SAP Road Map for Governance, Risk, and Compliance · PDF fileQ4 2016 SAP Road Map for...

Q4 2016

SAP Road Map for Governance, Risk, and

Compliance Solutions

Customer

© 2016 SAP SE or an SAP affiliate company. All rights reserved. 3CustomerThis presentation and SAP‘s strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document isprovided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement

Disclaimer

The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of

SAP. Except for your obligation to protect confidential information, this presentation is not subject to your license agreement or

any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this

presentation or any related document, or to develop or release any functionality mentioned therein.

This presentation, or any related document and SAP's strategy and possible future developments, products and or platforms

directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice.

The information in this presentation is not a commitment, promise or legal obligation to deliver any material, code or functionality.

This presentation is provided without a warranty of any kind, either express or implied, including but not limited to, the implied

warranties of merchantability, fitness for a particular purpose, or non-infringement. This presentation is for informational

purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this

presentation, except if such damages were caused by SAP’s intentional or gross negligence.

All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially

from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as

of their dates, and they should not be relied upon in making purchasing decisions.

Major Trends


TrendsImpacting risk, compliance, and security practices

Streamline compliance

process and reporting

Regulatory

Requirements

New Business

Models

Safeguard profitability

and growth

Economic and Political

Uncertainty

Mitigate external and

strategic risk

Digital

Transformation

Secure transactions and data

across hybrid IT landscapes


Key themesIn risk, compliance, and security practices

Access

Governance

Manage identities,

authorized information

access, data use, and

sharing conditions

Monitor and prevent

access risk violations

Cybersecurity

Risk and

Governance

Protect data, control

access, and detect

threats

Help ensure

compliance with

information security

standards

Three Lines of

Defense

Manage risks and

controls in business

operations

Provide independent

assurance on risk and

compliance standards

International Trade

Management

Manage import and

export compliance in

global supply chains

Help ensure secure

movement of digital

goods and technical

data

Fraud

Management and

Screening

Prevent financial loss

quickly and effectively

with fraud management

Grow your network with

confidence

Solution Portfolio


SAP solutions for GRC, May 2015

Turn business policy into

automated information controls.

SAP Dynamic Authorization

Management by NextLabsSAP Audit Management

Transform the audit function

beyond assurance.Manage regulatory requirements &

align with internal controls.

SAP Regulation Management

by Greenlight

SAP Technical Data Export

Compliance by NextLabs

Automate trade compliance for

digital goods & technical data.

SAP Fraud Management

Better detect and prevent fraud

through in-memory technology.

SAP Access Violation Management

by GreenlightIdentify and quantify the impact of

access risk violations.

SAP Electronic Invoicing

for Brazil

Meet electronic invoicing

requirements for Brazil.

Gain insights into user roles, and

optimize decision making.

SAP Identity Analytics SAP Global Trade Services

Optimize global trade, and screen

restricted parties.

SAP Access Control

Manage access risk, and prevent

fraud.

SAP Risk Management

Focus compliance efforts and

spending on high risk areas.

SAP Process Control

Ensure effective controls and

ongoing compliance.

GRC Core

Global TradeSecurity

Solution Extensions HANA-Native

SAP solutions for GRC, May 2008


SAP solutions for GRC and

security

SAP solutions for governance, risk, and compliance (GRC)Select products included in road map presentation

SAP Access Control

Manage access risk, and prevent fraud.

SAP Process Control

Help ensure effective controls and ongoing compliance.

SAP Risk Management

Focus compliance efforts and spending on high-risk areas.

SAP Audit Management

Transform the audit function beyond assurance.

SAP Fraud Management

Detect and prevent fraud better.

SAP Business Partner Screening

Gain insights into user roles, and optimize decision making.

