Revamping And Optimizing Your SAP GRC Strategy - Bitpipe


E-Book
Revamping and optimizing your SAP GRC strategy

GRC is by now a well-known concept, but processes for keeping track of it are still in the nascent stages at some companies, with many companies still using Excel or SharePoint for reporting purposes. But does your organization need dedicated GRC software? Readers will get advice on how to get started with GRC software within the SAP landscape, and how to use the software to achieve a successful compliance strategy.

Readers will learn:
- How to assess whether your business needs GRC software
- Advice on what technology or development efforts can help your business meet common compliance mandates, such as SOX and Wal-Mart's compliance mandates
- The basics of data governance in the context of a GRC program
- Pros and cons of SAP BusinessObjects Access and Process Controls software

Sponsored By:

SearchSAP.com E-Book: Revamping and optimizing your SAP GRC strategy

Table of Contents
Does your organization's SAP GRC strategy need software?
Aligning your SAP GRC technology strategy with constantly shifting compliance requirements
Getting started with data governance for GRC
Pros and cons of SAP BusinessObjects Access and Process Controls software
Resources by Security Weaver

Sponsored By:
Page 2 of 21

Does your organization's SAP GRC strategy need software?
By: Chris Maxcer, SearchSAP.com contributor

Any medium-to-large enterprise that faces government or industry regulations can probably benefit from GRC software solutions, if not a totally revamped strategy.

The days of using spreadsheets or Microsoft SharePoint and a variety of manual checklists and documentation that's locked up in the bowels of audit departments are far from over, but savvy organizations are definitely looking to save money, cut time, and find answers. Through it all, one thing is consistent: regulation.

"We always know there will be more regulations," said Tom Eid, vice president of research for Gartner. "For instance, we may see more regulations because of what is happening with Toyota, which may affect other manufacturing organizations across the globe. It's hard to be proactive because you don't know what the regulations will be."

GRC defined, sort of

As an umbrella term, governance, risk and compliance (GRC) is about as difficult to nail down as the interconnected compliance, security, governance, and risk management challenges it sets out to describe. While GRC might be misused and abused as a term, a loose definition is ultimately more workable than isolating each element because, really, it's the interconnectedness of the people, processes, data and technology that describes today's GRC.

Governance leans toward action and processes that work as intended, while risk management aims to help a business weigh reward against possible pain. Compliance is about ensuring that an organization is meeting a variety of industry or governmental requirements. Meanwhile, there are different kinds of GRC even within organizations, which makes it harder to assess whether a business needs GRC software in the first place.

What's your strategy?

"We all think that everybody has a strategy in place, but strategy, actually, is just emerging," said Gary Dickhart, vice president of SAP's GRC customer advisory office.

While yesterday's GRC efforts were largely reactive, today's most successful GRC strategies are moving from industry point solutions that meet specific regulations to broader efforts that cross corporate silos. The main drivers tend to start with cost reduction but quickly move into opportunity.

When the auditors went in with Sarbanes-Oxley, they gave people tools, and a lot of those tools have aged to the point where they're worn out and unsustainable, Dickhart said.

"Businesses are saying, 'Where can we cut? We're spending a lot more here, and I know we're compliant, but I also want to know about our own risk -- I want to know about our strategic risk,'" he said. "'I want more information, not just whether we're compliant with external regulations.' So the need for this overall risk profile as well as being able to manage it effectively and efficiently, that's what's driving GRC efforts."

But how do you get started revamping an enterprise's GRC strategy? One answer is value. Chris McClean, an analyst for Forrester Research, recommends that to build a business case for any GRC software solution, most companies will be well served to consider three areas of value.

1. Efficiency

"If you consider SAP's Access Control -- or the new data-heavy GRC products -- a lot of what they do is increase efficiency, so that's the first area to look at -- cost reduction and efficiency," McClean said.

If you have all of your controls in one place and documented in the same way, that's going to save a lot of time on both the internal and external audit process, he said. Data gathering, for instance, is a huge area of wasted effort.

"If you have 10 people gathering data for a month, if you buy a solution, you might be able to cut that in half. And the same goes for conducting risk assessments," McClean said. "GRC software can definitely help with efficiency."

2. Risk mitigation

Risk, of course, can emerge from the cost of non-compliance with a regulation, but it can also arise from the failure of a business initiative. Consolidated processes can help identify not just areas of exposure but also areas of opportunity, he said, because information is collected in one place rather than scattered and lost across departmental silos.

