See how to leverage the governance structures inside SAP solutions for GRC for product compliance.
Key Concept
Similar to Segregation of Duties (SoD) in financial compliance, you can use process controls to define Delegation of Responsibilities (DoR) in SAP solutions for GRC for product compliance. DoR is based on the concept of a responsibilities matrix used for governance of all product compliance initiatives.
Compliance management for process approvals and regulatory reporting is an ever-increasing burden for product manufacturers. Companies in the high tech and consumer products industries have led the way with consumer-friendly “take-back” programs such as printer toner cartridge reclamation and cellular phone and computer peripheral disposal. These programs are examples of new business processes and practices that fundamentally reduce the quantity of substances (such as the lead in solid-state and integrated circuitry) that find their way to incinerators and landfills. Just as it does for financial and process controls, SAP solutions for GRC can provide the cornerstone for a product compliance framework.
Many product compliance regulations, particularly those dealing with quality management or material content initiatives, require intensive data gathering and information reporting across the entire value chain, whether to an original equipment manufacturer (OEM) or to a governmental or non-governmental organization (NGO). The European Union has for some years led hazardous substance reporting requirements by enacting regulatory measures addressing the consumer electronics and telecommunications (Waste Electrical and Electronic Equipment – WEEE), automotive (End-of-Life Vehicles – ELV), discrete industries (Restriction of Hazardous Substances – RoHS), and process chemical (Registration, Evaluation, Authorisation and Restriction of Chemicals – REACh) industries. Similar regulatory and statutory requirements are increasing on a global basis, as are other “green initiative” requirements flowing from customers to their suppliers and industry-focused requirements such as “halogen free.”
You can use role-based responsibilities, executed by stakeholders in the organization, in SAP solutions for GRC to govern product compliance activities. For example, a chief engineer can determine the access to and flow of compliance reporting documents, value chain exposure, and downstream responsibilities across product families and mixes throughout the product development life cycle. To do this, you identify the actors in SAP HR and create specific compliance roles for these actors, together with program definitions, reporting forms, and timelines, in SAP solutions for GRC.
Similar to the financial process controls that govern Segregation of Duties (SoD) for Sarbanes-Oxley Section 404(a) reporting, a product compliance framework can use the access control capabilities of SAP solutions for GRC to create Delegation of Responsibilities (DoR) in the form of a role-based responsibilities matrix. As an example, the chief engineer can look across the product family set, identify the reporting needed to meet the compliance requirements for each product family, and create a rules-based access layer that appoints actors to address compliance activities within their given area of responsibility.
To understand why this matters, consider the capability maturity model that applied when similar process controls were implemented for Sarbanes-Oxley financial compliance. In the early phases of Sarbanes-Oxley implementation, most companies addressed the new financial compliance requirements by auditing current processes, documenting the active and passive control mechanisms for each business process, and then creating a series of positions within a new compliance-focused organization to monitor those controls.
The leading organizations, however, use technology to embed a larger portion of their financial controls into their existing business processes. The development of SAP solutions for GRC is a perfect example: SAP users required a more sophisticated and consistent set of control mechanisms than could be achieved through workflow and custom code, and SAP developed SAP solutions for GRC to close that gap with a consistent technology framework.
Where financial control and product compliance processes diverge, however, is in the sheer number and complexity of external reporting entities and requirements. Sarbanes-Oxley reporting tends to be largely internally focused, with limited specific external reporting requirements, whereas meeting product compliance requirements generally means producing very specific external reports on very discrete elements of your product’s make-up (e.g., its bill of materials or recipe).
Instead of relying on after-the-fact reporting, SAP solutions for GRC automate the control mechanisms and push the control points down to the knowledgeable user who can take action. For product compliance scenarios, this can be as far down as the product engineers. You need to configure SAP solutions for GRC with the compliance activities (process controls) it should enforce. For Sarbanes-Oxley this is a largely internal set of rules, but for product compliance SAP solutions for GRC must take into account all the regulatory requirements covering the products and geographies in which the company operates.
It is possible to configure these rules within SAP solutions for GRC, but you can also look to third-party software extensions to your SAP system in this space. These extensions take advantage of the SAP Environment, Health, and Safety (SAP EH&S) core application, which tracks the regulatory status and hazardous substance content of products. Figure 1 shows how a combined third-party GRC tool and SAP EH&S solution works. The solution embeds the basic governance model in the business process, eliminating much of the overhead of a separate compliance department. Further, by presenting compliance issues directly to the engineers who can make the changes, a company can be both more proactive in avoiding potential issues and more responsive when issues do arise.

Figure 1
Sample GRC product compliance framework supported by SAP EH&S, cProjects, and third-party software
One of the key advantages of combining SAP EH&S with SAP solutions for GRC is the responsibility matrix governing DoR. The general solution path starts by providing global role-based access for a compliance manager. This is akin to architecting SAP Financials with a single company code for a global company: it is a good pilot starting point, but you need to scale the architecture beyond it. You then refine the responsibility matrix in SAP solutions for GRC by defining the appropriate flow-down requirements based on the process and the particular roles in that process. This allows access and security to be granted by role, product category, region, and plant according to a user’s particular profile, so that each actor can act only within his or her own area of responsibility.
Similar to regulatory compliance, in SAP solutions for GRC you can govern the approval steps by which you develop and market a product in the New Product Introduction (NPI) process. These processes are generally industry-driven across the value chain and include Advanced Product Quality Planning (APQP – automotive), Production Part Approval Process (PPAP – automotive, industrials), and Corrective and Preventive Action (CAPA – high tech). In these and other scenarios, you establish the responsibility matrix for DoR in SAP solutions for GRC and can then leverage these roles in a process solution.
Various templates exist for the use and development of product compliance processes, and you can express them in relatively short order in a cProjects environment. There, you can manage products or product families by portfolio in SAP solutions for GRC.
A good example is the automotive APQP process, which enables automotive suppliers to ensure the quality of their design and parts as they are built and then received by manufacturing customers. The templates for APQP are available from the Automotive Industry Action Group (AIAG) in Microsoft Excel format. You can tailor and structure these Excel tables into the cProjects environment based on a stage-phase approach, form content, and compliance documents. Figure 2 shows an example of such a format; I accessed this screen by launching the cProjects environment and selecting the project space created for the APQP project team.

Figure 2
Develop a control plan during the APQP compliance process
As with the previous example, you can also define the quality manager in the responsibility matrix in SAP solutions for GRC. You do this by developing the role in the project environment and granting access to that role in SAP GRC Access Control. The quality manager then has access to particular products or product families based on his or her authorizations inside the SAP system. The quality manager can initiate the APQP compliance process for those products; check the completion status of the compliance documents, the assignments to other team members, and other notations; and then print the required documents or transmit them electronically (XML, email, EDI, and so on) as the manufacturing customer requires. In the example shown in Figure 3, I launched a pre-populated control plan in cProjects, which shows the information contained in the project for the particular work step in the APQP process. Often, especially in the automotive and industrial segments, compliance requirements do not call for printed documents at all: electronic forms archived to a shared file or transmitted by EDI or XML suffice.

Figure 3
Control plan document template via cProjects for APQP compliance process
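The responsibility matrix with scope flow-down described above (a global compliance manager delegating narrower, role-based responsibilities by product family, region, and plant) and the scoped quality-manager access shown around Figure 3 can be modelled as a small access check. The following Python is an added example written for this article; it is not SAP code, not a cProjects or GRC Access Control API, and not the author's own implementation. The role names, activity names, user IDs, product family, region, and plant values are all assumptions constructed for illustration. It shows two rules a practitioner would want enforced: an actor may perform an activity only where his or her assigned scope covers the object, and nobody can delegate a scope wider than the one he or she already holds.

```python
"""Role-based responsibility matrix (DoR) with scope flow-down.

Added example; not SAP code. Role names, activities, user IDs, product
families, regions and plant numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

ANY = "*"  # wildcard: unrestricted on that dimension (global scope)


@dataclass(frozen=True)
class Scope:
    """The area of responsibility an assignment applies to."""
    product_family: str = ANY
    region: str = ANY
    plant: str = ANY

    def covers(self, other: "Scope") -> bool:
        """True when every dimension of self is a wildcard or equals other's.

        A global scope covers everything; a plant-level scope covers only
        objects in that product family, region and plant.
        """
        pairs = zip(
            (self.product_family, self.region, self.plant),
            (other.product_family, other.region, other.plant),
        )
        return all(mine == ANY or mine == theirs for mine, theirs in pairs)


# Process controls each role may execute (hypothetical activity names).
ROLE_ACTIVITIES: Dict[str, Set[str]] = {
    "compliance_manager": {"define_program", "delegate", "approve_control_plan", "transmit_report"},
    "quality_manager": {"start_apqp", "review_status", "delegate", "transmit_report"},
    "product_engineer": {"edit_control_plan", "attach_compliance_doc"},
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    scope: Scope


class ResponsibilityMatrix:
    """Who holds which role over which scope, plus the checks that enforce it."""

    def __init__(self) -> None:
        self._assignments: List[Assignment] = []

    def grant_global(self, user: str, role: str) -> Assignment:
        """Seed the pilot state: a single global-scope assignment."""
        a = Assignment(user, role, Scope())
        self._assignments.append(a)
        return a

    def can(self, user: str, activity: str, target: Scope) -> bool:
        """May `user` perform `activity` on an object within `target`?"""
        return any(
            a.user == user
            and activity in ROLE_ACTIVITIES[a.role]
            and a.scope.covers(target)
            for a in self._assignments
        )

    def delegate(self, grantor: str, grantee: str, role: str, scope: Scope) -> Assignment:
        """Flow-down rule: a grantor may delegate only within a scope the grantor
        already covers, and only if the grantor's role permits delegation.
        Scope narrows as it moves down the hierarchy; it never widens."""
        if not self.can(grantor, "delegate", scope):
            raise PermissionError(f"{grantor} may not delegate {role} over {scope}")
        a = Assignment(grantee, role, scope)
        self._assignments.append(a)
        return a

    def matrix(self, target: Scope) -> Dict[str, Set[str]]:
        """The responsibility matrix for one object: user -> permitted activities."""
        out: Dict[str, Set[str]] = {}
        for a in self._assignments:
            if a.scope.covers(target):
                out.setdefault(a.user, set()).update(ROLE_ACTIVITIES[a.role])
        return out


def build_demo() -> ResponsibilityMatrix:
    """Constructed sample chain: global compliance manager -> EMEA powertrain
    quality manager -> product engineer at plant 1000."""
    m = ResponsibilityMatrix()
    m.grant_global("cm.global", "compliance_manager")
    m.delegate("cm.global", "qm.emea", "quality_manager", Scope("powertrain", "EMEA"))
    m.delegate("qm.emea", "eng.1000", "product_engineer", Scope("powertrain", "EMEA", "1000"))
    return m


if __name__ == "__main__":
    m = build_demo()
    plant_1000 = Scope("powertrain", "EMEA", "1000")
    for user, acts in sorted(m.matrix(plant_1000).items()):
        print(f"{user:10s} {sorted(acts)}")
    # An engineer scoped to plant 1000 cannot touch plant 2000's control plan.
    print(m.can("eng.1000", "edit_control_plan", Scope("powertrain", "EMEA", "2000")))
    # The EMEA quality manager cannot delegate outside EMEA powertrain.
    try:
        m.delegate("qm.emea", "eng.x", "product_engineer", Scope("chassis", "EMEA", "1000"))
    except PermissionError as exc:
        print("refused:", exc)
```

The `matrix()` call is the responsibility matrix for one object: it answers "who may do what for this product family at this plant," which is the view a compliance manager or auditor wants. The `delegate()` check is where least privilege is enforced; in a real SAP GRC Access Control setup the equivalent is the combination of role design and the organizational-level restrictions in the user's authorizations, and the assignment itself should be captured in an audit trail.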

William Newman
William Newman, MBA, CMC, is managing principal of Newport Consulting Group, LLC, an SAP partner focused on EPM and GRC solutions. He has over 25 years of experience in the development and management of strategy, process, and technology solutions spanning Fortune 1000, public-sector, midsized, and not-for-profit organizations. He has been a Certified Management Consultant (CMC) since 1995, a qualified trainer with the American Society for Quality (ASQ) since 2000, and a trained Social Fingerprint consultant in social accountability since 2012. William is a recognized ASUG BusinessObjects influencer and a member of SAP’s Influencer Relations program. He holds a BS degree in aerospace engineering from the Henry Samueli School of Engineering and Applied Science at UCLA and an MBA in management and international business from the Conrad L. Hilton School of Management at Loyola Marymount University. He is a member of the adjunct faculty at both Northwood University and the University of Oregon, with a focus on management studies and sustainability, respectively.
If you have comments about this article or BI Expert, or would like to submit an article idea, please contact the editor.
You may contact the author at wnewman@newportconsgroup.com.