Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
Bedrock Managed Service
Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Partners
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Careers
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Blogs
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
2 November 2012

GRC Process Control - It's All About Risk (Part 1)

Controls should be put in place with an objective to mitigate a specific risk, or set of risks. Therefore, risk is a key component to any control framework and, as such, is also key to Process Control. In this blog entry I explore the integration between the Process Controls and Risk Management components of the SAP GRC toolset and how neither one makes much sense without the other.

I appreciate that the title of this blog may cause some confusion among those of you in the GRC community due to its slightly contradictory nature. After all, Process Control is all about controls, whereas Risk Management deals with risks, right? Not entirely. It’s correct to say that GRC Process Control is a tool used by organisations for managing controls at the business process level, to ensure compliance with specific regulations. However, you should never implement controls just for the sake of it, as this will result in an over-controlled environment often leading to operational inefficiencies, as well as unnecessary resource demands and, ultimately, costs.

Controls should be put in place with an objective to mitigate a specific risk, or set of risks. Therefore, risk is a key component to any control framework and, as such, is also key to Process Control. Although Risk Management is perceived as the GRC tool for all things risk-based, it focuses on risks sitting at a higher level in an organisation than those defined in Process Control. It looks at corporate organisations objectives, defines those risks which threaten their achievement, and monitors those risk levels going forward to ensure that any threats can be dealt with in a timely manner. Process Control captures the lower level risks, residing within business processes, which map back to these top-level risks.

For example, a corporate objective might be to improve revenue recognition. The associated corporate-level risk would be “Revenue recognition is not complete and accurate” and should be recorded and monitored in Risk Management. This could be translated into several risks at the business process level such as “Sales invoices are not recorded” and should be recorded and mitigated in Process Control.

For this reason, there’s a valid argument for any company utilising SAP GRC, particularly version 10.0 as there is now much better integration between the individual applications, to start their deployment with Risk Management in order to drive a truly risk-based approach to their internal controls. For more information on this particular topic please refer to the blog ‘Taking a Top Down Approach to your SAP GRC Deployment’ by my colleague Richard Hunt.

Therefore, risk is an extremely important element within Process Control. Developing a control framework without them is the equivalent of building a house without any plans. Risks provide focus, direction and guidance, the foundation of an Enterprise GRC solution. It’s all about risk.

In the final part of this 2-part blog series I will look at the different ways in which you can manage risks within Process Control.