E-Book
Revamping and optimizing your
SAP GRC strategy
GRC is by now a well-known concept, but processes for keeping track
of it are still in the nascent stages at some companies, with many
companies still using Excel or SharePoint for reporting purposes. But
does your organization need dedicated GRC software? Readers will get
advice on how to get started with GRC software within the SAP
landscape, and how to use the software to achieve a successful
compliance strategy.
Readers will learn:
• How to assess whether your business needs GRC software
• Advice on what technology or development efforts can help your
business meet common compliance mandates, such as SOX and
Wal-Mart's compliance mandates
• The basics of data governance in the context of a GRC program
• Pros and cons of SAP BusinessObjects Access and Process
Controls software
Sponsored By:
SearchSAP.com E-Book
Revamping and optimizing your SAP GRC strategy
Sponsored By: Page 2 of 21
Table of Contents
Does your organization’s SAP GRC strategy need software?
Aligning your SAP GRC technology strategy with constantly shifting
compliance requirements
Getting started with data governance for GRC
Pros and cons of SAP BusinessObjects Access and Process Controls software
Resources by Security Weaver
Does your organization’s SAP GRC strategy need software?
By: Chris Maxcer, SearchSAP.com contributor
Any medium-to-large enterprise that faces government or industry regulations can probably
benefit from GRC software solutions, if not a totally revamped strategy.
The days of using spreadsheets or Microsoft SharePoint and a variety of manual checklists
and documentation that's locked up in the bowels of audit departments are far from over,
but savvy organizations are definitely looking to save money, cut time, and find answers.
Through it all, one thing is consistent: regulation.
"We always know there will be more regulations," said Tom Eid, vice president of research
for Gartner. "For instance, we may see more regulations because of what is happening with
Toyota, which may affect other manufacturing organizations across the globe. It's hard to
be proactive because you don't know what the regulations will be."
GRC defined, sort of
As an umbrella term, governance, risk and compliance (GRC) is about as difficult to nail
down as the interconnected compliance, security, governance, and risk management
challenges it sets out to describe. While GRC might be misused and abused as a term, a
loose definition is ultimately more workable than isolating each element because, really, it's
the interconnectedness of the people, processes, data and technology that describes today's
GRC.
Governance leans toward action and processes that work as intended, while risk
management aims to help a business weigh reward against possible pain. Compliance is
about ensuring that an organization is meeting a variety of industry or governmental
requirements. Meanwhile, there are different kinds of GRC even within organizations, which
makes it harder to assess whether a business needs GRC software in the first place.
What's your strategy?
"We all think that everybody has a strategy in place, but strategy, actually, is just
emerging," said Gary Dickhart, vice president of SAP's GRC customer advisory office.
While yesterday's GRC efforts were largely reacting, today's most successful GRC strategies
are moving from industry point solutions that meet specific regulations to broader efforts
that cross corporate silos. The main drivers tend to start with cost reduction but quickly
move into opportunity.
When the auditors went in with Sarbanes-Oxley, they gave people tools, and a lot of those
tools have aged to the point where they're worn out and unsustainable, Dickhart said.
“Businesses are saying, 'Where can we cut? We're spending a lot more here, and I know
we're compliant, but I also want to know about our own risk -- I want to know about our
strategic risk,'” he said. “'I want more information, not just whether we're compliant with
external regulations.' So the need for this overall risk profile as well as being able to
manage it effectively and efficiently, that's what's driving GRC efforts.”
But how do you get started revamping an enterprise's GRC strategy? One answer is value.
Chris McClean, an analyst for Forrester Research, recommends that to build a business case
for any GRC software solution, most companies will be well served to consider three areas
of value.
1. Efficiency
"If you consider SAP's Access Control -- or the new data-heavy GRC products -- a lot of
what they do is increase efficiency, so that's the first area to look at -- cost reduction and
efficiency," McClean said.
