Increasing Threats Highlight the Need for Robust Enterprise Risk Management

by Fred Donovan, Senior Editor, SAPinsider

In the face of challenging micro- and macro-level events, companies need to be able to anticipate, and better manage, the impacts on their core business objectives. In addition, legacy business models and IT landscapes lack some of the capabilities needed to manage risk across the entire enterprise; for example, intelligent technologies such as robotic process automation are not available in older ERP systems. As a result, there is an urgent need for a new approach to risk and compliance, one that incorporates governance, risk, and compliance (GRC) and security into digital transformation initiatives.

This approach requires an integrated enterprise risk management (ERM) program. “Integrated enterprise risk management should not be considered an issue for only IT or auditors to address,” says Michael Heckner, Senior Director of GRC Solution Marketing at SAP.

“Having transparency into all the business risks that stand in the way of achieving strategy and business objectives is key to accomplish risk-adjusted management and to help carry on performance and keep processes running in any environment,” he adds.

Integrated ERM Trends

The integrated ERM trend is accelerating: 98% of organizations say they have a fully or partially integrated ERM program, an increase of 26% from 2017, according to a recent survey by the Risk Management Society (RIMS).

Three-quarters of senior leadership teams and boards are applying ERM insights for business decisions, and close to half of respondents said that “meeting strategic and operational objectives” is ERM’s greatest value to the organization.

More than half of ERM programs have shifted their focus to health and safety and business continuity as a result of the COVID-19 pandemic, and 22% of respondents said there has been an increase in resources allocated to ERM in response to COVID-19.

“Enterprise risk management is now an accepted mainstream business discipline. That said, work still needs to be done to make ERM fully integrated, agile, and proactive,” according to RIMS.

SAP Solutions and the Three Lines Model

SAP bases its GRC solutions on the Three Lines Model (Figure 1), which provides a framework for managing GRC:

  • Operational management: identify, assess, document, and respond to risks in business operations; comply with laws, regulations, and internal policies; monitor risks, responses, and compliance status; raise, report, and respond to incidents and breach events; accept advice from the internal audit team.
  • Corporate risk and compliance: set the context and provide frameworks for GRC; oversee risk and compliance management methods; monitor risk and compliance outcomes; aggregate and report GRC insights and conclusions; accept advice from the internal audit team.
  • Internal auditors: manage audit activities for the first and second lines; plan and perform audits to support assurance requirements; communicate the results of engagements; and report on the reliability of work performed in the first and second lines.

Source: SAP

The model provides a self-correcting framework in which each line collaborates with the others to provide integrated and reliable information and response. SAP supports the framework with its SAP Digital Boardroom built on SAP Analytics Cloud.

To support these three lines in practice, SAP offers a GRC solutions suite that includes SAP Risk Management, SAP Process Control, SAP Access Control, SAP Business Integrity Screening, SAP Audit Management, and SAP Tax Compliance.

SAP’s GRC solutions help enterprises simplify their GRC processes, gain insights from detailed reports, and enable continuous monitoring of risk and controls.

To learn more about managing enterprise risk and SAP’s GRC solutions, read SAPinsider’s recent article “How to Manage Enterprise Risk in Remote and Digital Environments.”