The Role of Business Intelligence in Your Governance, Risk
and Compliance Programs

Bruce McCuaig, Director, SAP GRC Solution Marketing

Agenda


•   GRC – History, Importance, Definition
•   SAP Solutions for GRC
•   Current State of the GRC Profession
•   A Practical Approach to a GRC Discipline
•   The Role of BI in GRC
•   Wrap-up

© 2012 SAP AG. All rights reserved.

GRC History: Lessons from the Financial Crisis (OECD)

"... the financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies."

GRC History: From the OECD report

•   Information about exposures did not reach the board and even senior levels of management.
•   Risk management was activity rather than enterprise-based.
•   Boards approved strategy but did not establish suitable metrics to monitor its implementation.
•   Remuneration systems have not been closely related to the strategy and risk appetite of the company and its longer term interests.

GRC Importance: Other reasons for corporate failures

•   Decisions may be made based on unreliable or untimely information
•   Employees don’t understand how the strategy affects them, and how their decisions impact others
•   It’s unclear who is accountable for ensuring execution of initiatives, projects, and tasks
•   There’s no link between budgeting and strategy
•   There’s no link between strategy and risks
    o Risks are not addressed and managed during strategy definition, planning, execution, or monitoring
•   Incentive systems aren’t linked to strategy; individual goals are not aligned with the company’s
•   Plus … there needs to be Executive Commitment and a culture that embraces performance management

Question: Isn’t There a Role for BI Somewhere Here?

GRC Defined

A capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity

Source: OCEG

GRC: “A system of people, processes and technology that enables an organization to:

•   understand and prioritize stakeholder expectations;
•   set business objectives that are congruent with values and risks;
•   achieve objectives while optimizing risk profile and protecting value;
•   operate within legal, contractual, internal, social and ethical boundaries;
•   provide relevant, reliable and timely information to appropriate stakeholders; and
•   enable the measurement of the performance and effectiveness of the system.”

Source: OCEG

SAP solutions for GRC
Manage, Protect, Perform

•   SAP Access Control: Confidently manage and reduce access risk enterprise-wide
•   SAP Process Control: Ensure effective controls and ongoing compliance
•   SAP Risk Management: Align enterprise risks with business value
•   SAP Global Trade Services: Optimize global supply chain and ensure compliance

Key Competencies For Success
SAP solutions for GRC

[Figure: layers of SAP solutions for GRC]
•   GRC for Industries: Banking, Utilities, Oil & Gas, CPG, Mfg, …
•   GRC for LoBs: IT, Supply Chain, Sales and Marketing, Finance, …
•   Analyze: Dashboards & Visualization, Interactive Analysis, Exploration, Reports
•   Manage: Risk, Compliance, Audit, Policy, Access, Exception
•   Monitor: KRIs, Controls, Transactions, Privileges, Events
•   Enterprise Applications, Legacy Apps, IT Infrastructure

SAP Process Control
Ensure effective controls and ongoing compliance

•   Automate compliance and control management
•   Continuously monitor control effectiveness
•   Embed compliance and control activities in business processes

SAP Risk Management
Align enterprise risks with business value

•   Protect the fundamental business value drivers
•   Insight into the changing levels of risk
•   Visibility into catastrophic value destroying risks

GRC Current State: Board Perspective

© OCEG. All rights reserved.

GRC Current State: Professional Perspective

Gaps, overlaps, inconsistent language, different methodology, inconsistent or no standards, wide reporting variations, no collaboration, no common goal, no link to business performance, professional distrust…

[Figure labels: Operational Risk, Enterprise Risk, Financial Controls, IT Governance, Compliance, Audit]

GRC: Evolving Infrastructure and Environment

The infrastructure and environment required to support sustained, value-adding GRC is growing slowly

Key Capabilities for GRC Success, and whether each exists (Y/N):
•   Proven implementation strategies and mature oversight practices for Boards: N
•   A community of professionals trained and certified in best practices: N
•   Widely accepted standards are in place: N
•   A consistent methodology exists, has been effectively communicated, and is adhered to: N
•   Service providers offer non-proprietary methods and tools: N
•   Standard reporting formats exist (e.g., no analogy to balance sheet and P&L): N
•   An assurance process exists to certify results: N