SAP solutions for GRC

Solutions

for security

from SAP

Solution

extensions

Innovation Focus Areas


SAP solutions for governance, risk, and complianceInnovation focus areas

Support for GRC experts and the

business

Co-innovation through customer

connect

Tightly integrated into processes

and business networks

Products and solutions built for

cloud and on premise

Products and solutions built to

“manage” the cloud

Embedded Compliance

Business Processes Integration

User Experience

Across All Devices

Consumption

Cloud or On Premise

Solution Road Map


Today Future directionPlanned innovations

SAP solutions for governance, risk, and complianceInnovation highlights

SAP Access Control – Access risk: find,

remediate, and manage access risk across SAP and

third-party systems

SAP Process Control – Controls and compliance

management: help ensure effective controls and

ongoing compliance

SAP Risk Management – Enterprise risk: identify,

analyze, mitigate, and monitor risk across the

organization

SAP Audit Management – End-to-end audit

management: plan, perform, and follow up on your

audit activities

SAP Fraud Management – Fraud detection and

prevention: detect, investigate, and prevent fraud

SAP Business Partner Screening – Screening

and investigation: effectively screen and decide on

business partners

SAP Cloud Identity Access Governance – Access

compliance: cloud services around access

governance, integrated with SAP Cloud Identity

Service

SAP Access Control – User risk analysis: mass

loading and simulation for roles to reduce access risk

SAP Process Control, SAP Risk Management –

Embedded controls: pre-built control and risk

monitoring capabilities for SAP S/4HANA

SAP Audit Management – Audit analytics: analyze

and build evidence on transactional data

SAP Fraud Management – Machine learning:

improved decision and classification support for

alerts leveraging


extensions: pre-built integration with SAP Master

Data Governance

SAP Cloud Identity Access Governance – Service

enablement: provide identity management,

certification, and role governance services


IT risk and compliance management:

associate risks, and controls with IT assets, support

assessment of IT control failures

SAP Risk Management – Assessment

workshops: organize, perform, and follow up on

results from risk assessment workshops

SAP Fraud Management – Tax compliance*:

analyze VAT compliance, and avoid financial and

legal penalties

SAP Business Partner Screening – Business

network integration: transaction screening for SAP

Ariba solutions, SAP SuccessFactors solutions

* Subject to SAP Executive Board approval






third-party systems



ongoing compliance



organization



audit activities





business partners




Service










alerts leveraging



Data Governance




SAP Process Control, SAP Risk Management – IT

risk and compliance management: associate risks,

and controls with IT assets, support assessment of

IT control failures






legal penalties






Planned

Innovations

This is the current state of planning and may be changed by SAP at any time.

SAP Cloud Identity Access Governance*Business-driven access governance

Scope Key benefits

Access governance solution based on

SAP HANA Cloud Platform

No installation requirements other than a

Web browser

Complements and extends the existing SAP

Access Control application around access

risk analysis

Intuitive user interface design on SAP

Fiori user experience

Minimal to no training for the end user

required

Information can be personalized by the end

user

Graphical views drive analysis and

refinement process

Instant visibility into access issues Improved application security and

compliance

Immediate reaction to issues enabled

through fast response and calculation times

Support for cloud applications Managing access risk centrally across

heterogeneous landscapes

Expanded scope for improved governance

and compliance

* In beta shipment as of Q2, 2016


Planned

Innovations


Scope Key benefits

Simulating access risk evaluations on

large data sets

Easier to run and more easily configured risk

analysis simulations

Access risk analysis embedded in role

management

Helping to ensure that new business roles

are developed with minimal access risk to

improve application security and compliance

Integration with SAP Process Control on

mitigation handling

Sharing control status information from SAP

Process Control to manage mitigations in

SAP Access Control

Increased effectiveness around mitigation

control handling through the ability to update

and manage mitigation controls that are no

longer valid

Interoperability with SAP Cloud Identity

Access Governance* service

Undisrupted user experience and

consumption around user risk analysis on

premise (SAP Access Control) or in the cloud

(SAP Cloud Identity Access Governance*)

SAP Access ControlUser risk analysis

* In beta shipment as of Q2, 2016


Product Roadmap for SAP Access ControlInnovation highlights

Recent innovations Future directionPlanned innovations

New Fiori Apps and Smart Business tiles.

User access review with business role

Business role versioning

Firefighter mass maintenance

Import multiple roles during access request

process

Access request risk analysis upon submission

in background

Manage invalid mitigation

Reporting enhancements

New User Risk analysis features

Add, remove, and mass loading of roles for

simulation.

Mandatory risk analysis during role

methodology.

Leverage control status for access risk

mitigation..

Emergency access new features

Fire Fighter ID Review

Logon customization

Simplified Access Request enhancements

Extend Access Control

Cloud applications along with S/4 HANA SFSF,

Ariba, Concur, C4C.

