GRC Applications supporting compliance needs in the financial services industry

Gero Mäder and Josef Schlenkrich, SAP AG

© 2013 SAP AG. All rights reserved. 2

Legal Disclaimer

This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice.

This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.

What our customers and the marketplace are saying: Increasing regulations and risks challenge growth

Regulations and standards cited on the slide:

- Multilateral Instrument 52-111
- Toxic Substances Management
- ITAR (International Traffic in Arms Regulations), 22 CFR 120-130
- FCPA (Foreign Corrupt Practices Act)
- FDA compliance, GxP, 21 CFR
- International Emergency Economic Powers Act (S. 1612)
- Sarbanes-Oxley
- Data Privacy Laws: CA-SB 1386, HIPAA, Gramm-Leach-Bliley Act, COPPA
- Switzerland: Corp. Governance SWX; Code of Obligations
- EU: Foreign Trade Administration Act
- EU Company Law Directives 4, 7, and 8
- EU: REACH (Registration, Evaluation, and Authorization of Chemicals)
- UK Anti-Bribery Act
- European Data Protection Directive
- Foreign Exchange Order
- JSOX
- Hong Kong: Code on Corporate Governance Practices
- PNEMEN (National Policy of Exports of Military Goods)
- King II Report
- Clause 49 of the Listing Agreement
- Regulation 13E of the Customs (Prohibited Exports) Regulations
- Corporate Law Economic Reform Program (CLERP) 9
- Hazardous Waste Act
- Air Toxics NEPM
- F.E.R.C. / N.E.R.C.

Why governance, risk, and compliance solutions from SAP: Proactively balance risk and opportunity

Manage better | Protect value | Optimize performance

- Automate manual tasks
- Employ best practices
- Unify the platform
- Automate monitoring
- Report and analyze
- Leverage predefined content
- Provide timely information to decision makers
- Gain business process insights
- Link to value drivers

SAP solutions for governance, risk, and compliance: Manage, protect, and perform

- SAP Access Control: Manage access risk and prevent fraud
- SAP Process Control: Ensure effective controls and ongoing compliance
- SAP Risk Management: Preserve and grow value
- SAP Global Trade Services: Optimize global trade and screen restricted parties
- SAP Nota Fiscal Eletrônica: Meet electronic invoicing requirements for Brazil
- Audit Management: Drive a unified audit management function
- SAP Fraud Management: Achieve effective fraud management

Mobile applications:

- SAP GRC Access Approver (mobile)
- SAP GRC Policy Survey (mobile)
- SAP Sanctioned-Party List (mobile)

SAP Access Control: Manage access risk and prevent fraud

- Monitor emergency access and transaction usage
- Certify access assignments are still warranted
- Define and maintain roles in business terms
- Automate access assignments across SAP and non-SAP systems
- Find and remediate SoD and critical access violations

[Diagram residue: SAP_ALL, Legacy]

Investments into new UI (FIORI)


SAP Risk Management: Preserve and grow value

- Monitor thresholds, effectiveness of risk responses, and corrective actions
- Respond to risk after balancing costs and benefits
- Analyze risk via scenarios, modeling, and other factors to understand exposure
- Link risks, risk drivers, risk indicators, impacts and responses
- Plan risk management within the context of value to the organization

Operational Risk Management (ORM) for Banking and Financial Institutions – how does it fit together?

Slide columns: Risk Mitigation | Differentiators | SAP Solution

- Define the context within which business risks are to be managed
- Identify and assess the impact of risk events
- Prioritize the risks to be addressed and create risk responses
- Monitor risk, risk responses, issue resolution on a continuous basis
- Provide extensive reporting and analytics for qualitative and quantitative measurements

- Continuously monitor key risk indicators across end-to-end business processes
- In-depth, automated risk mitigation and prevention capabilities integrated with business systems

ORM building blocks shown on the slide:

- Data/Org. Structures Management
- Issue Management
- Risk Assessment – R.C.S.A.s
- Risk Monitoring/Key Risk Indicators
- Compliance/Controls Management
- Policy Management
- Loss Event Management
- Access Risk
- Scenario Analysis/Risk Engine (AMA)
- Risk Reporting and Analytics

