SAP GRC For Dummies
About the Book

Governance, risk, and compliance—these three big letters can add up to one giant headache. But GRC doesn't have to be a boil on your corporate behind. SAP GRC For Dummies untangles the web of regulations that confronts your company and introduces you to software solutions that not only keep you in compliance, but also make your whole enterprise stronger. This completely practical guide starts with a big-picture look at GRC and explains how it can help your organization grow. You'll find out why these regulations were enacted; what you can do to ensure compliance; and how compliance can help you prevent fraud, bolster your corporate image, and envision and execute the best possible corporate strategy.

This all-business handbook will help you:
  • Understand the impact of Sarbanes-Oxley
  • Control access effectively
  • Color your company a greener shade of green
  • Source or sell goods internationally
  • Keep your employees safe and healthy
  • Ensure that data is kept secret and private
  • Manage information flow in all directions
  • Enhance your public image through sustainability reporting
  • Use GRC as the basis for a powerful new corporate strategy

Complete with enlightening lists of best practices for successful GRC implementation and conducting global trade, this book also puts you in touch with thought leadership Web sites where you can deepen your understanding of GRC-based business strategies. You can't avoid dealing with GRC, but you can make the most of it with a little help from SAP GRC For Dummies.

Table of Contents:
Introduction
    About This Book; Foolish Assumptions; How This Book Is Organized; Part I: Governance, Risk, and Compliance Demystified; Part II: Diving into GRC; Part III: Going Green; Part IV: Managing the Flow of Information; Part V: The Part of Tens; Glossary; Icons Used in This Book; Where to Go from Here

Part I: Governance, Risk, and Compliance Demystified
  • Chapter 1: The ABCs of GRC
    Getting to Know GRC; Getting in the Business Drivers’ Seat; Getting Motivated to Make the Most of GRC; Complying with financial regulations; Failing an audit; Experiencing a rude awakening; Going from private to public; Managing growth; Taking out an insurance policy; Managing risk; Reducing costs; Struggling with the high volume of compliance; Introducing the GRC Stakeholders; GRC stakeholders inside a company; GRC stakeholders outside a company; Understanding GRC by the Letters; Governance; Risk; Compliance; C Is for Compliance: Playing by the Rules; Controls: Mechanisms of compliance; Domains of compliance; R Is for Risk: Creating Opportunity; G Is for Governance: Keeping Focused and Current; Hitting the Audit Trail; Designing Your Approach to GRC; After the rush to clean up; Stages of GRC adoption; What GRC Solutions Provide
  • Chapter 2: Risky Business: Turning Risks into Opportunities
    Discovering Enterprise Risk Management; Defining Risk; Ignoring Risk (At Your Peril); Sorting Through the Approaches to Risk Management; The ad hoc approach; The fragmented approach; The risk manager’s job approach; The systematic, enterprise-wide approach; A cultural approach; Identifying the Critical Components of a Successful Risk Management Framework; A culture that takes risk seriously, from the C-suite down; A risk management organization: Distributing responsibility throughout the culture; A systematic framework in place; Technology that creates a risk picture; Taking the Four Steps to Enterprise Risk Management; Risk planning; Risk identification and analysis; Risk response; Risk monitoring; Analyzing What Went Wrong: When Risk Becomes Reality; Automating the Risk Management Cycle; Taking the SAP Approach: SAP GRC Risk Management; SAP GRC risk management and key risk indicators; Monitoring risks and key risk indicators with SAP GRC Risk Management; Using SAP GRC Risk Management: A Fictional Case Study; Where should we produce?; Using SAP Risk Management: An SAP Case Study; Gleaning the Benefits of SAP GRC Risk Management
  • Chapter 3: Governance: GRC in Action
    Getting to Know Governance; Gleaning the Benefits of Good Governance; Drafting Governance Blueprints; Creating a Framework for Great Governance; Evaluating Your Governance Framework; From a strategic and operational perspective; From a legal and regulatory compliance perspective; Hurdles to Instituting and Maintaining a Good Framework; Avoiding GRC silos; Making GRC strategic; Justifying the cost of GRC; Applying GRC too narrowly; Setting up checks and balances; Making the Argument for Automation; The SAP Approach: Integrated Holistic IT for GRC; Coming to Grips with Governance

