
Turning risk into results

Enabling risk management with SAP GRC

What we are seeing in the market
Organizations today are struggling with managing risks across the enterprise. External and internal risk
management requirements are becoming increasingly complex and intrusive, while the demand for more
comprehensive, consolidated and actionable governance, risk and compliance (GRC) information continues
to increase. The historic approach of managing risk in silos across different teams, processes, methods and
infrastructure cannot keep up with these requirements. Risk management has become a growing operational
and financial burden, limiting its ability to keep pace with business growth and transformational initiatives.
This is the right time to learn about opportunities to transform your risk management program by enabling it
through an SAP GRC Risk Management solution that can:
Create improved visibility and integration by linking various risk and control frameworks
Lower the cost of risk management through the elimination of duplicate and fragmented risk activities and minimization of manual processes
Increase efficiencies through automation and end-to-end process centralization
What are the opportunities at your company?
Our recent Ernst & Young global survey of more than 250 leading organizations found a direct link
between effective risk management practices and improved financial performance. Harnessing the
power of GRC technology to improve risk information, streamline processes and reduce cost was
both the biggest challenge and opportunity in achieving the needed risk management maturity.

Typical current state: Increasing complexity
  Multiple and manual risk management processes
Mature state: Simplified
  Significant workflow automation
  Centralized risk and risk assessment management
  Integration with other SAP GRC modules

Typical current state: Reactive
  Fragmented, manual and ad hoc reporting
  Inability to produce a consolidated heat map
Mature state: Proactive
  Consistent and real-time reporting
  Centralized and consolidated heat map
  Drill-down capabilities

Typical current state: Fear of unknown
  Lack of confidence that all risks were captured
Mature state: Visibility
  Consolidated views and end-to-end risk management processes
  Scheduled risk assessment activities
  Ability to improve audit activities

Typical current state: Cost pressures
  Lack of centralization
  Significant impact on business
Mature state: Cost-efficient
  Centralized processes
  Reasonable impact on business
  Ability to manage risks at multiple organizational levels

Typical current state: Inconsistent approach
  Inconsistent approach to capture and assess risks across the organization
Mature state: Consistent
  Central end-to-end process
  Automated risk activities

SAP GRC Risk Management can enable your risk agenda
Significant workflow automation
Centralized risk and risk assessment management
Integration with other SAP GRC modules

Resulting in the following benefits:
Improved alignment to the objectives and strategy of the business
Central management of financial, operational and compliance risks across organization and technology platforms
Increased integration and coordination among business, IT and compliance
Automated risk assessment process
Flexibility to accommodate various risk models and execute scenario simulations
Sustainability of risk management process
User-friendly reporting
Elimination of duplicate and fragmented risk management activities
Reduced level of effort associated with performing risk management activities
Streamlined distribution and approval of risks and surveys
Comprehensive and continuous risk management and monitoring
Proactive identification of risks
Improved visibility and integration across manual and fragmented risk activities
Better aligned risk coverage, including the identification of stronger, more pervasive controls
Improved visibility to risks that matter most to the organization, enabling resources to proactively focus on the most significant risks

Improve controls and processes
  Better aligned risk coverage, including the identification of stronger, more pervasive controls
  Reduced level of effort associated with performing and testing controls
  Increased control and process efficiencies enabled through automation and continuous monitoring
  Improved control mix that addresses key business risks while driving process efficiencies

Embed risk management
  Comprehensive and continuous risk management and monitoring
  Central management of financial, operational and compliance risks and controls across organization

Enhance risk strategy
  Improved alignment to the objectives and strategy of the business
  Improved visibility to risks that matter most to the organization
  Proactive identification of risks
  Enhanced decision-making

Optimize risk management functions
  Elimination of duplicate and fragmented risk management activities
  Increased integration and coordination among business, IT and compliance
  Sustainability of risk management process
  Effective top-down and bottom-up reporting

[Figure: "Turning risk into results" risk agenda wheel with four segments (Enhance risk strategy, Embed risk management, Optimize risk management functions, Improve controls and processes) and the labels Risk, Cost and Value.]

