The Cost of an Incorrect GRC Solution to your Organisation


Are you making this $144,000 mistake with your access control solution?

When it comes to SAP access control solutions, sticking with what you have might seem like a smart decision. The cost and time associated with researching, selecting and getting business approval for a new solution can seem like more effort than it’s worth.

But if your access control solution isn’t a good fit for your company, it could be costing you more than you realise – both financially and otherwise.

It’s not that you chose the wrong solution

There are many different access control solutions in the market that can assist companies with their SAP Security and compliance activities. Each of these tools has its strengths and weaknesses, making finding exactly the right solution challenging.

As a result, many organisations implement an inappropriate access control solution – often because their System Integrator (SI) convinced them it was the right solution. But in fact, the SI was chasing the large implementation revenue often associated with the larger and more complex GRC solutions such as SAP GRC.

A side note here: SAP GRC is a great product for those organisations that have the necessary internal expertise and GRC maturity. However, organisations that lack the internal expertise and/or maturity needed to derive value from the solution generally experience a high degree of under-utilisation and/or business resistance.

When organisations complain to their SI that they are not getting value from their GRC investment, the SI will often propose offering more consulting or selling more solutions or modules that will ‘fix’ what is broken.

The challenge, though, is that if the access control solution is not the right fit for your organisation, possibly due to its complexity, nothing is going to change this. No amount of additional consulting, training or add-on solutions will reduce the complexity of the solution.

Sticking with what you know makes sense

There are many reasons why organisations stick with their current solutions, even if it’s not working for them.

  • The cost of switching seems high
  • The effort associated with switching seems high
  • They believe that all access control solutions have similar functionality and that switching will not bring about any significant change in value
  • They are under pressure from certain departments to stick with the current solution

The last reason is perhaps the most challenging to overcome. Some organisations find it difficult to put together the business case to switch from one solution to another. This is often because the finance or procurement teams dig their heels in purely from a financial perspective, saying, ‘we have already spent X dollars on solution Y – make it work’.

The $144,000 mistake

The costs and associated effort of finding and switching to a new access control solution may seem high, but the cost of not switching can be even higher, especially when you’re using an inappropriate access control solution.

Let’s look at one simple example – user access reviews.

Organisations across the globe are constantly being put under more pressure by auditors and regulators to perform compliance tasks such as User Access Reviews. US companies have been doing this since the advent of Sarbanes-Oxley. UK companies will see added pressure to introduce such activities as soon as UK SOX kicks in (if they are not doing these types of activities already).

A user access review requires reviewers (often line managers) to review all of their users’ SAP access on a biannual or annual basis to determine whether that access is still relevant to each SAP user’s job function for the next period. It can take the reviewers many hours to perform the review if they are using an inappropriate access control solution.

On top of this challenge, the reviewer may have many users reporting to them, and the SAP role design and naming convention could make it difficult to determine what access is contained in each SAP role.

If the organisation is using an inappropriate access control solution for its User Access Review process, these tasks become very challenging for the reviewers, who waste many hours on an activity that, if not done well, adds very little value to the organisation.

This all adds up. If you aggregate the wasted man-hours for each reviewer, multiply that by the number of review cycles per year, and multiply that by the number of years, it doesn’t take long for this cost to overtake the cost of switching access control solutions.

And this doesn’t factor in the cost of greater exposure to fraud due to an ineffective GRC capability, or the opportunity cost of those reviewers not performing their normal job function during the review period.

Ineffective solutions cost you more than just dollars

The formula above is just one cost associated with not switching solutions. Because it’s a quantifiable cost, it does make you sit up and take notice. But there are other, more intangible, costs associated with not switching your access control solutions.

Increased risk

Access control and GRC solutions are business tools to manage and mitigate risk. Sticking with an inappropriate or complex access control solution often leads to resistance or pushback from the business users, and IT end up performing access risk management activities on behalf of the business.

Access risk is business risk, not IT risk

It is the business users who are best positioned to determine if a specific user should have certain access and whether that risk is acceptable to the organisation. IT do not have the expertise or business knowledge to make such a decision.

Even when business users are given control of access risk management, if they’re using an inappropriate or overly complex access control solution, you often find that these activities are being done with minimal intent or understanding. Business users carry out these activities to tick an audit box, with very little consideration of the actual risk to the organisation.

Both of the above scenarios are terrible for the organisation. The C-Suite will incorrectly believe they have a sound access risk management program in place, but in reality, it is very ineffective.

Wasted hours on manual tasks to compensate for an inappropriate access control solution

Where a company is burdened with an access control solution that is not a good fit, we often see them extract reports from their GRC solution and then manipulate those reports externally to be ‘fit-for-business’, wasting hundreds of support hours.

This wastage is never attributed to the access control solution itself.

Using solutions that provide companies with valuable ‘out-the-box’ reports and recommendations will not only reduce the number of support hours but will also increase the speed at which SAP users are assigned their SAP access (SAP access change requests and the Joiner-Mover-Leaver (J-M-L) process). This ensures that users are assigned their access more timeously and are therefore more productive, i.e. business downtime is reduced.

Time to switch?

When evaluating your current access control solution, look at the business value it is adding to the organisation.

When evaluating a replacement, determine whether the solution will help you achieve your objectives instead of focussing on the software cost that you paid for your existing solution. The cost of change will be minute compared to the savings a company will make through effective access control and risk management.

Soterion is a leading provider of business-centric GRC solutions for companies running SAP. Improve your organisation’s risk awareness and ability to manage access risk by empowering the business users with business-centric GRC.
