SAP® GRC For Dummies®

Book Description

Governance, risk, and compliance—these three big letters can add up to one giant headache. But GRC doesn't have to be a boil on your corporate behind. SAP GRC For Dummies untangles the web of regulations that confronts your company and introduces you to software solutions that not only keep you in compliance, but also make your whole enterprise stronger.

This completely practical guide starts with a big-picture look at GRC and explains how it can help your organization grow. You'll find out why these regulations were enacted; what you can do to ensure compliance; and how compliance can help you prevent fraud, bolster your corporate image, and envision and execute the best possible corporate strategy. This all-business handbook will help you:

  • Understand the impact of Sarbanes-Oxley

  • Control access effectively

  • Color your company a greener shade of green

  • Source or sell goods internationally

  • Keep your employees safe and healthy

  • Ensure that data is kept secret and private

  • Manage information flow in all directions

  • Enhance your public image through sustainability reporting

  • Use GRC as the basis for a powerful new corporate strategy

Complete with enlightening lists of best practices for successful GRC implementation and conducting global trade, this book also puts you in touch with thought leadership Web sites where you can deepen your understanding of GRC-based business strategies. You can't avoid dealing with GRC, but you can make the most of it with a little help from SAP GRC For Dummies.

    Table of Contents

    1. Copyright
    2. About the Authors
    3. Authors' Acknowledgments
    4. Introduction
      1. About This Book
      2. Foolish Assumptions
      3. How This Book Is Organized
        1. Part I: Governance, Risk, and Compliance Demystified
        2. Part II: Diving into GRC
        3. Part III: Going Green
        4. Part IV: Managing the Flow of Information
        5. Part V: The Part of Tens
        6. Glossary
      4. Icons Used in This Book
      5. Where to Go from Here
    5. I. Governance, Risk, and Compliance Demystified
      1. 1. The ABCs of GRC
        1. 1.1. Getting to Know GRC
        2. 1.2. Getting in the Business Drivers' Seat
        3. 1.3. Getting Motivated to Make the Most of GRC
          1. 1.3.1. Complying with financial regulations
          2. 1.3.2. Failing an audit
          3. 1.3.3. Experiencing a rude awakening
          4. 1.3.4. Going from private to public
          5. 1.3.5. Managing growth
          6. 1.3.6. Taking out an insurance policy
          7. 1.3.7. Managing risk
          8. 1.3.8. Reducing costs
          9. 1.3.9. Struggling with the high volume of compliance
        4. 1.4. Introducing the GRC Stakeholders
          1. 1.4.1. GRC stakeholders inside a company
          2. 1.4.2. GRC stakeholders outside a company
        5. 1.5. Understanding GRC by the Letters
          1. 1.5.1. Governance
          2. 1.5.2. Risk
          3. 1.5.3. Compliance
        6. 1.6. C Is for Compliance: Playing by the Rules
          1. 1.6.1. Controls: Mechanisms of compliance
          2. 1.6.2. Domains of compliance
            1. 1.6.2.1. Financial compliance
            2. 1.6.2.2. Trade management compliance
            3. 1.6.2.3. Environment, health, and safety compliance
            4. 1.6.2.4. Risk management compliance
            5. 1.6.2.5. Data privacy and security compliance
            6. 1.6.2.6. Sustainability reporting
        7. 1.7. R Is for Risk: Creating Opportunity
        8. 1.8. G Is for Governance: Keeping Focused and Current
        9. 1.9. Hitting the Audit Trail
        10. 1.10. Designing Your Approach to GRC
          1. 1.10.1. After the rush to clean up
          2. 1.10.2. Stages of GRC adoption
        11. 1.11. What GRC Solutions Provide
      2. 2. Risky Business: Turning Risks into Opportunities
        1. 2.1. Discovering Enterprise Risk Management
