SAP GRC RM_PwC Implementation Approach_v2.0
Page 1: SAP GRC RM_PwC Implementation Approach_v2.0

PricewaterhouseCoopers

PwC Governance Risk and Compliance
SAP BusinessObjects Risk Management

SAP LTT group

Aligning SAP GRC Risk Management solution with your Risk Management Framework


Table of Contents

1. Risk Management Framework Key Considerations

2. Business drivers & Risk Management approach

3. PwC’s SAP GRC Risk Management methodology

4. Risk Management Operating Model

5. SAP GRC Risk Management Value Proposition

6. SAP GRC Risk Management key implementation considerations

7. Key Benefits of integrating SAP GRC Risk Management with SAP GRC Process Control

8. SAP GRC Risk Management Implementation Case Study Overview

9. Why PricewaterhouseCoopers?

Risk Management Framework Key Considerations

The framework components shown on the slide are Strategy, Risk Governance, Risk Organization, Policies, Procedures & Risk Limits, Risk Assessment Process, Risk Response, Risk Monitoring and Reporting (including Key Risk Indicators), and Risk Tools, Technology and Infrastructure.

Strategy (top-down guidance, Risk Appetite): The business strategy, objectives and risk appetite should drive risk management priorities and discipline in the pursuit of business objectives.

Risk Governance / Risk Organization: Organization and governance must provide for clear direction, guidance, and oversight of risk management activities as part of performance management.

Policies, Procedures, & Risk Limits: Policies, procedures and risk limits are intended to provide consistent guidance and parameters to the business to manage risk within the organization’s risk appetite.

Risk Assessment Process:
- Identify risks by business objective
- Assess, prioritize risks as H, M, L (e.g., with RCSA), by likelihood & impact
- Define Key Risk Indicators (KRIs)
- Define KRI tolerance
- Determine risk response requirements
The risk assessment and management process must ensure that risks are identified timely, assessed consistently, and addressed in accordance with the organization’s risk appetite.

Risk Response: Shown as a component of the framework on the slide.

Risk Monitoring, Reporting, including Key Risk Indicators: Monitoring and reporting on risks will enable the organization to anticipate and respond to changes in its risk profile.

Risk Tools, Technology, Infrastructure: Tools and technology facilitate the risk management process, particularly the risk assessment, risk monitoring and risk correlation processes.

Business drivers and Risk Management approach

Risk Management principles should be implemented in a progressive manner. Sustainability is enhanced when risk management is embedded in existing processes.

Governance: Enhance risk communications to the board
• Assess the company’s enterprise risk profile
• Describe how the risks are to be managed
• Assign accountability for key risks, including consideration of emerging risk
• Begin to formalize risk tolerance & appetite
• Monitor changes in risk profile and practices
• Modify risk reporting and communications

Strategic: Optimize strategic decisions using risk management
• Modify key processes to better incorporate risk management techniques. For example:
  o Scenario planning capability is developed and applied to help determine risk impacts and to evaluate impact of broader, strategic risks (emerging risks).
  o Performance measurement: BUs & projects evaluated on a risk-adjusted basis.
• Risks are correlated and linked to strategic priorities and business objectives.

Operational: Align risk and performance management
• Start with strategic objectives
• Integrate risk and performance metrics
• Agree on risk tolerances around key metrics
• Redesign compensation and incentives to incent risk-adjusted performance
• Adopt “common” risk assessment and “assurance” reporting standards throughout the enterprise.

Business drivers
• Transform Risk Management process from a silo approach to a more coordinated and oriented approach.
• Consolidate risks at higher levels of the organization and evaluate global risk exposure.
• Respond intelligently by focusing on key risks, creating cross-organizational resolution strategies and tracking response costs.
• Improve visibility and optimize decision making by aligning risks to strategic priorities and business objectives.
• Enhance risk communications to the board.
• Monitor key risks in a proactive way through a standardized and centralized Key Risk Indicator framework.

PwC’s SAP GRC Risk Management implementation methodology

Risk Definition, Assessment, Monitoring, Reporting Processes

The methodology runs through four phases: Plan & Identify, Assess & Prioritize, Respond & Implement, and Monitor & Re-assess. The phase themes shown on the slide are: identify risks to business objectives & assess inherent risks; evaluate cross-organization risk exposure; measure residual risk & establish risk correlation; monitor leading risk indicators & mitigation responses.

