The Role of Business Intelligence in Your Governance, Risk, and Compliance Programs

The Role of Business Intelligence in Your Governance, Risk

and Compliance Programs

Bruce McCuaig Director SAP GRC Solution Marketing

© 2012 SAP AG. All rights reserved. 1

Agenda

• GRC – History, Importance, Definition

• SAP Solutions for GRC

• Current State of the GRC Profession

• A Practical Approach to a GRC Discipline

• The Role of BI in GRC

• Wrap-up

SAP

Solutions for GRC

Current State of

GRC

A Practical Approach

Role of BI Wrap up Why GRC Is

Important


GRCHistory: Lessons from the Financial Crisis (OECD)

... the financial crisis can be to an important

extent attributed to failures and weaknesses in

corporate governance arrangements. When

they were put to a test, corporate governance

routines did not serve their purpose to

safeguard against excessive risk taking in a

number of financial services companies.

―


GRC History: From the OECD report

Information about exposures did not reach the board and even senior levels of

management.

Risk management was activity rather than enterprise-based.

Boards approved strategy but did not establish suitable metrics to monitor its

implementation.

Remuneration systems have not been closely related to the strategy and risk

appetite of the company and its longer term interests.


Decisions may be made based on unreliable or untimely information

Employees don’t understand how the strategy affects them, and how their

decisions impact others

It’s unclear who is accountable for ensuring execution of initiatives, projects,

and tasks

GRC Importance: Other reasons for corporate failures


There’s no link between budgeting and strategy

There’s no link between strategy and risks

o Risks are not addressed and managed, during strategy

definition, planning, execution, or monitoring

Incentive systems aren’t linked to strategy, individual goals are not aligned with

the company’s

Plus … there needs to be Executive Commitment and a culture that embraces

performance management

GRC Importance: Other reasons for corporate failures


Question: Isn’t There a Role for BI Somewhere Here?


GRC Defined

A capability that enables an organization to reliably achieve objectives while

addressing uncertainty and acting with integrity

Source: OCEG


understand and prioritize stakeholder expectations;

set business objectives that are congruent with values and risks;

achieve objectives while optimizing risk profile and protecting

value;

operate within legal, contractual, internal, social and ethical

boundaries;

provide relevant, reliable and timely information to appropriate

stakeholders; and

enable the measurement of the performance and effectiveness of

the system.”

GRC: “A system of people, processes and technology that

enables an organization to:

Source: OCEG


Agenda






• Wrap-up

SAP

Solutions for GRC

Current State of

GRC



Important


SAP solutions for GRC Manage, Protect, Perform

Optimize global

supply chain and

ensure compliance

Confidently manage

and reduce access

risk enterprise-wide

SAP

Access

Control

SAP

Process

Control

SAP Risk

Management

SAP Global

Trade

Services

Align enterprise

risks with business

value

Ensure effective

controls and

ongoing compliance


Key Competencies For Success

SAP solutions for GRC

SAP solutions for GRC

Manage

Monitor

Analyze Dashboards &

Visualization

Interactive

Analysis Exploration Reports

KRIs Controls Transactions Privileges Events

Risk Compliance Audit Policy Access Exception

GRC for LoBs

IT Supply Chain Sales and Marketing

Finance …

GRC for Industries

Ban

kin

g

Uti

liti

es

Mfg

Oil

& G

as

…

CP

G

Enterprise Applications

Legacy Apps

IT Infrastructure


SAP Process Control Ensure effective controls and ongoing compliance

Automate compliance and control

management

Continuously monitor control

effectiveness

Embed compliance and control

activities in business processes

http://www.istockphoto.com/icons.php


SAP Risk Management Align enterprise risks with business value

Protect the fundamental

business value drivers

Insight into the changing

levels of risk

Visibility into catastrophic

value destroying risks

http://www.istockphoto.com/icons.php


Agenda






• Wrap-up

SAP

Solutions for GRC

Current State of

GRC



Important


GRC Current State: Board Perspective

© OCEG. All rights reserved.