If you have all of your controls in one place and documented in the same way, that's going
to save a lot of time on both the internal and external audit process, he said. Data
gathering, for instance, is a huge area of wasted effort.
"If you have 10 people gathering data for a month, if you buy a solution, you might be able
to cut that in half. And the same goes for conducting risk assessments,” McClean said. “GRC
software can definitely help with efficiency."
2. Risk mitigation
Risk, of course, can emerge from the cost of non-compliance with a regulation, but it can
also arise from the failure of a business initiative. Consolidated processes can help identify
not just areas of exposure but also areas of opportunity, he said, because information is
collected in one place rather than scattered and lost across departmental silos.
3. Business decision support
If a company is choosing between India and China for outsourcing or looking at several
potential partners, product lines, or acquisitions it should be making, if the company has a
lot of good risk and compliance content, that can help make those decisions better, McClean
said.
"It's a hard area of value to meet,” he said, “and it usually takes a long time before GRC
programs are at that level.”
At first glance, GRC optimization is a daunting task -- monumental, even -- but SAP
customers, it turns out, have increasingly good options that are helping them gain value
across multiple areas of their enterprises.
Historically, in the areas of segregation of duties and super-user/developer access, Pearson
North America used a combination of manual processes and consulting services to achieve
compliance results. However, they quickly recognized the value of implementing an
automated solution that would ensure a more consistent, cohesive and stable global
business environment, according to Frank Di Pentima, vice president of financial
compliance/systems integration for Pearson North America.
"Additionally, we wanted to build on the company's strong risk awareness culture and
enhance our ability to continuously monitor and assess sensitive access for Functional and
Basis environments by creating an automated/preventative control environment without
impacting system performance," Di Pentima said.
“By implementing SAP's BusinessObjects Access Control solution, Pearson North America
gained a variety of benefits. Through the use of preventative and detective controls
implemented with our GRC solution, they were able to automate processes and controls
further by eliminating potential audit risks associated with complex user access
requirements within our ERP environments,” he said. “Additionally, they were able to create
a seamless process that allowed for Super-user/Development access to be granted and
monitored, further reducing risk associated with sensitive access."
"We achieved this without affecting system performance and helped drive down the cost of
compliance,” Di Pentima said.
Who needs to be involved?
At the SAP Customer Advisory Office, Dickhart's GRC teams recommend that enterprises get
their business departments, IT department and audit departments all involved as an
organization looks to consolidate, streamline and build upon its aging GRC processes.
"A lot of companies still have their audit department driving GRC strategies,” Dickhart said,
“but until GRC is recognized and adopted by the business people as part of their everyday
livelihood, it's not going to be part of the business -- it'll always be an adjunct process. So
getting that alignment between the three areas is something we emphasize.”
Getting different stakeholders involved in an SAP GRC revitalization project is a start toward
embedding GRC into the fabric of the enterprise, but what's next?
Before engaging a vendor for GRC software solutions -- even SAP -- companies need to
gather their stakeholder departments and isolate what it is they want to improve. Are you
trying to get ROI by reducing audit costs? Are you trying to improve your understanding of
your risk exposure? Do you need a better compliance management process or reporting
process?
"Figure out those objectives first," McClean said, noting that GRC software has matured to
the point where most of what organizations need right now is available. "If you start by
talking with the vendors, you'll more likely come up with a whole list of requirements or
capabilities that may fit in but may not be what you needed in the first place. Definitely get
your list of requirements really strong before you start talking to vendors."
Aligning your SAP GRC technology strategy with constantly shifting compliance requirements
By: Chris Maxcer, SearchSAP.com contributor
If there's one thing that's consistent about the world of GRC, it's that compliance
requirements are always changing -- and if a compliance mandate itself doesn't change,
enterprises are seeing guidance on compliance requirements change.
While financial requirements have been all the rage during a recession and time of
struggling banks, there's so much more going on.
