Implementing an integrated GRC approach with SAP GRC
Sumit Sanyal(PwC)
www.pwc.de
GRC Conference 26. November 2013 in Moscow
PwC
Agenda
iGRC® - An efficient approach to manage Risks, Compliance and Control Systems
From idea to practice - iGRC® and its realization with the help of SAP GRC 10.0
Page 2
November 2013 GRC Conference
PwC
iGRC®
An efficient approach to manage Risks, Compliance and Control Systems
Increasing regulatory requirements set new challenges for companies…
Effectively managing Risk and Compliance
(Slide graphic: the regulatory requirements, risk areas and pressures surrounding that goal)
• TransPuG
• UK Bribery Act
• IT Risks
• Strategic Business Objectives
• IAS/IFRS
• GAAP
• Companies Act
• Compliance Discussion
• Corporate Governance Code
• BilMoG
• Sarbanes Oxley Act
• Operational Business Risks
• ISO 17799
• Dodd-Frank Act
• Cost pressure
• Regulations on Administration of Registration of Resident Offices of Foreign Enterprises (China)
For years companies have been confronted with increasing regulatory pressure, and therefore higher costs…
(Slide chart: with increasing regulation, both the Cost of Compliance and the Cost of non-Compliance rise)
Dynamics in the regulatory environment
Regulatory Drivers:
• FCPA*
• Data Protection
• UK Bribery Act
• Concrete monitoring duties of the Supervisory Board
• Risk Management...
Changes in the market and increasing volatility
• Responsible/ethical behavior expected
• Increased cost pressure
* FCPA = Foreign Corrupt Practices Act
…with an organizational impact on the existing GRC structures
1. Overlapping responsibilities
2. Duplication of work
3. Multiple interfaces
4. Inconsistent preparation of information
5. Use of inconsistent methods and tools
6. Several individual processes and isolated solutions
Risk: Loss of acceptance and high costs
Two strategies to react to increasing costs…
1. Implementing specific measures ("Fire Fighting")
Due to cost reasons, only specific measures are implemented for Compliance Programs, Risk Management Procedures and Internal Control Systems*
Advantages
• Limited changes to existing procedures
• Low implementation costs
Disadvantages
• Increased risk of Compliance breaches with potential significant costs
• Difficult to select and justify adequate measures
2. Integration strategy
Analysis of the existing organization and cost reduction by integrating the operational and organizational structures. Savings can be used for other necessary measures.
Advantages
• Reduction of costs by integrating parallel structures
• Prompt consideration of new requirements possible
• Higher acceptance
Disadvantages
• Initial costs due to structural changes
(Slide charts: for each strategy, the resulting Cost of Compliance versus Cost of non-Compliance)
* Study on 'Corporate Crime 2011', PwC and Martin-Luther-University Halle Wittenberg, October 2011.
From our practical experience, not only efficiency but also acceptance could be raised through iGRC®.
