Drill, Baby, Drill

September 18, 2008

by Eric Krell

Governance, risk management, and compliance (GRC) case studies in business magazines rarely probe deeply enough. Most of these articles recount how a company introduced a new process, tweaked the organizational structure, or slapped in a new piece of automation. End of story.

But the truth — the insights and information that might help readers improve their own GRC capabilities — lies below the surface. Fortunately, depth is a central component of Aera Energy's GRC success. In this case, Aera Energy — a stand-alone company jointly owned by Shell and ExxonMobil and one of California's largest oil and gas producers — and its highly collaborative team of finance, information technology (IT), and business process experts shed light on elements of GRC strategy that too rarely get the attention they deserve.

On the surface, the oil and gas producer's story is about technology: The company's use of SAP GRC Access Control, and in particular its Risk Analysis and Remediation and SuperUser Privilege Management functionality, helps it manage risks related to segregation of duties (SoD) conflicts and system access. The tools also support the company's unique Sarbanes-Oxley compliance needs and its overall risk-management processes while making GRC processes more effective and more efficient.

However, when Aera Energy Process and Controls Manager Cindy Hooper and Information Supervisor, Business, Randy Reagan discuss their use of automation (and frequently finish each other's sentences while doing so), it is clear that the software is only the end result of an increasingly refined collection of processes and capabilities. This ongoing GRC monitoring capability would not be possible without a number of other conditions, including:

  • Continuous collaboration among finance, IT and business process managers;
  • An overall organizational structure designed to standardize business processes and share best practices; and
  • Executive leadership's commitment to GRC principles.

The tone at the top serves as the underlying foundation of the company's GRC strategy, which clearly states that GRC activities are to be aligned with, and integrated into, the company's strategic objective of pulling oil from the ground (see Five Steps to Fortifying a GRC Foundation).

"This organization as a whole is very process-driven," adds Reagan. "Having everyone work that way makes it much easier to do this work and to adapt the tools we use to support our work."

A Process Organization

Although Aera Energy does not need to submit SEC filings directly, its publicly listed parent companies' GRC demands "trickle down," Reagan and Hooper note.

Addressing those demands is no small task, particularly in a highly regulated industry (not to mention one with uniquely complex accounting requirements) and at a company heavy on assets and lean on people. The company, which has roughly 1,100 employees, posts annual revenue north of $2 billion, according to Hoover's. A manufacturing company with similar revenues would likely have 5 to 10 times as many employees.

"If you report up through a public company you are expected to be (SOX) compliant," says Hooper, who reports to Aera Energy's CFO and is responsible for internal controls and risk management across the company. The expectation is communicated in no uncertain terms: A joint internal auditing group from the two parent companies conducts regular audits, and the company also hires external auditors to scrutinize a variety of finance and IT processes. "We get audited on a very regular basis, which pushes us to invest in tools to make sure the audits are efficient," Reagan says.

In 2000, the company created a formal process organization to make good on "an overall desire to standardize business processes across our assets, which is what we call our operational units," Hooper explains. The move also helped to address several priorities within the two parent companies, including what now seems like a very prescient focus on addressing segregation of duties issues.

As part of the new structure and approach, process owners and their lieutenants, called process analysts, work closely with their IT counterparts to ensure that business automation supports business needs. The company's IT function, says Reagan, gets its strategic direction and sets its investment priorities based on input from the process owners and analysts.

As with all process-standardization and improvement efforts, the objectives of the operations groups and process groups occasionally compete. To address the potential for conflicting objectives, the process groups continually prioritize their efforts so that they align with and support the company's overarching strategic objective of producing oil and gas. "We're constantly analyzing where we can put our resources to get the biggest bang for our buck," says Hooper.

A Deep Supply of Collaboration

The prioritization Hooper mentions plays out on all levels. For example, Reagan's relatively lean IT group may field a request from operations to address a specific problem, such as making a change in the ERP system. Yet, from a process-standardization perspective, it is not efficient to respond to one-off requests like that. It also creates risk-management and compliance exposure, because answering such requests ad hoc means a group of IT professionals must hold standing authority to make a wide range of changes to the ERP system.

"There was some pushback because operations wanted immediate service from our organization," Reagan says, "and we wanted better internal controls and more standardization." To address this challenge, Reagan's team worked with process owners to develop a standard approach to granting and monitoring access to the financial system (see Check It Out: Keeping System Access in Balance). The solution is ultimately enabled by software — specifically, the SuperUser Privilege Management capability within SAP GRC Access Control. Yet, the solution would not have been possible without productive collaboration among IT, finance, and operations (which, in turn, is facilitated by the company's process-focused organizational structure).

IT application analysts, who are financial systems experts, work closely with the business process analysts. Reagan points out that about one-third of an application analyst's knowledge needs to be business process, with the remaining two-thirds focused on IT system processes. The process analysts, Hooper agrees, have the mirror-image mix: one-third system processes and two-thirds business process expertise. The process analysts are "the bridge, if you will, between what the business wants and making that happen from an IT solutions perspective," Hooper explains.

They gain knowledge of one another's areas by working closely together; in fact, they often sit together in the same office location. "They end up working closely together all of the time," Reagan says. The objective, again, is to ensure that financial system processes and functionality support business processes, which in turn support getting oil from the ground.

Hooper emphasizes that the organizational structure, beyond the process organization, helps to cultivate collaboration and IT system-business alignment. "We're almost organized by SAP module," she explains. "We have process owners who have oversight over the modules and the solutions that serve their particular area. And then we have process analysts who work directly with the applications analysts. In an ideal world, those three people work very, very closely together to make sure that we're working on problems together. In some cases, we co-locate and they sit together and solve problems. The beauty of being a smaller company [based on headcount] is that we can do that."

For example, when Aera Energy put in the new SAP GRC tools, it selected one process group — procurement and payment — to pilot the tool. The procurement and payment process analyst worked closely with the application analyst who had learned the new tools cold. The team, which received regular guidance from the procurement and payment process owner, huddled in numerous three-hour workshops for one month as they hashed over the best ways to use the tool to address segregation of duties issues that were popping up in the procurement and payment process. They tried changing specific roles, adding new roles, and deleting roles — and then gauged how those decisions would affect the business process.

"Pairing together someone who technically knows the tool with someone who has responsibility for the process in a pilot environment made the ultimate introduction of the tool much more effective and efficient for everyone else," says Reagan.

New Finance Roles

The collaboration also makes GRC capabilities — in this case, the process of reducing SoD issues and addressing system access — more effective and efficient.

During the past nine months, the company has revamped its system access and also claims to have eliminated all of the SoD issues that the SAP tool, Risk Analysis and Remediation, identified. The SoD work consisted of examining roles (the collection of transactions that an end user may perform in the system) and determining how to adjust them to eliminate each conflict. In some cases, the team of process, finance, and IT experts elected not to change a specific role but to accept the risk and put a mitigating control in place.
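To make the mechanics of that analysis concrete, here is an added worked example written for this article; it is not Aera Energy's rule set and not SAP GRC's implementation. It models the three things the paragraph describes: roles as sets of transactions, users holding roles, and an SoD "risk" as a pair of business functions one person must not be able to perform alone. It then separates conflicts that live inside a single role (the role itself must be redesigned) from conflicts that arise only because a user holds two roles (fix the assignment), and treats an accepted risk with a documented mitigating control as closed rather than open. The transaction codes are common SAP procure-to-pay codes; the function groupings, roles, users, risk IDs and control IDs are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) risk analysis over role-based access.

Illustrative example, not Aera Energy's configuration or SAP GRC's logic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- Constructed sample data (assumption: illustration only) --------------
# Business functions as sets of transaction codes that perform them.
# The codes are common SAP procure-to-pay transactions; the grouping is ours.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MAINT":  {"XK01", "XK02", "FK01", "FK02"},  # create/change vendor master
    "PO_CREATE":     {"ME21N", "ME22N"},                # create/change purchase order
    "GOODS_RECEIPT": {"MIGO"},                          # post goods receipt
    "INVOICE_ENTRY": {"MIRO"},                          # enter vendor invoice
    "PAYMENT_RUN":   {"F110"},                          # execute payment run
}

# SoD risks: pairs of functions that must not be held by the same person.
RISKS: Dict[str, tuple] = {
    "P001": ("VENDOR_MAINT", "PAYMENT_RUN"),
    "P002": ("PO_CREATE", "GOODS_RECEIPT"),
    "P003": ("INVOICE_ENTRY", "PAYMENT_RUN"),
}

# Roles (collections of transactions an end user may perform) and users.
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK":    {"MIRO"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BUYER":       {"ME21N", "ME22N"},
    "Z_WAREHOUSE":   {"MIGO"},
    "Z_FIELD_SUPER": {"ME21N", "MIGO"},   # grants both sides of P002 by itself
}
USERS: Dict[str, Set[str]] = {
    "jdoe":   {"Z_AP_CLERK", "Z_AP_PAYMENTS"},  # P003 only via the combination
    "asmith": {"Z_BUYER"},
    "rlee":   {"Z_FIELD_SUPER"},
}

# Risks accepted with a compensating control (control IDs are hypothetical).
MITIGATIONS: Dict[tuple, str] = {
    ("rlee", "P002"): "MC-07 monthly PO-vs-receipt review by supervisor",
}


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    roles: tuple            # roles that together grant the conflicting functions
    intra_role: bool        # True when one role grants both functions on its own
    mitigation: Optional[str] = None  # accepted-risk control, if any


def _functions_of(tcodes: Set[str]) -> Set[str]:
    """Business functions a set of transaction codes can perform."""
    return {f for f, codes in FUNCTIONS.items() if codes & tcodes}


def analyze_user(user: str, users: Dict[str, Set[str]] = USERS) -> List[Violation]:
    """Return every SoD risk the user can exercise, mitigated or not."""
    held = {r: _functions_of(ROLES[r]) for r in users[user]}
    found = []
    for risk_id, (fa, fb) in RISKS.items():
        roles_a = {r for r, fs in held.items() if fa in fs}
        roles_b = {r for r, fs in held.items() if fb in fs}
        if roles_a and roles_b:
            found.append(Violation(
                user=user,
                risk_id=risk_id,
                roles=tuple(sorted(roles_a | roles_b)),
                intra_role=bool(roles_a & roles_b),
                mitigation=MITIGATIONS.get((user, risk_id)),
            ))
    return found


def open_violations() -> List[Violation]:
    """Violations that are neither remediated nor covered by an accepted control."""
    return [v for u in sorted(USERS) for v in analyze_user(u) if v.mitigation is None]


def role_conflicts() -> Dict[str, List[str]]:
    """Roles that are unsafe to assign to anyone: both halves of a risk in one role."""
    out = {}
    for role, tcodes in ROLES.items():
        fs = _functions_of(tcodes)
        hits = [rid for rid, (fa, fb) in RISKS.items() if fa in fs and fb in fs]
        if hits:
            out[role] = hits
    return out


def simulate_removal(user: str, drop_role: str) -> List[Violation]:
    """What-if check: the user's violations after removing one role (no mutation)."""
    trial = {u: set(rs) for u, rs in USERS.items()}
    trial[user].discard(drop_role)
    return analyze_user(user, trial)


if __name__ == "__main__":
    for role, risks in role_conflicts().items():
        print(f"redesign role {role}: grants both sides of {risks}")
    for v in open_violations():
        print(f"open: {v.user} {v.risk_id} via {v.roles} (intra-role={v.intra_role})")
    print("jdoe after dropping Z_AP_PAYMENTS:", simulate_removal("jdoe", "Z_AP_PAYMENTS"))
```

The what-if function is the piece that mirrors the pilot workshops described earlier: changing, adding or removing a role and then checking what the change does to a user's conflict list before anything is pushed to the production system. In a real deployment the rule set would be far larger and the mitigation list would carry an owner and a review date, but the shape of the analysis is the same.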

The SoD process and tool "allow us to see at a much lower level of detail where potential conflicts can occur," says Hooper. "And it has really encouraged us to scrutinize how we've segregated our positions in finance and the specific activities each of our employees is performing."

"We want to make sure that we don't even create the appearance of a problem," Hooper asserts. "Resolving most of these issues was a matter of managing with the SuperUser Privilege Management tool or tweaking specific roles and transactions."

The tools, Hooper summarizes, "give us much better reporting and information, which allow us to better understand where we can make improvements." Aera Energy's implementation and use of the tools would not be possible without other crucial foundational elements of successful GRC.
