GRC Tuesdays: Governance, Risk and Compliance securing the Design-to-Operate process

I had just released a blog on Governance, Risk, and Compliance (GRC) securing the Source-to-Pay process when my colleague Neil Patrick, also from GRC Solution Management, raised a very valid point: Source-to-Pay is only 1 of the 4 end-to-end processes in the Intelligent Enterprise, and GRC plays a role in all 4.

As a result, Neil suggested that he and I work on a 4-part series to explain how GRC, and GRC solutions, can support all 4 processes. Challenge accepted!

Even though this is already the 3rd blog of this 4-part series, I just realized that neither Neil nor I ever explained what the Intelligent Enterprise is. So, before jumping into the details of Design-to-Operate, please allow me to take a step back and start with the framework that brings everything together.

What is the Intelligent (Integrated) Enterprise?

Intelligent Enterprises are organizations “that apply advanced technologies and best practices within agile, integrated business processes to run at their best” (link). They achieve this by integrating data and processes, building flexible value chains, innovating with industry best practices, understanding and acting on customer, partner, and employee sentiment and managing environmental impact with an intent to grow more resilient, more profitable, and more sustainable.

At SAP, we have focused on 4 end-to-end processes to enable transformation to the Intelligent Enterprise:

* Lead-to-Cash which covers the entire business process from initial contact with a prospective customer, to order fulfilment and service delivery

* Recruit-to-Retire where the intent is to help organizations understand, manage, and optimize all aspects of their workforce (internal employees but also external workers) in line with business objectives

* Design-to-Operate which encompasses the entire lifecycle ranging from design to planning, manufacturing, delivery, and operations – and the focus of this blog

* Source-to-Pay which concentrates on optimizing, simplifying, and effectively managing all spend processes and spend categories.

Focusing on Design-to-Operate (D2O)

Design-to-Operate (D2O) covers the entire lifecycle of products in an end-to-end, connected, and interoperable supply chain process from how a product is designed, planned, manufactured, delivered, to how it operates and is maintained within the customer landscape and infrastructure.

As a result, this process is an integral part of the Fourth Industrial Revolution, or Industry 4.0, in which businesses digitize their supply chain and bring in advanced technologies such as robotics, artificial intelligence, or the Internet of Things to make it smarter and more efficient.

Since a picture, or in this case a video, is worth a thousand words, I have shared below a link to a video providing a high-level overview:

Design-to-Operate spans several subprocesses such as Idea to Market, Plan to Fulfill, and Acquire to Decommission:


Illustration of the steps of the Design-to-Operate process

Supply chain and logistics issues can affect every phase of the business and increase operational and strategic risks, resulting in costs and potential deficiencies that companies of course strive to avoid. And here is where I believe SAP solutions for Governance, Risk, and Compliance can play a role: mitigating some of these risks.

As for the other blogs in the series, the intent is not to be exhaustive and provide a long list of potential risks, but rather to select some examples that are hopefully relevant and then share some thoughts on how to mitigate them, sub-process by sub-process.

Idea to market

In this part of the process, the Research and Development team, for instance, would draft the initial idea. Product Management would then work with Engineering on product design, specifications and associated requirements, and even collaborate with experts on identifying cost drivers and profit margin objectives.

This new idea could come from customer feedback, white space analysis, etc. Regardless, one of the risks here, especially in sensitive industries, is that unauthorized users get access to the development plans and leak them to competitors or to the market. The company would then lose its R&D advantage, and its reputation could also be negatively impacted.

Plan to Fulfill

This is where the supply and demand planning phase takes place: experts assess the market (size, demand drivers, etc.) and work with Planners to assess the company's current ability to manufacture and deliver. This phase also includes the procurement aspects, including the involvement of 3rd parties when needed.

There are numerous risks in this sub-process, including those relating to delayed production and even downtime, delivery issues, etc., but I have decided to focus on two risks and one opportunity.

In this step, where companies connect closely with suppliers, working with a sanctioned party is not impossible, especially when sanction lists change regularly. This would lead to investigations, potential fines and a possible shutdown of operations, which would be significantly detrimental to the business.

Another risk relates to issues arising from political, economic and societal uncertainty. Better known as “country risk”, this is a multiform threat with many possible causes and impacts: civil unrest could lead to a closing of borders whilst a product is in transit, thereby blocking its delivery; political changes could lead to nationalizations that include some of the company's own infrastructure, or even to radical changes in labour laws directly impacting profitability; etc.

Nevertheless, this phase also offers significant opportunities, one of which is the optimization of supply chain costs, resulting in an increase in profit margins. As companies increase their participation in global trade, they face an ever-evolving labyrinth of regulatory requirements, as well as changes to tariffs and free trade agreements. If leveraged optimally, special customs procedures can provide substantial savings on duties, taxes, and customs fees. Leveraging foreign trade zones, for example, can not only reduce costs but also provide a buffer against periods of duty and tariff variability.

Acquire to Decommission

This step focuses on the lifetime of the asset, from when it is received onsite by the end customer to when it is onboarded into its infrastructure. It also covers the maintenance aspects.

To be effective and move from reactive to proactive maintenance, which is less costly and increases customer satisfaction, intelligent enterprises continuously monitor plants, components, and processes and use predictive indicators as early warnings so that action can be taken before damage is detected on the asset.

Industry 4.0 relies on interconnected systems, and this continuous monitoring is performed with support from connected devices via the Internet of Things (IoT). Security risks and data breaches are therefore a major potential threat. Incidents can result in data leakage, but also in operational impairments in the case of a targeted cyber-attack on the monitoring systems. For instance, by altering the readings and feeding false information back, an attack could paralyse the entire chain.
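The defensive counterpart to the falsified-readings scenario above is to make every reading verifiable before it feeds a maintenance decision. The following is an added example, not code from this blog or from any SAP product; it assumes a hypothetical per-device shared key (constructed here, in practice provisioned by the platform's key management) and a constructed bearing-temperature stream. Each reading carries a per-device HMAC and a sequence number, so an edited value fails the tag check, a resent message is caught as a replay, and a correctly signed value that is physically impossible (a compromised device, or a sensor fault) is flagged by a plausibility check rather than silently accepted.

```python
import hashlib
import hmac
import json

# Constructed per-device keys (hypothetical values for the example only;
# a real deployment provisions these through key management, never in source).
DEVICE_KEYS = {"pump-07": b"constructed-demo-key-for-pump-07"}

# Physical envelope of the monitored quantity (bearing temperature, deg C) and the
# largest credible change between two consecutive readings. Constructed limits.
TEMP_RANGE = (-20.0, 150.0)
MAX_STEP = 15.0


def canonical(device_id, seq, reading):
    """Deterministic byte string covering everything the device asserts."""
    body = json.dumps(reading, sort_keys=True, separators=(",", ":"))
    return f"{device_id}|{seq}|{body}".encode()


def sign_reading(device_id, seq, reading):
    """What the device computes before sending (uses its own key)."""
    key = DEVICE_KEYS[device_id]
    return hmac.new(key, canonical(device_id, seq, reading), hashlib.sha256).hexdigest()


def verify_tag(device_id, seq, reading, tag):
    """Constant-time check on the receiving side; unknown devices never verify."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    expected = hmac.new(key, canonical(device_id, seq, reading), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def plausible(previous_temp, temp):
    """Reject values outside the physical envelope or jumping too fast."""
    lo, hi = TEMP_RANGE
    if not lo <= temp <= hi:
        return False
    if previous_temp is not None and abs(temp - previous_temp) > MAX_STEP:
        return False
    return True


def check_stream(messages):
    """Return one verdict per message: 'ok', 'bad_tag', 'replay' or 'implausible'."""
    verdicts = []
    last_seq = {}   # highest accepted sequence number per device
    last_temp = {}  # last accepted temperature per device
    for msg in messages:
        dev, seq, reading, tag = msg["device"], msg["seq"], msg["reading"], msg["tag"]
        if not verify_tag(dev, seq, reading, tag):
            verdicts.append("bad_tag")          # edited in transit or forged
            continue
        if seq <= last_seq.get(dev, -1):
            verdicts.append("replay")           # old, genuine message resent
            continue
        last_seq[dev] = seq
        temp = reading["temp_c"]
        if not plausible(last_temp.get(dev), temp):
            verdicts.append("implausible")      # signed, but physically impossible
            continue
        last_temp[dev] = temp
        verdicts.append("ok")
    return verdicts


def make_message(device_id, seq, temp_c):
    reading = {"temp_c": temp_c}
    return {"device": device_id, "seq": seq, "reading": reading,
            "tag": sign_reading(device_id, seq, reading)}


def demo_stream():
    """Constructed sample traffic: two good readings, a tampered copy, a replay,
    and a correctly signed but physically impossible jump."""
    good1 = make_message("pump-07", 1, 61.0)
    good2 = make_message("pump-07", 2, 62.5)
    tampered = dict(good2, reading={"temp_c": 20.0})  # value edited, tag untouched
    replay = dict(good1)                              # earlier message resent
    jump = make_message("pump-07", 3, 140.0)          # valid tag, +77.5 deg in one step
    return [good1, good2, tampered, replay, jump]


if __name__ == "__main__":
    for msg, verdict in zip(demo_stream(), check_stream(demo_stream())):
        print(msg["seq"], msg["reading"], "->", verdict)
```

The two checks are deliberately independent: the HMAC establishes that the reading came from the device holding the key, while the plausibility rule catches the case the tag cannot, a device that is itself compromised or faulty. A verdict other than "ok" is what should be routed to the monitoring team rather than into the maintenance model.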

How solutions for Governance, Risk, and Compliance & Security can help

GRC solutions are of course not at the core and heart of Industry 4.0; that would be the solutions from SAP's Supply Chain Management portfolio. Nevertheless, SAP solutions for Governance, Risk, and Compliance & Security can help secure the Design-to-Operate process and mitigate the risks identified earlier in this blog.


Summary of selected risks from the Design-to-Operate process

For the Idea to Market subprocess, SAP Data Custodian gives organizations control of their data by enforcing data protection policies. Access control and data masking, for instance, enable the creation of contextual access control policies that block access to specific applications and mask sensitive data under given conditions. To provide an additional layer of data protection, including preventing unauthorized access by cloud providers, organizations can also leverage the Key Management Service to control their own encryption keys.
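To make "contextual access control policies" concrete, here is an added example of the pattern, written for this page and not taken from SAP Data Custodian or any SAP product: each field of a constructed product-design record carries a classification, and a small first-match policy decides per request context (role, network, declared purpose, all hypothetical attribute names) whether a field is returned, masked, or withheld. The record, roles and rules are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Who is asking, from where, and why. Constructed attribute set."""
    role: str        # e.g. "engineering", "product_mgmt", "support"
    network: str     # "corp" for the corporate network, "external" otherwise
    purpose: str     # declared purpose of access, e.g. "design_review"


# Classification of each field of a constructed product-design record.
CLASSIFICATION = {
    "product_id": "public",
    "target_margin_pct": "confidential",
    "bom_cost": "confidential",
    "design_notes": "restricted",
}

# Constructed policy: rules are evaluated top-down and the first match wins.
# A rule may constrain role (string or tuple of strings), network and purpose;
# an absent attribute means "any".
POLICY = [
    {"classification": "restricted", "role": "engineering", "network": "corp",
     "purpose": "design_review", "effect": "allow"},
    {"classification": "restricted", "effect": "deny"},
    {"classification": "confidential", "role": ("engineering", "product_mgmt"),
     "network": "corp", "effect": "allow"},
    {"classification": "confidential", "effect": "mask"},
    {"classification": "public", "effect": "allow"},
]

# Constructed sample record (values are invented).
RECORD = {
    "product_id": "P-1001",
    "target_margin_pct": 42.5,
    "bom_cost": 1850,
    "design_notes": "constructed: revised housing geometry, see CAD rev B",
}


def rule_matches(rule, classification, ctx):
    if rule["classification"] != classification:
        return False
    for attr in ("role", "network", "purpose"):
        wanted = rule.get(attr)
        if wanted is None:
            continue                      # attribute not constrained by this rule
        allowed = wanted if isinstance(wanted, tuple) else (wanted,)
        if getattr(ctx, attr) not in allowed:
            return False
    return True


def decide(field, ctx):
    """Effect for one field: 'allow', 'mask' or 'deny'. Default-deny throughout."""
    classification = CLASSIFICATION.get(field, "restricted")  # unknown = most sensitive
    for rule in POLICY:
        if rule_matches(rule, classification, ctx):
            return rule["effect"]
    return "deny"


def decisions(record, ctx):
    """Per-field decision table, useful as the audit trail of a request."""
    return {field: decide(field, ctx) for field in record}


def mask(value):
    return "***"


def view(record, ctx):
    """The record as this context is allowed to see it: masked fields are
    replaced, denied fields are omitted entirely."""
    out = {}
    for field, value in record.items():
        effect = decide(field, ctx)
        if effect == "allow":
            out[field] = value
        elif effect == "mask":
            out[field] = mask(value)
    return out


if __name__ == "__main__":
    for ctx in (Context("engineering", "corp", "design_review"),
                Context("product_mgmt", "external", "design_review"),
                Context("support", "corp", "support")):
        print(ctx, "->", view(RECORD, ctx))
```

Two design choices matter for the leak scenario described under Idea to Market: unknown fields fall into the most sensitive class rather than the least, and the decision table is produced separately from the filtered view so that every access can be logged and reviewed.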

In Plan to Fulfill, SAP Watch List Screening helps companies avoid high-risk businesses, individuals, and entities by screening their business partners against restricted or denied party lists issued by governments and institutions such as the United Nations or the World Bank. This simplifies 3rd-party compliance and reduces the cost and effort of the associated due diligence activities.
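Screening only works if it tolerates the spelling, accent and legal-form variations that separate a partner master record from the listed name. The following is an added example of that matching step, written for this page and not the logic of SAP Watch List Screening or any SAP product; the denied-party list and the partner names are all constructed and invented, and the threshold is an assumption to be tuned against real list data. Names are normalized (accents folded, punctuation dropped, legal suffixes such as Ltd or GmbH removed) before a character-level similarity is computed against every name and alias on the list.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample denied-party list. Every entry is invented for the example;
# a real screening run loads the lists published by the relevant authorities.
WATCH_LIST = [
    {"id": "WL-001", "name": "Northwind Trading Company Ltd.",
     "aliases": ["Northwind Trading Co"]},
    {"id": "WL-002", "name": "Ivan Petrović",
     "aliases": ["Ivan Petrovic", "I. Petrovich"]},
    {"id": "WL-003", "name": "Global Ship Parts GmbH", "aliases": []},
]

# Legal-form tokens that carry no identity and only dilute the comparison.
LEGAL_SUFFIXES = {"ltd", "limited", "llc", "inc", "co", "company",
                  "corp", "corporation", "gmbh", "sa", "plc"}


def normalize(name):
    """Fold accents, case and punctuation, then drop legal-form suffixes."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = re.sub(r"[^a-z0-9 ]+", " ", folded.lower())
    return " ".join(tok for tok in folded.split() if tok not in LEGAL_SUFFIXES)


def similarity(a, b):
    """Character-level similarity in [0, 1] of two normalized names."""
    return SequenceMatcher(None, a, b).ratio()


def screen(partner_name, threshold=0.85):
    """Watch-list entries whose name or alias is close to partner_name, best
    score first. An empty list means no hit at this threshold (assumed value)."""
    candidate = normalize(partner_name)
    hits = []
    for entry in WATCH_LIST:
        best_score, best_name = 0.0, None
        for listed in [entry["name"], *entry["aliases"]]:
            score = similarity(candidate, normalize(listed))
            if score > best_score:
                best_score, best_name = score, listed
        if best_score >= threshold:
            hits.append({"id": entry["id"], "matched_name": best_name,
                         "score": round(best_score, 3)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def screen_partners(partner_names, threshold=0.85):
    """Screen a batch and return only the partners that need manual review."""
    flagged = {}
    for name in partner_names:
        hits = screen(name, threshold)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    # Constructed business-partner master data: one exact hit after
    # normalization, one typo variant, one alias hit and one clean name.
    partners = ["NORTHWIND TRADING CO., LTD", "Northwind Traiding",
                "Ivan Petrovic", "Acme Industrial Supplies"]
    for name, hits in screen_partners(partners).items():
        print(name, "->", hits)
```

Anything returned by `screen_partners` is a candidate for review, not a verdict; the point of the normalization step is that a partner entered as "NORTHWIND TRADING CO., LTD" or with a transposed letter is not missed simply because the master record does not match the list character for character.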

Still in this subprocess, SAP Global Trade Services helps organizations accelerate cross-border supply chains by automating and streamlining trade processes so that they can control costs, reduce the risk of penalties and fines, and clear customs faster. For example, SAP Global Trade Services offers comprehensive functionality for trade preference management, using content-based rules of origin in preferential trade agreements to determine which products are eligible for reduced import duty rates.

Concerning the identification, assessment and response strategies in relation to country risk, SAP Risk Management is designed to integrate and coordinate risk management activities, including by linking risk drivers, key risk indicators, and related impacts, in order to gain a deeper understanding of risk and plan timely, reliable responses.

Finally, concerning Acquire to Decommission, SAP Enterprise Threat Detection can help organizations identify, analyze, and neutralize cyberattacks in their SAP applications as they happen and before serious damage occurs, thereby securing the information flow used for predictive maintenance decisions.

What about you: how does your company ensure that its Industry 4.0 initiative isn't under threat from operational risks and cyber-attacks? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.

PS: you can find the other blogs in this GRC and Intelligent Enterprise processes series listed below: