In this podcast, Jonathan Levitt of PwC discusses the future roadmap for GRC solutions with SAPinsider's Dave Hannon. The discussion covers what an organization should know when planning its GRC solution roadmap, what's driving the implementation of controls, and advice for companies just planning their GRC roadmap today.
Dave Hannon: Hello and welcome. This is Dave Hannon with SAPinsider; welcome to our podcast. Joining me today is Jonathan Levitt of PwC. Jonathan is the SAP security controls and GRC solutions manager at PwC, and we’re going to be talking about GRC roadmaps today. Welcome, Jonathan.
Jonathan Levitt: Hi Dave.
Dave: Jonathan, I wanted to start our discussion a little high-level with GRC roadmaps, and I was wondering if overall you think SAP customers have a clear idea of what their GRC roadmap should be today, or do you think there’s some confusion out there?
Jonathan: I think it’s a combination of both. We see clients who have a roadmap and those who don’t, who are simply implementing GRC solutions because they need a solution. I think, generally speaking, though, these GRC programs should complement a business strategy, and this is something we definitely see as missing. What we recommend in order to kind of achieve that business alignment is really kicking off a GRC program with a risk assessment, and this should not only kind of enhance understanding of what is considered a risk to the organization, but also form the basis for control analysis and the kind of subsequent phases of the program. The assessment should really cover, you know, compliance objectives as well as, you know, the operational objectives, to achieve more value from the business.
Dave: Ok, great. What area do you see most customers start with GRC technology?
Jonathan: Yes, I mean, typically the implementation of GRC technology, from what we see, is really a knee-jerk reaction to compliance issues. We have seen recently kind of clients going back to their roadmap once actually implementing GRC technologies, in order to understand and acquire the visibility to move forward and achieve operational efficiencies. And these knee-jerk reactions, you know, we see as kind of focusing around segregation of duties and sensitive access being raised by an audit group. And typically, hence the, you know, that’s why we usually see companies kind of implementing those access monitoring solutions to begin with.
Dave: Ok, great. I know you specialize in controls so I want to get your perspective on what’s driving the implementation of controls, dig into that a little bit. I know you mentioned compliance is a big driver of GRC technology overall, is it still compliance driving controls implementations, or is that operational efficiency component increasing on the implementation scale?
Jonathan: Yes, compliance is still a big driver, but optimization to kind of reduce overdrive certainly appears to be a trend: you know, alignment with the business structure, as I was mentioning earlier, refreshing kind of risks and performing that risk assessment, you know. Mapping the existing control frameworks to those risks seems to be really popular, and, you know, the output is controls which can be eliminated or consolidated, you know, controls that could be altered to better leverage kind of current technologies, you know, even new controls to cover new risks, or perhaps controls for removal that do not mitigate, you know, any SOX or operational risks. And then there are the kind of opportunities to optimize manual report procedures through event-based reporting or workflow enablement.
Dave: Ok, good. I was wondering if you have any examples of companies that have progressed down a well-planned GRC roadmap and what some of the benefits they might have seen are?
Jonathan: Yes, yes, certainly. So a recent client of ours, the roadmap they implemented started off with that risk assessment, you know, updated those controls and streamlined testing. And based upon, you know, this revised control framework, management could make decisions on, you know, what GRC tooling best suits their environment, you know, what was really best to support the revised controls. And what that really led to is kind of the reduction in manual controls and, you know, the increase in automated controls, and also the reduction in cost to sustain an environment and to operate those controls. Because, I mean, for example, the GRC tooling that was, I mentioned segregation of duties and sensitive access, you know, the rules which comprise that were tailored and customized around the organization, so, you know, it allowed very streamlined operation.
Dave: Ok, ok great. What about the future of controls solutions, where do you see that going? What’s next, and how might it benefit the SAP customer specifically?
Jonathan: Yes, I see really optimized Access Control. So most organizations have adopted SAP security and segregation of duties and sensitive access tools, although, as I mentioned, really as a knee-jerk tactical reaction to these compliance requirements. So organizations are now optimizing the GRC solutions, you know, in terms of being able to sustain security and segregation of duties and sensitive access control through, you know, through that use of provisioning, emergency access, and role design kind of solutions. So that’s one thing.
I think control repository as a platform: you know, the emergence of kind of the dedicated off-the-shelf technology for control repositories has really provided a platform for more efficient control management, and, you know, I see there is that kind of increased demand for enhanced reporting capabilities and workflow-driven events and automated planning and survey and assessment platforms. So, and I’d say another one is really, you know, the multi-compliance framework. So an increase in regulatory compliance requirements, you know, SOX/PCI for example, has led really organizations to consider consolidating their internal control framework into a single centralized repository, and I think this focus on consolidating the planning and testing and the operation of those common controls is definitely, definitely a trend.
Dave: Ok. Lastly I just wanted to ask if you have any advice for companies that are planning their GRC roadmap, maybe they’re at the very early stages, what advice do you typically give a company in that stage of the game?
Jonathan: I’m going to be really simple and say align with your business strategy.
Dave: Yes, that’s always good advice, definitely, definitely. Good, good. Ok, great. Jonathan Levitt with PwC, thank you very much for joining us today; I enjoyed our conversation on GRC roadmaps.
Jonathan: Oh, cheers, thank you.