Listen in as Wyatt McManus and Ralph Russo from Sharp Electronics discuss being the first company to move to a production environment for SAP GRC 10.1.
Topics covered in the interview include:
- The customer validation process for SAP solutions
- Why Sharp Electronics wanted to be an early adopter of SAP GRC 10.1
- Sharp's current SAP GRC landscape
- The overall timeline for customer validation
Lucy: Hi, this is Lucy Swedberg with SAPinsider, we’re here live in Orlando for our GRC 2014 event, and I’m really excited to be joined today by the team from Sharp, we have some exciting things to discuss today about their GRC implementation. I have Wyatt McManus, who’s the associate director of information security at Sharp Electronics, and Ralph Russo, the senior manager of internal controls. Thank you both for joining me today.
Ralph and Wyatt: Thank you.
Lucy: Great, so the session that you’re here to present this week is about Sharp being a customer validation partner for the 10.1 release of GRC. First of all, you’re the first company globally to be in the production environment for GRC 10.1 and I wanted to say congratulations, that’s quite an accomplishment! Can you talk to me a little bit about what it means to be a customer validation partner with SAP, and sort of why Sharp got involved with that?
Wyatt: Sure, so maybe I’ll explain a little bit how the progression goes in the development lifecycle for SAP, once they’re ready to release a product they go into what they call customer validation. Following customer validation, they go into a ramp-up process and then followed by general release. So the customer validation process can be thought of as a pre-rehearsal for ramp-up where they choose a very select set of customers, customers who have used other versions of that product that they’ve been successful with to go through the process to do almost like a pre-beta type process, and once you progress from customer validation, the expectation is you’ll move into ramp-up and eventually go live on the product.
Lucy: Great. So why was this attractive for Sharp, when it comes to the 10.1 release?
Wyatt: Ok, so there are a couple of reasons, one of the big benefits is you get to use your own data, your own system to see what the new features in the product are going to look like on your system. Another big reason is there’s a big cost savings, you get to get support from SAP directly with the development team who is working on developing that product to work through any of the issues that you might have, so you have a direct feedback loop to the development team so when you get a final product, hopefully it will include some of those corrections or enhancements or features that you wanted to adjust in the customer validation phase.
Lucy: Makes sense, for Sharp it seems like it was a good move. So let’s talk about the specific solutions that you’re using in 10.1, maybe talk a little bit about those solutions and the business reasons why you were looking to move forward and go with the new upgrades?
Wyatt: Ok, so on the 10.1 platform we’re using both Access Control and Process Control, and a couple of the features that we’re using in each of those, in Access Control we’re using RAR, which is the Risk Analysis and Remediation which is used for SoD monitoring and compliance, we’re using Emergency Access Management, which is the fire—what most people know as the firefighter functionality, for, in Sharp’s case we just give it to our IT users and they go into productive systems to fight fires or fight emergencies. On the Process Control side, it’s really our repository, our central repository for all of our internal control framework. We use self-assessments, all of the test of design and test of effectiveness features, and some of the new features we’re looking at were disclosure surveys so we could fully round out our internal audit process using that solution.
Lucy: That makes sense, great. Let’s talk a little bit about some of the business cases, can you talk about sort of what’s happening in your organization as to you know, how these tools are being incorporated from a business standpoint?
Wyatt: Yeah, so I’ll go back to disclosure surveys, that’s a good feature. Today, or not today, yesterday, before 10.1, our internal audit team would use Process Control test of design and test of effectiveness and they would do all of their work for our J-SOX compliance needs in the system. If they encountered an issue that was outside the scope of J-SOX, they would manually go out and do the work, so we would still, we would have the controls from an internal controls perspective in the system, but they wouldn’t use it for their testing or off-cycle type of a disclosure survey they were looking for. This feature in 10.1 allowed them to fully perform their function in the system.
Lucy: Got it. So talk about maybe an outline for the timing of this project, you know, you started to hear a bit about 10.1, how did you sort of get started and what’s the length of the timeline for a project like this?
Wyatt: Maybe I’ll kick it over to Ralph on this one, you can just talk about the timeline for CUV and ramp-up and how long that took us.
Ralph: Yeah sure, on the customer validation side it was roughly a three-month project that we went through, the same thing for the ramp-up on, in both cases, three months per each instance.
Lucy: Great, and that’s from start to finish?
Ralph: Start to finish.
Lucy: Nice. Can you talk a little bit maybe about the personnel that were involved in the project, you know, who did you bring to the table for that?
Ralph: Sure, it was a Process Control functional team, a one-person Access Control functional, a coach, a Sharp coach, and an SAP ramp-up coach, or customer validation coach, and also there was a Basis, one on the Sharp side, one on the SAP side, that did the installation on the customer validation. But on the ramp-up project it was only a high-level coach on the SAP side and on the Sharp side it was fully in-house, which is a big accomplishment.
Wyatt: So that was actually one of the major benefits, when we get there, right, one of the major benefits ’cause we had all that knowledge transfer and knowledge learning from the SAP team that was supporting us during customer evaluation, when we got to ramp-up, we didn’t need to go out and get consulting effort, we could do it ourselves.
Lucy: That’s pretty impressive. Great. So let’s talk maybe about some key lessons learned, that strikes me as maybe one of them, but key lessons that you’ve taken away from this project and that you might, you know, I know every case is different but maybe something here could be applicable to others who are interested in this?
Wyatt: Sure, I mean one of the lessons that I learned was in customer validation, because it’s such a new product and because, you know, it’s essentially a pre-beta or last-stage-beta product, there’s not a lot of documentation, part of the responsibilities of the customer validation is to provide that feedback on the documentation so it can be developed as they move into the ramp-up phase, so we were, you’re at a slight disadvantage from a documentation perspective, and I think that I would have put a little more upfront onus on the SAP team to bring some of their draft documentation to the table that we could have read that in advance.
Lucy: Ok, great. Makes sense. So, we’ve followed Sharp’s story for a while and we’ve spoken at a few events and I know we’ve featured you in our magazines as well, and I’m always really impressed at how much at the cutting edge of GRC that you are, and I know that sometimes when I speak with attendees they’re really eager to move forward, they want to be at that cutting edge but maybe organizationally they’re not quite there yet. So, can you speak to that a little bit, about sort of, the Sharp culture, and how you know, you guys have been able to really stay at the forefront when it comes to GRC?
Wyatt: Sure, yeah, I’ve been really lucky, we’ve been really lucky, to work in a company that has a culture where they’re not so risk-averse that they won’t take a chance with a new technology. Not to say that it’s an overwhelming risk in this case, GRC is a non-transactional system, it’s a non-financial system, so we’ve been lucky enough to have management that is willing to take those calculated risks and wants to be on the leading edge, they want to be an innovative company, in the products they deliver and the solutions that they use to run the business to deliver the products and services to our customer base. So our CFO, Bill Flynn, and our CIO, John Kavak, very strong leaders, very good at taking calculated risks and focusing us on areas where they believe we can be successful using cutting edge technology.
Lucy: Interesting, sounds like an exciting environment for sure.
Lucy: I thank you both for sharing your experience with the GRC 10.1 project, and again we’re live from Orlando for GRC 2014, and I thank you both again for taking the time to speak with us. Thank you.
Wyatt: Thank you very much.
Ralph: Thank you.