An Integrated Approach to GRC

How Today’s Risks Are Best Addressed by the 3 Lines of Defense

Published: 07/November/2017

Reading time: 4 mins

Cybersecurity is top of mind for finance and governance, risk, and compliance (GRC) professionals, and for good reason — cyberattacks are in the news on a near-daily basis. Regardless of company or industry, cyberattacks are coming at an increasing frequency, and for one clear reason: The value of companies’ data is growing. Because companies can store more data of more types than ever before, they hold information that could be valuable to nearly any kind of nefarious agent, whether it’s the personal information of employees, the company’s internal financial data, or transactional data of business partners.

Some might think technology measures alone are the solution to cyberattacks. And while solutions targeted at cybersecurity specifically, like SAP Enterprise Threat Detection, do a great job at mitigating these risks, a more holistic GRC approach is the only way for companies to protect themselves in the digital age. Holistic enterprise risk management is the core of a company’s proactive, sense-and-respond, risk mitigation capability.

Building 3 Lines of Defense — and Beyond

This need for an integrated approach is why SAP believes in the three lines of defense[1] — protecting an enterprise’s operations, providing risk and compliance policies and oversight, and, as the last line of defense, ensuring that auditors can track and verify the first two lines. SAP’s traditional GRC solutions — such as SAP Process Control, SAP Risk Management, and SAP Audit Management — map clearly to the three-lines-of-defense approach.

Closely related are access governance issues. While much of the talk around cybersecurity focuses on external threats, internal threats are in some cases even more dangerous, which is why access needs to be closely controlled. SAP Access Control, SAP Identity Management, SAP Enterprise Threat Detection, and SAP Single Sign-On can help companies keep their system access under control, but with the proliferation of cloud solutions and network connections outside the business, additional governance is needed.

This was the motivation behind SAP Cloud Identity Access Governance, which combines features of identity and access solutions into an easy-to-use interface that more closely meets the needs of companies relying on cloud solutions. Built on SAP Cloud Platform and introduced in 2016, SAP Cloud Identity Access Governance will offer flexible capabilities for today’s hybrid landscapes. 

Managing Fraud in Today’s Business Environments

But just as threats — and the fraudsters and hackers who perpetrate them — have become more sophisticated, so too have solutions to combat those threats; SAP’s portfolio is expanding in its coverage. Fraud, for example, has been an issue that businesses have had to combat for years. In the past, they’ve had to rely principally on locating fraudulent activities after the fact, and then taking action.

With SAP Business Integrity Screening, companies can deter fraud by scanning activities in real time. And since SAP Business Integrity Screening is powered by SAP HANA, companies are able to rely on real-time response to keep up with potential risks. Anomalies can be filtered via advanced machine-learning capabilities, and high-probability risks can be investigated and even flagged for a full audit.

It doesn’t stop there, however — you can monitor performance and create reports that map to key performance indicators (KPIs) to ensure that your program is on track as time goes on. And those KPIs and other threat detection criteria will be refined over time, as you can perform what-if analysis on historical data, allowing you to more precisely determine what actions are correlated with, or lead to, fraudulent activities. All of this functionality leads to faster and better detection, quicker response time, and, ultimately, less downside exposure to the business.

An important feature of SAP Business Integrity Screening is that it is not just focused within or outside the organization — it can monitor across the entire business network. It can easily process diverse lists of questionable business partners, high-risk geographies, and adverse media information, as identified by governmental agencies or private organizations, to address third-party risk.

With GRC functions like risk management, fraud monitoring, and access governance, companies can be confident that their programs are not just compliant, but are driving real business benefit.

A Holistic Approach to Today’s Threats

A good GRC program has never been solely about checking the right boxes for compliance, but in today’s business climate, it’s even more critical that organizations approach it holistically.

The three-lines-of-defense approach encapsulates this holistic view and makes the GRC function provide a strategic benefit to the company. For more information, visit SAP.com/grc.


[1] For more information, see Bruce McCuaig’s article “Gain Control and Mitigate Risk” in the April-June 2016 issue of SAPinsider (SAPinsiderOnline.com).
