It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
Managing risk is a big part of your job if you are an executive. Any number of threats can potentially reduce the value of your company’s earnings and assets. Enterprise Risk Management is about reducing such risks. What is Enterprise Risk Management (ERM)? It’s a broad discipline, but ERM has a lot to do with managing compliance risk – the area of risk associated with laws and other regulations that affect how your business operates and reports on its activities. For companies that run on SAP, ERM means finding an efficient but effective way to manage risk through controls that affect the SAP landscape.
What is Enterprise Risk Management?
ERM comprises a business strategy that seeks to identify, assess and prepare for any threats and events that can interfere with operations and objectives. In practicality, much of ERM involves establishing controls over information technology (IT).
Compliance risk, for instance, occurs when your company falls out of compliance with applicable regulations. For example, if your controls over financial reporting are judged to be deficient, you will not pass your Sarbanes-Oxley audit.
How big a risk is this? The answer is “not so bad” if you get a jump on remediation right away. But the risk is not nothing, and it can get a lot worse if the control deficiency isn’t remediated right away. In addition to the cost of the actual remediation, compliance risk in this case can balloon into more serious problems, such as:
- Penalties and negative impact on share prices as control deficiencies are disclosed
- Reputation damage
- Possible misstatement of financial results in earlier periods, triggering accounting fees and potential share price impact from restating financials
- Possible fraud that occurred due to a lack of effective controls
Some of these risks may cost millions of dollars in avoidable losses. This is why ERM is so critical to businesses.
Control Effectiveness In Enterprise Risk Management
Managing compliance risk requires having controls in place. And, they have to work. For the sake of simplicity, let’s define a control as a mechanism that enforces a specific policy. In the pre-digital world, the paper tape coming from a cash register was a control over financial reporting. It provided a way to check that the amount of cash in the register drawer matched the sales for the day. Today, controls are mostly digital in nature.
Segregation of Duties (SoD) is an example of a control over financial reporting. SoD means splitting the handling of financial transactions between different people and departments as a way to avoid fraud or errors. For example, with SoD, the same person cannot create a vendor and then pay that same vendor. If one person can perform both duties, there is the risk of payments being made for fraudulent reasons. Software like SAP has the ability to define and enforce SoD policies through user roles and access controls.
Making SoD work is primarily a matter of identity management and access control. This is also known as identity and access management or IAM. IAM requires creating a definitive list of users, usually through an IAM system like Microsoft Active Directory. Then, these identities are matched up with roles in the ERP system. So, with ERP access controls, User A might have the role of “Create Vendor” while User B is “Pay Vendor.” Through their roles, their duties are segregated.
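The SoD check described above, as an added example that is not SAP's or ControlPanelGRC's code: a small rulebook of conflicting transaction pairs is evaluated against each user's combined role authorizations, with documented mitigating controls suppressing accepted findings and full-authorization profiles such as SAP_ALL flagged separately. The transaction codes are real SAP t-codes, but the rulebook, roles and user assignments are constructed for illustration.

```python
# Constructed rulebook: transaction pairs one user should not be able to run both of.
SOD_RULEBOOK = {
    "R01": ("XK01", "F-53"),   # create vendor vs. post outgoing payment
    "R02": ("FK02", "F110"),   # change vendor vs. run automatic payment program
}
SENSITIVE_PROFILES = {"SAP_ALL", "SAP_NEW"}   # full-authorization profiles

# Constructed role catalogue: role -> transaction codes it grants.
ROLES = {
    "Z_CREATE_VENDOR": {"XK01", "XK02"},
    "Z_CHANGE_VENDOR": {"FK02"},
    "Z_PAY_VENDOR": {"F-53", "F110"},
    "Z_DISPLAY_ONLY": {"XK03", "FK03"},
}

# Constructed user assignments: user -> (roles, profiles).
ASSIGNMENTS = {
    "USER_A": ({"Z_CREATE_VENDOR", "Z_DISPLAY_ONLY"}, set()),
    "USER_B": ({"Z_PAY_VENDOR"}, set()),
    "USER_C": ({"Z_CREATE_VENDOR", "Z_PAY_VENDOR"}, set()),  # both sides of R01
    "USER_D": ({"Z_CHANGE_VENDOR", "Z_PAY_VENDOR"}, set()),  # both sides of R02
    "ADMIN_X": ({"Z_DISPLAY_ONLY"}, {"SAP_ALL"}),            # sensitive profile
}

# Documented mitigating controls: (user, rule) pairs an auditor has accepted.
MITIGATED = {("USER_D", "R02")}   # USER_D is suppressed; USER_C is still reported


def granted_tcodes(user_roles, roles=ROLES):
    """Union of transaction codes across all of a user's roles."""
    return set().union(*(roles.get(r, set()) for r in user_roles))


def sod_conflicts(assignments=ASSIGNMENTS, roles=ROLES,
                  rulebook=SOD_RULEBOOK, mitigated=MITIGATED):
    """Return {user: sorted rule ids} for unmitigated SoD violations."""
    findings = {}
    for user, (user_roles, _profiles) in assignments.items():
        tcodes = granted_tcodes(user_roles, roles)
        hits = [rid for rid, (a, b) in rulebook.items()
                if a in tcodes and b in tcodes and (user, rid) not in mitigated]
        if hits:
            findings[user] = sorted(hits)
    return findings


def sensitive_profile_holders(assignments=ASSIGNMENTS, sensitive=SENSITIVE_PROFILES):
    """Return {user: sorted profiles} for users holding a full-authorization profile."""
    return {u: sorted(p & sensitive) for u, (_r, p) in assignments.items() if p & sensitive}


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts())            # {'USER_C': ['R01']}
    print("Sensitive profiles:", sensitive_profile_holders())  # {'ADMIN_X': ['SAP_ALL']}
```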
ERM in SAP Environments
SAP has an enterprise risk management module that helps you establish and enforce controls for risk management. We take the capabilities of this module further with our ControlPanelGRC® ERM solution. ControlPanelGRC gives your internal auditors peace of mind. It ensures that your most current controls are in place and actively mitigating risks. The software lets you configure Libraries for different types of Controls. Users can then upload control documentation. ControlPanelGRC provides the infrastructure for documenting, monitoring, and testing controls. It lets you build defined audit plans, giving your users an automated, workflow-based way to test controls.
ControlPanelGRC Risk Analyzer gives you the ability to conduct real-time risk analysis and mitigation of authorizations. It contains an expandable, predefined Rulebook that can be customized based on business or auditor requirements. Risk Analyzer furthers the enterprise risk management process by documenting and assigning approved mitigating controls. This capability helps filter and monitor risks. There are other features within Risk Analyzer that can monitor sensitive role and profile assignments, such as SAP_ALL or SAP_NEW.
Putting enterprise risk management into practice, Risk Analyzer integrates with ControlPanelGRC Usage Analyzer to identify the last execution dates of risk transactions, assisting in remediation in the process. It offers Modeling Analysis, which identifies potential risks upon the assignment of roles to new users as well as when transactions are assigned to roles.
Risk Analyzer enables enterprise risk management, emphasizing attention to compliance risks through its dashboard, whose reports provide a “state in time” view of compliance. The tool also automates the notification of mitigating control executions along with risk monitoring with notification of incidents.
Stay Ahead of Compliance Concerns in SAP
Enterprise risk management for SAP can be challenging, but the stakes are high, especially with serious compliance risks and audit failures on the line. Tools like ControlPanelGRC and its Risk Analyzer give you the ability to manage risks and stay on top of the compliance and audit process. To learn more about ControlPanelGRC and its potential to help you with your enterprise risk management goals, contact us today.