
SAP Signavio Solutions | PUBLIC

7 Step Guide to Risk and Compliance


Safeguard the future of your organization and make risk
and compliance management a top priority
© 2022 SAP SE or an SAP affiliate company. All rights reserved.

1 / 11
Table of Contents

3 Introducing the 7 Steps

4 Step 1 - Define and Communicate

5 Step 2 - Identify and Document

6 Step 3 - Design and Educate

7 Step 4 - Deploy and Test

8 Step 5 - Remediate and Refine

9 Step 6 - Monitor and Mitigate

10 Step 7 - Manage and Improve

11 Conclusion



Introducing the 7 Steps

Technology can empower compliance professionals. But to most effectively safeguard your organization from potential reputational damage and other unwanted risks, harnessing the potential and capacity of your whole team is imperative.

With the correct tools to assess impacts of regulations on the business and operating model, and to communicate information effectively, compliance becomes a company-wide endeavor.

The following seven-step model suggests ways in which organizations can maximize their business returns by investing in compliance. We recommend that for each step you consider the suggested outcomes, review the suggested actions, and then ask what mechanisms you already have that could be repurposed or reinvigorated to achieve your goals.

“The pace, complexity, and impact of change is affecting every industry and company. Incorporating new regulatory requirements directly into your processes will safeguard the future of your organization and make risk and compliance management a top priority.”

Dr. Gero Decker
Co-Founder, Signavio
Co-General Manager, SAP Signavio, SAP



Step 1
Define and Communicate

This first step is about creating a structure to allow for agile and effective management of regulations. Setting your organization up with “good bones” in the form of a well-designed regulatory system is key. This system must meet the requirements of the particular industry of operation, as well as allow for flexibility, transparency, and scalability to future-proof your organization and ensure it is able to adapt to changing regulatory and audit requirements as they happen. In other words, your compliance system must be set up to be and remain compliant itself.

When designing and defining this type of framework, it is essential to anticipate and cater to the audit requirements of the current environment, as well as those in the future. Many industries are required to keep detailed documentation showing exactly how industry regulations are translated into the company’s day-to-day operational workings – its business processes. A company may also be required to prove exactly how and when workers were informed of their compliance obligations, and may even be required to produce a formal acknowledgement and record of this. The volume and frequency of changes make the task of assessing the impact of a regulation on business operations a time-consuming one. Fortunately, compliance managers are no longer forced to rely on manual workflows and untraceable e-mail communication to keep track of changes. Organizations can work to build single sources of knowledge that allow them to update workers about changes quickly and easily, reducing the risk of noncompliant activities.

Ineffective company cultures are a major source of risk for organizations. Organizational culture will affect risk-taking behavior, both negatively and positively. This is why integrating a framework based on legal and standardized requirements into a workflow tool is crucial as a means of keeping everyone involved in your risk-prone processes up to date and communicating to stakeholders what the necessary controls are.

Define a framework based on legal and standardized requirements.



Step 2
Identify and Document

Risk identification is the foundation of risk management, as you cannot manage a risk you don’t know about. To ensure this process is thorough and effective, it is essential to involve a range of both subject matter experts and stakeholders – these are the people actually carrying out the work. They are best positioned to identify opportunities to improve the business process overall, and they can offer insights into why work may be completed incorrectly or noncompliantly. For example, if certain steps required for compliance conflict with activities related to KPIs and bonuses, you may find higher instances of noncompliant behavior.

On a broader level, strategic, operational, financial, and reputational risks must also all be defined and documented (with clear linkages between strategic, tactical, and operational processes and associated risks). This means identifying, prioritizing, and assigning accountability for managing any risk significantly impacting the organization’s ability to achieve its strategic objectives. On a more specific compliance level, it means identifying, prioritizing, and assigning accountability for managing compliance in regard to particular laws and regulations. It is essential that the right people are involved and consulted, and their feedback is factored into the compliance system. Doing this means setting up the basis for communication and collaboration across the whole system – meeting the needs of both management and the workers executing transactional tasks for customers.

As both broad and more specific risks are constantly changing, it is important that you define a compliance framework that can adapt quickly to protect your organization from risk. This should include not only staying informed about the latest regulatory updates, a huge job in itself, but also incorporating the updates into business processes and activities, and training and educating your team accordingly to ensure a strong compliance culture.

Identify, document, and prioritize risks in collaboration with subject matter experts and stakeholders.



Step 3
Design and Educate

Once the initial work to identify, prioritize, and get input on risks in your organization has been completed, the next step is to define how the organization will assess and control each risk, and create the supporting process and test structure to accompany this. Again, this step should make good use of iterative design of the control system, and the deep knowledge your people already have regarding the reality of how work gets done. This means that the structure of controls created to manage the risks identified during the identification stage must be tightly bound to the ways in which your employees actually work. It is also a reminder to ensure collaboration is designed into the system.

Designing collaboration into your compliance system is indispensable. Rules, although necessary and important to define, can also in some cases have the opposite of the desired effect, by inhibiting independent thought and discussion, which can lead many organizations to overlook or misread ambiguous threats. In these cases, rather than mitigating risk, organizations actually incubate risk as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.

Creating and nurturing a culture of transparency, questioning, and open communication across all levels of an organization are essential not just for productivity and performance but also for compliance and risk mitigation.

Define and assess controls with supporting processes, procedures, and test activities.



Step 4
Deploy and Test

Once the design of exactly how risk and compliance will be measured has been completed, it is time to automate the actual workings of the system as much as possible. This has obvious benefits, as automation allows you to do more with less.