Plan & Identify
• Determine key business objectives based on company strategy.
• Establish Organizational hierarchy and define Risk Appetite and Risk Tolerance across the organization.
• Establish Risk Classification & Business Activity hierarchies.
• Identify risks to business objectives across key risk categories, developing a company-wide risk profile.
• Assign driver and Impact categories to central risks.
• Align accountability structures for managing risks.
• Design and conduct surveys to be used for a risk assessment.

Assess & Prioritize
• Using risk profile, assess likelihood and potential impact of identified risks to establish risk tolerance levels.
• Determine/evaluate adherence to risk guidance and tolerance.
• Consolidate group of risks.
• Prioritize risks using Global & Local Heat Maps.
• Evaluate analyzed risks & identify patterns.
• Based on risk assessment, align resources and accountability structure with initiatives that fall within company risk tolerance.
• Define risk interdependency model and determine risk influence factors.

Respond & Implement
• Based on risk assessment and defined tolerance level, determine risk response strategy.
• Define risk response / action plans to be monitored to ensure adherence to defined risk tolerance levels, including accountability and timeline.
• Leverage investment in SAP GRC Process Control by applying internal controls as responses to risks.
• Evaluate Completeness & Effectiveness of responses and measure residual risk levels.

Monitor & Re-assess
• Build Risk Indicators for key risk areas (Identify existing metrics, assess gaps, improve metrics, validate & identify trigger levels).
• Report on risks using dashboards and detailed reporting tailored to stakeholder risk information needs.
• Ensure ongoing monitoring of risk responses.
• Monitor Risk Indicators and establish control plan and escalation criteria.
• Collect and analyze loss data through the Incident Loss Database.
• Build and conduct risk scenario planning & analysis.
• Perform re-assessment for all impacted risks through risk assessment planning.

Feedback loop: continuous assessment of Risk Exposure; automated & continuous monitoring of Key Risk Indicators; re-assess and update risk levels across the organization hierarchy through the risk interdependency management model.

Risk Management Operating Model (1/2)

Roles and responsibilities for tracking risk should be assigned to individuals across the organization, facilitating the ongoing monitoring of risk events.

Business / Functional Leader (Owners & Responsible Parties)
• Each Business / Function will provide information related to risk events
• Inputs are obtained in multiple ways, including use of indicators, internal knowledge of business as well as external sources
• As part of annual planning processes, the Business / Function provides risk event information to the risk event owners based on relevant inputs
• Quarterly, the Business / Function will provide an update to the risk event owner

Risk Event Owner
• Each risk event has one owner who compiles reporting
• Risk analysis for each event focuses on current status, target status, risk response, corrective action / mitigation plan (risk event slides presented herein)

Corporate Audit
• Corporate Audit aggregates information obtained from the Risk Event Owners
• Heat map updates and consolidated reporting will be prepared
• Corporate Audit facilitates the ERM process throughout the year, including assisting risk event owners:
  - Annual risk assessment
  - Quarterly specific risk updates
  - Periodic testing of risk mitigation controls to assess effectiveness and areas for improvement

Chief Risk Officer
• Chief Risk Officer reviews corporate risk report on a periodic basis covering all risk events
• Risk report includes the following highlights:
  - Priority of risk events
  - Effectiveness of risk response strategies

CEO/Board and Audit Committee
• Reviews outputs of ERM program, including understanding how significant risks are managed
• Review heat maps and periodic assessments of specific risk events and associated mitigation plans
• Board will have a well grounded basis for new SEC proxy reporting relative to risk oversight (effective for 2010)

Risk Management Operating Model (2/2)

Flow of risk aggregation across the organization: a bottom-up approach from function to board level, facilitated by corporate audit, would assist in deploying an effective risk monitoring across the organization.

