Spotlight – Industry Packages and ESG for SAP Risk & Assurance Management (RAM)
Contains extracts from an article published by Neil Patrick on the SAP GRC Tuesday community page.
Dr Neil Patrick is the SAP Solution owner of SAP Risk and Assurance Management (RAM) as well as 3 Lines of Defense Solutions (SAP Process Control, Risk Management, Audit Management and Business Integrity Screening).
Andrew Sawyer is Winterhawk's Global Director of Operations and Development and a regular speaker at SAP events. He leads and drives our architectural vision, helping to identify and implement new technologies and processes to drive innovation across Winterhawk.
Andrew Sawyer – SAP RAM provides the ability to execute Risk Assessments linked to Control performance, with some really powerful control automation capabilities, and with native integration with SAP Signavio Process Manager. I feel it offers a truly unique and value-added solution for any organization running SAP, especially in the mid-market.
The challenge we noted our clients facing was the time it took to gain value from the many SAP Risk solutions (such as Process Control and RAM). So around 18 months ago, we began a journey of building Industry Content Packages for RAM – alongside one for Environment, Social Governance (ESG) as more and more customers were asking us for ESG support.
We also wanted to go a step further and find a way to eliminate deployment costs. We recognized that the cost of implementing SAP solutions, unless you are a very large enterprise, can put these vitally important solutions out of reach for many.
In an era where protecting your data and assets becomes more and more critical, our mission became:
- Create Value added Industry Vertical Content that would provide Day 1 value
- Offer Free Deployments – removing capital expenditure and budgetary challenges
- Provide an ongoing Support Service – removing the need for the customer to become an expert in that solution.
So, let’s talk about Financial Compliance Management RAM, over to you Neil.
Dr Neil Patrick (SAP) – The first thing to say is that SAP Financial Compliance Management has been renamed to SAP Risk and Assurance Management (RAM)! New Year, New Name!
RAM is now a strong generic internal controls solution. I have to say it has grown leaps and bounds since it was first released to customers almost 3 years ago. I bring this up because:
- With the rise in importance of the office of the CFO to business performance but also business advice and stakeholder management, finance is a very important topic for any business. It spans operations, planning and forecasting. It covers core finance but also for example IT and digital transformation.
What RAM can do already
One of the interesting but subtle points to note is that RAM covers both first line and/or second line controls in the same solution. And I know as I typed the word control, I am using it a bit loosely to also include what some people might call an exception report, rather than a control.
How can RAM be used today?
- Run one of its baseline content automated procedures as a first line business check. For example, checking if journal entries have been posted in a previously closed fiscal period: this could impact how quickly month end / quarter end / annual accounts can be closed. Or looking for blocked suppliers with open items: this could reduce production and/or revenue, or negatively impact supplier relationship.
- Run one of S/4HANA’s control exception reports automatically and put it under a ‘governance process’ (assign an owner, raise issues if anything untoward is found, document remediation if required, make all this transparent for audit). This could be an exception report, or a control, or both!
- Dive into the topic of tax compliance to help companies achieve accuracy by automating tax compliance checks.
- On top of this also perform second line activities for example test of effectiveness and test of design over the above examples.
- Perform a survey / questionnaire / mixed format assessment.
- Integrate automatically with Signavio Process Manager.
What’s new in the pipeline?
We have some exciting content updates, to further reinforce the additional breadth of RAM:
- There are 8x latent IT controls SAP produced, which are deployed in S/4HANA, that RAM can make use of. They focus on S/4HANA user management (e.g. detect users that never logged in, detect expired and locked users that should be deleted). We will formally roll them into FCM baseline content as part of the S/4HANA 2408 release, but they can already be used.
- Next month as part of our S/4HANA 2402 release we will add to our baseline content with ESG, human rights due diligence and Fraud use cases, to show what is possible. We also plan to release a GDPR certification content pack.
- Key to the RAM strategy is the ready to use content for S/4HANA. And our partners see this too. Across our energetic and innovative partner ecosystem is content covering ESG as a more comprehensive stand-alone topic plus industry-specific content packs covering 23x industry verticals from Winterhawk.
In terms of functional enhancements
- We will be adding an Asset object to RAM in the first half of 2024, thus extending the IT control (and risk) management capabilities. But of course, this is a generic object that I expect can also be used for ESG-relevant assets, finance assets, data assets, and other physical assets (water and energy utilities, oil and gas, transportation etc.)
- We will build an integration to SAP Document and Reporting Compliance during 2024.
- We will build an integration to SAP Sustainability Control Tower during 2024.
- We will add AI use cases.
Move up the Performance, Control, and Risk Maturity Curve
There are obviously financial and roll out benefits of being able to cover more LOB use cases in a single solution.
But I also want to highlight what this can enable for the ‘digital first’ customers – those who are transitioning to a posture where internal information, processes, and customer experience are digitized and virtualized.
To drive performance (financial, operational, non-financial, legal etc.) with processes, risks and controls, if well managed this will enable the business to catch and prevent any downstream impact to the organization or an end customer. Which is a true value add.
RAM can help the first line owning and managing risk via understanding and analyzing the processes of the business and ensuring adequate internal controls over [insert an LOB here] reporting. Supporting first line activities also helps the business grow and by nature is more forward-looking.
This is in addition to value protect activities such as compliance.
- Can already technically cover finance, tax, IT, ESG, HRDD, Fraud and Data Privacy
- Partner Built Industry Content Packages
- Can cover control and risk in the same solution, and automate controls
- Provides transparency into the business
- Helps the business improve performance, and provides real value add
- That’s what I would consider a good return on investment.
Take a closer look at Winterhawk's Packages for SAP RAM.
Wider – Winterhawk now offers Free deployments for 19 different SAP solutions.