In a conspicuous pattern, software vendors are gradually shifting their emphasis from Governance, Risk, and Compliance (GRC) to Integrated Risk Management (IRM). Naturally, this change in emphasis raises the question: what is the difference between the two?
The main difference is that today’s threats are increasingly digital and cyber-related, so a more integrated approach is needed. The real question is whether the anticipated results of IRM can be attained with the technologies available today. For an organisation running SAP GRC, we think the simple answer is yes.
IRM is an approach that combines the entire risk, control, and audit environment, breaking down silos to provide a risk perspective across the company and empowering decision-making at all levels.
SAP Access Control is the best-known component of SAP GRC, but SAP Process Control and SAP Risk Management sit alongside it in the very same installation. Despite having a lot to offer, these modules frequently remain deactivated.
Therefore, SAP customers looking to strengthen their overall risk management function already have the solutions available; they are only waiting to be turned on.
IRM Foundations And Audit Implications
With the three SAP GRC modules running in unison, companies have a comprehensive approach to identifying and managing risk across their organization. Risk-responsive controls allow the company to mitigate and reduce the overall impact of each risk. Segregation of duties (SoD) risks can be detected and controlled automatically. Configuration changes across the entire SAP estate can be controlled, and any instances of unauthorized access detected. Once the foundations of an IRM platform are in place, this capability can be built out further over time.
This makes it possible to support internal audit in the SAP risk control process by surfacing a wealth of data, putting an end to process-based audits. Auditors gain insight into all of the company’s business processes, as well as the safeguards implemented across each process’s functions, and can therefore assess the degree of risk in each business area more accurately.
This increased visibility into risk and enforced controls is critical in helping audit teams understand the company’s ‘live’ status, something they normally struggle to obtain.
Traditionally, auditors keep this knowledge in their own spreadsheets and update them only after completing an audit of a specific region. With audits coming around every 12-36 months, the details in those documents will be obsolete by the time they are used.
Instead, with an IRM (or GRC) platform in place, the audit function can automatically pull the current risk data and control status for every business function. This information can then be fed automatically into the audit management solution for a fully joined-up approach.
Being audited is typically a significant drain on a business’s finances. Continuously collecting audit-relevant data through IRM, however, makes the process smoother, more efficient and therefore cheaper: the information audit teams need is at their fingertips when they come to conduct their assurance work.
IRM Adoption By SAP Customers
While IRM is designed to address the challenges of a siloed risk strategy, that siloed set-up is often the greatest impediment to implementing it. In many businesses, IT manages IT risks, health and safety manages health and safety risks, and so on. Risk functions that affect the whole company do not communicate with one another, which also means there is no central owner of the entire risk spectrum.
In response to this lack of ownership, some companies are now seeking to strengthen group GRC roles, bringing departmental leads on board to create a consistent, structured risk and control management strategy. A centralized interface and a structured approach to risk and control make reporting more cohesive and streamlined.
Using GRC to implement an IRM approach (SAP Risk Management) allows information to be gathered and reporting automated in a simple, repeatable format, freeing the risk management team to mitigate risk proactively across the company. These tools can also combine information from different data sources to strengthen enterprise risk analysis, building in feeds such as control performance or risk remediation status that enhance board reporting.
SAP customers already have the tools they need to support an integrated risk management function. Identifying each division’s requirements for managing and reporting on risk is the place to begin.