Apart from the introduction of our new US team the most exciting announcement at SAP GRC 2013 in Las Vegas this year was the launch of the new Fraud Management module!
Fraud Management is an exciting new addition to the SAP GRC family and adds a number of capabilities to the existing SAP GRC solution set. In this blog we explore some of these features and also discuss some of the possibilities that SAP GRC Fraud Management might open up for the future.
A HANA Backbone
The first thing to note about Fraud Management is that it is based on SAP HANA technology. We have been asked several times by customers about whether Fraud Management is available without HANA. The answer, unfortunately is no. HANA is a pre-requisite. That is not necessarily bad news though as the next release of SAP GRC, 10.1 - scheduled to enter ramp-up in June, will also be (optionally) available on HANA.
With HANA as the back end engine Fraud Management is able to offer some of the real-time transaction monitoring capabilities that were either difficult or in some cases impossible with SAP GRC Process Controls. The Fraud Management analytical engine also enables more effective management of alerts, suspected fraud cases, etc.
How it Works
Fraud Management is essentially an application or use-case of SAP HANA. Data relevant for Fraud analysis (from an SAP or non-SAP source) is extracted into the HANA database. This data is then interrogated using pre-defined fraud patterns and detection rules. The output is used to monitor and report on the likelihood of fraudulent activity through KPIs and KRIs and to trigger responses and/or alerts where appropriate.
Alerts can take the form of an RFC call to the back end ECC system, for example triggering a workflow or calling a BAPI to block a suspicious business transaction in real-time.
An example might be the analysis of vendor payment transactions within a certain tolerance % of purchasing approval limits. E.g. if multiple payments of £19,950 were found to the same vendor authorised by an approver with an approval limit of £20,000 these payments might be blocked pending further investigation.
What Does the Future Hold?
Fraud Management can already be combined with SAP Predictive Analytics to perform more advanced pattern analysis of fraud relevant data and to explore more complex modeling scenarios. In addition to further enhancements of these capabilities we would hope to see standard BAPIs available to enable pre-configured responses to fraud incidents. Another key functionality gap that we would expect to be available in the next release is configuration wizards for the fraud detection rules, currently these are defined manually using SQL queries.
From a customer perspective I think that applications of Fraud Management could extend well beyond fraud analysis, leveraging the capabilities of the tool for continuous transaction monitoring scenarios. For example the capabilities of the tool might be used to optimise working capital by highlighting and postponing vendor payments that were made prior to payment terms.
Our initial assessment of the Fraud Management module is that the key to getting benefit from it is a strong understanding of the indicators of fraud in your environment. This will be a combination of three things:
- An understanding of the key risk factors specific to your organisation
- A knowledge of any past incidents or fraud exposures.
- Content from your implementation partner.
To this aim we have been working with a well-known forensic accounting specialist, to develop content for our Fraud Management offering. We’ve also been exploring the technology in our own demo environment and are evaluating Fraud Management with several customers.
Real-time transaction analysis is a very welcome addition to the functionality available from SAP GRC solutions and significantly enhances the possibilities for continuous transaction monitoring as well as the obvious fraud management applications. Personally I am looking forwards to the prospect of exploring these possibilities further with our customers.