        2. 2.2. Defining Risk
        3. 2.3. Ignoring Risk (At Your Peril)
        4. 2.4. Sorting Through the Approaches to Risk Management
          1. 2.4.1. The ad hoc approach
          2. 2.4.2. The fragmented approach
          3. 2.4.3. The risk manager's job approach
          4. 2.4.4. The systematic, enterprise-wide approach
          5. 2.4.5. A cultural approach
        5. 2.5. Identifying the Critical Components of a Successful Risk Management Framework
          1. 2.5.1. A culture that takes risk seriously, from the C-suite down
          2. 2.5.2. A risk management organization: Distributing responsibility throughout the culture
          3. 2.5.3. A systematic framework in place
          4. 2.5.4. Technology that creates a risk picture
        6. 2.6. Taking the Four Steps to Enterprise Risk Management
          1. 2.6.1. Risk planning
          2. 2.6.2. Risk identification and analysis
          3. 2.6.3. Risk response
          4. 2.6.4. Risk monitoring
        7. 2.7. Analyzing What Went Wrong: When Risk Becomes Reality
        8. 2.8. Automating the Risk Management Cycle
        9. 2.9. Taking the SAP Approach: SAP GRC Risk Management
          1. 2.9.1. SAP GRC risk management and key risk indicators
          2. 2.9.2. Monitoring risks and key risk indicators with SAP GRC Risk Management
        10. 2.10. Using SAP GRC Risk Management: A Fictional Case Study
          1. 2.10.1. Where should we produce?
            1. 2.10.1.1. Considering China
            2. 2.10.1.2. Considering Romania
        11. 2.11. Using SAP Risk Management: An SAP Case Study
        12. 2.12. Gleaning the Benefits of SAP GRC Risk Management
      3. 3. Governance: GRC in Action
        1. 3.1. Getting to Know Governance
        2. 3.2. Gleaning the Benefits of Good Governance
        3. 3.3. Drafting Governance Blueprints
        4. 3.4. Creating a Framework for Great Governance
        5. 3.5. Evaluating Your Governance Framework
          1. 3.5.1. From a strategic and operational perspective
          2. 3.5.2. From a legal and regulatory compliance perspective
        6. 3.6. Hurdles to Instituting and Maintaining a Good Framework
          1. 3.6.1. Avoiding GRC silos
          2. 3.6.2. Making GRC strategic
          3. 3.6.3. Justifying the cost of GRC
          4. 3.6.4. Applying GRC too narrowly
          5. 3.6.5. Setting up checks and balances
        7. 3.7. Making the Argument for Automation
        8. 3.8. The SAP Approach: Integrated Holistic IT for GRC
        9. 3.9. Coming to Grips with Governance
    6. II. Diving into GRC
      1. 4. How Sarbanes and Oxley Changed Our Lives
        1. 4.1. Figuring Out Whether SOX Applies to You
        2. 4.2. Discovering Why SOX Became Necessary
        3. 4.3. Who Are Sarbanes and Oxley, Anyway?
        4. 4.4. Breaking Down SOX to the Basics
          1. 4.4.1. Sections 302 and 906: Threatening management with a big stick
          2. 4.4.2. Section 404: Ensuring a healthy immune system
          3. 4.4.3. What does Section 404 mean for business?
        5. 4.5. Information Technology: SOX in a Box
          1. 4.5.1. IT frameworks: Your template for compliance
          2. 4.5.2. COSO's control framework
          3. 4.5.3. The SOX ripple effect
        6. 4.6. Paying Up: What's SOX Going to Cost You?
          1. 4.6.1. SOX Costs Then
          2. 4.6.2. SOX Costs Now
        7. 4.7. Setting the Record Straight
        8. 4.8. Other Laws You Need to Know About
        9. 4.9. We're All In This Together: Convergence
          1. 4.9.1. Japan's J-SOX
          2. 4.9.2. Australia's CLERP-9
          3. 4.9.3. Canada's C-11
          4. 4.9.4. Basel II
        10. 4.10. Sorting Out the Benefits of SOX
      2. 5. Fraud, Negligence, and Entropy: What Can Go Wrong and How to Prevent It
        1. 5.1. Defining Fraud
          1. 5.1.1. Motivations for fraud
          2. 5.1.2. Sowing the seeds of fraud