3. Business decision support

If a company is choosing between India and China for outsourcing or looking at several potential partners, product lines, or acquisitions it should be making, if the company has a lot of good risk and compliance content, that can help make those decisions better, McClean said.

"It's a hard area of value to meet," he said, "and it usually takes a long time before GRC programs are at that level."

At first glance, GRC optimization is a daunting task -- monumental, even -- but SAP customers, it turns out, have increasingly good options that are helping them gain value across multiple areas of their enterprises.

Historically, in the areas of segregation of duties and super-user/developer access, Pearson North America used a combination of manual processes and consulting services to achieve compliance results. However, they quickly recognized the value of implementing an automated solution that would ensure a more consistent, cohesive and stable global business environment, according to Frank Di Pentima, vice president of financial compliance/systems integration for Pearson North America.

"Additionally, we wanted to build on the company's strong risk awareness culture and enhance our ability to continuously monitor and assess sensitive access for Functional and Basis environments by creating an automated/preventative control environment without impacting system performance," Di Pentima said.

"By implementing SAP's BusinessObjects Access Control solution, Pearson North America gained a variety of benefits. Through the use of preventative and detective controls implemented with our GRC solution, they were able to automate processes and controls further by eliminating potential audit risks associated with complex user access requirements within our ERP environments," he said. "Additionally, they were able to create a seamless process that allowed for Super-user/Development access to be granted and monitored, further reducing risk associated with sensitive access."

"We achieved this without affecting system performance and helped drive down the cost of compliance," Di Pentima said.

Who needs to be involved?

At the SAP Customer Advisory Office, Dickhart's GRC teams recommend that enterprises get their business departments, IT department and audit departments all involved as an organization looks to consolidate, streamline and build upon its aging GRC processes.

"A lot of companies still have their audit department driving GRC strategies," Dickhart said, "but until GRC is recognized and adopted by the business people as part of their everyday livelihood, it's not going to be part of the business -- it'll always be an adjunct process. So getting that alignment between the three areas is something we emphasize."

Getting different stakeholders involved in an SAP GRC revitalization project is a start toward embedding GRC into the fabric of the enterprise, but what's next?

Before engaging a vendor for GRC software solutions -- even SAP -- companies need to gather their stakeholder departments and isolate what it is they want to improve. Are you trying to get ROI by reducing audit costs? Are you trying to improve your understanding of your risk exposure? Do you need a better compliance management process or reporting process?

"Figure out those objectives first," McClean said, noting that GRC software has matured to the point where most of what organizations need right now is available. "If you start by talking with the vendors, you'll more likely come up with a whole list of requirements or capabilities that may fit in but may not be what you needed in the first place. Definitely get your list of requirements really strong before you start talking to vendors."

Aligning your SAP GRC technology strategy with constantly shifting compliance requirements
By: Chris Maxcer, SearchSAP.com contributor

If there's one thing that's consistent about the world of GRC, it's that compliance requirements are always changing -- and if a compliance mandate itself doesn't change, enterprises are seeing guidance on compliance requirements change.

While financial requirements have been all the rage during a recession and time of struggling banks, there's so much more going on.

"In other industries -- for example, with consumer product companies -- the U.S. Consumer Product Safety Commission is not really changing requirements, but they are upping the ante as far as scrutiny," said Chris McClean, an analyst for Forrester Research. More resources for investigation are becoming available, and enterprises are facing larger fines and increased risks in getting called out for business practices that fall on the wrong side of regulatory -- or even public -- favor.

Moving targets

What started out as something that was thought to be fairly straightforward -- certification of financial results with SOX 404 -- has developed into a number of different GRC solutions and corporate strategies, according to Tom Eid, a vice president of research for Gartner.

Solutions that dive into the financial elements of GRC are the most mature, Eid said, but in recent years solution providers have been coming at GRC problems from other angles, most notably IT GRC, which is focused on infrastructure-related technologies and requirements. IT GRC covers things around segregation of duties, configuration auditing, security and identity access management, and secure event and identity monitoring, he said.

In turn, there is operations GRC, which tends to be aligned with revenue producing activities, transaction monitoring, quality management, and environmental health and safety regulations and requirements.

