Have you unlocked the Power of SAP GRC?
Optimize your SAP GRC investment by enabling key modules and critical functionalities to meet your business requirements and greater end user adoption.
#SAP GRC 12.0 has been available for the last few years: it was released in March-2018 and was made available to clients from Sept-2018. The upgraded version offers several benefits that can accelerate an organisation's #GRC program; the drivers to upgrade to a newer version may be to use its new functionalities, to provide an enhanced end user experience or to improve performance. To some extent, the #upgrade drivers signify the state of the current GRC program.
Recently (July-2020) I had created a poll on LinkedIn to understand the key driver for SAP GRC 12.0 upgrade. It was also shared on a LinkedIn Group dedicated to SAP GRC 12. The members of this group adequately represent SAP GRC business users globally who use this solution in their organisations as well as professionals who are engaged in developing, selling, implementing and supporting this solution.
Let’s have a look at the Poll results.
The results are self-explanatory and obvious considering the Dec-2020 deadline for mainstream maintenance. “End of maintenance for old version” with 45% vote is the key driver for SAP GRC 12.0 upgrade project.
What does this mean?
Let me present my perspective and view on the drivers. I will classify them into 2 broad categories: Reactive Drivers vs. Proactive Drivers.
Proactive Drivers:
“New functionalities” and “Enhanced user experience” polled 18% and 16% respectively as the key driver for the upgrade project. Combined, these drivers constitute 34% and can be labelled as Proactive Drivers. These drivers give rise to projects that attempt continuous improvement and seek operational excellence.
Reactive drivers:
Historically, regulatory requirements were the key drivers for SAP GRC projects. In the context of the poll, “End of maintenance for old version” and #S/4Hana upgrade projects together constitute 66% of the upgrade drivers. Projects whose sole driver is “End of maintenance for old version” are undertaken to meet the mandate and may end up as a purely technical upgrade without unlocking the power of the upgraded version. Cases where the driver is “S/4 Hana upgrade” may indicate either lower business adoption or a lack of dedicated solution ownership.
Probable Differentiators for Proactive Drivers and Reactive Drivers
Organisations who had/have Proactive drivers for their SAP GRC upgrade project mostly show the following traits:
- Senior management extends its full support and consciously develops a GRC Vision/Goal which is clearly communicated to all the stakeholders with clear definition of roles and responsibilities.
- Budget is approved for valid GRC Business cases which helps the Organisation progress and sustain its GRC initiatives.
- Dedicated IT support is made available and held responsible for ensuring continuous availability of the GRC solution.
- GRC effectiveness is monitored; any issues and findings are highlighted, and remediation activities/projects are initiated.
- There is major focus on end user awareness and trainings. The solution is deployed across the organisation and due attention is provided to end user experience.
Generally, such organisations want to move into the operational-excellence phase of GRC maturity rather than stay in the reactive, fragmented implementation phase! They proactively explore new functionalities, co-innovate and initiate enhancement and optimisation projects.
How to unlock the Power of SAP GRC
SAP GRC is much more than a segregation of duties (SoD) management tool. Certainly, it effectively addresses the challenges of user access management, but combined with its risk management and control monitoring capabilities it helps to address enterprise risk and compliance management as a whole.
The following are a few guidelines that can help ensure optimal utilisation of the SAP GRC solution:
1. Look beyond Access Controls: Harmonize the Risk and Controls!
With the release of SAP GRC 10.0/10.1, #Harmonisation of Risk and Controls was envisaged through an integrated solution for Risk Management, Process Control and Access Control on a common platform.
Access control being the most widely deployed and matured SAP GRC Solution, the focus was to reap the benefits of Integrated GRC with one view of Risk and Controls by implementing SAP GRC Risk Management and SAP GRC Process Control.
If organisations have missed/delayed the Harmonisation of Risk and controls, SAP GRC 12.0 upgrade project can be a #trigger to initiate this journey!
a. How are you monitoring the Application security controls?
Organisations have always wanted a solution for their #control assessments and #monitoring. SAP GRC Process Control can be deployed to meet the control monitoring requirement. It can help an organisation with:
- Early detection of configuration and master data changes
- Reduced audit efforts due to a reliable and automated environment
- Real-time notification of potential control failures based on established business rules
b. Where is your Enterprise Risk Register?
Are you aware of the key enterprise risks facing your organisation? Where are you documenting them? Are they being assessed and reported? SAP GRC Risk Management provides answers to all such questions. It enables the major components of a risk management model: risk planning, risk identification, risk analysis, risk response and monitoring. It can be effectively used to:
- Improved alignment of risk management to the objectives and strategy of the business
- Centralise the risk register for a complete view of the organisation's risk profile
- Perform workflow-based automated risk identification, assessment and mitigation process
2. Leverage the enhanced performance to optimise the existing solution!
An upgrade project should not be pursued merely as a technical component upgrade but also as an opportunity to optimise the existing solution and deploy new functionalities proactively.
#SoD analysis is the heart of SAP GRC Access Control. The solution provides capabilities for User Risk Analysis and Role Risk Analysis. You can perform the risk analysis at any time to review the SoD risks associated with users or roles.
SoD analysis is not a one-time/ad-hoc activity; periodic monitoring helps in understanding the overall SoD risk profile and in prioritising mitigation effort.
Periodic review of user access, SoD risk and role content is one of the key access controls: it ensures that the organisation is proactively monitoring SoD risks and unauthorised access, and stays clean. To manage these periodic reviews effectively, SAP GRC Access Control has various automated workflow-based features.
a. User access review (UAR):
The UAR feature automates and documents the periodic user access review by business managers or role owners. #UAR requests are automatically generated and sent for review, which results in a review of the user’s access and retention of the existing roles and/or removal of unwanted roles based on the reviewer’s decision.
b. Segregation of Duties Review:
The Segregation of Duties Review feature automates and documents the review of SoD risk violations by business managers or risk owners. SoD review requests are automatically generated and sent for review, which results in review and acceptance/mitigation of the SoD risks and/or removal of the roles causing the SoD risks.
c. Role Certification:
This is the same as User Access Review, except that, instead of the user assignment, the role itself is certified at a periodic interval.
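To make the user- and role-level SoD analysis and the mitigation step of the SoD review concrete, here is a small added example (not SAP GRC code; the rule ids, role names, functions and users are constructed): roles map to business functions, a rule set lists conflicting function pairs, and the analysis is run once per role and once per user across all of that user's roles, with mitigated risks filtered out as an SoD review would record them.

```python
# Constructed sample data (not from any SAP GRC rule set): each role grants
# business functions; an SoD rule names a pair of functions that must not be
# held together. Function/role codes are hypothetical.
ROLE_FUNCTIONS = {
    "Z_AP_INVOICE": {"AP01"},        # enter vendor invoices
    "Z_AP_PAYMENT": {"AP02"},        # release payments
    "Z_VENDOR_MAINT": {"MM01"},      # maintain vendor master data
    "Z_FI_DISPLAY": {"FI99"},        # display-only reporting
    "Z_AP_ALL": {"AP01", "AP02"},    # a role that conflicts on its own
}
SOD_RULES = {
    "P001": ("AP01", "AP02"),        # invoice entry vs. payment release
    "P002": ("MM01", "AP02"),        # vendor master vs. payment release
}
USER_ROLES = {
    "jdoe": ["Z_AP_INVOICE", "Z_AP_PAYMENT"],   # conflict across two roles
    "asmith": ["Z_AP_INVOICE", "Z_FI_DISPLAY"], # clean
    "bob": ["Z_AP_ALL"],                        # conflict inside one role
    "carol": ["Z_VENDOR_MAINT", "Z_AP_PAYMENT"],# conflict, but mitigated
}
# (user, risk id) pairs accepted with a mitigating control during SoD review
MITIGATIONS = {("carol", "P002")}


def functions_for(roles):
    """Union of the business functions granted by a list of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def analyse(funcs):
    """Return the sorted risk ids whose two functions are both present."""
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in funcs and b in funcs)


def role_risk_analysis():
    """Role-level analysis: roles that violate an SoD rule by themselves."""
    return {r: analyse(f) for r, f in ROLE_FUNCTIONS.items() if analyse(f)}


def user_risk_analysis(include_mitigated=False):
    """User-level analysis: combine all of a user's roles, then apply rules."""
    report = {}
    for user, roles in USER_ROLES.items():
        risks = analyse(functions_for(roles))
        if not include_mitigated:
            risks = [r for r in risks if (user, r) not in MITIGATIONS]
        if risks:
            report[user] = risks
    return report
```

Run periodically, a diff of successive `user_risk_analysis()` reports shows new violations introduced since the last review, which is the monitoring the article recommends over one-off analysis.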
3. Provide an enhanced user experience
One of the key enhancements made in SAP GRC 12.0 is its user interface. The SAP #Fiori Launchpad, persona-based navigation and the flexibility to group, move and remove tiles using simple drag and drop have enhanced the user experience significantly.
Dashboards/overview pages and Fiori apps provide greater and quicker insight into the relevant information, thus enabling faster response and an overall more efficient access management program. SAP GRC users can now access transactional apps on the go. Overview apps are also provided, which give insights into specific functionality.
Following is the list of Access Control Apps:
- Request Access: A requestor can use this app to submit an access request. The ability to search for and select the required roles for applications is available.
- Request Access for others: This is like the “Request Access” app, with the only difference that it submits the access request for other users.
- Access Approver: A GRC access request approver can approve, reject, or forward access requests that have been submitted for approval. The approver can also view the access risks and act on the access request. Provision to record comments is also available.
- Compliance approver: GRC user can perform risk analysis on access request and can approve, reject, or forward it. Ability to mitigate risks is also available.
- Check Request Status: Requester will be able to check the status of the submitted access request for self/others.
- EAM Overview: This app provides an overview of Emergency Access Management (EAM) activities through line graphs and dashboards.
- Role Management Overview: This app provides an overview of role data and usage reports.
4. Extend the scope of the systems being monitored.
Performing risk analysis for applications is a critical function of an access control solution. Extend it to all critical systems and also monitor cross-system risks.
SAP GRC 12 can be effectively deployed for performing risk analysis across:
a. Fiori apps/SAP, S/4HANA.
b. SAP SuccessFactors Employee Central.
c. SAP Cloud applications (Ariba, Concur, etc.) with the help of SAP Identity Access Governance (IAG).
d. Non-SAP and Legacy systems, with help of #Greenlight Technologies connectors
Thanks for reading! Please do a quick like, share or a comment if you found this article useful! Stay tuned for more such articles in SAP GRC space.
Disclaimer:
*The perspective shared in this article is based on personal experience and in the context of the poll; it may not represent the actual GRC state or organisational traits of the poll respondents.
**The guidelines are also based on my personal experience and may or may not apply to everyone. The features should be activated based on a valid business case in the context of the current program.
Manager at EY MENA || GRC, IT, IAM, ITGC, ICOFR, Information Security, SAP Security, HANA DB Security
2 years: Great read, Charukesh. What I like the most is the importance placed on harmonization of the GRC suite; this is an area not leveraged to the fullest extent. When all modules talk to each other, one can truly unravel the power of GRC.
CISM | GRC & SAP S4 HANA Security Professional | Cyber Security | Helping Companies to Leverage Technology for Compliance & Risk Management | ECB Level 2 Cricket Coach
4 years: Well curated article. But one point where GRC lacks is FIORI 1.0 apps. It has been anticipated to improve the UX over time.
Partner at EY | Technology Risk Professional
4 years: Very well summarised.