Controls should be put in place with an objective to mitigate a specific risk, or set of risks. Therefore, risk is a key component to any control framework and, as such, is also key to Process Control. In this blog entry I explore the integration between the Process Controls and Risk Management components of the SAP GRC toolset and how neither one makes much sense without the other.
I appreciate that the title of this blog may cause some confusion among those of you in the GRC community due to its slightly contradictory nature. After all, Process Control is all about controls, whereas Risk Management deals with risks, right? Not entirely. It’s correct to say that GRC Process Control is a tool used by organisations for managing controls at the business process level, to ensure compliance with specific regulations. However, you should never implement controls just for the sake of it, as this will result in an over-controlled environment often leading to operational inefficiencies, as well as unnecessary resource demands and, ultimately, costs.
Although Risk Management is perceived as the GRC tool for all things risk-based, it focuses on risks sitting at a higher level in an organisation than those defined in Process Control. It looks at an organisation’s corporate objectives, defines the risks which threaten their achievement, and monitors those risk levels going forward to ensure that any threats can be dealt with in a timely manner. Process Control captures the lower-level risks residing within business processes, which map back to these top-level risks.
For example, a corporate objective might be to improve revenue recognition. The associated corporate-level risk would be “Revenue recognition is not complete and accurate” and should be recorded and monitored in Risk Management. This could be translated into several risks at the business process level such as “Sales invoices are not recorded” and should be recorded and mitigated in Process Control.
For this reason, there is a valid argument for any company utilising SAP GRC, particularly version 10.0, which offers much better integration between the individual applications, to start their deployment with Risk Management in order to drive a truly risk-based approach to their internal controls. For more information on this particular topic please refer to the blog ‘Taking a Top Down Approach to your SAP GRC Deployment’ by my colleague Richard Hunt.
Therefore, risk is an extremely important element within Process Control. Developing a control framework without risks is the equivalent of building a house without any plans. Risks provide focus, direction and guidance: the foundation of an Enterprise GRC solution. It’s all about risk.
In the final part of this two-part blog series I will look at the different ways in which you can manage risks within Process Control.