[Figure: risk aggregation chart. Columns on the slide: Business / Functional Leaders (Owners & Responsible Parties: CEO / CFO / Accounting / Treasurer / Tax, Human Resource, General Counsel, Corporate Development, President Business Segments, Global Business Services (GBS)); Risk Event Owners (CEO, CFO, EVP GBS, EVP Corp Dev, EVP CRO-Research, SVP Gen Counsel, SVP Global Tax, Corporate Treasurer, Chief HR Officer, Chief Security Officer, CBPIO); Corporate Audit; Chief Risk Officer; CEO / Board / Audit Committee. Legend: Risk Event Owner, Risk Event, Corporate Audit, Direct Reporting Line, Risk Aggregation Line.]

Risk events by category:

Business and Strategic Risks: [B1] Customer/Contracts, [B2] Competition, [B3] Conflict of Interest, [B4] Emerging Technology, [B5] Political, [B6] Consumer Behavior, [B7] Business Continuity Plan, [B8] Disaster Recovery (owner: Chief Security Officer)

Financial Risks: [F1] Capital Access, [F2] Liquidity, [F3] Valuation, [F4] Credit Risk, [F5] Foreign Exchange, [F6] Interest Rate, [F7] Benefit Obligation, [F8] Inflation

Operational Risks: [O1] Alliance & Vendor Execution, [O2] Ethics & Integrity, [O3] Information Security, [O4] Process Integrity, [O5] Data Integrity, [O6] People, [O7] Performance & Rewards, [O8] Acquisitions / Divestitures, [O9] Internal Controls over Financial Reporting, [O10] Modeling

Regulatory & Compliance Risks: [R1] Compliance / FCPA, [R2] Intellectual Property, [R3] Tax, [R4] Privacy, [R5] Reporting

SAP GRC Risk Management Value Proposition

Reduce Costs
• Lower administrative cost for risk management through automation
• Preventive risk responses through Key Risk Indicators reduce probability of event and adverse impact
• Response cost tracking and efficient assessment of Net Impact of Response
• Time spent managing risks will be reduced in a sustainable way

Increase Visibility
• Improve visibility of Risk exposure across the organization
• Clear insight into risk and compliance activities across the enterprise and risk areas
• Accountability and actions are driven by transparent and timely reporting
• Enhance decision making and business performance with informed, risk based information

Streamline Risk Management
• End-to-end risk processes across the value chain
• Plan & agree on top risks and appetite across the organization
• Understand true exposure resulting from risk analysis and correlation
• Respond Intelligently by creating resolution strategies for critical risks
• Stay Informed by building proactive monitoring into existing processes

Manage Change
• Risk-adjusted management becomes a driver of business change
• Align and leverage risk and assurance objectives during times of changes
• Provides management with insights on Key risks and responses as the business executes its strategy
• Highlight trends and changes in risk level

SAP GRC Risk Management Value Proposition

Key areas to consider in assessing Risk Management effectiveness, mapped on the slide to SAP GRC RM coverage and the SAP GRC RM value proposition:

Key area: Risk Management is sponsored and driven by the Board, including establishing risk appetite and the policy framework for risk tolerance.
Value proposition: Risk Appetite and Risk Tolerances definition. Risk profile matrix definition across the organization.

Key area: A robust, relevant and meaningful risk assessment is conducted that crosses the enterprise and considers relevant categories of risk (e.g., strategic, operational, financial and compliance).
Value proposition: Central risk category classification & risk templates. Risk consolidation & interdependencies.

Key area: Risks are identified and linked to strategic priorities and business objectives.
Value proposition: Organization’s strategy & business objectives definition. Link risks to business objectives and prioritize based on business strategy.

Key area: A governance structure that supports oversight and execution of appropriate risk response activities is established and in place.
Value proposition: Document preventive and recovery responses for risks and create a centralized Risk Response Catalogue. Respond to certain risks or types of risks through the creation and/or assignment of controls from SAP GRC PC (automated tracking of response completeness & effectiveness).

Key area: Risk ownership is established and management accountability clearly identified.
Value proposition: Custom role definition and assignment of flexible workflows based on responsibilities. Guided interface for executing risk management tasks. Align accountability structures for managing risks.

Key area: Identified risk events are monitored on an ongoing basis.
Value proposition: Consistent risk monitoring model through a guided interface for managing Key Risk Indicators across the organization.

Key area: Scenario planning capability is developed and applied to help determine risk impacts and to evaluate impact of broader, strategic risks (emerging risks).
Value proposition: Link risks and simulate the outcome on impacts through the scenario management functionality (scenario analysis & Monte-Carlo simulation).