Part II: Diving into GRC
  • Chapter 4: How Sarbanes and Oxley Changed Our Lives
    Figuring Out Whether SOX Applies to You; Discovering Why SOX Became Necessary; Who Are Sarbanes and Oxley, Anyway?; Breaking Down SOX to the Basics; Sections 302 and 906: Threatening management with a big stick; Section 404: Ensuring a healthy immune system; What does Section 404 mean for business?; Information Technology: SOX in a Box; IT frameworks: Your template for compliance; COSO’s control framework; The SOX ripple effect; Paying Up: What’s SOX Going to Cost You?; SOX Costs Then; SOX Costs Now; Setting the Record Straight; Other Laws You Need to Know About; We’re All In This Together: Convergence; Japan’s J-SOX; Australia’s CLERP-9; Canada’s C-11; Basel II; Sorting Out the Benefits of SOX
  • Chapter 5: Fraud, Negligence, and Entropy: What Can Go Wrong and How to Prevent It
    Defining Fraud; Motivations for fraud; Sowing the seeds of fraud; Some common examples of fraud; The Barings Bank scandal: Operations risk extraordinaire; Negligence: More Likely Than Fraud; Entropy: Errors, Omissions, and Inefficiencies; Cleaning Up: The Mop-Up Operation; Thinking like an auditor; Making the computer your auditor
  • Chapter 6: Access Control and the Role of Roles
    Understanding Access Control and Roles; Getting a Handle on Access Control; Users and permissions; The roles revolution; How Access Control Got Messy; Every user is different; Virtual things are hard to track; IT and business don’t speak the same language; Exceptional circumstances dictate exceptional access; Large scale increases complexity; Getting Clean; Figuring out where you stand; Staying Clean; Managing Exceptional Access; The SAP Approach: SAP GRC Access Control; Where Do You Go from Here?
  • Chapter 7: Taking Steps toward Better Internal Controls
    Understanding Internal Controls; Exploring the Benefits of Better Controls; Benefit one: Business process improvement; Benefit two: Management by exception; Benefit three: Real-time monitoring; Benefit four: Mindset changes; Seeing How Automating Controls Makes Things Easier; Taking Five Steps to Better Internal Controls; Documentation: The mapping exercise; Testing: Real-time and historical; Remediation: Fixing the problem; Analysis: Reports for management; Optimization: Barring risk; Getting to Know the SAP Approach: SAP GRC Process Control; Single system of record; Continuous monitoring; Out-of-the-box monitoring; End-to-end internal controls
  • Chapter 8: It’s a Small World: Effectively Managing Global Trade
    Understanding Four Reasons Why Global Trade Is So Complex; Long supply chains; New regulations and security initiatives; Modernization of government IT systems; Increasing complexity of regulations; Figuring Out the Complexities of Importing; Classifying an item: What is it?; Making way for the goods: Pre-clearance; Making it through: Clearing Customs; Reconciling value: The step most often missed; Getting the lead out: Brand protection; Making Sure You’re Complying with All 19,391 Exporting Restrictions; Knowing who you’re dealing with; Obtaining the right export licenses; Knowing how the product will be used; Taking Advantage of the System: Trade Preference Management; Discovering the Different Ways to Manage Global Trade; Using the SAP Approach: SAP GRC Global Trade Services

