New-generation Governance, Risk and Compliance is critical in SAP environments
By Dudley Cartwright, CEO of Soterion
2020 will be remembered as the year that a virus almost caused a worldwide lockdown. What could be next?
The 2019 WEF report on significant global threats lists cyber attacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organisations. The stakes for businesses that fail to get it right are higher than ever.
We’re living through an era hallmarked by a rapid increase in the rate of change in the marketplace. Organisations are being forced to adapt to the new realities. Successful organisations are becoming more agile in their ways of working.
New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation and are embracing new agile technologies and methodologies.
GRC principles fit well with the ‘agile’ approach and are today more relevant and important than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools.
Agile thinking encompasses the idea of “clock speed”. This is the pace at which an organisation, in its entirety, is able to move, react and adapt. It is estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.
Whilst agile thinking has brought great benefits in increasing clock speed, it has also brought with it a significant misconception about GRC. In the pursuit of agile delivery, GRC can easily be seen as part of the ‘old paradigm’ and hence ignored or undervalued. Alternatively, even if the GRC function is appreciated by business, GRC practitioners often fail to adapt their approach to the new clock speed realities.
Many new-generation GRC practitioners find themselves operating in a traditional organisation. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organisation requires.
Could someone in GRC influence organisation-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, whilst at the same time pragmatically delivering GRC requirements within the prevailing framework.
So, what is the correct approach then for agile GRC? Given that organisations vastly differ by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer.
Here are a few agile GRC descriptors. Agile GRC recognises the need to engage business users, and therefore puts business users at the heart of the process. GRC language is translated into language that business users can understand. This is reinforced by more intuitive tools, such as business-process visualisations that help users contextualise and understand the risks in their own processes.
A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering. Engaged business users are more vital today than ever given the fluidity of organisational environments. GRC must become a team sport.
When business users are not engaged, the GRC team alone must ensure that access risk remains within acceptable limits. This is usually done in an episodic fashion, frequently timed to coincide with an audit, so risk that builds up between reviews goes unnoticed.
The power of engaged business users is manifold: there are many of them, and they know and understand their processes better than anyone. Giving these users the means to monitor and respond to the risks inherent in their processes provides a powerful first line of defence which in turn allows the GRC team to play a more strategic, value-adding role.
In addition, traditional GRC tools are built upon static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows. The traditional paradigm assumes that such process flows seldom change. With today’s pace of change and agile ways of working, access risk simulations are performed against rule sets that are increasingly out of touch with an organisation’s reality. Business users become frustrated by this and their buy-in diminishes accordingly.
New-generation GRC tools recognise that business process flows are dynamic and fluid, and hence enable us to build dynamic rule sets with adaptive capabilities. Machine learning technologies often play a role here. Another approach is ‘crowdsourcing’ rule set changes from business users themselves, through intuitive visualisations that keep GRC tools relevant and hence keep business users engaged.
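The rule-set drift described above is easiest to see with a concrete segregation-of-duties check. The following Python is an added example, not code from the article or from Soterion's product: a small static SoD rule set, a what-if simulation of a proposed role assignment against it, and a coverage check that lists transaction codes the rule set has never heard of. Standard SAP transaction codes (FK01, XK01, FB60, MIRO, F110) are used as illustrations; the Z-prefixed role names, the custom transaction ZFB60 and the rules themselves are constructed for this example.

```python
"""Added example: static SoD rule set, access-risk simulation, and a
rule-set coverage check. Roles, role-to-tcode assignments and rules are
constructed for illustration; they are not a vendor rule set."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    left: frozenset   # tcodes that perform function A
    right: frozenset  # tcodes that perform function B, conflicting with A


# Hypothetical role -> transaction-code map (what each role grants).
ROLES = {
    "Z_AP_VENDOR_MAINT": {"FK01", "FK02", "XK01"},
    "Z_AP_INVOICE":      {"FB60", "MIRO"},
    "Z_AP_PAYMENT_RUN":  {"F110"},
    "Z_FI_DISPLAY":      {"FK03", "FB03"},
    # Constructed custom transaction introduced by a new invoicing process
    # AFTER the rule set below was written: the rule set does not know it.
    "Z_AP_INVOICE_NEW":  {"ZFB60"},
}

# Constructed rule set: each rule pairs two conflicting functions.
RULESET = [
    SodRule("AP01", "Maintain vendor master AND post vendor invoices",
            frozenset({"FK01", "FK02", "XK01"}), frozenset({"FB60", "MIRO"})),
    SodRule("AP02", "Post vendor invoices AND execute payment run",
            frozenset({"FB60", "MIRO"}), frozenset({"F110"})),
]


def effective_tcodes(roles):
    """Union of transaction codes granted by a set of roles."""
    tcodes = set()
    for role in roles:
        tcodes |= ROLES.get(role, set())
    return tcodes


def find_conflicts(roles, ruleset=RULESET):
    """Rule hits for a role set: (rule_id, matched A tcodes, matched B tcodes)."""
    tcodes = effective_tcodes(roles)
    hits = []
    for rule in ruleset:
        a, b = tcodes & rule.left, tcodes & rule.right
        if a and b:
            hits.append((rule.rule_id, sorted(a), sorted(b)))
    return hits


def simulate_assignment(current_roles, new_roles, ruleset=RULESET):
    """What-if simulation: conflicts the proposed roles would newly introduce,
    ignoring conflicts the user already has today."""
    already = {hit[0] for hit in find_conflicts(current_roles, ruleset)}
    after = find_conflicts(set(current_roles) | set(new_roles), ruleset)
    return [hit for hit in after if hit[0] not in already]


def ruleset_coverage_gaps(roles=ROLES, ruleset=RULESET):
    """Transaction codes granted by some role that no rule references.
    A growing gap list is the symptom of a rule set drifting from reality;
    display-only tcodes are expected here, process tcodes are not."""
    covered = set()
    for rule in ruleset:
        covered |= rule.left | rule.right
    granted = set().union(*roles.values())
    return sorted(granted - covered)


if __name__ == "__main__":
    print(simulate_assignment({"Z_AP_VENDOR_MAINT"}, {"Z_AP_INVOICE"}))
    # The stale rule set lets the custom invoice transaction through unflagged:
    print(simulate_assignment({"Z_AP_VENDOR_MAINT"}, {"Z_AP_INVOICE_NEW"}))
    print(ruleset_coverage_gaps())
```

The last two calls show the failure mode the text describes: assigning the new invoicing role to a vendor-master maintainer produces no hit, because the rule set still only knows FB60 and MIRO, while the coverage check surfaces ZFB60 as a transaction that no rule covers. Running that coverage check on every transport or role change, rather than "from time to time", is the cheap way to keep a static rule set honest.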
Traditional applications typically have a software-licence to implementation-cost ratio of between 1:3 and 1:5. That is, for every dollar spent on licensing in the first year, the organisation can expect to pay a further three to five dollars on implementation and configuration. The implementation process itself is often the organisational equivalent of open-heart surgery, given the sheer intensity of the process.
New-generation GRC applications are typically implemented at least 50% faster than traditional applications. This translates into lower total cost of ownership, less business disruption and quicker establishment of GRC capability.
Aside from the cost-saving implications of rapid deployment, Agile GRC configurations allow users to “fail faster” in the positive sense by getting vital feedback on access simulations and adverse process changes quicker, which allows for timeous adjustments.
Agile GRC vendors are connecting their applications with other vendors' applications in adjacent fields to provide a more holistic offering. Examples of this are integrations with Identity and Access Management solutions, Enterprise Risk solutions, Process Control solutions and Business Process Mining solutions.
The API economy enables organisations to choose the exact applications they require given their current business landscape and to create a “one-size-fits-one” GRC technology ecosystem that fits their needs. This contrasts with the traditional “one-size-fits-all” idea of one monolithic GRC application which caters for every conceivable scenario.
GRC solutions need to be able to analyse non-ABAP-based solutions as SAP moves more functionality to the cloud (SuccessFactors, Ariba, Concur, etc.) and customers start replacing non-core SAP products with third-party solutions (Salesforce.com and Workday). Agile GRC solutions are future proof in that they can analyse access risk from traditional SAP systems (ABAP) as well as SAP cloud and third-party solutions in one view.
Managing access risks is time-consuming and laborious. Using historical data to develop trust relationships will allow GRC practitioners and business users to focus on the exceptions. Examples of this include:
- Monitoring transaction usage activity and highlighting exception transaction codes.
- Knowing which terminal is used by the user to access SAP and highlighting any activity from a different (non-trusted) terminal.
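Both bullets above are the same technique: learn what is normal for each user from history, then review only what falls outside it. The Python below is an added example, not code from the article or from Soterion's product. Its record layout (date, user, transaction code, terminal) is a constructed stand-in for the fields that the SAP Security Audit Log (SM20) or workload statistics (STAD) would supply; the users, terminals and dates are invented. It builds a per-user baseline of transaction codes and terminals from records before a cut-off date, then flags review-period events that use a new transaction code, come from an unknown terminal, or belong to a user with no history at all.

```python
"""Added example: per-user baselines from historical SAP usage records and
exception reporting against them. Records are constructed; the field layout
loosely mirrors SM20/STAD but is not an SAP export format."""
from collections import defaultdict

# Constructed history: (ISO date, SAP user, transaction code, terminal).
HISTORY = [
    ("2020-03-02", "JSMITH", "FB60", "WS-FIN-01"),
    ("2020-03-03", "JSMITH", "MIRO", "WS-FIN-01"),
    ("2020-03-09", "JSMITH", "FB60", "WS-FIN-02"),
    ("2020-03-04", "APATEL", "F110", "WS-TRS-07"),
    ("2020-03-11", "APATEL", "F110", "WS-TRS-07"),
    # Review period (on/after CUTOFF): the activity being assessed.
    ("2020-04-01", "JSMITH", "FB60", "WS-FIN-01"),    # routine, trusted
    ("2020-04-02", "JSMITH", "F110", "WS-FIN-01"),    # never ran payments before
    ("2020-04-03", "JSMITH", "FB60", "VPN-HOST-77"),  # unknown terminal
    ("2020-04-03", "TNEW",   "FK01", "WS-FIN-05"),    # user with no history
]
CUTOFF = "2020-04-01"  # ISO dates compare correctly as plain strings


def build_baseline(records, cutoff):
    """Per-user sets of transaction codes and terminals seen before cutoff."""
    baseline = defaultdict(lambda: {"tcodes": set(), "terminals": set()})
    for day, user, tcode, terminal in records:
        if day < cutoff:
            baseline[user]["tcodes"].add(tcode)
            baseline[user]["terminals"].add(terminal)
    return dict(baseline)


def find_exceptions(records, baseline, cutoff):
    """Events on/after cutoff that fall outside the user's baseline.
    A user with no history is reported explicitly rather than silently
    trusted, since an empty baseline would otherwise match nothing."""
    exceptions = []
    for day, user, tcode, terminal in records:
        if day < cutoff:
            continue
        profile = baseline.get(user)
        reasons = []
        if profile is None:
            reasons.append("no-baseline")
        else:
            if tcode not in profile["tcodes"]:
                reasons.append("new-tcode")
            if terminal not in profile["terminals"]:
                reasons.append("new-terminal")
        if reasons:
            exceptions.append({"date": day, "user": user, "tcode": tcode,
                               "terminal": terminal, "reasons": reasons})
    return exceptions


def review(records=HISTORY, cutoff=CUTOFF):
    """Build the baseline from pre-cutoff history and review the rest."""
    return find_exceptions(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for exc in review():
        print(exc)
```

Of the four review-period events only the first is trusted; the other three land on the exception list with a reason the business user can act on. Two caveats a practitioner should keep in mind: the terminal name in SAP logs is reported by the client front end, so treat a terminal match as a weak trust signal rather than proof of origin, and a baseline is only as clean as the history it was learnt from, so an access conflict that was already being exercised before the cut-off is by construction "normal" to this check and must be caught by the rule-set analysis instead.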
In our increasingly fast-paced world, there is a strong correlation between successful GRC and the level of business-user engagement in SAP organisations. Evaluating tools on the attributes that contribute to business-user engagement is therefore an appropriate evaluation tactic.