SAP Process Control: Ensure effective internal controls and on-going compliance

- Support decisions and promote accountability with insightful analytics and sign-off
- Perform automated, exception-based monitoring of ERP systems
- Evaluate control design and effectiveness; raise and remediate issues
- Perform periodic risk assessments to determine scope and test strategies
- Document controls and policies centrally; map to key regulations and impacted organizations

SAP Process Control: Continuous Control Monitoring with SAP HANA

[Architecture diagram residue] Components shown on the slide:

- Business Data: ERP, CRM data, Legacy
- Continuous Control Monitoring: Business Rule, Control Monitoring, Common Connector Interface (CCI), Ad Hoc Query, Job Runtime, Exception
- HANA: Calculation Views, Column Tables, Stored Procedures, Exception, Business Rule

Further Roadmap for GRC Applications

- Social GRC, Big Data and Cloud as new topics in the GRC space
- Further investments into core applications
- New solutions will extend the core
- End user focus for new developments (FIORI)
- Constant shipments in shorter cycles

How to influence GRC's product development: http://service.sap.com/influence

Source: GUGO, Marketing

What about GRC and HANA?

1. GRC on HANA as the DB
2. GRC using HANA
3. New GRC Applications on HANA (Audit Management, Fraud Management)

Use Case 1: High-Volume, Cross-System Monitoring with SAP HANA

Q: How can we use SAP Process Control to identify duplicate invoices across multiple SAP instances running accounts payable?

Q: How can we use SAP Process Control to ensure end-to-end processes are consistent across multiple SAP and non-SAP systems?

Q: How can we use SAP Process Control to search across huge data volumes for suspect or irregular transactions?

Q: How can we use SAP Process Control to provide flexible query options to access "difficult data types," like clustered and pooled tables?

A: Enhancements using SAP HANA will provide the answer for high-volume, cross-system, automated control monitoring.

Use Case 2: High-Volume, Cross-System Monitoring of Key Risk Indicators with SAP HANA

Q: Can I process tens of millions of data records to derive KRIs?

Q: How do I make use of information across different systems to derive KRI alerts?

Q: Can I stay in my existing KRI environment without a new tool?

A: Risk Management is able to derive KRI information from HANA-based systems as well, processing millions of records in a short time.

Use Case 3: Managing HANA-based infrastructure access in a compliant manner with Access Control

Q: How can I manage HANA-based systems?

Q: There is a different authorization model than in ERP; how should this be handled?

Q: How can I use the same principle for data access protection if there is nothing like "PFCG" or "SU01" in HANA-DB?

A: Access Control has been enhanced to provision users and roles to HANA systems as well and to include those authorizations in SoD analysis.

Use Case 4: Utilize HANA for new insights via GRC Analytics

SAP HANA-Based Analytics, HTML5-Based Applications

SAP HANA Analytics Foundation also serves as the foundation for a new class of analytic applications, such as SAP Access Control Role Analytics.

SAP Audit Management Product Description

SAP Audit Management unlocks enterprise information for Internal Audit departments and supports audit experts in their day-to-day activities with an easy-to-use, collaborative, and risk-based approach to an audit solution leveraging cloud and mobile technologies. It will be designed by and developed for audit practitioners across the world.

• The easy-to-use UI, which will significantly improve the auditors' efficiency
• Intelligent system & search that provides active suggestions based on historic audit information
• Mobile scenarios which allow the auditors to focus on analyzing the data, rather than collecting the information
• Strong analysis capability and continuous auditing powered by HANA

Audit Management: Driving a unified audit management function

- Planning and conducting
- Conducting and reporting on the audit
- Findings and corrective actions
- Follow through with analysis

[Screenshot residue: mock-up of "HPA Audit powered by SAP HANA" (user: Mark Wilson). Navigation: UNIVERSE, CALENDAR, HOME, COMMUNITY, CAPACITY; side tabs: FAVORITES, EMPLOYEES, POLICIES, HELP. The UNIVERSE view lists "All Open Risks (16)" on a Risk Exposure vs. Relevance grid (Very Low, Low, Medium, High), with HOT TOPICS (Supplier US, Russia, Compliance, Suspect Inc., EMEA, Partner, Strategy, Purchase to Pay, IFRS) and a HISTORY feed ("Pete Jones created a new risk Supplier selection process US", 2d; "System created an alert for Suspect Inc.", 1d).]

