An organisation’s GRC effectiveness is measured by how well its business users perform their access risk management activities.
Yet the vast majority of organisations that have implemented a GRC or access control solution are not seeing the value they should from that investment.
Why is This?
By their nature, GRC solutions are complex, technical tools. They were built to analyse the transaction codes, authorization objects and field values that make up an SAP user’s ‘user buffer’. Many of them were designed from a technical audit perspective, with very little consideration for how business users would actually use them.
Generally, the more complex the solution, the less uptake it gets from business users. Business users are already at full capacity doing their daily jobs, so asking them to perform onerous compliance tasks in a complex tool often leads to resistance. They keep pushing these activities back onto IT, and the end result is a GRC solution used predominantly as a back-end tool by the security and GRC teams, with minimal business involvement.
It is important to note that access risk is business risk. An organisation cannot manage its access risk effectively without significant business involvement. Organisations that are serious about managing their SAP access risk therefore need to implement a business-centric GRC solution.
What Is Business-Centric GRC?
Business-centric GRC puts the business user at the centre of the process. It is about strengthening business accountability for access risk through a business-first approach to all SAP security and GRC activities.
By strengthening business accountability for risk, an organisation becomes more risk-aware and more effective in its risk management activities. This can be illustrated using the three lines of defence model familiar from audit.

The first line of defence is your business or operational users. The second line of defence is your risk and compliance department, and the third line of defence is your audit and assurance department.
The first line of defence should be the strongest. These are people who have been in your organisation for 15 to 20 years and understand your business better than anyone else. Yet this is often the organisation’s weakest line of defence, not because users do not know the risks or the processes involved, but because the current solutions and processes do not lend themselves to business users taking ownership and becoming accountable.
As mentioned, business buy-in requires a business-centric solution. Business-centric GRC translates technical GRC language into business-friendly language, so that business users not only understand the risks in their area of responsibility but can also make decisions more quickly. Better-informed, faster decisions reduce the time SAP users spend waiting for access requests to be approved and assigned.
Soterion is a leader in business-centric GRC solutions. All features and functionality have been developed from the perspective of the business user, and Soterion recommends that access risk management processes be practical for business users to perform.
To illustrate this, consider the User Access Review process, in which business users review their staff’s SAP access to determine whether it is still relevant to each person’s job function. The review typically takes reviewers many hours, and on top of the effort it demands from the business, the value of the exercise often does not justify that effort.
Challenges such as non-descriptive SAP role names make it difficult for reviewers to know exactly what access and functionality a role entitles a user to. Soterion enables the User Access Review to be performed by business process rather than by role name, which removes the dependence on the quality of the SAP role naming convention. Business users can then perform a more effective review with a meaningful business outcome, in far less time and at a significant cost saving to the organisation.
Strengthening business accountability for access risk with a business-centric GRC solution improves an organisation’s overall risk awareness and its ability to manage that risk. Every organisation should therefore be looking to improve its first line of defence by embracing elements of business-centric GRC.
For more information, please contact us on info@soterion.com
This article is sponsored by Soterion