(Slide graphic: benefits arranged along two dimensions, Efficiency and Quality/acceptance/culture)
• Ensuring a consistent methodology, clear responsibilities and the use of explicit terms
• Single report to Management and Supervisory Board presents all topics clearly
• Cutting costs by reducing redundancies in the operational and organizational structures
• Single/annual approach (query) of relevant companies, business units and departments
• Reducing duplication in effort as a result of clearly defined competences and responsibilities
• A group-wide integrated tool is used for support
• Flexible operating model facilitates the integration of potential further regulatory requirements
iGRC® helps companies achieve…
• …improved management and monitoring… through the integration of substantial systems, structures and processes of Governance, Risk and Compliance Management as well as Internal Control Systems
• …ideal integration of the relevant areas… in consideration of the strategic business objectives, a more or less close integration is applied
• …increased efficiency… through elimination of redundancies during the integration process, applying a consistent methodology as well as integrated reporting
• …higher flexibility to react to market requirements… through the highly adaptable organization of systems and processes
From idea to practice
iGRC® and its realization with the help of SAP GRC 10.0
… and an integration strategy according to iGRC® can be implemented in SAP GRC
(Slide graphic: two linked cycles on the Governance/management and Business levels, fed by SAP-ERP data or data from other systems)
Governance/management level (Strategy): Define risk strategy, Identify and analyze risks, Define measures, Monitor risks
Business level: Define controls, Check control compliance, Analyze Weaknesses/Deviations, Measures to improve processes
Data source: SAP-ERP data or data from other systems
An Integration Strategy according to iGRC® through…
Concatenation of Risk and Compliance Management and the Internal Control System
• Where internal steering and control systems intersect at the process level, a strong concatenation is useful
• Example "uniform control process":
- Common risk analysis for risk identification
- Inventory of identified risks as basis for risk reducing measures, internal controls and the focus of the compliance program
- Common testing of effectiveness for measures and internal controls
• Supporting process synchronization by various forms of organizational concatenation with different degrees of integration
Resulting benefits:
• Using synergy effects and avoiding duplication of work as well as redundancy
• Increasing transparency and security
• Performance and control units obtain a broad overview of the entire risk situation
• Efficient and effective corporate management and management control
… and with the help of SAP GRC 10.0
Concatenation of Risk and Compliance Management and the Internal Control System
(Slide screenshot of the SAP GRC 10.0 workflow) Start → Create manual test plan → Assign test plan to control → Plan test of effectiveness → End
An Integration Strategy according to iGRC® through…
Integrated Reporting for GRC
• Purpose of an integrated reporting: Standardized, transparent and efficient reporting for management and control units
• Procedure for an integrated reporting: Standardization or combination of the essential processes
- Integration of the existing reporting elements
- Merging of the reporting structures
- Standardizing reporting deadlines and formats
- Standardizing the compression ratio of information and data
Resulting benefits:
• Increasing reporting quality
• Management and control units obtain a holistic overview of the company's important issues
• Efficient and effective corporate management and control
An Integration Strategy according to iGRC® through…
Integrated Reporting for GRC
(Slide graphic: three columns of the Integrated iGRC® Standard Process feeding a constant, integrated iGRC® Reporting)
Integrated iGRC® Standard Process
• Early Risk Detection: Identify risks (incl. compliance risks), Evaluate risks
• ICS: Identify controls, Proof of effectiveness
• Compliance: Demonstrate preventive measures as addition; Additional information about the compliance status and compliance incidents
Constant, integrated iGRC® Reporting: Harmonized information about the risk situation as well as the controls' and actions' effectiveness (strategy, business operations, compliance, accounting)
An Integration Strategy according to iGRC® - a process organization example
1. Entity Scoping
2. Issue Scoping
Integration: A standardized entity scoping and issue scoping for compliance, ICS and risk management
3. Identification & Evaluation of Risks and Controls
Integration: Standardized methodology and terminology ensure "one touch" to divisions and business units. Support through an integrated tool.
4. Monitoring Compliance
Integration: Monitoring (e.g. by self-assessment) in order to cover all compliance, ICS and risk management topics, applying a group-wide integrated tool and ensuring a standardized methodology
5. Reporting
Integration: One single report entirely covers questions and results for compliance, ICS and risk management
According to our experience, in addition to efficiency also acceptance can be increased through iGRC®
(Slide graphic: benefits arranged along two dimensions, Cost Reduction and Quality/Acceptance/Culture)
• One-time/annual consultation of all relevant entities, business units and departments
• Ensure a standardized methodology, distinct responsibilities and use a clear terminology
• One report for the management and supervisory board clearly representing all topics
• Avoiding redundancy in process and structural organization; the need for coordination (e.g. compliance office vs. risk management) decreases
• Flexible standard process provides an integration potential for further regulatory requirements
• A group-wide integrated tool serves as support
Contact details – feel free to ask!
Sumit Sanyal, Governance, Risk & Compliance
PricewaterhouseCoopers AG Wirtschaftsprüfungsgesellschaft
Friedrichstr. 14, 70174 Stuttgart
Phone: +49 711/25034-1550
Mobile: +49 151 1212 9905
[email protected]
www.pwc.com
Thank you for your attention!
© 2012 PricewaterhouseCoopers AG Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, Frankfurt am Main, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each member firm of PwCIL is a legally and economically independent company.