Next steps to improve your risk management landscape
Maturity models and leading-practice benchmarks: assist with assessing the current state against leading practice (enterprise-wide technology, GRC technology and processes/controls) and identifying opportunities for improvement.
SAP GRC demo environment: demo environment for all the latest versions of software, including SAP GRC 10.0 for Access Control, Process Control, Risk Management and Global Trade Services.
EY RiskUniverse: industry-specific risk universes, process-normative models and key business risks linked to application-specific controls that can be used to customize SAP GRC demos.

Baseline enterprise-wide GRC technology maturity model

Optimize enterprise application landscape
  Single ERP vendor as primary choice for global corporate functions
  Aggressively rationalize application portfolio and licensing
  Centrally developed architectural blueprints and standards adopted

Simplify enterprise application landscape
  Rationalize application portfolio and licensing alignment
  Single ERP vendor by function
  Architectural standards and blueprints alignment

Leverage enterprise application landscape
  Some application rationalization
  Leverage unused ERP functionality and integration
  Limited adoption of architectural standards

Deployment options
  Application rationalization/Decommissioning
  Point solutions and custom applications
  Inconsistent architectural landscape

[Figure: maturity curve with axes "Technology enablement" and "Benefits" across four stages (Deploy technology, Leverage technology, Simplify technology, Optimize technology). Benefit labels: Maximize IT organizational efficiency, Status quo, Maximize cost reduction, Maximize organizational effectiveness. Callouts: "Where is Co X?" and "What is your future state?"]

GRC technology benchmarking metrics

Percentage (%) of primary controls that are automated.
  Top: 66%   Low: 9%   Median: 20%
Percentage (%) of IT budget related to providing IT support services.
  Top: 46%   Low: 17%   Median: 30%
Average cycle time in days (including weekends) from identification of a change in risk till risk response.
  Top: 30 days   Low: 74 days   Median: 55 days
Average cycle time in days (including weekends) from the identification of a control violation until it is reported.
  Top: 2 days   Low: 14 days   Median: 5 days
Technology cost associated with reporting on internal controls and compliance per $100,000 revenue.
  Top: 0.2   Low: 3.8   Median: 1.1

Legend: Co X current state
Note: Cross-industry technology, internal controls, and process benchmarks obtained from APQC.
Figure labels: Automation; Portfolio rationalization; Automation; Automation; Portfolio simplification

Rapid GRC technology diagnostic provides accelerated current state assessment of your GRC processes and technology, allowing you to identify realizable value and develop a future state road map to achieve it.

SAP GRC demo facilitates mapping of business requirements to SAP GRC functionality and could be used to develop an initial business case for implementing SAP GRC.

Why Ernst & Young?
Global and flexible approach with a focus on SAP GRC
Knowledgeable team with practical experience in process, risk and technology disciplines
Industry-specific content and enablers
Leading-practice assessment diagnostics and leverage models
Service delivery model design and key performance indicators

Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000
people are united by our shared values and an unwavering commitment to quality. We make a difference by
helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which
is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide
services to clients. For more information about our organization, please visit www.ey.com.
2012 EYGM Limited.
All Rights Reserved.
BSC No. 1204-1353150 | EYG No. AU1190
This publication contains information in summary form and is therefore intended
for general guidance only. It is not intended to be a substitute for detailed research
or the exercise of professional judgment. Neither EYGM Limited nor any other
member of the global Ernst & Young organization can accept any responsibility for
loss occasioned to any person acting or refraining from action as a result of any
material in this publication. On any specific matter, reference should be made to the
appropriate advisor.
ED 0113
Our services
Rapid GRC technology diagnostic
GRC technology vendor selection
GRC technology implementation and assessments
Risk transformation enabled by GRC technology
RiCAP: collects and analyzes process, risk and controls data to help align risk spend to strategic and business objectives by maximizing risk coverage and identifying control cost drivers.