It is imperative that organisations are aware of the risks associated with their business. This is not purely for the purpose of mitigation, as there is always a fine balance to be struck between risk and opportunity, but you need to know what the risks are before you can determine the correct action.
It is equally important that risk management is not perceived as a static, one-off exercise, because risks are by their very nature fluid. Without the necessary mechanisms in place, organisations are unable to continually identify, document, assess and monitor the required data and so cannot effectively manage an ever-changing risk landscape.
Managing these risks, whether they are strategic in nature or business process-oriented, requires the ability to implement and associate appropriate risk responses (i.e. control activities) and to monitor key risk indicators (KRIs; i.e. the design and operating effectiveness of the related controls), enabling an organisation to react to its internal control environment accordingly. This in turn requires the ability to evaluate controls via testing, assessments or continuous monitoring, and to feed the results back into the KRIs, which helps determine whether additional risk responses are required.
Access-related risks (for example, segregation-of-duties conflicts and excessive privileges) are also a significant part of the risk landscape, and should therefore be fed into this cyclical process in the same way. In addition, policies are an important type of risk response, yet even though many organisations have policies in place, they are unable to relate them to the underlying risks and therefore cannot take them into account when assessing those risks.
Most of the challenges organisations encounter when managing risks across the enterprise relate to a lack of transparency regarding key information, such as the current status of internal controls. Such problems also stem from the required information residing in several different locations, held in disparate systems that are unable to talk to each other.
SAP GRC 10.1 provides the integration capabilities needed to overcome these traditional challenges, with Risk Management, Process Control and Access Control aligned with one another and supporting an end-to-end approach to Governance, Risk and Compliance across the entire enterprise.