Part III: Going Green
  • Chapter 9: Making Your Company Environmentally Friendly
    Discovering the Three Ps of Going Green: People, Processes, and Products; Going Green: It’s Not Just for Tree-Huggers Anymore; Understanding Why Your Company Should Go Green; Going Green Is Good Business; Enhance your image; Build trust with regulatory authorities; Influence future events; Implementing Green Practices; Trees matter; Let there be (green) light!; Water: To bottle or not to bottle?; Reduce your risk; Going Green Is also the Law; Compliance; Risks of noncompliance: Fines and public relations nightmares; A Final Word About Going Green
  • Chapter 10: Keeping Employees Healthy and Safe
    Keeping Your Employees Safe and Healthy: The Big Picture; Enabling and maintaining good health; Avoiding accidents; Healthy benefits equal employee recruitment retention; Moving Down the Road to Zero Accidents; Organizing and managing a comprehensive health and safety program; Assessing risks; Standardizing your procedures; Managing accidents; Inspecting your sites and creating new safety measures; Educating your employees; Making the Case for Automation and Integration; Taking the SAP Approach to Employee Health and Safety; The Occupational Health module; The Industrial Hygiene and Safety module
  • Chapter 11: Making Your Business Processes Environmentally Friendly
    Discovering Ways in which All Companies Can Go Green; Reducing Your Energy Use and Costs; Building, Renovating, and Cleaning with Sustainable Resources and Materials; Begin at the beginning with green design; Pick the right spot; Crunch your numbers; Make friends with your site plan; Reduce unnecessary strains on your HVAC; Exploit the advantages of technology; Command the water; Use green and recycled building materials; Build smart, build green; Renovate green; Clean green; Recycle; Reducing travel; Getting LEED Certified; Assessing Your Environmental Risks; Greening Manufacturing; Green legislation; EPA Clean Air Act; EPA Clean Water Act; Waste Electrical and Electronic Equipment (WEEE); Adopting Green Practices for Manufacturing; Establish an energy management program; Reduce emissions; Reduce waste; Deal with hazardous substances; Optimize occupational health; Promote industrial hygiene and safety; Ensure product safety; Taking the SAP Approach to Making Your Processes Environmentally Friendly; SAP Environmental Compliance; SAP Waste Management: A core component of SAP Environment, Health, and Safety
  • Chapter 12: Making Your Products Environmentally Friendly
    Discovering What It Takes to Make Products Environmentally Friendly; Figuring Out What Your Materials Are and What They Do; Defining hazardous materials; Defining dangerous goods; Realizing the Benefits of Compliance; The benefits of complying; The risks of failing to comply; Using Hazardous Materials Responsibly; Customer compliance management; Supplier compliance management; Compliance reporting; Comprehensive task management; Working with Hazardous Materials; Packing; Materials communications; Transporting materials; Keeping Up with Materials Legislation; Toxic Substances Control Act (TSCA); Registration, Evaluation, Authorization of Chemicals (REACH); Reduction of Hazardous Substances (RoHS); Exploring the SAP Approach to Product Compliance; Compliance for Products by TechniData (CfP); SAP EH&S

Part IV: Managing the Flow of Information
  • Chapter 13: Sustainability and Corporate Social Responsibility
    Discovering the Great Power and Responsibility of Big Companies; Getting the Lowdown on Sustainability; Discovering Why Sustainability Is Good Business; Managers recognize sustainability as a top priority; Stakeholders exert pressure; Sustainable businesses have better access to capital; Government regulations increasingly require it; Sustainability helps you manage risk; CSR protects your brand image; It helps you attract and keep the best employees; CSR is ethical; It helps business planning and innovation; CSR increases profits; Discovering the Possible Downside of CSR; Managing Sustainability Performance; The current reporting process is a mess; New tactics are required; Discovering Why an Automated Solution Is Needed; Sustainability reporting is a recurring problem; Huge amounts of data are involved; Integration is a plus; Automation creates supply chain transparency; Automation means auditability; Automation yields analytics and benchmarks; An IT solution speeds distribution of data
  • Chapter 14: IT GRC
    Getting a Handle on What IT GRC Is; Understanding IT Governance in Terms of Risk and Compliance; In terms of risk; In terms of compliance; Keeping up with the pace of change; Securing Your Software Applications; Taking basic application security measures; Consolidating security solutions; Making friends with the IT department; Keeping the Kimono Closed: Data Privacy; Protecting Key Corporate Assets: Intellectual Property; Cinching Up the Kimono; Leveraging the network; Other ways data can walk away; Protecting IT assets; Communication
  • Chapter 15: Turning On the Lights with GRC and CPM
    Turning On the Lights with CPM; Making the Case for CPM and GRC Integration; Understanding obstacles to integration; Instrumenting the enterprise; Collecting the payoff from CPM and GRC integration; Supplier concentration; Loan processing; Seeing CPM and GRC Integration in Practice; The intersection of actuals; Strategy, risk, and planning; Governance and strategy; Discovering the Reusable Technology of GRC; Repository; Document management; Case management; Workflow; Process modeling; Policy engine; Rule engine; Controls; Reporting; Standardized interfaces to components; Composite apps on the platform