Being able to respond in a timely way to incidents is imperative to mitigating risks and compliance breaches. Ensuring effective, reactive action and defining responsibilities, thresholds, and deadlines are crucial to resolving risk issues before they blow up and cost far more money (and potentially far more reputational damage) to fix. Potential risk incidents within an organization are often quite similar, or follow a similar structure and response pattern. Defining incident models will ensure a standardized and comprehensive response process. To ensure your framework is fireproof, it is necessary to implement workflow processes to manage risks as well as implementing controls and testing against a variety of scenarios.

To effectively respond to incidents and to ensure that reported breaches are escalated correctly, an incident model that streamlines the process and reduces risk should be defined.

Incident-handling routines and escalation pathways should include defining the sequence of steps, the individuals responsible for their execution, the precautions to be taken prior to resolving the incident, time scales for resolution, review procedures, and evidence preservation.

Completing this work manually is possible but can consume a huge amount of resources and time – and with the constant deluge of new regulations requiring assessment, this can be tricky to provide for. Many organizations are now beginning to use workflow solutions to take the heavy lifting out of risk system deployment and management, leaving those responsible more time to dedicate to higher-value work.

Implement workflow processes to manage risks and controls and test against scenarios.



Step 5
Remediate and Refine

Detecting compliance deviations based on your previously defined and documented framework will allow you to more easily compare “as-required” processes with “as-implemented” processes. At this point, your current state will still require some testing in order for you to recognize gaps and see where certain processes are failing to adequately address and mitigate risks. This is where identifying compliance issues across your implemented compliance framework, processes, and procedures comes in. As with step 4, this can be made much more efficient with technology that allows you to use the data your business systems are already generating, to alert risk managers to breaches and issues before they become huge and expensive problems.

An efficient deviation-handling system should also implement a mechanism to categorize incidents of compliance deviation based on their relevance. Figuring out whether a compliance deviation will result in damage to your company, your product, or your reputation, and whether it will result in financial or legal repercussions, are important parts of the detection process, allowing you to then manage and correctly escalate incidents and to ultimately identify any potential for “process hardening.” In this case, you may want to consider adding extra steps to existing processes. This makes compliance deviation less likely and adds an extra firewall to ensure that end users do not accidentally act in a noncompliant way due to lack of documentation or discrepancies in your compliance framework.

Identify compliance issues across the implemented compliance framework, processes, and procedures.



Step 6
Monitor and Mitigate

Once you have set the wheels in motion and your framework is in place, it is of equal strategic importance that you continue to monitor and report on compliance-related behavior, while mitigating noncompliance and identified risks. Responding to incidents consistently and in a timely fashion should go hand-in-hand with the continuous reassessment of risks.

The benefit in having your compliance framework mapped out and documented in workflows and processes is that you can collect data over time to ensure that nothing goes undocumented, and ensure evidence related to any incident is kept on record. Not only is this often a legal requirement when it comes to auditing and external checks, it is also useful to ensure that your compliance and risk-related processes are operating at an optimum level and that, ultimately, you stay well ahead of the competition.

Monitor and report continual compliance, while mitigating noncompliance and identified risks.



Step 7
Manage and Improve

Within a holistic and ongoing risk and compliance management system is a consistent focus on seeking out and acting upon ideas to improve. Monitoring and reporting on continual compliance allow you to have an overview of where your organization currently stands in terms of desirable behavior and what the current state of compliance is – meaning you can start working on closing the gap between your current and future state. You can also reward and promote compliant behavior and improvements.

Mitigating noncompliance and identified risks is also a continual task, as the regulatory landscape is constantly in flux.

As part of this holistic approach, it’s crucial to ensure that HR policies encourage mutual accountability and promote open communication, appropriate escalation, and whistleblowing. Personal accountability, as well as the involvement of suppliers, investors, clients, and regulators in creating and developing action plans, will aid in the promotion of a transparent compliance culture.

Continuously monitor and measure performance; identify and act on areas for improvement.



Conclusion

These steps are not the definitive or final word on how to undertake an organizational transformation towards better risk and compliance management. They are, however, based on expert knowledge and lessons learned over the course of decades of compliance system design. They are intended to provide you with the mindset and insights to steer your organization through the complex, often messy, but ultimately rewarding process of transformation. We encourage you to adapt and augment the steps to match your organizational context, while taking note of the underlying themes of communication, inclusion, collaboration, and smart monitoring.

Effectively translating strategy into action is the cornerstone of transformation. We hope this guide will support you in creating positive behaviors and mitigating threats you will encounter as your organization embarks on this journey, by providing insights from others who have gone before.

FIND OUT MORE

If you want to learn more about how SAP® Signavio® solutions can enhance your organization’s
activities around risk and compliance, sign up for one of our free Webinars, or come and chat with us
at one of our events in your area.

If you are ready to take the products for a test-drive and really see what they can do, register for a
free personalized demo at: www.signavio.com



Follow us

www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP SE or an SAP affiliate company.

The information contained herein may be changed without prior notice.

Some software products marketed by SAP SE and its distributors contain proprietary software components of other software vendors. National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for informational purposes only, without representation or warranty of any kind, and SAP or its affiliated companies shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP or SAP affiliate company products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

In particular, SAP SE or its affiliated companies have no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation, and SAP SE’s or its affiliated companies’ strategy and possible future developments, products, and/or platforms, directions, and functionality are all subject to change and may be changed by SAP SE or its affiliated companies at any time for any reason without notice. The information in this document is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.

See www.sap.com/trademark for additional trademark information and notices.
