Although not the glitziest module in an SAP installation, SAP Governance, Risk and Compliance (GRC) is one that, if implemented badly, can do serious damage to a company. Conversely, if it is implemented proactively and robustly, it mitigates risk and helps the business run more smoothly.
What is GRC?
SAP Governance, Risk and Compliance is an SAP solution that helps organizations comply with external and internal regulations while also reducing risk in their key operations. It covers four areas:
Identity and Access Governance: Verifying that users are who they claim to be, and controlling what they are allowed to do or see on an SAP system.
- SAP Access Control
- SAP Cloud Identity Access Governance
- SAP Identity Management
- SAP Single Sign-On
Enterprise Risk and Compliance: Ensuring that business processes follow agreed procedures and best practices, and that decisions which increase risk are approved at the appropriate level of the organization.
- SAP Risk Management
- SAP Process Control
- SAP Financial Compliance Management
- SAP Business Integrity Screening
International Trade Management: Compliance with international trade regulations.
Cybersecurity, Data Protection, and Privacy: Protecting data and reducing internet-borne threats.
- SAP Enterprise Threat Detection
- SAP Privacy Governance
- SAP Data Custodian
SAP enterprises often hesitate to invest in a GRC solution, and only do so after disaster strikes: perhaps they are in the press for selling products to sanctioned countries, have suffered a breach of customer data, or an insider has taken their systems down entirely. When they do react, they implement only the part of GRC that addresses that one issue, and the effort typically stops there.
A GRC implementation plan that is proactive and comprehensive can be worth its weight in gold, and it becomes more valuable as the enterprise grows. A well-planned and well-maintained GRC system gives a business proactive monitoring, automation, and assurance of compliance with best practices. The result is that disasters are avoided and the company stays out of the news.
Many SAP Enterprises Are Not Maximizing their GRC Investments
Even with a GRC solution in place, many enterprises find that their team has a skill gap that prevents them from taking advantage of the full range of benefits the system provides. Most customers limit the scope of their GRC implementation either through lack of expertise or because they cut corners to limit initial costs. Getting the full range of capabilities out of your GRC system is vital for minimizing business disruption. As risks multiply and change, a limited, static GRC approach no longer works; a proactive approach is required to get the most value out of your GRC solution.
What Are the Benefits of a Robust, Proactive GRC Approach?
- Confidence: A GRC setup with continuous monitoring and automated data collection gives the risk and audit teams, the board, and the organization as a whole assurance that the GRC strategy is rigorous.
- Faster risk mitigation: Accurate, automated data capture surfaces potential problems and risks so that they can be spotted swiftly and rectified.
- Reduced workload and cost: Automation across many areas of GRC minimizes manual, labor-intensive data gathering, increasing efficiency and cutting costs.
Certainly, not every feature of every SAP module is needed by every company. That said, it is important to spend time, effort and money on your GRC modules, even though other areas of SAP might appear to offer a higher payback in the very short term.
Highlighting the Access Control Module of GRC.
In my GRC experience, nearly every customer begins their GRC journey with SAP Access Control. For many people SAP Access Control is so ubiquitous that it is thought of as the entirety of GRC. Below is a look at this module as an example of a limited, short-sighted approach versus a robust implementation, and the benefits of the latter.
The following are critical SAP GRC Access Control modules that must be configured and managed correctly:
- Access Risk Analysis (ARA)
- Emergency Access Management (EAM)
- Access Request Management (ARM)
- Business Role Management (BRM)
- User Access Review (UAR)

The first module in the Access Control suite to activate is Access Risk Analysis. It helps prevent internal fraud by enforcing segregation of duties (SoD): for example, a company should not allow the same user both to create a vendor and to approve payments to that vendor. Access Risk Analysis is the foundation for the other modules in Access Control. Most organizations activate only Access Risk Analysis and then Emergency Access Management (to allow, for example, a consultant to debug an issue under a time-limited, logged "firefighter" ID). At many organizations Access Request Management, Business Role Management and User Access Review are left unused or under-utilized.
Limiting Access Control to these two components is short-sighted. Whether the cause is lack of knowledge of the benefits, poor planning or budget, a company that stops there is using GRC ineffectively and wastes time and money in the long run.
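The SoD check described above, at both role level (a conflict inside one role) and user level (clean roles that conflict once combined on one user), as an added illustration that is not SAP code. The transaction codes are commonly cited SAP ones; the function groupings, rule IDs, role names, users and the mitigating control are constructed assumptions. It also shows the preventive "what-if" check that a request-time workflow would run before provisioning a role.

```python
"""Segregation-of-duties (SoD) analysis at role and user level, in the style
of what a GRC Access Risk Analysis run does. Added illustration, not SAP code.

Transaction codes are commonly cited SAP ones; the function groupings, rule
IDs, role names, users and mitigating control are constructed assumptions."""
from itertools import chain

# Business functions -> the actions (transaction codes) that realise them.
FUNCTIONS = {
    "VENDOR_MAINTAIN": {"XK01", "XK02"},   # create / change vendor master
    "INVOICE_ENTRY":   {"FB60", "MIRO"},   # post vendor invoices
    "PAYMENT_RELEASE": {"F110", "F-53"},   # run / post outgoing payments
    "USER_ADMIN":      {"SU01", "PFCG"},   # maintain users and roles
}

# SoD rules: a rule fires when one identity can perform both functions.
SOD_RULES = {
    "R01": ("VENDOR_MAINTAIN", "PAYMENT_RELEASE"),  # the example in the text
    "R02": ("INVOICE_ENTRY", "PAYMENT_RELEASE"),
    "R03": ("USER_ADMIN", "PAYMENT_RELEASE"),
}

# Constructed roles and user assignments.
ROLES = {
    "Z_AP_CLERK":    {"FB60", "MIRO"},
    "Z_AP_PAYMENTS": {"F110", "F-53"},
    "Z_VENDOR_MDM":  {"XK01", "XK02"},
    "Z_AP_SUPER":    {"XK01", "F110"},   # conflict baked into a single role
}
USERS = {
    "alice": {"Z_AP_CLERK"},
    "bob":   {"Z_VENDOR_MDM", "Z_AP_PAYMENTS"},  # each role clean, user conflicted
    "carol": {"Z_AP_SUPER"},
    "dave":  {"Z_AP_PAYMENTS"},
}
# Mitigating controls assigned per (user, rule). A mitigated risk is still
# reported, not hidden, so auditors can see it and the control behind it.
MITIGATIONS = {
    ("bob", "R01"): "MC-042: monthly vendor-change report reviewed by AP manager",
}


def functions_for(actions):
    """Business functions an action set can perform (any one action suffices)."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}


def violated_rules(actions):
    """Rule IDs whose two functions are both reachable from `actions`."""
    enabled = functions_for(actions)
    return {rid for rid, (a, b) in SOD_RULES.items() if a in enabled and b in enabled}


def role_risks(roles=ROLES):
    """Role-level analysis: conflicts contained in a single role."""
    return {r: hits for r, acts in roles.items() if (hits := violated_rules(acts))}


def user_actions(user, users=USERS, roles=ROLES):
    """Effective authorisations: the union of every assigned role."""
    return set(chain.from_iterable(roles[r] for r in users[user]))


def user_risks(users=USERS, roles=ROLES, mitigations=MITIGATIONS):
    """User-level analysis; returns {user: {rule: 'open' | 'mitigated (...)'}}."""
    report = {}
    for u in users:
        hits = violated_rules(user_actions(u, users, roles))
        if hits:
            report[u] = {
                rid: f"mitigated ({mitigations[(u, rid)]})" if (u, rid) in mitigations else "open"
                for rid in sorted(hits)
            }
    return report


def simulate_assignment(user, new_role, users=USERS, roles=ROLES):
    """Preventive check: which NEW rules would fire if `new_role` were granted."""
    current = user_actions(user, users, roles)
    return violated_rules(current | roles[new_role]) - violated_rules(current)


if __name__ == "__main__":
    print("role-level:", role_risks())
    print("user-level:", user_risks())
    print("grant Z_VENDOR_MDM to dave would add:", simulate_assignment("dave", "Z_VENDOR_MDM"))
```

Run as-is: `Z_AP_SUPER` is flagged at role level, `bob` is flagged at user level even though neither of his roles is risky on its own (with his mitigating control shown), `carol` is an open finding, and the simulation shows that granting `dave` vendor maintenance would create a new R01 conflict before the role is ever assigned.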
Actionable Ways to Maximize GRC Benefits.
- Identify manual processes to automate. Manual processes are time-consuming, error-prone and, by extension, costly. Worse yet, a manual mistake can create major risk exposure when it comes to GRC. Some of the manual processes that can be automated are:
- Audit requirements
- Role Management
- Identifying SOD risk at role and user level
- Keep role owners and approvers updated
- Define, assign and review mitigating controls
- Identify the resources needed in each GRC area. As stated above, SAP GRC is a solution with many layers of complexity, and for many SAP enterprises the team lacks knowledge in one layer or another.
Without the right resources available to assist with the GRC implementation, it is easy for teams to let it fall by the wayside, and GRC capabilities then go unused. In a large company you may be able to find an internal GRC expert in a subsidiary that has already implemented it. For a smaller company on a timeline, the realistic option is to bring in an external expert to ramp up or supplement the internal team and get the processes automated to the point where the internal team can take over.
- Other Components of Access Control to Optimize and Configure:
Access Request Management (ARM)
For many organizations, user access was historically granted by completing paper forms that were approved by IT security. This was a manual process that required the manager's and the role owner's approval, it did little to check for compliance or cybersecurity risk, and it was typically slow, taking several days to complete depending on the complexity of the enterprise's operations.
With ARM, users submit access requests for immediate routing to approvers, and compliance and security checks (including SoD risk analysis) run automatically to identify risks before any authorization is assigned. This lets companies remove or mitigate risk in advance. ARM can be customized to reflect the enterprise's access-provisioning policies.
With ARM, every access request and approval task is logged, which keeps a record of changes for later analysis and auditing. One of the main problems with the manual process is approval delays caused by changes in the org structure: forms are not updated and approvals go to the wrong people. With ARM you can define backup approvers, out-of-office handling and escalations so that requests are approved and completed on time.
Best of all, SAP enterprises can customize the workflow to reflect their own access policies. Role and authorization assignments are logged in SAP for future audit reference. In these ways ARM helps ensure corporate compliance with laws and regulations.
Business Role Management (BRM) – A centralized tool for managing business roles and deploying them to other SAP systems in a complex landscape.
Just as ARM controls user access, BRM controls business roles and their attributes. BRM enables IT administrators to build roles, run risk analysis before a role is deployed, and document the process. However, some organizations activate BRM only to upload roles and attributes for use in Access Request Management, without taking advantage of its other functions:
- Manage the lifecycle of roles centrally, including role creations, managing naming conventions, role updates.
- Maintain role owners and involve them in all aspects of building roles.
- Run Risk Analysis before a role is deployed to check if the role has SOD risk.
- Log role changes to be reviewed by auditors.
- Create system-independent roles to be assigned in backend systems. With this concept, a technical role created in GRC Access Control can be distributed and assigned to users in other SAP systems once it is shared with SAP Identity Management.
To summarize, BRM is the right tool for simplifying technical role assignments in the backend systems.
User Access Review (UAR)
Some companies have manual processes for reviewing the roles assigned to users; others have none. UAR is the GRC tool that helps the company meet audit requirements for periodic access review, and it ships with SAP Access Control, so there is no reason not to use it.
UAR provides a workflow and approval process: users and their role assignments are sent to the role owner or the user's manager for verification. This lets SAP enterprises periodically review the effectiveness of their internal access controls, reduces the need for manual reviews of high-risk accounts, and supports decisions about terminating user accounts or removing access.
Some of the advantages of activating UAR are:
- Reduce the time to run periodic access reviews by automation
- Minimize incorrect assignment of access to users
- Remove unnecessary elevated access from users
- Improved efficiency and visibility of the internal control process
- Automatic role removal
- Provide history reports assisting in monitoring the review process
- Audit trail and reports for support are available for internal and external audits