Enterprise Risk Management Process Automation at Sybase
ISACA March Luncheon
March 22, 2012
Presented by: Bruce Carpenter (Sybase) and John Livingood (Protiviti)
© 2011 Protiviti Inc. An Equal Opportunity Employer. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to any third party.
2008: Three Top Economists Agree Worst Financial Crisis Since Great Depression
What We'll Cover …
• Sybase's Legacy ERM Framework
• Drivers for a GRC Platform
• The SAP BusinessObjects GRC Implementation Program at Sybase
• Sybase's Current ERM GRC Process
• Future GRC Phases
• Wrap-Up
Milestones for Risk Management at Sybase
2006: Treasury Department conducted an organization-wide risk identification process (bottom-up approach)
  • Questionnaire
  • Interview approach
  • Qualitative / judgmental evaluation of risks
2008: Strategic risk identification process introduced (top-down approach)
  • Executive Leadership Team (ELT) identified key risks associated with meeting strategic objectives for the CEO
  • Chief Executive (CEO) identified Top 5 risks
  • Manual reporting to Audit Committee
2009: Regulatory risk assessment conducted
  • Global legal conducted a worldwide compliance risk assessment
  • Finance and HR teams worked with legal and internal audit to prioritize areas for compliance
2010: Sybase implements SAP GRC Phase 1
Key Building Blocks for Sybase Risk Management
Manual Risk Management Process
• Identified and documented the risks that executives needed to manage to meet the performance objectives set for the chief executive
• Internal Audit conducted quarterly interviews with the ELT and CEO
• Included external data (risk input from the Big Four, external surveys, current market issues such as the credit crunch)
• Manual quarterly reporting to the Audit Committee, using the concepts of inherent risk and residual risk and a qualitative risk rating scale:

Impact Level | Color  | Dollar Amount
High         | Red    | Greater than $100 million
Medium       | Yellow | Between $25 million and $100 million
Low          | Green  | Between $0 and $25 million
Pre-GRC: Quarterly Risk Reporting
(Figure: heat map of the Top 5 risks. Horizontal axis: Likelihood, Low to High. Vertical axis: Impact (financial loss; harm to reputation), Low to High, with $0m, $25m and $100m markers. Risks 1 to 5 are plotted by number; the key marks the High Risk Exposure region.)
Inherent – The natural risks of being in a particular business, before assessing the impact of management controls.
Impact – The level of financial and/or reputation harm to the firm.
Likelihood – The probability and frequency with which the risk may occur.
Sybase Top 5 Risks:
1. Manage revenue impact of Financial Services Industry changes
2. Manage risk of declining value in Balance Sheet (Key Investments)
3. Monitor and adjust forecasts of revenue and margins during changing economic times
4. Maintain high quality of products and services
5. Navigate changes in / impact of regulatory environment for Telcos
Risk Management Summary for Audit Committee
(Matrix of business functions against the risks each one owns. Columns: Sales, iAS, S365, Product Development, Marketing / Corporate IT, HR, Legal, Finance, M&A. Most cells in the example hold placeholders Risk A to Risk D; the named risks are:)
• Monitor revenue impact of Financial Services Industry changes
• Understand possible change in business models at Telcos
• Ensure quality of products and services
• Monitoring financial results, including revenue and margin targets
• Monitor risk of declining value in Balance Sheet
Roles:
• Audit Committee: risk management oversight
• ELT: ongoing risk identification, review and monitoring
• Internal Audit: coordination, auditing and reporting
• Business Functions: Sales, iAS, S365, Product Development, Marketing / Corporate IT, HR, Legal, Finance, M&A
Sybase Top Five Risks Quarterly Update: Example
Ref. No.: 1
Definition: Manage revenue risks arising from changing financial condition of financial services industry customers (e.g., acquisitions, mergers).
Risk Management Initiative: Sales Pipeline Review identified mergers and acquisitions of FSI customers to assess impact on future revenues.
Status Q2'09: License revenue: the formation of larger FSI companies will potentially allow bigger deals, which will be easier to negotiate. Results: plan upside for 2009. Ongoing monitoring by FSI team.
Responsibility: ELT Members
Status Q4'09: 2009 target from top 20 global accounts is $xxx million. Forecast to achieve goal.
…but what is missing?
Credit Crisis Example: Risk Categories and Risk Management Initiatives
• Conduct Investment Analysis; Revalue Auction Rate Securities
• Critical Service Providers: Evaluate Counterparty Risks
• Monitor Sales Pipeline Mergers of FSI Customers; Manage Deferred Revenue
• Shareholder Stability Risks: Analyze Exposure to Stockholder Volatility; Analyze Top 50 Shareholders to Identify Potential Exposures
• FSI Customer Financial Stability: Analyze Accounts Receivable FSI %; Calculate FSI % of Doubtful Accounts; Evaluate Extended Payment Terms FSI %
• Financial Stability of Other Customers: Monitor Other Credit Granting Exposure
• Insurance Company Stability: Identify Potential Exposure to Insurance Company Failure
• Mission Critical Suppliers: Evaluate Potential Risks for Payroll; Evaluate Potential Risks for Data Center & Networks; Evaluate Potential Risks for SAS 70 Providers
…in the future, how many of these could be automatically monitored?
Dashboard: Regulatory Risks
…but this reporting format is inconsistent with other risk management reporting.
(Matrix of priority compliance risks against compliance program elements, each cell color-coded. Columns: Scope Defined; Responsibility for compliance assigned; Risk Assessment Conducted; Policy / Process Defined; Communication and Training; Compliance Monitoring and Reporting; Defined penalties for breaches; Process to ensure continuous improvement.)
Priority Compliance Risks:
• Financial Compliance
• FCPA (note 1)
• Litigation Holds - IT Backup (note 2)
• Export Control Requirements (US and Foreign) (note 3)
• Antitrust (note 4)
• Copyright (Infringement of Third Party Rights)
• Patent Infringement
• Insider Trading
• Political Contributions/Gifts; Lobbying Rules
• Data Privacy (of customers, employees, third parties)
• Related Party Transactions
Notes:
1. Review APO Entertainment Policies in high-exposure countries. In progress.
2. E-Vault implementation will facilitate improved ability to locate e-mail and related documents. In progress.
3. Review export controls worldwide. In progress.
4. Consider annual training or reminder for all sales managers, salespeople and controllers involved in indirect channel sales. Awaiting automated survey capability in SAP.
Legend: Immediate action needed / Improvement opportunities identified / Compliance effort assessed as adequate
Implementing GRC – Key Drivers
• Lack of real-time reporting
• Could not relate controls to risks
• Risk data was difficult to manipulate and analyze
• Hard to develop data analytics to enable data-driven risk monitoring
• Need to keep pace with developments in ERM: risk appetite, risk velocity
Key Risk Indicators and Data Analytics: Channel Stuffing
Risk: the ability to monitor ongoing software downloads to detect channel stuffing.
(Figure: product ASE flows from Sybase through Sales and Shipping to Partner B, Partner A and a System Integrator before reaching the End User. License key downloads at the end user generate a report showing software activation.)
Risk: Software Inventory "Stuck" in the Channel
Source: SAP
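A worked key risk indicator for the channel-stuffing risk above, added here as an example; it is not code from the presentation or from SAP GRC. It compares ASE units shipped into the channel with license-key activations reported back, per partner over a trailing window, and separately measures how much of a partner's volume lands in the last days of a quarter. Partner names, dates, quantities and the thresholds are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (not Sybase records): units of product "ASE" shipped to
# channel partners and license-key activations that came back from end users.
SHIPMENTS = [  # (ship_date, partner, product, units)
    (date(2011, 11, 5), "Partner A", "ASE", 40),
    (date(2011, 12, 28), "Partner A", "ASE", 120),  # large drop three days before quarter end
    (date(2011, 11, 9), "Partner B", "ASE", 30),
    (date(2011, 12, 15), "Partner B", "ASE", 25),
]
ACTIVATIONS = [  # (activation_date, partner, product, units)
    (date(2011, 11, 20), "Partner A", "ASE", 25),
    (date(2012, 1, 10), "Partner A", "ASE", 10),
    (date(2011, 11, 30), "Partner B", "ASE", 28),
    (date(2012, 1, 5), "Partner B", "ASE", 20),
]
AS_OF = date(2012, 1, 31)  # reporting date for the example run


@dataclass
class KriResult:
    partner: str
    shipped: int
    activated: int
    activation_ratio: float   # activated / shipped within the window
    unactivated_units: int    # inventory presumed still sitting in the channel
    breach: bool              # ratio below the agreed threshold


def channel_stuffing_kri(shipments, activations, as_of, window_days=90, min_ratio=0.5):
    """Per partner, compare units shipped with units activated in the trailing window.
    A low ratio means product is being pushed into the channel faster than end users
    take it up: the pattern the slide describes as inventory 'stuck' in the channel."""
    start = as_of - timedelta(days=window_days)
    shipped, activated = defaultdict(int), defaultdict(int)
    for d, partner, _product, units in shipments:
        if start <= d <= as_of:
            shipped[partner] += units
    for d, partner, _product, units in activations:
        if start <= d <= as_of:
            activated[partner] += units
    results = {}
    for partner in sorted(set(shipped) | set(activated)):
        s, a = shipped[partner], activated[partner]
        ratio = a / s if s else 1.0  # nothing shipped in the window: no exposure
        results[partner] = KriResult(partner, s, a, round(ratio, 2), max(s - a, 0),
                                     s > 0 and ratio < min_ratio)
    return results


def _days_to_quarter_end(d):
    """Days from d to the last day of its calendar quarter."""
    last_month = ((d.month - 1) // 3 + 1) * 3
    if last_month == 12:
        q_end = date(d.year, 12, 31)
    else:
        q_end = date(d.year, last_month + 1, 1) - timedelta(days=1)
    return (q_end - d).days


def quarter_end_share(shipments, partner, last_days=10):
    """Fraction of a partner's shipped units that landed in the final days of a quarter.
    Heavy quarter-end loading is a second classic channel-stuffing indicator."""
    total = sum(u for _, p, _, u in shipments if p == partner)
    late = sum(u for d, p, _, u in shipments
               if p == partner and _days_to_quarter_end(d) < last_days)
    return round(late / total, 2) if total else 0.0


if __name__ == "__main__":
    for r in channel_stuffing_kri(SHIPMENTS, ACTIVATIONS, AS_OF).values():
        flag = "BREACH" if r.breach else "ok"
        print(f"{r.partner}: shipped={r.shipped} activated={r.activated} "
              f"ratio={r.activation_ratio} stuck={r.unactivated_units} "
              f"q_end_share={quarter_end_share(SHIPMENTS, r.partner)} {flag}")
```

With the constructed data Partner A has 160 units shipped against 35 activated in the 90-day window (ratio 0.22, 75% of its volume shipped in the last ten days of the quarter) and breaches the threshold, while Partner B (ratio 0.87) does not. Fed from the shipping system and the activation report, the same two numbers can be computed on a schedule rather than in a quarterly interview.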
Sybase Risk Management Maturity Model
(Figure: stages of increasing maturity)
• Building Awareness
• Defined Process
• Identification of KRIs
• Link Risks to Controls
• Periodic Quantification, Evaluation and Reporting
• Real-Time Monitoring of KRI
• Risk Informed Decision Making
• Drive Revenue by Being Able to Demonstrate Compliance
Risk Management Maturity Model
(Source: SAP. Rows are maturity levels from Optimized down to Initial; columns are Business Policies, Business Processes, People and Organizations, Management Reports, Methodologies, and Systems and Data.)

Optimized
• Business Policies: Risk strategies in place; continuous improvement focus
• Business Processes: Fully integrated risk & strategic management; inefficiencies removed, using formal cost / benefit analysis
• People and Organizations: Risk management is aligned with individual performance metrics and with knowledge and skill upgrades
• Management Reports: 'What if' scenarios are identified and tracked; special reports are defined for key risk areas
• Methodologies: Risk quantification integrated into business decisions; mitigation efforts prioritized using risk analysis
• Systems and Data: Integrated risk measurement systems are continuously improved; special purpose systems quantify portfolios of risk

Managed
• Business Policies: Risk tolerance limits effective and allocated to operating units
• Business Processes: Risk management integrated with line management activities; corrective actions are taken when limits are exceeded or procedures are violated
• People and Organizations: Strong teamwork in place; role models evolving; prepared for contingencies; expertise fully in place
• Management Reports: Integrated risk reporting: risk-adjusted profitability measure, linked to KPIs, exception reporting
• Methodologies: Integrated risk models used; early warning systems; exposures anticipated through time-tested models and analytics; capital allocation techniques applied
• Systems and Data: Enhanced functionality & expanded risk coverage; risk data collected as part of normal business routines; database systems support risk management

Defined
• Business Policies: Enterprise-wide policies and guidelines documented and allocated to org units
• Business Processes: Uniform risk management processes; mitigation & oversight are documented & applied; modeling process exists
• People and Organizations: Defined accountabilities; integrated teams, backup capabilities, standard roles, training; central coordination function
• Management Reports: Enterprise-wide reports; exceptions and 'near misses'; action plans tracked
• Methodologies: Improved, consistent measures of performance variability exist; systematic approach to loss exposures; risk coverage expanded based on formal risk assessment
• Systems and Data: Stable client service application used to leverage decision making; scalable and reliable architecture; web-enabled processes for data organization, extraction, analysis and reporting

Repeatable
• Business Policies: Risk policies are articulated and followed; risk tolerance limits established; policies documented and stable
• Business Processes: Process gaps identified and corrected
• People and Organizations: Risk owners have clearly defined roles, support and training
• Management Reports: Regular consistent reports; some key metrics
• Methodologies: Improved risk measures evolving; consistent risk-related assumptions; specified methods used
• Systems and Data: Systematic data collection exists for some risks; independent spreadsheet models are used rather than a centralized application; improved system security / data integrity exists, fostering improved confidence in models

Initial
• Business Policies: Policies and risk tolerance limits undocumented and vague
• Business Processes: No formal processes; event responses reactionary and ad hoc
• People and Organizations: Event response characterized by individual heroics; no individual accountability
• Management Reports: Ad hoc management reports; incomplete, inconsistent, untimely
• Methodologies: Rough risk measures; oversimplification of risk prevalent; methodology lacks key risk characteristics
• Systems and Data: Spreadsheets used to manage risk-related information; poor data quality

Risk Management Maturity Model – Past
(Source: SAP. Cells highlighted for Sybase's starting position:)
• Business Policies: Defined (enterprise-wide policies and guidelines documented and allocated to org units)
• Business Processes: Managed (risk management integrated with line management activities; corrective actions taken when limits exceeded or procedures violated)
• People and Organizations: Repeatable (risk owners have clearly defined roles, support and training)
• Management Reports: Repeatable (regular consistent reports; some key metrics)
• Methodologies: Initial (rough risk measures; oversimplification of risk prevalent; methodology lacks key risk characteristics)
• Systems and Data: Initial (spreadsheets used to manage risk-related information; poor data quality)

Risk Management Maturity Model – Current
(Source: SAP. Cells highlighted for Sybase's current position:)
• Business Policies: Defined (enterprise-wide policies and guidelines documented and allocated to org units)
• Business Processes: Managed (risk management integrated with line management activities; corrective actions taken when limits exceeded or procedures violated)
• People and Organizations: Defined (defined accountabilities; integrated teams, backup capabilities, standard roles, training; central coordination function)
• Management Reports: Defined (enterprise-wide reports; exceptions and 'near misses'; action plans tracked)
• Methodologies: Defined (improved, consistent measures of performance variability; systematic approach to loss exposures; risk coverage expanded based on formal risk assessment)
• Systems and Data: Defined (stable client service application used to leverage decision making; scalable and reliable architecture; web-enabled processes for data organization, extraction, analysis and reporting)

Risk Management Maturity Model – Future
(Source: SAP. Cells highlighted for Sybase's target position:)
• Business Policies: Optimized (risk strategies in place; continuous improvement focus)
• Business Processes: Optimized (fully integrated risk & strategic management; inefficiencies removed, using formal cost / benefit analysis)
• People and Organizations: Managed (strong teamwork in place; role models evolving; prepared for contingencies; expertise fully in place)
• Management Reports: Managed (integrated risk reporting: risk-adjusted profitability measure, linked to KPIs, exception reporting)
• Methodologies: Optimized (risk quantification integrated into business decisions; mitigation efforts prioritized using risk analysis)
• Systems and Data: Optimized (integrated risk measurement systems continuously improved; special purpose systems quantify portfolios of risk)
SAP BusinessObjects GRC Modules
(Figure: Governance, Risk, and Compliance at the center, surrounded by the modules)
• Access Control
• Process Control
• Risk Management
• Global Trade Services
• Environment, Health and Safety
Integrated Governance Risk & Compliance
(Figure: the Access Risk Management, Process Control and Risk Management modules linked around one worked example, with "Develop and Package External Content" feeding in.)
Enterprise Risk: Fraud
• Regulations
• Process: Procure to Pay (Vendor Mgmt, AP Invoicing)
• Process Risks: Fraudulent invoices paid; valid invoices not entered
• Access Risks: User can enter vendor & PO; user can enter invoices & payments
• Controls: Review of new vendors and related invoice support; AP SOD rules in AC; review of uninvoiced goods receipts; monitor access status; mitigate access violations
• Responses: Reduce, Control, Avoid, Accept, Transfer
• Policies: Update and roll out strengthened security policy
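The two access risks in the example above are segregation-of-duties rules: a single user able to create a vendor and raise a purchase order, or to enter an invoice and release its payment. The block below is an added example of how such rules are evaluated; it is not Sybase's ruleset or SAP Access Control's code. Roles, users, function names and the mitigating-control assignment are constructed; the rule wording and the mitigating control name are taken from the slide.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (not Sybase's roles, users or rules). Roles grant
# business functions in procure-to-pay; a user may hold several roles.
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"enter_invoice"},
    "AP_MANAGER": {"enter_invoice", "release_payment"},
    "BUYER": {"create_po"},
    "VENDOR_ADMIN": {"maintain_vendor"},
    "DISPLAY_ONLY": {"display_vendor", "display_po"},
}
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"BUYER", "VENDOR_ADMIN"},    # conflict arises only from the role combination
    "bob": {"AP_MANAGER"},                 # conflict built into a single role
    "carol": {"AP_CLERK", "DISPLAY_ONLY"},
    "dave": {"AP_CLERK", "BUYER"},
}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    functions: frozenset  # holding every function in the set is a violation


# The two access risks named on the slide, written as rules
SOD_RULES = [
    SodRule("AP01", "User can enter vendor & PO", frozenset({"maintain_vendor", "create_po"})),
    SodRule("AP02", "User can enter invoices & payments",
            frozenset({"enter_invoice", "release_payment"})),
]

# Mitigating control accepted for a specific user/rule pair (constructed assignment;
# the control wording is the one the slide lists)
MITIGATIONS: Dict[Tuple[str, str], str] = {
    ("alice", "AP01"): "Review of new vendors and related invoice support",
}


@dataclass
class Violation:
    user: str
    rule_id: str
    via_roles: Tuple[str, ...]   # roles that together supply the conflicting functions
    mitigated_by: Optional[str]


def effective_functions(user: str, user_roles=USER_ROLES, roles=ROLES) -> Dict[str, Set[str]]:
    """Map each business function the user can perform to the roles granting it."""
    funcs: Dict[str, Set[str]] = {}
    for role in sorted(user_roles.get(user, ())):
        for f in roles.get(role, ()):
            funcs.setdefault(f, set()).add(role)
    return funcs


def find_sod_violations(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES,
                        mitigations=MITIGATIONS) -> List[Violation]:
    """Detective check: which users hold all functions of a rule, and through which roles."""
    found = []
    for user in sorted(user_roles):
        funcs = effective_functions(user, user_roles, roles)
        for rule in rules:
            if rule.functions <= set(funcs):
                via = tuple(sorted({r for f in rule.functions for r in funcs[f]}))
                found.append(Violation(user, rule.rule_id, via,
                                       mitigations.get((user, rule.rule_id))))
    return found


def unmitigated(violations: List[Violation]) -> List[Violation]:
    """Violations with no accepted mitigating control: these need access remediation."""
    return [v for v in violations if v.mitigated_by is None]


def simulate_assignment(user: str, new_role: str, user_roles=USER_ROLES, roles=ROLES,
                        rules=SOD_RULES) -> List[str]:
    """Preventive check for a provisioning request: rule IDs that new_role would newly violate."""
    def rule_ids(assignments):
        return {v.rule_id for v in find_sod_violations(assignments, roles, rules, {})
                if v.user == user}
    trial = dict(user_roles)
    trial[user] = set(user_roles.get(user, set())) | {new_role}
    return sorted(rule_ids(trial) - rule_ids(user_roles))


if __name__ == "__main__":
    for v in find_sod_violations():
        status = f"mitigated by '{v.mitigated_by}'" if v.mitigated_by else "UNMITIGATED"
        print(f"{v.user}: {v.rule_id} via {', '.join(v.via_roles)} -> {status}")
    print("dave + AP_MANAGER would add:", simulate_assignment("dave", "AP_MANAGER"))
```

Two things the example makes visible: the violation report names the roles that combine to produce each conflict (alice's comes from BUYER plus VENDOR_ADMIN, bob's from a single role that should itself be redesigned), and the same rule evaluation run against a proposed assignment gives the preventive check a provisioning workflow needs before a role is granted.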
SAP GRC Roadmap – Discussion Document
(Figure: roadmap items laid out by module across Phase I, Phase II and Phase III.)
Access Control: SoD Analysis/Reporting; Firefighter Access Mgmt; Automated User Provisioning; Role Mgmt & Administration
Process Control: Repository of Manual Controls; Automated Controls; Controls Test Workflow; Surveys & Certifications
Risk Management: Risk Register & Response Plans; Survey / Automate Workflow; Manual Key Risk Indicators; Risk Simulation; Automated KRIs
Cross-module: eGRC Platform Integration; eGRC Integrated Control Library
Refining and Developing Methodology
Risk Management cycle (Source: SAP):
• Plan: Drive agreement on top risks, thresholds, and appetite
• Identify and Analyze: Identify and assess all key risks across the enterprise
• Respond: Create resolution strategies for top risks that maximize return on capital
• Monitor: Build proactive monitoring into existing business processes and strategies
Specific Sybase Challenges
• Defining risk categories, risk drivers, and impact categories
• Defining key risk indicators
• Ensuring the system flexibly handles both regulatory compliance and other enterprise risks
Methodology Refinement: Development of Risk Categories
Compliance: Regulatory (Legal); Contractual Liability; Professional Services; S365 (Regulatory (Legal)); Financial Compliance; FCPA Compliance; SOX Compliance; SEC Filing; SEC Compliance; Federal / State / Local; EMEA Tax; APO Tax; HR Compliance; Data Privacy; Sybase 365
Financial and Tax: Intercompany Pricing; Interest Rate Risk; Liquidity; Balance Sheet; Foreign Exchange; Credit Risk; Managing Profitability (Sybase, Sybase 365)
Strategic (Business): Technology; Protection of IP; Product Quality & Innovation (Sybase, Sybase 365, iAnywhere); Suppliers; Reputation; Integration Risk; Acquisitions; Software Platforms; Customer Satisfaction; Information for Decision Making; Market Risk; Workforce Quality; Communication of Strategy (Sybase, Sybase 365); Revenue Growth
Political: War / Civil Unrest; Government Action; Protectionism; Anti-globalism; Terrorism
Operational: Personnel; Business Continuity Planning; Delivery of Software; Criminal; Information/Data; IT Infrastructure; Sybase 365 IT Infrastructure; Physical Damage
Methodology Refinement: Developing Impact Categories
Impact Category       | Description
Revenue               | Loss of revenues
Cost                  | Increased cost
Customer Satisfaction | Impact on customer satisfaction
Reputation            | Damage to reputation / brand
Product / IP Value    | Loss of product / IP value
Environmental         | Environmental impacts
Cash / Capital        | Inability to effectively manage cash or collect receivables; reduced creditworthiness in the market
Intangibles           | Loss of intangible value
Market Perception     | The market's overall view of the company's future sustainability
Methodology Refinement: Quantification of Impact Categories
Impact Level      | Quantitative Impact (in 1000 €)
Insignificant     | € 0 to € 200
Minor             | € 200 to € 1,000
Moderate          | € 1,000 to € 5,000
Major             | € 5,000 to € 25,000
Business Critical | Over € 25,000
Project Risks to Consider
Common Pitfalls
• Failure to obtain "buy-in," involvement, and support from Executive Management
• Risks are managed in "silos," leading to decisions that are not always well coordinated
• Risk awareness is low due to limited management focus or communication across business or functional units
• Risk management activities are not linked to strategy, and the current process is not clearly defined
Leading Practices
• Approach in phases, taking advantage of visionaries and high-value pilots before proceeding to ERM
• A risk management advocate drives the process, but business units own risk, with periodic audit / compliance review
• Embed risk management into existing processes and performance scorecards
• Identify risk interrelationships and assumptions; refine common language and standards over time
• Instill a risk management culture (awareness, recognition, etc.)
Key Advantages vs. Manual Process
From siloed manual risk registers to standardized risk management
New Capabilities
• Merged Excel risk registers into the central SAP BusinessObjects Risk Management database
• System promotes a common language and standard interpretations for risks
• Risks automatically plotted in a heat map
Value Added
• Transparent view of comprehensive risks allows for greater consistency and knowledge sharing across regions
• Executives can weigh decisions based on a normalized risk equation, rather than multiple interpretations
• Focus can shift from formatting and spreadsheet errors to true analysis of exposure and profitability, as well as active response plans
Key Advantages vs. Manual Process (continued)
From labor-intensive periodic reporting to on-demand risk views (new capabilities and value added):
• Multiple views available depending on role and interest: risk category, drivers, impacts, exposure, etc.
• View the entire organization, a region or a specific country at once
• Quickly and effectively highlight top risks to management for investigation and intervention
• SAP BusinessObjects Risk Management dashboards and heat maps can be viewed by executives whenever and wherever needed
(For contrast, the old quarterly table:)
#: 1
Definition: Manage revenue risks arising from changing financial condition of financial services industry customers (e.g., acquisitions, mergers)
Risk Management Initiative: Sales Pipeline Review identified mergers and acquisitions of FSI customers to assess impact on future revenues
Status Q3'09: License revenue: the formation of larger FSI companies will potentially allow bigger deals, which will be easier to negotiate. Results: plan upside for 2009. Ongoing monitoring by FSI team.
Responsibility: ELT Members
Status Q4'09: 2009 target from top 20 global accounts is $xxx million. Forecast to achieve goal.
Heat Map Dashboard Overview (example)
Columns: Risk Event | Organization | Activity | Person | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency
Reporting: Old Style
(Figure: heat map with Likelihood, Low to High, on the horizontal axis and Impact (financial loss; harm to reputation), Low to High with $0m, $25m and $100m markers, on the vertical axis. The Primary Risks 1 to 5 are plotted by number.)
Old style reporting:
• Qualitative measurement
• Limited supporting data to justify ratings
Reporting: New Style
New style reporting: Inherent Risk, before the impact of management strategies
• Clearer use of color
• Incorporates reporting on all risks, not just the Top 5
• Clearly shows the number of risks in each cell
(Heat map: columns are impact levels, rows are likelihood levels; each cell holds the number of risks.)
Insignificant Minor Moderate Major Business Critical
Near Certainty 2 8 8
Highly Unlikely 1 4
Likely 6 4
Unlikely 2 4
Remote 1 1
Reporting: New Style (continued)
New style reporting: Residual Risk, showing the impact of current management strategies
• Assessments supported by more quantitative data
• Easier recognition of risk reduction
• Note: management strategies are in the initial stages of implementation
(Heat map: same layout; each cell holds the number of risks.)
Insignificant Minor Moderate Major Business Critical
Near Certainty 6 1 4
Highly Unlikely 4 1 2
Likely 1 2 2 1
Unlikely 1 5 6
Remote 1 2
Reporting: New Style (continued)
New style reporting: Expected impact of planned management strategies
• Clearer visual picture of the expected impact of risk management strategies
• Allows management to clearly visualize risks which may need additional strategy development
(Heat map: same layout; each cell holds the number of risks.)
Insignificant Minor Moderate Major Business Critical
Near Certainty 1 1
Highly Unlikely 1 1
Likely 2 4
Unlikely 1 1 6 6 5
Remote 1 1 3 4 3
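The quantification table earlier and the three count heat maps above describe the mechanics of the new-style reporting. The following is an added example of those mechanics; it is not the presentation's or SAP's code. It bands a constructed risk register into the page's five impact levels (thousands of euro, upper bounds treated as inclusive) and five likelihood labels, counts risks per cell for the inherent and residual views, totals expected loss for the "by dollars" view, and lists risks whose cell has not moved under current strategies. The probability cut-offs for the likelihood labels, the ordering of "Highly Unlikely" below "Unlikely", and every register entry are assumptions made for the example.

```python
from bisect import bisect_left
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact bands from the quantification table, in thousands of euro. Each upper
# bound is inclusive; anything above the last bound is Business Critical.
IMPACT_LEVELS = ["Insignificant", "Minor", "Moderate", "Major", "Business Critical"]
IMPACT_UPPER_K_EUR = [200, 1_000, 5_000, 25_000]

# Likelihood labels as they appear on the heat maps, ordered from least to most
# likely. The probability cut-offs are an assumption for this example.
LIKELIHOOD_LEVELS = ["Remote", "Highly Unlikely", "Unlikely", "Likely", "Near Certainty"]
LIKELIHOOD_UPPER_P = [0.05, 0.20, 0.50, 0.80]


def impact_level(amount_k_eur: float) -> str:
    return IMPACT_LEVELS[bisect_left(IMPACT_UPPER_K_EUR, amount_k_eur)]


def likelihood_level(p: float) -> str:
    return LIKELIHOOD_LEVELS[bisect_left(LIKELIHOOD_UPPER_P, p)]


@dataclass
class Risk:
    name: str
    inherent_k_eur: float   # impact before management strategies
    inherent_p: float       # probability before management strategies
    residual_k_eur: float   # impact with current strategies
    residual_p: float


# Constructed register (not Sybase's risks): amounts in k EUR, p as probability per year
REGISTER = [
    Risk("FSI customer consolidation hits license revenue", 30_000, 0.60, 12_000, 0.40),
    Risk("Auction rate securities impairment", 8_000, 0.90, 8_000, 0.60),
    Risk("Data privacy breach at hosted service", 6_000, 0.30, 3_000, 0.10),
    Risk("Export control violation", 1_500, 0.40, 800, 0.15),
    Risk("Key supplier (data center) outage", 4_000, 0.25, 4_000, 0.25),
    Risk("Channel inventory stuck at partner", 2_500, 0.70, 900, 0.30),
]


def _exposure(r: Risk, view: str) -> Tuple[float, float]:
    if view == "inherent":
        return r.inherent_k_eur, r.inherent_p
    return r.residual_k_eur, r.residual_p


def cell(amount_k_eur: float, p: float) -> Tuple[str, str]:
    return likelihood_level(p), impact_level(amount_k_eur)


def heat_map(register: List[Risk], view: str) -> Dict[Tuple[str, str], int]:
    """Number of risks per (likelihood, impact) cell, as in the 'new style' heat maps."""
    counts = {(l, i): 0 for l in LIKELIHOOD_LEVELS for i in IMPACT_LEVELS}
    for r in register:
        counts[cell(*_exposure(r, view))] += 1
    return counts


def render(counts: Dict[Tuple[str, str], int]) -> str:
    """Text grid with likelihood rows (most likely on top) and impact columns."""
    width = max(len(i) for i in IMPACT_LEVELS) + 2
    lines = [" " * 18 + "".join(i.rjust(width) for i in IMPACT_LEVELS)]
    for l in reversed(LIKELIHOOD_LEVELS):
        row = "".join(str(counts[(l, i)] or ".").rjust(width) for i in IMPACT_LEVELS)
        lines.append(l.ljust(18) + row)
    return "\n".join(lines)


def expected_loss_k_eur(register: List[Risk], view: str) -> float:
    """Sum of impact x probability: the figure behind a 'risk overview by dollars'."""
    return round(sum(a * p for a, p in (_exposure(r, view) for r in register)), 1)


def risks_not_reduced(register: List[Risk]) -> List[str]:
    """Risks whose residual cell equals the inherent cell: current strategies have
    not moved them, so they are candidates for additional strategy development."""
    return [r.name for r in register
            if cell(*_exposure(r, "residual")) == cell(*_exposure(r, "inherent"))]


if __name__ == "__main__":
    for view in ("inherent", "residual"):
        print(f"{view} risk ({expected_loss_k_eur(REGISTER, view)} k EUR expected loss)")
        print(render(heat_map(REGISTER, view)), end="\n\n")
    print("not reduced by current strategies:", risks_not_reduced(REGISTER))
```

Because every rating is derived from a stored amount and probability rather than typed into a cell, the inherent and residual maps are guaranteed to describe the same risks, the "by dollars" total is reproducible, and a risk that has not moved between the two views can be listed mechanically instead of being spotted by eye.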
Reporting New Style: Example Risk Overview by Dollars
New style reporting: Residual Impact
• Allows management to consider whether to accelerate current strategies or implement additional strategies, based on dollar impact
Reporting New Style: Overview Dashboard (example)
Examples of new, additional interactive reporting styles.
Columns: Risk Event | Organization | Activity | Risk Category | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency
Reporting New Style: Driver Categories
Now we are able to consider whether any single driver constitutes a major risk, allowing management to consider the need for additional strategy development.
Columns: Risk Event | Organization | Activity | Risk Category | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency
Reporting New Style: Impact Categories (example)
Now we are able to relate impacts to drivers and consider whether this suggests a need to adjust management strategy.
Columns: Risk Event | Organization | Activity | Risk Category | Inherent Risk | Residual Risk | Inherent Risk Amount | Residual Risk Amount | Currency
Current State of Sybase ERM
Has a more quantitative framework
Holds managers more accountable to action plans because they have a clearer understanding of the risk
Is more auditable and more cost effective to operate
Impact on Executive Team Risk Management Behavior…
"Get my attention to what is required to achieve best industry practice with regard to risk management"
"There is a person (you) and a process (the company process) and people know that this is important"
"The risk management process creates the pressure of knowing that we have to get things done"
What We'll Cover …
• Sybase's Legacy ERM Framework
• Drivers for a GRC Platform
• The SAP BusinessObjects GRC Implementation Program at Sybase
• Sybase's Current ERM GRC Process
• Linking Risks to Controls
• Future GRC Phases
• Wrap-Up
Linking Compliance Risks with Controls: Pilot
Implement Process Controls: Pilot
• Automate monitoring of SOX control testing
• Identify controls which contribute to demonstrating compliance
Link Risk Management Data to Process Controls: Pilot
• Link controls (PC) to risks (RM)
• Conduct pilot to link data privacy risks to existing controls
PC = SAP BusinessObjects Process Control; RM = SAP BusinessObjects Risk Management
An initial pilot study was conducted to link data privacy compliance risks with existing internal controls (entity level controls and IT general controls). The objective was to demonstrate the capabilities of GRC 10.0 to link risks with controls.
What Got Us Started?
• May 2010: Bank No. 1, located in Germany, requested compliance with approximately 50 diverse requirements relating to German banking regulations, data security requirements, and data privacy.
• June 2010: Bank No. 2, also located in Germany, provided a list of approximately 40 compliance requirements, not identical but similar to Bank No. 1.
• November 2010: Bank No. 3, located in the Czech Republic, provided a list of approximately 30 compliance requirements. Again, similar to Bank No. 1, but not identical.
Common Thread: Making Risk Management Relevant and Useful
Regulatory Compliance Requirements
• Data privacy and protection compliance
• European banking laws
Common Internal Control Requirements
• IT General Controls: data security, user access, physical security
• Entity Level Controls: data confidentiality, code of conduct
Applied to Sybase's third-party service providers as well as internal operations
Driven by customer business needs
The Pilot: Data Protection and Privacy
Part 1: Resolving Issues from Initial External Review, e.g.: "Strengthen governance and risk management around data privacy."
Implemented policies to govern the management of personal information.
Specific Sybase Actions
• Strengthened role of data protection officer
• Revised Data Protection and Privacy Governance Structure
• Reviewed and revised 15 related internal policy documents
• Communicated policy requirements as appropriate
• Conducted specific training where relevant
Current Status
• Largely completed
The Pilot: Data Protection and Privacy (cont.)
Part Two: Ensuring current internal controls match all identified compliance risks
Identifying Compliance Risks
• Internal risk assessment
• External advice
• Customer contractual requirements
Matching with Controls
• Entity level controls
• IT General Controls
Identifying Control Locations
• Within Sybase 365
• At service provider locations
Link Compliance Risks to Control Requirements
[Diagram: Process Control (PC) on the left, Risk Management (RM) on the right; controls are linked to risk statements, and an "Update with Test Results" arrow carries PC test results back into the RM response plans]
Process Control (PC): controls and the risk statements they address
• IT General Control 1: Risk Statement 1
• IT General Control 2: Risk Statement 2
• IT General Control 3: Risk Statement 2
• Entity Level Control 1
• Entity Level Control 2
Risk Management (RM): risk statements and their response plans
• Risk Statement 1: Response Plan control IT General Control 1
• Risk Statement 2: Response Plan control IT General Control 2; Response Plan mitigation
• Risk Statement 3: Response Plan controls IT General Control 3, Entity Level Control 1, Entity Level Control 2
Link Compliance Risks to Control Requirements (cont.)
Process Control (PC)
Compliance Risk: Unauthorized physical access to data centers by unauthorized users may result in unauthorized use, disclosure, modification, damage or loss of data.
Control AS002 Physical Access: The Systems Engineering Team will maintain complete lists for each data center and any internal core processing systems of all personnel granted ongoing access.
[Arrow: Update with Test Results, PC to RM]
Risk Management (RM)
Enterprise Risk: Maintain Data Security & Privacy
Response Plan Control: AS002 Physical Access (the same control text as on the PC side)
Mitigation: Awareness campaign conducted. Encryption policies implemented. Training audiences identified and training conducted.
Understanding the Current Picture
[Diagram: Risks, Controls, Workflow, Control Testing, Version Control, Mitigation Strategies, Compliance Requirements, Reporting and Risk Assessment scattered around the question "Current Picture?"]
Understanding the Current Picture (cont.)
[Diagram: the same elements (Risks, Controls, Control Testing, Mitigation Strategies, Compliance Requirements, Reporting, Risk Assessment) now organized under Risk Management and Process Control, giving the "Current Picture"]
Defined workflow! No version control issues!
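To make the PC/RM linkage concrete, here is an added example (not from the slides and not SAP GRC code) of the data model the pilot describes: risk statements carry the controls in their response plan, control test results flow back from PC to RM, and a risk's status is derived from those results. Control AS002 and the physical-access risk statement are taken from the slides; the other controls, risks, identifiers and the status names are constructed for illustration.

```python
"""Added example: a minimal risk-to-control linkage model.

Risk statements link to the controls in their response plan; control test
results are pushed back (the "Update with Test Results" arrow) and decide the
risk's status.  AS002 and the physical-access risk statement come from the
slides; all other records are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    control_id: str
    description: str
    kind: str                           # "ITGC" or "ELC" (entity level control)
    test_result: Optional[str] = None   # "pass", "fail", or None if not yet tested


@dataclass
class Risk:
    risk_id: str
    statement: str
    control_ids: List[str] = field(default_factory=list)  # response-plan controls
    mitigation: str = ""


def risk_status(risk: Risk, controls: Dict[str, Control]) -> str:
    """Derive a risk's response-plan status from its linked controls' tests.

    A risk with no linked control cannot demonstrate compliance at all
    (the "dead in the water" case); any failed control fails the risk.
    """
    if not risk.control_ids:
        return "UNLINKED"
    results = [controls[cid].test_result for cid in risk.control_ids]
    if "fail" in results:
        return "CONTROL FAILED"
    if None in results:
        return "UNTESTED"
    return "MITIGATED"


def update_test_result(controls: Dict[str, Control], control_id: str, result: str) -> None:
    """The PC -> RM "update with test results" step."""
    if result not in ("pass", "fail"):
        raise ValueError("test result must be 'pass' or 'fail'")
    controls[control_id].test_result = result


def coverage_report(risks: List[Risk], controls: Dict[str, Control]) -> Dict[str, str]:
    """Status of every risk, keyed by risk id."""
    return {r.risk_id: risk_status(r, controls) for r in risks}


def unlinked_risks(risks: List[Risk], controls: Dict[str, Control]) -> List[str]:
    """Risks that have no control to point at for a compliance request."""
    return [r.risk_id for r in risks if risk_status(r, controls) == "UNLINKED"]


# Constructed sample data (AS002 text from the slides; the rest is made up).
CONTROLS: Dict[str, Control] = {
    "AS002": Control("AS002", "Physical Access - The Systems Engineering Team will "
                     "maintain complete lists for each data center and any internal "
                     "core processing systems of all personnel granted ongoing access.",
                     "ITGC"),
    "ELC-01": Control("ELC-01", "Data confidentiality policy acknowledged by staff (constructed)",
                      "ELC", "pass"),
    "ITGC-02": Control("ITGC-02", "User access reviewed quarterly (constructed)", "ITGC", "pass"),
}

RISKS: List[Risk] = [
    Risk("R1", "Unauthorized physical access to data centers by unauthorized users may "
               "result in unauthorized use, disclosure, modification, damage or loss of data.",
         ["AS002", "ELC-01"], mitigation="Awareness campaign conducted"),
    Risk("R2", "Terminated users retain system access (constructed)", ["ITGC-02"]),
    Risk("R3", "New customer data-residency requirement, not yet linked (constructed)"),
]

if __name__ == "__main__":
    print(coverage_report(RISKS, CONTROLS))
    update_test_result(CONTROLS, "AS002", "fail")   # the failing physical-access ITGC
    print(coverage_report(RISKS, CONTROLS))
    print("unlinked:", unlinked_risks(RISKS, CONTROLS))
```

Run as a script, the first report shows R1 untested (AS002 has no result yet), R2 mitigated and R3 unlinked; after the AS002 failure is pushed in, R1 flips to "CONTROL FAILED", which is the situation the "Failing Physical Access ITGC" slide shows in the dashboard.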
The Pilot: Multiple Response Plans
The Pilot: PC Control Response Plan
The Pilot: Assessment Dashboard
The Pilot: Failing Physical Access ITGC
What We'll Cover …
• Sybase's Legacy ERM Framework
• Drivers for a GRC Platform
• The SAP BusinessObjects GRC Implementation Program at Sybase
• Sybase's Current ERM GRC Process
• Future GRC Phases
• Wrap-Up
Future State (Implement, Link, Build, Refine)
Implement: Enhance Process Controls
• Build automated SOX control tests
• Develop additional automated compliance testing
Link: Link Risk Management Data to Process Controls
• Link controls (PC) to risks (RM)
• Relate new risks to existing controls (new regulatory requirements)
Build: Build Automated KRIs Linking to Core SAP ERP
Refine: Refine Reporting
PC = SAP BusinessObjects Process Control; RM = SAP BusinessObjects Risk Management
Linking Risk-Based Compliance Initiatives with Compensating Controls
Regulatory Requirements
• Foreign Corrupt Practices Act (FCPA)
Sub-processes & Controls (including test plans)
• Monitoring Agent / Third Party
  - Review Payments*
  - Monitor Wire Transfers*
  - SOD: Vendor Maintenance vs. Invoices*
• Awareness and Training
  - Code of Conduct
  - Hotline
• Due Diligence and Contract Review
  - Contract Agreements
  - Third-Party Due Diligence
Report
• Monitoring Training Status (FCPA Compliance)*
Functional Areas
• FI / CO
• Global Trade Services & Human Capital Management
* Indicates the potential for automated testing linking SAP ERP and SAP BusinessObjects Process Control
(continued next page)
Linking Risk-Based Compliance Initiatives with Compensating Controls (cont.)
Risk Event: Employee / Agent Involved in Illegal Arrangement (FCPA)
KRIs
• # of reviews conducted for due diligence on all foreign business partners and third-party representatives (manual)
• % employees with foreign official contact who have had FCPA training (SAP ERP HCM)
• Expense % of total compensation for sales agents responsible for international accounts (SAP – Payroll)
Drivers
• Operate in overseas high-risk markets
• Use of third-party representatives to facilitate overseas business
• Conduct business with foreign state-run entities
Impacts
• SEC & DOJ violations, fines, penalties, remediation
• Ineligibility of doing business with foreign entity
• Disclosures, investigation, prosecution, oversight
Responses
• SOD – Separate Vendor Maintenance from Invoice Approval*
• Monitor employees that are overdue for ethics / FCPA training*
• Monitor suspicious payment attributes such as round payments, one-time vendor, etc.*
• Code of Conduct and FCPA or anti-corruption policies in place
• Anti-corruption training in place & Whistleblower line
* Indicates the potential for automated testing linking SAP ERP and SAP BusinessObjects Process Control
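The starred items are the ones the deck flags as candidates for automated testing between SAP ERP and Process Control. As an added example (not from the slides, and not SAP code), the block below computes the training KRI and two of the starred responses over constructed HR and payment records. The record layouts, the 365-day window for "current" training, the 1000-unit round-amount threshold and the 90% KRI target are all assumptions made for illustration.

```python
"""Added example: FCPA KRIs and starred automated checks over constructed data.

Record layouts, the training-currency window, the round-amount threshold
and the KRI target are assumptions; in a real deployment the records would
come from SAP ERP HCM and FI / CO.
"""
from datetime import date
from typing import Dict, List, Tuple

# Constructed HR records: foreign-official contact flag and last FCPA training date.
EMPLOYEES: List[Dict] = [
    {"id": "E1", "foreign_official_contact": True,  "fcpa_trained_on": date(2011, 9, 1)},
    {"id": "E2", "foreign_official_contact": True,  "fcpa_trained_on": None},
    {"id": "E3", "foreign_official_contact": False, "fcpa_trained_on": None},
    {"id": "E4", "foreign_official_contact": True,  "fcpa_trained_on": date(2010, 1, 15)},
]

# Constructed vendor payments.
PAYMENTS: List[Dict] = [
    {"doc": "P1", "vendor": "V100", "one_time_vendor": False, "amount": 12437.18},
    {"doc": "P2", "vendor": "V200", "one_time_vendor": True,  "amount": 50000.00},
    {"doc": "P3", "vendor": "V300", "one_time_vendor": False, "amount": 10000.00},
    {"doc": "P4", "vendor": "V100", "one_time_vendor": False, "amount": 873.50},
]


def _training_current(emp: Dict, as_of: date, max_age_days: int) -> bool:
    """Training counts as current if it happened within max_age_days of as_of (assumption)."""
    trained = emp["fcpa_trained_on"]
    return trained is not None and (as_of - trained).days <= max_age_days


def pct_trained(employees: List[Dict], as_of: date, max_age_days: int = 365) -> float:
    """KRI: % of employees with foreign-official contact whose FCPA training is current."""
    in_scope = [e for e in employees if e["foreign_official_contact"]]
    if not in_scope:
        return 100.0
    current = [e for e in in_scope if _training_current(e, as_of, max_age_days)]
    return round(100.0 * len(current) / len(in_scope), 1)


def overdue_training(employees: List[Dict], as_of: date, max_age_days: int = 365) -> List[str]:
    """Starred response: employees with foreign-official contact overdue for FCPA training."""
    return [e["id"] for e in employees
            if e["foreign_official_contact"] and not _training_current(e, as_of, max_age_days)]


def flag_payments(payments: List[Dict], round_to: int = 1000) -> List[Tuple[str, List[str]]]:
    """Starred response: payments with suspicious attributes, for manual review.

    Two attributes from the slide are checked: one-time vendors and round
    amounts (exact multiples of round_to, an assumed threshold).
    """
    flagged = []
    for p in payments:
        reasons = []
        if p["one_time_vendor"]:
            reasons.append("one-time vendor")
        if p["amount"] > 0 and p["amount"] % round_to == 0:
            reasons.append("round amount")
        if reasons:
            flagged.append((p["doc"], reasons))
    return flagged


def kri_status(value: float, target: float, higher_is_better: bool = True) -> str:
    """Traffic-light a KRI against its target (target values are assumptions)."""
    ok = value >= target if higher_is_better else value <= target
    return "GREEN" if ok else "RED"


if __name__ == "__main__":
    as_of = date(2012, 3, 22)
    trained = pct_trained(EMPLOYEES, as_of)
    print("FCPA training KRI:", trained, kri_status(trained, 90.0))
    print("overdue for training:", overdue_training(EMPLOYEES, as_of))
    for doc, reasons in flag_payments(PAYMENTS):
        print("review payment", doc, "-", ", ".join(reasons))
```

Flagged payments and overdue employees are review queues for the compliance team, not findings in themselves; the value of wiring them into Process Control is that the test runs on a schedule and its result lands on the response plan of the FCPA risk event rather than in a spreadsheet.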
What We'll Cover …
• Sybase's Legacy ERM Framework
• Drivers for a GRC Platform
• The SAP BusinessObjects GRC Implementation Program at Sybase
• Sybase's Current ERM GRC Process
• Future GRC Phases
• Wrap-Up
Don't rush. It's a marathon, not a sprint.
Resources: Links used in preparation
• www.protiviti.com/ERM-FAQ: Guide to Enterprise Risk Management (FAQ)
• www.protiviti.com/PRIM2: Integrated Performance and Risk Management
• www.protiviti.com/RiskOversight: Board Perspectives – Risk Oversight
• www.protiviti.com/Bulletin: The Bulletin – Corporate Governance and Risk Management
• www.service.sap.com/NetWeaver® (requires login credentials to the SAP Service Marketplace)
• www.sapsuperusers.com/forums
• www.sapfans.com/forums
• www.sdn.sap.com/irj/sdn/bpx-grc: SAP GRC Risk Management Guide
• www.sdn.sap.com/irj/sdn/forums: follow Governance, Risk, and Compliance (under Business Process Expert)
7 Key Points to Take Home
1. ERM operates best under an integrated RM philosophy.
2. If you cannot relate new risks to your existing controls, you are dead in the water when it comes to compliance.
3. Don't underestimate the appetite of senior management to get engaged in a risk-based conversation.
4. Define your organization's elements (risk categories, etc.) correctly to maximize system effectiveness and flexibility.
5. Reality check frequently. Review input often to ensure your risk management platform is an integrated component of your ERM processes.
6. Automation can play a critical role in showing how your existing internal controls demonstrate compliance with new compliance risks.
7. The ultimate value of the investment lies in data-driven risk monitoring.
Your Turn!
How to contact us:
Bruce Carpenter, [email protected], 925.236.8562
John Livingood, [email protected], 415.402.3682
Disclaimer
SAP, R/3, mySAP, mySAP.com, SAP NetWeaver®, Duet™®, PartnerEdge, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies.