Implementation of a SAP GRC solution at a Swiss Mobile Network Operator. Andreas Eberhardt, Senior Consultant Barcelona,

Transcription

1 Implementation of a SAP GRC solution at a Swiss Mobile Network Operator Andreas Eberhardt, Senior Consultant Barcelona,

2 Agenda Success factors for the implementation of a SAP GRC solution GRC tool selection process and implementation strategy Key benefits and lessons learned 2

3 My person and b.telligent

4 Andreas Eberhardt Education Masters in Business Administration Certified Project Manager (IPMA) Certified Risk Manager (IRM) SAP GRC training Working Experience 6 years of project management experience. 2 years of SAP experience in the areas of Risk Management. 3 years in telecommunications and 3 years in automobile. Project Experience Program Manager (Interims Management) of the prepaid billing program at a Swiss mobile network operator. Project Manager for the implementation of a software solution for the administration, management and controlling of service contracts in Russia at one the five global leading automobile manufacturers (Aftersales). Project Manager for the implementation of a GRC tool solution in SAP supporting SOX compliance and the existing risk framework at a Swiss mobile network operator. Strategic Business Consultant for the conceptual design and reorganization of the corporate business intelligence department at a Swiss mobile network operator. Project Manager for the implementation of a complete product lifecycle considering new / defect materials, materials in transit, second hand materials and loan phones at a Swiss mobile network operator (Aftersales). Project Manager for Implementation of a SOX compliant risk framework and role concept in SAP at a Swiss mobile network operator. 4

5 b.telligent business activities Real-time DWH/ EAI DWH Architecture SAP Process Optimization Improvement in efficiency DWH BI CRM NBC BSC / BPM Reporting Analyse Data Mining Analytical CRM Campaign Management Customer Lifecyle Geo-Analysis Core Competences Strategic orientation 5

6 Success factors for the implementation of a SAP GRC solution

7 Implementation of a SAP GRC solution Project Overview Project profile Swiss Network Provider reporting to one of the global top 5 Telecommunications companies Project Sponsor: Director Business Excellence Project Duration: 5 months Project allocated budget: 360k CHF Project objectives Implementation of an efficient company wide user authorization management process for the user assignment and role maintenance. Compliance to Group directives. Definition and implementation of an appropriated monitoring methodology in SAP. Expected benefits Security aspects: Optimize security level in business for fraud / error prevention Turn risk management from reactive mode in proactive mode Cost aspects: Reduce maintenance costs for risk monitoring Facilitate business risk monitoring 7

8 Disciplines / Standards in domain of GRC and Risk Management Governance SOX, SEC, NYSE, NASDAQ BRT, NACD, Conference Board TIAA-CREF, CalPERS, AFL-CIO, CII OECD American Law Institute Compliance / Legal Management Federal Sentencing Guidelines / Thompson Australian Standards OCEG Standards Various agency guidelines (e.g., HHS OIG) Internal Audit / Anti-Fraud COSO Internal Control (1992), COCO SAS 99 IT Control / Security COBIT SysTrust, WebTrust Performance Management Balanced Scorecard EVA McKinsey; BAH; Accenture Ethics / Corporate Social Responsibility AA1000, SA8000, ISO CSR Global Reporting Initiative ILO Conventions, UN Global Compact, Sullivan Principles Sigma Guidelines (UK) Q-RES (Italian) European Corporate Sustainability Risk Management GARP, PRMIA standards Australian Standards Basel II Guidelines COSO ERM (2004) Human Capital / Training ASTD Bloom s Taxonomy Kirkpatrick Communication / Change Management Quality Management ISO 9000 series Six Sigma Project Management Project Management Institute PMBOK

9 Complexity of Enterprise Risk Management Risks are individual and complex, there is no out-of-the-box solution to cover YOUR risks! Individual risk quantification Significance and probability Risk criticality and financial impact Local specific regulations SOX, German data protection,... Subsidiary specific risk organization Division / department Product / communication channel,... Group specific risk organization Region or area manager, product manager, Context and assessment Ownership Risk Organizational particularities Mitigation processes Individual accountabilities: Risk-, Process- and Control Owner, Individual responsibilities: Control Executer, System Role Wwner, Individual risk mitigation strategies Preventive vs. detective Manual vs. automated Individual policies Altering & mitigation process Evidence management Document management Identity management 9

