Why 10.0 Is a Better GRC Score For Your Business
Michael Lortz, SAP
Joseph Canady, Bank of America
Nov 08, 2014
© 2011 SAP AG. All rights reserved. 2
Agenda
SAP BusinessObjects GRC Solution Overview
Case Study: Bank of America
Top 10 reasons for GRC 10.0
Q&A
SAP BusinessObjects GRC Solution Overview
SAP BusinessObjects GRC: Proactively Balance Risk and Opportunity
MANAGE BETTER
• Automate manual tasks
• Employ best practices
• Reduce effort and cost
PROTECT BETTER
• Automate monitoring
• Real-time analysis
• Industry-specific solutions
PERFORM BETTER
• Align with strategy and planning
• Embed analytics
• Scenario modeling
Key Competencies For Success
SAP BusinessObjects GRC solutions
• SAP BusinessObjects GRC: Manage, Monitor, Analyze
• Dashboards & Visualization, Interactive Analysis, Exploration, Reports
• KRIs, Controls, Transactions, Privileges, Events
• Risk, Compliance, Audit, Policy, Access, Exception
• GRC for LoBs: IT, Supply Chain, Sales and Marketing, Finance, …
• GRC for Industries: Banking, Utilities, Mfg, Oil & Gas, …, CPG
• Enterprise Applications, Legacy Apps, IT Infrastructure
• SAP BusinessObjects Performance Management
SAP BusinessObjects GRC Solutions
• Enterprise GRC (Process Control, Risk Management): Risk intelligent management of enterprise performance
• Access Risk Management (Access Control): Confidently manage and reduce access risk enterprise-wide
• Global Trade Services: Automated Trade Compliance
• Continuous Transaction Monitoring by Oversight Systems: Protection against fraud, waste, misuse and errors
Case Study: Bank of America
Leveraging Technology to Mitigate Business Risk
Bank of America’s Financial Systems Roadmap Project
SAP-enabled consolidation of financial reporting and performance management
platforms focused on risk mitigation through modernizing processes and increasing
data traceability. Includes legacy BAC and Merrill Lynch systems.
Bank of America’s GRC Objectives
Risk Mitigation: Eliminate system and operational risks within the Finance function by migrating key Finance Systems to an integrated SAP environment
Corresponding GRC Objectives
• Increase transparency and visibility of risk mitigation and remediation activities
• Create a common scalable risk management platform for SAP to monitor, test, and report on the effectiveness of business controls
• Modernize in-scope BAC controls to leverage SAP platform and decrease control costs through automation
• Rationalize workload of multiple regulatory testing requirements for a "test once, satisfy many" approach to compliance
GRC Access Control Implementation
Bank of America is using the following three Access Control modules:
• Risk Analysis and Remediation (RAR) - Automated Segregation of Duties (SOD)
Analysis tool used for application-level SOD violation monitoring
• Compliant User Provisioning (CUP) - Automates user request, approval, and
provisioning with workflow and proactive SOD compliance checking
• Superuser Privilege Management (SPM) - Eliminates the most common open audit issue
faced by virtually every company – “Who has super-user access?”
GRC Process Control Implementation
GRC Process Control is the platform used to meet controls monitoring requirements as well
as serve as an integrated, end-to-end internal control management solution
Focuses on reducing the cost of compliance and mitigating financial and operational risks
• Internal control design and documentation
• Inherent workflow delivers standardization and automation
• Automated testing, tracking and monitoring of control effectiveness
• Reporting and Analytics
Process Control: Document, Monitor, Remediate, Report
Control Design – Automated vs. Manual Controls
Post-GRC Assessment of Controls
Pre-GRC: 59% / 41% (Manual Controls / Automated Controls)
Post-GRC: 35% / 65% (Manual Controls / Automated Controls)
Top 10 for GRC 10.0
1. Single GRC Solution
2. Leading Access Risk Analysis Engine
3. Closed-loop Emergency Access Management
4. Continuous Transaction Monitoring
5. Enterprise Risk Management
6. Compliance and Controls Management
7. Sanctioned Party List Screening
8. GTS and Trade Event Management
9. Embedded and Extensible Reporting
10. Industry Specific GRC Solutions
1. Single GRC Solution
Standardized GRC solutions (AC, GTS, PC, RM) on a common ABAP technology platform.
