Exploring Capabilities and Processes of SAP BIS Solution

Objective

After completing this lesson, you will be able to explain the capabilities and processes of the SAP BIS solution.

SAP BIS Key Capabilities

SAP Business Integrity Screening is a solution for detecting, investigating, and analysing irregularities in data, as well as for preventing fraud in ultra-high volume environments. 

Powered by SAP HANA and the SAP Business Technology Platform, this solution can be used in any industry, including Public Sector, Banking, Health-Care, Utilities, and High-Tech. 

This solution offers the following features and benefits to help ensure your business integrity:

  • Create detection strategies that sift through ultra-high volumes of data for clues of fraud and irregularities 
  • Screen master data and business transactions against screening lists 
  • Investigate the detected irregularities using efficient alert management 
  • Perform issue remediation and risk mitigation activities 
  • Integrate into business processes to prevent fraud and compliance issues 
  • Continuously improve detection accuracy by minimizing false positives with real-time calibration and simulation capabilities 
  • Identify common patterns with deterministic rules and predictive algorithms 
  • Leverage machine learning to quickly react to permanently changing patterns 

Let's see how an organization can leverage the SAP BIS solution capabilities to prevent financial fraud by identifying and stopping suspicious payments. 

Key Benefits of SAP BIS solution include:

End-to-End Process in SAP BIS

SAP Business Integrity Screening covers the end-to-end lifecycle for implementing detection use cases and working with the results.

This starts with the design phase, which is used to implement the data model and use case specific logic for the detection. 

The detection rules implemented in the design phase can be fine-tuned in the simulation and calibration. 

After fine-tuning, the use case can be executed automatically in the detection phase.

If the detection finds suspicious patterns of data, the use case will create alerts which can be analyzed in the investigation phase. 

In the last phase you can monitor KPIs which are important for your management. 

Let's have a look at each phase. 

Design

In this phase you define the automated controls, which are to be implemented in the SAP BIS solution to monitor your data and business processes. 

You can use the controls available in the standard content for different scenarios, or create custom controls using different approaches.

SAP Standard Content

SAP provides out-of-the-box content for internal audit, compliance, and risk management. This content provides multiple automated controls for the main business areas (O2C, P2P and R2R) and covers scenarios like Vendors, Accounting Documents, Purchase Orders, Invoices, Claims, etc.

SAP Standard Content examples

The content can be used to regularly analyze already posted transactions and existing master data records, to identify suspicious cases, and to perform investigation and remediation activities if needed.

This content was built by SAP via the deterministic approach, and most of these use cases are based on the SAP ERP data model.

In addition to the detective controls, SAP BIS also offers integration into payment processes. This allows controls to be executed in preventive mode, so that suspicious payments are stopped and investigated before the payment is sent to a bank.

The following integrations are available:

  • SAP S/4HANA Payment Run (F110, F111) 
  • SAP Advanced Payment Management

In both scenarios the check is performed during payment processing. Suspicious payments are blocked and not sent to a bank.

These scenarios are available for S/4HANA only.

Address Screening

SAP Business Integrity Screening provides features to run an address screening of your business partners and transactions.

A business partner could be a customer, vendor, employee, etc.

A transaction can be a payment, sales order, etc.

The list contains entity names and addresses that you want to match against name and address data in the business partner data or transactions.

The matching is done with the fuzzy matching feature of SAP HANA.

Any kind of list can be screened against any kind of transactional or master data.

For sanctions screening, the respective sanctions lists are used (OFAC, EU, etc.). For other scenarios like KYC, politically exposed persons (PEP) lists or adverse media lists can be used.

With the help of SAP Business Integrity Screening, you can manage the lists efficiently. 

Lists may be obtained from one of our data providers, or you may download the lists from government websites and upload them to Business Integrity Screening using BoBj data services.

You may also create and upload your own list. 

You can classify and sub-classify lists into various groups and prepare them for the screening process.

Custom detection rules

SAP Business Integrity Screening provides two fundamental approaches to implement the control logic. 

  • One approach is the deterministic approach. This means you have an expert in a certain domain, and this expert knows by heart how to find suspicious patterns in the dataset.
  • The other approach is via predictive insight. Here you do not have the expertise that tells you how to find suspicious patterns, but you have a dataset about your scenario. This dataset is either classified (supervised learning) or unclassified (unsupervised learning).

For both approaches there are technically multiple ways of implementing the use case. 

Top-Down (also called the expert knowledge approach or deterministic approach):

  • You have an expert in a certain domain, and this expert knows by heart how to find suspicious patterns in the dataset. From this expert's knowledge, you know which tables to look at, how to link the different tables, and how to correlate the data to find something suspicious.
  • All standard content by SAP is implemented via the deterministic approach.
  • You can implement use cases either via scripted methods (AMDP and CDS) or via the Business Rule approach (HRF).

Note

Please note that the approach using HRF is not recommended, since HRF functionality has been deprecated.

Bottom-Up (the predictive approach):

  • Here you do not have the expertise that tells you how to find suspicious patterns, but you have a dataset about your scenario.
  • This dataset is either classified (supervised learning) or unclassified (unsupervised learning).
  • There are many different possible ways to implement the predictive model (SAP PAI, SAP DI, SAP PA, SAP APL, SAP PAL, SAP SAC).

Both the Top-Down and the Bottom-Up approach subsequently lead to a Detection Method in BIS. The Detection Method can be used in a Detection Strategy, which executes the detection run and eventually creates Alerts that need Investigation.

This means that, after the technical implementation, the handling of the use cases is the same in the Top-Down and the Bottom-Up approach.

Setup

Automated controls defined in the design phase have to be fine-tuned on real data to ensure they provide meaningful results and do not generate too many false positives.

The following steps are performed in the Setup phase: 

  • Define detection strategies based on fine granular criteria 
  • Define screening strategies for business partners 
  • Real-time simulations and calibration of strategies 

The definition of detection parameters includes setting up the screening parameters, defining weighting factors, setting thresholds, etc.

Here are some example strategies for the business partner screening use case: 

Business partners come from various systems and, depending on the underlying transaction, they pose different levels of risk.

For example, the risk of a person downloading a free manual from your website is completely different from the risk of the same person downloading encrypted software or ordering a product from your website.

SAP Business Integrity Screening gives you the flexibility to define screening strategies according to lines of business, political and financial risks, or any other risk that you may identify.

The system identifies and executes the relevant strategies automatically based on the business data.

You may ask: Why can't I just keep one strategy? You certainly can. That would mean that all the business partners in any system are matched against all the lists.

So if you screen all your business partners against the METI list (which is a Japanese list), you will get alerts for the business partners in transactions in the US, which might increase the false positives tremendously. Not only that, a real hit in that scenario may not be useful from a compliance perspective.

Also, if you decide to use one single strategy and are too strict, you may find yourself resolving endless false positives of people downloading free manuals. If you are too lenient, you may have a compliance risk in other parts of the organization.
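The trade-off described above, as an added example that is not SAP BIS code: one strict strategy, one lenient strategy, and a set of scoped strategies are run over the same data. All strategy names, list names, list entries, thresholds and transactions are constructed, and Python's difflib stands in for SAP HANA fuzzy matching.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher

# Constructed screening lists; the entries are invented, not real list data.
LISTS = {
    "US_SANCTIONS": ["Ivan Petrov Trading", "Northwind Shell Holdings"],
    "JP_EXPORT_CONTROL": ["Akira Tanaka Industries", "Kobe Precision Works"],
}
# Constructed business data: (partner name, country, transaction type).
TRANSACTIONS = [
    ("I. Petrov Trading", "US", "ORDER"),
    ("Akira Tanaka Industry", "US", "MANUAL_DOWNLOAD"),
    ("Kobe Precision Work", "JP", "ORDER"),
    ("Northwood Shelf Holdings", "US", "MANUAL_DOWNLOAD"),
    ("Acme Tools", "US", "ORDER"),
]

@dataclass
class Strategy:
    name: str
    countries: set    # business data the strategy applies to
    tx_types: set
    lists: tuple      # screening lists this strategy matches against
    threshold: float  # minimum similarity that raises an alert

def similarity(a, b):
    # Stand-in for fuzzy matching; SAP HANA computes its scores differently.
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def screen(strategies, transactions=TRANSACTIONS):
    alerts = []  # one tuple per (transaction, list entry) hit
    for name, country, tx_type in transactions:
        for s in strategies:
            if country not in s.countries or tx_type not in s.tx_types:
                continue  # strategy is not relevant for this business data
            for list_id in s.lists:
                for entry in LISTS[list_id]:
                    score = similarity(name, entry)
                    if score >= s.threshold:
                        alerts.append((name, list_id, round(score, 2), s.name))
    return alerts

ALL, ANY_TX = {"US", "JP"}, {"ORDER", "MANUAL_DOWNLOAD"}
STRICT = [Strategy("single-strict", ALL, ANY_TX, tuple(LISTS), 0.80)]
LENIENT = [Strategy("single-lenient", ALL, ANY_TX, tuple(LISTS), 0.95)]
SCOPED = [
    Strategy("us-orders", {"US"}, {"ORDER"}, ("US_SANCTIONS",), 0.85),
    Strategy("jp-orders", {"JP"}, {"ORDER"}, ("JP_EXPORT_CONTROL",), 0.85),
    Strategy("downloads", ALL, {"MANUAL_DOWNLOAD"}, tuple(LISTS), 0.95),
]
```

`screen(STRICT)` raises four alerts, including a Japanese-list hit on a US manual download. `screen(LENIENT)` misses the US order from "I. Petrov Trading", while `screen(SCOPED)` alerts on both orders and on neither download.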

In the next steps the simulations are to be performed.

Business users can change the use case within the boundaries given by the implementation-specific requirements of the use case.

In this step, a business user may run the entire use case against the productive dataset and get a What-If Analysis.

Detect

In the Detection phase, SAP Business Integrity Screening allows you to detect suspicious patterns either via Mass Detection (a batch execution, which allows detective control execution) or via Online Detection (a synchronous web service call from the source system, which allows preventive control execution).

The execution mode depends on the business case and business requirements.

For transactions and master data records that have been identified as suspicious during the detection runs, the system automatically creates alerts, which are to be investigated and decided by the responsible team.

Investigate

In this phase investigation of the alerts is performed by the responsible team.  

In case of confirmed issues, the required issue remediation and risk mitigation activities could also be performed in this phase. 

SAP BIS offers the following functionalities to support the above-mentioned processes: 

  • Comprehensive alert management with advanced inquiry and analysis features  
  • Collaborative and faster investigation and intuitive capture of findings 
  • One-click resolution for simpler screening alerts (business partners) 
  • Task lists for investigation and remediation based on task list templates 
  • Task management with workflow integration, status management and automated task processor determination 

Analyze Performance

In the Analyze Performance phase you can track the KPIs of your solution, which include metrics like efficiency, trend and others.

SAP Business Integrity Screening provides multiple options to implement the analytical reporting: 

  • Standard application (Investigation Overview): 
  • Out-of-the-box analytical CDS views, which provide all important datasets of the solution and which you can consume in your reporting solution to integrate SAP BIS data into your existing risk reporting solution.

Also, some key KPIs can be monitored from the homepage itself. Some examples include:

  • The Average Processing Time - tells how much time the compliance team is taking on average to resolve the alert. It is also an important KPI to watch if you are stopping the business transaction due to Business Integrity Screening.  
  • The Efficiency - tells the screening efficiency of the various screening strategies.