Part V: The Part of Tens
  • Chapter 16: Top Ten GRC Strategies
    Evaluate Which of the Most Prevalent GRC Issues Apply to You; Adopt Best Practices; Implement Key GRC Strategies; Set Yourself Up for Success; Watch Out for Danger Signs; Define GRC Roles and Responsibilities; Shake Down the People Who Know; Move to Strategic Adoption of Automated Controls; Adopt Strategies for Cleaning Up Access Control; Getting Your GRC Project Going and Keeping It Going
  • Chapter 17: Ten Best Practices in Global Trade
    Automate or Else; Don’t Go to Pieces; Make Sure You Can Trust Your Partners; Avoid Importing Delays; Get On Board with the Government’s High-Tech Documenting Processes; Know Who is Allowed at the Party; Know Who You’re Shipping to; Get the Right Licenses; Take the Free Money; Leave a Paper Trail
  • Chapter 18: Ten Groups of GRC Thought Leadership Resources
    GRC Resources; Web sites; Blogs; Online journals; Risk Resources; Web sites; Blogs; Books; SOX Resources; Web sites and forums; Books; Financial Compliance Resources; J-SOX; Basel II; Foreign Corrupt Practices Act; Access Control and Process Control Resources; Web sites; Articles; Wikis; IT GRC Resources; Blogs; Global Trade Resources; Web sites; Blogs; Employee Health and Safety Resources; Web sites and online journals; Blogs; Articles; Going Green Resources; Web sites; Wikis; Articles; Blogs; Books; Sustainability Resources; Web sites; Articles; Blogs and books

Glossary
Index

About the Author:
Denise Vu Broady: Denise is SAP’s VP of Strategic Applications. She runs the SAP CFO Center of Excellence, a cross-solution team responsible for enabling customers to use SAP technology and products to transform the Office of the CFO. She has business development responsibility for the entire CFO portfolio of solutions, including Governance, Risk & Compliance (GRC); Enterprise Performance Management (EPM); and Spend Optimization. Denise has over 11 years of SAP-related experience. At SAP she has specialized in bringing new products to market; Denise played a central role in the launch of xApps, NetWeaver, Payroll Change Management, GRC and EPM. She came to SAP via the acquisition of TopTier where she was Product Manager. Earlier in her career, Denise gained hands-on SAP experience as a consultant on multiple R/2 and R/3 technical and functional projects. Denise has a BS in Management Science and Marketing from Virginia Tech and resides in New York City.

Holly A. Roland: Holly is the vice president of marketing for SAP’s Governance, Risk and Compliance (GRC) business unit. In this role, she is responsible for product strategy and marketing for SAP’s GRC products. Holly created the industry-leading executive advisory board for GRC, composed of customers, partners, and SAP executives, which facilitates collaboration among business executives and industry leaders to identify common GRC challenges, develop GRC best practices, and conceive of supporting technology solutions. Holly was instrumental in the integration of Virsa Systems and the successful design and execution of SAP’s GRC product launch in 2006. She publishes articles and serves as an expert speaker for international events and forums on GRC topics. Holly has more than 15 years of experience in financial accounting and reporting, regulatory compliance, business analytics, and enterprise software marketing and development. Prior to joining SAP, she led product strategy, marketing, and product management operations at Virsa Systems, Oracle Corporation, Hyperion Solutions, and Movaris. Holly also served as a public accountant for PriceWaterhouseCoopers where she audited large public companies and provided business consulting. Holly graduated cum laude from Santa Clara University with a BS in Commerce. She is based in SAP Labs in Palo Alto, California.


Product Details
  • ISBN-13: 9780470385616
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: For Dummies
  • Language: English
  • ISBN-10: 0470385618
  • Publisher Date: 04 Aug 2008
  • Binding: Digital download
  • No of Pages: 368