Understanding the three major types of GRC -- financial, IT and operational -- is critical to helping an organization start mapping out a revamped GRC strategy. While every organization is different, the major departments within an enterprise will have their own areas of compliance to address. For instance, a CFO may typically face SOX, Basel-II or OMB A-123, while the CIO may be concerned with HIPAA, ISO/IEC 27001, AS8015-2005, GLBA and/or PCI DSS.

The vice president of HR may have to worry about FMLA or ERISA, while the vice president of procurement may need to straddle aspects of OSHA, REACH and Clean Air, the last two of which may also be shared with the vice president of an enterprise supply chain and/or COO. The vice president of manufacturing (and COO) may also need to worry about regulations with NERC, Clean Water, SARA and the FDA. A vice president of customer service or chief marketing officer may have to maintain a handle on a variety of privacy and anti-spam regulations.

Meanwhile, new business partner requirements are creating new areas of compliance, and while failure to comply may not lead to jail time for executives or painful fines, business partners have the power to choke off key revenue streams. Take, for example, the retail giant, Walmart. With 405 billion in sales earned across more than 8,400 retail outlets in 15 countries, the company is one of the most important partners for its 100,000 suppliers around the world.

Back in 2004, Walmart shook up its top suppliers with its RFID tagging and tracking mandate, and now the company is at it again with its new "green" initiative. First announced in July 2009, the effort started with Walmart asking its suppliers 15 questions about their companies' sustainability, including key areas such as greenhouse gas emissions, factory locations, water use, and solid waste produced. Next, the information (and more details) will generate a database of information on the lifecycle of each product, from raw materials to disposal, ultimately ending with a consumer product index rating that will help consumers choose more environmentally friendly and sustainable products.

What are the net effects on suppliers? They're still unclear, but failing to play along with Walmart could very well lead to a major drop in sales.

Technology to the rescue

Because most organizations operate in a fragmented and siloed fashion, IT departments have often been tapped to help acquire and support an outright mess of different point -- and homegrown compliance -- solutions. Even so, many compliance requirements get pushed back to business or operational departments, where they are effectively lost to the organizational leaders as a whole. In this situation, a board of directors, for example, can't get a level of transparency necessary to assure compliance across an enterprise, much less have a real understanding of everyday and strategic risk.

"In the software market, products start out as point solutions, but over time they develop into platforms or suites, and that's what we're seeing now -- this marketplace is still best-of-breed in finance, operations and IT GRC, and at the same time we're seeing developments where the GRC vendors can specialize in two but not three of these areas," Eid said.

GRC companies like OpenPages, Paisley, BWise, Protiviti, Aline, Archer Technologies, and MetricStream -- most of these best-of-breed companies are either finance GRC vendors that are building out additional IT GRC capabilities or they are IT GRC providers now building out more financial GRC capabilities, he said.

Flexibility is key

While older regulations like SOX are understood and now have good guidance on how to implement controls, every company is still unique.

"Flexibility with GRC systems is routinely one of a customer's top one or two key points they are looking for," McClean said. "It needs to adjust to their workflow, their documentation, their organizational structure -- and that flexibility is absolutely essential."

That said, even without a GRC technology, companies have a fairly good handle on their business requirements most of the time, whether it's their business partner requirements, SOX, privacy legislation, or environmental health and safety, McClean added. The companies have had to deal with the requirements for a long time, and the controls are fairly well understood.

"It's being able to mold the GRC product around the business processes, the workflow and the organizational structure that really matters," he said.

Enter SAP

For SAP, business processes represent the linkages across enterprise silos, and these basic processes can be adapted to meet a variety of compliance requirements.

"If everyone in an enterprise came to IT and said, 'Hey, I need a solution for this, for that,' it would be a nightmare because you would have more to buy than you would ever have budget for and more to implement than you would ever have time for," explained SAP's Dickhart. "What we try to do is provide one process, whether it's compliance to an external regulation or it's compliance to an internal policy, so that the same process can be used across all those entities -- and that's the basis for SAP's Process Control product."

It sounds so easy -- one process to rule them all. But there are more dimensions of the problem. Not only do these processes go horizontally across organizations, they need to be able to delve deeply into IT systems to make any sort of monitoring effective.

"SAP's GRC solution sits on the NetWeaver stack independently, then we provide agents that sit in the processes -- or other systems -- that enable us to monitor information or events that let us trigger exceptions against the rules that sit on our NetWeaver platform," Dickhart said.

