
SAP Governance, Risk and Compliance (GRC)

A roadmap to reduced enterprise risk

A Turnkey Key Insights guide




Contents

Introduction
Section 1: Implementing core GRC tools
Section 2: Connecting Assurance teams
Section 3: Cyber security and GRC
Conclusion: Going beyond foundations

Introduction

As an organisation grows, particularly through merger and acquisition, internal teams get larger, more complex and increasingly fragmented - fractured both organisationally and geographically.

For SAP customers, this fragmentation makes risk ever more difficult to manage, with each function or department attempting to manage its own risks independently, detached from the big picture of the business as a whole.

It often falls on Chief Risk Officers or Compliance teams to guide the organisation towards reduced risk. But the challenges of multiple reporting formats, disparate tools, varied approaches and often a lack of interdepartmental communication make the job a tough one.

At a time when enterprises are grappling with complex regulatory compliance requirements, organisational sustainability and the ever-increasing cyber threat, many are therefore seeking a better way: a way to achieve a more consolidated, enterprise-wide view of risk.

For many, the answer lies in unifying and formalising their approach under the banner of Governance, Risk and Compliance (GRC).

While in reality this means different things to different people, it can broadly be defined as a strategy to manage risk across the organisation, ensure compliance and align IT with business strategy.

In this guide, we'll identify how a firm can take on the process of GRC transformation, highlighting the key SAP tools to deploy and providing a roadmap to establishing a strong and stable GRC function.

Make no mistake, the process can appear lengthy; however, incremental transformation programmes typically deliver value continuously over two to three years - despite the technical software deployments taking only a matter of months.

The level of involvement, buy-in and process change in the business shouldn't be underestimated, but equally, it shouldn't be shied away from. The benefits of business-wide risk reduction are well worth the journey.

Many organisations start their GRC transformation path at different points, usually as a result of a compelling event or following an audit report. However, the roadmap described here is a guide for organisations wanting to commence their transformation without such drivers dictating where to start.

Section 1:

Implementing core GRC tools

The starting point for SAP customers seeking to formalise their approach to risk is the implementation of core SAP GRC tools, which establish a foundation towards the holy grail of Integrated Risk Management.

This initial project wave requires three SAP GRC solutions, which, if implemented correctly, help to prove the investment by building a solid platform for more effective and collaborative risk management, improved control assurance, more efficient compliance processes, and closer alignment with other risk functions and audit teams.

So, what are the three tools?

SAP Access Control

SAP Access Control helps identify and remediate access risks (for instance Segregation of Duties), improve access processes and designs, and automate provisioning.

By implementing Access Control, you start to cut away the manual effort required to risk-assess and provision user access within SAP - without undermining or compromising the internal controls implemented across the business.

As the best known and most commonly deployed module of the SAP GRC suite, Access Control has often been seen by organisations as the full solution, but in reality it covers only a small percentage of a business's overall security challenges.

Indeed, organisations need to go beyond the management of access in SAP to develop an effective integrated GRC function - with two further tools in the same suite helping to provide a more solid base for efficient risk management.

SAP Process Control

SAP Process Control establishes a platform of control frameworks for finance, IT and other business functions, aiming to identify control weaknesses through manual or automated testing.

Establishing a single internal controls platform across each business function helps provide a clear view of which controls are failing - while facilitating greater levels of automation to reduce the overall effort in control management.


In simple terms, it acts as your organisation's controls hub, helping you document, test, evaluate and monitor controls - both automatically and manually - right across the enterprise.

Duplication of effort is reduced at the same time, allowing risk to be managed centrally, rather than individual functions managing (often the same) risks in their own areas.

SAP Risk Management

Just as SAP Process Control provides a unified platform for business-wide controls, SAP Risk Management establishes a single platform for risk management processes across the organisation.

It breaks down the organisational fragmentation, or 'risk silos', commonly found in larger firms, and promotes more effective collaboration and ownership of cross-departmental risks.

Collaboration and cost savings

All part of the same installation package - and compatible with classic databases or with HANA - this core trio of SAP GRC tools can be deployed together, reducing the time and resources required for implementation.

This approach stacks up from a financial perspective too: if you provision a server (on-premise or cloud) to deploy SAP Access Control, you can simply activate the other tools on the same server - sharing the same computing power and reducing the total cost of ownership for hardware.

It should be noted, though, that while all solutions can be deployed together, not all functions need to be brought on board in one 'big bang'. A gradual transition is ideal, bringing departments into line one by one so that the current processes of each specific function can be properly assessed and accounted for - steadily reducing overall enterprise risk over time.

As the solutions share the same master data, parallel deployments also help to eliminate data duplication issues - often a root cause of poor collaboration, substandard risk reporting and ineffective control assurance.

Section 2:

Connecting Assurance teams

Having cemented a framework for risk and control management processes, the second wave of activity should focus on helping your organisation effectively audit and ensure that the controls put in place are correctly sized and addressing the right risks.

This second wave connects Internal Audit and Revenue Protection teams to the operational and departmental risks and controls established, allowing them to draw directly from the risk and control master data.