[Screenshot residue: audit "Supplier selection process US" (Planned Date: 03/31/2013 – 01/04/2013, Status: Planned). Tabs: PREPARATION, FIELD WORK, FINDINGS, REPORT; sub-tabs: OVERVIEW, PLANNING, STAKEHOLDER, WORK PROGRAM; sections: GENERAL INFORMATION, HISTORY, AUDIT TEAM, LOCATION, SCOPE, SUGGESTED SCOPE, SUGGESTED TEAM MEMBERS. Audit team: Mark Wilson (Audit Manager), Tracey Fox (Audit Lead), John McClain (Auditor); suggested team member: Amy Craig (Auditor).]

Scope: Review the current supplier selection process in North America and how orders are approved (e.g. Suspect Inc.).

Suggested scope: Supplier selection in NA ("…Unclear how supplier Suspect Inc. was determined…"); Code of Conduct (Employees) ("…adhere to Code of Conduct when working with Suppliers…").

Work program:

# | Scope | Objective | Work Package | Approved
1 | Supplier Selection | Review of supplier selection process | Collect information on current supplier selection process, interview Unit Head. |
2 | Supplier Selection | Identify top suppliers for the region | Identify top suppliers for the region using transaction MC$4; take postings into consideration that don't go through invoice verification (FB60). |
3 | Approval Process | Review of approval process | Identify approvers and review the current approval process (collecting Process Description). |

Influence of technological Innovations for Risk & Compliance Management

Josef Schlenkrich, SAP, Solution Manager GRC and Fraud Management

Innovations and Innovators

FRAUDSTERS

Fraud Management: Use Cases

"… Regulators and supervisors have put pressure on financial institutions to integrate their anti-fraud and AML/Compliance programs and investigative teams. They see the integration of the functions as an important way to improve financial crime prevention in general." (Anti-Money Laundering Solutions; Chartis 2013)

Use case areas shown on the slide (axes: Legal COMPLIANCE / Operational COMPLIANCE):

- Anti-Money Laundering + CTF: 3rd AML Directive, § 25 GWG, FATF
- Op. Compliance & Efficiency: Avoid redundant invoices, Master Data Governance, Saving potential/profit
- Internal Fraud: Insider trading, LIBOR manipulation, (Procurement)
- External Fraud: Online banking phishing, Payment fraud, Credit fraud, Identity theft

SAP Fraud Management

SAP Approach – From Detection to Prevention

Components shown on the slide: Fraud Detection, Fraud Investigation, Sanctions Lists, Terrorism Lists, Money Laundering, flexible and easy analyses & methods; In-Memory; Inhouse Development, 3rd Party Solutions, SAP Applications, SAP HANA.

Real-Time and Near-Time Analysis:

• Losses could be reduced and avoided
• Criminal activities could be detected faster
• New patterns could be detected and analysed more effectively

Supporting a new Paradigm:

- Fast in-memory Data Management
- Open and flexible Data Model with bidirectional Communication
- 1 System for all Use Cases

Real-time Simulation and Calibration of Typologies

Data volume: 10 Mio. customers, 20 Mio. accounts, 1 Bn. transactions

- Standard solution: based on sample data, 3 h
- SAP: higher accuracy, 10 sec

Outlook

[Roadmap diagram residue] Labels shown on the slide:

- Today: Fraud Management (Platform: HANA); GRC Banking
- Q4, 2013: Int./ext. Fraud, AML & CTF, Operational Compliance; Financial Crime Risk Management (Platform: HANA)
- Quarterly releases; chance to influence development!; options for configuring content
- GRC Banking & Financial Crime Risk Management (Platform: HANA) = Access Control + Process Control + Op. Risk + Fraud Management + Audit Management* (*2014)
- Audit phases: PLAN, PREP, EXEC, REP., F.-UP

Thanks a lot!

Gero Mäder, Product Management GRC
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
E-mail: [email protected]

Josef Schlenkrich, Solution Owner GRC & Fraud Management
Dietmar-Hopp-Allee 16, 69190 Walldorf, Germany
E-mail: [email protected]