Event Recording

Interview with Hernan Huwyler

Welcome to this talk. And I tried very much your keynote, you just have been giving. So I think there were many very interesting points in that keynote. And one slide I really like in particular was the one where you said, okay, there are some form nature areas to look at, which were the sub-business integrity screening, the business partners screening, the risk management and the tax compliance. And when looking at this, I'd like to put a little bit of focus on this business partner risk management, because what we really see these days is that this is getting a bigger and bigger topic in all areas when it comes to concrete security, risks of cyber supply chain, risk management, when it comes to other types of supplier risks. And so maybe you can elaborate a little bit more on your thoughts about, and your experience and how GRC really can help in mitigating these risks.
First, thank you, Martin, for the invitation to be here. It's a pleasure to share these ideas and experience working with SAP and having this forum. Well, we are having a lot of challenges in the way that we are managing certain parties right now. Particularly, we need to be very focused on monitoring the solvency and also being able to assess the capabilities of the partners to deliver on the control that we are enforcing in our own policies and also in the contracts. At the end of the day, SAP GRC can help us in order to ensure that these controls are properly certified in terms of the attestation, whether we can send the surveys to the third parties in order to get some level of assurance on their control that they are performing. And also in the way that we are monitoring our internal controls on, for instance, accesses to subcontractors, accesses for other applications into the SAP platform.
So basically we are getting a lot of attention here in the way that we can monitor these internal and third-party controls in SAP, and SAP GRC is the right way to centralize all this information related to which are the standards, which are the risks, which are the levels of assurance that we define to have, and also manage the documentation. We are seeing that in the way that we are izing activities, we need to be very, very, very efficient in the way that we are getting certificates from our parties and how we challenge those certificates. SAP is the right tool to have this holistic management.
So talking about efficiency from your experience, what do you get, so to speak, out of the box when it comes to the supplier risk or third party risk management, what is what you need to add, where you need to bring in your own perspectives? Because I think we know a lot of that is at the end pretty much standard, because there are certain types of certifications. When I look at it from a security angle, whatever ISO 27000, there are various other types of certifications and control frameworks you expect your suppliers to have in place. But so to which extent can you, from an efficiency perspective, working standard and where you really need to put a lot of work into to deliver this risk approach?
There is a full universe of different certificates and standards that we can get, even with the ISO or the SOC 2 umbrellas. We may have a different universe of controls. I like your ideas about using the ISO ISO for MES the baseline for having this 114 ISO controls and information security that everybody understands. However, when we are going to specific requirements, particularly for cloud computing, that now is also so important, this strategy to go to the cloud, those standards are very generic. So having other frameworks that can support the ISO is becoming more critical. For instance, we have a nice framework with controls from the cloud Alliance and they can provide a right standard for those controls to have visibility.
Maybe the best way to be efficient here is being sure that the contractual clauses are standardized. They're required to have the third parties to comply with our internal policies and procedures. And it's aligned to a common vocabulary based on ISO. Then we can discuss which is the right standard for the certificates, but however, we need to have like an efficient centralized way. Yeah. That is keeping everybody on the same page.
Yes. And I think that is where we're ISO standards. I think it's the same when you look at quality control with ISO 9000 and our, that definitely helps because it's a good baseline. And clearly also, when we look at, for instance, cloud, then when we talk about providers, then we are talking about SOC 2, SOC 3, stuff like that. Then we are looking at even more concrete standards. And clearly we also have, depending on which industry you're in, the industry specific regulations and stuff like that. But what you're saying is at the end, you can sort of map all these standards and also your contractual clauses behind. You can map this to the GRC tool.
Absolutely. So that is why we need to have this hierarchy of the controls, for instance, physical security controls, operational controls, and then data security controls. And then in the data security controls, you can have other types of controls that are applicable to a type of asset, like a cloud service, a contract, which may not be relevant for other controls. That is the beauty of having this hierarchy of the controls in SAP GRC, that we can manage the different standards quite nicely.
Yeah. So going back 12 months, roughly you new organization, as most other organizations, probably observed a new threat, which is different work style, different work environment. So people needing to work from home, which means more or less from one day to the other, you need to implement controls for you and probably also suppliers because the environment is changing. So how do you deal with the fraud, the risk and the changes in such a situation? I think you've definitely gone through it, and what would be also what you'd like to share with the audience?
It's very important that we are monitoring the security of endpoints right now for the employees. And also that we are reinforcing our capabilities to get red flags for fraud. We are expecting everywhere to have an increase in that fraud because we are coming from a period in which operational activities were highly distracted. And we have a lot of issues coming from not being able to physically receive goods or to certify services. Our plans, our budgets were completely wrong. So we are missing this high level control saying, okay, the management reviews and the budgets. Now there are discrepancies everywhere. So one of my recommendations here for SAP GRC is to look for the right business intelligence queries, understand in terms of the SAP tables which will be for your organization the early warnings of the discrepancy, of a fraud. We have also a lot of issues with the accesses. Many rules, many segregation of duties were broken because of these changes. Restructurings of organizations are also affecting the right balance between the segregation of duties. And in that direction, you need to understand in your tables, in your recipe for your operations, what is making sense and what is not making sense, not only focus on the values, also on the time of the transactions. Yeah. Which is a normal delay for the transaction to have? How many days are you expecting between the purchase order and the delivery slip?