Technology will not succeed in the absence of sound strategy and support

Closing the Gap – Comparing Risk Management and Financial Management

Financial Management: Financial accounting is supported and driven by trained and certified financial professionals around the world.
Risk Management: Risk management is an emerging profession with ad hoc training at best. Many risk management professionals have no relevant training. Many are financial management professionals.
Steps to Align: Support and influence key standard setters such as COSO, OCEG, NACD and support research and best practices through EIU and selected partners

Financial Management: Financial accounting is governed by specific rules and principles (GAAP, IFRS). Diversity in practices is limited.
Risk Management: There are few formal, widely accepted frameworks guiding risk management. Diversity in practices is enormous.
Steps to Align: Provide sound, simple, logical structure for ERM aimed at Boards and C-Level Executives

Financial Management: Financial statements and internal control systems are audited
Risk Management: Risk disclosures and risk management systems are unaudited
Steps to Align: Ensure “transparency” of ERM through reporting, analytics, self assessment, surveys tools and mobility

Financial Management: Financial management oversight provided by audit committees with strong legal mandate
Risk Management: Board oversight of risk is emerging and legitimacy of Board role is established
Steps to Align: Provide Boards and C-suite execs with simple questions, standards, and reports for their oversight role

Financial Management: Standard reports exist (e.g., Balance sheet, P&L etc.)
Risk Management: No standards exist for what to report or how to report. Practitioners are often secretive.
Steps to Align: Focus on value, then risk. Link ERM reporting to business performance.

Financial Management: Enabled by integrated mature technology that supports content, methodology and reporting. Financial management preceded technology and shaped technology solutions.
Risk Management: Enabled by technology in a vacuum of content, methodology and reporting. Technology precedes risk management and can shape its standards and practices.
Steps to Align: Integrate RM/PC/AC/EPM to support Principled Performance® or objective-based approach.

Integrating GRC – Aligning Three Perspectives

Three distinctly different views are integrated for fire prevention

1. The Control Perspective
   •   Fires are inevitable but they can be extinguished if detected promptly. Install fire extinguishers.
   •   Document and test controls. Identify issues and correct deficient controls

2. The Risk Perspective
   •   Fires occur when flammable material is exposed to a source of ignition. Find and eliminate those causes. Avert fires
   •   Find the risk drivers for risk categories and monitor key risk indicators to avert risk events

3. The Compliance Perspective
   •   Careless people cause fires. Persuading people to change behavior will prevent fires.
   •   Develop policy, communicate, motivate and train to manage risky behavior

Integrated GRC – Shifting from Belief to Knowledge

Current State – Belief Based
•   Managed in silos
•   Reactive
•   Project or program approach
•   Separate from mainstream processes and decision-making
•   Fragmented use of technology

Future State – Knowledge Based
•   Enterprise approach
•   Proactive
•   Systemic approach
•   Embedded within mainstream processes and decision-making
•   Architected solutions

© OCEG. All rights reserved.

A Practical Approach to a GRC Discipline: Shift the Focus of GRC to Value

Where is the fundamental value of the business?
•   GRC solutions and practitioners must align on value drivers

What drives that value?
•   GRC activities must create knowledge on how value is added/destroyed

What can destroy that value?
•   GRC must create knowledge on how emerging risks and opportunities impact value.

Example: Oil and Gas — Finding the Value

Where is the value of the Oil and Gas business?
•   Inventories?
•   Refineries?
•   Pipelines?
•   Management expertise?

•   Service stations?
•   Oil and gas reserves?

Example: Oil and Gas — Finding the Value (cont.)

Personal Anecdote: Matching Value and ERM Resources in Oil and Gas
•   90% of ERM resources are spent on:
    •   Refineries
    •   Inventories
    •   Inventory accounting systems
    •   Inventory computer systems
    •   Crude and natural gas allocation systems

•   In an integrated oil and gas company 90-98% of value is in proven developed and undeveloped oil and gas reserves in the ground

What Processes/Activities Drive Value?

What processes drive value (reserves) in Oil and Gas?
•   Inventory management
•   Royalty management
•   Joint venture/partner management
•   Refinery maintenance

•   Finding and development
    •   Land acquisition
    •   Exploration
    •   Development
    •   Reservoir management

Finding the Killer Risks

Where are the killer risks in Oil and Gas?
•   Commodity prices
•   Political
•   Pipeline explosions and spills
•   Refinery explosions and spills
•   Well blow outs

Example: Utilities — Finding the Value

Where is the value of an Electrical Utility?
•   Fixed Assets?
•   Human Resources?
•   Spare parts inventories?
•   Billing systems?
•   Environmental controls?
•   Reliability?