"In other industries -- for example, with consumer product companies -- the U.S. Consumer
Product Safety Commission is not really changing requirements, but they are upping the
ante as far as scrutiny," said Chris McClean, an analyst for Forrester Research. More
resources for investigation are becoming available, and enterprises are facing larger fines
and increased risks in getting called out for business practices that fall on the wrong side of
regulatory -- or even public -- favor.
Moving targets
What started out as something that was thought to be fairly straightforward -- certification
of financial results with SOX 404 -- has developed into a number of different GRC solutions
and corporate strategies, according to Tom Eid, a vice president of research for Gartner.
Solutions that dive into the financial elements of GRC are the most mature, Eid said, but in
recent years solution providers have been coming at GRC problems from other angles, most
notably IT GRC, which is focused on infrastructure-related technologies and requirements.
IT GRC covers things around segregation of duties, configuration auditing, security and
identity access management, and secure event and identity monitoring, he said.
In turn, there is operations GRC, which tends to be aligned with revenue producing
activities, transaction monitoring, quality management, and environmental health and
safety regulations and requirements.
Understanding the three major types of GRC -- financial, IT and operational -- is critical to
helping an organization start mapping out a revamped GRC strategy. While every
organization is different, the major departments within an enterprise will have their own
areas of compliance to address. For instance, a CFO may typically face SOX, Basel-II or
OMB A-123, while the CIO may be concerned with HIPAA, ISO/IEC 27001, AS8015-2005,
GLBA and/or PCI DSS.
The vice president of HR may have to worry about FMLA or ERISA, while the vice president
of procurement may need to straddle aspects of OSHA, REACH and Clean Air, the last two of
which may also be shared with the vice president of an enterprise supply chain and/or COO.
The vice president of manufacturing (and COO), may also need to worry about regulations
with NERC, Clean Water, SARA and the FDA. A vice president of customer service or chief
marketing officer may have to maintain a handle on a variety of privacy and anti-spam
regulations.
Meanwhile, new business partner requirements are creating new areas of compliance, and
while failure to comply may not lead to jail time for executives or painful fines, business
partners have the power to choke off key revenue streams. Take, for example, the retail
giant, Walmart. With $405 billion in sales earned across more than 8,400 retail outlets in 15
countries, the company is one of the most important partners for its 100,000 suppliers
around the world.
Back in 2004, Walmart shook up its top suppliers with its RFID tagging and tracking
mandate, and now the company is at it again with its new "green" initiative. First
announced in July 2009, the effort started with Walmart asking its suppliers 15 questions
about their companies' sustainability, including key areas such as greenhouse gas
emissions, factory locations, water use, and solid waste produced. Next, the information
(and more details) will generate a database of information on the lifecycle of each product,
from raw materials to disposal, ultimately ending with a consumer product index rating that
will help consumers choose more environmentally friendly and sustainable products.
What are the net effects on suppliers? They're still unclear, but failing to play along with
Walmart could very well lead to a major drop in sales.
Technology to the rescue
Because most organizations operate in a fragmented and siloed fashion, IT departments
have often been tapped to help acquire and support an outright mess of different point
solutions and homegrown compliance solutions. Even so, many compliance requirements get
pushed back to business or operational departments, where they are effectively lost to the
organizational leaders as a whole. In this situation, a board of directors, for example, can't
get a level of transparency necessary to assure compliance across an enterprise, much less
have a real understanding of everyday and strategic risk.
"In the software market, products start out as point solutions, but over time they develop
into platforms or suites, and that's what we're seeing now -- this marketplace is still
best-of-breed in finance, operations and IT GRC, and at the same time we're seeing
developments where the GRC vendors can specialize in two but not three of these areas,"
Eid said.
GRC companies like OpenPages, Paisley, BWise, Protiviti, Aline, Archer Technologies, and
MetricStream -- most of these best-of-breed companies are either finance GRC vendors that
are building out additional IT GRC capabilities or they are IT GRC providers now building out
more financial GRC capabilities, he said.
