Latest News

Update from GRC2014 Conference 

Last week’s GRC 2014 conference in Orlando was another good opportunity to catch-up with experts around the world and to share knowledge with a community of like-minded people.

Over 85 sessions took place during the 3 days and around 65 exhibitors joined well over 1,000 delegates. The conference highlights were:

Top 3 most talked about GRC subjects 

1. Dashboards: There’s no doubt we’re in the era of the user experience. Dashboards were a really hot topic at this years’ show. It’s clear that more GRC practitioners are looking for ways to get both their business leaders and users more engaged in risk management and control.

2. Faster implementations: We heard from many companies that they’d love to implement GRC but it’s just not getting priority – it’s seen by others as taking too long or costing too much, or not exciting enough in terms on value delivered (though we met several who remarked how quickly a risk incident revises that view!). We talked lots about how RouteONE is proven to address this and make GRC faster and cheaper to deploy 

3. The differences between SAP GRC Access Control 10 to 10.1: The user interface in Access Control 10.1 offers more personalisation and there’s a new side panel which provides more information when you need it, along with a request screen enabling more self-service. The new 10.1 remediation view provides more insight and historic transactional data. Now available on a HANA database, 10.1 empowers users with lightning fast analytical data for better decision-making. Finally it’s important to note that the underlying system has not been changed too much, so a technical upgrade will not be too onerous.

General thoughts on the show:

It’s clear to see that it is very important to GRC practitioners to understand what others are doing and to learn what others have done well, and not so well. The case study presentations were easily the ‘standing room only’ sessions.

The event was also more GRC and Finance focused and HR, BI and CRM were not part of the conference as before. Whilst this reduced the number of attendees, nearly all those who were present were interested in GRC. As far as we’re concerned the US event is a great warm-up for it’s European sister event, taking place towards the end of May.

SAP Fraud Management – The Latest Addition to the SAP GRC Family 

Fraud Management is an exciting new addition to the SAP GRC family and adds a number of capabilities to the existing SAP GRC solution set. In this blog we explore some of these features and also discuss some of the possibilities that SAP GRC Fraud Management might open up for the future.

A HANA Backbone

The first thing to note about Fraud Management is that it is based on SAP HANA technology. We have been asked several times by customers about whether Fraud Management is available without HANA. The answer, unfortunately is no. HANA is a pre-requisite. That is not necessarily bad news though as the next release of SAP GRC, 10.1 - scheduled to enter ramp-up in June, will also be (optionally) available on HANA.

With HANA as the backend engine Fraud Management is able to offer some of the real-time transaction monitoring capabilities that were either difficult or in some cases impossible with SAP GRC Process Controls. The Fraud Management analytical engine also enables more effective management of alerts, suspected fraud cases, etc.

How it Works

Fraud Management is essentially an application or use-case of SAP HANA. Data relevant for Fraud analysis (from an SAP or non-SAP source) is extracted into the HANA database. This data is then interrogated using pre-defined fraud patterns and detection rules. The output is used to monitor and report on the likelihood of fraudulent activity through KPIs and KRIs and to trigger responses and/or alerts where appropriate.

Alerts can take the form of an RFC call to the backend ECC system, for example triggering a workflow or calling a BAPI to block a suspicious business transaction in real-time.

An example might be the analysis of vendor payment transactions within a certain tolerance % of purchasing approval limits. E.g. if multiple payments of £19,950 were found to the same vendor authorised by an approver with an approval limit of £20,000 these payments might be blocked pending further investigation.

What Does the Future Hold?

Fraud Management can already be combined with SAP Predictive Analytics to perform more advanced pattern analysis of fraud relevant data and to explore more complex modelling scenarios. In addition to further enhancements of these capabilities we would hope to see standard BAPIs available to enable pre-configured responses to fraud incidents. Another key functionality gap that we would expect to be available in the next release is configuration wizards for the fraud detection rules, currently these are defined manually using SQL queries.

From a customer perspective I think that applications of Fraud Management could extend well beyond fraud analysis, leveraging the capabilities of the tool for continuous transaction monitoring scenarios. For example the capabilities of the tool might be used to optimise working capital by highlighting and postponing vendor payments that were made prior to payment terms.

Conclusion

Our initial assessment of the Fraud Management module is that the key to getting benefit from it is a strong understanding of the indicators of fraud in your environment. This will be a combination of three things:

• An understanding of the key risk factors specific to your organisation
• A knowledge of any past incidents or fraud exposures.
• Content from your implementation partner.