The main distinction is that today’s threats are increasingly digital and cyber-related, so a more integrated approach is necessary. Whether or not this is seen as a case of the Emperor’s new clothes, arguably the real question is whether the intended outcomes of IRM can be achieved with the technology available today. If an organisation is running SAP GRC, we believe the simple answer is yes.
IRM is an approach that brings together the entire risk, control and audit landscapes, breaking down silos to provide a business-wide view on risk to empower decision-making at every level.
As SAP customers seek to reach this risk management nirvana, many could be missing a trick – failing to take full advantage of the tools to which they already have access. Namely, those that form SAP’s Governance, Risk and Compliance (GRC) suite.
SAP GRC is best known for SAP Access Control, and this particular module is the most commonly deployed. It helps organisations detect, manage and prevent access and risk violations, reduce unauthorised access to company data, and establish the relevant GRC processes and strategy that feed into the organisation’s overall GRC objectives.
But sitting alongside SAP Access Control – in exactly the same install pack – are SAP Process Control and SAP Risk Management. Despite having a lot to offer, these modules all too often remain in a deactivated state.
For SAP customers looking to improve their overall risk management function, the solutions are therefore often already available – simply waiting to be switched on. Because hardware provisioning is paid for when the organisation implements SAP Access Control, these extra modules won’t incur any extra infrastructure costs once they’re licensed and activated.
The foundations for IRM and the implications for audit
With the three SAP GRC modules working in unison, the enterprise has a comprehensive solution for identifying and managing risk across its business.
It has controls that respond to risks – helping the organisation to mitigate and reduce their overall impact. It is able to automatically monitor segregation of duties (SoD) risks as they arise. And it can monitor any changes to configuration across its entire SAP estate – while also identifying any instances of unauthorised access.
In effect, once the foundations for an IRM platform are in place, this can be built out further over time.
This enables the risk management function to help internal audit by surfacing a wealth of information to put process-based audits to an end. Auditors will have visibility across all of the organisation’s business processes, as well as the controls that are implemented across each of the process functions. So, they can assess the level of risk associated with each of these business areas more effectively.
This enhanced visibility is key to helping audit teams understand the ‘live’ state of the business in terms of risk and implemented controls – something they typically struggle with.
Traditionally, auditors maintain their own spreadsheets with such information, but only update these once they’ve completed an audit against a specific area. With audits coming around perhaps every 12-36 months, the data in those documents can often be significantly out of date by the time it’s used.
By having an IRM (or GRC) platform in place, audit can instead automatically pull down the latest risk information and control status for any business function. This data can then feed automatically into the audit management solution, for a fully joined-up approach.
The process of being audited is typically a significant drain on enterprise resources. Capturing audit-relevant data on an ongoing basis via IRM makes that process smoother and more efficient; the information required by audit teams should be at their fingertips when they come to conduct their assurance work.
Why have some SAP customers not yet embraced IRM?
While IRM is designed to overcome the challenges of a siloed approach to risk, it’s often the siloed set-up that provides the biggest barrier to implementation.
In many organisations, IT manages IT risks, health and safety manages health and safety risks and finance manages finance risk. Not only does that mean there’s no collaboration between functions on risks that affect the entire organisation, it means there’s no central owner of the whole risk picture.
In response to this lack of ownership, some organisations are now seeking to establish group GRC functions, bringing on board departmental leads to establish a consistent and standardised approach to risk and control management.
While this can seem too costly an investment for some businesses, it can be a key first step in breaking down those silos.
By discussing what’s important for each departmental pillar, and learning how they manage and report on their risks and controls in their own area, common ground can be established. This provides the basis for integration between the functions and is often found in the area of reporting, because each pillar ultimately shares the same responsibility of reporting risk information to the board.
Using a single platform and a consistent approach to risk and controls means more unified, streamlined reporting – not least eliminating the time it takes to manually aggregate swathes of data from Excel, SharePoint and PDFs.
Top-level risk management and reporting
Reporting is one of the biggest challenges in traditional risk management. Typically, the risk management function will spend a significant amount of time collecting data from risk owners (potentially generated through self-assessment, which carries its own risk of human filtering) and consolidating it into reports for the board; in effect reporting on risk but not actively managing it.
Using GRC to adopt an IRM approach facilitates the gathering of information and the automation of reporting in a consistent and repeatable format. These tools therefore free up the risk management team to proactively manage risk within the business. They can also be used to enrich risk reporting with information from multiple data sources throughout the organisation, building in feeds such as controls performance or risk remediation statuses that augment board reporting.
Where to start?
Is the era of GRC over? Is IRM the new dawn? Whatever an organisation believes, those that are SAP customers already have the tools at their disposal to support an integrated risk management function.
The first place to start is to identify what each department needs in order to manage and report on risk, and then provide a common platform that’s going to address the organisation as a whole.
And in taking this initial step, they may find the answer is right there in front of them.