Transcript from GRC 2011 post conference Ask-the-Experts

by Allison Martin

March 25, 2011

Recently, leading GRC experts and GRC 2011 speakers Ken Lauver of Lockheed Martin and Bhavesh Bhagat of EnCrisp answered questions from Insider Learning Network members about various GRC topics in an exclusive GRC forum on March 18, 2011. 

The following is an edited excerpt of the full forum.

Featured Experts & Topics
Ken Lauver, Lockheed Martin
SAP BusinessObjects Access Control

Bhavesh Bhagat, EnCrisp
Security architectures, governance, sustainability, carbon and green impact, risk management, compliance, auditing, SAP BusinessObjects GRC solutions training and education, SAP BusinessObjects Process Control, SAP BusinessObjects Access Control, identity management, authorizations

Sponsored by GRC 2011 and GRC Expert

Allison: Welcome to the GRC 2011 online Ask-the-Experts forum on Insider Learning Network in the GRC Conference Group. Thanks for joining us!

To post your question, please be sure to first log in to Insider Learning Network, and don't forget to refresh this page to see the most recent posts.

To begin, I'd like to introduce our featured GRC 2011 speakers:

Ken Lauver, Lockheed Martin
Bhavesh Bhagat, EnCrisp

Thank you both for being here today.
Bhavesh Bhagat: Hi GRC colleagues,

I have just come fresh from the SAP Run Better Tour in Philadelphia yesterday.  It was very exciting to see the latest SAP initiatives across the board, and I had an opportunity to connect with and interview Diane Fanelli, Senior Vice President for Industry Solutions in North America.  Diane shared her perspectives on In Memory computing, HANA, Cloud Computing and the latest SAP strategies at executive level, which are all encouraging for SAP customers.

SAP GRC 10.0 certainly is a key strategic component in enhancing the overall value and product portfolio of SAP's investment in Business Objects.  All in all it was a great day connecting with Sr. SAP leadership.

Ken Lauver: Hello everyone, this is my first time participating in a text-based Q&A session, so please bear with my slow responses!

I had a lot of opportunities to speak with fellow GRC attendees and while there was a lot of interest in V10, most of the attendees were concerned with:

  • How long will their current implementations of GRC access controls remain viable and what support they will receive from SAP.
  • Most of the attendees were still concerned with their 5.3 implementations and looking for information regarding the CURRENT release!
  • There was a great concern about the impact of support packs creating new issues as they fix old problems.

I would suggest that next year's event should support issues, tips and tricks of the current releases as strongly as the new releases.  Maybe as separate tracks under the GRC umbrella.

Bhavesh Bhagat: Dear Ken,

I fully agree.  Many companies WILL NOT be on GRC 10.0 until the later part of 2012/2013 with their constraints.  Plus there's a hesitation to change when a process is working and you have just spent a year on making AC 5.3 functional.

So while SAP GRC 10.0 is announced now, its adoption will take a while, like ECC 6.0 upgrades, and hence we cannot lose sight of the existing SAP GRC 5.3 version.  We need to highlight Change Control and Migration issues and have equal coverage of these in 2010 sessions.

Allison: To begin the Q&A, I’d like to open with a more general question:
Coming off last week's GRC 2011 conference, what functionality has the most attention right now from SAP customers?  What were attendees talking about while you were there?

Bhavesh Bhagat: Allison,

It was a great event, and as I indicated, I had a follow-up event yesterday at SAP RBT in Philadelphia meeting with the SAP executives.  Here are a few key themes that we see from two perspectives: SAP and Customer.

SAP Key Themes and focus areas in next five years:

1 - Focus on improved Analytics at all levels with HANA and In Memory Computing concept

2 - Make SAP easy to use and expand it into open "Cloud" enabled areas

3 - Enhance BOBJ to support step 1; GRC 10.0 is a key component of this in helping to navigate through business with the lowest optimal risk and maximum efficiency.

Customer Key Themes at GRC:

1 - Understand the strategy and focus on latest SAP GRC 10.0 ABAP stack release

2 - Manage existing cycles of compliance and make them efficient

3 - Enhance Access cycles and move into proactive Process Controls life cycles

4 - Keeping SAP GRC current with upgrades and managing change within SAP GRC

5 - Convincing and moving management towards investing in these proactive ideas on GRC

The above are a few key themes, and while not exhaustive, I saw a lot of attention on these areas.
Andrea Haynes: Hello –
Do you see companies overlooking any key functionality of SAP solutions to enhance security or improve audit processes? And what changes do you see with GRC 10.0?

