by Annie Kennedy, Contributing Writer, SAPinsider
Organizations are under pressure to transform, with goals to reduce the number of risk and loss events that have become more prevalent in our volatile global landscape. Many companies are discussing a migration to SAP S/4HANA or currently undergoing the upgrade as a means to adapt and become more resilient, and the most successful businesses are reimagining how to approach risk and compliance by tying their governance, risk, and compliance (GRC) and security conversations into transformation initiatives. How can all businesses make enterprise risk and compliance management a priority?
The Three Lines Model developed by the Institute of Internal Auditors (IIA) identifies three lines that organizations should take into account.
Management (or actions, including managing risk to achieve organizational objectives) spans both first and second lines and encompasses the following roles:
- First line roles: Operational and support functions that deliver products and services, such as human resources, finance, and manufacturing.
- Second line roles: Functions related to corporate risk, compliance, and quality assurance that provide complementary expertise, support, and monitoring, and challenge the related management of risk.
Internal audit (or independent assurance) encompasses third line roles, which include independent and objective assurance and advice on all matters related to the achievement of objectives.
When businesses employ risk and compliance across all three lines, they are creating a more efficient approach to risk management. A platform that can integrate with and across core enterprise resource planning (ERP) processes associated with the three lines can help organizations bring together risk management, controls, compliance, and audit, and can support the embedded processes and digital approach needed to achieve intelligent GRC. This article explains best practices that successful organizations have followed to achieve a holistic enterprise risk and compliance management approach.
Make Secure Access a Core Business Value
“If it’s done correctly,” says Aric Quinones, Managing Director and SAP Practice Leader at Protiviti, “risk and compliance activities will be leading business practices that ensure you’re managing the organization optimally to match management’s key risks such as financial privacy or significant potential enterprise concerns.”
Security must be the responsibility of everyone on the leadership team, he says, and it should be embedded in an organization’s overall culture. When COVID-19 hit, businesses needed to quickly pivot to online service and delivery platforms, and they needed to invest in their digital architecture to retain that agility and respond to business disruption. Quinones recommends that businesses apply this same level of urgency and attention to risk management, because a breach — depending on its severity level — could result in significant business disruption, too.
Michael Heckner, Senior Director of GRC Solution Marketing at SAP, also sees more and more customers realizing the importance of GRC being embedded in their core processes to provide stability during times of disruption. “Integrated enterprise risk management should not be considered an issue for only IT or auditors to address. Having transparency into all the business risks that stand in the way of achieving strategy and business objectives is key to accomplish risk-adjusted management and to help carry on performance and keep processes running in any environment,” says Heckner.
According to a recent study, a third of chief audit executives surveyed said that their working hours have increased compared to working hours prior to the pandemic. Taking advantage of tools that provide automation and agility can reduce that human burden and cost to companies.
Leverage Tools and Embed Processes to Protect Your Business
Organizations should be aware of not only what the three lines model is, but perhaps more importantly how to bridge the gaps that, in many organizations, exist between them. The three lines model requires effective alignment, communication, coordination, and collaboration, with all roles operating concurrently.
To apply and scale this model successfully in the day-to-day practice of a typical organization, SAP has developed GRC solutions to help companies seek and address vulnerabilities caused by these gaps. By integrating all three lines, organizations are better positioned to achieve visibility into their risks, view their mitigations and controls, and respond quickly to, or even avoid, risks such as loss of customer trust from data breaches or country fines due to export restrictions. SAP’s GRC solutions reduce duplicated efforts across lines through deep integration, sharing and leveraging core data, and facilitating workflow and collaboration across roles. These capabilities are more important than ever when people are working remotely and need to ensure processes work seamlessly between multiple parts of the organization.
Lastly, it is important to use solutions like those offered by SAP, which are modular in design, allowing organizations to deploy at their own speed, either on premise or in the cloud, while sharing data points between solutions and controls.
“Organizations need visibility at all levels so they can navigate new opportunities and be compliant, responsible, and act with integrity,” says Bruce Romney, Senior Director of Product Marketing for SAP GRC and Security Solutions.
In terms of the specific risk of cybersecurity threats, vigilance is key: by monitoring applications for suspicious activity, collecting activity logs, and analyzing keystrokes and data, businesses can combat a bad actor. “The SAP Enterprise Threat Detection solution (also part of GRC) empowers users to normalize these logs, achieve meaningful insights, and then create alerts based on that,” says Romney. The GRC solutions can also reduce duplication of effort and controls by understanding when compliance issues affect one area and sharing that knowledge across controls. Organizations can further reduce risk by employing SAP Code Vulnerability Analyzer to scan the application layer for potential security vulnerabilities in code. The solution performs code vulnerability analysis (CVA) to discover vulnerabilities in custom ABAP code, which can be scanned before it is put into production, helping protect the organization from risk.
Data, considered to be a new form of currency and therefore an increasing target for thieves, should also be prioritized as an asset to protect and manage. Privacy regulations have put more control in the hands of customers, meaning that business processes need to be effective and efficient in responding to customer requests regarding their data. According to Quinones, “it’s more important than ever to understand how to manage the risk and compliance of data and how to use it effectively.” To avoid exposing data to the wrong individuals, Quinones recommends continuing to make progress toward the best security you can provide for your organization’s needs and assets. In recent years, he says, some interesting new technologies and tools, such as SAP Data Mapping and Protection by BigID, have emerged with capabilities to isolate and manage data, which in turn helps organizations more effectively adhere to regulations such as General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Simplify GRC Activity with Automation and a Single View of Risk
Innovative customers responding to the COVID-19 pandemic are using automation to manage compliance by exception and reduce the reliance on manual audits. “Audit management solutions have to be better at supporting remote audits, having better management of resources, streamlined capture of all types of evidence on smart devices, and integration to ERP data and other control and risk management information across the organization,” says Romney.
For organizations running multiple ERP landscapes, involved in different verticals, and often across regions and borders, a single view of risk is particularly critical to GRC investments, and acquiring tools that integrate provides crucial visibility. For example, Honeywell gained a single view of risk supported by SAP GRC solutions such as SAP Process Control, SAP Access Control, and SAP Risk Management, which all integrated with ECC and access rights, allowing the organization to reduce the number of audited and reviewed processes by 40% while allowing customized views for different users, enhanced risk tolerance, and compliance visibility by customers. Organizations like Honeywell have employed SAP software to integrate the three lines to work together, while integrating reporting across ECC and SAP S/4HANA to identify risks and make them part of audit planning and assessment.
“Achieving transparency into risks can help companies understand their current exposure, whether it exceeds their risk appetite and which objectives are at risk. And this is where the three lines model and its communication, coordination, and collaboration across roles comes into play. To mitigate the risks, you’ll also need internal controls as well as the independent review that audit provides,” Heckner says. Although the pandemic has reduced the number of people in the office for many organizations, risk, control, and audit processes still need to continue operating, making operational tools even more important. Organizations should connect to solutions that help identify cybersecurity intrusions in their SAP S/4HANA or ERP systems and that can flag anomalous behavior. Solutions that connect to higher levels of controls and operations can also help with data privacy and user access among other business controls, screen for tax compliance on a global trade scale, or watch for fraud, money laundering, or bribery.
“Overall, when GRC is embedded in the overall business platform, your risk and controls/compliance strategy move away from being a limited, offline, sample-based approach where you have to pull and review select transactions manually. The strategy moves toward becoming a near real-time, full-population approach where your SAP GRC solution does the screening of every transaction continuously and you can move to managing by exception. This adds value not only by protecting it, but also by creating it,” Heckner says.
All Aboard: Collaborative Management of Enterprise Risk
Effectively managing enterprise risk requires addressing all the key layers, according to Quinones:
- Cyberspace layer — which typically focuses on areas such as network, communication protocols, and infrastructure;
- Application layer — which focuses on user roles, access and identity management, and segregation of duties (SoD);
- Data layer — which focuses on data encryption, database security (e.g., SAP HANA), data exchange, and patch management; and
- People layer — which includes organizational complexity, governance, training, and change management.
“The most significant issue that we’re seeing when talking to executives is the people layer,” says Quinones. If employees aren’t properly trained, or if these compliance tools, risk management processes, and overarching strategies don’t offer them an easy user experience, they will not understand their day-to-day responsibilities as they relate to managing enterprise and compliance risks. “Leadership needs to acknowledge and communicate that enterprise risk isn’t a destination — it’s a constantly evolving journey requiring investment to be successful,” says Quinones. He recommends that enterprise risk management include a simple interface for end users to drive the right actions and continuous education to help people understand their role in risk management.
Heckner says that it’s important to acknowledge all layers of risk, and “not just manage risk for top or senior management, but assist managers at all levels of management with the right risk insight and decision support.” By embedding solutions across all lines, SAP is helping organizations collaborate across different disciplines and between the lines of business, allowing visibility across risk function, controls, and audit, to avoid gaps in control or duplicated work.
People on the first line (operations) may respond to risk only on occasion, requiring a simplified process. SAP meets this need with its SAP Fiori interface and streamlined response capabilities. “Alternatively, occasional SAP GRC users can respond through PDF forms attached to an email and not even know they’re talking to a GRC system,” Heckner says. “There’s a very flat learning curve for the occasional users. And automation takes a lot of that work away the rest of the time.”
Take Control of Your Controls
Many companies still depend on too many manual controls, meaning that employees rely on human labor to perform periodic, manual testing that verifies what has happened or been done through sampling and other methods. Consequently, the sample-based approach can lead to latency in detecting issues and does not provide comprehensive coverage.
There are several hundred controls that are ripe for automation in an ERP environment. The primary types of controls can be categorized into controls over transactions, configuration settings, and master data. In its own environment, SAP has automated several hundred business rules by setting tolerance levels, monitoring changes, validating values against pre-determined rules, and other methods; these rules then apply to entity- and business-unit-level controls that number in the thousands. Primary areas that demonstrate the largest benefits include controls around procure to pay, order to cash (OTC), financial close, treasury, human resources, IT, and IT general controls.
“Automating controls allows companies to increase the reliability of their business processes because the program always tests with the same precision, as opposed to being subject to human error or deviation,” Heckner says. SAP customers that automate their controls can also program continuous, granular checks into a business process. “Whereas a human being might tolerate being asked once a quarter how many invoices were accidentally paid early, the software can check every week, every day, maybe even every hour to find that early payment before the cash goes out the door and can be stopped,” Heckner says.
Innovative organizations are also combining automation with machine learning, which addresses repetitive errors in accounting. For example, the machine can learn whether there is an explanation for why certain journal entries might be flagged for being overdue and delaying close, and it can help identify patterns that organizations can address with better training for employees or other solutions.
Romney says that 60-70% of process controls can be automated with business rules, creating efficiency and reducing manual workload. “In SAP’s own use case, up to a billion data records in SAP Process Control takes less than 12 seconds, with up to 12 different sources in one step,” says Romney. “This is why innovative companies like Eli Lilly & Company, Hershey, Heineken, The Flint Group, and others are using continuous control monitoring (CCM) when using automated controls with SAP Process Control.”
CCM is an important component of risk management, allowing people to see when something is abnormal. By catching problems at the root before they have a chance to grow, CCM allows organizations to respond in real time rather than after the event has happened. “It’s not the Big Brother watching and waiting for a mistake,” Heckner says. “Instead, it’s the assistance toward a better business outcome.” For example, a large Dutch customer wanted to reduce its days sales outstanding (DSO) to fewer than 60 days. SAP suggested continuously monitoring key factors such as how many customer credit memos were pending. If the organization had a growing backlog of customer credit memos, SAP’s Process Control solution could provide an early warning that something was amiss, allowing the company to take corrective and preventive action as early as possible.
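The two continuous control monitoring checks described above (the early-payment invoice check and the credit-memo backlog warning), as an added illustration that is not SAP Process Control code and not from the article: a small Python CCM run over constructed invoice and credit memo records, with hypothetical control IDs and tolerance values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Invoice:
    doc: str                # accounting document number (constructed)
    due: date               # payment due date
    paid: Optional[date]    # clearing date, None while the invoice is still open
    amount: float

@dataclass(frozen=True)
class CreditMemo:
    doc: str
    created: date
    cleared: bool

# Hypothetical tolerances a control owner would configure for the two rules.
EARLY_PAY_TOLERANCE_DAYS = 3   # paying this many days before due date is normal
MEMO_MAX_AGE_DAYS = 30         # an open credit memo older than this counts as aged
MEMO_MAX_OPEN = 3              # more aged open memos than this raises an exception
AS_OF = date(2021, 3, 25)      # date of this scheduled CCM run (constructed)

# Constructed sample ledger: two invoices paid well before due, one on time, one open.
INVOICES = [
    Invoice("5100001", date(2021, 3, 31), date(2021, 3, 2), 12500.0),
    Invoice("5100002", date(2021, 3, 31), date(2021, 3, 29), 800.0),
    Invoice("5100003", date(2021, 4, 15), date(2021, 3, 10), 43000.0),
    Invoice("5100004", date(2021, 4, 30), None, 2100.0),
]
# Constructed credit memos: four aged and open, one recent, one already cleared.
CREDIT_MEMOS = [CreditMemo(f"160000{i}", date(2021, 1, 10 + i), False) for i in range(4)] + [
    CreditMemo("1600009", date(2021, 3, 20), False),
    CreditMemo("1600010", date(2020, 12, 1), True),
]

def early_payments(invoices, tolerance_days=EARLY_PAY_TOLERANCE_DAYS):
    """Transaction control: invoices cleared more than tolerance_days before their due date."""
    return sorted(i.doc for i in invoices
                  if i.paid is not None and (i.due - i.paid).days > tolerance_days)

def credit_memo_backlog(memos, as_of, max_age_days=MEMO_MAX_AGE_DAYS, max_open=MEMO_MAX_OPEN):
    """Tolerance control: open memos older than max_age_days; exception once count exceeds max_open."""
    aged = sorted(m.doc for m in memos if not m.cleared and (as_of - m.created).days > max_age_days)
    return {"aged_open": aged, "exception": len(aged) > max_open}

def run_ccm(invoices, memos, as_of):
    """One scheduled CCM run: a list of (control_id, detail) exceptions for the control owner to review."""
    findings = [("PTP-EARLY-PAYMENT", doc) for doc in early_payments(invoices)]
    backlog = credit_memo_backlog(memos, as_of)
    if backlog["exception"]:
        findings.append(("OTC-CREDIT-MEMO-BACKLOG",
                         f"{len(backlog['aged_open'])} open > {MEMO_MAX_AGE_DAYS} days"))
    return findings

if __name__ == "__main__":
    for control, detail in run_ccm(INVOICES, CREDIT_MEMOS, AS_OF):
        print(control, detail)
```

Scheduling this run hourly rather than quarterly is what turns a sample-based review into the full-population, manage-by-exception approach the article describes.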
Manage Enterprise Risk Using Analytics
In recent years, says Quinones, organizations previously accustomed to ad-hoc processes and spreadsheets have started to explore how they can react more quickly, work more efficiently, and benefit from real-time opportunities on a regular basis. “Companies are using tools such as SAP Analytics Cloud to develop strategies that detail what’s going on in their systems from a process perspective,” Quinones says. “Process mining tools are helping companies to gain real-time business transaction insights to manage the business and operational risk, while tools like SAP Access Violation Management by Pathlock (previously Greenlight) are helping them locate actual SoD violations with financial context to better understand whether the access risk is material. These tools can communicate the flow of data within the environment in ways a spreadsheet never could.”
For companies migrating to SAP S/4HANA and the cloud or undergoing any type of digital transformation, it’s important to think about automation and technology as a focus of compliance and risk management throughout, Quinones says. “This really has to come from the top. Bring in executives from the blueprinting phase to leverage a leading practice framework that can be used to review the IT and business processes to understand the core risks and compliance requirements needed during the design phase.” Quinones recommends researching the right tools for your business to ensure compliance for long-term system sustainability, whether leveraging a configuration item, an enterprise tool, or identity management solution.
Heckner adds, “Transforming organizations shouldn’t think of SAP S/4HANA and GRC systems as separate items; they should be thinking that they need an SAP S/4HANA system with embedded GRC capabilities.”
What Does This Mean for SAPinsiders?
In summary, SAPinsiders should consider taking the following steps to ensure risk protection for their intelligent enterprise:
- Embed GRC or three lines model capabilities directly into your core business platform.
- Improve strategy and decision making across all lines of business, from operations through audit, with risk-aware, risk-adjusted management.
- Use real-time risk information from your underlying business platform to focus policies and controls on areas where risks are most significant.
- Use collaborative tools and automation to reduce cost, while increasing assurance.
- Ensure risk and control information is always up to date, transparent, and reliable by automating daily activities and applying CCM.
- Combine rules and predictive analytics to better anticipate and prevent exceptions.
- Provide independent assurance of risk and compliance standards to mitigate exposure to risk and compliance failures.