Effective Cross-Enterprise Governance, Risk and Compliance: How SAP helps customers achieve a unified approach to GRC
Ranga Bodla, Governance, Risk & Compliance Solution Marketing
Speakers
- Ranga Bodla, Sr. Director, Governance, Risk and Compliance, SAP (Ranga.bodla@sap.com, 650.796.8252)
- Jerry Helton, Sr. Director, Greenlight Technologies (Jerry.helton@greenlightcorp.net, 407.405.6869)
SAP 2008 / Page 2
Agenda
Objective: an overview of how to successfully prioritize, manage and analyze multi-platform compliance initiatives, with real-life case studies.
- Attendees will develop an understanding of leading best practices that help organizations stay compliant and manage enterprise risk.
- Attendees will also get an overview of the solutions available for achieving a unified view of enterprise compliance.
GRC often crosses the enterprise
[Figure: governance, risk management and compliance activities are spread across every function and jurisdiction of the organization]
- Regulations and risk areas: SOX, JSOX, FDA, RoHS, WEEE, revenue recognition, credit risk, OSHA, MSHA, Kyoto
- Jurisdictions: U.S., Germany, Japan, U.K., France, China, Canada, India
- Functions: Board of directors, Finance, Legal, Sales, Contracts, HR, Controller, IT, Policy mgmt., Audit and compliance, Treasury
- Business areas: HCM, Financials, Manufacturing, Sourcing, Supply chain, Sales, Marketing, Service, Billing
The IT Management Nightmare
[Figure: executive roles (CMO, CSO, VP Customer Service, VP R&D, VP Mfg / COO, VP Supply Chain / COO, VP Procurement, VP HR, CIO, CFO) mapped to the regulations each must satisfy]
- Regulations shown: SOX, NERC, Customs, Privacy, Anti-spam, Security, ISO, Clean Water, REACH, Waste / Superfund (SARA), FDA, Clean Air, RCRA, FERC, FAA, OSHA, FMLA, ERISA, ISO/IEC 27001, AS8015-2005, HIPAA, GLBA, PCI DSS, Basel II, OMB A-123
- Categories: Labor, Environmental, Health, Industry Specific, Financial
- All areas of the organization are affected by regulatory requirements
- IT is forced to come up with approaches for all of these, which drives the cost of compliance
- Proof of compliance is required
- Business processes are the connector across silo organizations
Typical Approach to Addressing GRC
GRC is layered on top of and/or separate from the core business processes
[Figure: a separate GRC stack (portal, workflow, business intelligence, archive, user management) duplicated for each system, sitting above the people and middleware layers]
SAP 2009 / Page 6
Unified Approach Optimizes Performance
Embedding GRC in the process
[Figure: a single GRC layer (management by exception: proactive and preventative) embedded in the shared portal, workflow, business intelligence, archive and user management stack, above the people and middleware layers]
Effective GRC must go across the enterprise
Compliance across heterogeneous applications and systems
[Figure: SAP cross-application support for end-to-end processes that span SAP and PeopleSoft systems]
- Hire-to-Retire
- Reconcile-to-Report
- Procure-to-Pay
- Order-to-Cash
- Production-to-Delivery
- Cross-functional
SAP BusinessObjects Solutions for GRC
Maximize strategic and operational performance
Governance:
- Increase visibility across risk and compliance initiatives
- Standardize on a common language for risk and compliance
- Align controls with strategic objectives
- Monitor performance against requirements
Controls & Compliance (reduce cost):
- Design and implement automated controls to support any framework
- Move to automated testing of controls
- Manage the effectiveness of controls at any time, across any system
Risk Management (manage risk across the enterprise):
- Unify management of strategic, financial, operational and compliance risks
- Identify and manage risks before they impact the business
- Proactively monitor risk across end-to-end business processes
Leverage GRC Across SAP and Non-SAP
[Figure: SAP GRC capabilities (security models, false positives, ResQ, ad-hoc reports, controls content, change controls, mitigating controls) connected to Business Suite, ORCL, PSFT, JDE, HYP, Siebel, Baan and legacy systems]
Real-time integration across all enterprise systems
Greenlight Technologies
- Trusted co-development partner providing leading GRC control automation solutions since 2004
- Over 70 enterprise customers
- GRC-middleware solution
- Industry's most comprehensive automated controls portfolio: Oracle, PeopleSoft, Hyperion, JDE, Ariba, I-many and legacy systems
- Real-time, cross-platform continuous compliance
SAP relationship:
- Certified SAP software partner
- Solutions powered by NetWeaver
SAP-Greenlight Partnership
Greenlight is a global provider of real-time, cross-platform connectors for SAP GRC Access Control.
[Figure: Greenlight offering around SAP GRC Access Control]
- Connectors / RTAs: over 25 connectors for Oracle, PSFT, JDE, Hyperion, Siebel, Ariba, Lawson and multiple third-party applications; RTA Design Studio for legacy systems
- Market-specific automated GRC controls: HIPAA, FDA, FCPA, NERC, Basel II
- Application-specific automated GRC controls: Order to Cash, Procure to Pay, GR to production, Master Data, Transaction Controls, Inventory, Warehouse and QA, Hire to Retire
- Access control capabilities: ResQ, SOD Risk Analysis, Compliant User Provisioning, Business Transaction Controls, Super User Management
Solution Approach
- Consolidation and monitoring of enterprise access risk across non-SAP systems, all from a SINGLE SAP GRC platform
- Leverage the integration of SAP GRC with Greenlight connectors for unified, preventive, automated compliance management of financial and day-to-day operational controls
- A real-time architecture enables alerts and preventive access controls: STOP the violations before they occur
Rollout plan:
- Security setup assessment: role/task-based security definitions, user groups, etc.
- SOD risk identification and analysis (e.g. financial, charge-back, contracts, FDA risks for pharma)
- Residual risk analysis
- Risk mitigation process and business user empowerment
- Utilize RTA Design Studio to deploy SOD and Compliant User Provisioning connectors for any/all future systems
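The rollout plan above names three mechanisms without showing what they look like in practice: SOD risk identification over role assignments, residual risk after mitigating controls, and a preventive check that stops a conflicting grant before it is provisioned. The following is an added illustration written for this page; it is not SAP GRC or Greenlight code, and the role-to-function map, the SOD rule set, the mitigating-control register and the users are all constructed sample data. The function names (functions_for, risks_in, analyze_users, role_conflicts, check_provisioning_request) are hypothetical.

```python
"""Segregation-of-duties (SOD) risk analysis with a preventive provisioning check.

Added example for this page. Everything below (roles, functions, rules,
mitigations, users) is constructed sample data, not a real customer's rule set.
"""
from dataclasses import dataclass

# Business functions (abstract capabilities) that each technical role grants.
# Constructed; in a real landscape this map comes from the target system's
# authorization model (roles, profiles, responsibilities).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},   # conflict inside one role
    "AP_PAYER": {"RELEASE_PAYMENT"},
    "PURCHASER": {"CREATE_PO"},
    "RECEIVER": {"POST_GOODS_RECEIPT"},
    "AUDITOR": {"VIEW_LEDGER"},
}


@dataclass(frozen=True)
class SodRule:
    """Two business functions that must not be held by the same person."""
    risk_id: str
    func_a: str
    func_b: str
    severity: str
    description: str


# Constructed rule set (IDs are hypothetical, not SAP GRC's delivered content).
RULES = [
    SodRule("P001", "CREATE_VENDOR", "ENTER_INVOICE", "High",
            "Could create a fictitious vendor and invoice against it"),
    SodRule("P002", "ENTER_INVOICE", "RELEASE_PAYMENT", "High",
            "Could enter and pay an invoice without a second person"),
    SodRule("P003", "CREATE_PO", "POST_GOODS_RECEIPT", "Medium",
            "Could order and receive goods with no independent check"),
]

# Mitigating controls register: risk id -> users with a documented
# compensating control (e.g. monthly review by a manager). Constructed.
MITIGATIONS = {"P003": {"jdoe"}}

# Constructed user-to-role assignments, as an RTA would extract them.
USERS = {
    "asmith": {"AP_CLERK"},
    "jdoe": {"PURCHASER", "RECEIVER"},
    "mlee": {"AUDITOR"},
}


def functions_for(roles, role_functions=ROLE_FUNCTIONS):
    """Union of business functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def risks_in(functions, rules=RULES):
    """Rules whose two conflicting functions are both present."""
    return [r for r in rules if r.func_a in functions and r.func_b in functions]


def analyze_users(users, rules=RULES, mitigations=MITIGATIONS):
    """Detective SOD analysis over all users.

    Returns a sorted list of (user, risk_id, severity, mitigated). Findings
    with mitigated=False are the residual risk that still needs remediation.
    """
    findings = []
    for user, roles in users.items():
        for rule in risks_in(functions_for(roles), rules):
            mitigated = user in mitigations.get(rule.risk_id, set())
            findings.append((user, rule.risk_id, rule.severity, mitigated))
    return sorted(findings)


def role_conflicts(role_functions=ROLE_FUNCTIONS, rules=RULES):
    """Roles that violate a rule on their own; these must be redesigned,
    because any user who receives the role inherits the conflict."""
    return sorted((role, rule.risk_id)
                  for role, funcs in role_functions.items()
                  for rule in risks_in(funcs, rules))


def check_provisioning_request(user, current_roles, requested_role,
                               rules=RULES, mitigations=MITIGATIONS):
    """Preventive check run before a role is granted.

    Simulates the grant and reports only the risks it would newly introduce.
    Returns (decision, new_unmitigated_risk_ids) where decision is one of
    "allow", "allow_with_mitigation" or "block".
    """
    before = {r.risk_id for r in risks_in(functions_for(current_roles), rules)}
    after = {r.risk_id
             for r in risks_in(functions_for(current_roles | {requested_role}), rules)}
    introduced = after - before
    unmitigated = sorted(rid for rid in introduced
                         if user not in mitigations.get(rid, set()))
    if not introduced:
        return "allow", []
    if not unmitigated:
        return "allow_with_mitigation", []
    return "block", unmitigated


if __name__ == "__main__":
    print("Role-level conflicts:", role_conflicts())
    for finding in analyze_users(USERS):
        print("Finding:", finding)
    print("Request asmith + AP_PAYER:",
          check_provisioning_request("asmith", USERS["asmith"], "AP_PAYER"))
```

The detective pass and the preventive check share one rule evaluation, which is the point of the "single platform" argument above: the same rule set that produces audit findings also decides provisioning requests, so a conflict is either blocked at grant time or recorded with its mitigating control, never silently introduced.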
RTA Design Studio
Greenlight introduces a new, innovative, patent-pending technology
SAP & Greenlight Case Study #1
Needs:
- Significant non-SAP landscape: Oracle, Hyperion, legacy systems
- Automate SOD risk analysis, compliant provisioning and superuser access for non-SAP systems
- Saving of time and resource costs
- >1700 roles in non-SAP (Oracle) make manual analysis impossible
- 19,000 users across 7 SAP landscapes including R/3, APO, HR and SEM
Results:
- Implemented Greenlight Real Time Agent (RTA) solutions for SOD risk analysis and compliant provisioning
- External auditor helped validate the rule set
- Clean access process; moved from detective to preventive
- Expanding coverage to legacy systems and ResQ (superuser, Oracle)
SAP & Greenlight Case Study #2
Needs:
- Significant non-SAP landscape: Oracle, JDE, Bookmaster and 20+ legacy systems
- Integrate SAP GRC with non-SAP systems for SOD risk analysis and superuser access for Oracle
- Automate legacy manual batch extraction for SAP GRC
- Reliable audits, saving of time and resource costs
- >1400 roles in system (Oracle)
Results:
- Implemented Greenlight RTA solutions for SOD risk analysis for Oracle
- Clean SOD risk analysis, results validated; next phase includes ResQ (Oracle superuser) and Greenlight Design Studio for legacy system RTAs
- Automated batch extraction
- 15,000 users within Oracle
Proven Customer Savings in Cross-Platform Integration
Delivering significant reductions in cost and labor (average value reported):
- Reduction in time spent on external/internal audit: 28%
- Reduction in internal/external audit costs: 35%
- Reduction in time spent managing authorization risk: 36%
- Reduction in costs of managing user authorization risk: 44%
- Reduction in audit report findings for security: 41%
- Reduction in time cleaning up audit report findings for security: 39%
Value Proposition of Integrated GRC
- Consistent and real-time visibility of enterprise risk and compliance throughout the enterprise to achieve preventive compliance
- SOD risk analysis and compliant provisioning across the enterprise systems from SAP GRC
- Real-time, preventive, cross-system compliance
- Optimized and efficient audits
- SIGNIFICANT savings of costs and time
- Expanded audit scope and transparency for all business processes and systems within the company
- Immediate ROI; reliable and consistent compliance
- Leverage existing IT investment: no additional hardware
Getting Started: GreenLight Remote Risk Assessment
- No cost, no risk, partner-enabled GRC sales opportunity
- Demonstrate the value of cross-platform GRC using the customer's own data
- Real-time cross-platform SAP GRC and SOD risks (GreenLight's Access Control demo environment)
- Supported by both SAP and GreenLight technical resources
Contact: Jerry Helton, Senior Director, Markets Development, 270 South Main Street, Flemington NJ 08822; Tel: 908-782-5700 x 122; Cell: 407-405-6869; Jerry.helton@greenlightcorp.net
Questions
Contact Info
- Ranga Bodla, Sr. Director, Governance, Risk and Compliance, SAP (Ranga.bodla@sap.com, 650.796.8252)
- Jerry Helton, Sr. Director, Greenlight Technologies (Jerry.helton@greenlightcorp.net, 407.405.6869)