          3. 5.1.3. Some common examples of fraud
          4. 5.1.4. The Barings Bank scandal: Operations risk extraordinaire
        2. 5.2. Negligence: More Likely Than Fraud
        3. 5.3. Entropy: Errors, Omissions, and Inefficiencies
        4. 5.4. Cleaning Up: The Mop-Up Operation
          1. 5.4.1. Thinking like an auditor
          2. 5.4.2. Making the computer your auditor
      3. 6. Access Control and the Role of Roles
        1. 6.1. Understanding Access Control and Roles
        2. 6.2. Getting a Handle on Access Control
          1. 6.2.1. Users and permissions
          2. 6.2.2. The roles revolution
        3. 6.3. How Access Control Got Messy
          1. 6.3.1. Every user is different
          2. 6.3.2. Virtual things are hard to track
          3. 6.3.3. IT and business don't speak the same language
          4. 6.3.4. Exceptional circumstances dictate exceptional access
          5. 6.3.5. Large scale increases complexity
        4. 6.4. Getting Clean
          1. 6.4.1. Figuring out where you stand
            1. 6.4.1.1. Starting the conversation
            2. 6.4.1.2. Examining the org chart
            3. 6.4.1.3. Defining auditable roles
            4. 6.4.1.4. Mapping the business roles to technical roles
            5. 6.4.1.5. When you can't segregate duties
        5. 6.5. Staying Clean
        6. 6.6. Managing Exceptional Access
        7. 6.7. The SAP Approach: SAP GRC Access Control
        8. 6.8. Where Do You Go from Here?
      4. 7. Taking Steps toward Better Internal Controls
        1. 7.1. Understanding Internal Controls
        2. 7.2. Exploring the Benefits of Better Controls
          1. 7.2.1. Benefit one: Business process improvement
          2. 7.2.2. Benefit two: Management by exception
          3. 7.2.3. Benefit three: Real-time monitoring
          4. 7.2.4. Benefit four: Mindset changes
        3. 7.3. Seeing How Automating Controls Makes Things Easier
        4. 7.4. Taking Five Steps to Better Internal Controls
          1. 7.4.1. Documentation: The mapping exercise
          2. 7.4.2. Testing: Real-time and historical
          3. 7.4.3. Remediation: Fixing the problem
          4. 7.4.4. Analysis: Reports for management
          5. 7.4.5. Optimization: Barring risk
        5. 7.5. Getting to Know the SAP Approach: SAP GRC Process Control
          1. 7.5.1. Single system of record
          2. 7.5.2. Continuous monitoring
          3. 7.5.3. Out-of-the-box monitoring
          4. 7.5.4. End-to-end internal controls
      5. 8. It's a Small World: Effectively Managing Global Trade
        1. 8.1. Understanding Four Reasons Why Global Trade Is So Complex
          1. 8.1.1. Long supply chains
          2. 8.1.2. New regulations and security initiatives
          3. 8.1.3. Modernization of government IT systems
          4. 8.1.4. Increasing complexity of regulations
        2. 8.2. Figuring Out the Complexities of Importing
          1. 8.2.1. Classifying an item: What is it?
          2. 8.2.2. Making way for the goods: Pre-clearance
          3. 8.2.3. Making it through: Clearing Customs
          4. 8.2.4. Reconciling value: The step most often missed
          5. 8.2.5. Getting the lead out: Brand protection
        3. 8.3. Making Sure You're Complying with All 19,391 Exporting Restrictions
          1. 8.3.1. Knowing who you're dealing with
          2. 8.3.2. Obtaining the right export licenses
          3. 8.3.3. Knowing how the product will be used
        4. 8.4. Taking Advantage of the System: Trade Preference Management
        5. 8.5. Discovering the Different Ways to Manage Global Trade
        6. 8.6. Using the SAP Approach: SAP GRC Global Trade Services
    7. III. Going Green
      1. 9. Making Your Company Environmentally Friendly
        1. 9.1. Discovering the Three Ps of Going Green: People, Processes, and Products
        2. 9.2. Going Green: It's Not Just for Tree-Huggers Anymore
        3. 9.3. Understanding Why Your Company Should Go Green
