Tracking 2024 GRC Trends with Customer Advisory Group
⇨ As business ecosystems expand, GRC teams need to expand their focus as well and be able to apply established compliance policies, software, and risk detection capabilities to non-SAP and cloud systems.
⇨ Identity Management Systems (IDMs) work best when they are used only for their designated purposes.
⇨ Companies need to differentiate between the Access Control and Identity Access Governance solutions, as they are independent applications, each with its own dedicated purpose and potential functionality differences.
In 2024, governance, risk, and compliance teams will face new difficulties and trends. New and emerging threats, increasing size and complexity of IT landscapes, and the move to SAP S/4HANA all pose their own unique challenges. To help GRC teams understand some of the new trends for 2024, SAPinsider spoke with the CEO and cofounder of Customer Advisory Group James Roeske. He has more than 27 years of experience in the SAP GRC space. His organization now helps companies design and implement GRC and security strategies that minimize risk and enhance control.
Roeske highlighted three key areas that the GRC experts at Customer Advisory Group are paying special attention to at the outset of 2024 that all SAP GRC practitioners should be aware of.
Expand the GRC Footprint
For many years, GRC teams have focused intensely on reducing risk and compliance issues within the SAP ecosystem. As business ecosystems expand, these teams need to expand their focus as well and be able to apply established compliance policies, software, and risk detection capabilities to non-SAP and cloud systems.
Because of this original focus on SAP systems only, and because multiple teams own different systems in today's complex and diverse landscapes, having a single, consistent process or a GRC application that supports it all can be daunting. The result is that users must follow different, and potentially multiple, processes to accomplish the same task, even for simple things like requesting access across the landscape or identifying risk across multiple technology platforms.
Having to use distinctly different processes for these essential GRC tasks leads to frustration and delays for end users, compliance staff, and GRC administrators alike. Siloed systems also do not interact with each other, so manual administration tasks are required to bridge compliance gaps; in the worst case, there is no visibility of that interaction at all.
“Having a one-stop shop with the capabilities to expand the traditional provisioning and SOD analysis that they’ve had for years for SAP ABAP systems to these additional platforms and systems is very, very significant. Even from an audit perspective, an auditor is no longer just doing an SAP audit anymore. Now they’re doing an entire IT landscape audit, and customers need to be ready for that,” said Roeske.
These new and growing demands may tempt GRC teams or IT enterprise architecture managers to look for new compliance software platforms that can extend coverage to non-SAP and cloud systems outside their current, well-established GRC infrastructure. This is especially common when they are not fully aware of SAP GRC’s full capabilities and integration options. Their current GRC solution may already be able to integrate with these new requirements and, used to its fullest potential, can serve as the “one-stop shop.”
Roeske cautions enterprises not to “throw out the baby with the bathwater,” as they may be able to find the solutions and capabilities they need within SAP GRC. Organizations should first see whether they can extend their established GRC processes and platform integrations, rather than look for new process- or platform-specific software.
Use Identity Management Systems Wisely
Identity Management Systems (IDMs) are growing in popularity and evolving in functionality, becoming essential components of a secure and compliant IT infrastructure. This evolution will accelerate as customers’ IT landscapes continue to grow in the number of systems in which user accounts and access privileges must be maintained. While IDMs are important, all too often they are seen as a “silver bullet”: a solution used not only for their original design purpose of a centralized identity store and provisioning, but also pressed into service as compliance or risk identification tools.
However, companies may find more success if they use IDMs strictly for the tasks they are designed to excel at, such as serving as the user identity store, user lifecycle management, and access provisioning across multiple landscapes. IDMs may struggle when tasked with SoD analysis, mitigation assignment, and risk identification requirements.
Roeske says companies should find an IDM solution that works in tandem with GRC, rather than expecting the IDM solution to take on more functions than it was designed for.
“We need a lot more granularity when getting risk and compliance to be part of that IDM process. There are hooks and functionality where IDMs can leverage GRC strings and have the two work together to give you that well-rounded type of product,” said Roeske.
Find the Right Access Solution
Another key trend Roeske identified is the need to differentiate between the Access Control and Identity Access Governance (IAG) solutions. While there is a fair amount of overlap between IAG and Access Control, Roeske says companies should think of them as independent applications, each with its own dedicated purpose and potential functionality differences, while also knowing that the two can work together.
“When people hear about SAP IAG, they think that it is new and therefore is replacing SAP Access Control. That is not the case. They also think that IAG must be exactly what they had but better, brighter, and smarter. That’s human nature. The challenge with that logic is SAP designed IAG differently. They took a step back and they said, ‘We’re going to design this not with a cut and paste approach but rather in a completely different direction and treat it as a separate application with specific purposes without looking back at all the history and the functionality that you had before,’” said Roeske.
Understanding the differences, capabilities, and integration opportunities between SAP Access Control and SAP IAG is essential for customers deciding which GRC application is right for them. It may not be a choice of one or the other: IAG integrates with and augments SAP Access Control capabilities to extend them to the cloud. Understanding that design approach is crucial for SAP users. GRC teams should get in touch with third-party organizations that have a deep understanding of the SAP GRC space and can help them find the right solution to secure their SAP ecosystem.