Example: Utilities — Finding the Value (cont.)

Personal Anecdote: Matching Value and ERM Resources in Electrical Utilities
•   75-90% of ERM resources are spent on:
    •   Service parts inventories
    •   Spare parts inventories
    •   Procurement systems
    •   Billing systems
    •   Capital expenditures
    •   SOX

•   Electrical Utilities are valued largely based on their reliable generation, transmission and distribution of power

What Processes/Activities Drive Value?

What processes drive value (reliability) in an Electrical Utility?
•   Payables/inventory
•   Payroll
•   Financial reporting
•   Customer billing systems

•   Energy Supply
•   Energy Generation
•   Transmission/Distribution

Finding the Killer Risks

Where are the killer risks in electrical generation and transmission?
•   Commodity price volatility
•   Commodity supply
•   Energy availability
•   Extreme weather

•   Grid failure

Example: Health Care — Finding the Value

Where is the value of a Home Health Care Provider?
•   Billing systems?
•   Skilled people?
•   Contracts with nursing agencies?
•   Medical record systems?

•   Client health outcomes?

Example: Health Care — Finding the Value (cont.)

Personal Anecdote: Matching Value and ERM Resources in Home Health Care
•   90-95% of ERM/GRC resources are spent on:
    •   Vendor selection
    •   Invoice processing
    •   Invoice verification
    •   Time and service tracking
    •   Financial reporting

•   Home health care agencies provide value based on their ability to keep clients safe in their home.

What Processes/Activities Drive Value?

What processes drive value (health outcomes) in Home Health Care?
•   Claims management?
•   Facilities management?
•   Procurement/Payables?

•   Case management!
•   Vendor management!

Finding the Killer Risks

What are the big risks in Home Health Care?
•   Pandemic
•   Aging population
•   Obesity
•   Diabetes

•   Vendor performance

Example: Airlines — Finding the Value

Where is the value of an airline?
•   Reservation systems?
•   Route structure?
•   Aircraft fleet?
•   Landing rights?
•   Human resources?

Example: Airlines — Finding the Value (cont.)

One equity analyst prepared a research report and made buy/sell recommendations based entirely on their HR practices
•   Value was driven by customer experience
•   Customer experience was driven by how they were treated

What % of ERM focus is on people management?

The Role of BI in GRC - Examples

Three distinctly different views are integrated for fire prevention

1. The Control Perspective
   •   Fires are inevitable but they can be extinguished if detected promptly. Install fire extinguishers.
   •   Document and test controls. Identify issues and correct deficient controls

2. The Risk Perspective
   •   Fires occur when flammable material is exposed to a source of ignition. Find and eliminate those causes. Avert fires
   •   Find the risk drivers for risk categories and monitor key risk indicators to avert risk events

3. The Compliance Perspective
   •   Careless people cause fires. Persuading people to change behavior will prevent fires.
   •   Develop policy, communicate, motivate and train to manage risky behavior

The Role of BI in GRC: Creating a Value Dashboard

Dashboard columns: Priority, SAP Support, KPI’s, and three objectives:
(A) Align Risk Management With Your Unique Value Drivers
(B) Create Reliable Insight into How Value is Created and Destroyed
(C) Act on Emerging Risks And Opportunities

KPI’s, with the objectives each is marked (►) against:
•   % of value drivers identified: A
•   % of value adding or preserving activities/processes identified: A, B, C
•   % of value driving activities with complete risk assessments and responses: A, B
•   Internal audit opinion on reliability of risk management process: A, B
•   # of unanticipated risk events occurring: B, C
•   # of risks identified by management vs. GRC professionals: B, C
•   % of risk, audit, compliance, financial reporting professionals using RM for planning, analysis, reporting etc.: A, B
•   Number of Key Risk Indicators, KRI’s per Risk Driver: B, C
•   KRI’s within range, KRI alerts outstanding: A, B, C
•   Percent of controls, policies etc. not linked to risks: A, B

Legend: Priority KPI’s; Ability of SAP to support this KPI; Mapping of KPI to Value Prop
Sources: ISO 31000; COSO 2010 Report on ERM

The Role of BI in GRC – Controls in Oil and Gas Finding and Development Processes