"For example, in a heterogeneous environment, we have a customer who has Oracle, SAP and a legacy system, and we can gather information from all of those systems," he said.

"But the rules -- from a business process or segregation of duties perspective -- can be normalized and stated in one way."

SAP's strategy is not to replace dozens of other GRC tools and solutions but to utilize what a customer has that's working already. For instance, SAP has partnered with Novell for down-in-the-trenches event monitoring and identity management that can, for example, actually give access control policies some teeth.

"We don't want to replace everything that the customer already has," Dickhart said. "What we're trying to do is find the spots in the business processes where we can supply the risk information to the risk owner or business person and let them take action at the same time, not as a process or report they have to review separately."

MTU Detroit Diesel manufactures heavy-duty diesel engines for off-road use, and the manufacturer is both an importer of mechanical parts and a global exporter of its products. The company used to rely on manual processes for complying with federal import and export regulations, requiring labor-intensive and time-consuming screening and licensing processes. By implementing the SAP BusinessObjects Global Trade Services application, however, MTU Detroit Diesel automated the processes, eliminated dependence on third parties for regulations adherence, enhanced visibility into its international transactions, benefited from improved compliance ratings, decreased the risk of noncompliance, and decreased its cost of conducting compliance-related processes.

"The SAP BusinessObjects Global Trade Services application equips us with the tools we need to maintain the level of compliance that U.S. Customs expects," said Adam Wood, director of logistics for MTU Detroit Diesel. "It puts us in the driver's seat on issues that could greatly affect our compliance. This is important to us because noncompliance can result in audits, fines and penalties."

Getting started with data governance for GRC
By: Chris Maxcer, SearchSAP.com contributor

Data governance is nearly as expansive and confusing as GRC, and like GRC, it comes in overlapping categories with terms that are poorly defined.

For example, the data quality and master data management (MDM) initiatives that organizations have launched for use in data warehousing and business intelligence efforts are tangential to data governance for financial reporting and compliance. The aims are similar -- ensuring that data is not only accurate but also put to work accurately -- but the solutions that ensure accurate data for BI may have little to do with the people and processes needed to ensure correct financial reporting or compliance with environmental health and safety regulations.

So how does an SAP-based organization get started with data governance for GRC? Here are three core elements:

1. Don't start with a technology solution

It's not that SAP doesn't have options, and it's not that there aren't third-party vendors available to help. Technology is only a part of the story, and it's not even in the early chapters, so avoid the pitfall of thinking a shiny new MDM suite with a "GRC" tag on it will keep your data-focused activities squeaky clean.

"Data governance can be a monstrous project, and for any large organization, it cannot be handled simply by licensing a software package," said Chris McClean, an analyst for Forrester.

Data related to GRC will be used to craft financial statements, submit regulatory filings, and justify decisions at the highest level of the organization, McClean said. Confidence in that data is clearly a high priority. Many GRC solutions have good capabilities for tracking how certain information is created, changed or used, but the scope of this oversight is usually quite limited.

"Comprehensive GRC efforts involve data related to customers, finances, market information, product, quality, and much more," he said. "To gain confidence that all this data is accurate and up to date usually requires sophisticated technology solutions as well as rigorous process controls."

2. Expand your GRC stakeholders

A CFO, CIO or COO, for example, all have different GRC needs stemming from different regulatory requirements that land on their departmental doorsteps. These stakeholders will be the critical weight needed to make sure data is not only accurate in and of itself but, more importantly, that the business processes and the people who interact with the data actually work together appropriately within the expected business rules.

"Whether talking about data governance or just governance, the people part of the equation is extremely important. The most successful GRC programs are when the number of GRC stakeholders is expanded, not reduced," said Ranga Bodla, senior director of governance, risk and compliance solutions for SAP.

"The way to do this is build a business case with the business that shows how an effective program can reduce their individual work or make it more effective," Bodla said.

"Especially when it comes to data governance, so much of the focus is on data protection after the fact; and, as a result, people get information that they then cannot use," he said. "Good GRC programs ensure that people only get the data that is appropriate for them, and then people aren't dealing with data barriers."

3. Enlist help to save time and effort

In order to implement an effective data governance plan for GRC, most organizations will need to go to SAP, to SAP's business partners, or to SAP-savvy data governance consultants for the heavy lifting that will map their specific organization to business-appropriate solutions. If your company is primed and ready to protect its data assets, consultants can save you time and money -- not to mention headache and heartache.

