Nov 08, 2014

Page 1: 57704560-grc-10-0-top-10-v5

Why 10.0 Is a Better GRC Score For Your Business

Michael Lortz, SAP
Joseph Canady, Bank of America

© 2011 SAP AG. All rights reserved. 2

Agenda

SAP BusinessObjects GRC Solution Overview

Case Study: Bank of America

Top 10 reasons for GRC 10.0

Q&A

SAP BusinessObjects GRC Solution Overview

Proactively Balance Risk and Opportunity
SAP BusinessObjects GRC

MANAGE BETTER
• Automate manual tasks
• Employ best practices
• Reduce effort and cost

PROTECT BETTER
• Automate monitoring
• Real-time analysis
• Industry-specific solutions

PERFORM BETTER
• Align with strategy and planning
• Embed analytics
• Scenario modeling

Key Competencies For Success
SAP BusinessObjects GRC solutions

SAP BusinessObjects GRC
Manage, Monitor, Analyze
Dashboards & Visualization, Interactive Analysis, Exploration, Reports
KRIs, Controls, Transactions, Privileges, Events
Risk, Compliance, Audit, Policy, Access, Exception

GRC for LoBs
IT, Supply Chain, Sales and Marketing, Finance, …

GRC for Industries
Banking, Utilities, Mfg, Oil & Gas, …, CPG

Enterprise Applications, Legacy Apps, IT Infrastructure

SAP BusinessObjects Performance Management

SAP BusinessObjects GRC Solutions

• Protection against fraud, waste, misuse and errors
• Automated Trade Compliance
• Confidently manage and reduce access risk enterprise-wide
• Risk intelligent management of enterprise performance

Enterprise GRC, Access Risk Management, Global Trade Services, Continuous Transaction Monitoring

Process Control, Risk Management, Access Control, Global Trade Services, Continuous Transaction Monitoring by Oversight Systems

Case Study: Bank of America
Leveraging Technology to Mitigate Business Risk

Bank of America’s Financial Systems Roadmap Project

SAP-enabled consolidation of financial reporting and performance management platforms focused on risk mitigation through modernizing processes and increasing data traceability. Includes legacy BAC and Merrill Lynch systems.

Bank of America’s GRC Objectives

Risk Mitigation
Eliminate system and operational risks within the Finance function by migrating key Finance Systems to an integrated SAP environment

Corresponding GRC Objectives
• Increase transparency and visibility of risk mitigation and remediation activities
• Create a common scalable risk management platform for SAP to monitor, test, and report on the effectiveness of business controls
• Modernize in-scope BAC controls to leverage SAP platform and decrease control costs through automation
• Rationalize workload of multiple regulatory testing requirements for a test once satisfy many approach to compliance

GRC Access Control Implementation

Bank of America is using the following three Access Control modules:

• Risk Analysis and Remediation (RAR) - Automated Segregation of Duties (SOD) Analysis tool used for application-level SOD violation monitoring
• Compliant User Provisioning (CUP) - Automates user request, approval, and provisioning with workflow and proactive SOD compliance checking
• Superuser Privilege Management (SPM) - Eliminates the most common open audit issue faced by virtually every company – “Who has super-user access?”

GRC Process Control Implementation

GRC Process Control is the platform used to meet controls monitoring requirements as well as serve as an integrated, end-to-end internal control management solution

Focuses on reducing the cost of compliance and mitigates financial and operational risks

• Internal control design and documentation
• Inherent workflow delivers standardization and automation
• Automated testing, tracking and monitoring of control effectiveness
• Reporting and Analytics

Process Control: Document, Monitor, Remediate, Report

Control Design – Automated vs. Manual Controls

Post-GRC Assessment of Controls

[Charts: Manual Controls vs. Automated Controls. Pre-GRC: 59% / 41%. Post-GRC: 35% / 65%.]

Top 10 for GRC 10.0

1. Single GRC Solution
2. Leading Access Risk Analysis Engine
3. Closed-loop Emergency Access Management
4. Continuous Transaction Monitoring
5. Enterprise Risk Management
6. Compliance and Controls Management
7. Sanctioned Party List Screening
8. GTS and Trade Event Management
9. Embedded and Extensible Reporting
10. Industry Specific GRC Solutions

1. Single GRC Solution

Standardized GRC solutions on a common ABAP technology platform.

