How does Fraud Management stack up against Process Control CCM?
Lately during discussions with some customers and partners, the topic of differences between SAP Fraud Management and Continuous Control Monitoring Framework in Process Control came up. In other words the customer (sometimes the partner representing the customer) is looking for a justification for having a dedicated Fraud Solution, given that the customer has an existing instance of SAP Process Control. This question arises because sometimes the customer has a perception that CCM, a monitoring framework within PC, can fully meet their Fraud detection and prevention related requirements.
Before I delve into the details, below is a list of abbreviations that will be used, and the corresponding elaborations. I have added hyperlinks for each item below which would be helpful in case you wish to explore these in more detail.
1. CCM: Continuous Control Monitoring
2. FM: Fraud Management
3. PA: Predictive Analytics
4. PC: Process Control
5. GTS: Global Trade Services
As a customer, it is important to understand that both these solutions (SAP PC and SAP FM) are complementary and play an important role in addressing your overall compliance requirements. Whilst PC helps in documenting and testing your controls and assessing their design, Fraud Management can scan through a large volume of data for potential Fraud and flag suspicious records. The two solutions are integrated, as exemplified by integration scenarios such as the ability to create issues in PC from FM.
Fighting organizational Fraud requires a multi-pronged approach, and having dedicated Fraud detection software solves just one piece of the puzzle. Additional measures, such as ensuring SOD-free access and ensuring all key controls are effective at all times, are also a must. Such requirements can be managed by implementing additional solutions such as SAP GRC Access Control and Process Control; for more specific requirements, such as managing trade compliance, other solutions such as SAP GTS would be necessary.
Now coming back to the question. How does SAP FM stack up against SAP PC CCM? Below is a list of some key differentiators.
1. Fraud Management can perform online detection.
If you wish to read in depth about online detection, click here. To put it simply, it's a feature that allows the Fraud Algorithms to be called from the external application in which you are performing a business process, such as your ECC system, and the transaction to be stopped if a Fraud check is positive. This is a powerful feature which allows you to embed Fraud Detection within your business process. However, enabling this feature also requires calibration and fine tuning of Fraud Rules, something that a customer should discuss in detail with the implementation team. CCM, on the other hand, is built for Control Monitoring and hence does not facilitate online detection out of the box.
2. Integration with Predictive Analytics.
Fraud Rules consist of a detection strategy, which in turn comprises one or more detection methods. These detection methods are procedures in HANA that contain the logic of data retrieval, Fraud detection and rendering of the results. Although the logic of Fraud detection can be written manually (by coding these HANA procedures directly), Fraud Rules can also be generated using the Predictive Analytics software. What that means is that while implementing a rule in Process Control CCM you must be fully aware of the logic beforehand, whereas for Fraud Management you can generate the rule logic by presenting a set of data containing confirmed Fraud records to SAP PA and then use the SQL generated by the PA solution in your execution procedure in FM. Predictive Analytics is a separate solution and more details about it can be found here.
3. Enhanced Simulation.
In PC CCM, one can perform simulation using the ad-hoc query option within a business rule and that is quite sufficient if the objective is to view the results of a query, as is required for control monitoring. However in Fraud Management a lot more can be done for simulating results. For instance, you can check the results of a simulation by providing different weightage to each of the detection methods and also see the breakdown of generated alerts based on each detection method.
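The weight-based simulation described above can be sketched as follows. This is an added example, not code from SAP or from the original post: the three detection methods, the invoice records, the weights and the weighted-sum-against-threshold scoring are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (not real data).
INVOICES = [
    {"id": "INV-1", "vendor": "V100", "amount": 5000.00, "ref": "A17", "bank_changed_days_ago": 3},
    {"id": "INV-2", "vendor": "V100", "amount": 5000.00, "ref": "A17", "bank_changed_days_ago": 3},
    {"id": "INV-3", "vendor": "V200", "amount": 1234.56, "ref": "B02", "bank_changed_days_ago": 400},
    {"id": "INV-4", "vendor": "V300", "amount": 9000.00, "ref": "C33", "bank_changed_days_ago": 200},
    {"id": "INV-5", "vendor": "V400", "amount": 742.10, "ref": "D08", "bank_changed_days_ago": 10},
]

# Hypothetical detection methods: each returns True when the record looks suspicious.
def duplicate_invoice(inv, all_invs):
    key = (inv["vendor"], inv["ref"], inv["amount"])
    return sum((i["vendor"], i["ref"], i["amount"]) == key for i in all_invs) > 1

def round_amount(inv, _all_invs):
    return inv["amount"] % 1000 == 0

def recent_bank_change(inv, _all_invs):
    return inv["bank_changed_days_ago"] <= 30

METHODS = {
    "duplicate_invoice": duplicate_invoice,
    "round_amount": round_amount,
    "recent_bank_change": recent_bank_change,
}

def simulate(invoices, weights, threshold):
    """Return ({invoice id: score} for alerts, {method: alerts it contributed to})."""
    alerts, breakdown = {}, Counter()
    for inv in invoices:
        hits = [name for name, fn in METHODS.items() if fn(inv, invoices)]
        score = sum(weights[name] for name in hits)  # assumed model: weighted sum
        if score >= threshold:
            alerts[inv["id"]] = score
            breakdown.update(hits)
    return alerts, dict(breakdown)

# Two weightings to compare: equal weights versus a tuned set that
# downweights the noisy round-amount method.
EQUAL = {"duplicate_invoice": 40, "round_amount": 40, "recent_bank_change": 40}
TUNED = {"duplicate_invoice": 60, "round_amount": 10, "recent_bank_change": 50}

if __name__ == "__main__":
    for label, weights, threshold in (("equal", EQUAL, 40), ("tuned", TUNED, 50)):
        alerts, breakdown = simulate(INVOICES, weights, threshold)
        print(label, sorted(alerts), breakdown)
```

With equal weights the round-amount method alone raises an alert on INV-4; with the tuned weights that alert disappears while the duplicate and bank-change alerts remain, which is the kind of effect a simulation run lets you inspect before a rule goes live.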
To summarize, SAP Process Control CCM is an important feature within PC that facilitates control monitoring and corresponding issue remediation. However, if the requirement is to scan data in a transactional system for potential fraud, remediate what is found, and perform online detection, Fraud Management is a better fit.
Great Post Sharad!! Thanks for highlighting these key differences in PC & FM!!
Thanks for the feedback Saksham.
Ah, but in this comparison it would have been helpful to also mention those items where SAP Process Control has capabilities that Fraud Management--as good as it is--does not have. You are right on target that comprehensive fraud management can benefit from a complete integrated system such as that provided in our SAP solutions for GRC.
Thanks for the feedback Jan. The intention of this blog is to compare CCM and FM and not PC as a whole. I think it's quite clear (to customers using PC at least) that FM does not facilitate control testing, assessment and sign off related activities etc and it's just the CCM that falls into that gray area. However I don't see any issue describing those differences as well in detail and I'll do that in a separate post.
Good Informative Read. Very useful to help client understand FM domain and intersections with PC-CCM. Thanks for the post Mr Sharad.
Thanks Rahul!
Thanks for sharing insights into the use case scenarios of PC & FM.
Like PC, does FM have built-in rules per business process?
Naveen Murthy SK