Quick facts

	At VCP, we have evolved from a risk-correction culture to a risk-mitigation culture. Now, all our business areas are fully aware of the potential impact of unmanaged risk
Celso Yao, Risk Manager, Votorantim Celulose e Papel S.A.

Votorantim Celulose e Papel S.A. (VCP) – one of Brazil’s largest pulp and paper producers – is known for its leading business practices. And since VCP trades on the New York Stock Exchange, this includes complying with the Sarbanes-Oxley Act (SOX). To help meet the SOX regulations, the company implemented the SAP® GRC Access Control application as part of a culture-changing risk management initiative. In doing so, VCP reduced its overall risk exposure and lowered the cost of compliance.

• Industry: Mill products – pulp and paper
• Revenue: US$1.5 billion
• Employees: More than 2,700
• Headquarters: São Paulo, Brazil
• Web Site: www.vcp.com.br
• SAP® Solution and Services: SAP® GRC Access Control application
• Implementation Partner: PricewaterhouseCoopers
• Key Challenges:
  Implement a structured access governance model to ensure Sarbanes-Oxley Act (SOX) compliance
  Establish a culture of proactive risk management
  Gain greater visibility into access conflicts
  Eliminate labor-intensive, manual controls
  Improve interdepartmental cooperation around access control
• Implementation Best Practices:
  Had strong executive support and active participation of business areas
  Trained key business users in SOX regulations before project start
  Reviewed governance model, processes, and profiles prior to software implementation
  Created SOX-compliant compensating controls for conflicts that could not be eliminated
• Financial and Strategic Benefits
  Certified SOX compliance
  Company-wide awareness of the importance of effective risk management
  Ability to identify access vulnerabilities and exception cases
  Automated, rules-based tools used across corporation, reducing costs
  Ability to assess risks on a continuous basis across all business departments
  Improved productivity using self-service portal for faster conflict resolution
• Why SAP Was Selected?
  Proven solution with strong industry references
  Integration with existing SAP® software landscape
  Clear road map for future development
  Embedded best practices
  Cost-effective alternative to in-house development
• Low Total Cost of Ownership:
  Completed project in 8 months, on schedule and within budget
  Replaced costly manual processes (and widespread use of spreadsheets) across the company
  Reduced number of ongoing conflict tickets requiring resolution
  Avoided development and maintenance costs associated with an in-house solution
• Operational Benefits
  Key Performance Indicator
  Number of access conflicts: –91% (from 11,000 to 1,000)
  Conflict resolution time (typical case): +80% to +90% faster
  Internal audit cycles: +75% faster*
  External audit cycles: +75% faster*
* In 1 week versus 1 month

Managing Risk for Global Compliance

Brazil’s Votorantim Celulose e Papel S.A. (VCP) – part of the diverse Votorantim Group – manufactures pulp and paper products. This award-winning company manages the entire process, from growing the pulpwood to distributing the finished goods to more than 50 countries worldwide. And it performs these operations with a firm commitment to sustainable development, social responsibility, and good corporate governance.

With its international presence, VCP’s business practices include compliance with the Sarbanes-Oxley Act (SOX). But manual risk management controls were making it difficult for the company to maintain the level of access security required by the regulations. Reliance on lengthy spreadsheets, for example, limited visibility. “We did not have a clear view of all the access conflicts,” says Persia Machado, a risk manager at VCP. “This made our overall risk less manageable.” Moreover, without clearly defined rules across the enterprise, it often took risk managers and process owners up to two weeks to resolve security issues. VCP executives wanted to ensure regulatory compliance by introducing a companywide culture of proactive risk management.

Planting the Seeds of Change

To institute a new access governance model, company executives chose the SAP® GRC Access Control application. Tight integration with VCP’s existing SAP software landscape was a key factor in their decision.

VCP completed the project in eight months – on schedule and within budget – by focusing on strategic partnerships, staff development, and quality assurance. Implementation partner PricewaterhouseCoopers, for example, trained key business users in access control and SOX compliance to mitigate risk across the company. In addition, the project team rigorously reviewed all processes and role profiles before rolling out the software.

Harvesting the Benefits

Changes at the paper company have been dramatic. During the project’s initial remediation phase, VCP identified and eliminated 10,000 access conflicts from its processes. Today, the rules-based SAP software continuously checks for access vulnerabilities (such as lack of segregation of duties) and specifies measures to mitigate or prevent them.

The automated system has boosted productivity, efficiency, and cooperation among VCP’s various departments. These days, all business areas can use the software’s preconfigured rules functionality to diagnose internal risks, manage access profiles, and streamline operations. Risk Manager Celso Yao cites a good example. “The software proposes several options for conflict resolution,” notes Yao. “This allows business owners to rectify many issues without direct support from the risk managers.” As a result, a typical conflict is now resolved in less than a day – often, almost instantaneously.

The system has also helped VCP slash external audit times by 75%. “Auditors spend less time because they can collect all the information they need from a single source,” Yao explains. And, Machado adds, “The scope and frequency of our own reviews have increased too, as internal auditing tasks have become easier.” In total, these results reflect a true culture shift from risk correction to risk mitigation.

Recognizing Success

Today, VCP is listed at Corporate Governance Level 1 on the São Paulo Stock Exchange, and the company is certified SOX compliant. This success has not gone unnoticed: other business units in the Votorantim Group are considering access control projects of their own. And recently, VCP won a prize for corporate governance in the ‘Prêmio Intangíveis Brasil’ competition – which honors companies whose internal investments have generated significant value for both clients and shareholders.