Developing a five-part SAP ERM strategy

Companies can develop a sound governance structure using five key elements in the SAP solution suite.

Organizations have faced an increasing number of challenges with internal processes and external supply chains in recent years, leading to a growing realization among companies that enterprise risk management (ERM) is a necessary business process in its own right. An organization should develop a sound SAP ERM structure using five key elements in the SAP solution suite, including SAP GRC and SAP Business Suite applications.

Examples of supply chain risk over the last five years can be found everywhere. The 2011 tsunami in Japan wreaked havoc on automotive companies worldwide, many of whom depended on vendors in that country. Disney left Bangladesh as a contract manufacturing base after a factory fire, and later a devastating building collapse, which Disney blamed on the government of Bangladesh for lack of regulatory oversight.

At the same time, companies are paying more attention to ensuring the correct international transfer of internal funds (over SWIFT accounts) to meet increasing financial auditing requirements. Corporate and institutional governance boards are also taking greater steps to reduce the potential for large-scale fraud and for low-probability, high-impact risks, also known as "fat tail" or "black swan" risks.

The five elements

SAP customers often get derailed when deciding how to structure business process audits -- such as financial audits -- using the vast SAP Business Suite and GRC tools available to them. To get back on track, companies should consider five key elements that together build out a strong and cohesive ERM program.

The first element of a strong ERM program is the business process itself, which is normally expressed in one or more SAP Business Suite or Line of Business (LOB) applications. In the case of financial closings, companies can use a variety of SAP ERP modules, including Finance (FI), Controlling (CO) or General Ledger (GL) to support closing the books, reconciliations and transfer of funds to organization units. It is very helpful to have some form of step-wise or "stage-gate" structure behind these processes, with corresponding SAP profiles and roles established. If you don't have SAP profiles established for each step of the financial close process, for example, it will be nearly impossible to apply rights and permissions through the entire process.

This introduces the second and third elements of a strong ERM program. With appropriate SAP profiles and roles, GRC Access Controls (AC) and Process Controls (PC) may be applied to ensure the proper individuals have appropriate access to the systems when and where they require. This is important for the segregation of duties (SOD) required by Sarbanes-Oxley (SOX) and for other controls.

Having an umbrella risk management strategy to identify potential or recurring risks, and to mitigate, transfer, avoid or otherwise address those risks, is the fourth element of any good ERM program. These can be simple risks like delayed receipt of payments (e.g., what happens if a business doesn't get paid within its payment term windows) or low-probability, high-impact fat tail risks, such as natural disasters.

SAP Risk Management 10 (RM10) provides this structure and has matured greatly over the past several years to include links to Enterprise Performance Management (EPM) tools, SAP Project Schedule (PS) and even Supply Chain Performance Management 2.0. RM10 also has a nifty "bow-tie builder" graphical facility that allows point-and-click options for users to create and modify risks. This works well for more visually oriented practitioners who want to actually see how risks might impact key scenarios and what the organization should do to address the risk. Visual tools offer risk practitioners a great way to avoid the "all hands grabbing the same table and staring at each other" syndrome by clearly illustrating organizational responsibilities as a part of the risk definition.

Finally, no good ERM program would be complete without a way to check on the performance of business processes. NetWeaver Audit Management is the fifth and final element of a sound ERM program. NetWeaver Audit Management is the "glue" that brings monitoring activities -- a risk-mitigation practice -- to all native SAP Business Suite processes. You can identify audit plans and programs, put them in an annual calendar of activities and include working papers and other evidence, including transaction logs from SAP Business Suite processes. Currently NetWeaver Audit Management ships free with SAP Business Suite, so there are no costly third-party integrations to manage outside of the SAP ecosystem.

Putting the elements in action

Last year I worked with a multinational corporation to plan its initial ERM approach to a number of business processes running on the SAP Business Suite, including Finance. In this case, the audit team not only had a well-established process for inter-company transfers and payments but also for consolidated close and annual reporting. While we approached the ERM program with an audit lens, most SAP customers will approach it from a traditional, top-down model for implementing RM10. The organization already had a mature, well-defined audit process with stage gates. Not only did this allow proper development of SAP roles and profiles to fit both the audit and finance's business processes, it allowed a straightforward definition of the GRC access and process controls. We were able to craft a fairly detailed permissions matrix, identifying which SAP users could participate in both the finance and auditing processes and create, read, update and delete documents based on controls already in place in the organization.
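The segregation-of-duties (SoD) checks that GRC Access Control applies on top of SAP roles, and the create/read/update/delete permissions matrix described above, can be reasoned about with a small script. The following is an added example written for this page, not the article author's work or SAP's code: the role names, activities, rule IDs and mitigating-control ID are all constructed. A real ruleset in SAP GRC Access Control is expressed in terms of transaction codes and authorization objects rather than the activity labels used here; the logic (union a user's effective rights across roles, then test each rule's pair of conflicting rights) is the same.

```python
"""Segregation-of-duties check over a CRUD permissions matrix (added example).

Role names, activities, rule IDs and the mitigating control below are
constructed for illustration; they are not SAP-delivered objects.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed permissions matrix: role -> activity -> rights held (C/R/U/D).
ROLE_MATRIX: dict[str, dict[str, str]] = {
    "AP_CLERK":         {"vendor_master": "CRU", "vendor_invoice": "CR"},
    "AP_MANAGER":       {"vendor_invoice": "RU", "payment_run": "CR"},
    "GL_ACCOUNTANT":    {"journal_entry": "CRU", "period_close": "R"},
    "CLOSE_CONTROLLER": {"period_close": "CRU", "journal_entry": "R"},
    # Read-only access to every step, as an audit role would typically have.
    "AUDITOR": {a: "R" for a in ("vendor_master", "vendor_invoice",
                                 "payment_run", "journal_entry", "period_close")},
}


@dataclass(frozen=True)
class SodRule:
    """One SoD rule: holding both (activity, right) pairs is a conflict."""
    rule_id: str
    first: tuple[str, str]
    second: tuple[str, str]
    risk: str


# Constructed ruleset covering the finance processes discussed in the text.
SOD_RULES: list[SodRule] = [
    SodRule("F001", ("vendor_master", "C"), ("payment_run", "C"),
            "create a vendor and pay that vendor"),
    SodRule("F002", ("vendor_invoice", "C"), ("payment_run", "C"),
            "enter an invoice and release its payment"),
    SodRule("F003", ("journal_entry", "C"), ("period_close", "C"),
            "post journals and close the period they land in"),
]


def effective_rights(roles: list[str], matrix=ROLE_MATRIX) -> dict[str, set[str]]:
    """Union of CRUD rights a user holds across all assigned roles.

    Conflicts arise from the combination of roles, so rights must be merged
    per user before any rule is evaluated.
    """
    rights: dict[str, set[str]] = {}
    for role in roles:
        if role not in matrix:
            raise KeyError(f"unknown role: {role}")
        for activity, crud in matrix[role].items():
            rights.setdefault(activity, set()).update(crud)
    return rights


def has_right(rights: dict[str, set[str]], activity: str, right: str) -> bool:
    return right in rights.get(activity, set())


def sod_conflicts(roles: list[str], rules=SOD_RULES, matrix=ROLE_MATRIX) -> list[str]:
    """Return the IDs of every rule this role combination violates."""
    rights = effective_rights(roles, matrix)
    return [r.rule_id for r in rules
            if has_right(rights, *r.first) and has_right(rights, *r.second)]


def review_assignments(assignments: dict[str, list[str]],
                       mitigations: dict[tuple[str, str], str] | None = None
                       ) -> dict[str, list[tuple[str, str]]]:
    """Evaluate user -> roles assignments against the ruleset.

    mitigations maps (user, rule_id) to a mitigating-control ID, mirroring how
    an accepted conflict is documented rather than silently ignored. Each
    conflict is reported as 'open' or 'mitigated:<control>'.
    """
    mitigations = mitigations or {}
    report: dict[str, list[tuple[str, str]]] = {}
    for user, roles in assignments.items():
        findings = []
        for rule_id in sod_conflicts(roles):
            control = mitigations.get((user, rule_id))
            findings.append((rule_id, f"mitigated:{control}" if control else "open"))
        report[user] = findings
    return report


if __name__ == "__main__":
    # Constructed sample assignments; "MC-17" is a placeholder control ID.
    sample = {"jdoe": ["AP_CLERK", "AP_MANAGER"],
              "rlee": ["GL_ACCOUNTANT", "CLOSE_CONTROLLER"],
              "asmith": ["AUDITOR"]}
    for user, findings in review_assignments(sample, {("jdoe", "F002"): "MC-17"}).items():
        print(user, findings or "no SoD conflicts")
```

Running the module lists each user's open and mitigated conflicts; a user holding only read rights (the audit role) triggers nothing, while a clerk who is also granted the manager role is flagged on both payment rules. Keeping the mitigation record separate from the ruleset is deliberate: the rule stays in force, and the exception is visible to the audit process rather than being edited away.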

As part of the next phase of its SAP go-live, the client will bring RM10 into the fold and port all of the control documents and plans currently in its third-party risk management system into native SAP. This is normally done at the outset, but given the cost benefit of switching to NetWeaver Audit Management and having GRC Access Control and Process Control both in place, this program sequence made the most sense.

The good news for SAP customers is that there is always more than one way to skin a cat when it comes to trying to accomplish a goal inside the SAP ecosystem. Using these five elements -- SAP Business Suite, RM10, AC, PC and NetWeaver Audit Management -- SAP customers can implement a well-integrated ERM program that mitigates risks and safeguards financial performance.

William Newman is managing principal of Newport Consulting Group, an independent management and technology consulting firm based in Clarkston, Mich. Contact him via email at [email protected] or follow him on Twitter (@william_newman).