• Unifies Risk Management, Access Control, and Process Control data model on a common technology (ABAP) platform
• Sharing of selected risk and compliance data and functions
• Unified user experience – common look and feel with configurable role based access
• Seamlessly integrates with SAP ERP environments
• Extends beyond your SAP solutions
Key Benefits
• Reduced TCO – lower implementation, administrative and maintenance costs
• Leverage key processes across the SAP ERP and GRC suite
• Reduced user training requirements
• Optimized for heterogeneous environments
Solutions: Access Risk Management, Enterprise GRC, Global Trade Services
2. Leading Access Risk Analysis Engine
Prevent access risk violations before they occur
• Enables user and role risk analysis, including business roles and CUA composite roles
• Includes a comprehensive SoD and critical access rules library
• New interface allows targeted risk analysis as well as importing, editing, and reusing analysis criteria
• New ability to customize and personalize access risk results
Key Benefits
• Reduce SoD violations and critical access risks across SAP and non-SAP systems
• Prevent risk with compliance embedded into business processes
• Facilitate collaboration between the business and IT
Solution: Access Risk Management
3. Closed-loop Emergency Access Management
Provides closed-loop emergency access management for granting and monitoring emergency access
Define → Provision → Monitor → Review
Key Benefits
• 100% out-of-box, auditable process
• Centrally approve and manage emergency access for all SAP systems
• Superuser inconsistencies are resolved and tracked online
• Reduces repetitive assignments, easing administration
Solution: Access Risk Management
4. Continuous Transaction Monitoring
Provides continuous protection against fraud, misuse and errors in your business transactions with powerful investigation, resolution and tracking capabilities
*SAP EBS Partner Oversight Systems’ Solution
Key Benefits
• Reduce errors and revenue leakage through continuous monitoring
• Deter Fraud and Abuse by enforcing business policies in real time
• Improve Audit Efficiency using analytics and audit trail
Solution: Continuous Transaction Monitoring
5. Enterprise Risk Management
Supports the complete cycle: risk planning, evaluation, risk response and monitoring
Key Benefits
• Enable communication between risk owners and the business
• Protect value by preventing risk events from occurring
• Automate key risk management activities
• Create value by integrating risk into the Enterprise strategy
Solution: Enterprise GRC
6. Compliance and Internal Controls
Supports multiple compliance & risk initiatives through the automation of GRC processes, best practice workflows and templates and continuous control monitoring across heterogeneous systems
Key Benefits
• Protect value by preventing compliance violations and control failures from occurring
• Automate key compliance and control management activities, and reduce their cost
• Increase performance through sounder control and compliance embedded in business processes the Enterprise strategy
Solution: Enterprise GRC
7. Sanctioned Party List Screening
Revolutionary new web-based user interface and process improvements for SPL processes
Prioritize, Review, Collaborate, Resolve (Compliance Specialist, Compliance Manager)
Key Benefits
• Greater user productivity through drastic increases in usability
• Even more accuracy in compliance decisions
• Increased compliance through auditable, collaborative case management
• Lower cost of ownership
Solution: Global Trade Services
8. Trade Event Management
Integration with SAP Event Management for end-to-end supply chain visibility and new event subsystem for detailed view of customs and other government agency events within GTS
Key Benefits
• Reduced time to action
• Increased visibility and control for faster identification and resolution of supply chain delays
• Decreased cycle times and reduction of buffer stock
• Improved customer service
• Reduced inventory carrying costs
Solution: Global Trade Services
9. Embedded and Extensible Reporting
Hundreds of embedded dashboards, reports, and other analytics
Key Benefits
• Reduces the time spent on reporting needs
• Empowers business users with the ability to present information in the desired format
• Removes the need to have separate data mart for Access Control or BOE server for Process Control and Risk Management
Solutions: Access Risk Management, Enterprise GRC, Global Trade Services
Risk Management - Flash Dashboards
Risk heat map
Risk Management - Flash Dashboards
Risk Dashboard
Process Control - Xcelsius Dashboards
Compliance overview
Access Control - Xcelsius Dashboards
User level access risk analysis
10. Industry Specific GRC Solutions
We’ve engaged our partner ecosystem to provide the most complete set of industry-specific GRC solutions tailored for customers’ risk and compliance needs
Key Benefits
• Value content leveraging best GRC practices in your industry
• Quicker implementation and deployment for your enterprise GRC initiatives
• Combined SAP Software and Partner Expertise
Solutions: Access Risk Management, Enterprise GRC, Global Trade Services
Questions?
Learn More
Upcoming Webinar: Sharp Electronics Case Study
• Extending SAP BusinessObjects Access Control across the enterprise and
remediating access risks
• Wednesday, June 16 2011
• 1:00 p.m. ET / Noon CT / 10:00 a.m. PT
• Register: http://fm.sap.com/redirect.asp?id=8645
GRC Insider Conference – Amsterdam
• Date: June 7-9
• Location: Amsterdam Rai Convention Centre
Co-hosted with FI, HR, and BI
• http://www.grc2011.com/?u=sapemployee-europe&s=
To learn more about 10
• SAP.com website
• SAP Business Process Expert (BPX) site
Thank You!
Contact information:
Michael Lortz
Senior Director, GRC Solution Marketing
Contact information:
Joseph Canady
Vice President of SAP Governance Risk &
Compliance, Bank of America