Integration of Risk Management with Internal Control System
Eduardo Barrera, 11.04.2013
SAP GRC Risk Management and Process Controls


SAP Finance Excellence Day Confidential. © 2013 BearingPoint | 2

Introduction

Eduardo Barrera

• More than 20 years of management consulting background, serving large and mid-size companies both globally and locally
• Thereof more than 5 years of audit experience (at one of the Big Four firms)
• Responsible for Governance, Risk and Compliance at BearingPoint Switzerland
• Background in business administration and audit


Contents

Introduction

Companies Overview

Some Governance Risk and Compliance background

information

Project experience and lessons learned

Summary

Questions


BearingPoint Overview

Approach: collaborative and flexible
Characterized by flexibility and result orientation, we find the best way forward for our customers.

People: dedicated and experienced
Through our extensive industry knowledge and our outstanding commitment we achieve exceptional customer satisfaction.

Results: measurable and sustainable
We deliver practical, measurable and sustainable solutions to the problems of our customers.

BearingPoint – Globally

• 15 countries
• 140 Partners
• About 3,400 employees
• Ex KPMG / Arthur Andersen


• Definition of business strategies
• Control mechanisms and balanced scorecards
• Market analyses, cost accounting
• Regulatory analyses
• Product, process and IT benchmarking
• Process and IT outsourcing analyses
• Quality management (Six Sigma)
• Information management strategies
• Business continuity management
• IT architecture evaluation
• Scenarios for in-house development / purchase of IT solutions
• Project and program planning
• Design of process optimization and standardization
• Implementation of regulatory requirements
• Key business indicators and key data for quality improvement
• Business intelligence concepts
• Information management governance
• Post-merger integration
• CRM design / implementation plan
• Optimization of operational and organizational structure
• Implementation of project and program management
• Analysis, design, development and operation of applications (Enterprise Application Integration)
• Data warehousing
• Business intelligence
• Master data management
• Data migration
• Digitalization
• Document management
• Test management
• Integration management
• System integration
• Implementation of IT security key data

Our consulting approach and expertise supports clients from strategy to implementation: business and IT strategy (strategic planning), business processes (process optimization) and system integration, across the phases Design, Decision and Implement.


Thought leadership: Enterprise SOA
Regional excellence: EMEA

Special Expertise Partnerships
• SAP Enterprise Portal
• SAP CRM
• SAP Master Data Management
• SAP NetWeaver ESOA
• SAP Process Integration / Exchange Infrastructure
• SAP Business Intelligence
… and many more

Selected SAP Special Expertise Partnerships
• SAP NetWeaver BI
• SAP BusinessObjects EPM Platform
• SAP ERP Financials

Further SEPs and awards: Global Service Partner

We have a long partnership with SAP and have been awarded multiple times for our excellence. BearingPoint Switzerland was selected as the solution partner 2012 for SAP Switzerland.


Schaeffler GmbH Overview

Manufacturing and sales organization: 180 locations in more than 50 countries
Employees: around 74,000 globally
Revenues (FY 2011): around EUR 10.7 billion globally


Schaeffler Group Automotive: automotive product range (INA, FAG, LuK)

Engine systems
● Engine components
● Belt and chain drives

Chassis systems
● Chassis applications
● Auxiliary units

Transmission systems
● Transmission applications
● Clutch systems
● Transmission technology


Schaeffler Group Industrial
Business units and sectors

Product lines: linear technology, tapered roller bearings, ball bearings, needle roller bearings, spherical roller bearings, cylindrical roller bearings

Sectors: power generation, motorcycles, fluid/pneumatics, wind power, aerospace, heavy industry, drive technology, consumer products/medical, railway, production machinery


The development of the Schaeffler Group: from 1946 to the present

1946: Founding of Industrie GmbH in Herzogenaurach
1950s/60s: Rapid growth: further plants and branches in Germany and worldwide
From 1991: Market development and new sites in Eastern Europe
1996: After the death of Dr.-Ing. E.h. G. Schaeffler, his wife M.-E. Schaeffler and son G. F. W. Schaeffler take over responsibility
1999: Takeover of all LuK shares
2001: Takeover of FAG Kugelfischer Georg Schäfer AG
2003: INA, LuK and FAG form the "Schaeffler Gruppe"
2009: Schaeffler becomes majority shareholder of Continental AG
2011: Founding of Schaeffler AG; chairman of the supervisory board is Georg F. W. Schaeffler
Asia offensive (no year given on the slide): investments in plants as well as in research and development

Some Governance Risk and

Compliance background

information


What could go wrong, what will go wrong: companies face many sources of risk

Risk sources in the context of a PESTEL analysis (Political, Economic, Social, Technological, Environmental, Legislative) surrounding the company:

External fraud
• Google (Chinese environment)
• RSA SecurID

Internal fraud
• Société Générale (2008)
• UBS (2011)
• Gate Group

Theft
• Retail companies typically lose about 10% of products to theft

Non-compliance (with regulation)
• Collaboration

Incorrect financial statements
• Enron (2001)
• WorldCom (2002)
• Parmalat (2003)

Supply stability
• Bankruptcy of suppliers

Information security
• Swiss National Bank
• LGT

Environmental risk
• BP Deepwater Horizon (2010)
• TEPCO (Fukushima)

Others (reputation)
• Shell
• Total
• Glencore
• Xstrata


What is Governance, Risk and Compliance? An overview

Governance: internal policies
• Social responsibility
• Education
• Ethically correct behavior
• Ensure sustainability

Risk management: risk appetite

Compliance: external regulation

GRC spans strategy, technology, people and processes, and is integrated, holistic and organization-wide. Goals:
• Improve efficiency
• Improve effectiveness
• Operations managed and supported by suitable technology
• Innovation
• Vision


Managing GRC is a challenge

Lack of transparency
• Poor visibility into enterprise risk exposure
• Processes are too reactive and defensive
• Fragmentation limits the effectiveness of risk and compliance initiatives

Lack of resources
• Limited time and personnel to effectively manage risk and compliance
• Inefficient and costly manual processes
• Inability to proactively mitigate risk events

Lack of alignment
• Risk and compliance management processes are not embedded within the business
• Controls are not aligned to key risks
• Limited risk and compliance influence on business decisions

Fragmented and manual risk and compliance activities increase cost and fail to provide strategic value. This affects executive management, the compliance, risk and audit functions, and business owners alike.


Current State

Heterogeneous environment
• Different concepts and definitions of risks and controls

Inconsistency
• Inconsistent views of business processes and risks reported to the Board of Directors and senior management

Multiple regulations
• Businesses are required to address multiple regulatory and risk management initiatives

Not harmonized and not standardized


GRC responsibility

BearingPoint study on GRC maturity: results

• Although GRC responsibilities are defined in nearly every company, the related tasks are so far most often fulfilled by the finance function.
• Participants of the survey are mostly located at the second or third management level of the company.

Who is responsible for GRC (share of respondents):
Finance responsible: 43%
Compliance responsible: 29%
Risk management responsible: 10%
Governance responsible: 10%
Legal responsible: 5%
CxO: 5%


Future State

Governance structure• Clearly defined

responsibilities

• Clear and comprehensive

risk reportingReduction of redundancies• Opportunity to Leverage/

Coordinate with other control

functions

Processes, Organization and

Information Technology• Foundations of convergence

Gain Efficiency and Effectiveness

AND

Increase level of safety (better protection and high assurance)

Project experience and lessons

learned


Risks associated with internal control systems (ICS) in the context of Enterprise Risk Management (ERM)

ICS is often considered a financial requirement; the effort of compliance is significant.

Where to find risks related to ICS requirements: the ICS belongs to the operational level inside the company, which is surrounded by the PESTEL risk sources (Political, Economic, Social, Technological, Environmental, Legislative).

Importance of ICS from an enterprise-wide risk perspective: in relation to overall enterprise risk management, the risks and the associated controls seen from the ICS perspective weigh little; the financial risks due to insufficient compliance, however, are high.

Effort of response activities: ICS control activities are time consuming; reporting standards, the level of documentation and IT (especially access controls) lead to a big effort that could be reduced by treating those areas in an integrated way.


Current and future state of Schaeffler's RMS and ICS environment

Current state
• RMS and ICS not integrated, isolated processes
• High manual effort
• Lack of transparency, real-time indicators and reporting

Future state
• Real-time reporting based on integrated compliance activities addressing relevant risks


How risk valuation and assessment are handled within Schaeffler

Assessment levels: local assessments, division assessment, global assessment

• The first assessment needs to be re-assessed by a second party
• Risks that are initially assessed should be recorded historically
• The second assessment can override the initial assessment
• Assessments are period dependent
• Comparison between initial and second assessment is required
• Comparison between periods (how risks changed)
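The assessment flow above (initial assessment, re-assessment by a second party that may override it, history kept, comparison between assessments and between periods) as an added example in Python. This is not code from the original deck or from SAP GRC Risk Management; the risk id, assessor names, periods and the 1..5 probability and impact scales are assumptions made for the example:

```python
"""Period-based risk assessment log with second-party re-assessment.

Added example, not code from the original deck or from SAP GRC Risk
Management. Risk ids, assessors, periods and scores are constructed sample
data; the 1..5 probability and impact scales are an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Assessment:
    risk_id: str
    period: str        # reporting period, e.g. "2012-Q4"
    assessor: str      # who assessed (local entity, division, global)
    stage: str         # "initial" or "second" (re-assessment by a second party)
    probability: int   # 1..5, assumed scale
    impact: int        # 1..5, assumed scale

    @property
    def score(self) -> int:
        return self.probability * self.impact


class RiskRegister:
    """Append-only log: assessments are never edited or deleted, only superseded,
    so the initial assessment stays on record after a second party overrides it."""

    def __init__(self) -> None:
        self._log: List[Assessment] = []

    def record(self, a: Assessment) -> None:
        if a.stage not in ("initial", "second"):
            raise ValueError("stage must be 'initial' or 'second'")
        if not (1 <= a.probability <= 5 and 1 <= a.impact <= 5):
            raise ValueError("probability and impact must be within 1..5")
        if a.stage == "second":
            initial = self._find(a.risk_id, a.period, "initial")
            if initial is None:
                raise ValueError("second assessment requires an initial assessment")
            if initial.assessor == a.assessor:
                raise ValueError("re-assessment must come from a second party")
        self._log.append(a)

    def _find(self, risk_id: str, period: str, stage: str) -> Optional[Assessment]:
        hits = [x for x in self._log
                if (x.risk_id, x.period, x.stage) == (risk_id, period, stage)]
        return hits[-1] if hits else None

    def effective(self, risk_id: str, period: str) -> Optional[Assessment]:
        """The second assessment overrides the initial one for the period."""
        return self._find(risk_id, period, "second") or self._find(risk_id, period, "initial")

    def initial_vs_second(self, risk_id: str, period: str) -> Optional[int]:
        """Score delta introduced by the second party (None if not re-assessed)."""
        i = self._find(risk_id, period, "initial")
        s = self._find(risk_id, period, "second")
        return None if i is None or s is None else s.score - i.score

    def period_delta(self, risk_id: str, prev: str, cur: str) -> Optional[int]:
        """How the effective score of a risk changed between two periods."""
        a, b = self.effective(risk_id, prev), self.effective(risk_id, cur)
        return None if a is None or b is None else b.score - a.score

    def history(self, risk_id: str) -> List[Assessment]:
        """Every assessment ever recorded for the risk, oldest first."""
        return [x for x in self._log if x.risk_id == risk_id]


def build_sample_register() -> RiskRegister:
    """Constructed data: one supplier-default risk assessed over two periods."""
    reg = RiskRegister()
    reg.record(Assessment("R-017", "2012-Q4", "local.ctrl", "initial", 3, 4))   # score 12
    reg.record(Assessment("R-017", "2012-Q4", "division.rm", "second", 2, 4))   # score 8, overrides
    reg.record(Assessment("R-017", "2013-Q1", "local.ctrl", "initial", 4, 4))   # score 16
    reg.record(Assessment("R-017", "2013-Q1", "division.rm", "second", 3, 4))   # score 12, overrides
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for a in reg.history("R-017"):
        print(a.period, a.stage, a.assessor, a.score)
    print("effective 2013-Q1:", reg.effective("R-017", "2013-Q1").score)
    print("initial vs second 2012-Q4:", reg.initial_vs_second("R-017", "2012-Q4"))
    print("period delta 2012-Q4 -> 2013-Q1:", reg.period_delta("R-017", "2012-Q4", "2013-Q1"))
```

The register refuses a second assessment from the same assessor as the initial one and never overwrites an entry, so the comparison between initial and second assessment, and between periods, can always be recomputed from the log.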


How risk could be assessed with SAP GRC

A risk carries several risk assessments. Identification and evaluation of risks via:
• Collaborative assessments
• Surveys, questionnaires
• Direct entries

Valuation methods:
• Professional judgments
• Uploads (from different tools)
• Statistical methods


How to assess risks

Risks are assessed at local, division and global level. Assessment flow: Risk → Cross risk → Response strategy → Effort → Mitigation / Control → Net risk


How to evaluate internal controls

Control catalogue → control description → self assessment and testing (per local entity)

• Controls are covered within one central catalogue
• Controls are identified, classified, documented and shared with the local entities by HQ
• Design and effectiveness test procedures are written and executed by the local entities
• Controls are not linked to ERM risks


How to evaluate controls and test effectiveness

Headquarters: providing the list of controls (control catalogue and control descriptions) and requesting the initial evaluation
Local entities: the local entities and responsible persons assess the scope and evaluate the design (self assessment and testing)
Headquarters: collecting the results of the tests of effectiveness and the evaluations into an overall reporting


Strategic expertise

Project approach and goals to be primarily achieved before an implementation of such a comprehensive solution

Workshops bring together the requirements of Schaeffler and BearingPoint's capabilities (risk management, audit background, SAP system knowledge, and the SAP GRC Ready2Go system of BearingPoint); the result is the blueprint.


Access Risk Management

BearingPoint's Ready2Go system was considered from the beginning of the project

Components of the GRC Ready2Go system:
• Access risk management: check segregation of duties; compensating controls (manual, automated, semi-automated)
• Risk management: response strategies (transfer, avoid, accept, control)
• Compliance management: controls (manual, automated, semi-automated)
• Policies and governance
• ERP systems as analysis targets: ECC, CRM, SCM, non-SAP
• Reporting: heatmap and report

Sample segregation-of-duties heatmap for company code (BUKRS) 2139, by business process. Row processes are checked against the column processes of the same area; each cell is the number of SoD conflicts found between the row process and the column process.
FSCP columns: Post Journal Entries to GL Accounts; Reconcile Bank Statement
O2C columns: Customer Incoming Payment; Delivery Processing; Enter Customer Credit Memo; Maintain Pricing Conditions; Maintain Sales Orders; Manage Customer Credit Limit; Process Billing (Invoice Processing SD); Sales Order Release or Release Blocked Documents
P2P columns: Cash Payment Processing; Create and Maintain Vendor Records; Create Purchase Orders; Create Purchase Requisitions; Post Parked Vendor Invoice; Post Vendor Downpayment Request; Pricing Master Data; Process Direct (FI) Vendor Invoices; Process Goods Receipt; Process Incoming Payments; Process Vendor Invoices (MM); Release Blocked Invoices; Vendor Downpayment Request

FSCP
Bank Maintenance: Post Journal Entries to GL Accounts 91, Reconcile Bank Statement 206; total 297
Create and Maintain GL Accounts: Post Journal Entries to GL Accounts 85; total 85
Open and Close Accounting Periods: Post Journal Entries to GL Accounts 143; total 143
Park Journal Entries: Post Journal Entries to GL Accounts 151; total 151
FSCP results: column totals Post Journal Entries to GL Accounts 470, Reconcile Bank Statement 206; 676 conflicts

O2C
Create Maintain Customer Master Records: Customer Incoming Payment 151, Delivery Processing 178, Enter Customer Credit Memo 82, Maintain Pricing Conditions 206, Maintain Sales Orders 72, Manage Customer Credit Limit 124, Process Billing (Invoice Processing SD) 211; total 1024
Customer Incoming Payment: Enter Customer Credit Memo 98, Maintain Sales Orders 80, Process Billing (Invoice Processing SD) 148; total 326
Delivery Processing: Enter Customer Credit Memo 86, Maintain Sales Orders 206; total 292
Enter Customer Credit Memo: Maintain Sales Orders 69, Process Billing (Invoice Processing SD) 97; total 166
Maintain Pricing Conditions: Maintain Sales Orders 75, Manage Customer Credit Limit 142; total 217
Maintain Sales Orders: Manage Customer Credit Limit 68, Sales Order Release or Release Blocked Documents 83; total 151
O2C results: column totals Customer Incoming Payment 151, Delivery Processing 178, Enter Customer Credit Memo 266, Maintain Pricing Conditions 206, Maintain Sales Orders 502, Manage Customer Credit Limit 334, Process Billing (Invoice Processing SD) 456, Sales Order Release or Release Blocked Documents 83; 2176 conflicts

P2P
Approve or Release Purchase Orders: Cash Payment Processing 109, Create and Maintain Vendor Records 126, Create Purchase Orders 127, Post Parked Vendor Invoice 77, Process Direct (FI) Vendor Invoices 101, Process Goods Receipt 104, Process Vendor Invoices (MM) 82; total 726
Approve or Release Purchase Requisition: Create Purchase Requisitions 84; total 84
Bank Maintenance: Cash Payment Processing 118, Post Vendor Downpayment Request 78, Process Incoming Payments 216; total 412
Cash Payment Processing: Create and Maintain Vendor Records 121, Create Purchase Orders 122, Process Direct (FI) Vendor Invoices 197, Process Vendor Invoices (MM) 103, Release Blocked Invoices 108; total 651
Create and Maintain Vendor Records: Create Purchase Orders 140, Process Direct (FI) Vendor Invoices 143, Process Goods Receipt 104, Process Vendor Invoices (MM) 91; total 478
Create Maintain Purchase Contract: Process Vendor Invoices (MM) 113; total 113
Create Purchase Orders: Create Purchase Requisitions 104, Pricing Master Data 110, Process Direct (FI) Vendor Invoices 146, Process Goods Receipt 270, Process Vendor Invoices (MM) 125, Release Blocked Invoices 137; total 892
Manage Physical Inventory: Process Goods Receipt 86; total 86
Park Vendor Invoice: Post Parked Vendor Invoice 69; total 69
Post Vendor Downpayment Request: Vendor Downpayment Request 85; total 85
Process Goods Receipt: Process Vendor Invoices (MM) 119, Release Blocked Invoices 133; total 252
Process Vendor Invoices (MM): Release Blocked Invoices 114; total 114
P2P results: column totals Cash Payment Processing 227, Create and Maintain Vendor Records 247, Create Purchase Orders 389, Create Purchase Requisitions 188, Post Parked Vendor Invoice 146, Post Vendor Downpayment Request 78, Pricing Master Data 110, Process Direct (FI) Vendor Invoices 587, Process Goods Receipt 564, Process Incoming Payments 216, Process Vendor Invoices (MM) 633, Release Blocked Invoices 492, Vendor Downpayment Request 85; 3962 conflicts

Overall results: FSCP 676 + O2C 2176 + P2P 3962 = 6814 conflicts
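An added example of the segregation-of-duties check behind such a heatmap, written for this page and not code from the original deck or from SAP GRC Access Control: users inherit transactions through roles, a rule set names pairs of conflicting business functions per process area, a compensating control with an expiry date turns a gross conflict into a mitigated one, and the findings are aggregated per area. The users, roles, rule set and function-to-transaction mapping are constructed sample data, and the SAP transaction codes are illustrative only:

```python
"""Segregation-of-duties (SoD) check over user/role assignments with
compensating controls and per-process conflict totals.

Added example, not code from the original deck or from SAP GRC Access Control.
Users, roles, the rule set and the function-to-transaction mapping are
constructed sample data; the SAP transaction codes are illustrative only.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set

# Business functions and the transactions that grant them (constructed).
FUNCTIONS: Dict[str, Set[str]] = {
    "CREATE_VENDOR":     {"XK01", "XK02"},
    "CREATE_PO":         {"ME21N", "ME22N"},
    "RELEASE_PO":        {"ME28", "ME29N"},
    "GOODS_RECEIPT":     {"MIGO"},
    "POST_VENDOR_INV":   {"MIRO", "FB60"},
    "RUN_PAYMENTS":      {"F110", "F-53"},
    "MAINTAIN_GL":       {"FS00"},
    "POST_JOURNAL":      {"FB01", "FB50"},
    "MAINTAIN_CUSTOMER": {"XD01", "XD02"},
    "CUSTOMER_PAYMENT":  {"F-28"},
}

# SoD rules: (risk id, process area, function A, function B). Constructed.
RULES = [
    ("P2P-01",  "P2P",  "CREATE_VENDOR",     "RUN_PAYMENTS"),
    ("P2P-02",  "P2P",  "CREATE_PO",         "RELEASE_PO"),
    ("P2P-03",  "P2P",  "GOODS_RECEIPT",     "POST_VENDOR_INV"),
    ("P2P-04",  "P2P",  "POST_VENDOR_INV",   "RUN_PAYMENTS"),
    ("FSCP-01", "FSCP", "MAINTAIN_GL",       "POST_JOURNAL"),
    ("O2C-01",  "O2C",  "MAINTAIN_CUSTOMER", "CUSTOMER_PAYMENT"),
]

ROLES: Dict[str, Set[str]] = {  # role -> transactions (constructed)
    "Z_AP_CLERK":      {"MIRO", "FB60", "MIGO"},
    "Z_AP_PAYMENTS":   {"F110", "F-53"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_BUYER":         {"ME21N", "ME22N"},
    "Z_PO_APPROVER":   {"ME28"},
    "Z_GL_ACCOUNTANT": {"FB01", "FB50"},
    "Z_GL_MASTER":     {"FS00"},
    "Z_SD_CLERK":      {"XD01", "F-28"},
}

USERS: Dict[str, List[str]] = {  # user -> roles (constructed)
    "a.huber":  ["Z_AP_CLERK", "Z_AP_PAYMENTS"],
    "u.meier":  ["Z_BUYER", "Z_PO_APPROVER"],
    "s.keller": ["Z_VENDOR_MASTER"],
    "p.roth":   ["Z_GL_ACCOUNTANT", "Z_GL_MASTER"],
    "l.bauer":  ["Z_SD_CLERK"],
}

# Compensating (mitigating) controls assigned per user and risk, valid until a date.
MITIGATIONS: Dict[tuple, date] = {
    ("u.meier", "P2P-02"): date(2014, 12, 31),  # monthly review of approved POs by finance
    ("p.roth", "FSCP-01"): date(2012, 12, 31),  # expired: must not count any more
}


def user_transactions(user: str, users=USERS, roles=ROLES) -> Set[str]:
    """Union of all transactions granted through the user's roles."""
    return set().union(*(roles.get(r, set()) for r in users.get(user, [])))


def functions_of(tcodes: Set[str]) -> Set[str]:
    """Business functions a set of transactions enables (any one tcode suffices)."""
    return {f for f, t in FUNCTIONS.items() if t & tcodes}


def find_conflicts(users=USERS, roles=ROLES, rules=RULES,
                   mitigations=MITIGATIONS, today=date(2013, 4, 11)) -> List[dict]:
    """One finding per user and violated rule. A finding stays on record even
    when mitigated; an expired mitigation counts as no mitigation."""
    findings = []
    for user in sorted(users):
        funcs = functions_of(user_transactions(user, users, roles))
        for risk_id, area, f1, f2 in rules:
            if f1 in funcs and f2 in funcs:
                valid_until = mitigations.get((user, risk_id))
                findings.append({
                    "user": user, "risk_id": risk_id, "area": area,
                    "functions": (f1, f2),
                    "mitigated": valid_until is not None and valid_until >= today,
                })
    return findings


def summarize(findings: List[dict]) -> Dict[str, Dict[str, int]]:
    """Gross (all) and net (unmitigated) conflict counts per process area:
    the aggregation step behind a per-process heatmap."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"gross": 0, "net": 0})
    for f in findings:
        summary[f["area"]]["gross"] += 1
        if not f["mitigated"]:
            summary[f["area"]]["net"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = find_conflicts()
    for f in found:
        flag = "mitigated" if f["mitigated"] else "OPEN"
        print(f"{f['user']:10} {f['risk_id']:8} {flag:9} {f['functions']}")
    print(summarize(found))
```

Running the block lists every finding with its status and the per-area gross and net totals. The expired mitigation of p.roth is reported as open again, which is the check a periodic review has to perform instead of trusting the mitigation flag alone; passing an empty mitigation table gives the gross picture that a first SoD run on an ERP system produces.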

Heatmap legend: P2P, O2C, FSCP

GRC R2Go System by BearingPoint: from regulation to measurement, with effective continuous control monitoring


SAP GRC enforces a highly mature process landscape, following standards that allow companies to gain efficiency, effectiveness and more consistency

Elements: control objective → risk → controls → test plans

1. ICS-relevant processes to be considered, identification of relevant controls and definition of procedures to mitigate risks, design of test plans
   Process Owners (corporate), Process Owners (local), Internal Control Owners (corporate)
2. Create controls and test plans within SAP GRC
   Internal Control Owners (corporate)
3. Test of Design (ToD): regularly test the design of controls to ensure that each control is designed to mitigate the respective risk
   Internal Control Owners (corporate), Internal Control Owners (local)
4. Test of Effectiveness (ToE): based on a test plan, audit controls and assess operational effectiveness
   Internal Control Owners (corporate), Internal Control Owners (local)

Segregation of duties between process owners and internal control owners, as assigned in steps 1, 2 and 3

Summary and closing


To integrate ICS within ERM, a harmonized and structured organization needs to be established

Harmonized, homogeneous, structured and clearly defined:
• Roles and responsibilities
• Competencies
• Communication lines
• Process control processes
• Reporting rules
• Control testing approach
• Remediation actions

Questions?

BearingPoint Switzerland

Thank You