What Information is Required                   Possible sources
1.  Are budgets approved?                      Budget and planning system
2.  Is spending approved?                      Capital expenditure system
3.  Are expenditures over/under budget?        Capital expenditure system for AFE tracking
4.  Are vendors approved?                      Approved vendor list
5.  Are contractors qualified?                 Public safety records
6.  Is reported production accurate?           Comparison to production history/planned profile
7.  Are wells classified properly?             Analysis of well location to reserves locations
8.  Are reserves booked properly?              Comparison of well classification to reserves
9.  Are F&D costs calculated properly?         Analysis of well costs to reserves booked
10. Is seismic and other key data secure?      Analysis of access logs/unauthorized access attempts/incidents
11. Is land position secure and valid?         Comparison of land to public records

The Role of BI in Control Documentation and Testing

Question: Can BI reduce the cost of controls in GRC by aligning them with business performance?
  – is knowledge of business performance evidence of control effectiveness?

The Role of BI – Client Safety Risks in Home Health Care

What Information is Required                   Possible Sources
1.  Are service providers meeting SLA?         Complaints - missed nursing visits - caregiver certification
2.  Are clients receiving care at home?        Hospital emergency admissions for clients/non-clients
3.  Are clients safe?                          Reported safety issues/incidents
4.  Are hospitals discharging on time?         Rates of non-essential hospitalization (ALC rates)
5.  Is case management equitable?              Benchmark against other home health care providers
6.  Are priority clients served                Track % of high need 75+ age
7.  What are the risk drivers                  Resources allocated by category – diabetes, dementia, obesity

The Role of BI in GRC Risk Management



Question: Can BI drive improved
performance through better risk
management?
  – can predictive indicators avert or avoid risk
   and drive down incidents and loss events?



The Role of BI: Assessing Human Behavior Driving
Airlines Customer Experience




                                      April 2007




The Role of BI: Driving Airline Value With Human Behavior

•   % of employee shareholders
•   Key employee departures
•   Applications received for advertised position
•   % of HR staff to total staff
•   Average employee age
•   Average education level
•   % of profit sharing to total comp
•   Frequency of performance reviews
•   Extent, duration of employee assistance
•   Average training days/year
•   % training budget on front line staff
•   Absenteeism rates
•   # and duration of labor disruptions
•   Revenue per employee
•   Overall employee turnover
•   % of social liabilities unfunded
•   Customer satisfaction surveys
•   % HR representation on management committees


The Role of BI in Human Capital Management



Question: Can BI help align human
capital with corporate value drivers?
      – Can BI help measure and improve
        aggregate human performance?




Wrap Up: The Role of BI in GRC

•   GRC practices have failed to routinely detect or prevent catastrophic losses and corporate failures
•   GRC practices today largely ignore business performance as a variable
•   Today's GRC practices are fragmented, siloed and inefficient
•   BI has the potential to transform GRC practices by:
    –   Creating dashboards to map GRC activities to value
    –   Reducing the reliance on controls in favor of knowledge of performance
    –   Increasing performance by monitoring, predicting and driving down risk events
    –   Aligning human behavior with value creation




Thank You!


Contact information:

Bruce McCuaig
Director, Solution Marketing, Governance Risk and Compliance
Bruce.mccuaig@sap.com
+1 647 823 8490

The Role of Business Intelligence in Your Governance, Risk, and Compliance Programs