Thank you.
Andrea Haynes

Ken Lauver: Andrea,
When the SOX requirements were being developed and all of the publicly traded companies were rushing to be SOX compliant, I believe that your feelings were real.  Now that the storm has passed and SOX reporting has found its way into our O&M processes, I believe that there is too little emphasis on security and GRC activities.

The tools that we have implemented for SOX 404 reporting are gathering a lot of data that can be used to provide insights regarding corporate risk management and to automate manual controls using GRC Process Controls.

Bhavesh Bhagat: Hi Andrea,

The key focus that we see is still on immediate compliance or short-term needs to fix/remediate/mitigate issues.  There is more education and knowledge on moving to Process Controls now as opposed to 5 years ago, but this is an area of improvement that is evolving for most clients.

The other basic missing link I see is that many companies are using these tools and software, but the inbuilt Audit capabilities of SAP are completely ignored or un-leveraged.  These are free reports and free functionality that have to be enabled and put into daily audit processes before you start automating a lot of things.  I find an extremely small number of companies doing this, as it's not often talked about, but it is the most common-sense way to save money and get better educated before doing other GRC cycles.

The third area I see as lacking is engagement of operational effectiveness and operational controls as part of audit cycles and their integration into the GRC life-cycle.  Because most focus has been in the past on compliance, this area needs to evolve so the LOB is driving GRC as opposed to just Audit alone or Security alone.
Davin Wilfrid: When SAP announced GRC 10, part of the message was that it would help the various GRC practice groups translate their needs better to the business side. Obviously this is a good idea, since GRC practices must be pervasive to be effective. However there are still plenty of organizational challenges to driving GRC practices out to the organization at large. Do you have any suggestions for how to convince those outside the core risk, compliance, and governance teams to get with the program? Do you sell them on the fear factor or is there a better way?


Bhavesh Bhagat: Davin,

That's a great point.  In our experience the Fear Factor definitely does not work.  It was OK to play the Compliance card and Fear Factor in the old SOX days etc.  But this narrow vision kind of limits the usefulness of GRC and certainly limits the future usefulness of the investment in this area.

What we have found useful is to have a Sr. Management-led dialogue which starts with "Good Governance is Good Business" and here's why we are moving towards a process-driven and business-driven GRC life-cycle as opposed to just the Compliance-driven mindset which most companies start with.

To move from the old Access Controls/Compliance mindset into the new Business Driven/Proactive GRC 10.0 mindset you must engage the business and Line of Business upfront.  It has to be governance that drives strategic objectives, and the implementation must give back tools and visibility to the line of business that help them in 'improving' their operational life rather than just compliance steps.

The challenge will be to do this in a phased approach and keep the business attention engaged, as they have other priorities and also resources / budgets are not infinite while the GRC life-cycle is ongoing.

Kristine Erickson: It's interesting that the Fear Factor approach is less effective than it used to be.

But as we're all watching the recent events in the Middle East and the tragic news from Japan, we're seeing some dramatic implications for business, supply chains, markets - not to mention the individuals on the ground. At the risk of going far afield of the current topic, when you look at these events, do you see any lessons or reminders about risk management?

Bhavesh Bhagat: Kristine,

You bring up a very appropriate subject and an important one that we can't ignore.  I was just keynoting at an ISACA Emerging Technology event earlier this week on this.  We MUST learn the lessons from ALL things surrounding us in life, and RISK Management is especially relevant here.  Before we close today I want you to think of four key points and the implications for GRC in your companies from the current Japanese and Middle East events:

  1. The Middle East teaches us a lesson that Risk in GRC must be dynamically managed.  It can't be frozen in time, as things in an interconnected world SHIFT fast.  So don't be fooled into believing everything is under control.  Being Paranoid is good in Risk Management.
  2. Social Media - DO NOT ignore Social Media and the Risks and Opportunities surrounding it.  Social Media and the challenges around it for Privacy are crucial in future GRC, but a medium that can topple governments cannot be ignored.  So embrace it, but with caution, and monitor it.
  3. Resilience - With all the human tragedy in Japan our hearts go out to them.  But Japan teaches us the most important example of how to be Resilient.  It's not perfect, but one must just see the order in the society and the fact that most connectivity is running normally despite the triple whammy of misfortune is something to look up to.
  4. Cloud Computing - This is a fact of life in IT for the next 20 years, and Japan has proven a good positive use case.  How so, you may ask.  Well, the traditional client-server models at TEPCO and the Japanese Govt were overwhelmed initially by demand in the early days.  What kept them going and able to be connected and communicate was Cloud-based Social Media like Twitter and Facebook.  That's the power of distributed Cloud Computing and its resilience in the face of disasters.  It has its challenges in security and GRC, but it's here to stay and survive.

