By Dave Hannon
@Daveatwispubs

I heard a story at one point in my career that I could never verify, so I won't use the company name. But it was perhaps the best lesson in supply chain visibility I've ever heard so I'll share it with you. It went something like this.

The VP of supply chain for a high-end handbag maker is walking through the streets of Tokyo and sees a vendor on the street selling knock-offs of his product. He'd seen this kind of thing before and found it sort of amusing and just for kicks, he picks up one of the bags and examines it. He looks at the materials, he looks at the stitching, he looks at the logo--it's all flawless. Exactly like the real thing. In fact, he buys one from the vendor and brings it back to his VP of manufacturing who examines it and he can't tell the difference between the knockoff and the real thing. "So I thought either these counterfeiters are getting REALLY good or there's something else going on here," he told me.

Can you guess what's going on here?

The handbag maker was using a contract manufacturer in Asia to produce the handbags based on their designs and materials. The only problem was the handbag maker didn't monitor that factory very closely. So the factory would work hard to fulfill the volume required by the handbag maker and then, with whatever time was left over, would continue making the handbags for sale on the black market. So other than flowing through materials a bit more quickly than forecasted, the handbag maker might never have known because all of their customer commitments were being met. (In fact the VP of supply chain told me this factory was one of their favorites because of the speed with which they churned out the handbags--no wonder why!)

It was a very harsh lesson in supply chain visibility and while it's probably 10 years old today, multi-tier supply chain visibility remains elusive for many companies and industries in an era of increasingly outsourced manufacturing. (NOTE: Frequent business travelers may want to skip the next part of this blog post).

Case in point: The aerospace and defense industry. According to a recent survey of aerospace and defense firms by KPMG, "A&D organizations have far less visibility into their supply chains than peers in other sectors. Only 27 percent of A&D organizations said they had visibility past their Tier 1 suppliers (versus 41 percent of non-A&D respondents) while nine percent said they had no supplier visibility at all."

So 9% of the firms making airplanes, spacecraft and missiles have no supplier visibility at all? Without naming names, I think there's one company you've probably got in mind that has seen some major production and PR problems as a result of this lack of supplier visibility. But I won't beat that dead..uhh...slightly wounded aircraft maker here.

And the problem flows both ways in the A&D supply chain. The KPMG survey found that nearly half of A&D suppliers report encountering significant challenges in aligning operations to real-time fluctuations in customer demand, indicating the OEMs aren't providing visibility either.

So if we're going by that one survey, the A&D industry might not be the one to benchmark for supply chain visibility best practices. But never fear--if it's SCM benchmarking you want, it's benchmarking you'll get.

The electronics industry historically has been a leader in the use of supply chain technology to increase visibility. If you're looking to hear some best practices straight from that horse's mouth, you might want to check out this webcast next Wednesday featuring Applied Micro's use of SAP supply chain solutions: bit.ly/153rAf9

SAPinsider Senior Writer Ken Murphy recently interviewed Jabil Circuit's Rocio Timko and Charles Nichols at the SAPinsider SCM 2013 conference to hear more about that company's use of SAP Supply Network Collaboration. Check out the video here. 

And if it's consumer products you're looking to benchmark against, this case study -- Conair Improves Supply Chain Planning Accuracy and Customer Service -- would be a good resource for you.

The overall lesson here is whether you're making airplanes, hair dryers, microchips or handbags, you have to know what your suppliers are doing in today's ever more global market.

Now, if you'll excuse me I have to head downtown and find a knockoff Rolex in time for Father's Day. (Just kidding dad!)

By Dave Hannon
@Daveatwispubs 

SAP's announcement last month that it would recruit and hire more than 600 autistic workers struck a chord with me. Eventually.

As an optimist by nature, I want to believe good news is really good news, but as a business journalist for the past (coughs loudly) years, I know often it isn't quite as good as it sounds. We've all been burned a few times by lines like: "We really want to help low-income people secure mortgages and buy homes." (Translation: We're selling these loans immediately for profit knowing we've just ruined this family's life).  or "We are happy to bring jobs to this economically depressed area of the world." (Translation: We're starting a slave labor camp). 

So, in some of these situations we've been conditioned to skip over these types of initiatives. But SAP's program stuck in the back of mind, so I decided to read a bit more about it and consider both SAP's approach and its motives. And after having done that, I'm happy to say I'm enthusiastically optimistic about the program.