  • 1. The Role of Business Intelligence in Your Governance, Risk and Compliance Programs Bruce McCuaig Director SAP GRC Solution Marketing
  • 2. Agenda • GRC – History, Importance, Definition • SAP Solutions for GRC • Current State of the GRC Profession • A Practical Approach to a GRC Discipline • The Role of BI in GRC • Wrap-up SAP Current Why GRC Is A Practical Solutions for State of Role of BI Wrap up Important Approach GRC GRC © 2012 SAP AG. All rights reserved. 1
  • 3. GRCHistory: Lessons from the Financial Crisis (OECD) ― ... the financial crisis can be to an important extent attributed to failures and weaknesses in corporate governance arrangements. When they were put to a test, corporate governance routines did not serve their purpose to safeguard against excessive risk taking in a number of financial services companies. © 2012 SAP AG. All rights reserved. 2
  • 4. GRC History: From the OECD report  Information about exposures did not reach the board and even senior levels of management.  Risk management was activity rather than enterprise-based.  Boards approved strategy but did not establish suitable metrics to monitor its implementation.  Remuneration systems have not been closely related to the strategy and risk appetite of the company and its longer term interests. © 2012 SAP AG. All rights reserved. 3
  • 5. GRC Importance: Other reasons for corporate failures  Decisions may be made based on unreliable or untimely information  Employees don’t understand how the strategy affects them, and how their decisions impact others  It’s unclear who is accountable for ensuring execution of initiatives, projects, and tasks © 2012 SAP AG. All rights reserved. 4
  • 6. GRC Importance: Other reasons for corporate failures  There’s no link between budgeting and strategy  There’s no link between strategy and risks o Risks are not addressed and managed, during strategy definition, planning, execution, or monitoring  Incentive systems aren’t linked to strategy, individual goals are not aligned with the company’s  Plus … there needs to be Executive Commitment and a culture that embraces performance management © 2012 SAP AG. All rights reserved. 5
  • 7. Question: Isn’t There a Role for BI Somewhere Here? © 2012 SAP AG. All rights reserved. 6
  • 8. GRC Defined A capability that enables an organization to reliably achieve objectives while addressing uncertainty and acting with integrity Source: OCEG © 2012 SAP AG. All rights reserved. 7
  • 9. GRC: “A system of people, processes and technology that enables an organization to:  understand and prioritize stakeholder expectations;  set business objectives that are congruent with values and risks;  achieve objectives while optimizing risk profile and protecting value;  operate within legal, contractual, internal, social and ethical boundaries;  provide relevant, reliable and timely information to appropriate stakeholders; and  enable the measurement of the performance and effectiveness of the system.” Source: OCEG © 2012 SAP AG. All rights reserved. 8
  • 10. Agenda • GRC – History, Importance, Definition • SAP Solutions for GRC • Current State of the GRC Profession • A Practical Approach to a GRC Discipline • The Role of BI in GRC • Wrap-up SAP Current Why GRC Is A Practical Solutions for State of Role of BI Wrap up Important Approach GRC GRC © 2012 SAP AG. All rights reserved. 9
  • 11. SAP solutions for GRC Manage, Protect, Perform SAP SAP SAP Global SAP Risk Access Process Trade Management Control Control Services Confidently manage Ensure effective Align enterprise Optimize global and reduce access controls and risks with business supply chain and risk enterprise-wide ongoing compliance value ensure compliance © 2012 SAP AG. All rights reserved. 10
  • 12. Key Competencies For Success SAP solutions for GRC GRC for Industries GRC for LoBs Oil & Gas Sales and Banking Utilities IT Supply Chain CPG Marketing Mfg … Finance … SAP solutions for GRC Analyze Dashboards & Interactive Exploration Reports Visualization Analysis Manage Risk Compliance Audit Policy Access Exception Monitor KRIs Controls Transactions Privileges Events Enterprise Applications Legacy Apps IT Infrastructure © 2012 SAP AG. All rights reserved. 11
  • 13. SAP Process Control Ensure effective controls and ongoing compliance Automate compliance and control management Continuously monitor control effectiveness Embed compliance and control activities in business processes © 2012 SAP AG. All rights reserved. 12
  • 14. SAP Risk Management Align enterprise risks with business value Protect the fundamental business value drivers Insight into the changing levels of risk Visibility into catastrophic value destroying risks © 2012 SAP AG. All rights reserved. 13
  • 15. Agenda • GRC – History, Importance, Definition • SAP Solutions for GRC • Current State of the GRC Profession • A Practical Approach to a GRC Discipline • The Role of BI in GRC • Wrap-up SAP Current Why GRC Is A Practical Solutions for State of Role of BI Wrap up Important Approach GRC GRC © 2012 SAP AG. All rights reserved. 14
  • 16. Current State GRC Current State: Board Perspective © OCEG. All rights reserved. © 2012 SAP AG. All rights reserved. 15