User Access Review standard notifications to

users on removal


Planned

Innovations


Scope Key benefits

Embedded process controls and risk

indicators in key business processes

supported by SAP S/4HANA

No change to existing SAP S/4HANA

installation required when monitoring

process controls through SAP Process

Control or risk indicators through SAP Risk

Management

Issue resolution Instantly detect, prevent, and mitigate

noncompliant activities in key business

processes supported by SAP S/4HANA

SAP Process Control, SAP Risk ManagementEmbedded controls and KRIs

OPERATIONAL PROCESS(IN SAP S/4 HANA)

COMPLIANCE PROCESS


Facts & figures:

Supported roles:Compliance Manager, Internal

Control Manager,

Prerequisites:NetWeaver 7.40 SP13 and SAP

Process Control 10.1 SP14

Business challenges

Compliance Manager summaries control effectiveness

results and other information from multiple channels are

time consuming. Control effectiveness results cannot be

provided in time. Testers and issue owners do not

complete tasks in time. Testing results overview is hard

to get from system

Value proposition

With this Fiori app, Compliance Manager can get

transparent and complete results from control

effectiveness testing. It helps to save efforts of

summarizing control status from multiple channels.

Compliance Manager can also use it to make sure

control testing is performed and identified issues

are remediated, and enable responsible person to

complete task in time.

Monitor Control Status Fiori application

Key features

Monitor control effectiveness testing status and

results

Analyze the results from both organizations and

processes view

Remind responsible person to take action


Planned

Innovations


Scope Key benefits

Shared reporting across the three

lines of defense

Enables the company to have a unified

view of risks and allows better

collaboration on mitigation

Harmonize user interfaces across

SAP GRC solutions and SAP

S/4HANA

Minimizes learning curve and provides

better user experience with support for

multiple devices

Enhanced Harmonization


Planned

Innovations


Enhanced policy management

Scope Key benefits

Cloud-based policy management offered on a

subscription basis

Rapid and efficient deployment of user-friendly

publishing and acceptance of policies for use

with multiple devices

Integrate with SAP SuccessFactors Learning to

track policy-related training requirements

Improved policy compliance and support for

regulatory training requirements

Determine relevant policy and training by role

and hiring status from HR system integration

with SuccessFactors

Reduced effort and timely policy dissemination

and acceptance as employees are hired or

change roles within an organization

Policy compliance dashboard showing status

and overdue policy acceptance for all policies

• Easy visibility of current status and potential

acceptance issues to improve enforcement and

auditability


Planned

Innovations


SAP Audit ManagementAudit analytics

Scope Key benefits

Integrated analytics capability

Audit analytics powered by the SAP

HANA platform

Leverage Big Data to increase the audit

efficiency and expand audit coverage

Examine higher data volumes at greater

speed

Open interface to consume analytical

results

Predefined analytical audit

procedures

Reduce effort for auditors to execute

audits, increase collaboration between

auditor and process owner

• User-friendly creation of custom

analytical audit procedure

Increase auditor insight, minimize

noncompliance issues

Elevate auditor to trusted advisor role


Planned

Innovations


Scope Key benefits

Decision support and scoring for new

alerts

Learning algorithms analyze past

transactions and resolutions in high volume,

which allows fraud investigators to focus on

value-adding tasks

Better and more efficient decisions lead to

significantly increased proven fraud (true

positives)

• Automatic classification through “one

size fits most” algorithms

Incorporate learnings from closed

investigations to free up time for fraud

investigators and optimize their workloads

SAP Fraud ManagementMachine learning


Planned

Innovations


Scope Key benefits

Pre-delivered integration with SAP

Master Data Governance

Improve business partner compliance with

checks during on-boarding or change

process in SAP Master Data Governance

Resolve alerts in SAP Business Partner

Screening for checks arising from SAP


Feed additional context information on

screened business partner back to SAP


Additional screening fields, such as

Bank Identifier Code (BIC), date of birth,

and e-mail address

Enable additional screening scenarios for

SAP Business Partner Screening, including

the screening of payments on BIC

SAP Business Partner ScreeningScreening extensions






third-party systems



ongoing compliance



organization



audit activities





business partners




Service










alerts leveraging



Data Governance





IT risk and compliance management: associate

risks, and controls with IT assets, support

assessment of IT control failures






legal penalties






Enhanced user experience and productivity with optimized access definition – YouWYN (You get

everything What You Need)

Role designer service

Reduce complexity in managing access for business applications

Bottoms up role design based on role mining and activity

Ensuring users have optimized appropriate access assignments

Rule-based role design and access refinement

Integrated processes for design and management of business roles

SAP Cloud Identity Access Governance Access Compliance - Role designer service


Mine Roles• Roles, privileges and

authorizations.

• User access

• Usage activity

Optimize Access• Analyze mined Access

information

• Discover optimal granularity of authorizations

Refine Access• Propose optimal user

access

• Orchestrate access for an end to end business process

Impact Analysis• Proposal to adjust role

content to remediate risks

• Mitigate risks as applicable

Provision Users• Assign the access to users

• Notify users

Future

Innovations


Streamlined access certification process, automates periodic/adhoc access review process and

reduces access maintenance activity when there are organizational changes that impact user access.