Current State


Gaps, overlaps, inconsistent language, different methodology, inconsistent or

no standards, wide reporting variations, no collaboration, no common goal,

no link to business performance, professional distrust…

GRC Current State: Professional Perspective

Operational

Risk Enterprise

Risk

Financial

Controls IT

Governance

Compliance

Audit

Current State


GRC: Evolving Infrastructure and Environment

Key Capabilities for GRC Success Exists

(Y/N)

Proven implementation strategies and mature oversight practices for Boards N

A community of professionals trained and certified in best practices N

Widely accepted standards are in place N

A consistent methodology exists, has been effectively communicated, and is

adhered to N

Service providers offer non-proprietary methods and tools N

Standard reporting formats exist (e.g., no analogy to balance sheet and P&L) N

An assurance process exists to certify results N

The infrastructure and environment required to support sustained,

value-adding GRC is growing slowly

Technology will not succeed in the absence of sound strategy and support

Current State


Closing the Gap – Comparing Risk Management

and Financial Management

Financial Management Risk Management

Financial accounting is supported and

driven by trained and certified financial

professionals around the world.

Risk management is an emerging

profession with ad hoc training at best.

Many risk management professional have

no relevant training. Many are financial

management professions.

Financial accounting is governed by

specific rules and principles (GAAP,

IFRS). Diversity in practices is limited.

There are few formal, widely accepted

frameworks guiding risk management.

Diversity in practices is enormous.

Financial statements and internal control

systems are audited

Risk disclosures and risk management

systems are unaudited

Financial management oversight provided

by audit committees with strong legal

mandate

Board oversight of risk is emerging and

legitimacy of Board role is established

Standard reports exist (e.g., Balance

sheet, P&L etc.)

No standards exist for what to report or

how to report. Practitioners are often

secretive.

Enabled by integrated mature technology

that supports content, methodology and

reporting. Financial management preceded

technology and shaped technology

solutions.

Enabled by technology in a vacuum of

content, methodology and reporting.

Technology precedes risk management and

can shape it’s standards and practices.

Steps to Align

Support and influence key standard

setters such as COSO, OCEG, NACD

and support research and best

practices through EIU and selected

partners

Provide sound, simple, logical

structure for ERM aimed at Boards and

C-Level Executives

Ensure ―transparency‖ of ERM through

reporting, analytics, self assessment,

surveys tools and mobility

Provide Boards and C-suite execs with

simple questions, standards, and

reports for their oversight role

Focus on value, then risk. Link ERM

reporting to business performance.

Integrate RM/PC/AC/EPM to support

Principled Performance® or objective-

based approach.

Current State

19

Integrating GRC – Aligning Three Perspectives

Three distinctly different views are integrated for fire prevention

Fires are inevitable but they can be extinguished if detected promptly. Install fire extinguishers.

Careless people cause fires. Persuading people to change behavior will prevent fires.

1. The Control

Perspective

2. The Risk

Perspective

2. The Compliance

Perspective

Document and test

controls. Identify

issues and correct

deficient controls

Develop policy,

communicate,

motivate and train

to manage risky

behavior

Fires occur when flammable material is exposed to a source of ignition Find and eliminate those causes. Avert fires

Find the risk drivers

for risk categories

and monitor key risk

indicators to avert

risk events

Current State


Integrated GRC – Shifting from Belief to Knowledge

Current State – Belief Based • Managed in silo’s

• Reactive

• Project or program approach

• Separate from mainstream processes and

decision-making

• Fragmented use of technology

Future State- Knowledge

Based • Enterprise approach

• Proactive

• Systemic approach

• Embedded within mainstream processes and

decision-making

• Architected solutions © OCEG. All rights reserved.


Agenda






• Wrap-up

SAP

Solutions for GRC

Current State of

GRC



Important


A Practical Approach to a GRC Discipline: Shift the Focus

of GRC to Value

Where is the fundamental value of the business?

• GRC solutions and practitioners must align on value drivers

What drives that value?

• GRC activities must create knowledge on how value is added/destroyed

What can destroy that value?

• GRC must create

knowledge on

how emerging

risks and

opportunities

impact value.


Example: Oil and Gas — Finding the Value

Where is the value of the Oil and Gas

business?

Inventories?

Refineries?

Pipelines?

Management expertise?

Service stations?

Oil and gas reserves?



Example: Oil and Gas — Finding the Value (cont.)

Personal Anecdote: Matching Value and ERM Resources in Oil

and Gas

• 90 % of ERM resources are spent on:

• Refineries

• Inventories

• Inventory accounting systems

• Inventory computer systems

• Crude and natural gas allocation systems

• In an integrated oil and gas company 90-98% of value is in proven

developed and undeveloped oil and gas reserves in the ground



What Processes/Activities Drive Value?

What processes drive value (reserves) in Oil and Gas?