Which could have been, by the way, an interesting issue during the pandemic, because we learned, so the first two or three months, a lot of organizations looked a little, or appeared a little, paralyzed in that process, took way longer than they usually take, which was interesting. But I think one of the learnings also, you had the four areas on this slide, number seven in your deck, that one of the interesting learnings from my perspective was from pandemic is that it is, I think it's not really new, but rarely implemented. It's so important to have a comprehensive risk perspective because, you know, looking just at sort of the standard classical financial fraud risks and stuff like that turned out not to be sufficient anymore, that the type people work and the ability to change the style of work became a risk. And I just had a discussion with my wife today, who is working at the governmental or governmental organization.
And she said they currently don't have enough WebEx and Zoom licenses. So they can't schedule calls with external parties, and then things like that become a risk. But on the other hand, we also had, I think we had a lot of learnings about the risks for club global supply chains and the well known limits of just-in-time production. So how would you address this and how would you recommend people or educate people to move more to a comprehensive risk perspective, which takes into account all the things that can put your business at risk?
It's a very good question because we are losing a lot of relevance from the previous data trends. Our business intelligence platform with the alarms are well not relevant for the new COVID operations. So right now we need to start looking at the new risk without being able to fully use the previous data and the previous reaches and the previous incident, because it's a new normal. The alarms that we have for red flags for fraud, for new diligence, they may not be relevant anymore. Now, the services are delayed longer than we expected. In that direction, I am pushing the better re assessment technology, and we have the golden standard in SAP GRC. We have the capability to use Monte Carlo in SAP, which is my preferred technique in order to assess contractual risk, in order to assess business risks based on data, based on: this is the assumption that we have for planning, this is the volatility that we have, and this is what we expect. SAP is able to accommodate this approach that is more mature than having a finger in the air and saying red, five, catastrophic without really analyzing a scenario.
And especially if you bring in humans. And I remember, you know, steering board meetings with a couple of board members where they tried not to really understand the risk, but to rate down the risk so that they don't need to take action. So if this risk is only that, if we can argue it's not as big, then we don't need to spend that much money. So a little bit the thinking. And I think that's something you avoid with things like the Monte Carlo simulation, which is a very proven and established method at the end to move from uncertainty to risk. So where you, you know, about a concrete risk. And so, yes, I'm fully with you. And I think that definitely makes sense. And I think the ability to add new controls and to review and verify and change baselines we are working against is super important and taste in times with such a high volatility and in everything we are facing today.
Absolutely. We have complete questions from decision makers. Is this one the right price? Is this the right bidding? Is this the right level of insurance coverage? Is this the liability that we can take? Do I need to get the reserve for this project? You cannot answer those questions by saying red, green, yellow, five, catastrophic or not. They really want to have a level of assurance that this is the right way. This is the way that we can invest in control. This is the way that we can invest on insurance. This is the way that the price this client is paying us is enough to take the risks. And definitely SAP is able to accommodate this approach very nicely, but it also requires different skills. And this is something that we also need to leverage the SAP by the knowledge of the users. And that is where the consultancy comes into place. Being able to let the people in the organization fully get the value from those ideas, from those platforms, from SAP, from having a GRC tool at the end.
So the risk manager's role is changing a little bit, the same way a controller's role has or should have changed in the past, where the controller not only puts together a nice Excel sheet and says, oh, these numbers, you didn't hit your target, but the controller provides recommendations and acts as an internal consultant. So the risk manager also should act as a consultant saying, okay, this is what we can learn from the data. This is what we can learn from the risks and all the information. And these are the ways you could act on that. Maybe more with an assurance, more with mitigating measures or at the end, by not doing something or by accepting risks.
We cannot use a lack of data anymore. We got plenty of data and the key, our own capability to get insight for decision making and choose the right tool. SAP GRC is never gonna be able to compensate the lack of talent of the people using this information. And this is the main constraint right now. How can we develop the tools, the idea, and also the aspiration to use data, to have a centralized way to challenge our colleagues, to challenge our business plans, to challenge our third parties in a very positive way that we can provide at the top of the organization, the right picture to articulate a new strategy. And I think that COVID accelerated this process.
Okay. We are already not that far from the end of the time we have for this talk. So one question I'd like to raise. So even if you manage to be the data scientist, so to speak, for risk, the risk scientist, however you'd like to phrase it. So really making value out of the data, how do you finally make people act on these risks? Because we still have, I think, a tendency, and I think the tendency comes up when you use manual controls, where people have a tendency to cheat if things go wrong. But also when does something on the table and say, this is the risk. How do you ensure that people really act on these risks, that they take the right measures?
Influence is key. Explaining things and how objectives are compromised is key. But we are paying more attention when we think about the risk for our own careers, the right now for the companies.
So thinking about talking to the risk owners in a very direct way, saying for you, that is gonna be the effect for your career, for your future. This is gonna be the effect if you are not doing anything. And then also talking about the tolerance: will you accept this client that in 20% of the scenarios will create a loss? Do you think that that is making sense? So we need to start talking about these scenarios in which there are confidence levels that they can decide in an, our centering assumption, that they can really see that there is not one single scenario for the risk, but also a comprehensive view.
Okay, great. I think this is a good closing for this session. I found it very interesting. Our audience also likes this interview as much, or just talk as much as I did. Thank you very much for taking the time. And I hope you manage managing the risks well.
I am learning. As long as you are learning, you're always managing uncertainties. Thank you, Martin, for sharing these ideas. For this audience, it is extremely important that the good work that you are doing is really impacting decision makers. Thank you. Welcome.
