GRC 10.0 - Risk Management for Mining and Metal Paul Petraschk, SAP September 2012


© 2012 SAP AG. All rights reserved.

The Risk Management process always starts with knowing your business

Your business?


Do You Really Know Your Business?

What risks currently impact your ability to perform?

What is the actual status of your planned responses?

Do some of your activities or projects deliver any indications for higher risks?

What will be the overall impact if multiple risks occur and how will they influence each other?


Top 5 Requirements

1 Holistic overview about the overall risk situation into all operations

2 Proactively identify and control risks to reduce likelihood and impact

3 Fast and easy way to involve the operational business as knowledge key persons into risk assessments

4 Easily maintained risk structure to fulfill the requirements of corporate reporting and operational risk management

5 Clearly defined accountabilities and responsibilities for risks and responses


Risk Management Overview

Description:

Reporting and analytic capabilities are essential for management in order to obtain a real time overview of business critical risk information.

The overview introduces these important features along the Risk Management process which are implemented with SAP GRC Risk Management.

Risk Management Process: Risk Planning, Risk Identification, Risk Analysis, Risk Response, Risk Monitoring

Strategic Objective Setting
Align strategic objectives to organizational entities
Define risk classification (types)
Define risk relevant business activities
Identify risks and opportunities
Identify risk drivers and impacts (condition and consequences)
Assign Key Risk Indicators (KRIs – out of scope for pilot)
Analyse risk using quantitative or qualitative methods
Document risk relationships
Build risk scenarios and determine risk exposure
Perform Monte Carlo simulations
Prioritize risks based on risk level
Document preventive responses for risks
Assign response ownership and actions
Perform control assessments and tests
Plan re-assessments and approval cycles
Analyze company’s risk situation
Monitor Key Risk Indicators (KRIs)
Monitor response effectiveness and completeness
Update risk exposure for strategic objectives and risks
Document occurred incidents and losses

Define the risk structure for corporate reporting and operational risk management
Holistic overview about overall risk and incident situation
Proactive identification of risks
Involve operational business as knowledge key persons
Clearly defined accountabilities and responsibilities for taking actions
Holistic overview about overall risk and incident situation


Risk Planning – Define Risk Management Framework


1. Establish Risk Management Goals
   Define Risk Management Process Structure and views
   Align organizational goals and strategic objectives
   Identify risk management process users

2. Develop Risk Taxonomy
   Identify risk activities and business processes
   Define hierarchical risk classifications
   Document risk templates

3. Document Risk Criteria
   Document risk appetite
   Document risk thresholds
   Define user roles and authorizations

[Figure: organizational hierarchy with the nodes Group, EMEA, North, South, APJ, AMERICA]


Risk Identification – Detect operational risks


1. Collect new Risks
   Propose new risks with only a few clicks
   Report incidents
   Receive alerts if key risk indicators hit defined thresholds

2. Increase visibility of Risks
   Use incidents for risk detection
   Document known risks

3. Improve effective learning process
   Connect organizations, people, systems and applications
   Involve all employees

[Figure: risk pyramid with the values 1, 10, 30, 100, 600 and the labels Documented risks, Known risks, (Near) incidents, Board risks, Unknown risks]


Risk Analysis – Single and collaborative Analysis


1. Analyze Risks
   Assess risks with quantitative, qualitative or score based Methods
   Perform single or collaborative risk analysis
   Collect data for risk analysis in the SAP GRC application or offline via Adobe Interactive Forms
   Schedule risk assessments via workflow
   Receive alerts if key risk indicators hit defined thresholds

[Figure: Collaborative Risk Assessment, with the labels "Steps performed by Risk Management" and "Steps performed by workflow Recipient". Boxes: Determine risks in scope; Trigger workflow to recipient; Monitor Collaborative Risk Assessment; Collaborative Assessment Recipient 1; Collaborative Assessment Recipient 2; Collaborative Assessment Recipient …; Automatic result consolidation; Consolidator Review]


Risk Response – clearly defined status and responsibilities


1. Aggregate Risks
   View aggregated risks by risk classification, activities and business processes
   Identify risk dependencies

2. Scenario (what-if and Monte Carlo) Analysis
   Create business scenarios and run simulations to visualize impacts and total loss for different probabilities

3. Assign Responses and Controls
   Document responses and ownership
   Assign Controls from Internal Control System
   Define Effectiveness and Completeness
   Monitor response plan progress


Risk Monitoring – Report on overall risk status


1. Flexible Reporting
   Interactive dashboards such as the Risk Heatmap, which make it easy to filter and drill down into risk details as required
   Add customized static Reports in Crystal Reports and provide Reports for Corporate Level, Management Level and Operational Level
   Integrate Risk Management data into BI Reports
   Analyze the company's risk situation and monitor mitigation status


Risk Management Cycle

[Figure: Risk Management Cycle with the phases Risk Planning, Risk Identification, Risk Analysis, Risk Response, Risk Monitoring]

The Risk Management Process does not end with Monitoring. It is more like a continuous Risk Management Cycle. Enhanced requirements for Monitoring and Reporting, as well as organizational changes, lead to changes in the Risk Structure and the Organizational and Activity Hierarchy. These are addressed in the risk planning phase, where the Risk Management Cycle starts again from the beginning.


Demonstration Operational Risk Management Overview


MANAGE BETTER PROTECT BETTER PERFORM BETTER

Proactively Balance Risk and Opportunity SAP GRC Risk Management


Automate manual tasks

Employ best practices

Reduce effort and cost

Automate monitoring

Real-time analysis

Industry-specific solutions

Align with strategy and planning

Embed analytics

Scenario modeling


SAP GRC Risk Management Align enterprise risks with business value

Protect the fundamental business value drivers

Insight into the management of risk

Visibility into catastrophic value destroying risks


Thank you

Paul Petraschk GRC Senior Consultant

KM Champion - GRC Process Control

SAP Deutschland AG & Co. KG

Phone +49/ 6227/ 7-56751

Mobil +49/ 160/ 470 33 52

[email protected]

http://www.sap.com/grc


© 2012 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the United States and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.

Oracle and Java are registered trademarks of Oracle and its affiliates.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.

IOS is a registered trademark of Cisco Systems Inc.

RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.

Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.

INTERMEC is a registered trademark of Intermec Technologies Corporation.

Wi-Fi is a registered trademark of Wi-Fi Alliance.

Bluetooth is a registered trademark of Bluetooth SIG Inc.

Motorola is a registered trademark of Motorola Trademark Holdings LLC.

Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.