Overview of a planned new application for mySAP ERP

Requirements:
- Accurate and auditable accounting
- Parallel accounting
- Transparency of accounting figures
- Timely availability of financial information
- Compliance with accounting standards
- Compliance with corporate governance standards
- Documentation of tax-relevant information
- Transparency in treasury
- Auditable (operational) processes
- Mid-term planning
- Strategy outlook
- Transparency of the risk situation

Stakeholders: CFO; Auditors; Public authorities (tax, regulators, stock exchanges); Creditors (banks, investors); Analysts and rating agencies

Rules and regulations: US-GAAP, IAS, local GAAPs, Basel II, local tax regulations, Corp. Gov. Codex, Sarbanes-Oxley Act, LSF, COSO, COSO II, KonTraG, ...
Built-in Control Principles of the SAP Architecture: Inherent Controls, Configurable Controls, Security Controls, Reporting Controls
→ SAP NetWeaver & mySAP ERP

System Integration: reduce complexity, reduce custom integration, increase company performance
→ SAP NetWeaver

Applications directly supporting Corporate Governance: Management of Internal Controls, Audit Information System, Whistle Blower Complaints, Transparency for Basel II, Operational Risk Management *
→ mySAP ERP

Additional Capabilities: (New) General Ledger, Fast Close, Support for IAS, Transfer Pricing, SEM Business Consolidation, SEM Business Planning, SEM Strategy & Performance Mgmt., SEM Risk Management, Treasury
Control Activities
Policies and procedures that ensure management directives are carried out.
Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
Monitoring
Assessment of a control system’s performance over time.
Combination of ongoing and separate evaluation.
Management and supervisory activities.
Internal audit activities.
Control Environment
Sets the tone of the organization, influencing the control consciousness of its people.
Factors include integrity, ethical values, competence, authority, responsibility.
Foundation for all other components of control.
Information and Communication
Pertinent information identified, captured and communicated in a timely manner.
Access to internal and externally generated information.
Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.
Risk Assessment
Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.
All five components must be in place for a control to be effective.
Sarbanes-Oxley Act sections addressed:

Section   Requirement
302       Certification of contents of SEC reports by CEO and CFO
404       Annual report should include a report by management on the effectiveness of internal control over financial reporting
409       Rapid and current information on material changes in the financial condition or operations, including trend and qualitative information for protection of investors and in the public interest
Contribution of a Risk Management system:
Transparency of business risks affecting business unit targets
Audit-proof Risk Management system identifies risks that must be included in disclosure
Drilldown into risk situation of multiple business units
COSO II is the new framework for Enterprise Risk Management
Definition: Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
3) COSO II and Risk Management: Objective Categories
Objective Categories
Strategic – relating to high-level goals, aligned with and supporting the entity’s mission and vision.
Operations – relating to effectiveness and efficiency of the entity’s operations, including performance and profitability goals. They vary based on management’s choices about structure and performance.
Reporting – relating to the effectiveness of the entity’s reporting. They include internal and external reporting and may involve financial and non-financial information.
Compliance – relating to the entity’s compliance with applicable laws and regulations.
Fundamental concepts of Enterprise Risk Management
- Is a process: it's a means to an end, not an end in itself
- Is effected by people: it's not merely policies, surveys and forms, but involves people at every level of an organization
- Is applied in strategy setting
- Is applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risks
- Is designed to identify events potentially affecting the entity and manage risk within its risk appetite
- Provides reasonable assurance to an entity's management and board
- Is geared to the achievement of objectives in one or more separate but overlapping categories
Event Identification
Management identifies potential events affecting an entity’s ability to successfully implement strategy and achieve objectives.
Events with a potentially negative impact represent risks, which require management’s assessment and response.
Events with a potentially positive impact may offset negative impacts or represent opportunities which get channeled back into the strategy and objective-setting processes.
A variety of internal and external factors give rise to events. When identifying potential events, management considers the full scope of the organization.
Management considers the context within which the entity operates and its risk tolerances.

Risk Assessment
Risk assessment allows an entity to consider the extent to which potential events might have an impact on achievement of objectives.
Management should assess events from two perspectives − likelihood and impact − and normally uses a combination of qualitative and quantitative methods.
The positive and negative impacts of potential events should be examined, individually or by category, across the entity.
Potentially negative events are assessed on both an inherent and a residual basis.

Risk Response
Having assessed relevant risks, management determines how it will respond.
Responses include risk avoidance, reduction, sharing and acceptance.
In considering its response, management considers costs and benefits, and selects a response that brings expected likelihood and impact within the desired risk tolerances.
Expanded responsibilities of the Executive Board according to §91 Abs. 2 AktG:
- Requirement to establish a control system
- Take action to detect risks that endanger the existence of an enterprise at an early stage

Inspection of the Risk Management System through external auditors according to §317 paragraph 4 HGB:
- Has action been taken according to §91 Abs. 2 AktG?
- Is the Risk Management System adequate for its purpose?

Depiction in the audit report according to §321 paragraph 4 HGB:
- Assessment of the Risk Management System in a separate chapter of the auditor's report
- Assessment whether an enhancement of the Risk Management System is required
Organizational Unit hierarchy: based on the Balanced Scorecard framework, one BSC represents one Organizational Unit. Unlimited number of hierarchy levels; Org. Units represent legal entities, business units and departments.
... Performance Metrics of an Organizational Unit (examples: Net Sales, EBIT, ...). Performance Metrics can be linked to strategic objectives of the Org. Unit.
... Activities within an Org. Unit: Activities can be Processes, Projects and other activities.
Based on “impact”, representing deviations from the Performance Metric target amount. Instead of probability, the impact can be expressed in categories like “expectation value” and others.
Impact is quantified as “Total Loss” in monetary units. Qualitative impacts can be expressed. Probability of occurrence is expressed as a percentage.
Risks are not assigned and analyzed at the level of Organizational Units, but on the level of Activities that take place within an Organizational Unit.
Risks can occur: within business processes; during the course of a project; in other activities and objects that are neither processes nor projects.
Within ORM, Risks will be identified, assessed and managed by applying appropriate response strategies.
The ORM will provide defined Roles to support an appropriate authorization concept, and Workflows between Roles to support the necessary interaction when approvals are needed.
The ORM will provide predefined online ad-hoc analysis, as well as data warehouse structures for flexible multidimensional reporting.
Activities: a specific operation that may lead to risks in an organizational unit. Three types of activities can be assigned to Organizational Units:
- Processes: potentially all operational and admin processes within an enterprise
- Projects: potentially all internal and customer projects
- Objects: generic activity that is neither a project nor a process (e.g. “Production Plant A”)
Organizational Units: arranged in an Org. Unit hierarchy, e.g. according to HR-Org; headed by a named Org. Unit Manager; main entry point for analyzing the risk situation.
Risks: a named uncertain event or condition that has a negative effect on the business. Risks are assigned to Processes, Projects or Objects within a certain Organizational Unit.
Building Blocks of the Operational Risk Management
1. Configuration and structure set-up:
   - Set up Organizational Units
   - Create common Activity Catalogs (Projects, Processes, Objects), a common Risk Catalog and Risk Proposals
   - Determine other settings like Risk Levels, Risk Priorities, ...
2. Risk Assessment process:
   - Enter BU-specific Activities
   - Detect and enter Risks; assess impact, probability and time frame; calculate Risk Level, Risk Priority, ...
   - Interaction between roles supported by workflow
   - Propose and execute Risk Responses
3. Risk Analysis and Reporting:
   - View ad hoc reports of the risk situation of Organizational Units
   - Use OLAP reporting for detailed multidimensional analysis
   - Create mandatory standard reports per Org. Unit
Roles in the ORM:
Assessment Owner: performs Risk Assessments, i.e. the overall identification, analysis and response planning of all Risks assigned to an Activity. Acts at different organizational levels, with access only to those Activities and Risks with which he is personally involved. Typically Line Managers, Project Managers, Internal Audit and others assigned at the level of the specific Organizational Unit.
Response Owner: analyzes Risks, initiates Risk response actions and follows up on them. Usually nominated by the Assessment Owner if special knowledge is required for handling the Risk. Acts independently of the organizational assignment, but with access only to those responses where he is personally involved.
Validator: validates and approves or rejects the Risk Assessments, rejects individual Risks, and sets the “sensitivity level” of a Risk (access to the Risk and its details is then further restricted). Checks the risk documentation, analysis, response strategy and individual responses of all Risks of an Activity. In practice, the Validator may be the Organizational Unit Manager who has the budget responsibility for the response execution.
ORM Entities in Detail: Activity Master Data – 1 –

Activities *
- Approval Comment: comments added by the Validator of the activity while approving it. Can be used by the Activity Owner to send comments back to the Validator when the Activity is sent for validation.
- Validator: Validator for this Activity
- Assessment Owner: Assessment Owner for this Activity
- Currency: currency in which the risk values will be expressed

Risk Master Data
- Sensitivity: if during the Validation phase the Validator determines that this Risk is “sensitive”, she/he will mark it as such. This designation limits the viewing of this Risk to a select audience.
- Risk Owner: by default the user who created the Risk. Can be changed.
- Risk Status: current “life cycle” status. Includes options like “Draft”, “Released for validation”, “Finished” and “Occurred”. For a new Risk, “Draft” is the default status setting.
- Activity ID: Activity to which the Risk was assigned
- Comment: free text. Additional detail about the Risk
- Event Driver: free text. Existing incident or action that influences the probability that a particular Risk event will occur
- Consequence: free text. The possible negative outcome of the current condition that is creating uncertainty
- Condition: free text. The key circumstance, situation, etc. that is causing concern, doubt, anxiety, or uncertainty
- External: marking a risk as external will exclude the Risk from reporting. This allows the capturing of risks that, for example, exist at a customer in a project context but only impose an impact on the customer without impact on the own company.
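The authorization concept sketched above (an Assessment Owner and a Validator per Activity, Response Owners involved only through their own responses, and the Validator's sensitivity flag narrowing access further) as a worked check. This is an added example, not code from the slides or from the SAP product; the users, identifiers and function names are made up, and the exact audience of a sensitive Risk (Validator, Assessment Owner and Risk Owner) is an assumption, since the slides only say "a select audience".

```python
"""Role-based visibility of ORM Activities, Risks and Responses.

Constructed example (not SAP code). Rules taken from the slides: Assessment
Owners and Validators see the Activities they are assigned to, Response
Owners see only the responses they own, and a Risk marked "sensitive" by the
Validator is visible to a restricted audience. Which users make up that
audience is an assumption here: the Validator, the Assessment Owner and the
Risk Owner of the Risk.
"""
from dataclasses import dataclass, field


@dataclass
class Activity:
    activity_id: str
    org_unit: str
    assessment_owner: str
    validator: str


@dataclass
class Response:
    response_id: str
    response_owner: str


@dataclass
class Risk:
    risk_id: str
    activity_id: str
    risk_owner: str
    sensitive: bool = False
    responses: list = field(default_factory=list)


def involved_users(risk, activity):
    """Users personally involved with the Risk through an Activity or Risk role."""
    return {activity.validator, activity.assessment_owner, risk.risk_owner}


def can_view_risk(user, risk, activity):
    if user in involved_users(risk, activity):
        return True
    if risk.sensitive:
        # assumption: sensitivity hides the Risk record from everyone else;
        # Response Owners keep access to their own response only (see below)
        return False
    return any(r.response_owner == user for r in risk.responses)


def can_view_response(user, risk, activity, response):
    if response.response_owner == user:
        return True
    # the Validator and the Assessment Owner check all responses of the Activity's Risks
    return user in {activity.validator, activity.assessment_owner}


def can_set_sensitivity(user, activity):
    """Only the Validator of the Activity marks a Risk as sensitive."""
    return user == activity.validator


def visible_risks(user, risks, activities):
    return [r.risk_id for r in risks
            if can_view_risk(user, r, activities[r.activity_id])]


# constructed sample data: two Activities, three Risks, one shared Validator
ACTIVITIES = {
    "PROC-1": Activity("PROC-1", "OU-A", assessment_owner="ao_anna", validator="val_vik"),
    "PROJ-7": Activity("PROJ-7", "OU-B", assessment_owner="ao_bob", validator="val_vik"),
}
RISKS = [
    Risk("R-1", "PROC-1", risk_owner="ao_anna", responses=[Response("RSP-1", "ro_rita")]),
    Risk("R-2", "PROC-1", risk_owner="ao_anna", sensitive=True,
         responses=[Response("RSP-2", "ro_rita")]),
    Risk("R-3", "PROJ-7", risk_owner="ao_bob"),
]

if __name__ == "__main__":
    for user in ("ao_anna", "ao_bob", "ro_rita", "val_vik", "guest"):
        print(user, visible_risks(user, RISKS, ACTIVITIES))
```

The point of separating `can_view_risk` from `can_view_response` is that the Response Owner `ro_rita` still reaches her own response on the sensitive Risk R-2 without seeing the Risk's details; the Validator sees everything across both Org. Units because validation spans the Activities assigned to him.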
Risk Level:
- The Global Risk Level is derived from the Global qualitative Impact and the Probability
- The Local Risk Level is derived from the Local qualitative Impact and the Probability
- A user-defined matrix identifies the Risk Levels
- The Risk Level is later used for Risk Prioritization

Example matrix for derivation of the Risk Level (rows: probability level, columns: impact level):

Probability level   Probability   Impact 1   Impact 2   Impact 3   Impact 4   Impact 5
1                   0-20%         L          L          L          L          M
2                   21-40%        L          L          L          M          M
3                   41-60%        L          L          M          M          H
4                   61-80%        L          M          M          H          H
5                   81-99%        M          M          H          H          H

Low risks (L) mean minimum impact where no management action is required.
Medium risks (M) indicate that some disruption could occur. No immediate management action is required for medium risks, but continuous risk monitoring has to be initiated and future action may be needed.
High risks (H) are considered unacceptable risks where major disruption is likely. Priority management attention is usually required for high risks to bring the situation under control.
Risk Priority: prioritizing risks is important when it comes to the question which risks should be dealt with first, especially when the allocation of significant resources is required to manage the risk. The Risk Priority is derived from the combination of “Risk Level” and time frame, grouped in categories like short (e.g. within 3 months), medium (e.g. within 6 months) and long (e.g. within 9 months). A user-defined matrix identifies the Risk Priority.

Example matrix for derivation of the Risk Priority (Risk Priority from 1 to 9; rows: expected date of occurrence, columns: Risk Level):

Expected date of occurrence   high   medium   low
short                         1      2        5
medium                        3      4        7
long                          6      8        9

Based on the Risk Priority, a “Top N Risks” list could be produced as part of the Risk Reporting.
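The two example matrices above worked through in code, including the Top-N list they feed. This is an added example, not code from the slides or from SAP: the matrices are the slides' own, but the currency table behind the impact categories, the month boundaries of the time frames, the sample risks and the function names are assumptions.

```python
"""Risk Level and Risk Priority derivation from the two example matrices.

Constructed example, not SAP code. The two matrices are the slides' example
matrices; the impact table (currency amount per impact category), the month
boundaries of the time frames and the sample risks are assumptions.
"""
from dataclasses import dataclass

# Risk Level matrix: key = probability level 1..5, string index = impact level
# minus one (index 0 is impact level 1, index 4 is impact level 5).
RISK_LEVEL_MATRIX = {1: "LLLLM", 2: "LLLMM", 3: "LLMMH", 4: "LMMHH", 5: "MMHHH"}

# Risk Priority matrix: (time frame, risk level) -> priority 1 (first) .. 9 (last)
RISK_PRIORITY_MATRIX = {
    ("short", "H"): 1, ("short", "M"): 2, ("short", "L"): 5,
    ("medium", "H"): 3, ("medium", "M"): 4, ("medium", "L"): 7,
    ("long", "H"): 6, ("long", "M"): 8, ("long", "L"): 9,
}

# Assumed "locally valid table": upper bound (currency units) of impact
# categories 1..4; anything above the last bound is category 5.
IMPACT_TABLE = [(10_000, 1), (50_000, 2), (250_000, 3), (1_000_000, 4)]


def probability_level(pct):
    """Map a probability in percent to the 1..5 scale of the matrix."""
    if not 0 <= pct <= 99:
        # the scale ends at 99%: a certain event is an issue to handle, not a risk
        raise ValueError("probability must be between 0 and 99 percent")
    for upper, level in ((20, 1), (40, 2), (60, 3), (80, 4)):
        if pct <= upper:
            return level
    return 5


def impact_level(total_loss):
    for upper, level in IMPACT_TABLE:
        if total_loss <= upper:
            return level
    return 5


def time_frame(months_to_occurrence):
    # assumed boundaries: up to 3 months short, up to 6 medium, longer is long
    if months_to_occurrence <= 3:
        return "short"
    if months_to_occurrence <= 6:
        return "medium"
    return "long"


def risk_level(probability_pct, total_loss):
    row = RISK_LEVEL_MATRIX[probability_level(probability_pct)]
    return row[impact_level(total_loss) - 1]


def risk_priority(level, frame):
    return RISK_PRIORITY_MATRIX[(frame, level)]


@dataclass
class Risk:
    name: str
    total_loss: float
    probability_pct: float
    months_to_occurrence: int


def assess(risk):
    level = risk_level(risk.probability_pct, risk.total_loss)
    return {"name": risk.name, "level": level,
            "priority": risk_priority(level, time_frame(risk.months_to_occurrence))}


def top_n_risks(risks, n):
    """Top-N list: lowest priority number first, larger Total Loss breaks ties."""
    ranked = sorted(risks, key=lambda r: (assess(r)["priority"], -r.total_loss))
    return [r.name for r in ranked[:n]]


# constructed sample risks (name, Total Loss, probability %, months to occurrence)
SAMPLE_RISKS = [
    Risk("Supplier insolvency", 400_000, 35, 2),
    Risk("Data center outage", 1_500_000, 10, 8),
    Risk("Key staff leaves", 60_000, 70, 5),
    Risk("Audit finding: missing segregation of duties", 30_000, 90, 1),
    Risk("Regulatory fine", 2_000_000, 55, 2),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(assess(r))
    print("Top 3:", top_n_risks(SAMPLE_RISKS, 3))
```

Note how the matrix keeps a 10% outage with a very large loss at "medium" while a 55% regulatory fine becomes "high": the level is read off the intersection, not computed from expected loss, so the currency table behind the impact categories decides as much as the probability does.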
Net Opportunity Value: Activities, especially Projects, usually offer an opportunity, which can be expressed in a currency value. In this case, a Net Opportunity Value can be calculated, which is based on the Opportunity Value of the activity and the Risk situation:

    Opportunity Value - Expected Loss = Net Opportunity Value

The Net Opportunity Value can be compared with other risk-related values like Total Loss, Expected Loss or Response Costs to better understand the risk situation of an activity.
Risk assessment data:
- Total Loss: the magnitude of the actual loss value accrued when a risk event occurs, measured in a monetary amount.
- Risk Response: counter measures to handle the Risk, described with: Risk Response type (Close, Accept, Watch, Research, Transfer, Delegate, Mitigate); Response Owner; Action date; Response cost; Response description; Expected Risk reduction (Probability and/or Quantitative and/or Qualitative Impact); Contingency Plan (document attached to the risk holding the details of what the consequences and subsequent actions are when the risk response fails).
- Time Frame: the period when action is required to respond to a risk. Will be given in intervals like (example): Short 1-3 months, Medium 3-6 months, Long 6-9 months, ...
- Local Impact: the local impact level is an estimation of the consequences of a risk on the basis of a configurable qualitative scale. Given as a category from 1 to n which is mapped against a locally valid table containing the values for each category in currency amounts.
- Global Impact: the global impact level is an estimation of the consequences of a risk on the basis of a configurable qualitative scale. Given as a category from 1 to n which is mapped against a globally valid table containing the values for each category in currency amounts.
- Probability: probability that the impact associated with the Risk will materialize. Given as a percentage.
When assessing a Risk, one or more responses can be created for each individual risk. Main data entered for each response:
- Response strategy (Accept, Watch, Research, Transfer, Delegate, Mitigate; see below)
- Response costs: later considered in the overall analysis
- Probability percentage change: to which extent the response changes the probability. Example: “decrease by 5%”
- Total Loss change: to which extent the response changes the total loss. Example: “decrease by 200.000 $”
- Global Impact change: if not derived from the total loss change, to which extent the response changes the global impact. Example: “decrease by 1 level”
- Local Impact change: to which extent the response changes the local impact. Example: “decrease by 1 level”

Response strategies:
- Accept: Risk acceptance involves no initial action. The risk will be handled as a problem if it occurs.
- Watch: Risk watch involves monitoring the risks and their attributes for early warning of critical changes in impact, probability, timeframe, or other aspects.
- Research: Risk research is the investigation of a risk until enough detail is known to be able to plan mitigation.
- Transfer: Risk transfer is the allocation of authority, responsibility, and accountability for a risk to another person or organization outside of SAP or the project. See also risk delegation below.
- Delegate: Risk delegation involves the assignment of responsibility for a risk to another person or organization within SAP or the project. See also risk transfer.
- Mitigate: Risk mitigation eliminates or reduces the risk by developing strategies and actions for reducing (or eliminating) the impact, probability, or timeframe to some acceptable level. Risk mitigation usually involves the expenditure of resources.
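The Net Opportunity Value relation and the response fields above (strategy, cost, probability change, Total Loss change) combined into the "before response / after response" comparison the slides describe. This is an added example, not code from the slides or from SAP. It assumes Expected Loss = Total Loss x Probability, which the slides name but do not spell out, and the project figures, names and function names are made up.

```python
"""Net Opportunity Value of an Activity before and after Risk Responses.

Constructed example, not SAP code. The relation Opportunity Value - Expected
Loss = Net Opportunity Value and the response fields (strategy, cost,
probability change, Total Loss change) are from the slides. Assumed here:
Expected Loss = Total Loss x Probability, and the sample project figures.
"""
from dataclasses import dataclass, field

RESPONSE_STRATEGIES = {"Accept", "Watch", "Research", "Transfer", "Delegate", "Mitigate"}


@dataclass
class Response:
    strategy: str
    cost: float
    probability_change_pts: float = 0.0  # "decrease by 5%" -> -5
    total_loss_change: float = 0.0       # "decrease by 200.000 $" -> -200_000

    def __post_init__(self):
        if self.strategy not in RESPONSE_STRATEGIES:
            raise ValueError(f"unknown response strategy: {self.strategy}")


@dataclass
class Risk:
    name: str
    total_loss: float
    probability_pct: float
    responses: list = field(default_factory=list)


def expected_loss(total_loss, probability_pct):
    # assumed definition (not spelled out on the slides)
    return total_loss * probability_pct / 100.0


def after_responses(risk):
    """Probability and Total Loss once all responses take effect, clamped to sane ranges."""
    prob = risk.probability_pct + sum(r.probability_change_pts for r in risk.responses)
    loss = risk.total_loss + sum(r.total_loss_change for r in risk.responses)
    return min(max(prob, 0.0), 100.0), max(loss, 0.0)


def net_opportunity_value(opportunity_value, risks, after=False):
    """Opportunity Value minus the Expected Loss of all risks of the Activity."""
    total = 0.0
    for risk in risks:
        prob, loss = after_responses(risk) if after else (risk.probability_pct, risk.total_loss)
        total += expected_loss(loss, prob)
    return opportunity_value - total


def activity_risk_picture(opportunity_value, risks):
    """NOV next to Total Loss, Expected Loss and Response Costs, as the slides suggest."""
    before = net_opportunity_value(opportunity_value, risks)
    after = net_opportunity_value(opportunity_value, risks, after=True)
    costs = sum(r.cost for risk in risks for r in risk.responses)
    return {
        "total_loss": sum(r.total_loss for r in risks),
        "expected_loss_before": opportunity_value - before,
        "expected_loss_after": opportunity_value - after,
        "response_costs": costs,
        "net_opportunity_before": before,
        "net_opportunity_after": after,
        # responses pay off when the gain in NOV exceeds what they cost
        "responses_pay_off": (after - before) > costs,
    }


# constructed sample: one project with two risks, one mitigated and one accepted
PROJECT_OPPORTUNITY = 1_000_000.0
PROJECT_RISKS = [
    Risk("Supplier delay", total_loss=800_000, probability_pct=40,
         responses=[Response("Mitigate", cost=50_000, probability_change_pts=-15,
                             total_loss_change=-200_000)]),
    Risk("Scope creep", total_loss=100_000, probability_pct=50,
         responses=[Response("Accept", cost=0)]),
]

if __name__ == "__main__":
    for key, value in activity_risk_picture(PROJECT_OPPORTUNITY, PROJECT_RISKS).items():
        print(f"{key:>24}: {value}")
```

The "before" and "after" views correspond to the predefined views "Before Risk Response" and "After Risk Response" of the online analysis; keeping response costs out of the NOV itself and comparing them separately matches the slide, which lists Response Costs as a value to compare with the NOV rather than a component of it.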
Two ways of doing Risk Analysis:
- Based on predefined screens in the online application
- Based on predefined, yet flexible reports from the SAP data warehouse (OLAP reporting)

Online Analysis:
- Calculation and visualization of all relevant Risk data on aggregated and detail levels
- Aggregation along
- Various predefined views like “local values”, “global values”, “Before Risk Response”, “After Risk Response”

OLAP Reporting:
- Predefined business content delivered through the SAP data warehouse (InfoCubes, Extractors, Queries)
- Data is extracted from the online application
- Flexible reports as usual in the OLAP world: slice and dice, flexible aggregation, custom calculations, ...

Basis of the OLAP reporting are two InfoCubes that are delivered as business content:
- InfoCube 1: data on the level of Risk and Organizational Unit
- InfoCube 2: data on the level of Activity and Organizational Unit
- A combination of both for a drill-down is possible through a “MultiCube Query”

InfoCubes are filled by various extractors for: master data, including texts and attributes; hierarchies; transactional data.
End-user access to the data is through predefined Queries (Reports) which can be accessed using a web browser. New queries can easily be created, with custom calculations if necessary, and queries can be presented in a Portal.
As Risks often might affect not only one Org. Unit, Activity or Risk Owner, the solution includes the following collaboration features:
1. Collaborative Risks: if a Risk in Org. Unit A is also relevant for activities in Org. Unit B and presumably also has a negative impact on Org. Unit B, this is called a collaborative Risk.
2. Linked Risks: if a Risk in Org. Unit A is somehow influenced by activities in Org. Unit B, but the impact only hits Org. Unit A, this is called a linked Risk.
3. Invitations for collaborative Risk Assessments: if for a Risk in Org. Unit A another person than the original Assessment Owner can contribute a Risk Assessment, this person can be invited to give his/her opinion in an additional Risk Assessment.
Collaborative Risks: if a Risk in Org. Unit A is also relevant for activities in Org. Unit B and presumably also has a negative impact on Org. Unit B, this is called a collaborative Risk.

[Diagram: Org. Unit A has Activity 1 with Risk 1; Org. Unit B has Activity 2. Org. Unit A creates a collaborative Risk 1, which is accepted* by Org. Unit B. The impact of Risk 1 is shown in Org. Unit A as assessed by the Risk Assessment Owner of Activity 1 in Org. Unit A, and in Org. Unit B as assessed by the Risk Assessment Owner of Activity 2 in Org. Unit B.]

* Proposed collaborative Risks can also be rejected, thus preventing that this Risk becomes valid for Org. Unit B.
Linked Risks: if a Risk in Org. Unit A is somehow influenced by activities in Org. Unit B, but the impact only hits Org. Unit A, this is called a linked Risk.

[Diagram: Org. Unit A has Activity 1 with Risk 1; Org. Unit B has Activity 2. Org. Unit A creates a linked Risk 1, which is accepted* by Org. Unit B. An assessment of Risk 1 is created by the Risk Assessment Owner of Activity 2 in Org. Unit B. The accumulated impact of Risk 1 is shown as in the assessment by the Risk Assessment Owner of Activity 1 in Org. Unit A plus the assessment of the Risk Assessment Owner of Activity 2 in Org. Unit B.]

* Proposed linked Risks can also be rejected, thus preventing that additional assessments are done for Risk 1 by the Risk Assessment Owner in Org. Unit B.
Invitations for collaborative Risk Assessments: if for a Risk in Org. Unit A another person than the original Assessment Owner can contribute a Risk Assessment, this person can be invited to give his/her opinion in an additional Risk Assessment.

[Diagram: Org. Unit A has Activity 1 with Risk 1. Invitations are sent to other users (with roles RM, AO or AM) to create additional Risk Assessments. The impact of Risk 1 is shown as in the assessment by the Risk Assessment Owner of Activity 1 in Org. Unit A; impacts from further assessments by invited users are shown separately as “additional ...”.]
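The three collaboration features above, reduced to the one question a report has to answer: what does the risk report of a given Org. Unit show for a shared Risk? This is an added example, not code from the slides or from SAP; the rules (acceptance makes a collaborative Risk valid for the other unit, accepted linked assessments accumulate into the home unit's impact, invited assessments are listed separately) are from the slides, while the assessors, Org. Units, amounts and function names are made up.

```python
"""Reported impact of one Risk under the three collaboration features.

Constructed example, not SAP code. From the slides: a collaborative Risk
becomes valid for Org. Unit B only if B accepts it, and is then shown in each
Org. Unit as assessed by that unit's Risk Assessment Owner; a linked Risk adds
B's assessment to the accumulated impact reported in A if B accepts; invited
assessments are shown separately as "additional". Names and amounts are made up.
"""
from dataclasses import dataclass, field


@dataclass
class Assessment:
    assessor: str          # Risk Assessment Owner (or invited user) who entered it
    org_unit: str
    impact: float
    accepted: bool = True  # proposed collaborative/linked Risks can be rejected


@dataclass
class SharedRisk:
    risk_id: str
    home_org_unit: str
    home_assessment: Assessment
    collaborative: list = field(default_factory=list)  # proposals to other Org. Units
    linked: list = field(default_factory=list)         # assessments from influencing units
    invited: list = field(default_factory=list)        # additional invited assessments


def impact_report(risk, org_unit):
    """What the risk report of `org_unit` shows for this Risk."""
    if org_unit == risk.home_org_unit:
        accumulated = risk.home_assessment.impact + sum(
            a.impact for a in risk.linked if a.accepted)
        return {"valid": True, "impact": accumulated,
                "additional": [(a.assessor, a.impact) for a in risk.invited]}
    for a in risk.collaborative:
        if a.org_unit == org_unit and a.accepted:
            # the other unit reports its own assessment, not the home unit's
            return {"valid": True, "impact": a.impact, "additional": []}
    # rejected, never proposed, or only linked: the Risk is not valid for this Org. Unit
    return {"valid": False, "impact": None, "additional": []}


# constructed sample: Risk R-1 owned by OU-A, shared in every way the slides describe
RISK_1 = SharedRisk(
    "R-1", "OU-A", Assessment("ao_anna", "OU-A", 100_000),
    collaborative=[Assessment("ao_bob", "OU-B", 40_000),
                   Assessment("ao_carl", "OU-C", 25_000, accepted=False)],
    linked=[Assessment("ao_dora", "OU-D", 30_000),
            Assessment("ao_emil", "OU-E", 15_000, accepted=False)],
    invited=[Assessment("rm_ruth", "OU-A", 120_000), Assessment("am_ali", "OU-A", 80_000)],
)

if __name__ == "__main__":
    for ou in ("OU-A", "OU-B", "OU-C", "OU-D"):
        print(ou, impact_report(RISK_1, ou))
```

Two consequences worth checking in a report: a linked unit (OU-D) contributes to OU-A's accumulated impact without the Risk appearing in its own report, and a rejected proposal (OU-C, OU-E) leaves no trace in either direction.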
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.
IBM®, DB2®, DB2 Universal Database, OS/2®, Parallel Sysplex®, MVS/ESA, AIX®, S/390®, AS/400®, OS/390®, OS/400®, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere®, Netfinity®, Tivoli®, Informix and Informix® Dynamic ServerTM are trademarks of IBM Corporation in USA and/or other countries.
ORACLE® is a registered trademark of ORACLE Corporation.
UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.
Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.
HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.
JAVA® is a registered trademark of Sun Microsystems, Inc.
JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
MarketSet and Enterprise Buyer are jointly owned trademarks of SAP AG and Commerce One.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.