Inventory management

Royalty management

Joint venture/partner management

Refinery maintenance

Finding and development Land acquisition

Exploration

Development

Reservoir management



Finding the Killer Risks

Where are the killer risks in Oil and Gas?

Commodity prices

Political

Pipeline explosions and spills

Refinery explosions and spills

Well blow outs



Example: Utilities — Finding the Value

Where is the value of an Electrical Utility?

Fixed Assets?

Human Resources?

Spare parts inventories?

Billing systems?

Environmental controls?

Reliability?



Example: Utilities — Finding the Value (cont.)

Personal Anecdote: Matching Value and ERM Resources in Electrical

Utilities

• 75-90% of ERM resources are spent on:

• Service parts inventories

• Spare parts inventories

• Procurement systems

• Billing systems

• Capital expenditures

• SOX

• Electrical Utilities are valued largely based on their reliable

generation, transmission and distribution of power




What processes drive value (reliability) in an

Electrical Utility?

Payables/inventory

Payroll

Financial reporting

Customer billing systems

Energy Supply

Energy Generation

Transmission/Distribution




Where are the killer risks in electrical

generation and transmission?

Commodity price volatility

Commodity supply

Energy availability

Extreme weather

Grid failure



Example: Health Care — Finding the Value

Where is the value of a Home Health Care

Provider?

Billing systems?

Skilled people?

Contracts with nursing agencies?

Medical record systems?

Client health outcomes?



Example: Health Care — Finding the Value (cont.)

Personal Anecdote: Matching Value and ERM Resources in Home

Health Care

• 90-95% of ERM/GRC resources are spent on:

• Vendor selection

• Invoice processing

• Invoice verification

• Time and service tracking

• Financial reporting

• Home health care agencies provide value based on their ability to

keep clients safe in their home.




What processes drive value (health outcomes)

in Home Health Care?

Claims management?

Facilities management?

Procurement/Payables?

Case management!

Vendor management!




What are the big risks in Home Health

Care?

Pandemic

Aging population

Obesity

Diabetes

Vendor performance



Example: Airlines — Finding the Value

Where is the value of an airline?

Reservation systems?

Route structure?

Aircraft fleet?

Landing rights?

Human resources?



Example: Airlines — Finding the Value (cont.)

One equity analyst prepared a

research report and made buy/sell

recommendations based entirely on

their HR practices

• Value was driven by customer

experience

• Customer experience was driven by

how they were treated

What % of ERM focus is on people

management?



Agenda






• Wrap-up

SAP

Solutions for GRC

Current State of

GRC



Important

38

The Role of BI in GRC - Examples

Three distinctly different views are integrated for fire prevention

Fires are inevitable but they can be extinguished if detected promptly. Install fire extinguishers.

Careless people cause fires. Persuading people to change behavior will prevent fires.

1. The Control

Perspective

2. The Risk

Perspective

2. The Compliance

Perspective

Document and test

controls. Identify

issues and correct

deficient controls

Develop policy,

communicate,

motivate and train

to manage risky

behavior

Fires occur when flammable material is exposed to a source of ignition Find and eliminate those causes. Avert fires

Find the risk drivers

for risk categories

and monitor key risk

indicators to avert

risk events


The Role of BI in GRC: Creating a Value Dashboard

Priority KPI’s

Ability of SAP to support this KPI

Mapping of KPI to Value Prop

Sources <source names>

ISO 31000

COSO 2010 Report on ERM

Priority SAP

Support

KPI’s Align Risk

Management With

Your Unique Value

Drivers

Create Reliable

Insight into How

Value is Created

and Destroyed

Act on Emerging

Risks And

Opportunities

% of value drivers identified ►

% of value adding or preserving

activities/processes identified ► ► ►

% of value driving activities with

complete risk assessments and

responses

► ►

Internal audit opinion on reliability of risk

management process ► ►

# of unanticipated risk events occurring ► ►

# of risks identified by management vs.

GRC professionals ► ►

% of risk, audit, compliance, financial

reporting professionals using RM for

planning, analysis, reporting etc.

►

►

Number of Key Risk Indicators, KRI’s per

Risk Driver ►

►

KRI’s within range, KRI alerts

outstanding ► ► ►

Percent of controls, policies etc. not

linked to risks ► ►


The Role of BI in GRC – Controls in Oil and Gas Finding

and Development Processes

1. Are budgets approved?

2. Is spending approved?

3. Are expenditures

over/under budget?