Just make sure you DO NOT build your DATA CENTER in a Seismically ACTIVE zone.  If you research all our West Coast and IT is exposed.  Something to chew on until we connect in our next GRC Live Q&A session.


Ken Lauver: Davin,

In addition to Bhavesh's comments, my plan is to start my first implementation of V10 from a straight Access Controls standpoint; then, since PC & RM will be installed already, begin taking some of the mitigating controls and demonstrating how they can move our manual controls and automate them using Process Controls.

A live demonstration should help them to see the value of the tools that we have been unable to afford/install in the past.

They do make me think about leveraging this new 'Fear Factor' to help me fund some lower level access and security functionality like implementing some of the Alert Enterprise solutions to look below application security and add physical security monitoring and tracking.
Daniel Werner: Hello,

I have two technical questions on the topic of RAR in GRC V10:

Why is the organization a mandatory field on the controls, and why is the selection of the organization only two-stage? Is this the same with Process Control and Risk Management?

In AC 5.3 there are two possibilities to import and to export data. In V10 an import for rules is available. Question:  What is the name of the export programs for rules; what is the name of the export and import programs for controls and control allocation?

Thank you,

Bhavesh Bhagat: Hi,
I checked on the rules management questions with some technical Basis/NW folks who had installed GRC 10.0 in a sandbox last week, and the answer I found was that there is very little clear documentation on GRC 10.0 publicly available now.  It's still on limited Ramp Up links, so there was no clarity on the Rules Change Management (Upload/Download) you describe.

The basic premise and biggest improvement, in my opinion, on the ABAP stack GRC 10.0 is that it moves away from the manual upload/download steps of 5.3 and moves to the well-controlled CCTS normal ABAP change and transport cycle.  I like this a lot from an audit point of view.  As soon as we get more documentation and details we will share them with you.

As for Organization information being mandatory, it's essential because the core GRC 10.0 backbone is the same for PC and RM and they need this.  The big shift is on AC, so here, in order to TIE all controls and rules together, Organization acts as the common hierarchy.  These are absolutely needed for driving this down to the business and making them more accountable via reporting driven at Org Hierarchy levels.

Kurt Hollis: The controls are related to organization.  Organization is hierarchical and contains multiple levels.  This is now the same for all components AC/PC/RM in 10.0.

In Access Control 10.0 the rules are delivered in a BCSET which you can activate, or you can load the same set that you use with Access Control 5.3 from files.  Or you can export using the export migration tool and then import these.
The export migration tool is installed on the Access Control 5.3 system and launched using URL http://:50<#>00/webdynpro/dispatcher/

This tool reads the database tables based on your selection and exports the data into CSV files on the Access Control server.  There are not separate programs for each object.


Bhavesh Bhagat: Kurt,

Thanks for your exact technical answer.  I think that should hopefully be helpful in clarifying the question.
Marlen Geissler: Hi,

I have a question regarding Process Control:

For SAP Process Control 3.0, SAP delivers predefined rules and controls. The rules are delivered via the BC-Sets; the controls with descriptions and attributes are not delivered. Are the controls available as an upload file to upload directly into Process Control?

Regarding the provided RKTs: Some of the exercises/demos of the RKTs in the SAP Support Portal are not available yet. When is the date of publication of these documents?

Thank you and best regards,

Bhavesh Bhagat: Dear Marlen,

I am not sure of the date when SAP will make the RKTs available, but I can always find out and let you know.  If someone at WIS makes a note of this we can follow up with SAP and get this answer.

Ken Lauver: Marlen,

Regarding question one, unfortunately, I am not a PC user yet and don't know the answer to that question.

Regarding your second question, while Bhavesh and I are members of the SAP GRC Customer Advisory Council, we aren't SAP employees and can't help with scheduled release dates.

Allison: Hi Marlen,

I'll look into this for you and find a contact at SAP who can assist you.



Kurt Hollis: Hi Marlen:

PC comes with pre-delivered rules but not controls.  The controls are your own and are entered into the system either directly or through the upload tool called MDUG.  MDUG is a mass upload utility which runs on your laptop.  This tool is not available to everyone, just consultants (SAP or Partners).  That tool speeds up the loading process.  Otherwise, you can do it online.

Not sure about the RKT questions, this goes to SAP as Allison mentioned.

Kurt Hollis.
Yonas Makele: Hi guys,

My company is implementing the Access Control V10 solution, do you know if:

Is there any opportunity to maintain the authorizations in GRC so that we are able to assign different authorizations for each stage of approval? Example: a Manager has other authorizations at their approval level "Manager". Therefore role owners are not capable of approving at the manager level!