For starters, SAP is partnering with a specialist organization to gain business benefit out of this program and they're up front about that. In fact, that's the whole point. SAP's press release says "SAP sees a potential competitive advantage to leveraging the unique talents of people with autism, while also helping them to secure meaningful employment."

And don't take SAP's word for it either. According to research in this article in the New Scientist, "employees with autism bring more to the table than good concentration. Benedetto De Martino at the California Institute of Technology in Pasadena has shown that people with autism make better decisions than "neurotypicals" when it comes to making a rational choice. They are less swayed by emotion." And there is a lot of other evidence out there if you are interested.

Of course, SAP did get some positive coverage in the mainstream media when they announced the initiative. Heck, even my mother said she saw the announcement in the newspaper and commented on it knowing my job is somehow related to SAP. 

So it certainly got the SAP name in front of people that might not otherwise see it --and in a very positive light. For a public company, that's great exposure, sure. But if SAP just wanted a bit of good press, it would partner with some celebrity spokesperson, take out the checkbook and make a big public donation to an autism-related charity, issue the press release, and be done with it. This goes so far beyond that (he said optimistically).

To me, SAP's true "hidden agenda" here is a great one -- to send the message to other major (public) companies and organizations that there are ways you can make the world a better place and gain business value. And today the big companies could use some inspiration. Weighing the benefits of socially conscious (for lack of a better term) programs vs. possible reputational/business risk is a very thorny issue for even the best intentioned companies and organizations. For example, major colleges in the U.S. are struggling with the popular demand by students that schools divest their fossil fuel holdings in their endowments. Sure, colleges and universities want to be on the forefront of the environmental movement, but would they risk financial gain to do so? Well, that's a completely different question.

The message SAP is sending is that if you are creative and if you partner with experts in a given field (Specialisterne in this case) and you don't just jump on the latest cause half-heartedly, there can be a win-win approach. And that "message" is, to me, the real value of SAP's program. In the grand scheme of things, giving 650 autistic people work isn't going to eliminate the challenges the millions of other autistic people face in their search for employment. But if it inspires other companies to change their perception and practices in this area, THAT could have a very big impact. Likely bigger than you might have thought. According to the Centers for Disease Control here in the U.S. in 2008, one in every 88 children -- more than 1% -- has an autistic spectrum disorder. That's up from one in every 150 only six years prior. If we can change the perception of 1% of people from being "unemployable" to being a "competitive advantage" that benefits all of us.

And just to make sure I wasn't being overly optimistic or naive on this whole thing I checked in with the president of the Autistic Self-Advocacy Network, an advocacy organization in the U.S. run by and for autistic adults seeking to increase the representation of autistic people across society. And I'm happy to report he's in support of SAP's program.

"We're very pleased by and applaud SAP's announcement and have reached out to them to learn more about their plans in North America," said Ari Ne’eman, president of ASAN. His priorities for these kinds of hiring initiatives are ensuring that autistic workers are offered the same wages and benefits as non-autistic workers and making sure these hiring opportunities take place within integrated workplace environments.

"We're excited about this development and want to encourage other companies to follow SAP's lead," Ne'eman said.

I couldn't have said it better myself.

In this podcast Simon Persin, senior manager and GRC solution lead at Turnkey Consulting, discusses the benefits of becoming certified in SAP GRC Access Control as well as how to ensure your compliance solutions are compliant. For more information on Persin's session at GRC 2013, visit GRC2013.com.

Dave Hannon, SAPinsider: Hello, this is Dave Hannon with SAPinsider. Joining me now is Simon Persin, a Senior Manager and GRC Solution Lead at Turnkey Consulting. Simon’s also a presenter at the upcoming GRC 2013 conference in Amsterdam, June 11-13th.

Welcome, Simon.

Simon Persin, Turnkey Consulting: Hi Dave.

Dave: Simon, I know at the GRC2013 conference, you’re going to be hosting a discussion form on SAP Access Control certification. I want to start by asking you why that certification in particular is important to organizations running SAP Access Control today.

Simon:  That’s quite a good question. It’s not a massively easy answer, to be honest. But, I suppose it depends on the nature of the organization themselves.

Certainly with the people that I’m seeing out of the marketplace and the customers that we’re working with, we see it differently depending on whether the customer is actually an end user of SAP or a consultancy in their own right.

If I take them both separately…

For customers of SAP - and that’s your end users - the value of the certification is more to provide that assurance that the people they’re employing and the consultancies that they’re using are accredited and have the actual skills that they need to implement the solutions properly.

