Implementing an integrated GRC approach with SAP GRC Sumit Sanyal(PwC) www.pwc.de GRC Conference 26. November 2013 in Moscow


Page 1

Implementing an integrated GRC approach with SAP GRC

Sumit Sanyal(PwC)

www.pwc.de

GRC Conference 26. November 2013 in Moscow

Page 2

Agenda

iGRC® - An efficient approach to manage Risks, Compliance and Control Systems

From idea to practice - iGRC® and its realization with the help of SAP GRC 10.0

Seite 2

November 2013 GRC Conference

Page 3

iGRC®

An efficient approach to manage Risks, Compliance and Control Systems


Page 4

Increasing regulatory requirements set new challenges for companies…

Effectively managing Risk and Compliance

Regulatory and business drivers shown on the slide: TransPuG, UK Bribery Act, IT Risks, Strategic Business Objectives, IAS/IFRS, GAAP, Companies Act, Compliance Discussion, Corporate Governance Code, BilMoG, Sarbanes Oxley Act, Operational Business Risks, ISO 17799, Dodd-Frank Act, Cost pressure, Regulations on Administration of Registration of Resident Offices of Foreign Enterprises (China)


Page 5

For years companies have been confronted with increasing regulatory pressure, and therefore higher costs…

[Chart: Increasing regulation; Cost of Compliance; Cost of non-Compliance]

Regulatory Drivers:

• FCPA*

• Data Protection

• UK Bribery Act

• Concrete monitoring duties of the Supervisory Board

• Risk Management...

Dynamics in the regulatory environment

Responsible/ethical behavior expected

Increased cost pressure

Changes in the market and increasing volatility

* FCPA = Foreign Corrupt Practices Act


Page 6

Risk: Loss of acceptance and high costs

1. Overlapping responsibilities
2. Duplication of work
3. Multiple interfaces
4. Inconsistent preparation of information
5. Use of inconsistent methods and tools
6. Several individual processes and isolated solutions

…with an organizational impact on the existing GRC structures


Page 7

Two strategies to react to increasing costs…

1. Implementing specific measures ("Fire Fighting")

Due to cost reasons, only specific measures are implemented for Compliance Programs, Risk Management Procedures and Internal Control Systems*

Advantages
• Limited changes to existing procedures
• Low implementation costs

Disadvantages
• Increased risk of Compliance breaches with potential significant costs
• Difficult to select and justify adequate measures

2. Integration strategy

Analysis of the existing organization and cost reduction by integrating the operational and organizational structures

Savings can be used for other necessary measures

Advantages
• Reduction of costs by integrating parallel structures
• Prompt consideration of new requirements possible
• Higher acceptance

Disadvantages
• Initial costs due to structural changes

[Chart for each strategy: Cost of Compliance vs. Cost of non-Compliance]

* Study on 'Corporate Crime 2011', PwC and Martin-Luther-University Halle Wittenberg, October 2011.


Page 8

• Ensuring a consistent methodology, clear responsibilities and the use of explicit terms
• Single report to Management and Supervisory Board presents all topics clearly
• Cutting costs by reducing redundancies in the operational and organizational structures
• Single/annual approach (query) of relevant companies, business units and departments
• Reducing duplication in effort as a result of clearly defined competences and responsibilities
• A group-wide integrated tool is used for support
• Flexible operating model facilitates the integration of potential further regulatory requirements

From our practical experience, not only efficiency but also acceptance could be raised through iGRC®.

The slide groups these benefits under two headings: Efficiency, and Quality, acceptance, culture.


Page 9

iGRC® helps companies achieve…

• …improved management and monitoring… through the integration of substantial systems, structures and processes of Governance, Risk and Compliance Management as well as Internal Control Systems
• …ideal integration of the relevant areas… in consideration of the strategic business objectives, a more or less close integration is applied
• …increased efficiency… through elimination of redundancies during the integration process, applying a consistent methodology as well as integrated reporting
• …higher flexibility to react to market requirements… through the highly adaptable organization of systems and processes