Furthermore, is it possible to install in the ERM Workflow V10 several approval stages with different approvers?

Moreover, is it possible to close up ERM Workflows audit proof so that no one can make any changes after approval and test?

Thank you in advance for all replies.

Best regards,
Yonas M.

Bhavesh Bhagat: Hi Yonas,

What you describe are very advanced and good use case scenarios for using GRC 10.0.  Unfortunately at this stage the only company that's officially going live is Levis in June, and a lot of documentation is not public, so I cannot answer your exact questions with precise specificity, but I can put you in touch with SAP Development Directors and they can answer some of your Use Case questions.

Keep in mind that even though GRC 10.0 is announced, NOT all functionality is available on the GTA date.  It will slowly evolve.  So exactly to what depth you can finalize your use cases, you will have to dig deeper and wait until SAP provides some more tech details.

Dave Hannon: Ken and Bhavesh,

I've spent the last three weeks on a "special project" that leads to my question: Do you foresee the medical industry -- specifically hospitals and hospital chains -- as a potential growth market for SAP GRC or GRC-type solutions in general?  And if so, are there specific applications that come to mind in that setting? (I know University Hospital Aachen is a user, for one).

Dave Hannon

Bhavesh Bhagat: Hi Dave,

Feel free to contact me offline if you have specific questions regarding your special project.  However, in general terms with Hospitals and Hospital chains, as you can imagine, "PRIVACY" of data is of paramount importance.  So without a doubt GRC processes and tools will help you in that regard to have better procedures in place to manage and have visibility as to who has access to what data.

I am seeing more and more non-public entities using GRC tools and processes even though they have no public compliance need and are privately structured either as not-for-profits or other types of private organizations.  In all those cases GRC processes have helped tremendously to provide risk visibility to interested parties.

So without a doubt I see a huge need and follow-up demand for GRC-type solutions in the Healthcare market.  Hopefully that helps.

Ken Lauver: The medical industry in general is primarily concerned about patient privacy and has introduced specific legislation like HIPAA etc.  GRC and the background SAP Security features enable very discrete user access to data.  The data in the ERP financial, CRM and BI applications may contain patient-sensitive information, and GRC has some predefined rules that look for SOD in ECC, BI and SRM.  While these don't seem to be tailored to the healthcare industry, I'm sure that the existing rules along with customizations added by others are available.

Maybe someone on line can contribute?
Marlen Geissler: Hi

I have a question regarding ERM, Role Creation:

One of the mandatory fields when creating a role is “Landscape”. Connector Settings in SPRO (General setting and access control) are set but entries are not available when creating a role. Do you have a hint?

Where can I define mandatory fields?

Thank you,

Kurt Hollis: Hi Marlen:

I am guessing you are setting up a connector for GRC Access Control 10.0.  For this there are two parts.  The first part is under SPRO --> GRC --> Access Control --> Maintain Connector Settings.  Enter your connection to the SAP system, use the logical system name, type = 1 (SAP), Environment = Development.

The second part is under SPRO --> GRC --> Common Component Settings --> Integration Framework --> Maintain Connectors and Connection Types.

Here you need to define the connector as SAP type and fill in the target connector as the correct name of the RFC connector which connects to your ERP system.  Make sure you enter the local GRC system logical system name as the source connector and enter the target logical system name as the logical port.  The logical port is the critical piece.  Then define the connector groups, like SAP_R3_LG for the R3 systems, and assign the connector to it.  Then under SPRO --> GRC --> Common Component Settings --> Integration Framework --> Maintain Connection Settings, you must select integration scenario "ROLMG" for role management and make sure the connector is assigned under task scenario-connector-link.

Regards, Kurt Hollis
Ken Lauver: As a general post to all participants, the only portion of V10 content that I have any experience with at this point is the CUP template functionality, sorry.

While we are waiting for new questions I would like to discuss an opportunity to all of you.

I am trying to start a user based content library.  It could include:

  • SAP and customer reports used to monitor mitigating controls
  • Function and rule set additions for industry specific use
  • Tips and tricks similar to my use of templates to simplify CUP requests, and our tip that lets you customize the banner at the top of your AC screens to use your customer LOGOs etc.
  • Reports that you may have developed using 5.3's Data Mart capabilities
  • Others?

If you are interested in contributing and participating let me know at

While we're hanging out I would like to share one of my favorite SSM notes that provides a great guide to GRC AC information on the SSM site:

Scott Wallask: Hi everyone --

Do either of you have any best practices for creating a more transparent evidence trail in system and business process audits?


