: Complaints, missed nursing visits, caregiver certification)
2. Are clients receiving care at home? (Possible source: Hospital emergency admissions for clients/non-clients)
3. Are clients safe? (Possible source: Reported safety issues/incidents)
4. Are hospitals discharging on time? (Possible source: Rates of non-essential hospitalization (ALC rates))
5. Is case management equitable? (Possible source: Benchmark against other home health care providers)
6. Are priority clients served? (Possible source: Track % of high need 75+ age)
7. What are the risk drivers? (Possible source: Resources allocated by category – diabetes, dementia, obesity)
The Role of BI in GRC Risk Management
Question: Can BI drive improved performance through better risk management?
– Can predictive indicators avert or avoid risk and drive down incidents and loss events?
The Role of BI: Assessing Human Behavior Driving Airlines Customer Experience
April 2007
The Role of BI: Driving Airline Value With Human Behavior
• % of employee shareholders
• Key employee departures
• Applications received for advertised position
• % of HR staff to total staff
• Average employee age
• Average education level
• % of profit sharing to total comp
• Frequency of performance reviews
• Extent, duration of employee assistance
• Average training days/year
• % training budget on front line staff
• Absenteeism rates
• # and duration of labor disruptions
• Revenue per employee
• Overall employee turnover
• % of social liabilities unfunded
• Customer satisfaction surveys
• % HR representation on management committees
The Role of BI in Human Capital Management
Question: Can BI help align human capital with corporate value drivers?
– Can BI help measure and improve aggregate human performance?
Wrap Up: The Role of BI in GRC
• GRC practices have failed to routinely detect or prevent catastrophic losses and corporate failures
• GRC practices today largely ignore business performance as a variable
• Today’s GRC practices are fragmented, siloed and inefficient
• BI has the potential to transform GRC practices by:
  • Creating dashboards to map GRC activities to value
  • Reducing the reliance on controls in favor of knowledge of performance
  • Increasing performance by monitoring, predicting and driving down risk events
  • Aligning human behavior with value creation
Thank You!
Contact information:
Bruce McCuaig
Director, Solution Marketing, Governance Risk and Compliance
+1 647 823 8490