Prepare a Holistic, Long-Term GRC Strategy to Reduce Risks and Drive Efficiency

by Jonathon Pasquale and Steven Oberhauser | SAPinsider, Volume 15, Issue 4

October 1, 2014

Too often, companies resort to short-term governance, risk, and compliance (GRC) fixes that result in additional vulnerabilities in the future. Find out how to ensure your GRC framework is mature, efficient, and effective and develop a comprehensive, long-term GRC strategy.


Many organizations still address governance, risk, and compliance (GRC) pain points and weaknesses — such as manually executed controls, segregation of duties (SoD) conflicts, or excessive access to SAP systems — with a short-term approach. Such reactionary and tactical methods typically result in “bandage solutions” that may provide temporary relief, but only mask the underlying issues without treating the causes.

These short-term fixes can result in long-term consequences that often require additional efforts to maintain, leaving the company scrambling to keep up. For example, if an SAP system’s security architecture is not optimized for assignment flexibility while minimizing SoD conflicts, there is often a need to mitigate users who have excessive access. Additionally, not taking full advantage of the features provided by a GRC tool may cause process inefficiencies. Ideally, flexible security roles work in conjunction with well-designed control environments to minimize the manual efforts needed to reduce risk.

By developing a broad vision that clearly articulates, quantifies, and proactively manages risk, while assessing potential performance impacts, companies can implement a holistic GRC solution as well as robust supporting processes that align IT, business, and compliance strategies.

Steps Toward a Mature GRC Environment

The first step in this journey is implementing a robust, integrated, and scalable GRC tool — SAP Access Control or SAP Process Control, for example — that will help act as the catalyst for the changes needed to achieve long-term organizational GRC-related goals.

Once the system is in place, the focus shifts to sustaining the technology and procedures implemented, including making intermediate plans for which enhancements and process changes are targeted for implementation. The goals of this phase should be prioritized to help ensure that maximum benefit is achieved while working toward the mature automated GRC state outlined in the original long-term strategic roadmap. Such benefits go beyond the ability to detect, mitigate, and prevent SoD or sensitive access risks before they reach the SAP ERP system.

With a holistic, long-term GRC strategy in place alongside the technology, organizations can realize additional benefits, such as:

  • Highly controlled SAP ERP systems featuring flexible, scalable, and sustainable security roles
  • Automated controls with reduced reliance on manual processes
  • Up-to-date actionable reports that help identify key risk areas before they become an issue

Cultivating a long-term GRC vision in addition to implementing a powerful GRC platform touches all facets of an organization and will help drive significant efficiencies while reducing risk and improving return on investment.

A Holistic Vision

KPMG offers services and promotes an integrated GRC framework that unifies an organization’s key business and IT elements, from culture and organization to infrastructure and risk management. This integrated approach replaces the piece-by-piece method that many companies use with an enterprise-wide focus on reacting to risks and opportunities with effective GRC solutions and processes.

To learn more, email the authors directly at and or visit

Jonathon Pasquale

Manager, Advisory

Steven Oberhauser

Director, Advisory
