GRC 10.0 - Risk Management
for Mining and Metal
Paul Petraschk, SAP
September 2012
© 2012 SAP AG. All rights reserved. 2
The Risk Management process always starts with knowing your business
Your business?
Do You Really Know Your Business?
What risks currently impact your ability to perform?
What is the actual status of your planned responses?
Do some of your activities or projects deliver any indications of higher risks?
What will be the overall impact if multiple risks occur, and how will they influence each other?
Top 5 Requirements
1. Proactively identify and control risks to reduce likelihood and impact
2. Holistic overview of the overall risk situation across all operations
3. Fast and easy way to involve the operational business as key knowledge persons in risk assessments
4. Easily maintained risk structure that fulfils the requirements of corporate reporting and operational risk management
5. Clearly defined accountabilities and responsibilities for risks and responses
Risk Management Overview
Description:
Reporting and analytic capabilities are essential for management in order to obtain a real-time overview of business-critical risk information.
The overview introduces the key features along the Risk Management process as they are implemented in SAP GRC Risk Management.
Risk Management Process (figure: five phases with their activities)

Risk Planning:
  Strategic objective setting
  Align strategic objectives to organizational entities
  Define risk classification (types)
  Define risk-relevant business activities

Risk Identification:
  Identify risks and opportunities
  Identify risk drivers and impacts (conditions and consequences)
  Assign Key Risk Indicators (KRIs; out of scope for the pilot)

Risk Analysis:
  Analyse risks using quantitative or qualitative methods
  Document risk relationships
  Build risk scenarios and determine risk exposure
  Perform Monte Carlo simulations
  Prioritize risks based on risk level

Risk Response:
  Document preventive responses for risks
  Assign response ownership and actions
  Perform control assessments and tests
  Plan re-assessments and approval cycles

Risk Monitoring:
  Analyze the company's risk situation
  Monitor Key Risk Indicators (KRIs)
  Monitor response effectiveness and completeness
  Update risk exposure for strategic objectives and risks
  Document occurred incidents and losses

Requirements addressed along the process:
  Define the risk structure for corporate reporting and operational risk management
  Holistic overview of the overall risk and incident situation
  Proactive identification of risks
  Involve the operational business as key knowledge persons
  Clearly defined accountabilities and responsibilities for taking actions
Risk Planning – Define Risk Management Framework
(Process navigation: Risk Planning > Risk Identification > Risk Analysis > Risk Response > Risk Monitoring)
1. Establish Risk Management Goals
Define the Risk Management process, structure and views
Align organizational goals and strategic objectives
Identify risk management process users
2. Develop Risk Taxonomy
Identify risk activities and business processes
Define hierarchical risk classifications
Document risk templates
3. Document Risk Criteria
Document risk appetite
Document risk thresholds
Define user roles and authorizations
(Figure: example organizational hierarchy with the nodes Group, EMEA, APJ, America, North and South)
Risk Identification – Detect operational risks
1. Collect new Risks
Propose new risks with only a few clicks
Report incidents
Receive alerts if key risk indicators hit defined thresholds
2. Increase visibility of Risks
Use incidents for risk detection
Document known risks
3. Improve the learning process
Connect organizations, people, systems and applications
Involve all employees
(Figure: risk pyramid with indicative counts 1, 10, 30, 100 and 600 across the layers board risks, documented risks, known risks, (near) incidents and unknown risks)
Risk Analysis – Single and collaborative Analysis
1. Analyze Risks
Assess risks with quantitative, qualitative or score-based methods
Perform single or collaborative risk analysis
Collect data for risk analysis in the SAP GRC application or offline via Adobe Interactive Forms
Schedule risk assessments via workflow
Receive alerts if key risk indicators hit defined thresholds
Collaborative Risk Assessment (figure: workflow)
Steps performed by Risk Management: determine risks in scope > trigger workflow to recipients > monitor the collaborative risk assessment
Steps performed by workflow recipients: collaborative assessment by recipient 1, recipient 2, … > automatic result consolidation > consolidator review
Risk Response – clear defined status and responsibilities
1. Aggregate Risks
View aggregated risks by risk classification, activities and business processes
Identify risk dependencies
2. Scenario (what-if and Monte Carlo) Analysis
Create business scenarios and run simulations to visualize impacts and total loss for different probabilities
3. Assign Responses and Controls
Document responses and ownership
Assign controls from the Internal Control System
Define effectiveness and completeness
Monitor response plan progress
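The scenario analysis in step 2, together with the "build risk scenarios, determine risk exposure, run Monte Carlo simulations and prioritize by risk level" items of the Risk Analysis phase, in working code. This is an added illustration, not SAP's code: a constructed register of three risks with one dependency, a Monte Carlo run that returns the total loss exceeded at a chosen probability, and a ranking by expected exposure. All risk names, probabilities and loss ranges are assumptions.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Risk:
    """Register entry: annual probability, uniform loss range, driver -> conditional probability."""
    name: str
    probability: float
    impact_min: float
    impact_max: float
    drivers: dict = field(default_factory=dict)  # probability of this risk once a driver occurred

# Hypothetical register for a mining operation; figures are constructed, not from the deck.
REGISTER = [
    Risk("Conveyor failure", 0.20, 200_000, 800_000),
    Risk("Production outage", 0.05, 1_000_000, 5_000_000, {"Conveyor failure": 0.40}),
    Risk("Commodity price drop", 0.30, 500_000, 3_000_000),
]

def simulate(register, trials=20_000, seed=1):
    """Run trials; return sorted total loss per trial and expected annual loss per risk."""
    rng = random.Random(seed)
    totals, expected = [], {r.name: 0.0 for r in register}
    for _ in range(trials):
        occurred, total = set(), 0.0
        for r in register:  # list drivers before the risks that depend on them
            p = max([r.probability] + [q for d, q in r.drivers.items() if d in occurred])
            if rng.random() < p:
                occurred.add(r.name)
                loss = rng.uniform(r.impact_min, r.impact_max)
                expected[r.name] += loss / trials
                total += loss
        totals.append(total)
    totals.sort()
    return totals, expected

def loss_at_probability(totals, exceedance):
    """Smallest total loss that is exceeded with the given probability (0.10 -> 1-in-10 years)."""
    idx = min(len(totals) - 1, int((1 - exceedance) * len(totals)))
    return totals[idx]

def prioritize(expected):
    """Rank risks by exposure (expected annual loss), highest first."""
    return sorted(expected, key=expected.get, reverse=True)

if __name__ == "__main__":
    totals, expected = simulate(REGISTER)
    for p in (0.50, 0.10, 0.01):
        print(f"loss exceeded with probability {p:.0%}: EUR {loss_at_probability(totals, p):,.0f}")
    print("priority:", prioritize(expected))
```

Because the outage probability rises from 5% to 40% once the conveyor has failed, the dependency shows up as a higher expected outage loss than the standalone probability would suggest.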
Risk Monitoring – Report on overall risk status
1. Flexible Reporting
Interactive dashboards such as the Risk Heatmap, which make it easy to filter and drill down into risk details as required
Add customized static reports in Crystal Reports and provide reports for corporate level, management level and operational level
Integrate Risk Management data into BI reports
Analyze the company's risk situation and monitor mitigation status
Risk Management Cycle (figure: Risk Planning > Risk Identification > Risk Analysis > Risk Response > Risk Monitoring > back to Risk Planning)
The Risk Management process does not end with Monitoring; it is a continuous Risk Management Cycle. Enhanced requirements for monitoring and reporting, as well as organizational changes, lead to changes in the risk structure and in the organizational and activity hierarchies. These are addressed in the risk planning phase, where the Risk Management Cycle starts again from the beginning.
Demonstration: Operational Risk Management Overview
Proactively Balance Risk and Opportunity with SAP GRC Risk Management
MANAGE BETTER: automate manual tasks; employ best practices; reduce effort and cost
PROTECT BETTER: automate monitoring; real-time analysis; industry-specific solutions
PERFORM BETTER: align with strategy and planning; embed analytics; scenario modeling
SAP GRC Risk Management: align enterprise risks with business value
Protect the fundamental business value drivers
Insight into the management of risk
Visibility into catastrophic, value-destroying risks
Thank you
Paul Petraschk GRC Senior Consultant
KM Champion - GRC Process Control
SAP Deutschland AG & Co. KG
Phone +49/ 6227/ 7-56751
Mobile +49/ 160/ 470 33 52
http://www.sap.com/grc