Flexibility is key
While older regulations like SOX are understood and now have good guidance on how to
implement controls, every company is still unique.
"Flexibility with GRC systems is routinely one of a customer's top one or two key points they
are looking for," McClean said. "It needs to adjust to their workflow, their documentation,
their organizational structure -- and that flexibility is absolutely essential.”
That said, even without a GRC technology, companies have a fairly good handle on their
business requirements most of the time, whether it's their business partner requirements,
SOX, privacy legislation, or environmental health and safety, McClean added. The
companies have had to deal with the requirements for a long time, and the controls are
fairly well understood.
"It's being able to mold the GRC product around the business processes, the workflow and
the organizational structure that really matters," he said.
Enter SAP
For SAP, business processes represent the linkages across enterprise silos, and these basic
processes can be adapted to meet a variety of compliance requirements.
"If everyone in an enterprise came to IT and said, 'Hey, I need a solution for this, for that,'
it would be a nightmare because you would have more to buy than you would ever have
budget for and more to implement than you would ever have time for," explained SAP's
Dickhart. "What we try to do is provide one process, whether it's compliance to an external
regulation or it's compliance to an internal policy, so that the same process can be used
across all those entities -- and that's the basis for SAP's Process Control product."
It sounds so easy -- one process to rule them all. But there are more dimensions of the
problem. Not only do these processes go horizontally across organizations, they need to be
able to delve deeply into IT systems to make any sort of monitoring effective.
“SAP's GRC solution sits on the NetWeaver stack independently, then we provide agents
that sit in the processes -- or other systems -- that enable us to monitor information or
events that let us trigger exceptions against the rules that sit on our NetWeaver platform,”
Dickhart said.
"For example, in a heterogeneous environment, we have a customer who has Oracle, SAP
and a legacy system, and we can gather information from all of those systems,” he said.
“But the rules -- from a business process or segregation of duties perspective -- can be
normalized and stated in one way.”
SAP's strategy is not to replace dozens of other GRC tools and solutions but to utilize what a
customer has that's working already. For instance, SAP has partnered with Novell for
down-in-the-trenches event monitoring and identity management that can, for example,
actually give access control policies some teeth.
"We don't want to replace everything that the customer already has,” Dickhart said. “What
we're trying to do is find the spots in the business processes where we can supply the risk
information to the risk owner or business person and let them take action at the same time,
not as a process or report they have to review separately.”
MTU Detroit Diesel manufactures heavy-duty diesel engines for off-road use, and the
manufacturer is both an importer of mechanical parts and a global exporter of its products.
The company used to rely on manual processes for complying with federal import and
export regulations, requiring labor-intensive and time-consuming screening and licensing
processes. By implementing the SAP BusinessObjects Global Trade Services application,
however, MTU Detroit Diesel automated the processes, eliminated dependence on third
parties for regulations adherence, enhanced visibility into its international transactions,
benefited from improved compliance ratings, decreased the risk of noncompliance, and
decreased its cost of conducting compliance-related processes.
"The SAP BusinessObjects Global Trade Services application equips us with the tools we
need to maintain the level of compliance that U.S. Customs expects," said Adam Wood,
director of logistics for MTU Detroit Diesel. "It puts us in the driver's seat on issues that
could greatly affect our compliance. This is important to us because noncompliance can
result in audits, fines and penalties."
Getting started with data governance for GRC
By: Chris Maxcer, SearchSAP.com contributor
Data governance is nearly as expansive and confusing as GRC, and like GRC, it comes in
overlapping categories with terms that are poorly defined.
For example, the data quality and master data management (MDM) initiatives that
organizations have launched for use in data warehousing and business intelligence efforts
are tangential to data governance for financial reporting and compliance. The aims are
similar -- ensuring that data is not only accurate but also put to work accurately -- but the
solutions that ensure accurate data for BI may have little to do with the people and
processes needed to ensure correct financial reporting or compliance with environmental
health and safety regulations.
