SAP’s Frank Rambo comments on guidelines to follow and pitfalls to avoid when implementing SAP BusinessObjects GRC 10.0 solutions.
To provide some answers to possible challenges you may have during an implementation of SAP BusinessObjects GRC 10.0, I interviewed Frank Rambo, director of the GRC practice unit within SAP’s Customer Solution Adoption (CSA) organization, about measures to take to ensure a successful implementation of SAP BusinessObjects GRC 10.0 solutions. Here are his comments.
What configuration issues might arise during an implementation of SAP BusinessObjects GRC 10.0?
Areas that have changed are the setup of multiple compliance initiatives and automated rules in SAP BusinessObjects Process Control 10.0. Enhancements to the multicompliance framework provide better cross-compliance support. [In SAP BusinessObjects GRC 10.0] single control tests or assessments are more easily reflected across multiple compliance requirements. Additionally, more flexibility has been provided in handling regional control requirements and supporting data overrides of standard control definitions to reflect regional requirements. The expanded and enhanced rules framework now supports advanced rule logic, including calculated and logical operations, grouping and aggregation, and currency conversions. There is also improved integration with data sources, including queries, database tables, and reports, allowing for broader automated rules coverage. Of course, some training is required to make optimal use of these new abilities.
What do you think a key area to focus on during an implementation of SAP BusinessObjects GRC applications is?
SAP BusinessObjects GRC is a solution portfolio consisting of four powerful and separately licensed software products: SAP BusinessObjects Access Control, SAP BusinessObjects Process Control, SAP BusinessObjects Risk Management, and SAP BusinessObjects Global Trade Services. There is no right or wrong in the order of implementing them. Companies usually set different priorities for the focus of their GRC implementations. Some companies are looking for tactical solutions to rapidly respond to requirements in the context of the Sarbanes-Oxley Act or foreign trade regulations. Other companies are following a more strategic approach and aim to quantitatively assess risk and compliance across the entire organization and enable their management for a risk-adjusted corporate performance management.
What advice would you give to a project manager or systems analyst who is responsible for implementing SAP BusinessObjects GRC 10.0?
In version 10.0 the three applications SAP BusinessObjects Access Control, SAP BusinessObjects Process Control, and SAP BusinessObjects Risk Management have been harmonized with respect to underpinning platform technology, data model, and user interface. This allows for migrating installations of previous releases of the three applications into a single system client and running them in a significantly simplified system landscape. The shared data model opens the door for better integrated management of access risk, business risk, and compliance across the three applications. The new user interface significantly improves user experience and makes the three applications appear as one. But project managers and system analysts should also look into the many new, exciting features that were added to version 10.0 such as policy lifecycle management, multicompliance framework, collaborative risk management, and the visual bow-tie builder.
Note
To learn more about the harmonized platform for SAP BusinessObjects GRC 10.0, read Frank Rambo's article titled "An Overview of the New Harmonized Version 10.0 of SAP BusinessObjects GRC Solutions."
If a company is upgrading previous versions of SAP BusinessObjects GRC solutions to version 10.0, what should the company be wary of during the upgrade?
With version 10.0 SAP BusinessObjects Access Control was brought from the Java to the ABAP stack and is now leveraging SAP Business Workflow as the workflow engine. Because of this platform change, configuration and master data must be migrated — that is, exported — from the current installation and imported into a fresh, new installation of SAP BusinessObjects Access Control 10.0 on an SAP NetWeaver Application Server ABAP 7.02. The good news is that the software comes with handy export and import tools that help not only with migrating the data but also with cleansing it. Migration of rule sets, mitigation controls, role-related data, and also firefighter tables usually runs very smoothly. However, owing to the change in workflow technology, I’d rather advise reimplementing the workflows used in SAP BusinessObjects Access Control. This shouldn’t be a great deal as the real work lies in the design of the approval processes and identification of approvers rather than in their implementation. Companies that also want to upgrade their SAP BusinessObjects Process Control or SAP BusinessObjects Risk Management should do this first and then migrate the SAP BusinessObjects Access Control configuration and master data.
Does implementing or upgrading to one of the SAP BusinessObjects GRC 10.0 applications (say, SAP BusinessObjects Access Control) pose more of a challenge to IT managers or project managers than to other personnel?
IT managers will appreciate the simplified system landscape of SAP BusinessObjects GRC 10.0 as it will lower their TCO [total cost of ownership]. Experienced implementers will need to catch up with new features, but also require some delta training in particular in the areas of workflow in SAP BusinessObjects Access Control and multicompliance as well as automated rules framework in SAP BusinessObjects Process Control. Due to the move of the SAP BusinessObjects Access Control application to the ABAP stack, screens for requesting and approving access will look different. This should be considered when rolling out SAP GRC 10.0 solutions to end users.