        4. 9.4. Going Green Is Good Business
          1. 9.4.1. Enhance your image
            1. 9.4.1.1. Hewlett Packard
            2. 9.4.1.2. Wal-Mart
            3. 9.4.1.3. Sun Microsystems
            4. 9.4.1.4. Timberland
            5. 9.4.1.5. DHL
            6. 9.4.1.6. IBM
          2. 9.4.2. Build trust with regulatory authorities
          3. 9.4.3. Influence future events
        5. 9.5. Implementing Green Practices
          1. 9.5.1. Trees matter
          2. 9.5.2. Let there be (green) light!
          3. 9.5.3. Water: To bottle or not to bottle?
          4. 9.5.4. Reduce your risk
        6. 9.6. Going Green Is also the Law
          1. 9.6.1. Compliance
          2. 9.6.2. Risks of noncompliance: Fines and public relations nightmares
        7. 9.7. A Final Word About Going Green
      2. 10. Keeping Employees Healthy and Safe
        1. 10.1. Keeping Your Employees Safe and Healthy: The Big Picture
          1. 10.1.1. Enabling and maintaining good health
          2. 10.1.2. Avoiding accidents
          3. 10.1.3. Healthy benefits equal employee recruitment retention
        2. 10.2. Moving Down the Road to Zero Accidents
          1. 10.2.1. Organizing and managing a comprehensive health and safety program
          2. 10.2.2. Assessing risks
          3. 10.2.3. Standardizing your procedures
          4. 10.2.4. Managing accidents
          5. 10.2.5. Inspecting your sites and creating new safety measures
          6. 10.2.6. Educating your employees
        3. 10.3. Making the Case for Automation and Integration
        4. 10.4. Taking the SAP Approach to Employee Health and Safety
          1. 10.4.1. The Occupational Health module
          2. 10.4.2. The Industrial Hygiene and Safety module
            1. 10.4.2.1. Risk assessment
            2. 10.4.2.2. Standard operating procedures
            3. 10.4.2.3. Accident management
            4. 10.4.2.4. Site inspections
            5. 10.4.2.5. Safety briefing and worker qualification
      3. 11. Making Your Business Processes Environmentally Friendly
        1. 11.1. Discovering Ways in which All Companies Can Go Green
        2. 11.2. Reducing Your Energy Use and Costs
        3. 11.3. Building, Renovating, and Cleaning with Sustainable Resources and Materials
          1. 11.3.1. Begin at the beginning with green design
          2. 11.3.2. Pick the right spot
          3. 11.3.3. Crunch your numbers
          4. 11.3.4. Make friends with your site plan
          5. 11.3.5. Reduce unnecessary strains on your HVAC
          6. 11.3.6. Exploit the advantages of technology
          7. 11.3.7. Command the water
          8. 11.3.8. Use green and recycled building materials
          9. 11.3.9. Build smart, build green
          10. 11.3.10. Renovate green
          11. 11.3.11. Clean green
          12. 11.3.12. Recycle
          13. 11.3.13. Reducing travel
        4. 11.4. Getting LEED Certified
        5. 11.5. Assessing Your Environmental Risks
        6. 11.6. Greening Manufacturing
          1. 11.6.1. Green legislation
          2. 11.6.2. EPA Clean Air Act
          3. 11.6.3. EPA Clean Water Act
          4. 11.6.4. Waste Electrical and Electronic Equipment (WEEE)
        7. 11.7. Adopting Green Practices for Manufacturing
          1. 11.7.1. Establish an energy management program
          2. 11.7.2. Reduce emissions
          3. 11.7.3. Reduce waste
          4. 11.7.4. Deal with hazardous substances
          5. 11.7.5. Optimize occupational health
          6. 11.7.6. Promote industrial hygiene and safety
          7. 11.7.7. Ensure product safety
        8. 11.8. Taking the SAP Approach to Making Your Processes Environmentally Friendly
          1. 11.8.1. SAP Environmental Compliance
            1. 11.8.1.1. Building emissions models and analyzing emissions
            2. 11.8.1.2. Managing compliance
            3. 11.8.1.3. Creating reports and documentation