So how does an SAP-based organization get started with data governance for GRC? Here
are three core elements:
1. Don't start with a technology solution
It's not that SAP doesn't have options, and it's not that there aren't third-party vendors
available to help. Technology is only a part of the story, and it's not even in the early
chapters, so avoid the pitfall of thinking a shiny new MDM suite with a "GRC" tag on it will
keep your data-focused activities squeaky clean.
"Data governance can be a monstrous project, and for any large organization, it cannot be
handled simply by licensing a software package," said Chris McClean, an analyst for
Forrester.
Data related to GRC will be used to craft financial statements, submit regulatory filings, and
justify decisions at the highest level of the organization, McClean said. Confidence in that
data is clearly a high priority. Many GRC solutions have good capabilities for tracking how
certain information is created, changed or used, but the scope of this oversight is usually
quite limited.
“Comprehensive GRC efforts involve data related to customers, finances, market
information, product, quality, and much more," he said. "To gain confidence that all this
data is accurate and up to date usually requires sophisticated technology solutions as well
as rigorous process controls."
2. Expand your GRC stakeholders
A CFO, CIO or COO, for example, all have different GRC needs stemming from different
regulatory requirements that land on their departmental doorsteps. These stakeholders will
be the critical weight needed to make sure data is not only accurate in and of itself but,
more importantly, that the business processes and the people who interact with the data
actually work together appropriately within the expected business rules.
"Whether talking about data governance or just governance, the people part of the equation
is extremely important. The most successful GRC programs are when the number of GRC
stakeholders is expanded, not reduced," said Ranga Bodla, senior director of governance,
risk and compliance solutions for SAP.
“The way to do this is build a business case with the business that shows how an effective
program can reduce their individual work or make it more effective," Bodla said.
"Especially when it comes to data governance, so much of the focus is on data protection
after the fact; and, as a result, people get information that they then cannot use,” he said.
“Good GRC programs ensure that people only get the data that is appropriate for them, and
then people aren't dealing with data barriers."
3. Enlist help to save time and effort
In order to implement an effective data governance plan for GRC, most organizations will
need to go to SAP, to SAP's business partners, or to SAP-savvy data governance consultants
for the heavy lifting that will map their specific organization to business-appropriate
solutions. If your company is primed and ready to protect its data assets, consultants can
save you time and money -- not to mention headache and heartache.
It is possible, however, that larger organizations have internal experts who have already
completed similar data-intensive governance efforts in related ERP or CRM projects, and
GRC project managers can tap that experience for GRC-focused governance projects as
well, McClean said.
"However,” he added, “many will have to look for external guidance.”
For SAP customers in particular, SAP works to offer flexible options to help individual
enterprises.
"Most organizations will need some help in planning, deployment or best practices,” Bodla
said. “In that context, the best consultants know the product, can supply content, but also
can relay best practices that avoid elongated or false-start project expenses.”
“SAP's customer advisory office is actually providing our customers with a resource that can
suggest 'preferred' practices that can ensure project success,” Bodla said. The SAP
customer advisory office works hand in hand with consultants and the customer to drive the
adoption of these practices, he said.
SAP's BusinessObjects portfolio
SAP's primary GRC solutions are bundled as part of the SAP BusinessObjects portfolio,
which also includes the SAP BusinessObjects information management solutions that not
only support business intelligence efforts but also include solutions for data quality
management, MDM, and other data integration and related services.
SAP's GRC suite is part of the broader SAP BusinessObjects portfolio, which includes BI,
information management, and enterprise performance management, according to Gary
Dickhart, vice president of the GRC Customer Advisory Office for SAP.
“There's a lot of solutions out there that say, 'Let me look at all orders that were sent to a
sanctioned party list, or let me look for all adjustments made to our financials more than
$10,000 after the end of the period,' and there's all these bad scenarios that people look for
after they happened,” Dickhart said. “Our approach is, don't look for it after, build the
process so that it takes it into consideration within the process -- embed it in the process.”
