Rebecca Hodge of Stanley, Black & Decker joins Steve Biskie of High Water Advisors at the SAPinsider GRC 2016 event to discuss her company’s GRC journey with SAP Access Control.
This is an edited transcript of the discussion:
Steve Biskie, High Water Advisors: Hi, I’m Steve Biskie, Managing Director of High Water Advisors, here with Rebecca Hodge from Stanley, Black & Decker at the GRC 2016 event. I’ve been coming to this event for a long time Rebecca, it’s great to have you here, and I was sitting in one of your sessions last year where you were talking about the transformation you’ve gone through at Stanley. Before we get into that transformation, tell us a little bit about your role and how you stepped into this role.
Rebecca Hodge, Stanley, Black & Decker: I’m the Global Controls and Compliance Leader for Stanley, Black & Decker. I’ve been with the organization since 2008 and pretty much have been on the GRC journey since my starting date there.
Steve: And tell us a little bit about that journey. It’s been a year now since you and I had a chance to catch up, and I’m sure some things have really evolved over the course of the past year. Can you talk us through what that journey has looked like over the last few years?
Rebecca: Sure, and this is my fourth time at the conference, so I first came to the GRC conference in 2013; it was actually here at the MGM Grand, so it’s nice to be back here this year.
Steve: You’re coming home.
Rebecca: I know, right? My first conference I was just a regular attendee and really felt like I experienced the SAP magic and came back really reinvigorated with a real purpose and direction in mind of roadmap strategy for the organization. Since then the last three conferences I’ve had the opportunity to present and kind of share my journey with others and it’s been a great experience.
Steve: That’s great, and you went to that first GRC event and you were energized – how did you get started on your program?
Rebecca: I’ll be honest, it was a slow start. SAP Access Control was on a critical path of a larger ECC implementation that ended up not going live, so we kind of fell off the radar a little bit, but our corporate controller at the time saw the value of SAP Access Control and had me continue to work on it kind of unfunded, a little covert op, and trying to keep it alive. We knew we wanted to get there; it just took us a little longer than we anticipated.
Steve: Actually that’s probably a good message for some of the people listening to this session; it’s not always easy right? You listen to some of these sessions and organizations did it the first time and you had to work at it.
Rebecca: We had to work hard. And it’s hard because I don’t think you realize what you need to do to get where you want to be. So for us, it wasn’t just implementing the tool; it was redesigning our entire SAP security structure from the ground up.
Steve: And I know that’s been an involving process for you. If you were to step back now and give advice to those that are just starting on the journey that you embarked on a few years ago, what would that advice be?
Rebecca: First and foremost, this is a project that is really all-encompassing and affects everybody in the organization down to a material handler, an end-user in SAP, all the way up to your C-suite people. So you have to make it visible, be very transparent and you have to get buy-in and support for what you’re trying to accomplish.
Steve: Are you starting to see some of the benefits of your efforts?
Rebecca: Absolutely, so our first go-live was back in 2014. I think we had about 2,400 users when we implemented Access Control. Since then we continue to roll more businesses onto the SAP platform, it’s our platform for growth. So as we fold all these thousands of users in, we’re folding them into a compliant structure and platform. It’s been a big win. We’ve seen our risks stay very steady and we’ve been able to maintain our new security design.
Steve: That’s good news, you didn’t necessarily start with a bang, there was some work to get going but after a few years and you pushed through that pain you’ve been able to see some tangible benefits. What does the future hold?
Rebecca: We’re going to continue our roll-out of Access Control. We have five instances of SAP right now and there’s talk about Instance Rationalization, so (that) may be last but we’re going to kind of stay aligned with our IT department and be sure that our strategy for Access Control aligns with what they’re doing. We’re also looking to implement Access Violation monitoring for the next evolution of our journey.
Steve: That’s an interesting one; the Greenlight product that allows you to not just identify the segregation of duties weaknesses, but see who did what.
Rebecca: Yeah, I like to say it’s you’re not looking for the needle in the haystack anymore, you’re just getting the needles delivered to you really with that tool.
Steve: Nice. Well Rebecca it was great to see you again and great to have you at the conference, I’m looking forward to hearing your updates next year.
Rebecca: Thanks Steve.