Serco Group, an outsourcer and service provider for government, public, and private sector organizations, serves a range of markets — including healthcare, defense and aerospace, education, and housing — providing services such as operating transcontinental railroads in Australia, supporting defense systems around the world, and managing nearly 200,000 square miles of airspace in five countries. And this short list only scratches the surface of the wide range of contracts the £5 billion international business fulfills.
In 1988, when it was a much smaller company, Serco started trading on the London Stock Exchange. Its business model was based on each of its contracting organizations being largely autonomous. By treating each contract almost as an independent company, Serco could prioritize personal service and attention, which in turn rewarded the company with additional contracts and a strong brand. That entrepreneurial approach contributed to immense growth; the company now has a forward order book standing at over £17 billion, with more than 120,000 employees providing services and operational support for governments and companies all over the world.
“Serco’s growth reflects the high quality of the services we offer,” says Garry Fingland, Chief Information Officer at Serco. “To support those services, we recognize how innovative IT helps create value for our customers and how access and process controls protect this value in a rapidly changing environment. Consequently, we require a strong controls platform that is flexible enough to keep pace with our growth and can continue to support it.”
From 2006, when Serco consolidated its financial systems to a single SAP ERP instance (in most locations, excluding North America) until 2012 — by which time the company had implemented additional SAP Business Suite components for its global operations — its SAP user base grew from about 6,000 to 50,000 users. This spike in users and further anticipated growth, combined with an increasingly diverse portfolio and complex systems, led Serco to explore an enterprise governance, risk, and compliance (GRC) solution to support a more standardized approach to access and process controls.
“With the combination of the number of users, the organizational and geographic diversity, and the scope of functionality in our systems, we reached the threshold where we recognized we needed to manage our controls in a much more robust way,” says Gerald West, Security and Controls Manager at Serco.
While distributed autonomy helped build Serco’s initial success, the business recognized that the best way to sustain growth and profitability was to adopt shared platforms that offer standardization, controls, and better economies of scale.
A New Security Partner
Serco determined a weighted list of nine key criteria to assess potential partners. Security Weaver was top in the overall scoring and was differentiated by three criteria: total cost of ownership, performance, and flexibility. “One of our requirements was to be able to run segregation-of-duties (SoD) analysis in real time, and Security Weaver’s architecture allowed us to do that and get results in minutes,” West says. “Flexibility was ensured because Security Weaver is tightly integrated and embedded within the SAP system and provides traditional SAP utilities like a workbench, which allows us to create custom controls according to our needs.”
In 2010, Serco purchased and installed the first wave of Security Weaver modules: Separations Enforcer, Secure Enterprise, Process Auditor, Role Deriver, and Emergency Repair. Separations Enforcer, the backbone of the solution, naturally integrates into SAP systems to provide SoD definitions and requirements that are auditable and traceable. Secure Enterprise extends Separations Enforcer for real-time SoD monitoring across applications not written in ABAP code. Adding these two modules alone was a major change in how Serco approached SoD controls. “Previously, we only had a sense for how we were doing from an SoD perspective when we were audited; our auditors would effectively run our data through their controls platform to let us know how effective our SoD controls were,” West says. “We managed a lot of the controls manually, using native SAP functionality and Microsoft Excel spreadsheets. That was our level of maturity at the time, and we recognized it wasn’t sustainable.”
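The real-time SoD analysis described above, as an added Python illustration that is neither Security Weaver's code nor Serco's ruleset: it maps roles to SAP transaction codes, evaluates conflicting-function rules per user, and previews the conflicts a single provisioning request would add. The function groupings, the Z_* role names and the user assignments are constructed.

```python
# Constructed sample data (not Serco's ruleset): SAP transaction codes grouped
# into business functions, and the function pairs one user must not hold.
FUNCTIONS = {
    "maintain_vendor": {"XK01", "XK02", "FK01", "FK02"},
    "enter_invoice": {"FB60", "MIRO"},
    "run_payments": {"F110", "F-53"},
}
SOD_RULES = [
    ("maintain_vendor", "enter_invoice"),
    ("maintain_vendor", "run_payments"),
    ("enter_invoice", "run_payments"),
]
# Constructed roles and user assignments; the Z_* role names are hypothetical.
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FBL1N"},
    "Z_AP_PAYMENTS": {"F110", "F-53", "FBL1N"},
    "Z_VENDOR_MASTER": {"XK01", "XK02"},
    "Z_AP_DISPLAY": {"FBL1N", "XK03"},
}
USER_ROLES = {
    "alice": {"Z_AP_CLERK", "Z_AP_DISPLAY"},
    "bob": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
}

def roles_granting(roles, function, role_tcodes=ROLE_TCODES):
    """Roles among `roles` that grant at least one transaction of `function`."""
    tcodes = FUNCTIONS[function]
    return tuple(sorted(r for r in roles if role_tcodes.get(r, set()) & tcodes))

def sod_conflicts(roles, role_tcodes=ROLE_TCODES):
    """Violations for one user's role set as (func_a, func_b, roles_a, roles_b).
    Naming the roles on each side keeps the finding actionable: remediation
    means removing or splitting a role, not just flagging the user."""
    findings = []
    for fa, fb in SOD_RULES:
        ra = roles_granting(roles, fa, role_tcodes)
        rb = roles_granting(roles, fb, role_tcodes)
        if ra and rb:
            findings.append((fa, fb, ra, rb))
    return findings

def preview_assignment(user, new_role, user_roles=USER_ROLES):
    """Provisioning-time check: only the conflicts this request would add,
    so an approver sees the delta rather than the user's whole history."""
    current = user_roles.get(user, set())
    added = set(sod_conflicts(current | {new_role})) - set(sod_conflicts(current))
    return sorted(added)
```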
With the implementation of the Process Auditor and Role Deriver modules, Serco could centralize process controls and SAP role management across the enterprise, so that a financial analyst working on a general ledger for a transcontinental railroad in Australia, for example, would be able to receive the same support and safeguards as an analyst working on a defense contract with the UK Royal Navy. Role Deriver allowed Serco to more effectively automate internal role management processes, to manage the building blocks of user access permissions. Previously, role maintenance was complicated by the company’s (financial) organizational structure, which is based on a profit center (contract) hierarchy and made mass role changes difficult to automate effectively. “We were able to reduce the time it took for a full role-build process from what was normally around four hours down to about 20 minutes,” says Stephen Lewis, who runs the SAP security operation at Serco. “That was a game-changer for us in terms of how we managed our roles.”
The Emergency Repair module provided a secure way to ensure users could temporarily access critical transactions when necessary, in a fully controlled, documented, and auditable manner. (For more information about Security Weaver and its offerings, refer to the sidebar at the end of the article.)
“Achieving over £250,000 in savings on one control is wonderful, but it is more important to sustain a controls environment that reduces risk and adds value.” — Gerald West
A CURE for What Ails
Had Serco’s implementation stopped after going live with only the initial modules, the company would have achieved one of its main objectives: compliance. But it was clear that the controls platform offered more.
Enter CURE, an acronym for Controls/Usability/Reporting/Engagement. CURE is a strategy used at Serco to help the business view and experience its SAP landscape (and, by proxy, its controls platform) as more of an asset than simply a necessary cost of running the business. “CURE was initiated to show the business that SAP software and compliance investments are assets that can be managed to release recurring value to the business,” West says.
The value realization impact of CURE is:
- Controls protect the value by ensuring the right things happen and the wrong things don’t.
- Usability drives user adoption and productivity (making it easier to consume the SAP asset is essential).
- Reporting provides the insight that often represents SAP value.
- Engagement helps to sustain the value by empowering and educating the users.
The controls transformation program Serco ran in 2013 to strengthen controls on its core finance system embedded the use of the CURE framework as follows:
- Controls: Using modules like Separations Enforcer, Emergency Repair, and Process Auditor, Serco can continually lower the likelihood of transactional errors, which ultimately translates to increasing levels of efficiency.
- Usability: By treating Security Weaver like just another SAP component and by leveraging the same usability strategies that are being applied to SAP software, managing and using Security Weaver continues to get even easier. This is also reflected in the product roadmap, with features such as approvals by email already present in later versions.
- Reporting: In addition to the extensive suite of Security Weaver reports that provide insight into risks and controls, Serco has also integrated Security Weaver content with its standard suite of user and controls reports (again exploiting the SAP nature of Security Weaver). To extend this insight beyond the controls community, Serco has also purchased Risk Visualizer, a tool that surfaces risks and controls in an easy-to-consume dashboard with drill-down capabilities.
- Engagement: A critical factor in the success of the controls transformation program at Serco was the engagement with the business-process owners, divisional representatives, and shared service operators, all of whom played key parts in defining and establishing the solutions and processes. This close collaboration is essential for a sustainable controls environment and is central to the Serco controls strategy.
“The same principles that apply to looking at SAP software as a value proposition for the business apply to a controls platform, in this case Security Weaver,” West says. “So it’s not just about checking the box to reach audit requirements, it’s about ultimately helping the business operate better by creating value.”
One particular success was the implementation of a custom process control that helped identify duplicate invoices, which saved the company more than £250,000 in the first four months. “Intrinsically, we expected that there would be some benefits here, but even the project team members were surprised by the magnitude of savings achieved in a short space of time,” says Julie Bryer, Serco’s Finance Director, Process and Controls.
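A duplicate-invoice process control of the kind mentioned above, as an added Python illustration rather than Serco’s custom control: it flags postings with the same vendor and normalized invoice reference as exact duplicates, same vendor and amount within a short window as probable ones, and totals the exposure. The invoice records, vendor numbers and the 30-day window are constructed.

```python
import re
from datetime import date

# Constructed AP postings (not Serco data); the fields mirror what a vendor
# invoice document carries: document number, vendor, reference, amount, date.
INVOICES = [
    {"doc": "5100001", "vendor": "100234", "ref": "INV-00123", "amount": 1250.00, "date": date(2013, 3, 4)},
    {"doc": "5100002", "vendor": "100234", "ref": "inv 123", "amount": 1250.00, "date": date(2013, 3, 18)},
    {"doc": "5100003", "vendor": "100987", "ref": "A-77", "amount": 980.50, "date": date(2013, 3, 5)},
    {"doc": "5100004", "vendor": "100987", "ref": "A-78", "amount": 980.50, "date": date(2013, 3, 9)},
    {"doc": "5100005", "vendor": "100987", "ref": "A-79", "amount": 980.50, "date": date(2013, 6, 1)},
    {"doc": "5100006", "vendor": "100555", "ref": "INV-00123", "amount": 1250.00, "date": date(2013, 3, 4)},
]

def normalize_ref(ref):
    """Collapse the variations that let a re-keyed invoice slip past an exact
    match: case, punctuation and whitespace, and leading zeros in a number."""
    s = re.sub(r"[^a-z0-9]", "", ref.lower())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)

def duplicate_candidates(invoices, window_days=30):
    """Pairwise control within each vendor: 'exact' when the normalized
    reference matches, 'probable' when the amount matches within `window_days`
    under a different reference. Vendor is part of the key, so an identical
    reference from another vendor is not a hit. Returns sorted (kind, doc_a, doc_b)."""
    by_vendor = {}
    for inv in invoices:
        by_vendor.setdefault(inv["vendor"], []).append(inv)
    findings = []
    for group in by_vendor.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if normalize_ref(a["ref"]) == normalize_ref(b["ref"]):
                    findings.append(("exact", a["doc"], b["doc"]))
                elif a["amount"] == b["amount"] and abs((a["date"] - b["date"]).days) <= window_days:
                    findings.append(("probable", a["doc"], b["doc"]))
    return sorted(findings)

def exposure(invoices, findings):
    """Amount that would be paid twice if every flagged pair is a true duplicate:
    the second document of each pair, with each document counted once."""
    amounts = {inv["doc"]: inv["amount"] for inv in invoices}
    later = {doc_b for _, _, doc_b in findings}
    return round(sum(amounts[d] for d in later), 2)
```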
According to West, the success of the controls initiative made it easier to re-invest in Security Weaver — the business acquired the Secure Provisioning module in May 2012 and upgraded to an enterprise license agreement in March 2013. In October 2013, Serco began implementing two additional modules, Transaction Archive and License Management.
Transaction Archive provides user intelligence based on granular user activity information that supports training, incident management, forensics, process compliance, and other user-oriented opportunities. Serco is in the early stages of using this module, but the initial indications show promise of a significant opportunity.
License Management provides real-time reporting on compliance with SAP license agreements as well as optimization opportunities to save license costs. This reporting is critical for ensuring the best contract negotiating position when renewing or adjusting SAP support and licensing levels. Going forward, because License Management will integrate seamlessly with Secure Provisioning to automate SAP license management processes, users get a real-time view into how provisioning affects the company’s license portfolio via a license check run with each provisioning request — ensuring license compliance (similar to SoD compliance). The solution also tracks license contracts and costs so managers can understand the cost implications of their user access provisioning decisions — for example, it can provide cost data to access approvers regarding any cost implications (including chargebacks) associated with a particular access request.
As Serco continues to grow its user base, West says he expects even more dramatic returns on the investments made in Serco’s controls platform. He predicts a growing library of custom process controls to improve additional financial and operational processes, alongside deployment of the standard controls offered with Process Auditor. He also envisions tighter integration across Security Weaver applications, similar to how License Management integrates with Transaction Archive, so that user information drives provisioning and license optimization.
“We have the entire suite now, and that speaks to our core objective of deriving recurring value by making more and more use of the Security Weaver portfolio,” West says. “We have improved our controls culture in a sustainable way, and this allows us to continue to reduce our risk and ultimately add value.”