The takeaway here is SAP's progressive strategy for GRC -- data governance and all the
process controls that go along with operating a business are best served when risk and
compliance are addressed from within the moment any action is occurring.
As companies look to gain benefit from their compliance efforts in order to actively reduce
risk and seek out opportunity, data governance is being recognized as a key foundation for
GRC.
This is an increasing issue, McClean said. In some aspects, a lot of the risk and compliance
programs over the last five years have been focused on documentation, so that in terms of
data governance, there's an audit trail of when policies were created or when certain data
was collected for risk assessment.
"Those are all important, but companies are looking for more data-centric risk and
compliance -- actually running analysis of key risk indicators and key performance
indicators -- so data governance is definitely becoming more important,” McClean said.
“You're talking about collecting data from hundreds of different locations, from different
business partners, so you must make sure that data is accurate and coming from the right
places."
Pros and cons of SAP BusinessObjects Access and Process Controls software
By: Chris Maxcer, SearchSAP.com contributor
Two of the most important core GRC solutions from SAP are part of the company's SAP
BusinessObjects portfolio: Access Control and Process Control.
Both access and process controls, generically speaking, are critical to many GRC efforts, so
these two SAP offerings cut a wide swath of possibilities for many SAP-focused enterprises.
Does this make looking to SAP for GRC solutions a no-brainer decision?
"Definitely not a no-brainer," notes Chris McClean, an analyst for Forrester Research. "If you
have a working relationship or a strategic relationship with SAP and they are running a lot of
your business processes anyway, it is a natural fit because they do have a lot of capabilities
to oversee the products you have in place."
The important thing to remember, even for SAP-focused companies, McClean warned, is
that there's no single platform or solution that's going to cover all of your GRC needs.
Because GRC is such a broad topic and covers so many of the world's largest and
best-funded enterprises, the GRC software landscape is extremely wide.
"The number of vendors that talk about having GRC or GRC-related technology is just
huge," McClean said, noting that most companies have already purchased and implemented
several products across their organizations, covering segregation of duties, risk
management, security, environmental health and safety, and many other point solutions.
While SAP should make your short list, there are other factors at play -- cost, flexibility and
the specific area of GRC you need to focus on, McClean said.
"SAP also has an environmental risk and compliance area as part of their GRC suite, so that
could be important,” he said. “But they don't have everything. For example, if you need
really detailed IT or HR risk and compliance, you might want to consider other solutions."
Ask the important questions
One starting point is to look at what collectively you are trying to solve. Ask questions such
as, “Are you still in a tactical mode or are you more proactive?” Tom Eid, a vice president of
research for Gartner, recommended.
For many companies, cost-reduction through streamlined solutions can't be dismissed as a
great tactical move.
One of SAP's BusinessObjects Process Control application customers, Sharp -- the leading
electronic manufacturer -- needed a GRC solution that could help it meet several objectives,
including providing a platform for process and control documentation. The company also
needed to streamline attestation and testing procedures, and to centralize and standardize
controls across the organization.
"SAP BusinessObjects Process Control provides us with an advanced set of tools that are
both sophisticated and intuitive for end users," noted George Dramalis, VP CIO for Sharp.
"The impact has been a more streamlined, transparent control environment that has
ultimately reduced our overall testing efforts. We expect that these improvements will yield
reduced external audit activity, as well as reduced external audit expenditures."
Another key factor is to understand whether your organization is inclined to implement a
short-term or long-term solution.
"Some will say, 'Longer term, we're looking to catch up and integrate in with our ERP, but
right now, this is a short-term problem, so we're looking at best of breed,'" Dramalis said.
Next, you need to know your core type of GRC -- financial, IT or operational GRC? Most GRC
solution providers have competencies in one or two key areas but are not yet savvy with all
three.