It is possible, however, that larger organizations have internal experts who have already completed similar data-intensive governance efforts in related ERP or CRM projects, and GRC project managers can tap that experience for GRC-focused governance projects as well, McClean said.

"However," he added, "many will have to look for external guidance."

For SAP customers in particular, SAP works to offer flexible options to help individual enterprises.

"Most organizations will need some help in planning, deployment or best practices," Bodla said. "In that context, the best consultants know the product, can supply content, but also can relay best practices that avoid elongated or false-start project expenses."

"SAP's customer advisory office is actually providing our customers with a resource that can suggest 'preferred' practices that can ensure project success," Bodla said. The SAP customer advisory office works hand in hand with consultants and the customer to drive the adoption of these practices, he said.

SAP's BusinessObjects portfolio

SAP's primary GRC solutions are bundled as part of the SAP BusinessObjects portfolio, which also includes the SAP BusinessObjects information management solutions that not only support business intelligence efforts but also include solutions for data quality management, MDM, and other data integration and related services.

SAP's GRC suite is part of the broader SAP BusinessObjects portfolio, which includes BI, information management, and enterprise performance management, according to Gary Dickhart, vice president of the GRC Customer Advisory Office for SAP.

"There's a lot of solutions out there that say, 'Let me look at all orders that were sent to a sanctioned party list, or let me look for all adjustments made to our financials more than 10,000 after the end of the period,' and there's all these bad scenarios that people look for after they happened," Dickhart said. "Our approach is, don't look for it after, build the process so that it takes it into consideration within the process -- embed it in the process."

The takeaway here is SAP's progressive strategy for GRC -- data governance and all the process controls that go along with operating a business are best served when risk and compliance are addressed from within the moment any action is occurring.

As companies look to gain benefit from their compliance efforts in order to actively reduce risk and seek out opportunity, data governance is being recognized as a key foundation for GRC.

This is an increasing issue, McClean said. In some aspects, a lot of the risk and compliance programs over the last five years have been focused on documentation, so that in terms of data governance, there's an audit trail of when policies were created or when certain data was collected for risk assessment.

"Those are all important, but companies are looking for more data-centric risk and compliance -- actually running analysis of key risk indicators and key performance indicators -- so data governance is definitely becoming more important," McClean said. "You're talking about collecting data from hundreds of different locations, from different business partners, so you must make sure that data is accurate and coming from the right places."

Pros and cons of SAP BusinessObjects Access and Process Controls software
By: Chris Maxcer, SearchSAP.com contributor

Two of the most important core GRC solutions from SAP are part of the company's SAP BusinessObjects portfolio: Access Control and Process Control.

Both access and process controls, generically speaking, are critical to many GRC efforts, so these two SAP offerings cut a wide swath of possibilities for many SAP-focused enterprises. Does this make looking to SAP for GRC solutions a no-brainer decision?

"Definitely not a no-brainer," notes Chris McClean, an analyst for Forrester Research. "If you have a working relationship or a strategic relationship with SAP and they are running a lot of your business processes anyway, it is a natural fit because they do have a lot of capabilities to oversee the products you have in place."

The important thing to remember, even for SAP-focused companies, McClean warned, is that there's no single platform or solution that's going to cover all of your GRC needs. Because GRC is such a broad topic and covers so many of the world's largest and best funded enterprises, the GRC software landscape is extremely wide.

"The number of vendors that talk about having GRC or GRC-related technology is just huge," McClean said, noting that most companies have already purchased and implemented several products across their organizations, covering segregation of duties, risk management, security, environmental health and safety, and many other point solutions.

While SAP should make your short list, there are other factors at play -- cost, flexibility and the specific area of GRC you need to focus on, McClean said.

"SAP also has an environmental risk and compliance area as part of their GRC suite, so that could be important," he said. "But they don't have everything. For example, if you need really detailed IT or HR risk and compliance, you might want to consider other solutions."

Ask the important questions

One starting point is to look at what collectively you are trying to solve. Ask questions such as, "Are you still in a tactical mode or are you more proactive?" Tom Eid, a vice president of research for Gartner, recommended.

For many companies, cost-reduction through streamlined solutions can't be dismissed as a great tactical move.

One of SAP's BusinessObjects Process Control application customers, Sharp -- the leading electronic manufacturer -- needed a GRC solution that could help it meet several