Investing in Governance, Risk and Compliance (GRC) is one of the most important business investments you can make. Modern businesses need effective yet efficient risk and compliance management solutions to support growth and sustain operations. Unfortunately, the vast majority of SAP customers that have implemented a GRC solution are not seeing the value they should from their investment.
While this can be influenced by a number of factors, it often comes down to one key reason: lack of business uptake. At Soterion, we have specifically developed a solution that simplifies GRC for SAP customers. However, the principles discussed in this article are just as relevant to users of other ERP solutions as they are those using SAP.
GRC for SAP customers: The link between uptake and ROI
Typically, an organisation’s GRC effectiveness is measured by how well business users perform their access risk management activities.
However, by their nature, GRC solutions are very complex and technical. They have been developed to analyse transaction codes, authorisation objects, and fields available in an SAP user’s ‘user-buffer’. Many of these solutions were developed from a technical audit perspective with very little consideration for their use by business users.
It’s a well-known rule of business that when it comes to technology, the more complex the solution, the less uptake you can expect from users.
Business users are at full capacity performing their daily jobs, and therefore asking them to perform onerous or cumbersome compliance tasks with complex solutions often leads to resistance. Users will typically keep pushing these activities back onto IT, which means that your GRC solution will become a back-end solution used by the SAP security and GRC teams, with minimal involvement from the rest of the business.
Putting business users at the heart of GRC
Business-centric GRC puts the business user at the centre of the process. It is all about enhancing business accountability of access risk through a business-first approach to all SAP security and GRC activities.
By enhancing business accountability of risk, an organisation will become more risk-aware and more effective in its risk management activities. One of the best ways to illustrate this is with the audit principle covering the three lines of defence.
The first line of defence is your business or operational users, the second line of defence is your risk and compliance departments, and the third line of defence is the audit and assurance departments.
Your first line of defence should always be your strongest. These are people who have been in your organisation for 15 – 20 years and understand your business better than anyone else.
Unfortunately, in most organisations, this is typically the weakest line of defence. That is not because those employees don’t know the risks in their area, it is because the organisation has not implemented the correct processes and systems to empower those users to participate in risk management activities.
Practical solutions and processes are key to performance
To facilitate business buy-in, it’s crucial that organisations running SAP use a GRC solution that is business-centric.
Business-centric GRC solutions convert technical language into business-friendly terms, allowing business users to not only understand the risks in their area of responsibility but also facilitate quicker decision making. And faster, more informed decision making reduces the business downtime of an SAP user waiting for long periods for SAP access requests.
It’s also important that your access risk management processes are practical enough that business users can execute appropriate controls.
Take, for example, the User Access Review process. This is where business users review their users’ SAP access to determine whether this access is still relevant for their job function. The process typically takes the reviewers many hours to perform the review. Additional challenges can also present along the way, such as non-descriptive SAP role names making it difficult for the reviewers to know exactly what access or functionality the role users are entitled to.
The process can be so time-consuming that in many cases, organisations discover the effort does not justify the value of the exercise.
Soterion is a leader in business-centric GRC for SAP customers. Each and every feature has been developed from the perspective of the business user. Our GRC solution enables the User Access Review to be performed by business process, thus eliminating any deficiencies in the SAP role naming convention. Business users can perform a more effective review that has a better business outcome. Using a business-centric GRC solution like this means a review typically takes less time, resulting in a significant cost saving for the organisation.
Get your users on board with business-centric GRC solutions
An organisation cannot manage their access risk effectively without business involvement. However, getting your business users on board and accountable for managing risk without the right tools and processes in place is an uphill battle.
Enhancing business accountability of access risk, with the use of a business-centric GRC solution, will improve the organisation’s overall risk awareness as well as their ability to manage their risk.
Soterion is a leader in business-centric GRC for SAP customers. If you don’t feel like you’re getting the most out of your GRC investment, get in touch to discuss how we can help.