GRC Applications supporting compliance needs in the financial services industry
Gero Mäder and Josef Schlenkrich
SAP AG
© 2013 SAP AG. All rights reserved. 2
Legal Disclaimer
This presentation is not subject to your license
agreement or any other agreement with SAP.
SAP has no obligation to pursue any course of
business outlined in this presentation or to
develop or release any functionality mentioned in
this presentation. This presentation and SAP's
strategy and possible future developments are
subject to change and may be changed by SAP at
any time for any reason without notice.
This document is provided without a warranty of
any kind, either express or implied, including but
not limited to, the implied warranties of
merchantability, fitness for a particular purpose,
or non-infringement.
SAP assumes no responsibility for errors or
omissions in this document, except if such
damages were caused by SAP intentionally or
grossly negligent.
What our customers and the marketplace are saying: increasing regulations and risks challenge growth

(Slide: world map of regulations by region; the labels that survive extraction are listed here.)
• Multilateral Instrument 52-111
• Toxic Substances Management
• ITAR (International Traffic in Arms Regulations, 22 CFR 120-130)
• FCPA (Foreign Corrupt Practices Act)
• FDA compliance: GxP, 21 CFR
• International Emergency Economic Powers Act (S. 1612)
• Sarbanes-Oxley
• Data privacy laws: CA-SB 1386, HIPAA
• Gramm-Leach-Bliley Act, COPPA
• F.E.R.C. / N.E.R.C.
• Switzerland: Corporate Governance (SWX), Code of Obligations
• EU: Foreign Trade Administration Act
• EU Company Law Directives 4, 7, and 8
• EU: REACH (Registration, Evaluation, and Authorization of Chemicals)
• UK Anti-Bribery Act
• European Data Protection Directive
• Foreign Exchange Order
• JSOX
• Hong Kong: Code on Corporate Governance Practices
• PNEMEN (National Policy of Exports of Military Goods)
• King II Report
• Clause 49 of the Listing Agreement
• Regulation 13E of the Customs (Prohibited Exports) Regulations
• Corporate Law Economic Reform Program (CLERP) 9
• Hazardous Waste Act
• Air Toxics NEPM
Why governance, risk, and compliance solutions from SAP: proactively balance risk and opportunity

MANAGE BETTER
• Automate manual tasks
• Employ best practices
• Unify the platform

PROTECT VALUE
• Automate monitoring
• Report and analyze
• Leverage predefined content

OPTIMIZE PERFORMANCE
• Provide timely information to decision makers
• Gain business process insights
• Link to value drivers
SAP solutions for governance, risk, and compliance: manage, protect, and perform

• SAP Access Control: manage access risk and prevent fraud
• SAP Process Control: ensure effective controls and ongoing compliance
• SAP Risk Management: preserve and grow value
• SAP Global Trade Services: optimize global trade and screen restricted parties
• SAP Nota Fiscal Eletrónica: meet electronic invoicing requirements for Brazil
• Audit Management: drive a unified audit management function
• SAP Fraud Management: achieve effective fraud management
• Mobile: SAP GRC Access Approver, SAP GRC Policy Survey, SAP Sanctioned-Party List
SAP Access Control: manage access risk and prevent fraud

• Find and remediate SoD and critical access violations
• Automate access assignments across SAP and non-SAP systems
• Define and maintain roles in business terms
• Certify access assignments are still warranted
• Monitor emergency access and transaction usage
(Figure: system icons labelled SAP_ALL and Legacy.)
SAP Risk Management: preserve and grow value

• Plan risk management within the context of value to the organization
• Link risks, risk drivers, risk indicators, impacts and responses
• Analyze risk via scenarios, modeling, and other factors to understand exposure
• Respond to risk after balancing costs and benefits
• Monitor thresholds, effectiveness of risk responses, and corrective actions
Operational Risk Management (ORM) for Banking and Financial Institutions: how does it fit together?

SAP solution:
• Define the context within which business risks are to be managed
• Identify and assess the impact of risk events
• Prioritize the risks to be addressed and create risk responses
• Monitor risk, risk responses, issue resolution on a continuous basis
• Provide extensive reporting and analytics for qualitative and quantitative measurements

Differentiators:
• Continuously monitor key risk indicators across end-to-end business processes
• In-depth, automated risk mitigation and prevention capabilities integrated with business systems

(Figure: ORM component map, labelled "Risk Mitigation".) Components: Data/Org. Structures Management; Issue Management; Risk Assessment (R.C.S.A.s, risk and control self-assessments); Risk Monitoring / Key Risk Indicators; Compliance/Controls Management; Policy Management; Loss Event Management; Access Risk; Scenario Analysis / Risk Engine (AMA, advanced measurement approach); Risk Reporting and Analytics.
SAP Process Control: ensure effective internal controls and on-going compliance

• Document controls and policies centrally; map to key regulations and impacted organizations
• Perform periodic risk assessments to determine scope and test strategies
• Evaluate control design and effectiveness; raise and remediate issues
• Perform automated, exception-based monitoring of ERP systems
• Support decisions and promote accountability with insightful analytics and sign-off
SAP Process Control: Continuous Control Monitoring with SAP HANA

(Architecture figure; recoverable labels.) Continuous Control Monitoring layer: Business Rule, Control Monitoring, Job Runtime, Ad Hoc Query, Exception. Common Connector Interface (CCI). HANA layer: Calculation Views, Column Tables, Stored Procedures, Exception, Business Rule. Business Data: ERP, CRM data, Legacy.
Further roadmap for GRC applications

• Social GRC, Big Data and Cloud as new topics in the GRC space
• Further investments into core applications
• New solutions will extend the core
• End user focus for new developments (FIORI)
• Constant shipments in shorter cycles
How to influence GRC's product development: http://service.sap.com/influence
Source: GUGO, Marketing

What about GRC and HANA?
1. GRC on HANA as the DB
2. GRC using HANA
3. New GRC Applications on HANA (Audit Management, Fraud Management)
Use Case 1: High-volume, cross-system monitoring with SAP HANA

Q: How can we use SAP Process Control to identify duplicate invoices across multiple SAP instances running accounts payable?
Q: How can we use SAP Process Control to ensure end-to-end processes are consistent across multiple SAP and non-SAP systems?
Q: How can we use SAP Process Control to search across huge data volumes for suspect or irregular transactions?
Q: How can we use SAP Process Control to provide flexible query options to access “difficult data types,” like clustered and pooled tables?
A: Enhancements using SAP HANA will provide the answer for high-volume, cross-system, automated control monitoring.
Use Case 2: High-volume, cross-system monitoring of key risk indicators with SAP HANA

Q: Can I process tens of millions of data records to derive KRIs?
Q: How do I make use of information across different systems to derive KRI alerts?
Q: Can I stay in my existing KRI environment without a new tool?
A: Risk Management can derive KRI information from HANA-based systems as well, processing millions of records in a short time.
Use Case 3: Managing HANA-based infrastructure access in a compliant manner with Access Control

Q: How can I manage HANA-based systems?
Q: HANA has a different authorization model than ERP; how should it be treated?
Q: How can I apply the same principle for data access protection when there is nothing like “PFCG” or “SU01” in the HANA DB?
A: Access Control has been enhanced to provision users and roles to HANA systems as well, and to include those authorizations in SoD analysis.
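The cross-system SoD analysis that the Access Control slide and this use case describe, as an added Python example (it is not SAP Access Control's rule set or engine): ERP transaction codes and HANA privileges are flattened onto one (system, permission) model so that a single rule fires whether both halves of a conflict sit in one system or are split across ERP and HANA. Role names, user names, rule IDs and the function-to-permission mapping are constructed assumptions; SU01, PFCG, FB60, MC$4 and SAP_ALL are named on this page, while XK01 and the HANA privilege names are real SAP objects chosen here for illustration.

```python
"""Cross-system SoD and critical-access analysis (added example; not SAP
Access Control's rule set).

An ERP system whose authorizations are transaction codes and a HANA database
whose authorizations are system privileges are flattened onto one permission
model, so one SoD rule covers both.  Role names, rule IDs, users and the
function-to-permission mapping are constructed for this example.
"""

# A permission is (system, name): a transaction code, an authorization
# profile, or a HANA privilege.  A business function is granted by any of the
# listed permissions in any connected system.
FUNCTIONS = {
    "CREATE_VENDOR":       {("ERP", "XK01")},
    "POST_VENDOR_INVOICE": {("ERP", "FB60")},
    "ADMIN_USERS":         {("ERP", "SU01"), ("HANA", "USER ADMIN")},
    "ADMIN_ROLES":         {("ERP", "PFCG"), ("HANA", "ROLE ADMIN")},
}

# SoD rules: two functions one person must not hold together.
SOD_RULES = {
    "P001": ("CREATE_VENDOR", "POST_VENDOR_INVOICE"),  # create a vendor, then pay it
    "B001": ("ADMIN_USERS", "ADMIN_ROLES"),            # grant yourself any access
}

# Critical access: a single permission that is a finding on its own.
# SAP_ALL is modelled as one permission here; in a real ERP it implies every
# function, which is why it is reserved for logged emergency access.
CRITICAL = {
    ("ERP", "SAP_ALL"): "C001",
    ("HANA", "DATA ADMIN"): "C002",
}

ROLES = {
    ("ERP", "Z_AP_CLERK"):       {("ERP", "FB60"), ("ERP", "MC$4")},
    ("ERP", "Z_VENDOR_MASTER"):  {("ERP", "XK01")},
    ("ERP", "Z_ROLE_ADMIN"):     {("ERP", "PFCG")},
    ("ERP", "Z_FIREFIGHTER"):    {("ERP", "SAP_ALL")},
    ("HANA", "FIN_REPORTING"):   {("HANA", "SELECT ON SCHEMA FIN")},
    ("HANA", "HANA_USER_ADMIN"): {("HANA", "USER ADMIN")},
    ("HANA", "HANA_SECURITY"):   {("HANA", "USER ADMIN"), ("HANA", "ROLE ADMIN")},
}

# Constructed user-to-role assignments across both systems.
USERS = {
    "jdoe":   {("ERP", "Z_AP_CLERK"), ("ERP", "Z_VENDOR_MASTER")},   # P001 inside ERP
    "asmith": {("ERP", "Z_AP_CLERK"), ("HANA", "FIN_REPORTING")},    # clean
    "bops":   {("ERP", "Z_ROLE_ADMIN"), ("HANA", "HANA_USER_ADMIN")}, # B001 split across systems
    "cdba":   {("HANA", "HANA_SECURITY")},                           # B001 inside HANA
    "ffid":   {("ERP", "Z_FIREFIGHTER")},                            # critical access
}


def effective_permissions(user):
    """Union of every permission granted by every role in every system."""
    perms = set()
    for role in USERS[user]:
        perms |= ROLES[role]
    return perms


def enabled_functions(perms):
    """Map each business function to the permissions that actually grant it."""
    return {fn: grants & perms for fn, grants in FUNCTIONS.items() if grants & perms}


def analyze(user):
    """SoD and critical-access findings for one user, each with the granting
    (system, permission) pairs as evidence and the systems involved."""
    perms = effective_permissions(user)
    fns = enabled_functions(perms)
    findings = []
    for rule_id, (f1, f2) in SOD_RULES.items():
        if f1 in fns and f2 in fns:
            evidence = sorted(fns[f1] | fns[f2])
            findings.append({"user": user, "rule": rule_id, "type": "SoD",
                             "systems": sorted({s for s, _ in evidence}),
                             "evidence": evidence})
    for perm, rule_id in CRITICAL.items():
        if perm in perms:
            findings.append({"user": user, "rule": rule_id, "type": "critical",
                             "systems": [perm[0]], "evidence": [perm]})
    return findings


def analyze_all():
    """Findings for every user, keyed by user ID."""
    return {user: analyze(user) for user in USERS}


if __name__ == "__main__":
    for user, findings in analyze_all().items():
        for f in findings:
            print(user, f["rule"], f["type"], f["systems"], f["evidence"])
```

The user "bops" is the case a per-system check misses: role administration in ERP plus user administration in HANA is the same conflict as SU01 plus PFCG in one system, and it only appears once HANA privileges are pulled into the same analysis as ERP authorizations.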
SAP HANA-based analytics, HTML5-based applications
SAP HANA Analytics Foundation also serves as the foundation for a new class of analytic applications, such as SAP Access Control Role Analytics.
SAP Audit Management: product description
SAP Audit Management unlocks enterprise information for internal audit departments and supports audit experts in their day-to-day activities with an easy-to-use, collaborative, and risk-based approach to auditing that leverages cloud and mobile technologies. It will be designed by and developed for audit practitioners across the world.
• An easy-to-use UI which will significantly improve the auditors' efficiency
• Intelligent system and search that provide active suggestions based on historic audit information
• Mobile scenarios which allow the auditors to focus on analyzing the data, rather than collecting the information
• Strong analysis capability and continuous auditing powered by HANA
Audit Management: driving a unified audit management function
• Planning and conducting
• Conducting and reporting on the audit
• Findings and corrective actions
• Follow through with analysis
(Screenshots of the Audit Management UI, "HPA Audit powered by SAP HANA", logged in as Mark Wilson. Side menu: FAVORITES, EMPLOYEES, POLICIES, HELP. Top tabs: UNIVERSE, CALENDAR, HOME, COMMUNITY, CAPACITY.)

Screen 1, UNIVERSE: All Open Risks (16), with search and filter, plotted by risk exposure against relevance (Very Low / Low / Medium / High):
2013-23 Supplier selection process US
2013-02 Intellectual property Russia
2013-03 Hiring of external employees France
2012-56 Policy documentation process HQ
2013-12 Business Plan for Sales Department
2013-11 Mid-term acquisition strategy
2013-01 Partner enablement in Russia
2013-15 Order to Cash in the Middle-East
2013-18 Hire to retire in EMEA
2012-30 IFRS Compliance (HQ)
2011-04 Supplier selection in NA
2012-24 SOX Compliance in the US
2013-19 Purchase to Pay Corporate Finance
2013-34 Code of Conduct (Employees)
2013-35 Code of Conduct (Managers)
2012-45 Vendor selection in Spain
HOT TOPICS: Supplier US, Russia, Compliance, Suspect Inc., EMEA, Partner, Strategy, Purchase to Pay, IFRS
HISTORY: Pete Jones created a new risk "Supplier selection process US" (2d); System created an alert for Suspect Inc. (1d)

Screen 2, audit "Supplier selection process US" (tabs: PREPARATION, FIELD WORK, REPORT, FINDINGS, CALENDAR; sections: GENERAL INFORMATION, PLANNING, STAKEHOLDER, WORK PROGRAM, OVERVIEW, HISTORY, AUDIT TEAM, LOCATION; buttons: Cancel, Save):
Planned Date: 03/31/2013 – 01/04/2013
Status: Planned
AUDIT TEAM: Mark Wilson (Audit Manager), Tracey Fox (Audit Lead), John McClain (Auditor)
SUGGESTED TEAM MEMBERS: Amy Craig (Auditor)
SCOPE: Review the current supplier selection process in North America and how orders are approved (e.g. Suspect Inc.).
SUGGESTED SCOPE: Supplier selection in NA ("…Unclear how supplier Suspect Inc. was determined…"); Code of Conduct (Employees) ("…adhere to Code of Conduct when working with Suppliers…")
HISTORY: Pete Jones created a new risk "Supplier selection process US" (2d); System created an alert for Suspect Inc. (1d)

Work program:
# | Scope | Objective | Work Package | Approved
1 | Supplier Selection | Review of supplier selection process | Collect information on current supplier selection process, interview Unit Head. |
2 | Supplier Selection | Identify top suppliers for the region | Identify top suppliers for the region using transaction MC$4; take into consideration postings that don't go through invoice verification (FB60). |
3 | Approval Process | Review of approval process | Identify approvers and review the current approval process (collecting Process Description). |
Influence of technological innovations for Risk & Compliance Management
Josef Schlenkrich, SAP, Solution Manager GRC and Fraud Management
Fraud Management: use cases

“… Regulators and supervisors have put pressure on financial institutions to integrate their anti-fraud and AML/Compliance programs and investigative teams. They see the integration of the functions as an important way to improve financial crime prevention in general.” (Anti-Money Laundering Solutions; Chartis 2013)

(Figure: fraud use cases plotted between legal COMPLIANCE and operational COMPLIANCE.)
• Anti-Money Laundering + CTF: 3rd AML Directive, § 25 GWG, FATF
• Op. compliance & efficiency: avoid redundant invoices, master data governance, savings potential/profit
• Internal fraud: insider trading, LIBOR manipulation, (procurement)
• External fraud: online banking, phishing, payment fraud, credit fraud, identity theft
SAP Fraud Management: SAP's approach, from detection to prevention

Capabilities: fraud detection, fraud investigation, sanctions lists, terrorism lists, money laundering; flexible, easy analyses and methods.
Sources feeding SAP HANA (in-memory): in-house development, 3rd-party solutions, SAP applications.

Real-time and near-time analysis:
• Losses could be reduced and avoided
• Criminal activities could be detected faster
• New patterns could be detected and analysed more effectively

Supporting a new paradigm:
• Fast in-memory data management
• Open and flexible data model with bidirectional communication
• One system for all use cases
Real-time simulation and calibration of typologies

Data volume: 10 Mio. customers, 20 Mio. accounts, 1 Bn. transactions
• Standard solution: calibration based on sample data, 3 h
• SAP: higher accuracy, 10 sec
Outlook

Today: Fraud Management (HANA); GRC
Q4, 2013: Fraud Management Platform (HANA); GRC Banking: int./ext. fraud, AML & CTF, operational compliance; Financial Crime Risk Management Platform (HANA)
• Quarterly releases
• Chance to influence development!
• Options for configuring content

GRC Banking & Financial Crime Risk Management Platform (HANA) = Access Control + Process Control + Op. Risk + Fraud Management + Audit Management* (*2014; audit phases: PLAN, PREP, EXEC, REP., F.-UP)
Gero Mäder
Product Management
GRC
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
E-mail: [email protected]
Thanks a lot!
Josef Schlenkrich
Solution Owner
GRC & Fraud Management
Dietmar-Hopp-Allee 16
69190 Walldorf, Germany
E-mail: [email protected]