Looking at it from the consultancy perspective, it’s one of the easiest differentiators for why you do or you do not win work. It is something tangible that the end users can looks for.

Depending on where they are with the SAP technology, then it can mean different things to different people.

Dave: Is there a benefit of Access Control certification you think an individual might not be aware of?

Simon:  I think so. Certainly for people who are working at end user sites, then it can contribute massively to some personal development plans and career progression. It can be an easy objective to get on the CV and to demonstrate that you’re learning and growing within the organization. Even to the organizations, it’s quite an easy way of approving to your employees that you value them and you’re progressing them through their career as well.

Again, for consultants, it’s a useful certification to gain. It’s not the easiest one to achieve, so it does demonstrate that you are gaining credible knowledge and able to use those skills on a customer site to implement the technology properly.

Dave: At the conference, you’ll also be hosting a session on “the compliance of your compliance solutions.” Could you provide an example of a time when compliance solutions may be out of compliance and what the potential impact to the business may be?

Simon:  That’s one of my hot topics at the moment.

As a Senior Manager, I go around and I see a lot of implementations of GRC. I get involved in a lot of system reviews and some quality assurance checks as well. It’s become one of my favorite topics, to look at the actual controls in place around the GRC solution. It’s always put in as the solution to issues in SAP systems, and it’s very easy for people to forget that the GRC solution is actually an SAP system in its own right as well -- especially with the technology shift back to ABAP from version 10 release and forward from there.

Often, we’re looking at the same conditions that would be in place for SAP and just making sure that they are still in place for GRC as well: looking for GRC to have the capability to run SAP checks on itself, looking to see that there is GRC-specific content applied to the system to make sure that there aren’t any gaps in the control environment, and introducing any back doors that the GRC system can exploit.

The most common example for that is the use of the Firefighter component. We’re always looking to see that the privileged access and the unrestricted access to GRC is controlled. And the easiest way of doing that is to actually make use of the available GRC tools, such as Firefighter.

Also, because GRC has connections into most of the production SAP systems, we’re also making sure that the access around administration of the RFC destinations and all of the other Basis-level checks are still activated and secure.

Otherwise, you’re introducing potential risk to your organization from GRC as an application tool.

Dave: Who typically within an organization is responsible for monitoring the compliance of the GRC solutions?

Simon:  That’s an interesting question, and one that’s been had on numerous different client sites that we’ve been working with. Trying to set up the governance around GRC and the organization that supports it is a really interesting topic and one that we have also get involved with quite regularly.

In our view at Turnkey, you need to take a more holistic approach to the whole governance and security area. A lot of people think that you can just shoehorn GRC in alongside security and the authorizations teams as an offshoot to the basis activities, when in actual fact, the skillset is significantly different. You need to have much more of a compliance idea and more of an oversight as to what’s going on in the business rather than just technical knowledge of what an authorization issue is or what a technical risk is.

We do like to see a separate GRC team, which is responsible for managing the GRC solution, but that could have a shared reporting line into a technical architect or a GRC architect in its own right, which may well then have links into wider internal audit compliance or a more financially focused remit to guarantee the internal controls are working in the solution.

That becomes even more important if you widen out the technology to include things like process controls and risk management as well. So then rather than just being an Access Control system, you’re starting to look at more organizational compliance, organizational risk management, and really beefing up the technology behind those particular skills.

The governance side of things ultimately still reports into the top CXOs, CFOs, and CIOs for different types of reporting lines, but on the ground, there does need to be that segregation to realize that GRC is slightly different.

Dave: Lastly, what should companies consider when implementing GRC solutions to make sure that they are compliant down the road?

Simon:  There are a lot of tips in my presentation in Amsterdam, so I don’t want to give away all of the crown jewels up front, but... I think the main overriding theme is really that the same rules apply. There shouldn’t be any excuses for putting GRC in without an eye toward compliant processes and procedures.

The technology is similar to the old ABAP stack that SAP has been on for a number of years. With the amounts of experience consultants in that area, the same rules should apply and be rigorously enforced. I know that the auditors, certainly the big four, are starting to look for those sorts of checks, and no longer are the excuses being held that GRC can’t be done in that manner. People are really starting to catch up and therefore, the same rules apply to GRC as you would expect to be anywhere else in your SAP estate.