In your article titled “How to Migrate Your Current SAP BusinessObjects Access Control Deployment to Version 10.0,” you state that migration of version 5.3 of SAP BusinessObjects Access Control to version 10.0 comprises three stages: preparation, transition, and cutover. Could you briefly describe these stages?
The objective is to organize the migration in a way that minimizes the impact to productive operation. A migration by definition involves exporting all relevant data from the current installation and importing it into a fresh, new installation of SAP BusinessObjects Access Control 10.0. During the preparation stage the target is to meet all technical prerequisites and complete all configuration tasks that don’t require the data to be migrated in order to keep the transition period as short as possible. During the transition stage your target systems are typically connected to both versions 5.3 and 10.0. You are exporting and importing configuration and master data as needed. Then, test your use cases with the migrated data and gain confidence with the new version. In the cutover stage you are closing down operation in the previous release and disabling user access. All users will work with the new version from that point on.
What is the most important action to take during the preparation, transition, and cutover stages? Are there any pitfalls to avoid during these stages?
During the preparation stage you’ll install SAP BusinessObjects Access Control 10.0 on an SAP NetWeaver Application Server 7.02 and then install the plug-ins on your SAP target systems. You will also need to apply all Support Packages as indicated in SAP Note 1590030 to allow for parallel connectivity of your SAP target systems to both versions of the application. Apart from these technical tasks you should also reflect what the centralized firefighter application in version 10.0 means for your availability requirements. If some of your SAP business systems require firefighter access to be highly available, then you have choices: Ensure high availability of your SAP BusinessObjects Access Control installation, which comes with additional costs; use the role-based mode for firefighting; or use the local firefighter application delivered together with the SAP NetWeaver plug-in.
The key tasks of the transition phase are the migration of configuration and master data and the tests of your use cases in your development and quality assurance systems. It is important to gain confidence that your rulesets deliver correct results and your approval workflows work as expected.
Once you have disabled user access in your productive version 5.3 installation for cutover, don’t forget to export historic transaction data such as closed access requests to keep them available for your auditors. It is not possible to import this data into the version 10.0 application; [instead] external tools such as Microsoft Excel [are needed] to display it.
What challenges would a project manager attempting to implement a change management strategy at an organization upgrading from previous versions of SAP BusinessObjects GRC solutions to version 10.0 face?
If a company plans an upgrade of SAP BusinessObjects Process Control or SAP BusinessObjects Risk Management to version 10.0 in combination with migration of SAP BusinessObjects Access Control into a single system client, then the orchestration of the different project time lines can become a challenge. From a technical perspective the upgrade has to be completed before the SAP BusinessObjects Access Control data can be migrated. If the company opted for an installation of SAP BusinessObjects Access Control in a separate system client, then it’d lose integration scenarios between SAP BusinessObjects Access Control and SAP BusinessObjects Process Control. However, the project time lines for the upgrade might be driven by different factors than for the migration. For example, in large companies compliance testing within the fiscal year may only allow for a small time window for an upgrade of the SAP BusinessObjects Process Control application. These constraints make thorough planning with all stakeholders necessary.
From a pure SAP BusinessObjects Access Control perspective, project managers should include in their planning end-user training covering the new screens in particular for submitting and approving access requests and new adopted features coming with version 10.0 such as template requests, customizable access request forms, and approval screens. Adoption of new features adds value and often improves user experience significantly.
Note
For more information on the new features and functionality of SAP BusinessObjects Access Control 10.0, read "What’s New in Version 10.0 of SAP BusinessObjects Access Control?"
What security issues should IT administrators be aware of during and after an implementation of SAP BusinessObjects GRC 10.0 solutions? What pitfalls should they avoid?
With version 10.0 we have a far more robust security model for SAP BusinessObjects Access Control in place, whereas SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management already came in previous versions with solid security features that allowed restricting access on all levels of the application. With the move to the ABAP stack in version 10.0, some 30 authorization objects were added to control access to all relevant data objects and actions in SAP BusinessObjects Access Control. In other words, all means for an object-level security model were added to the application such that design and implementation of an authorization concept for the application itself should from now on be part of every SAP BusinessObjects Access Control implementation project.
What is the most commonly asked question that you receive from people you speak with about implementing SAP BusinessObjects GRC 10.0?
People have a lot of questions around the platform itself — upgrade, migration, workflow configuration in SAP BusinessObjects Access Control — as well as around the data model and the integration capabilities. We already covered most of it in your previous questions. People also ask where SAP BusinessObjects GRC 10.0 adds most value compared with previous releases. For me it is the harmonization across the applications with respect to underpinning platform, data model, and user interface on the one hand, and a good number of great new features on the other hand.

Gary Byrne
Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at Internet.com, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn.
You may contact the author at gary.byrne@wispubs.com.