Managing Risk in a Microsoft Dynamics GP Environment

Written By: Andy Snook - FastPath

July 8, 2014

Imagine this scenario: Hackers break into a retailer’s payment system and troll through customer credit card data for nearly eight months. Because they’re using sophisticated hacking software that deletes itself every day, the company’s security system never catches onto the breach. Before it’s over, the hackers have obtained more than 300,000 credit card numbers.

Think this sounds like something that could never happen? It already has – at Neiman Marcus over an eight-month span in 2013. Of the card numbers that were stolen, more than 9,000 have been used to make fraudulent purchases.

Neiman Marcus isn’t alone. Target’s CEO recently stepped down after hackers broke into the retailer’s system and stole nearly 40 million credit card numbers. The hackers also obtained email addresses and phone numbers for an additional 70 million customers.

Enterprise risk management is the process of analyzing and managing business risks. It involves identifying all possible risks, data and otherwise. Companies then determine the probabilities of the risks occurring and the potential damage that the risk could inflict. The final step is to design and implement a plan for managing the risks and mitigating any damages should they occur.

This formal approach to risk management helps companies react faster and make more informed decisions. With a comprehensive approach, companies can quickly determine which risks are priorities and what steps should be taken. Is the cloud safe? What safeguards should we put in place? Does this expansion threaten our financial viability? These are all difficult questions that require a formal system. Microsoft Dynamics GP is often the most effective system for the enterprise risk management process.

Your company may not talk explicitly about risk management, but risk plays a part in every decision that is made. If you have ever built a list of pros and cons, you are engaging in risk management. When companies take a more formal approach to risk, they can react faster and make more informed decisions. Do we have enough money to acquire that company? Can we hire additional staff? Should we move our Microsoft Dynamics implementation to the cloud?

Beyond better strategic decisions, there are many other reasons why risk management is important to a company using Microsoft Dynamics GP. Some companies fall under regulatory compliance such as Sarbanes-Oxley (SOX), FDA, HIPAA, or DCAA. Each of these regulations mandates that companies have a risk management system in place for protecting things like the accuracy of financial statements, personal data privacy, credit card data security, and the protection of public health. Each of these regulations comes with a periodic, mandatory audit of a company’s risk management for the affected areas. Failure to pass one of these audits can lead to a drop in stock price, negative publicity, loss of ability to process transactions, fines, and even jail time. Essentially, the government is requiring companies to have and demonstrate a risk management strategy.

Many companies think they are too small for risk management or think that they escaped it because they do not fall under the aforementioned regulations. But even small companies and nonprofits benefit greatly from formalized risk management. Consider a few common but unexpected benefits:

  • Banks are more willing to offer loans to small companies who have audited financials, and larger companies are more willing to acquire companies that demonstrate an understanding of risk.
  • A $150,000 embezzlement is a rounding error for a Fortune 500 company. An event of that size may put a small company or nonprofit out of business.
  • Nonprofits can protect their nonprofit status as well as donor confidence in the organization by mitigating risks. Fraud will quickly put an end to even the best of causes.

Building a Risk Framework for Your Microsoft Dynamics Environment

Taking a risk-based approach to auditing Microsoft Dynamics GP is not only a best practice, but it also will save you a tremendous amount of time and money during internal and external audits.

The first step in building a successful risk management environment is building a risk framework.

A common challenge we see in many Microsoft Dynamics GP environments is difficulty identifying which risks are relevant to the company. These companies end up implementing excessive controls or auditing excessive amounts of data because they do not understand where their risks truly exist. This has a major impact on productivity and costs. To avoid these misdirected activities, companies need to implement effective risk management, which begins with knowing thy corporate self.

Every company faces a unique set of risks based on industry, size, location, etc., and every company should conduct risk assessment workshops to identify the specific risks that they face. To ensure a comprehensive evaluation of risk, the workshops should include key stakeholders and business process owners who have an in-depth understanding of each area of the business. Separate workshops may be conducted for each business process, but it is advisable to include business process owners from related areas like finance and IT in each session. The output of these workshops will be a prioritized list of risks and the necessary mitigation strategies to minimize risk where it cannot be eliminated.

The first step in the workshop is brainstorming all of the risks that each area of the business may face. No risk should be discounted at this point because risks that are seemingly insignificant can be found to have far-reaching consequences across business processes. Once the risks have been identified, they need to be scored based on probability and impact. Probability is the likelihood that a situation will occur. For a company based in Fargo, North Dakota, there is a very low probability of a hurricane but a very high probability of a blizzard. The exact opposite would be true for a company based in Miami, Florida. For impact, a company needs to consider the consequences of the event. Does a blizzard knock your Fargo data center offline for 10 minutes, or does it destroy your Florida orange crop, putting you out of business permanently?