Key Benefits
• Reduced TCO – lower implementation, administrative and maintenance costs
• Leverage key processes across the SAP ERP and GRC suite
• Reduced user training requirements
• Optimized for heterogeneous environments

AC, GTS, PC, RM
• Unifies Risk Management, Access Control, and Process Control data model on a common technology (ABAP) platform
• Sharing of selected risk and compliance data and functions
• Unified user experience – common look and feel with configurable role based access
• Seamlessly integrates with SAP ERP environments
• Extends beyond your SAP solutions

Access Risk Management, Enterprise GRC, Global Trade Services

2. Leading Access Risk Analysis Engine

Prevent access risk violations before they occur

Key Benefits
• Reduce SoD violations and critical access risks across SAP and non-SAP systems
• Prevent risk with compliance embedded into business processes
• Facilitate collaboration between the business and IT

Access Risk Management
• Enables user and role risk analysis, including business roles and CUA composite roles
• Includes a comprehensive SoD and critical access rules library
• New interface allows targeted risk analysis as well as importing, editing, and reusing analysis criteria
• New ability to customize and personalize access risk results

3. Closed-loop Emergency Access Management

Provides closed-loop emergency access management for granting and monitoring emergency access

Key Benefits
• 100% out-of-box, auditable process
• Centrally approve and manage emergency access for all SAP systems
• Superuser inconsistencies are resolved and tracked online
• Reduces repetitive assignments, easing administration

Define, Provision, Monitor, Review

Access Risk Management

4. Continuous Transaction Monitoring

Provides continuous protection against fraud, misuse and errors in your business transactions with powerful investigation, resolution and tracking capabilities

*SAP EBS Partner Oversight Systems’ Solution

Key Benefits
• Reduce errors and revenue leakage through continuous monitoring
• Deter Fraud and Abuse by enforcing business policies in real time
• Improve Audit Efficiency using analytics and audit trail

5. Enterprise Risk Management

Supports the complete cycle: risk planning, evaluation, risk response and monitoring

Key Benefits
• Enable communication between risk owners and the business
• Protect value by preventing risk events from occurring
• Automate key risk management activities
• Create value by integrating risk into the Enterprise strategy

Enterprise GRC

6. Compliance and Internal Controls

Supports multiple compliance & risk initiatives through the automation of GRC processes, best practice workflows and templates and continuous control monitoring across heterogeneous systems

Enterprise GRC

Key Benefits
• Protect value by preventing compliance violations and control failures from occurring
• Automate key compliance and control management activities, and reduce their cost
• Increase performance through sounder control and compliance embedded in business processes the Enterprise strategy

7. Sanctioned Party List Screening

Revolutionary new web-based user interface and process improvements for SPL processes

Global Trade Services

Key Benefits
• Greater user productivity through drastic increases in usability
• Even more accuracy in compliance decisions
• Increased compliance through auditable, collaborative case management
• Lower cost of ownership

Prioritize, Review, Collaborate, Resolve

Compliance Specialist, Compliance Manager

8. Trade Event Management

Integration with SAP Event Management for end-to-end supply chain visibility and new event subsystem for detailed view of customs and other government agency events within GTS

Global Trade Services

Key Benefits
• Reduced time to action
• Increased visibility and control for faster identification and resolution of supply chain delays
• Decreased cycle times and reduction of buffer stock
• Improved customer service
• Reduced inventory carrying costs

9. Embedded and Extensible Reporting

Hundreds of embedded dashboards, reports, and other analytics

Access Risk Management, Enterprise GRC, Global Trade Services

Key Benefits
• Reduces the time spent on reporting needs
• Empowers business users with the ability to present information in the desired format
• Removes the need to have separate data mart for Access Control or BOE server for Process Control and Risk Management

Risk Management - Flash Dashboards

Risk heat map

Risk Management - Flash Dashboards

Risk Dashboard

Process Control - Xcelsius Dashboards

Compliance overview

Access Control - Xcelsius Dashboards

User level access risk analysis

10. Industry Specific GRC Solutions

We’ve engaged our partner ecosystem to provide the most complete set of industry-specific GRC solutions tailored for customers’ risk and compliance needs

Access Risk Management, Enterprise GRC, Global Trade Services

Key Benefits
• Value content leveraging best GRC practices in your industry
• Quicker implementation and deployment for your enterprise GRC initiatives
• Combined SAP Software and Partner Expertise

Questions?

Learn More

Upcoming Webinar: Sharp Electronics Case Study

• Extending SAP BusinessObjects Access Control across the enterprise and remediating access risks

• Wednesday, June 16 2011

• 1:00 p.m. ET / Noon CT / 10:00 a.m. PT

• Register: http://fm.sap.com/redirect.asp?id=8645

GRC Insider Conference – Amsterdam

• Date: June 7-9

• Location: Amsterdam Rai Convention Centre

Co-hosted with FI, HR, and BI

• http://www.grc2011.com/?u=sapemployee-europe&s=

To learn more about 10

• SAP.com website

• SAP Business Process Expert (BPX) site

Thank You!

Contact information:

Michael Lortz

Senior Director, GRC Solution Marketing

[email protected]

Contact information:

Joseph Canady

Vice President of SAP Governance Risk & Compliance, Bank of America

[email protected]