"You can enter in with any core GRC area, but make sure that downstream, you are
planning to support all three," Eid said. "Don't buy yourself into a corner so you have to go
through the whole process again in three or four years."
Where does SAP fit in?
"Our cut is SAP was being a bit more tactical until 2009, but then in 2009, we feel they've
taken a big step forward to take a more strategic view of the GRC marketplace where they
are really trying to create a linkage between GRC capabilities and overall enterprise
performance management," Eid said. "We anticipate by the end of this year, they'll have
another refresh going into their portfolio, and their GRC portfolio will continue to align with
the overall enterprise performance management strategy they have in place."
Look to the future
One of the important things to understand about SAP's GRC strategy is that it is designed to
work alongside solutions you may already have installed. SAP BusinessObjects has a business
intelligence background, and a hallmark of BI solutions is the ability to tap into a wide
variety of data from across corporate silos and then put it to work. This architectural tie
to SAP BusinessObjects helps SAP GRC solutions reach effectively across many SAP and
non-SAP systems to tap into data and processes.
"One of those things that is really interesting is that companies are starting to look seriously
at how risk relates to performance," Forrester's McClean said.
Going back to the financial crisis and similar issues, a lot of companies are very focused on
short-term results, making it easier to ignore risk data, he said. He is seeing more
companies that are starting to realize that when they look at the performance of a product
line or a business unit or an office, they can't look at performance without looking at risk
exposure also.
"It's going to take some time to actually implement that concept through processes and
technologies, but a lot of companies are starting to look at risk and performance together --
and that's one area that SAP has a fairly good message and a set of capabilities they are
starting to bring together," McClean said.
As part of the GRC software evaluation process, it's a good idea to look beyond the audit,
beyond compliance, and consider how GRC solutions can affect ongoing business.
As a former auditor, Gary Dickhart, vice president of the GRC Customer Advisory Office for
SAP, knows firsthand how many organizations have held onto the SOX-generated division
between consulting and auditing -- auditors could not audit solutions they themselves
recommended -- and the effect has been that many executives have looked to audits to
understand their performance.
"What's really been lacking is the infusion of knowledge down into the operation so the
people who are running their business know they are responsible for the controls and they
perform these every day, and know what makes a good or bad control," Dickhart said.
"That's evolving. The days of knowing whether I was doing bad or good, that was an audit --
if I got a good audit, I'm doing well, so we can wait until next time."
Next time you might have an operational problem, and that has to do with your controls and
how to manage risk, and that has nothing to do with the audit -- the audit is just a point-in-
time snapshot. Making people realize that the audit is not the control and that it's not
something they should depend on, that's key to actually extending GRC to the enterprise,
he said.
One company extending that understanding into real time is BearingPoint, a global provider
of management and technology consulting services that uses the SAP BusinessObjects Access
Control application. Needing a better way to handle analysis around compliance initiatives
such as Sarbanes-Oxley, BearingPoint chose Access Control to replace inefficient, manual
processes. The company also needed to reduce the high level of administrative effort and
involvement around managing controls.
"With the SAP BusinessObjects Access Control application, BearingPoint now has real-time
insight into controls," said Serkan Caliskan, a manager for BearingPoint. "We have
approximately 3,000 users of the application spread out over 14 … countries, and it enables
us to conduct real-time analysis and remediation to discover any potential regulatory
violations and provide solutions for them."
Resources from Security Weaver
Podcast: Improving Security & Accountability in the Public Sector
Case Study: Sunsweet Growers Cultivates Excellence
Company Relies on Security Weaver for Fast, Accurate Reporting
Case Study: Stiefel Laboratories
Skin Care Bellwether Generates Big Benefits with Security Weaver
About Security Weaver
Security Weaver is a leading provider of application controls management software for SAP.
The Security Weaver product suite is engineered to take the guesswork out of compliance in
any SAP environment and delivers actionable results in a matter of days.