Key area: Sophistication of Risk Management process (introduction of a third dimension to risk measurement).
Value proposition: Possibility to take other risk criteria into account in the current Risk Assessment methodology: Risk Velocity (via the use of “Speed of Onset”).

SAP GRC Risk Management key implementation considerations

The slide plots SAP GRC RM components by implementation complexity level (Low, Medium, High) against the organization’s Risk Management maturity level (Level 3 Standardized, Level 4 Integrated, Level 5 Optimized).

Maturity level characteristics, from Level 3 Standardized through Level 4 Integrated to Level 5 Optimized:
• A risk framework with standardized qualitative and quantitative measures as well as categorization is applied to risks throughout the organization.
• Risk Management procedures are standardized in an enterprise-wide framework that is available across the organization. Information on risks is accumulated in a single repository.
• Major risks are identified and plans developed to contain risks.
• Risk identification is integrated into standard planning activities in each business unit.
• Each business unit monitors and documents the response plans and/or controls implemented within their own area of responsibility.
• Uniform processes are used to manage risk throughout the organization.
• Business unit and organization-wide risks are measured and consolidated across
• An integrated dashboard monitors risk management categories.
• Understanding of the organization’s risk profile helps drive strategic decision making.
• Effectiveness of controls across the organization is periodically tested and reported.
• Results of implementation of controls measured. There is a continuous integrated response to risks.
• The organization continuously conducts risk assessments; refines and applies best practices.
• Support Risk-Intelligent Strategy Management by leveraging a common methodology for managing the relationship between KPIs and KRIs.
• Risk information is continuously developed and actively used to improve all organization processes through a centralized Key Risk Indicator operating model.
• Organization strategic objectives detailed and measured in terms of operational impact and urgency.
• Interrelationship between risks via Influence Factors in order to evaluate and communicate potential risk exposure changes across the organization (scenario analysis).
• Lessons learned from prior risk management events are incorporated (Loss & Incident database).
• Automated conversion of Control Design Assessment and Control Effectiveness Testing results into Response Completeness and Response Effectiveness ratings.

SAP GRC RM components plotted on the slide:
• Objectives hierarchy
• Risk Classification hierarchy
• Organization hierarchy
• Risk Response: control (integration with SAP GRC PC)
• Inherent Risk Analysis
• Risk Response: plan
• Residual and Planned residual risk Analysis
• Activity Hierarchy
• Activity Hierarchy (integration with SAP GRC PC)
• Global and Local risk heat maps
• Risk Consolidation
• Risk Surveys/Assessments
• Loss & Incident database (Loss Matrix analysis)
• Risk correlation and Influence factors
• Scenario Management (standard and Monte-Carlo)
• Key Risk Indicator model and Business rule framework

Increase the organization’s ability to make more risk-intelligent decisions by developing a combined approach to strategy and risk (Integration with SAP Strategy Management).

Key Benefits of integrating SAP GRC Risk Management with SAP GRC Process Control

Most businesses will seek to respond to certain risks or types of risks (e.g. financial and operational processes) through the creation and assignment of controls. These controls have generally been defined in the organization’s internal control system or framework. It is possible to respond to / mitigate certain risks or types of risks (e.g. financial and operational processes) in SAP GRC Risk Management through the creation and/or assignment of existing internal controls defined in SAP GRC Process Control (business process and entity level controls).

By introducing controls already handled by PC into RM, organizations will be able to improve the efficiency of their governance, risk and compliance activities. Improved handling of risk responses by including internal controls should improve decision making and overall lower the cost of GRC activities.

Continuous measurement of residual risk in SAP GRC Risk Management is based on control design assessment and control effectiveness testing results in SAP GRC Process Control (automated conversion into risk response completeness and risk response effectiveness ratings in SAP GRC Risk Management).

By integrating the two solutions, Risk Managers will be able to use specific Key Risk Indicators (belonging to the “Control effectiveness indicators” KRI category) defined in SAP GRC Process Control. These indicators will be used as “Escalation Triggers” and will track the effective operation of controls that have been considered as “risk response” in SAP GRC Risk Management in order to mitigate some financial and operational risks.

