Risk and compliance
What is GRC?
GRC describes an organization’s integrated approach to governance, risk and compliance. It typically encompasses activities such as governance, enterprise risk management (ERM), internal controls, regulatory compliance and internal audit.
Governance aligns risk activities with the strategic objectives of the business. Governance activities establish clearer accountability and reporting, increase visibility of the risks that matter most to the organization, and improve decision-making:
- Setting the business strategy and objectives
- Establishing the organization’s culture and values
- Defining the roles and responsibilities of risk governance bodies
- Determining risk appetite
- Setting standards and policies
Risk management embeds risk activities into business functions and processes and helps to ensure they are optimized across the enterprise. The following activities supply the data for predictive analytics that links risk indicators to business performance drivers and identifies trends and anomalies for rapid response:
- Identifying and assessing risks that affect the organization’s ability to achieve its business objectives
- Determining risk response strategies
- Defining control activities
Compliance establishes the controls and processes needed to meet regulatory and business requirements. The following activities integrate automated control measures and continuous monitoring into the transaction processing cycle, giving transparency over risks and controls and reducing the number of transactions processed “at risk”:
- Testing adherence to control activities, policies, standards and commitments
- Addressing issue management, tracking and remediation
SAP GRC Process Control enables an organization to automate its internal control model and compliance monitoring, reducing the effort required of the organization and giving the executive committee greater assurance over the security of operations.
- Control repository centralization: creates a repository that centralizes all the documentation processes and management of the internal control model, allowing early detection of configuration and master data changes.
- Integration: increases integration and coordination among business, IT and compliance, allowing the embedding of internal controls into the business processes.
- Automation: enforces the internal control model and reports control exceptions in real time, which increases confidence in the effectiveness of controls by reducing the “human error” factor and improves the efficiency of the internal control model.
- Periodic and continuous monitoring: sends real-time notifications of potential control failures based on established business rules, raises alerts on production change anomalies that may indicate fraud, improves test effectiveness by letting configured controls test the full population rather than a sample (100% coverage), and increases operational efficiency through standardization and policy management.
- Cross-system visibility: provides a unified repository of compliance information for efficient management of multiple initiatives and better visibility of process-related risk exposure and control testing throughout the enterprise.
SAP GRC Access Control is a suite of solutions that automates the organization’s access control model through a two-phase approach: first the organization detects and remediates its existing segregation of duties (SoD) violations, then an automated process keeps the access model clean by checking new access before it is granted.
- Role centralization: centralized and consolidated role design and definition that is business centered and compliance enabled.
- Access monitoring and control: automated emergency access management with integrated monitoring and reporting. Access anomalies indicating possible fraudulent activity are identified through alerts, and access request scenarios can be simulated across business processes and applications before access is granted.
- Automation: automated workflows that support the end-to-end access management process, such as self-service user access requests and the related approval processes.
- Compliance: compliant continuous control of access (including authorization), helping to enable the segregation of duties (SoD) management across the enterprise.
- Protection: proactively helping to protect information and preventing fraud through automated access risk analysis and remediation.
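The two phases described above (detect and remediate existing SoD violations, then keep the model clean by simulating access requests before approval) come down to one analysis: take the union of the actions a user's roles grant and check that union against a rule set of conflicting action pairs. The following is an added example of that analysis, not SAP GRC Access Control's own code; the role catalogue, the rule IDs (SOD-AP-01 and so on), the mitigating control CTRL-042 and the user assignments are all constructed for illustration. It shows why the check has to run over the combination of roles rather than role by role: neither AP_CLERK nor AP_PAYMENT is a problem on its own, but together they let one person create a vendor and pay it.

```python
"""Segregation-of-duties (SoD) risk analysis over a user's aggregated authorizations.

Added example; not SAP GRC Access Control's own code. The role catalogue, the
conflict rules, the mitigating control and the user assignments below are
constructed for illustration.
"""

# Constructed role catalogue: role name -> business actions the role grants.
ROLES = {
    "AP_CLERK":     {"vendor.create", "invoice.enter"},
    "AP_APPROVER":  {"invoice.approve"},
    "AP_PAYMENT":   {"payment.release"},
    "VENDOR_MAINT": {"vendor.create", "vendor.change_bank"},
}

# Constructed SoD rule set: (rule id, action A, action B, description).
# A user who can perform both A and B violates the rule, whichever roles
# the two actions come from.
SOD_RULES = [
    ("SOD-AP-01", "vendor.create", "payment.release",
     "Create a vendor and release payments to it"),
    ("SOD-AP-02", "invoice.enter", "invoice.approve",
     "Enter and approve the same invoice"),
    ("SOD-AP-03", "vendor.change_bank", "payment.release",
     "Change vendor bank details and release payments"),
]

# Constructed mitigating controls: (user, rule id) -> control id. A documented
# compensating control (e.g. a monthly review of payments) lets a known
# violation be accepted rather than remediated, but it must be recorded.
MITIGATIONS = {("carol", "SOD-AP-02"): "CTRL-042"}


def effective_actions(assigned_roles, roles=ROLES):
    """Union of the actions granted by every assigned role. Unknown roles raise."""
    actions = set()
    for role in assigned_roles:
        actions |= roles[role]
    return actions


def analyze_user(user, assigned_roles, roles=ROLES, rules=SOD_RULES,
                 mitigations=MITIGATIONS):
    """Return the SoD violations for one user.

    Each violation records which roles grant each conflicting action, so a
    reviewer can see that the conflict comes from the combination of roles.
    """
    actions = effective_actions(assigned_roles, roles)
    violations = []
    for rule_id, a, b, description in rules:
        if a in actions and b in actions:
            violations.append({
                "user": user,
                "rule": rule_id,
                "description": description,
                "via_a": sorted(r for r in assigned_roles if a in roles[r]),
                "via_b": sorted(r for r in assigned_roles if b in roles[r]),
                "mitigated_by": mitigations.get((user, rule_id)),
            })
    return violations


def detect_phase(assignments, **kw):
    """Detective run over the whole user population: unmitigated violations only."""
    return [v for user, user_roles in assignments.items()
            for v in analyze_user(user, user_roles, **kw)
            if v["mitigated_by"] is None]


def simulate_request(user, current_roles, requested_roles, **kw):
    """Preventive check for an access request: report only the violations the
    requested roles would introduce, so the approver sees the delta."""
    before = {v["rule"] for v in analyze_user(user, current_roles, **kw)}
    after = analyze_user(user, list(current_roles) + list(requested_roles), **kw)
    return [v for v in after if v["rule"] not in before]


# Constructed user-to-role assignments.
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "AP_PAYMENT"],   # conflict arises across two roles
    "bob":   ["VENDOR_MAINT"],             # clean on its own
    "carol": ["AP_CLERK", "AP_APPROVER"],  # violation, covered by CTRL-042
}

if __name__ == "__main__":
    for v in detect_phase(ASSIGNMENTS):
        print(f"{v['user']}: {v['rule']} via {v['via_a']} + {v['via_b']}")
    for v in simulate_request("bob", ASSIGNMENTS["bob"], ["AP_PAYMENT"]):
        print(f"request for bob would introduce {v['rule']}: {v['description']}")
```

The detective run reports only alice, because carol's conflict is covered by a recorded mitigating control; the preventive check on bob's request for AP_PAYMENT flags two rules that would be introduced, which is the information an approver needs to reject the request or attach a mitigation before it is provisioned.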
GRC technology creates value, reduces costs and improves risk performance: it enables the organization to automate, standardize and streamline processes, build a holistic view of risk and compliance, and analyze business intelligence in real time.