4. Are vendors approved?

5. Are contractors qualified?

6. Is reported production

accurate?

Budget and planning system

Capital expenditure system

Capital expenditure system

for AFE tracking

Approved vendor list

Public safety records

Comparison to production

history/planned profile

What Information is Required Possible sources


The Role of BI in GRC – Controls in Oil and Gas Finding

and Development Processes

7. Are wells classified

properly?

8. Are reserves booked

properly?

9. Are F&D costs calculated

properly?

10. Is seismic and other key

data secure?

11. Is land position secure and

valid?

Analysis of well location to reserves locations

Comparison of well classification to reserves

Analysis of well costs to reserves booked

Analysis of access logs/ unauthorized access attempts/incidents

Comparison of land to public records

What Information is Required Possible sources


The Role of BI in Control Documentation and

Testing

Question: Can BI reduce the cost of

controls in GRC by aligning them

business performance?

– is knowledge of business performance

evidence of control effectiveness?


The Role of BI – Client Safety Risks in Home

Health Care

1. Are service providers meeting SLA?

2. Are clients receiving care at home?

3. Are clients safe?

4. Are hospitals discharging on time?

5. Is case management equitable?

6. Are priority clients served

7. What are the risk drivers

Complaints - missed nursing visits - caregiver certification

Hospital emergency admissions for clients/non-clients

Reported safety issues/incidents

Rates of non-essential hospitalization (ALC rates)

Benchmark against other home health care providers

Track % of high need 75+ age

Resources allocated by category – diabetes, dementia, obesity

What Information is Required Possible Sources


The Role of BI in GRC Risk Management

Question: Can BI drive improved

performance through better risk

management?

– can predictive indicators avert or avoid risk

and drive down incidents and loss events?


The Role of BI: Assessing Human Behavior Driving

Airlines Customer Experience

April 2007


The Role of BI: Driving Airline Value With Human Behavior

• % of employee shareholders

• Key employee departures

• Applications received for advertised position

• % of HR staff to total staff

• Average employee age

• Average education level

• % of profit sharing to total comp

• Frequency of performance reviews

• Extent, duration of employee assistance

• Average training days/year

• % training budget on front line staff

• Absenteeism rates

• # and duration of labor disruptions

• Revenue per employee

• Overall employee turnover

• % of social liabilities unfunded

• Customer satisfaction surveys

• % HR representation on

management committees


The Role of BI in Human Capital Management

Question: Can BI help align human

capital with corporate value drivers?

– Can BI help measure and improve

aggregate human performance?


Agenda






• Wrap-up

SAP

Solutions for GRC

Current State of

GRC



Important


Wrap Up: The Role of BI in GRC

GRC practices have failed to routinely detect or prevent catastrophic losses,

corporate failures

GRC practices today largely ignore business performance as a variable

Todays GRC practices are fragmented, silo’ d and inefficient

BI has the potential to transform GRC practices by

Creating dashboards to map GRC activities to value

Reduce the reliance on controls in favor of knowledge of performance

Increase performance by monitoring, predicting and driving down risk events

Aligning human behavior with value creation

Thank You!

Contact information:

Bruce McCuaig

Director, Solution Marketing, Governance Risk and Compliance

[email protected]

+1 647 823 8490


No part of this publication may be reproduced or transmitted in any form or for any

purpose without the express permission of SAP AG. The information contained

herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain

proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of

Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5,

System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries,

zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390

Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6,

POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,

BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF,

Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere,

Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM

Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other

countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or

registered trademarks of Adobe Systems Incorporated in the United States and/or

other countries.

Oracle and Java are registered trademarks of Oracle.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and

MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®,

World Wide Web Consortium, Massachusetts Institute of Technology.

© 2012 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects

Explorer, StreamWork, SAP HANA, and other SAP products and services

mentioned herein as well as their respective logos are trademarks or registered

trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal

Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business

Objects products and services mentioned herein as well as their respective logos

are trademarks or registered trademarks of Business Objects Software Ltd.

Business Objects is an

SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other

Sybase products and services mentioned herein as well as their respective logos

are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP

company.

All other product and service names mentioned are the trademarks of their

respective companies. Data contained in this document serves informational

purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document

may be reproduced, copied, or transmitted in any form or for any purpose without

the express prior written permission of SAP AG.

Documents

The Role of Business Intelligence in Your Governance, Risk, and Compliance Programs