Enhancing Business Accountability of Access Risks

 By Dudley Cartwright, CEO of Soterion.

This article explains what we at Soterion believe is needed for effective Governance, Risk and Compliance (GRC). What do we mean by effective GRC?

Many companies make the mistake of thinking that the GRC or access control tool alone is the silver bullet to solve all their SAP security challenges. Because of this, many organisations have an access control solution that is not adding much value. In essence, these companies have GRC, but it is not effective.

 When measuring your organisation’s GRC effectiveness, it is important to measure this in relation to the organisation’s business objectives. The most common of these are:

  • Having a secure SAP solution
  • Complying with regulations, in particular, the data privacy regulations
  • Improving efficiencies (JML process)
  • Enhancing business accountability of risk

Enhancing business accountability of the organisation’s risk is fast becoming a key business objective. Not only is access risk a business risk, but many organisations are realising that enhancing business accountability of risk is making the organisation more risk-aware and more effective in its risk management activities. This can be illustrated by using the audit principle of the three lines of defence.

The first line of defence is your business or operational users. The second line of defence is your risk and compliance departments, and the third line of defence is the audit and assurance departments.

The first line of defence should be the strongest line of defence. These are people who have been in your organisation for 15 – 20 years. They understand your business better than anyone else. Yet it is often the organisation’s weakest line of defence – not because users do not know the risks or the processes, but because the environment is not set up for these business users to take ownership and become accountable.

To facilitate business buy-in, organisations need to look further than just the GRC or access control solution. They need to look at all the associated components collectively and understand the inter-relationships. To illustrate this, we will use what we call the ‘Effective GRC Pyramid’.

At the base of the pyramid is the SAP role design. This forms the foundation of all things GRC. If the role design is not good, the entire GRC capability will be diminished. The middle section is the rule set and GRC or access control solution. And at the top are the internal processes.

GRC effectiveness is measured by how well business users carry out their access risk management activities, such as the review and approval of SAP access change requests, user access reviews, rule set reviews and business role reviews.

There are generally two reasons why organisations struggle to get the business to take ownership of access risks. The first is a lack of senior management support for such initiatives. It is very difficult to achieve business buy-in and accountability without significant support from senior management. The second is the complexity and technical nature of each of the components in the pyramid.

To explain this, let’s work through each layer.


The Role Design: This is a very technical component made up of transaction codes, authorisation objects, fields and values. Yet it is the business users who need to understand the level of access contained in each role if they are expected to review and approve access, or when performing a user access review.

The Rule Set: Again, this is a technical component consisting of risks, risk functions, transaction codes, authorisation objects and fields. Yet these are business risks and need to be understandable by the business users.

The GRC Software: GRC or access control solutions are generally very technical in nature. Yet the ultimate user is a business user. Therefore, the risk assessment results need to be understandable to the business users.

The Internal Processes: This is partly technical in setting up the configuration and workflow, yet it needs to be practical and effortless for business users.

While business users are not expected to carry out many functions, it is important that the few tasks they are expected to do are presented in a way that lets them perform these with maximum ease, with data they can easily understand and interpret, so that they can make an informed business decision.

In summary, your entire GRC effectiveness will be measured by how well your business carries out these functions.

If you’d like more information or would like to discuss your company’s GRC needs, feel free to email us on [email protected].
