The three letters GRC have become firmly fixed in the vocabulary of top management levels and on the agenda of CFOs. Although compliance, for example, with the Sarbanes-Oxley Act, and the resultant requirements of an internal control system were previously considered mostly in isolation, today companies are taking an integrated GRC approach: This is evident from both the development of theoretical framework concepts and GRC software solutions. The issue becomes how to achieve a good balance between theory and a software-supported implementation. Learn the most important points about automating GRC processes using a simple structure and SAP BusinessObjects GRC 10.0 solutions.
Key Concept
An internal control system is composed of established processes, measures, and principles designed to help the organization accomplish goals set by the management of the company. An internal control system plays an important role in preventing and detecting fraud and protecting the organization's resources, both physical (e.g., machinery and property) and intangible (e.g., reputation or intellectual property such as trademarks). Three major areas in focus are the efficiency and profitability of the business, compliant and reliable external and internal reporting, and compliance with regulations to which the company is subject.
SAP BusinessObjects GRC 10.0 consists of the main components SAP BusinessObjects Process Control, SAP BusinessObjects Risk Management, and SAP BusinessObjects Access Control. For the first time, all existing GRC components based on a common data model were integrated technically on one platform (SAP NetWeaver ABAP 7.02):
- SAP BusinessObjects Process Control (previous version: 3.0) – supports internal control system and compliance management
- SAP BusinessObjects Access Control (previous version: 5.3) with the following subcomponents: access risk management (formerly risk analysis and remediation), user access management (formerly compliant user provisioning), business role governance (formerly enterprise role management), and centralized emergency access (formerly superuser privilege management)
- SAP BusinessObjects Risk Management (previous version: 3.0)
Figure 1 shows a simplified view of the integrated approach in SAP BusinessObjects GRC 10.0.

Figure 1
The integrated approach in SAP BusinessObjects GRC 10.0
Note
From a process view, the Policy Management component can be considered separately as an independent component, even though technically and from a licensing perspective, it is a part of SAP BusinessObjects Process Control.
From a technical perspective, automation of content primarily means reducing the administrative effort required by the internal control system and any persons responsible for compliance. Higher efficiency is achieved owing to a standardized structure and reusable elements such as:
- Centralized documentation templates
- Parallel use of multiple internal control system dimensions (e.g., for compliance and operational controls)
- Mapping of shared services
Automation provides the following advantages: authorization-controlled access to the individual elements, logging of changes to the elements, and use of the elements in reporting. From the view of the processes, automation primarily relates to various activities that are applied to individual elements of an internal control system framework (Figure 2).

Figure 2
Internal control system process as a series of diverse activities
What does automating the GRC processes mean? Let’s start with the internal control system.
SAP BusinessObjects Process Control
The best way to think about the concept of automating the internal control system is to abstract it to two views that are to be merged in a software-supported solution: the content view and the process view. In SAP BusinessObjects Process Control, content refers to all documentation elements of an internal control system framework (such as processes, risks, controls, and G/L accounts) that are often merged in a risk and control matrix. From an implementation point of view, mass management of the content is relevant. For example, the content can be uploaded using the Master Data Upload Generator (MDUG) or various third-party solutions. MDUG is a component delivered free with SAP BusinessObjects GRC; it primarily enables the transfer or versioned backup of GRC content (e.g., from one system to another).
The main activities are a number of recurring, manual internal control system operations, such as confirmation of the execution of controls, design assessment, efficiency test, and risk assessment. Above all, automation of the manual internal control system operations means simple handling, predefined (or guided) procedures, and automated notifications and reminders. Workflows in particular allow individual tasks to be processed very intuitively. They enable you to achieve the main objective of internal control system and compliance management — structured and efficient information procurement and close collaboration with specialist departments.
Efficient planning is the core of the whole application. Here, the user can plan operations en masse. There are two main points:
- Selection of the organizational units: where applicable, the user can select either all reporting units or only those reporting units that match specific characteristics.
- Selection of the processes, controls, or risks as the subsequent step: the important point here is being able to select objects according to specific characteristics (e.g., risk level, control category).
A further advantage of process automation is the electronic storage of the results of activities. On one hand, this enables fast or real-time reporting of the compliance status. On the other hand, the use of attachments allows you to fulfill the principle of paperless compliance and supporting evidence.
However, the greatest added values in the internal control system process are the automated test and monitoring scenarios (also known as the continuous control monitoring approach). Here, the SAP BusinessObjects GRC system integrated with a business application automatically identifies deviations from the target status by evaluating master data, movement data, and control parameters, as well as update logs, according to specific rules.
In scenarios that focus on compliance and fraud, SAP BusinessObjects GRC generally strengthens the internal control system through higher accuracy and the capacity to evaluate large quantities of data, compared with the manual sampling or spot checks of system data that auditors sometimes still perform.
Where the focus is efficiency, scenarios can strive for direct savings, for example, by detecting inefficiencies (e.g., operations that have been shipped but not billed) or by monitoring the quality of master data. To summarize, the main characteristics of an automated internal control system management are represented in Table 1.
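The "shipped but not billed" scenario described above, written out as a monitoring rule over constructed delivery and billing records (added example, not code from the article or from SAP BusinessObjects Process Control; the record fields, rule name and the `max_days`/`min_value` control parameters are assumptions):

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample records standing in for delivery and billing data pulled
# from the business application; the field names are assumptions, not SAP fields.
DELIVERIES = [
    {"delivery": "80000101", "company_code": "1000", "goods_issue": date(2018, 9, 1), "net_value": 12500.0},
    {"delivery": "80000102", "company_code": "1000", "goods_issue": date(2018, 9, 20), "net_value": 800.0},
    {"delivery": "80000103", "company_code": "2000", "goods_issue": date(2018, 8, 15), "net_value": 43000.0},
    {"delivery": "80000104", "company_code": "2000", "goods_issue": None, "net_value": 9100.0},
]
BILLING_DOCS = [{"billing_doc": "90000501", "delivery_ref": "80000102"}]
AS_OF = date(2018, 9, 30)  # constructed evaluation date of the monitoring run

@dataclass(frozen=True)
class Deficiency:
    rule: str
    key: str
    company_code: str
    detail: str

def shipped_not_billed(deliveries, billing_docs, as_of, max_days=7, min_value=0.0):
    """Monitoring rule: a delivery whose goods issue is older than max_days and
    that no billing document references is a deviation from the target status.
    max_days and min_value are the control parameters that tune the rule."""
    billed = {b["delivery_ref"] for b in billing_docs}
    findings = []
    for d in deliveries:
        gi = d["goods_issue"]
        if gi is None or d["delivery"] in billed:
            continue  # not shipped yet, or already billed: nothing to report
        age = (as_of - gi).days
        if age > max_days and d["net_value"] >= min_value:
            findings.append(Deficiency(
                rule="SD_SHIPPED_NOT_BILLED", key=d["delivery"], company_code=d["company_code"],
                detail=f"goods issue {age} days ago, net value {d['net_value']:.2f}, no billing document"))
    return findings

if __name__ == "__main__":
    for f in shipped_not_billed(DELIVERIES, BILLING_DOCS, AS_OF):
        print(f)
```

Each Deficiency is the kind of record a continuous control monitoring run would route to the control owner for remediation.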

Table 1
Automated internal control system management using SAP BusinessObjects Process Control: efficiency drivers
Policy Management
Guideline management is an independent process. Automating this process primarily means designing the entire life cycle of a guideline efficiently. You can use the Policy Management component to do this.
From the internal control system view, however, guidelines can also be seen as important control mechanisms (Table 2). Therefore, integration with the internal control system framework is necessary at this point. Integration options with Risk Management are also of interest if further SAP BusinessObjects GRC modules are considered. Thus, guidelines actively contribute to minimizing risks.

Table 2
Guideline management as part of GRC
Which modules can be used to develop an automated internal control system process further in the direction of a comprehensive GRC approach? Let’s start with the authorization topics covered by the SAP BusinessObjects Access Control component.
SAP BusinessObjects Access Control
Even though, from the internal control system view, controls in business processes and access authorizations should form a standardized framework, in practice, these two areas often represent two independent silos. This is due above all to their organizational nature:
- The access authorizations are usually managed in IT (security departments).
- Responsibility for the content of controls in business processes (even if these are completely IT-based) lies with the specialist departments (e.g., accounting or purchasing).
In user and authorization management, GRC automation therefore consists primarily of designing the operative processes so that they conform to the internal control system and supplementing them with additional internal control system-relevant activities. For example:
- Analysis of existing and simulation of potential segregation of duties (SoD) violations
- Approval process for granting authorizations
Access Risk Management
Efficient detection of authorization risks is impossible without the use of tools. The primary objective of the access risk management component of SAP BusinessObjects Access Control is to detect critical authorizations or combinations of authorizations (segregation of duties [SoD]). The content (SoD rules) can be uploaded or maintained directly in the system; the maintenance process itself guarantees traceability of changes and the dual control principle (e.g., through notifications or release procedures for changes).
In the risk analysis, the efficiency results from the following points:
- Fast processing of vast quantities of data: broken down into authorization objects and values, millions of lines are analyzed.
- Cross-system risk analysis: authorizations are often spread across several different systems. User access management enables you to harmonize different instances of access logic and concepts at a central point.
- Organizational rules allow you to avoid false positives where a functional SoD violation is compensated by organizational separation.
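The three points above, cross-system analysis, rules over authorization objects and values, and organizational rules that suppress compensated conflicts, as one added SoD analysis over constructed data (example code, not the article's or the access risk management component's own; the function, risk, system and authorization-object names are illustrative stand-ins, not real SAP identifiers):

```python
# Constructed illustrative data. Object and activity names stand in for SAP
# authorization objects/values and are NOT real SAP identifiers.
FUNCTIONS = {  # business function -> every (auth_object, activity) it requires
    "VENDOR_MASTER_MAINT": {("VENDOR_MASTER", "CHANGE")},
    "PAYMENT_RUN": {("PAYMENT_PROGRAM", "EXECUTE"), ("ACCOUNTING_DOC", "POST")},
}
RISKS = {"P001": ("VENDOR_MASTER_MAINT", "PAYMENT_RUN")}  # risk id -> conflicting pair
# Per user: (system, auth_object, activity, company_code) as extracted from each system
USER_AUTHS = {
    "jdoe": [("ERP_PRD", "VENDOR_MASTER", "CHANGE", "1000"),
             ("ERP_PRD", "PAYMENT_PROGRAM", "EXECUTE", "1000"),
             ("ERP_PRD", "ACCOUNTING_DOC", "POST", "1000")],
    "asmith": [("ERP_PRD", "VENDOR_MASTER", "CHANGE", "1000"),     # vendors in 1000,
               ("ERP_PRD", "PAYMENT_PROGRAM", "EXECUTE", "2000"),  # payments only in 2000
               ("ERP_PRD", "ACCOUNTING_DOC", "POST", "2000")],
    "bkim": [("ERP_PRD", "VENDOR_MASTER", "CHANGE", "1000"),       # conflict spans
             ("PAY_PRD", "PAYMENT_PROGRAM", "EXECUTE", "1000"),    # two systems
             ("PAY_PRD", "ACCOUNTING_DOC", "POST", "1000")],
}

def function_org_values(auths, function):
    """Company codes in which the user holds every authorization the function needs."""
    codes = None
    for obj, act in FUNCTIONS[function]:
        held = {cc for (_sys, o, a, cc) in auths if o == obj and a == act}
        codes = held if codes is None else codes & held
    return codes or set()

def analyze(user_auths, cross_system=True, org_rules=True):
    """Return (user, risk_id, scope, company_codes) for each SoD violation.
    cross_system=False analyzes each system in isolation; org_rules=True drops
    conflicts whose two functions never meet in the same company code."""
    findings = []
    for user, auths in sorted(user_auths.items()):
        groups = {"ALL": auths} if cross_system else {}
        if not cross_system:
            for a in auths:
                groups.setdefault(a[0], []).append(a)
        for scope, scoped in groups.items():
            for risk_id, (fa, fb) in RISKS.items():
                ca, cb = function_org_values(scoped, fa), function_org_values(scoped, fb)
                if not ca or not cb:
                    continue  # user cannot execute both functions
                if org_rules and not (ca & cb):
                    continue  # organizational separation compensates: no violation
                codes = ca & cb if org_rules else ca | cb
                findings.append((user, risk_id, scope, sorted(codes)))
    return findings
```

Running `analyze(USER_AUTHS)` reports jdoe and bkim; bkim is found only because the two systems are analyzed together, and asmith is dropped only because the organizational rule is applied.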
As already stated, from the internal control system view, authorization topics should form a standardized framework. Therefore, the existing integration of SAP BusinessObjects Access Control with SAP BusinessObjects Process Control is important for the following reasons:
- Risk analysis results can be passed on from SAP BusinessObjects Access Control to SAP BusinessObjects Process Control, meaning that from the internal control system view, SAP BusinessObjects Process Control plays a central role.
- Controls used in access risk management for the purpose of risk mitigation can, at the same time, be part of the overall internal control system framework in SAP BusinessObjects Process Control and can thus be involved in a standard compliance management process.
From the process view, the benefit of analyzing authorization risks and mitigating them is more visible in the interaction of access risk management with the other SAP BusinessObjects Access Control components when considered as part of the workflow.
User Access Management and Business Role Governance
Project experience shows that the process of assigning access authorizations is faster and more reliable when it is supported by a workflow. This is implemented via the user access management component. Integration with Organizational Management (e.g., SAP ERP HCM OM) and Identity Management offers additional synergies where existing information can be reused beyond the boundaries of the organizations to which the user belongs. Integration with OM allows some provisioning decisions to be made automatically by deriving the information needed (e.g., from an HR position). Integration with Identity Management allows, among other things, the provisioning of authorizations in systems other than ERP systems.
Efficient management of roles (also supported by a workflow) in business role governance is primarily achieved by the use of mapping rules for specifying organization-specific authorization objects and by other features.
From a compliance point of view, workflows also enable all approval steps to be traced and audited. They also enable you to perform a risk analysis, and, where necessary, mitigate risks during the authorization assignment process.
User access management also offers workflows designed specifically for compliance purposes: the User Access Review Workflow and the SoD Review Workflow. You can use them to assign pure security and compliance tasks to the persons responsible and to monitor the processing of these tasks.
Centralized Emergency Access
Users have access to a simple and intuitive option for automating the emergency user concept, for example, to meet the requirements of auditors and to avoid the impractical approach of sealed envelopes with passwords kept in safes.
Table 3 summarizes the most important elements in the GRC integration of user and authorization management.

Table 3
User and authorization management as part of GRC: efficiency drivers
SAP BusinessObjects Risk Management
As part of compliance management, the SAP BusinessObjects Process Control component already offers a risk-oriented approach based on qualitative risk assessments or control risk assessments as part of the scoping process. If you want to take the risk analysis further (for example, in the direction of quantitative analysis, collaborative risk assessments, simulations, bow-tie risk builders, or risk heat maps), then I recommend the use of the SAP BusinessObjects Risk Management component.
If you look at risk management in the context of integrated GRC processes, you can recognize further synergy effects: on one hand, risks play an important part in the internal control system (e.g., during the risk-based scoping of controls), and on the other hand, depending on the level (strategic or operative), they are included directly in various procedures in the risk management process.
The integration of SAP BusinessObjects Risk Management with business applications when setting up key risk indicators (KRIs) is a further efficiency driver: risky developments in business processes can be detected and addressed at an early stage. From the perspective of content and process as mentioned at the beginning, I list the most important efficiency drivers in Table 4.

Table 4
SAP BusinessObjects Risk Management: efficiency drivers
The procedure presented for GRC automation, in which four important elements represent self-contained processes but also offer sufficient integration points with regard to a comprehensive GRC approach, has become reality with SAP BusinessObjects GRC 10.0. Integration means not only close linking of the individual GRC components with one another but also with business applications. Figure 3 shows a summary of the most important integration points.

Figure 3
Integration points in SAP BusinessObjects GRC 10.0
Maxim Chuprunov
Maxim Chuprunov (CPA, CISA, CRISC) has been dedicated to the professional area of SAP and compliance since his studies and continues to develop this topic in the GRC area. His particular specialty is the combination of the compliance view on business processes with technical know-how. In 2010 he founded Riscomp GmbH (Switzerland), a consultancy specializing in SAP GRC. Before that, he worked for KPMG DTG in Munich, KPMG LLP in Boston, SCHENKER AG in Essen, and SAP AG in Zurich. In 2007 he joined the Center of Expertise Financials & Compliance of SAP AG Switzerland. As a senior consultant he was a pioneer conducting the first international implementation and proof-of-concept projects for SAP BusinessObjects GRC solutions, focusing on the automation of the internal control system. He is known in SAP BusinessObjects GRC solution management as an expert and is engaged as a speaker by SAP Education for several SAP GRC courses. In 2011 he wrote a bestselling book on SAP GRC topics with SAP PRESS titled the Handbook for SAP Auditing, ICS and Compliance.
Maxim will be presenting at the upcoming SAPinsider GRC 2018 conference October 16-18 in Prague.
You may contact the author at maxim.chuprunov@riscomp.ch.