The Activity hierarchy in SAP GRC Risk Management is used to define different types of business activities (business process, project, initiatives, etc.) that require risk management monitoring and action. It is possible to reuse the existing business process hierarchy from SAP GRC Process Control in order to classify the organization’s risk-bearing business activities in SAP GRC Risk Management.

By integrating the two solutions, you will be able to assign risks to specific business processes defined in SAP GRC Process Control without having to manually populate the Activity Hierarchy Master Data in SAP GRC Risk Management. Risk Reporting can be done at Activity Level (Overview of Risk exposure by Activity Category).

SAP GRC Risk Management Implementation Case Study Overview

Quick facts
• Industry: Electric Power Distribution / Heavy Construction
• SAP® solutions: SAP GRC Risk Management 3.0 & SAP GRC Process Control 3.0
• Implementation partner: PricewaterhouseCoopers

Current State
• Our client was managing risks in a fragmented environment (extensive manual efforts and inconsistent processes across the organization) and was looking for a solution to standardize the risk management process and streamline cross-enterprise risk identification, analysis and monitoring.
• Conducting Proof-of-Concept and deployment planning to roll out the SAP GRC Risk Management solution across all organisations.

Objectives
• Consolidate risks at higher levels of the organization (“global” Risk Heat map and Risk Profile) and incorporate risk management processes in strategic and operational decision making and planning.
• Implement Key Risk Indicators in order to provide early warning signals for Risk owners/managers.
• Design a proactive risk management system that will guide Risk Owners in assessing and rating risk level through a unified and automated approach.

Implementation Highlights
• Developed SAP GRC Risk Management configuration rationale & design document to gain agreement from stakeholders on the functionality to be implemented.
• Designed and configured complex business rules within the Business Rule Framework Workbench solution (BRFplus*) in order to appropriately shape the key risk indicator monitoring and analysis model in SAP GRC Risk Management.
• Conducted functional workshops to enable functional leads to gain insight into SAP GRC Risk Management key functionalities (including scenario & Monte-Carlo analysis, integration with SAP GRC Process Control to implement and monitor risk mitigation responses through control assignment, Incident Management, Key Risk Indicator management, etc.).
• Empowered project core team members throughout the project and provided specific learning to be incorporated into a full scale roll-out plan.

* BRFplus is the SAP NetWeaver rule engine, written in ABAP, that allows complex calculations and models to be built. It is delivered with SAP GRC Risk Management.

Why PricewaterhouseCoopers?

PwC designed the SAP GRC Risk Management Implementation Program to address the challenges facing organizations that are implementing Risk Management processes in SAP GRC Risk Management. A systematic approach with incremental steps will help ensure that a sustainable Risk Management program, in line with leading practices, is developed in SAP GRC Risk Management and adopted across your organization.

Our Accelerated SAP GRC Risk Management program (AccelerateRM) leverages PwC’s Transform and Global Risk Management methodologies and is tailored to SAP’s GlobalASAP implementation methodology.

Development of a wide range of intellectual property and accelerators to bring speed and experience to every SAP GRC Risk Management implementation project.

By leveraging knowledge and lessons learned across other SAP GRC projects, our unique Centre of Excellence team will assist you throughout the SAP GRC Risk Management implementation life cycle.

Proven SAP GRC Risk Management (version 3.0) implementation experience.

AccelerateRM program

The program runs in five phases (Assess, Design, Construct, Implement, Operate & Review), shown on the slide alongside the ASAP phases: 1 Project Preparation, 2 Business Blueprint, 3 Realisation, 4 Final Preparation, 5 Go Live & Support.

Assess
• Understand "As-Is" risk management model. Build prototype and develop business case.
• Define and validate project scope & team.
• Develop AccelerateRM program for implementation.

Design
• Design Risk Management specific processes and operating model to be implemented.
• Create Business blueprint to meet client’s requirements.
• Design Change Management approach and Communication Plan.

Construct
• Build and implement Risk Indicator framework.
• Build and implement Risk Correlation model.
• Build and implement business rules as risk responses.

Implement
• Perform readiness check and implement across selected organization and processes.
• Transition ownership to client.

Operate & Review
• Go-Live Support.
• Develop and execute plan to expand and optimize system functionalities.
• Provide continuous assistance in developing leading risk indicators.