Dave: Great. To find out more about Simon’s presentations at GRC 2013, you can visit GRC2013.com. Simmon Persin, a General Manager and GRC Solution Lead at Turnkey Consulting, thank you very much for joining us today.

Simon:  No problem, thank you. 

By Dave Hannon
@Daveatwispubs 

While there's certainly be a lot of talk about damaging weather here in the US lately, if you still think enterprise risk management means preparing for the next weather event, then you've got some catching up to do.

Today, the enterprise risks that have the C-suite losing sleep include things like increased regulatory pressure, market slowdowns, and government pressure to reduce spending. For example, according to a recent KPMG survey, 59% of C-suite executives at financial services companies and 53% of those in the energy and natural resources executives identified regulation as their top threat. And executives across all industries said regulatory risk is a bigger concern than reputational, credit, supply chain or those security risks that grab all the headlines.

"We found that risk management is not advancing fast enough at most companies in the face of an array of threats in an increasingly complex global economy," said Mike Nolan, KPMG International's Global Leader for Risk Consulting. "But companies can transform these challenges into a competitive advantage. All of their competitors are in the same boat, but very few are going to take advantage of the regulatory onslaught to become more competitive. The companies that do will be in a strong position to turn regulatory risk into an advantage."

So the question becomes "how." How do you turn these issues from ulcer-causing concerns to something that gives you a leg up over your competition? While I might not have the exact answer to that very big question, I'm convinced that the answer should include the terms "aggregated data" and "integrated IT platform" in it somewhere.

At a very high, global, "avoid another major economic meltdown" level, the Basel Committee on Banking Supervision in January released guidance for central banks "intended to strengthen banks' risk data aggregation capabilities and internal risk reporting practices." While there is a lot to take in here one of the recommendations includes: "A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles...A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimise the probability of errors."

In fact the Basel guidlines provide 15 points and various sub-points on risk data aggregation for banks. While they all make sense, in a blog post on the Basel guidelines, Steve Culp, leader of Accenture’s Risk Management practice globally, pointed out that might not be as easy as it sounds for these megabanks. "The enhancement of banks’ IT and infrastructure capabilities, including upstream and risk systems, risk data and reporting, will most likely require significant investment and change management. This is especially challenging as banks implement other change programs and align these efforts to other regulatory changes."

Why all this talk about global banks' risk management practices? Well I figured if I started you off by thinking about the challenges THEY face, then the challenges you face in your organization to aggregate risk data might not seem quite so daunting. (Did it work?) For SAP customers, it's still a big challenge, but there's a more direct path to aggregating risk data and defining responses to certain risks for those seeking these answers.

According to a report insiderRESEARCH compiled earlier this year polling SAP customers about their risk data, we found "there are pockets of information being collected at the local level that can be used to identify risks that could affect the entire enterprise. The information simply needs to be housed in a central repository and exposed to the right people in the right format...currently, this is not happening. More than half (55%) of the professionals surveyed say that their organizations are using Microsoft Excel or Word to manage their risk programs locally, while another 39% use homegrown systems that have varying levels of integration and automation."

For SAP users the data is available. A suite of integrated solutions is available. They just need, what -- more convincing of the benefits of integrated solutions and aggregating data? Try this: In a recent interview, Werner van Haelst Joint Managing Director of Integrc and I discussed the benefits of an integrated platform for SAP GRC suite users, including the integration of the SAP GRC Risk Management solution. For example, sharing data between organizations and between the various solutions in the GRC suite can bolster that data's value.

"For example, SAP GRC Risk Management can use existing SAP Process Controls as a risk response," he told me. "If Risk Management defines a certain risk and you want to have a certain risk response you can use those in Process Control."

If you need more convincing, don't take it from me. At the GRC 2013 conference next month you can hear from companies like GlaxoSmithKline, Exxaro, and Ericsson as well as see demos and hear solution-specific details from SAP and its partners.

Lastly, just to end off with some fear factor, I'll leave you with this extended quote from the Basel Committee report:

"One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities. Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices. This had severe consequences to the banks themselves and to the stability of the financial system as a whole."

In this interview recorded live at GRC 2013, Steve Biskie of High Water Advisors provides his take on the newly released SAP Fraud Management application powered by SAP HANA, which was unveiled at GRC 2013. Biskie also gives his advice on who in the organization should review the SAP instance in preparation for an audit and how to use SAP solutions to detect SOD violations before an auditor does. To find out more about GRC 2013 in Amsterdam in June, visit this site.