Perhaps the biggest enterprise lesson recently in the area of governance, risk, and compliance (GRC) is that silos don’t work well in this space. As a wider swath of stakeholders comes to the GRC table, a proven way to achieve true GRC effectiveness is to employ a holistic strategy that provides the full picture across the enterprise, not one that focuses on pockets of risk or compliance activity. But to get an effective program started, organizations need to focus on small returns and value propositions, and then let the demand take hold to enable deployment across the enterprise.
For many organizations, this is not welcome news because they are deeply entrenched in a siloed environment. They may have one system and strategy in place for risk management, another for compliance, another for data governance, yet another for security — and no integration or visibility across all of the areas. However, for SAP customers, the goal of a holistic GRC environment is realistically achievable. By having a single, integrated IT platform in place, SAP customers have the technology and infrastructure to build a comprehensive GRC program.
The benefits work both ways. Just as an ERP system can help advance a company’s GRC efforts, more organizations are realizing that implementing a GRC program will actually increase the value derived from their ERP investment in many areas. It has been a lesson that SAP customers are now truly starting to understand.
To put this all in perspective, this article highlights some of the pressing challenges SAP ERP customers are facing and benefits they may achieve from implementing a holistic GRC program.
In any ERP environment, there can be an abundance of labor-intensive processes, including provisioning, access checks, and other manual work that could be automated if only the configuration were set slightly differently. An effectively designed GRC program and technology implementation can enable automation in a number of these areas to ensure that the ERP environment speeds processes within the right confines. As an analogy, think of an ERP system as a high-performance race car and a GRC solution as the brakes. A common view may be that brakes slow down the car. However, the appropriate view is that brakes (or GRC in our analogy) allow the car (ERP and related processes) to go fast. High-performance cars typically have the most advanced braking systems to allow them to speed along and perform at a high level. GRC can do the same for ERP systems.
For example, if the proper controls are not in place, end users can easily find out how to gain unauthorized access to the various functionalities and transactions of nearly any ERP system with a simple internet search. By using a solution like SAP Access Control to deploy and monitor system access, users won’t be led in the wrong direction, but instead guided (or restricted!) to the most useful areas of the system for their role. Thus the race car keeps moving in the right direction.
The breadth of the people and organizational roles involved in GRC strategy is expanding. For example, when the Sarbanes-Oxley Act was introduced, it was primarily internal or corporate audit executives who were focused on GRC policies and the technology to support them. Today, most large companies have chief risk officers, and it’s not uncommon to see representatives from finance, operations, supply chain, and other areas of the business participating in GRC strategy sessions. The benefit is that, as policies and practices are streamlined and enforced via GRC technology, the business processes may also improve across the enterprise. This is achieved through consistency in how risk is defined, clarity in expectations on internal controls, and enforcement through automation in the ERP or GRC technologies.
Rather than simply asking what their group has to do to comply with an auditor’s or regulator’s requests, these business units are looking for ways to manage business risk proactively through automation available in the ERP system or through the use of GRC to manage a process. For example, GRC can help manage provisioning while reducing segregation of duties (SoD) conflicts and, where SoD risks exist and need to be mitigated, GRC can loop back and confirm the mitigation was effective and the risks were reduced. A great deal of that interest has been made possible by the technology that puts these processes in the business units’ hands instead of the auditors’ hands, allowing users to find the unique value in the GRC solution.
One common concern that we hear from our clients is that the cost of ensuring that their systems are compliant with internal and external requirements is spiraling upward. As companies expand and change their IT landscapes through acquisition or divestment, ensuring the compliance of new systems with existing requirements can be a time-consuming and costly proposition. In addition, audit functions, regulatory agencies, and key stakeholders are learning more about ERP systems and the risks associated with them. These stakeholders want assurance that risks are being proactively addressed. Where weaknesses are known and publicized, companies are exposed to violations, fines, and the loss of business, which increases cost concerns even further.
It’s a complexity issue that turns into a cost concern for many organizations that want to decrease the cost of testing automated controls. Many of those companies are realizing they can use GRC technology to streamline much of the compliance work through process efficiency, data management, and reporting capabilities.
Based on discussions with SAP’s GRC product team, SAP has invested in improving its GRC platform over the past few years, and analyst reviews indicate that this dedication to GRC technology puts its customers in a favorable position. This investment has increased the features and functionality of SAP’s GRC solutions, which are now mature and proven.
With the universe of GRC activity and stakeholders expanding, the challenge is to ensure that there is a place to gain a single, holistic view of GRC-related activity and measure the success of various initiatives. One common way to achieve this view is with dashboards. The ability to instantly pull the state of compliance for one or many required frameworks (such as Sarbanes-Oxley and the Foreign Corrupt Practices Act) is extremely appealing to business leaders. For example, identifying SoD violations within a single business unit is beneficial. But realizing that another unit within your company might not have the same issues can also be valuable for benchmarking and for understanding the process differences that allow one unit to operate SoD-free. Dashboards facilitate that knowledge sharing and help break down silos.
Fraud is a growing global concern for all companies, regardless of size or location. SAP responded to its customers’ needs and developed an SAP HANA-based solution — SAP Fraud Management — that helps companies analyze and manage information that pertains to fraud risk. Providing the ability to quickly analyze enterprise data for potential indicators of fraud is not something that has been historically simple in any ERP system. This new capability gives management the ability to identify and investigate potential cases of fraudulent activity in a timelier manner.
Many companies are under the impression that a GRC program is an all-or-nothing proposition — but that is not the case. You can realize measurable business benefits without making a massive up-front investment in GRC technology. For example, in about eight weeks, you could have a solution in place to manage SoD conflicts. Process controls is another ideal place to start because automating the testing and providing centralized visibility achieves business benefits and eliminates costly, error-prone manual tasks.
PwC is working with clients on similar “bite-sized” projects using standardized methodologies and an accelerated implementation strategy called “GRC in a Box” to bring quick wins without a long, drawn-out implementation. This strategy exemplifies the value of GRC solutions to the business as a whole to build stakeholder buy-in. For many companies, it makes more sense to start small and achieve quick wins to build the business case for long-term, broader GRC implementations and programs.
There is no official right time to start. A new business transformation project is an excellent opportunity to implement a GRC strategy. Building the compliance and automation requirements into a broader project from the beginning saves a lot of rework later. However, any time is the right time to start thinking about this, and the biggest mistake is to do nothing and assume the challenge of a holistic GRC strategy is being addressed elsewhere in the organization. To learn more, visit www.pwc.com/SAP.