Reducing IT’s Role in SAP GRC Through Simplified Experiences
SAP GRC tools often require SAP expertise to use, and at many organizations that means that IT staff tend to be the ones doing much of the GRC work. That can lead to some shortfalls in identifying risk, particularly when it comes to adding or updating employees.
“GRC is a business tool not an IT tool,” says Mohamed Benadja, President at VASPP, an SAP partner that produces SAP Fiori-based SAP GRC extensions and add-ons. “The business is onboarding people, they know exactly what is a risk and what is not a risk. IT shouldn’t decide that because they can’t know every business process enabled in SAP solutions.”
How can IT be relieved of this GRC burden? By making GRC tools more accessible to business users who aren’t fluent in SAP. That’s where SAP Fiori comes into play, and vendors like VASPP are utilizing Fiori and SAP UI5 to create interfaces that can access SAP GRC data through consumer-grade experiences.
Benadja says the goal of Fiori-based add-ons and extensions for SAP GRC is to give companies something they can install quickly and that employees can adopt with short training.
How Greater Business Involvement Improves SAP GRC Processes
Limiting risk is the ultimate goal of many GRC solutions—that can include areas such as SoD risk, critical risk, access risk, security risk, fraud risk, and financial risk. Knowing the risk factors associated with these various areas often takes specific expertise, and that’s why it’s common to see GRC roles embedded within departments rather than in a centralized group.
Given that the expertise in specific areas is so important, it doesn’t make sense if IT is ultimately in charge of managing that risk information in the SAP GRC solution. However, that can be the case if experts on the business side don’t have the knowledge to work in traditional SAP interfaces.
If IT oversees approving roles, for example, they may not have all the business context to make the decisions. As Benadja notes, it’s more likely that a business user would know if certain rules are no longer valid, and more generally they will know the type of access a person needs to conduct their day-to-day job.
That’s why making it easier for subject-area experts to make decisions can have a better overall effect on a company’s risk management: it’s more likely that the right people are getting the right access to the right systems. Using Fiori, interfaces can be built that connect directly with SAP GRC, but offer more business-user-friendly capabilities.
So, if an interface gives the business user an easy way to approve roles, that means IT is no longer involved. This can also have benefits to the flow of business. It removes the process of putting in a ticket with IT, meaning the approval process speeds up. Benadja says that some companies will take as many as eight to 10 days to get through approvals when it’s up to IT, while the goal should be less than five days.
Five days can make a big difference when it comes to role approval—an extra five days waiting for access means that person can’t fulfill all their job responsibilities, and that has a ripple effect on other employees connected to the same processes.
What This Means for SAPinsiders
Examine how your current GRC-related processes are impacted by your GRC tool’s accessibility. Does your GRC tool require technical expertise, meaning business users need to create IT tickets to access important information? This may be slowing down processes such as risk assessment and access, which could be negatively impacting your business.
Enable more business involvement in GRC. Would consumer-grade interfaces allow your subject area experts to be more involved in decision-making around risk? If so, explore how that could affect—potentially positively—your risk management overall.