10 4 Key Success Factors for the GRC project Senior Management Buy in (!) Ability to implement new roles and responsibilities in company organisation (e.g. Risk, Control Owner) Ability to prioritize GRC projects against Significant costs not sure about benefits attitude Ownership models Ability to proactively maintain a dynamic staffing model Understanding company processes Key Success Factors Risk Framework Ability to support evolving procedures and identify significant changes to processes and policies Ability to adapt proactively to new corporate events, e.g. outsourcing or acquisitions Tool Usability Flexibility is key in order to respond to legal, corporate or organizational changes! Usability is key in order to get tool acceptance! Define a OCH risk management strategy with clear responsibilities in organisation. 10

11 GRC tool selection process and implementation strategy

12 GRC tool evaluation process Supplier alternatives Market Leader - SAP GRC (Virsa) Best competitor - Approva Tool presentation Functional questionnaire Offers Commercial questionnaire Winner External Auditor Internal Workshop Best challenger Further Considerations - Conteliga Results Primary investigation Recommendation from SAP SOX Security project (Virsa) Approva as main competitor in US market Conteliga: Prototypical development Workshop result Criteria: Technical part Customizing effort Integration effort Functional fulfilment Workshop impression Further consideration Technical compliance matrix Offer result Criteria: Price - Implementation - Customizing - Licences Supplier risk analysis Contractual aspects Criteria: Presentation of evaluation results: - Technical compliance matrix - Commercial - Legal, contractual 12

13 Overview about evaluation criteria for GRC tool selection Define for each relevant component criteria and weights for the final decision making 13

14 Example of functional Questionnaire 14

15 Implementation strategy Phase -Control Implementation- Phase -Control Automation- Phase -Continuous Control- Tool evaluation Tool recommendation TRB Finalize RFP T1 Role Level Analysis (Naming convention, SoD simulation, remediation actions) User Level Analysis (SoD conflict, sens. Transactions access, remediation actions) Gap analysis Immediate risk reduction (GC-IT controls, critical Z/Y T-Codes) Impl. Conflict free Role Concept Impl. User provisioning Impl. Extended user access Impl. Review Processes Activate individual alerting, reporting Audit Tool Impl. of Compensating controls Enforce Change Mgmt. Controls Process controls validation Impl. Process controls Audit process 15

16 Key benefits and lessons learned

17 Implementation of a SAP GRC solution Top 4 key benefits! Individual Process Controls Example 1: Automatic alerting to risk owner in case of incompliance in PO change (change of currency, total amount above certain limit, etc ) Example 2: SoD conflict analysis takes 18 months into consideration (outsourcing of departments, movers in the company with changing rights) Tasklist Control Owners / Risk Owner have complete overview about their domain Enables communication between stakeholders (IT authorization expert and Business Owner) Preventive Control strategy Automatic block of incompliant transports Naming convention allows SoD conflict management on role level Block of critical transaction execution Role on Demand Process Minimizing user access without impact business performance for one time executed transactions (monthly end closure) Automatic tracing of user 17

18 Implementation of a SAP GRC solution Lessons Learned focus GRC tool An efficient ICS tool provides controls on all relevant levels, processes and applications. Establish Risk Framework Identify the risks Analyse the risks Evaluate the risks Treat the risks Monitoring and review Communication & consultation Enterprise Risk Management process Change Management User & roles Management Reports and Dashboards Application Level Privilege Management Identity Management Process automations Identified & assessed risks Basic functionality Workflows & alerting Change histories ICS tool Determination Engine Workflow Engine Generic instruments Process repository Rule set repository Best Practices Document Management Evidence Management Content Management Cross functional controls Cross application controls 18

19 b.telligent GmbH & Co. KG Lichtenbergstraße Garching / München Phone + 49 (89) Fax + 49 (89) info@btelligent.de Thank you very much for your interest!