  • 17. GRC Current State: Professional Perspective Current State Gaps, overlaps, inconsistent language, different methodology, inconsistent or no standards, wide reporting variations, no collaboration, no common goal, no link to business performance, professional distrust… Operational Audit Risk Enterprise Risk Compliance Financial IT Controls Governance © 2012 SAP AG. All rights reserved. 16
  • 18. Current GRC: Evolving Infrastructure and Environment State The infrastructure and environment required to support sustained, value-adding GRC is growing slowly Key Capabilities for GRC Success Exists (Y/N) Proven implementation strategies and mature oversight practices for Boards N A community of professionals trained and certified in best practices N Widely accepted standards are in place N A consistent methodology exists, has been effectively communicated, and is N adhered to Service providers offer non-proprietary methods and tools N Standard reporting formats exist (e.g., no analogy to balance sheet and P&L) N An assurance process exists to certify results N Technology will not succeed in the absence of sound strategy and support © 2012 SAP AG. All rights reserved. 17
  • 19. Closing the Gap – Comparing Risk Management Current State and Financial Management Financial Management Risk Management Steps to Align Financial accounting is supported and Risk management is an emerging Support and influence key standard driven by trained and certified financial profession with ad hoc training at best. setters such as COSO, OCEG, NACD professionals around the world. Many risk management professional have and support research and best no relevant training. Many are financial practices through EIU and selected management professions. partners Financial accounting is governed by There are few formal, widely accepted Provide sound, simple, logical specific rules and principles (GAAP, frameworks guiding risk management. structure for ERM aimed at Boards and IFRS). Diversity in practices is limited. Diversity in practices is enormous. C-Level Executives Financial statements and internal control Risk disclosures and risk management Ensure ―transparency‖ of ERM through systems are audited systems are unaudited reporting, analytics, self assessment, surveys tools and mobility Financial management oversight provided Board oversight of risk is emerging and Provide Boards and C-suite execs with by audit committees with strong legal legitimacy of Board role is established simple questions, standards, and mandate reports for their oversight role Standard reports exist (e.g., Balance No standards exist for what to report or Focus on value, then risk. Link ERM sheet, P&L etc.) how to report. Practitioners are often reporting to business performance. secretive. Enabled by integrated mature technology Enabled by technology in a vacuum of Integrate RM/PC/AC/EPM to support that supports content, methodology and content, methodology and reporting. Principled Performance® or objective- reporting. Financial management preceded Technology precedes risk management and based approach. technology and shaped technology can shape it’s standards and practices. 
solutions. © 2012 SAP AG. All rights reserved. 18
  • 20. Current State Integrating GRC – Aligning Three Perspectives Three distinctly different views are integrated for fire prevention Fires are inevitable but Document and test 1. The Control they can be extinguished controls. Identify Perspective if detected promptly. issues and correct Install fire extinguishers. deficient controls Fires occur when Find the risk drivers 2. The Risk flammable material is for risk categories Perspective exposed to a source of and monitor key risk ignition Find and eliminate indicators to avert those causes. Avert fires risk events Careless people cause Develop policy, fires. Persuading people to communicate, 2. The Compliance change behavior will motivate and train Perspective prevent fires. to manage risky behavior 19
  • 21. Integrated GRC – Shifting from Belief to Knowledge Current State – Belief Based Future State- Knowledge • Managed in silo’s Based • Reactive • Enterprise approach • Project or program approach • Proactive • Separate from mainstream processes and • Systemic approach decision-making • Embedded within mainstream processes and • Fragmented use of technology decision-making • Architected solutions © OCEG. All rights reserved. © 2012 SAP AG. All rights reserved. 20
  • 22. Agenda • GRC – History, Importance, Definition • SAP Solutions for GRC • Current State of the GRC Profession • A Practical Approach to a GRC Discipline • The Role of BI in GRC • Wrap-up SAP Current Why GRC Is A Practical Solutions for State of Role of BI Wrap up Important Approach GRC GRC © 2012 SAP AG. All rights reserved. 21
  • 23. A Practical Approach to a GRC Discipline: Shift the Focus of GRC to Value Where is the fundamental • GRC solutions and value of the practitioners must align on value drivers business? • GRC activities must What drives create knowledge on that value? how value is added/destroyed • GRC must create What can knowledge on destroy that how emerging risks and value? opportunities impact value. © 2012 SAP AG. All rights reserved. 22
