Improve Internal Controls with Governance, Risk, and Compliance Solutions
Jay Castleberry
Director, Technology Delivery & Maintenance
Southern California Edison
Southern California Edison
WWW.SCE.COM
Southern California Edison (SCE)
Company Overview
One of the largest electric utilities in North America
More than 14 million customers
More than 17,000 employees
Major organizational units:
– Transmission & Distribution,
– Nuclear Generation,
– Supply Chain Operations,
– Customer Service,
– Information Technology
SAP landscape – HCM, FICO, OS, EAM, SRM, CRM, SUS, BW, GRC, etc.
Governance, Risk, and Compliance (GRC*) Drivers
Overarching standards, processes, and priorities
Opportunities
Business Drivers
Provide reasonable assurance
Integrate Compliance
Realize operational efficiencies
Promote compliance excellence and personal responsibility
Enhance executive visibility
Ensure clear line of sight
Leverage best practices across the company
* In this context, 'GRC' does not refer to 'General Rate Case'
Leveraging Existing SAP GRC Investment
Strategic, long-term investment in SAP’s GRC technology
Baseline: Install SAP Access Control 5.2 and SAP Process Control 2.5
Build: Enhance and Build onto Existing Baseline Functionality
Upgrade: Migrate Existing Functionality to version 10.0 & Leverage Inherent Enhancements
Expand: Implement SAP Risk Management 10.0 and Enable Integrated Capabilities
GRC Maturity at SCE
Stakeholder Value: Past, Current, and Desired Future State
Stages of GRC Capability Maturity at SCE
2009: SOX Compliance
2010: IT Compliance
2011: NERC CIP
2012: GRC 10.0 Upgrade, ERM and ECMS
2013+: Access, EH&S, HR, etc.
GRC Maturity at SCE – SOX Compliance
SOX Compliance 2009
Benefits
Automated segregation of duties (SoD)
Continuous controls monitoring
Workflow automation
Single system of record
GRC Maturity at SCE – IT Compliance
IT Compliance and NERC CIP 2010-2011
Benefits
Enabled monitoring
Enabled automation
Leveraged workflow
Qualifications
Revocations
Access List
GRC Maturity at SCE – Enterprise Compliance
GRC 10.0 Upgrade and ECMS 2012
Benefits
• Catalog
• Workflow / Controls automation
• Policy management
• Increased performance and robustness
• Ease of use
• Business role management
GRC Maturity at SCE – Risk Management
Addition of SAP Risk Management 2012
Benefits
Ability to quickly survey
Focus on most relevant key risks
Automation of workflow and data approval
Systematic sign-off of enterprise risk data
Version control
Customizable reporting
GRC Maturity at SCE
Stakeholder Value: Past, Current, and Desired Future State
2009: SOX Compliance
2010: IT Compliance
2011: NERC CIP
2012: GRC 10.0 Upgrade, ERM and ECMS
2013+: Access, EH&S, HR, etc.
• Continue to broaden use of v10.0 to other areas of compliance and enable linkage of data elements
• Enterprise Wide Identity Access Management
SCE’s Vision for 2013 and Beyond
Moving to the Risk-Intelligent Maturity State
Expand continuous control monitoring
Increase visibility to further compliance areas
Enable linkage between data elements
Replace additional legacy compliance systems
Expand and integrate enterprise wide identity access management capabilities with GRC
Lessons Learned
Ensure adequate level of executive sponsorship
Look for value beyond compliance
Define a roadmap for execution
Start communication early
Involve subject matter experts (SMEs)
Leverage existing assets and investments
Use a common methodology to continuously assess risk
Develop a platform for current and future requirements
Thank You for Attending
Jay Castleberry
[email protected]
www.SCE.com