How SAP Process Control can help you measure process adherence

There is a common perception that the solution serves a unique purpose: manage and monitor the internal control environment.

Well, the good news is that SAP Process Control is not only a compliance-driven solution. It can also be deployed to meet another very important goal: deliver some sort of business value. As its name actually suggests, the solution can allow you to stay in control of your business processes by ensuring operational discipline.

I have been privileged to work on a few projects where SAP Process Control has been deployed to measure the operational effectiveness of a range of business processes supported by SAP transactional systems. This time, however, the initiative was led by business process owners and the main objectives were to increase visibility and ultimately drive operational excellence.

The intention of this post is to provide a high level overview of how the solution can be extended to continuously monitor and measure adherence with established policies and procedures governing your processes.

Define and categorise process adherence metrics

Process adherence metrics are generally implemented to respond to repetitive and well-known process deviations. They should be defined based on your pain points and priorities.

If you are already using the continuous monitoring platform for other purposes, most of the foundational structure should be available to quickly enable the process adherence environment.

In order to keep a clean and well-organised solution, a dedicated framework should be created (e.g. Process Adherence). The "control" master data element should be used to document your metrics and linked them to the dedicated framework.

You can leverage an existing control attribute to help categorise your metrics into 3 classes: quality of data, stability of configuration and effectiveness of activities.

The objective of the first two classes is to verify the accuracy, completeness or integrity of master data and configuration settings, which are the foundation of business processes. Some illustrative examples of these metrics: number of duplicate vendor bank details, number of times GL accounts have been switched from automatic to manual posting, number of customer master data records with blank value in critical fields, number of times invoice tolerance limits have changed, etc.

The objective of the third class is to inspect transactions in order to identify business process deviations. Some illustrative examples of these metrics: number of journal entries that don't adhere to established free text policy, volume of retrospective purchase orders, number of payment proposals using inappropriate payment methods, volume of parked journal items pending approval for a long period, etc.

In terms of operating model, probably the most efficient model will be to have a centralised group (or a few regional ones) residing in offshore locations that will receive and aggregate various reports for all entities. Consolidated results can then be shared with process owners for subsequent decisions and action selections. The definition of the right operating model obviously depends on how operations are managed in each organisation.

Measure process adherence metrics via automated mechanisms

Needless to say that in order to enable continuous and automated measurement routines, the extensive usage of the continuous monitoring platform is a must. Relevant business rules need to be properly designed and subsequently linked to your metrics and organisation units. In general, business rules defined to monitor the integrity of master data and configuration settings leverage the change log check monitoring category. The value check mechanism remains however the best option for performing completeness and accuracy checks. The analysis type “number of changes” can be used to count the number of times a particular master data and/or configuration setting has changed over a given period.

The measurement of the effectiveness of process activities is generally achieved by using value check monitoring mechanisms and defining complex conditions and calculations (through the selection of appropriate BRFplus functions and formulas, such as field aggregation, field concatenation, pattern matching, substring operation, IF statement, etc.).

In any case, one size does not fit all. The selection and definition of business rules category and analysis type should follow a formal decision tree to ensure that the right monitoring mechanism is selected in order to get the best results.

With respect to the definition of filter and deficiency criteria, business rule parameters should be extensively used in conjunction with appropriate measurement thresholds. In general, deficiency criteria are defined in terms of number or amount in order to be able to quantify and compare. Calibration should ensure that analysis results are automatically classified into 3 threshold categories: high (red flag), medium (amber flag) and low (green flag) process deviations. The definition of metrics is probably the most difficult part but it is absolutely essential to get this right.

Report and benchmark process adherence metrics

Once metrics have been analysed and results consolidated (ensuring that residual false positive have been removed), the next step is to generate fact-based insights about the level of process adherence.

You can run the standard report “control monitoring history with ratings” for a specific time frame in order to check the state of effectiveness of your metrics against entities and processes. Results will be displayed following a RAG status reporting mechanism with the ability to drill-down to see detailed results. If some metrics are “green” in most of your markets but are consistently failing in a particular one, you can create ad-hoc issues in order to perform a root cause analysis (via CAPA plan) and define suitable response actions (such as increase training initiatives, adjust local procedures, implement additional control mechanisms, etc.).

Pre-delivered reports are not always the best way to present information so you can obviously enhance reporting capabilities by using specialised visualisation tools on top of SAP Process Control (Lumira, Tableau, Spotfire, QlikView, etc.).

Reporting is important but often isn't enough. The key in this kind of initiative is to establish a consistent benchmarking process. Internal benchmarking is possible because metrics are measured by taking into account the "company code" dimension as a common reference. You can produce, distribute and publish a set of summary reports (on a monthly basis) comparing the overall process adherence results (per process, metric, class, etc.) between different organisational levels (by region, division, market, country, legal entity, etc.).

This will definitely push those in the red zone to instil more local discipline and get back to acceptable process adherence levels (you don't want to be at the bottom of the list !)

Closing note

Just think about SAP Process Control as a powerful rule engine that can allow you to automatically measure how effectively your users are adhering to existing or newly redesigned business processes. SAP Process Control can simply be used under different circumstances (during a business transformation programme or as part of a continuous process improvement initiative) to ensure that your SAP transactional systems remain aligned with your policies and procedures.

I would be very interested in hearing your thoughts.

Thank you for reading my post. If you would like to receive my future posts then please follow me.

If you want to learn more about 12 functionalities in SAP Process Control that in my view can make a real difference, please check my post SAP Process Control: 12 little things that can make a big difference.

If you are already using SAP Access Control solution and have the intention of deploying (or have already deployed) SAP Process Control, please check my post 5 ways to boost SAP Access Control by using the full power of SAP Process Control

If you have enabled automating monitoring in SAP Process Control (or have the intention to do so) and would like to know more about 18 must-do's to get the buy-in from your auditors, please read my post Automated monitoring in SAP Process Control: what you must do to get the buy-in from your auditors (and you can't hide from them!)

Opinions expressed are solely my own and do not necessarily express the views or opinions of my employer.?