Certification service

Automate periodic access reviews

Enable reviews specific to organizational needs

Ability to support large scale reviews

Management of the review process

Data driven views for review process


Define Review•Select users by group, system, organization

•Security reviews by activity

•Usage activity

Review Type•User access review

•Risk review

•Role review

Admin Review•Check reviews prior to distribution

•Edit review items

Distribution•Send review notices to managers

•Review Instructions

Monitor•Resolve review issues

•Track review progress

Update Access• Incorporate access, risk, role changes

•Audit reporting

SAP Cloud Identity Access Governance Access Compliance – access certification service

Future

Innovations


SAP Cloud Identity Access Governance

Sensitive/privileged access monitoring

Policy–based authorizations

Business risk–based authorizations


Future

Innovations


Future

Direction


Scope Key benefits

Associate IT assets with controls, policies,

and risks

IT-focused documentation and reporting of

risks with potential impact on IT assets

Review the effectiveness of defined

mitigations by controls and policies to

detect gaps in the IT control framework

Integration with SAP Regulation

Management application by Greenlight, cyber

edition

Comply with IT regulatory and best-

practice frameworks to strengthen IT

practices

Integration with SAP Enterprise Threat

Detection application

Integrate summarized threat details with

continuous control monitoring information

in SAP Process Control

Help business experts – in addition to IT–

to understand the potential impact of

cybersecurity issues

Provide additional insight on the

effectiveness of IT controls

SAP Process Control, SAP Risk ManagementIT risk and compliance management


Future

Direction


Enhanced continuous control monitoring (CCM)

Scope Key benefits

Continuous auditing by sharing CCM capabilities

of Process Control with SAP Audit Management

Improved assurance and planning with reduced

cost and more timely reporting of weaknesses

Shared CCM rule framework with SAP Risk

Management (KRIs)

Easier and more flexible creation of KRIs and

other metrics from a single rule engine

Use of SAP HANA analytic content for SAP ERP

and other applications with CCM

Improved time-to-value by leveraging existing

content


Future

Direction


Scope Key benefits

Management of risk assessment workshops

from setup, execution, and follow-up

Link workshops with day-to-day risk

management approach to fully embed this

part of the process

Documentation and consolidation of the

information

Management of follow-up sessions

Facilitate follow-up and monitoring of

workshops

SAP Risk ManagementAssessment workshops


Future

Direction


SAP Fraud ManagementTax compliance – customer co-innovation project*


Scope Key benefits

• VAT analysis Enables companies to analyze their VAT

compliance to avoid financial and legal

penalties

Detection and reconciliation Flexible definition of rules to detect

irregular tax postings

Initiation, execution, and documentation of

mitigation tasks to correct wrong postings

Reconciliation support for tax declaration

Scheduling and monitoring Continuous monitoring and reduction of

wrong postings to minimize risk of

financial and legal penalties

Identifying and fixing root cause(s) for

wrong postings, such as incorrect master

data

Results in a simplified, fastened, and

confident period-end processing


Future

Direction


SAP Business Partner ScreeningBusiness network integration

SAP Business Partner

Screening

Scope Key benefits

Screening extended to business networks,

such as SAP Ariba solutions and SAP

SuccessFactors solutions

Provide assurance and transparency

around business partner compliance in

business networks

More Information

More Information

Explore our solutions.

Find additional SAP road maps on the SAP

Service Marketplace extranet (logon required).

Enterprise Information Management External


https://www.sap.com/grc

http://service.sap.com/roadmap

http://go.sap.com/solution/platform-technology/data-management/enterprise-information-management-eim.html

Thank youContact information:

Jochen Thierer

VP Development

LoB FIN – GRC


© 2016 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate

company) in Germany and other countries. Please see http://global12.sap.com/corporate-en/legal/copyright/index.epx for additional trademark information and notices.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors.

National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP SE or its

affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP SE or SAP affiliate company products and

services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as

constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop

or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future

developments, products, and/or platform directions and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time

for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-

looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place

undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.

http://global12.sap.com/corporate-en/legal/copyright/index.epx

SAP Road Map for Governance, Risk, and Compliance · PDF fileQ4 2016 SAP Road Map for...

Documents

Transcript of SAP Road Map for Governance, Risk, and Compliance · PDF fileQ4 2016 SAP Road Map for...