            4. 11.8.1.4. Controlling trading and collaboration
          2. 11.8.2. SAP Waste Management: A core component of SAP Environment, Health, and Safety
      4. 12. Making Your Products Environmentally Friendly
        1. 12.1. Discovering What It Takes to Make Products Environmentally Friendly
        2. 12.2. Figuring Out What Your Materials Are and What They Do
          1. 12.2.1. Defining hazardous materials
          2. 12.2.2. Defining dangerous goods
        3. 12.3. Realizing the Benefits of Compliance
          1. 12.3.1. The benefits of complying
          2. 12.3.2. The risks of failing to comply
        4. 12.4. Using Hazardous Materials Responsibly
          1. 12.4.1. Customer compliance management
          2. 12.4.2. Supplier compliance management
          3. 12.4.3. Compliance reporting
          4. 12.4.4. Comprehensive task management
        5. 12.5. Working with Hazardous Materials
          1. 12.5.1. Packing
          2. 12.5.2. Materials communications
          3. 12.5.3. Transporting materials
        6. 12.6. Keeping Up with Materials Legislation
          1. 12.6.1. Toxic Substances Control Act (TSCA)
          2. 12.6.2. Registration, Evaluation, Authorization of Chemicals (REACH)
            1. 12.6.2.1. What REACH says
            2. 12.6.2.2. Who REACH affects
          3. 12.6.3. Reduction of Hazardous Substances (RoHS)
        7. 12.7. Exploring the SAP Approach to Product Compliance
          1. 12.7.1. Compliance for Products by TechniData (CfP)
          2. 12.7.2. SAP EH&S
            1. 12.7.2.1. Substance volume tracking
            2. 12.7.2.2. Document management and shipping
            3. 12.7.2.3. Bill of materials transfer
            4. 12.7.2.4. Specification information system
            5. 12.7.2.5. Phrase management
    8. IV. Managing the Flow of Information
      1. 13. Sustainability and Corporate Social Responsibility
        1. 13.1. Discovering the Great Power and Responsibility of Big Companies
        2. 13.2. Getting the Lowdown on Sustainability
        3. 13.3. Discovering Why Sustainability Is Good Business
          1. 13.3.1. Managers recognize sustainability as a top priority
          2. 13.3.2. Stakeholders exert pressure
          3. 13.3.3. Sustainable businesses have better access to capital
          4. 13.3.4. Government regulations increasingly require it
          5. 13.3.5. Sustainability helps you manage risk
          6. 13.3.6. CSR protects your brand image
          7. 13.3.7. It helps you attract and keep the best employees
          8. 13.3.8. CSR is ethical
          9. 13.3.9. It helps business planning and innovation
          10. 13.3.10. CSR increases profits
        4. 13.4. Discovering the Possible Downside of CSR
        5. 13.5. Managing Sustainability Performance
          1. 13.5.1. The current reporting process is a mess
          2. 13.5.2. New tactics are required
        6. 13.6. Discovering Why an Automated Solution Is Needed
          1. 13.6.1. Sustainability reporting is a recurring problem
          2. 13.6.2. Huge amounts of data are involved
          3. 13.6.3. Integration is a plus
          4. 13.6.4. Automation creates supply chain transparency
          5. 13.6.5. Automation means auditability
          6. 13.6.6. Automation yields analytics and benchmarks
          7. 13.6.7. An IT solution speeds distribution of data
      2. 14. IT GRC
        1. 14.1. Getting a Handle on What IT GRC Is
        2. 14.2. Understanding IT Governance in Terms of Risk and Compliance
          1. 14.2.1. In terms of risk
          2. 14.2.2. In terms of compliance
            1. 14.2.2.1. COBIT
            2. 14.2.2.2. COSO
          3. 14.2.3. Keeping up with the pace of change
        3. 14.3. Securing Your Software Applications
          1. 14.3.1. Taking basic application security measures
          2. 14.3.2. Consolidating security solutions
          3. 14.3.3. Making friends with the IT department