Once the risks have been identified and scored, a risk appetite or tolerance may be defined. Something that has a high probability and high impact should be avoided/eliminated or minimized as much as possible with the appropriate mitigation. Conversely, an event that scores low on both scales may be small enough that it is acceptable to the business and would only require periodic evaluation for change in threat level but no ongoing action.

Now that the risks have been identified and prioritized according to the risk appetite, each risk is assigned to a business process owner. This individual is now responsible for developing a mitigation strategy for the risk. The mitigation should be a component of the business process so that it has a minimal impact on productivity while minimizing both the probability that the risk would occur and its impact if it did. The best way to build this type of mitigation is to map it to the business process.

Visualizing Risk in Microsoft Dynamics Using Business Process Mapping

If implementing Microsoft Dynamics is like building a house, then business process maps are the blueprints. You shouldn’t start hammering without blueprints, and you shouldn’t start implementing without process maps. They provide a clear overview into how the business operates, the individuals responsible for each step in the process, and the systems required to complete the activities. A well-developed process map is the baseline for system configuration, end user security and training, product documentation, and system customization.

Evidence for the importance of process maps in implementation success can be found in the investment Microsoft has made in the Microsoft Dynamics Lifecycle Services Business Process Modeler. This is a free tool for Microsoft Dynamics GP customers and partners that provides template maps linked to end user training and security.

Another benefit of business process maps is that they clarify how risks manifest themselves in key business processes and systems, including Microsoft Dynamics. One of the main challenges in auditing Microsoft Dynamics is that it sits between two key teams: finance and IT. Is payables risk management finance’s responsibility because it is an AP process, or is it IT’s because it involves Microsoft Dynamics GP and SQL Server? A business process mapping session helps individuals visualize that the risk belongs to both teams and helps them agree that their responsibilities are inextricably linked.

Using the risk framework we discussed as a guide, pick the highest risk processes to map first. In many organizations, this will involve the procure-to-pay or order-to-cash business cycles.

The key players in a business process mapping session are the business process owner, the team members who execute the process, IT team members who understand the related systems, a facilitator who understands the business at a high level, and a scribe. The key tools in the session are a roll of butcher paper, a stack of Post-it notes, and a set of markers. Here are the key steps in running a session:

  • First, tape a long piece of butcher paper to the wall and begin to describe the roles involved in the process.
  • For each role mentioned, write it on a sticky note and create a column on the far left of the paper. Remember that there are roles internal to your company (AR clerk) and external (customer).
  • Do the same for each system, such as Microsoft Dynamics GP and Microsoft Dynamics CRM, that is included in the process, and add it under the roles.
  • Now proceed to describing each step and decision in the process. For a step such as “order created”, add a box and stick it in the row of the role that performs the step. For a decision such as “was the order cancelled”, use a diamond. Using the sticky notes is key because they are easy to move around as the process evolves during the discussion.
  • Once the team is confident in the process map, tape each sticky note to the butcher paper so that they do not fall off prior to transcription.
  • Now transfer your map into Microsoft Visio.

Now that the processes and systems are finalized, take your risk framework and apply it to the maps. If management of vendor data is a high priority risk, identify any step on the process map that includes maintaining vendor data. This could be during vendor setup or it could be updating vendor information during purchase order entry. In adding the risk to the process, it may be obvious that a control or mitigation is already in place. In this case, the vendor setup/change process may include a workflow for approval. Take this mitigation and add it to your risk framework for the vendor data risk to complete the documentation. However, it may become obvious that there is no mitigation or control for the risk and one needs to be added.

When discussing mitigations, it is important to consider the impact they will have on a process. Will a workflow approval adversely affect the timing of a process? Can we afford to wait for manager approval? Conversely, can we afford to let a mistake out the door? Is it something that must be incorporated into the process, like a workflow, or would a periodic review suffice? Examples of periodic reviews would be reviewing access to vendors and changes to vendor data on a monthly basis.

The business process map will help drive the mitigation discussion and decision. When a mitigation is finalized, add it to the risk framework. If you decide to use a periodic review, define who is responsible for the review, the frequency of the review, and be prepared to show evidence that the review has been completed.

The better you understand your business and risks, the easier it will be to configure, implement, and document the control features and the security in Microsoft Dynamics GP. If you want to learn more, be sure to attend Dynamics GRC Day in Atlanta on March 16. Visit www.dynamicsgrc.com for more information.