Page 10

From idea to practice

iGRC® and its realization with the help of SAP GRC 10.0


Page 11

… and an integration strategy according to iGRC® can be implemented in SAP GRC

Process steps shown on the slide:
• Strategy
• Define risk strategy
• Identify and analyze risks
• Define measures
• Monitor risks
• Define controls
• Check control compliance
• Analyze weaknesses/deviations
• Measures to improve processes

Data basis: SAP-ERP data or data from other systems

Levels shown: Governance/management; Business


Page 12

An Integration Strategy according to iGRC® through…

Concatenation of Risk and Compliance Management and the Internal Control System

• Process-related intersections of internal steering and control systems make a strong concatenation useful
• Example "uniform control process":
- Common risk analysis for risk identification
- Inventory of identified risks as the basis for risk-reducing measures, internal controls and the focus of the compliance program
- Common testing of effectiveness for measures and internal controls
• Supporting process synchronization by various forms of organizational concatenation with different degrees of integration

Benefits:
• Using synergy effects and avoiding duplication of work as well as redundancy
• Increasing transparency and security
• Performance and control units obtain a broad overview of the entire risk situation
• Efficient and effective corporate management and management control


Page 13

… and with the help of SAP GRC 10.0

Concatenation of Risk and Compliance Management and the Internal Control System

Process flow shown in SAP GRC: Start → Create manual test plan → Assign test plan to control → Plan test of effectiveness → End


Page 14

An Integration Strategy according to iGRC® through…

Integrated Reporting for GRC

• Purpose of an integrated reporting: standardized, transparent and efficient reporting for management and control units
• Procedure for an integrated reporting: standardization or combination of the essential processes
- Integration of the existing reporting elements
- Merging of the reporting structures
- Standardizing reporting deadlines and formats
- Standardizing the compression ratio of information and data

Benefits:
• Increasing reporting quality
• Management and control units obtain a holistic overview of the company's important issues
• Efficient and effective corporate management and control


Page 15

An Integration Strategy according to iGRC® through…

Integrated Reporting for GRC

Integrated iGRC® standard process feeding a constant, integrated iGRC® reporting:
• Early Risk Detection: Identify risks (incl. compliance risks), evaluate risks
• ICS: Identify controls, proof of effectiveness
• Compliance: Demonstrate preventive measures as an addition; additional information about the compliance status and compliance incidents

Result: Harmonized information about the risk situation as well as the controls' and actions' effectiveness (strategy, business operations, compliance, accounting)


Page 16

An Integration Strategy according to iGRC® - a process organization example

1. Entity Scoping
2. Issue Scoping
Integration: A standardized entity scoping and issue scoping for compliance, ICS and risk management

3. Identification & Evaluation of Risks and Controls
Integration: Standardized methodology and terminology ensure "one touch" to divisions and business units. Support through an integrated tool.

4. Monitoring Compliance
Integration: Monitoring (e.g. by self-assessment) in order to cover all compliance, ICS and risk management topics, applying a group-wide integrated tool and ensuring a standardized methodology

5. Reporting
Integration: One single report entirely covers questions and results for compliance, ICS and risk management


Page 17

According to our experience, in addition to efficiency also acceptance can be increased through iGRC®

Cost Reduction / Quality, Acceptance, Culture

• One-time/annual consultation of all relevant entities, business units and departments
• Ensure a standardized methodology, distinct responsibilities and use a clear terminology
• One report for the management and supervisory board clearly representing all topics
• Avoiding redundancy in process and structural organization. Need for coordination (e.g. compliance office vs. risk management) decreases
• Flexible standard process provides an integration potential for further regulatory requirements
• A group-wide integrated tool serves as support


Page 18

Contact details – feel free to ask!

Sumit Sanyal, Governance, Risk & Compliance
PricewaterhouseCoopers AG Wirtschaftsprüfungsgesellschaft, Friedrichstr. 14, 70174 Stuttgart
Phone +49 711/25034-1550, Mobile +49 151 1212 9905, [email protected], www.pwc.com


Page 19

Thank you for your attention!

© 2012 PricewaterhouseCoopers AG Wirtschaftsprüfungsgesellschaft. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers Aktiengesellschaft Wirtschaftsprüfungsgesellschaft, Frankfurt am Main, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL). Each of the PwCIL member firms is a legally and economically independent company.