  • 24. Example: Oil and Gas — Finding the Value A Practical Approach Where is the value of the Oil and Gas business?  Inventories?  Refineries?  Pipelines?  Management expertise?  Service stations?  Oil and gas reserves? © 2012 SAP AG. All rights reserved. 23
  • 25. Example: Oil and Gas — Finding the Value (cont.) A Practical Approach Personal Anecdote: Matching Value and ERM Resources in Oil and Gas • 90 % of ERM resources are spent on: • Refineries • Inventories • Inventory accounting systems • Inventory computer systems • Crude and natural gas allocation systems • In an integrated oil and gas company 90-98% of value is in proven developed and undeveloped oil and gas reserves in the ground © 2012 SAP AG. All rights reserved. 24
  • 26. A Practical What Processes/Activities Drive Value? Approach What processes drive value (reserves) in Oil and Gas?  Inventory management  Royalty management  Joint venture/partner management  Refinery maintenance  Finding and development Land acquisition Exploration Development Reservoir management © 2012 SAP AG. All rights reserved. 25
  • 27. A Practical Finding the Killer Risks Approach Where are the killer risks in Oil and Gas?  Commodity prices  Political  Pipeline explosions and spills  Refinery explosions and spills  Well blow outs © 2012 SAP AG. All rights reserved. 26
  • 28. Example: Utilities — Finding the Value A Practical Approach Where is the value of an Electrical Utility?  Fixed Assets?  Human Resources?  Spare parts inventories?  Billing systems?  Environmental controls?  Reliability? © 2012 SAP AG. All rights reserved. 27
  • 29. Example: Utilities — Finding the Value (cont.) A Practical Approach Personal Anecdote: Matching Value and ERM Resources in Electrical Utilities • 75-90% of ERM resources are spent on: • Service parts inventories • Spare parts inventories • Procurement systems • Billing systems • Capital expenditures • SOX • Electrical Utilities are valued largely based on their reliable generation, transmission and distribution of power © 2012 SAP AG. All rights reserved. 28
  • 30. A Practical What Processes/Activities Drive Value? Approach What processes drive value (reliability) in an Electrical Utility?  Payables/inventory  Payroll  Financial reporting  Customer billing systems  Energy Supply  Energy Generation  Transmission/Distribution © 2012 SAP AG. All rights reserved. 29
  • 31. A Practical Finding the Killer Risks Approach Where are the killer risks in electrical generation and transmission?  Commodity price volatility  Commodity supply  Energy availability  Extreme weather  Grid failure © 2012 SAP AG. All rights reserved. 30
  • 32. Example: Health Care — Finding the Value. Where is the value of a Home Health Care Provider? • Billing systems? • Skilled people? • Contracts with nursing agencies? • Medical record systems? • Client health outcomes?
  • 33. Example: Health Care — Finding the Value (cont.) Personal Anecdote: Matching Value and ERM Resources in Home Health Care • 90-95% of ERM/GRC resources are spent on: • Vendor selection • Invoice processing • Invoice verification • Time and service tracking • Financial reporting • Home health care agencies provide value based on their ability to keep clients safe in their home.
  • 34. What Processes/Activities Drive Value? What processes drive value (health outcomes) in Home Health Care? • Claims management? • Facilities management? • Procurement/Payables? • Case management! • Vendor management!
  • 35. Finding the Killer Risks. What are the big risks in Home Health Care? • Pandemic • Aging population • Obesity • Diabetes • Vendor performance
  • 36. Example: Airlines — Finding the Value. Where is the value of an airline? • Reservation systems? • Route structure? • Aircraft fleet? • Landing rights? • Human resources?
  • 37. Example: Airlines — Finding the Value (cont.) One equity analyst prepared a research report and made buy/sell recommendations based entirely on their HR practices • Value was driven by customer experience • Customer experience was driven by how they were treated. What % of ERM focus is on people management?
  • 38. Agenda • GRC – History, Importance, Definition • SAP Solutions for GRC • Current State of the GRC Profession • A Practical Approach to a GRC Discipline • The Role of BI in GRC • Wrap-up
  • 39. The Role of BI in GRC - Examples. Three distinctly different views are integrated for fire prevention:
      1. The Control Perspective | Fires are inevitable but they can be extinguished if detected promptly. Install fire extinguishers. | Document and test controls. Identify issues and correct deficient controls
      2. The Risk Perspective | Fires occur when flammable material is exposed to a source of ignition. Find and eliminate those causes. Avert fires | Find the risk drivers for risk categories and monitor key risk indicators to avert risk events
      3. The Compliance Perspective | Careless people cause fires. Persuading people to change behavior will prevent fires. | Develop policy, communicate, motivate and train to manage risky behavior
  • 40. The Role of BI in GRC: Creating a Value Dashboard
