Risk management is one of the top priorities for organizations of all types. This priority has not changed as companies have transitioned to virtual environments. The need to address risk and compliance concerns is still there, but the virtual world has created new challenges.
In a recent webinar, which is currently available on demand, we discussed how SAP Risk Management and SAP Process Control tackle these challenges, uniquely positioned to automate many enterprise risk management (ERM) activities.
What Is Enterprise Risk Management?
Every organization needs to manage risk, but what exactly do we mean by ‘Enterprise Risk Management’?
First, the organization should have a strategic plan and defined business objectives. With these in place, we can define enterprise risk as the degree of uncertainty that exists in achieving these objectives. ERM can then be defined as a program of identifying, evaluating and managing risks impacting these objectives.
There is no one-size-fits-all ERM program. Some ERM programs consist only of a high-level risk assessment, while others use real-time metrics to create time advantage in pursuing emerging opportunities. It is important for each organization’s leaders to agree on the organization’s ERM value proposition, so they can adopt an approach that best fits their needs. The graphic (right) illustrates an example ERM value proposition maturity scale with the lowest level of maturity starting at the bottom.
It is in the more mature ERM programs (those reliant on the collection and reporting of key data points) that SAP Risk Management and Process Control can add the most value.
How Can SAP Risk Management Help?
SAP Risk Management will help streamline four key elements in today’s remote working environment: risk planning, risk identification, risk assessment and response and risk monitoring.
In the risk planning stage, SAP Risk Management will help business teams design the structure needed to inform key parties of upcoming risks and map those risks to the correct organizational units so that they can be handled by the appropriate stakeholders. At this stage, the system will be configured to calculate risk levels based on the company’s needs, so that more pressing risks can be prioritized. It is also possible to configure multiple risk management roles and assign these roles to users at different levels within the organization depending on intended usage.
Leaders do not need to be highly technical to utilize SAP Risk Management to identify risks that their organization may be facing. The SAP Risk Management graphical user interface (right) provides a view to the organizational units, business activities, risk categories, drivers and impacts created in the risk planning phase of the process. These identifiers can simply be dragged and dropped into the Risk Builder when new risks need to be created. Along with this graphical approach, users can also use the traditional form entry method and administrators can use the mass upload feature.
Risk Assessment and Response
Once a risk is created, it can be sent via Workflow to the risk experts and owners in the company so they can collaboratively assess the risk. Then, subject matter experts can determine which risks are the most critical. These risk assessments can be done live via virtual workshops; alternatively, each expert can finish their assessment individually, in SAP Risk Management, and send it to the risk owner so they can review the results. Individual assessments allow each assessor to choose a time convenient for them to focus on this important task – a key feature for today’s remote workforce.
Each assessment is flexible. One option allows for an assessment to take the form of a survey chosen from a library of pre-defined qualitative questions for experts to complete. Another option allows each recipient to quantitatively evaluate each risk’s impact and probability level. The system can then be configured to automatically calculate risk levels based on the aggregate of assessment responses. The risk owner can also overwrite the calculated values if needed.
A risk response (or mitigation) can be entered for any risk in the form of controls retrieved from the SAP Process Control tool, or responses can take the form of policies. The effectiveness of each response can then also be entered into SAP Risk Management so that a new residual risk level can be calculated by the system and applied.
SAP Risk Management comes with multiple reporting options designed for different levels of your organization. Senior leadership can use dashboards and heat maps for quick review to identify the most critical risks that need to be addressed. Leaders can drill down into these reports if they need more detailed analysis.
How Does SAP Process Control Add Value?
SAP Process Control will help any organization gain visibility into business and compliance processes and put governance around security controls and risks. Features like preconfigured workflows and assessments can ease the burden of not being in direct contact with remote teams.
The lifecycle of Process Control involves four steps: Define, Scope, Evaluate, and Certify.
At this stage, the company must define its organization, processes and the risks related to those processes, centered around the internal control framework. This stage ensures that reporting will be configured to the organization’s needs and that issues are directed to the key players.
In the Scope phase of the process, surveys can be used to derive ratings to prepare for the testing that will occur in the Evaluate phase. Here, SAP Process Control can determine if there is a deficiency in the controls.
In the Evaluate stage, we test for control effectiveness. SAP Process Control enables connections to other ERP systems like SAP S/4HANA to evaluate the data and determine if a control deficiency exists. It can automate compliance testing and continuously monitor and report issues in real-time.
SAP Process Control has a comprehensive suite of predesigned reports to cover master data and assessments that can be tailored to provide customized results. The reports provided in the Certify phase will help determine the health of the company’s internal control framework and help drill down to the real issues the business is facing.
SAP Process Control also works hand-in-hand with SAP Risk Management. Let’s see how that works.
The concept of data harmonization allows SAP Risk Management and SAP Process Control to integrate. Data is shared between the two systems, ensuring risks are not being held in separate silos within the company. This allows for consistent reporting between both of the systems. A Risk Management user will be able to leverage the same data as a Process Control user.
In Continuous Control Monitoring in SAP Process Control, business rules are set up to measure the controls in the target system, telling the monitoring system what it should do when there is an issue that needs to be addressed. Automated control testing allows identification of these exceptions in real-time and routes the issues to the correct control owners.
SAP Risk Management uses Workflow to automate reviews using key risk indicators. Users can create alerts when configured thresholds are met to populate Risk Management dashboards and heat maps and to notify risk owners.
Enterprise risk management enables organizations to achieve their strategic objectives, and SAP Risk Management and Process Control can help automate much of the processes involved to reduce the burden on management.
Contact us or visit Protiviti’s SAP consulting services to learn more about our solutions.