        4. 14.4. Keeping the Kimono Closed: Data Privacy
        5. 14.5. Protecting Key Corporate Assets: Intellectual Property
          1. 14.5.1. Cinching up the kimono
          2. 14.5.2. Leveraging the network
          3. 14.5.3. Other ways data can walk away
          4. 14.5.4. Protecting IT assets
          5. 14.5.5. Communication
      3. 15. Turning On the Lights with GRC and CPM
        1. 15.1. Turning On the Lights with CPM
        2. 15.2. Making the Case for CPM and GRC Integration
          1. 15.2.1. Understanding obstacles to integration
          2. 15.2.2. Instrumenting the enterprise
          3. 15.2.3. Collecting the payoff from CPM and GRC integration
          4. 15.2.4. Supplier concentration
          5. 15.2.5. Loan processing
        3. 15.3. Seeing CPM and GRC Integration in Practice
          1. 15.3.1. The intersection of actuals
          2. 15.3.2. Strategy, risk, and planning
          3. 15.3.3. Governance and strategy
        4. 15.4. Discovering the Reusable Technology of GRC
          1. 15.4.1. Repository
          2. 15.4.2. Document management
          3. 15.4.3. Case management
          4. 15.4.4. Workflow
          5. 15.4.5. Process modeling
          6. 15.4.6. Policy engine
          7. 15.4.7. Rule engine
          8. 15.4.8. Controls
          9. 15.4.9. Reporting
          10. 15.4.10. Standardized interfaces to components
          11. 15.4.11. Composite apps on the platform
    9. V. The Part of Tens
      1. 16. Top Ten GRC Strategies
        1. 16.1. Evaluate Which of the Most Prevalent GRC Issues Apply to You
        2. 16.2. Adopt Best Practices
        3. 16.3. Implement Key GRC Strategies
        4. 16.4. Set Yourself Up for Success
        5. 16.5. Watch Out for Danger Signs
        6. 16.6. Define GRC Roles and Responsibilities
        7. 16.7. Shake Down the People Who Know
        8. 16.8. Move to Strategic Adoption of Automated Controls
        9. 16.9. Adopt Strategies for Cleaning Up Access Control
        10. 16.10. Getting Your GRC Project Going and Keeping It Going
      2. 17. Ten Best Practices in Global Trade
        1. 17.1. Automate or Else
        2. 17.2. Don't Go to Pieces
        3. 17.3. Make Sure You Can Trust Your Partners
        4. 17.4. Avoid Importing Delays
        5. 17.5. Get On Board with the Government's High-Tech Documenting Processes
        6. 17.6. Know Who Is Allowed at the Party
        7. 17.7. Know Who You're Shipping to
        8. 17.8. Get the Right Licenses
        9. 17.9. Take the Free Money
        10. 17.10. Leave a Paper Trail
      3. 18. Ten Groups of GRC Thought Leadership Resources
        1. 18.1. GRC Resources
          1. 18.1.1. Web sites
          2. 18.1.2. Blogs
          3. 18.1.3. Online journals
        2. 18.2. Risk Resources
          1. 18.2.1. Web sites
          2. 18.2.2. Blogs
          3. 18.2.3. Books
        3. 18.3. SOX Resources
          1. 18.3.1. Web sites and forums
          2. 18.3.2. Books
        4. 18.4. Financial Compliance Resources
          1. 18.4.1. J-SOX
          2. 18.4.2. Basel II
          3. 18.4.3. Foreign Corrupt Practices Act
        5. 18.5. Access Control and Process Control Resources
          1. 18.5.1. Web sites
          2. 18.5.2. Articles
          3. 18.5.3. Wikis
        6. 18.6. IT GRC Resources
          1. 18.6.1. Blogs
        7. 18.7. Global Trade Resources
          1. 18.7.1. Web sites
          2. 18.7.2. Blogs
        8. 18.8. Employee Health and Safety Resources
          1. 18.8.1. Web sites and online journals
          2. 18.8.2. Blogs
          3. 18.8.3. Articles
        9. 18.9. Going Green Resources
          1. 18.9.1. Web sites
          2. 18.9.2. Wikis
          3. 18.9.3. Articles
          4. 18.9.4. Blogs
          5. 18.9.5. Books
        10. 18.10. Sustainability Resources
          1. 18.10.1. Web sites
          2. 18.10.2. Articles
          3. 18.10.3. Blogs and books
    10. Glossary