      Column headings: Priority SAP KPI's | Align Risk Management With Your Unique Value Drivers | Create Reliable Insight into How Value is Created and Destroyed | Act on Emerging Risks And Opportunities | Support
      KPIs listed:
      • % of value drivers identified
      • % of value adding or preserving activities/processes identified
      • % of value driving activities with complete risk assessments and responses
      • Internal audit opinion on reliability of risk management process
      • # of unanticipated risk events occurring
      • # of risks identified by management vs. GRC professionals
      • % of risk, audit, compliance, financial reporting professionals using RM for planning, analysis, reporting etc.
      • Number of Key Risk Indicators, KRI's per Risk Driver
      • KRI's within range, KRI alerts outstanding
      • Percent of controls, policies etc. not linked to risks
      Legend: Priority KPI's • Sources <source names> • ISO 31000 • COSO 2010 Report on ERM • Ability of SAP to support this KPI • Mapping of KPI to Value Prop
  • 41. The Role of BI in GRC – Controls in Oil and Gas Finding and Development Processes
      What Information is Required | Possible sources
      1. Are budgets approved? | Budget and planning system
      2. Is spending approved? | Capital expenditure system
      3. Are expenditures over/under budget? | Capital expenditure system for AFE tracking
      4. Are vendors approved? | Approved vendor list
      5. Are contractors qualified? | Public safety records
      6. Is reported production accurate? | Comparison to production history/planned profile
  • 42. The Role of BI in GRC – Controls in Oil and Gas Finding and Development Processes
      What Information is Required | Possible sources
      7. Are wells classified properly? | Analysis of well location to reserves locations
      8. Are reserves booked properly? | Comparison of well classification to reserves
      9. Are F&D costs calculated properly? | Analysis of well costs to reserves booked
      10. Is seismic and other key data secure? | Analysis of access logs/unauthorized access attempts/incidents
      11. Is land position secure and valid? | Comparison of land to public records
  • 43. The Role of BI in Control Documentation and Testing. Question: Can BI reduce the cost of controls in GRC by aligning them with business performance? – Is knowledge of business performance evidence of control effectiveness?
  • 44. The Role of BI – Client Safety Risks in Home Health Care
      What Information is Required | Possible Sources
      1. Are service providers meeting SLA? | Complaints - missed nursing visits - caregiver certification
      2. Are clients receiving care at home? | Hospital emergency admissions for clients/non-clients
      3. Are clients safe? | Reported safety issues/incidents
      4. Are hospitals discharging on time? | Rates of non-essential hospitalization (ALC rates)
      5. Is case management equitable? | Benchmark against other home health care providers
      6. Are priority clients served | Track % of high need 75+ age
      7. What are the risk drivers – diabetes, dementia, obesity | Resources allocated by category
  • 45. The Role of BI in GRC Risk Management. Question: Can BI drive improved performance through better risk management? – Can predictive indicators avert or avoid risk and drive down incidents and loss events?
  • 46. The Role of BI: Assessing Human Behavior Driving Airlines Customer Experience. April 2007
  • 47. The Role of BI: Driving Airline Value With Human Behavior • % of employee shareholders • Average training days/year • Key employee departures • % training budget on front line staff • Applications received for advertised position • Absenteeism rates • # and duration of labor disruptions • % of HR staff to total staff • Revenue per employee • Average employee age • Average education level • Overall employee turnover • % of profit sharing to total comp • % of social liabilities unfunded • Frequency of performance reviews • Customer satisfaction surveys • Extent, duration of employee assistance • % HR representation on management committees
  • 48. The Role of BI in Human Capital Management. Question: Can BI help align human capital with corporate value drivers? – Can BI help measure and improve aggregate human performance?
  • 49. Agenda • GRC – History, Importance, Definition • SAP Solutions for GRC • Current State of the GRC Profession • A Practical Approach to a GRC Discipline • The Role of BI in GRC • Wrap-up
  • 50. Wrap Up: The Role of BI in GRC • GRC practices have failed to routinely detect or prevent catastrophic losses and corporate failures • GRC practices today largely ignore business performance as a variable • Today's GRC practices are fragmented, siloed and inefficient • BI has the potential to transform GRC practices by: • Creating dashboards to map GRC activities to value • Reducing the reliance on controls in favor of knowledge of performance • Increasing performance by monitoring, predicting and driving down risk events • Aligning human behavior with value creation
  • 51. Thank You! Contact information: Bruce McCuaig Director, Solution Marketing, Governance Risk and Compliance Bruce.mccuaig@sap.com +1 647 823 8490