GRC

SAP GRC Solutions Leverage HANA for Fraud Management

According to the 2012 Report to the Nations on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners (ACFE), $3.5 trillion worth of fraud occurs every year. Industries such as insurance, public sector, banking, healthcare and utilities bear more than their share of this risk and often spend millions in their attempt to detect, investigate, analyze and prevent it, with varying degrees of success. Investigators are forced to wade through massive amounts of data, which potential perpetrators count on to shield them from detection and prosecution. To help companies face this challenge, last month SAP announced SAP Fraud Management, leveraging the power of its HANA platform. The goals:

  • reduce the cost and effort of investigation, by providing tools to better detect new and changing fraud behavioral patterns
  • redirect efforts away from false alarms in order to deter and possibly even prevent a fraudulent transaction from being completed
  • and of course… earlier detection by processing high volumes in quasi real-time

What Is It?

SAP Fraud Management is part of SAP’s Governance, Risk and Compliance (GRC) product portfolio, along with Process Control, Access Control, Risk Management and Global Trade Management. It is part tool (for the IT department) and part analytic application (for fraud investigators).

The potential for the solution was demonstrated at the SAP Insider GRC 2013 conference in Las Vegas using an example from the insurance industry. Michael Lortz, Sr. Director, Solution Marketing for the GRC portfolio of products played the role of an investigator tracking down a potentially fraudulent automobile insurance claim. A young policyholder had submitted a claim after an accident that had occurred between 1:00 and 5:00 AM. The detection engine flagged it as suspicious due to the combination of the age of the operator and the time of day the accident had occurred.

The first step Michael, as the investigator, took was to do a “network analysis” to look for the same set of circumstances in any other claims. Come to find out, this young claimant and two others involved in the accident were also participants in four other claims. What are the chances this kid had five different legitimate accidents involving the same people? Slim to none? Obviously the perpetrators of the fraud were counting on the sheer volume of claims processed to mask this. In fact, they were successful the second, third and fourth time. The fifth time around, with the help of some enabling technology, somebody noticed.

As a result, the transaction could be flagged as fraudulent before any payout on the claim was made. But more importantly, the engine that triggered this as a suspicious claim could be recalibrated to change the thresholds that trigger audits that would prevent, if not the second claim, at least the third and fourth. And through recalibration of the rules, the likelihood of any transaction flagged as suspicious turning out to be fraud is increased substantially. Tracking down “false alarms” is costly and unproductive. So the ability to reduce those “false positives” can represent a huge savings.

Part Application, Part Platform

So, is SAP Fraud Management an application or is it a set of tools from which a clever customer or an SAP partner can build an application? The answer is, “Yes.” It is part application and part tool and it relies on the HANA platform for some of its functionality. Of course, this example provides a compelling business case for the insurance industry. While this was automobile insurance, surely it could be tweaked for homeowners and other kinds of liability insurance. The net result is a complete, working application for this industry.

However, the processes of detection, investigation and deterrence are similar in managing any kind of fraud and can be pre-built into a framework:

  • Detection based on a set of rules
  • Analysis of a network of objects looking for similarities (participants in insurance claims in this instance, but just as easily dinner guests on an expense report, deductions on a tax return, etc.)
  • Combined with a timeline (in what period of time were all these claims filed?)
  • Documentation of decisions (e.g. not to pay a claim, to reject an expense or to conduct a tax audit)
  • Add deterrents and refine the process by recalibrating the rules for identifying possible fraud
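The detection, network-analysis, timeline, decision and recalibration steps above, worked through as an added example that is not SAP Fraud Management code; every claim, participant, date, threshold and outcome is constructed for illustration:

```python
"""Rule-based flagging, participant network analysis, timeline and rule
recalibration over constructed insurance claims.

Added example, not SAP Fraud Management code: every claim, participant,
date and threshold below is constructed for illustration."""
from datetime import date

# Constructed claims. "fraud" is the investigator's eventual finding and is
# only used to score candidate rule settings during recalibration.
CLAIMS = [
    {"id": "C1", "age": 19, "hour": 3, "filed": date(2012, 1, 10),
     "people": {"A", "B", "C"}, "fraud": True},
    {"id": "C2", "age": 19, "hour": 2, "filed": date(2012, 3, 2),
     "people": {"A", "B", "D"}, "fraud": True},
    {"id": "C3", "age": 22, "hour": 4, "filed": date(2012, 5, 14),
     "people": {"A", "C", "E"}, "fraud": True},
    {"id": "C4", "age": 24, "hour": 6, "filed": date(2012, 6, 1),
     "people": {"F", "G"}, "fraud": False},
    {"id": "C5", "age": 23, "hour": 1, "filed": date(2012, 6, 20),
     "people": {"H", "I"}, "fraud": False},
    {"id": "C6", "age": 19, "hour": 3, "filed": date(2012, 7, 8),
     "people": {"A", "B", "C"}, "fraud": True},
]


def rule_flag(claim, max_age=25, night=(1, 5)):
    """Detection rule: young operator and an accident in the early hours."""
    return claim["age"] <= max_age and night[0] <= claim["hour"] <= night[1]


def linked_claims(claims, claim_id, min_shared=2):
    """Network analysis: other claims sharing at least min_shared participants."""
    target = next(c for c in claims if c["id"] == claim_id)["people"]
    return sorted(c["id"] for c in claims
                  if c["id"] != claim_id and len(c["people"] & target) >= min_shared)


def timeline_days(claims, ids):
    """Timeline: days between the first and last filing among the given claims."""
    dates = [c["filed"] for c in claims if c["id"] in ids]
    return (max(dates) - min(dates)).days


def investigate(claims, claim_id):
    """Decision record for one claim: rule result, linked claims, span, outcome."""
    claim = next(c for c in claims if c["id"] == claim_id)
    links = linked_claims(claims, claim_id)
    if rule_flag(claim) and links:
        decision = "hold payout, refer to investigator"
    elif rule_flag(claim):
        decision = "manual review"
    else:
        decision = "pay"
    return {"claim": claim_id, "linked": links,
            "span_days": timeline_days(claims, [claim_id] + links),
            "decision": decision}


def score_rule(claims, max_age, night):
    """Recalibration aid: alerts, confirmed fraud, precision and misses for one setting."""
    flagged = [c for c in claims if rule_flag(c, max_age, night)]
    hits = sum(1 for c in flagged if c["fraud"])
    total_fraud = sum(1 for c in claims if c["fraud"])
    precision = hits / len(flagged) if flagged else 0.0
    return {"alerts": len(flagged), "true_fraud": hits,
            "precision": round(precision, 2), "missed": total_fraud - hits}


if __name__ == "__main__":
    print(investigate(CLAIMS, "C6"))
    for setting in [(25, (1, 5)), (25, (0, 6)), (20, (1, 5))]:
        print(setting, score_rule(CLAIMS, *setting))
```

Running it shows the trade-off the post describes: widening the night window adds a false alarm and lowers precision, while tightening the age limit removes all false alarms but misses one confirmed case.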

But the team building SAP Fraud Management didn’t have to create all this from scratch. It also looks to HANA to speed the investigation with its ability to process and analyze massive volumes of data, seemingly in real time since there are no spinning disks to traverse. All data is stored in memory, speeding the process. Rules are defined natively in HANA, while the “calibrator” is a specific tool created for Fraud Management.

Similar scenarios could be constructed for public sectors and the detection of tax evasion or perhaps abuse of social services such as food stamps or disability claims. Or it could help private companies detect fraudulent expense reporting or questionable purchases. Given the ACFE estimates the average organization is at risk of losing up to 5% of its revenue to fraud, the potential payback is more than significant. It can be huge.

Chances are SAP will not speculatively develop these industry-specific versions themselves. It is more likely for some of its partners to develop them. Most notably, we might expect to see some of the larger management-consulting firms with large risk management practices develop these for industries they serve.

Conclusion and Recommendations

If your company is at risk for significant financial loss as a result of fraud, SAP Fraud Management is certainly worth a look. First quantify the risk and then assess the cost of your current efforts to contain and mitigate that risk. If you employ fraud investigators, you must have some measure of their success, and chances are you measure the number of potential cases investigated along with the number of real occurrences of fraud. The goal should not necessarily be to increase the number of cases of fraud detected, but to detect fraud more quickly and to minimize the number of cases you chase that lead to no fraud (fewer false positives). SAP Fraud Management, powered by SAP HANA, can help you stop chasing down rat holes. This will allow you to set thresholds of risk lower and investigate more cases that can be proven fraudulent. Ultimately the goal is to maximize the amount of fraud prevented.


Lawson/Infor Address GRC Gap With Approva Acquisition

On September 1, 2011 Lawson Software Americas, Inc., an Infor affiliate, completed the acquisition of Approva® Corporation. In doing so, the combined companies add a component previously missing from their product portfolio to address a growing need for Governance, Risk and Compliance (GRC). At the time of the Lawson acquisition in July 2011 Infor promised a fast pace of development and delivery of deeper industry-specific features for key industries. This move signals that Infor is serious about investment in establishing itself as a leader in the enterprise software industry. Integrating yet another company before the dust has even settled from the prior one is an aggressive move that is not without risk. Yet managing risk is what this merger is all about.

Approva Key Facts

  • Founded in 2002
  • 200+ Customers – including Fortune 500 leaders in key verticals
  • 190 Employees
  • Headquarters in Herndon, VA
  • 120+ employees in Pune, India
  • Previously owned by four VCs – Sierra Ventures, Novak Biddle, NEA, and Columbia Capital


Identifying the Need

High profile scandals of the past decade, increased regulatory requirements and security and privacy issues that come with the age of connectivity have heightened the need for all three elements of the broad category of Governance, Risk and Compliance. And yet most companies today still rely on manual processes and have done little to automate controls. This condition itself adds a level of risk in being able to detect fraud, comply with reporting requirements efficiently and perform internal audits in order to prepare for the external ones.

The Enterprise Resource Planning (ERP) solutions offered by both Lawson and Infor are a focal point for gathering data and recording transactions that need to be monitored but do not provide the level of monitoring and control required for GRC purposes. However, to be fair, most ERP solution providers today, with the exception of SAP and Oracle, suffer from the same deficiency.

The Mint Jutras 2011 ERP Solution study looked beyond the realm of core ERP modules and investigated current and planned adoption of 20 different extensions to ERP. These are additional applications which might (or might not) be integrated with ERP. One of the categories included was GRC applications.

Figure 1 compares the current and planned adoption of World Class ERP implementations to all others, not achieving this status. To define “World Class” we use a broad spectrum of metrics. While the study also measures additional key performance indicators (KPIs) that are specific to different industries, we limit the World Class definition to those which can be universally applied to all companies. The definition of World Class performance is based on a composite of three different categories of metrics: results, progress in achieving goals and current performance.

While adoption rates are relatively low (39% for World Class and 16% for all others), World Class ERP implementations are almost 143% more likely to include one or more elements of GRC and 86% less likely to have no plans for adoption.

GRC is a broad category and can mean different things to different constituents in any organization. For the office of the Chief Financial Officer (CFO) “risk” generally refers to both financial risk and the financial impact of operational risks that can be caused by both internal and external factors. Those operational risks can include Information Technology (IT), which largely centers around IT security.

Approva positions its application as Continuous Controls Monitoring (CCM), which is all about monitoring what users “can do” and then analyzing what they “did do” in financial and business systems. Sitting outside of the ERP solution, between the corporate governance layers and the underlying IT infrastructure allows them to provide cross-platform monitoring across any number of different applications.

It has been the experience of Mint Jutras that most companies embarking on implementation of any GRC solution are most likely to start by implementing access control, whether driven by the need for segregation of duties (SOD), security or just good management practices, or for all three purposes. While most modern enterprise applications today are able to secure access to individual functions in the application, and more and more of them are able to secure access to particular data (e.g. a sales representative can only access order status for his or her own customers, or warehouse personnel can only enter inventory transactions for that warehouse, etc.), the controls are confined to a particular application. What happens when an individual is allowed to add vendors in one particular application but payments are processed by a different application? Without cross-application visibility, there is risk of the same individual creating a vendor in one application and paying the same vendor from another.
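The cross-application gap just described, as an added example that is not Approva's or Lawson's code: two constructed entitlement exports (a procurement system that grants vendor creation and a payments system that grants payment release) are joined through a constructed identity map, and the same SOD rule is evaluated once per application and once across both.

```python
"""Cross-application segregation-of-duties (SOD) check.

Added example, not Approva or Lawson code: the two entitlement exports, the
logins, the identity map and the conflict rule are all constructed."""
from collections import defaultdict

# Constructed exports, one per system: (login, business function) pairs.
# Logins differ between systems, so they must be joined through an identity map.
PROCUREMENT_APP = [("jdoe", "vendor.create"), ("asmith", "vendor.create"),
                   ("bwong", "po.approve"), ("ghost", "vendor.create")]
PAYMENTS_APP = [("doe.j", "payment.release"), ("wong.b", "payment.release"),
                ("lee.k", "payment.release")]
IDENTITY = {"jdoe": "jdoe@example.com", "doe.j": "jdoe@example.com",
            "asmith": "asmith@example.com",
            "bwong": "bwong@example.com", "wong.b": "bwong@example.com",
            "lee.k": "klee@example.com"}
# SOD rule: nobody may both create a vendor and release payments to vendors.
CONFLICTS = [("vendor.create", "payment.release")]


def entitlements_by_person(*exports):
    """Join (app_name, export) pairs on resolved identity.
    Logins missing from the identity map are reported, not silently dropped."""
    grants, unresolved = defaultdict(set), set()
    for app_name, export in exports:
        for login, function in export:
            person = IDENTITY.get(login)
            if person is None:
                unresolved.add((app_name, login))
                continue
            grants[person].add((app_name, function))
    return grants, unresolved


def sod_violations(grants):
    """Cross-application check: conflicting functions held anywhere by one person."""
    found = []
    for person, held in grants.items():
        funcs = {f for _, f in held}
        for a, b in CONFLICTS:
            if a in funcs and b in funcs:
                apps = sorted({app for app, f in held if f in (a, b)})
                found.append({"person": person, "conflict": (a, b), "apps": apps})
    return sorted(found, key=lambda v: v["person"])


def per_app_violations(grants):
    """What a check confined to one application sees: only same-app conflicts."""
    found = []
    for person, held in grants.items():
        by_app = defaultdict(set)
        for app, f in held:
            by_app[app].add(f)
        for app, funcs in by_app.items():
            for a, b in CONFLICTS:
                if a in funcs and b in funcs:
                    found.append((person, app))
    return found


if __name__ == "__main__":
    grants, unresolved = entitlements_by_person(("procurement", PROCUREMENT_APP),
                                                ("payments", PAYMENTS_APP))
    print("per-app view:", per_app_violations(grants))
    print("cross-app view:", sod_violations(grants))
    print("unresolved logins:", unresolved)
```

The per-application view finds nothing because each system holds only half of the conflict; the joined view flags the one person who can create a vendor in procurement and release payments in the other system.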

The folks from Lawson tell me that while their customers have not articulated the need using references and terms like “access control”, indeed they have identified the need to better support internal audits. A CCM solution directly addresses this concern.

Why Lawson?

So, given that Lawson is the “newbie” in the Infor family, why did Approva land here? The answer has much more to do with the original Lawson S3 legacy than its acquired M3 (Intentia Movex) product line. Selling to and servicing the office of the CFO has always been Lawson’s strong suit. The addition of Infor’s Corporate Performance Management (CPM) suite only added to that strength and there is significant potential with the ION suite. Infor ION at the Center of Providing Immediate Value to Lawson and Infor speaks to this potential.

Lawson is also the home for products that specifically address two of the industry sectors most sensitive to GRC issues today – healthcare (and associated HIPAA requirements) and the highly visible public sector. Approva fills a notable gap in addressing these issues.

Two Distinct Markets

This begs the question of whom and what will be the target market for the acquired CCM product. It would seem there would be two separate and distinct targets.

First of all, there is the cross-sell and up-sell opportunity in the existing Lawson and Infor installed bases. Since there is no product in the current portfolio that competes in any way, there seems to be ample opportunity here. The Lawson S3 base would appear to have the most low-hanging fruit. Lawson already has a relationship with those most likely to perceive the need for this solution, and also those that control the budget which would fund the investment – namely the office of the CFO. And, according to Lawson’s Darci Snyder, Director FS and Public Sector Product Management, its customer base has been asking them to fulfill that need.

Whether the remaining customers using Lawson M3 and other Infor products see that same need remains to be seen. To date, large enterprises have been most likely to invest in GRC solutions. Smaller companies don’t have deep pockets when it comes to investments in GRC or CCM and while Infor’s customer base does include very large corporations, it also includes small and midsize companies as well.

Lawson has always taken a very industry focused approach in its product development and its marketing. Expect to see this industry focus spread through all the Infor product lines over the coming months. This focus had already begun before the Lawson acquisition across 10 specific industries and the acquisition simply added three more industries. Lawson and Infor are already working to integrate Approva’s applications into existing financial suites (yes, there are still multiple) and to address industry-specific requirements. So adding CCM as a feature/function to those solutions will be a priority and will simply give representatives selling these solutions more to offer.

Yet the cross-platform, cross-application capabilities of Approva have always been its strength and therefore it would not be in Lawson/Infor’s best interest to walk away from that business. And while there is some overlap in customers, there are a lot of Approva customers running applications that are in neither the Lawson nor Infor portfolio. It has an obligation to those companies as well. Yet expecting the existing sales teams that are focused on selling a complete ERP solution to be successful selling stand-alone CCM is unrealistic…which brings us to questions that are normally associated with any acquisition.

Integrating the Companies

How will Approva be integrated into the Lawson/Infor corporate structure and strategy? It is still too early in that process to answer all the burning questions about branding and about sales, and even development teams. It would certainly make sense to have a dedicated team that specializes in marketing and selling this type of solution, since Lawson/Infor does not have experience in this realm. Yet this may be entirely separate or managed more as an overlay team.

Infor has already broken rank, so to speak, in absorbing Lawson. Infor combined Lawson with SoftBrands, Inc., an affiliate company which was acquired back in 2009. This represented a bit of a divergence from past acquisition strategies. Until it acquired SoftBrands, Infor had generally executed mergers where the staff was fully integrated and the acquired company’s brand was subsumed by the Infor brand. The combination of SoftBrands and Lawson seemed to simply be an internal organizational decision that has nothing to do with branding, selling or supporting, and Lawson staff does appear to be working closely with their counterparts on the Infor side. Now Approva is being included in the SoftBrands/Lawson affiliate company. It remains to be seen whether the Approva brand will survive and what level of integration we’ll see in the coming months.

Summary and Key Takeaways

In summary, CCM is a logical extension to the Lawson and Infor applications. The product itself is complementary to financial applications, and indeed fills a gap that at least some of the company’s customers have noted. This provides opportunity to Lawson/Infor in allowing sales teams to add functionality and intelligence into existing accounts.

Infor is committed to developing and deploying industry-specific functionality. This allows a tighter fit with the existing customer base and sales teams while creating a complete solution that is both broad and deep, remains industry-focused and can still compete in the office of the CFO.

Yet preserving a level of independence will be necessary if Infor wants to continue to be able to sell stand-alone CCM and also maintain the loyalty of the Approva customer base.

This move was quick and aggressive, given the very recent acquisition of Lawson by Infor. All eyes will be on managing the risks associated with this type of bold move.


SAP GRC 10.0 delivers value. The voice of the SAP customer has never been stronger

I’ve just spent a full day at the SAP Insider GRC 2011 event, where over 700 GRC professionals from all over the world gathered to network, share experiences and hear about new developments from SAP. This is an annual event, co-located with SAP Insider Financials 2011 and HR 2011, the 9th of its kind, and my 4th. As a conference within a conference, the message from SAP had a dual focus for GRC 2011, but with a common theme – delivering more value to its customers by listening carefully to their needs. Previews of the upcoming release of GRC 10.0 (currently in ramp-up with general availability planned for Q2) were a testament to the fact that the voice of the SAP customer has never been stronger.

Sanjay Poonen, SAP’s President of Global Solutions & Go-to-Market, delivered the general keynote entitled Creating Competitive Advantage with Business Analytics. It was refreshing in that the keynote itself was less about the latter (SAP’s products) and more about the former. It’s really all about:

  • seeking operational excellence
  • providing visibility for better decision-making, including analytics and performance monitoring
  • supporting a risk-aware and compliance culture
  • developing a people and talent agenda

How can SAP help its customers gain this advantage both in general and in the context of GRC specifically? Over the past few years SAP has built an impressive portfolio of solutions under the umbrella of GRC. While a convenient “category,” GRC has never been crisply defined, as evidenced by all the different definitions that are floating around. Indeed over the course of the day I spent at the conference, I heard several speakers refer to GRC as Governance, Risk and Confusion. If you are looking for definitions, the OCEG Red Book (Standards and guidelines | by OCEG the Open Compliance and Ethics Group) is a good place to start.

For SAP, GRC is a convenient grouping of solutions that have been developed and acquired over time. However, although its GRC portfolio is extensive, it has been more of a collection than a true suite of products. As far back as March 2008, when SAP announced new versions of products across this portfolio, it referred to this launch as a “unified approach to GRC”. This launch included new versions of the SAP GRC Access Control, SAP GRC Process Control and SAP GRC Global Trade Services applications. In addition, the SAP GRC Risk Management application was integrated with the SAP Strategy Management application, which was then separated as part of SAP’s enterprise performance management (EPM) solutions. The goal even back then was to enable organizations to drive an integrated corporate strategy that synchronizes the management of enterprise risks, business controls and global trade compliance.

But the solutions were still separate applications built on different technology platforms, without a common user interface. They did not share data or workflows. They felt like different products. They behaved like different products. Therefore, for an existing customer who had started with Access Control and was looking for a trade compliance, process control or risk management solution, there really wasn’t a significant advantage in sticking with the SAP family of products.

That all changes with GRC 10.0. SAP has transformed a collection of disparate applications into a platform for GRC. There is a common look and feel. Master data can be shared across Access Control, Process Control and Risk Management. For example, the rich organizational structure that was available in Process Control can now be used in Access Control. All use the same workflow structure, supporting integrated monitoring. And perhaps just as important is the embedded (SAP BusinessObjects) BI. Xcelsius-based dashboards are pervasive throughout the solution and navigational tools such as Explorer are available as well.

Acknowledging the confusion over GRC and relatively low adoption rates (as compared to other enterprise applications), as a platform provider, SAP’s objectives are to simplify the message of what it will deliver, while providing a lot of meat and not just sizzle behind the messaging. SAP knows its goals need to align with the goal of the GRC professional. Simply put, that goal is to proactively balance risk and opportunity to:

  1. Better manage compliance and risk
  2. Better protect value – proactively avoid risk events; reduce cost of violations
  3. Better perform – actively link risk and performance management and objectives

In order to do this, the platform must support the ability to analyze, manage and monitor. One key advantage SAP will have over GRC point solutions is in making the connection back to operational systems of record (think ERP). Not only is SAP uniquely positioned to do this with its own ERP solutions, but it is also proactively working with a partner (Greenlight Technologies : Solutions : SAP GRC Cross-Platform : RTA Design Studio for Access Control) to also connect to other business systems such as legacy applications and other commercially packaged solutions.

These are all great enhancements, and create an incredibly comprehensive solution and significant market advantage in turning a collection into a platform. The old SAP probably would have stopped here. But the new SAP took two additional steps.
While SAP has been concentrating on developing the GRC platform and focusing on the technology, management understands a platform is simply a tool. Nobody looks to buy a platform. They look to solve a business problem. So the value of these efforts will be lost if the customer cannot go that last mile to connect to the business, sometimes with very industry-specific requirements. And often that specific expertise must be both deep and broad. The proliferation of regulatory requirements alone these days makes it difficult for any one company to provide this level of knowledge and expertise across a wide range of businesses. So while SAP focuses on technology and platform, it lets partners focus on the domain expertise for consulting as well as the development of plug-in applications through its Ecohub (http://ecohub.sdn.sap.com/irj/ecohub/home).

And finally, and likely most important for the customers, has been the active listening process. Eighty-six customers from the GRC customer advisory council would not have shown up for a daylong meeting with product management and development if they did not feel their voice was being heard. In the course of these types of conversations, three things have emerged: the effort required to manage GRC, the elimination of manual processes and the reduction of cost. While in the past SAP may have simply concentrated on offering those high-profile but often under-utilized leading-edge features, this time it also included a lot of the mundane and boring features that simply can lead to improved day-to-day efficiencies. As a result it has made GRC 10.0 much more appealing to its existing customers. In many cases, the customer can justify implementation based on just one new feature.

Each new customer that moves to GRC 10.0 will be another testament to the value of listening to the voice of the customer.