Bhavesh Bhagat: Hi Scott,

This is a very common and a must-have ideal need.  However, the question is very broad in terms of "transparent".  Can you please define or specify exactly what you are trying to audit and how you are trying to collect evidence, and we can help with tips for making the process more transparent and easy.  In other words, can you describe some "As-Is" so we can guide further.


Ken Lauver: Scott,

If you look at the attachments included with my presentations you'll find some step by step processes that we defined to standardize the audit and walkthrough requirements.

Each step is documented and specific evidence requirements are provided if required.

These may help you start up your own process.

Allison: For those of you who attended the conference, you can find Ken's presentation in the conference materials section of the website. It's listed under GRC 2011 Track 5.
Aja Norton: Hi

How can our readers perform a technical assurance audit within their existing SAP ERP implementation? And what do you recommend as essential SAP security and audit roles for technical audits?

Thanks, Aja

Ken Lauver: Aja,
That's a bit of a broad topic, but I'll answer by recommending an SAP Press book, since they are the hosts of this, named 'Surviving an SAP Audit' by Steve Briskie; there are a lot of suggestions regarding the necessary steps to prepare your system for an audit.

Bhavesh Bhagat: Hi Aja,

I have written an article on this for the SAP GRCExperts publication which should be helpful.  In the present conference there was a session that I did which also talked about this exact topic. - I don't have a link, but if someone from WIS can post a link to your GRCExpert publication or that article I think it would be useful here.

Basically in order to do technical assurance audits one would need to enable the Role Based Audit feature set within SAP.

Customize the technical SAP Audit roles to suit the company's needs and then assign them to the right users.

Scope the audit using the steps in the role based audit guidelines and then start the technical audit. 

One of the key challenges in technical audits is knowing where to find the needed technical information at the given point in time without going crazy.  The inbuilt SAP Audit roles come in very handy for narrowing down the scope here.

There are some extra steps involved in Business Audits and we will be documenting them in upcoming GRCExpert articles.  I highly recommend this GRCExpert publication to practitioners who might be unfamiliar with this excellent resource.

Allison: For GRC Experts subscribers, the article that Bhavesh is talking about is, "Ensure Success in Your Next SAP Audit with Standard Audit Features".
Laura Casasanto: Hi guys,

Any advice on first steps for building a compliance process that spans across all the business processes in a company (instead of just one business area)? What barriers to this kind of approach do you foresee?


Bhavesh Bhagat: Hi Laura,

In terms of building a compliance process spanning the entire company, here are my key thoughts from having been there, done that:

NOTE - All of the below we can't do if Sr. Management does not support the bigger-picture initiative, and they need to realize that compliance is the START and not the end.  It's the first step on the way to getting a good GRC process embedded in the company.

  1. Engage the business LOB managers upfront and build a case for what's in it for them BEYOND compliance.
  2. Prove your compliance success in baby steps by piloting your initiative, whether on AC/PC or even non-SAP compliance.
  3. Make sure the Pilot above becomes your "marketing" arm and spokesperson to engage other business units.
  4. Tweak and customize the tool/process to meet the needs of each business unit, then go forward phase-wise.
  5. Make sure the business OWNS the controls; hence, be it technical or business process, your compliance activities need to make them accountable, and you can't do this if they are not engaged upfront.
  6. Finally - Slowly make the case and expand from pure compliance into operational effectiveness.
  7. Perform the above cycle at a high level in one or two BUs and repeat and refine.

The above seems easy in bullets and steps, but trust me, executing this in real life is very hard.  There are two key ingredients of success, and neither of them is technical: Change Management (Cultural and Process) and Constant Communication.  These are must-haves for making Compliance embedded across ALL BUs and beyond.

At the next GRC conference I'd like to do a Round Table with a few customers to talk about their experiences on this exact question, and it should be very interesting to hear the differing pain points on the above.

Ken Lauver: Laura,

As a company of 130,000 employees that has done this let me make a few suggestions:

  1. Get management buy-in.  What you are undertaking will probably cause additional work for those who own the processes that you want to control!  You don't want to waste your time and company resources on a process that won't be adhered to.  It is sometimes better from an auditor's perspective to have informal processes than documented processes that aren't followed!
  2. First and foremost, take small bites!  One process at a time.
  3. Decide on a tool to use for your documentation.  There are many tools from the Audit Manager tool provided by SAP with all NetWeaver releases to plenty of third party applications.  Don't just start from scratch in MS Word.
  4. Get your processes documented before trying to jump right in to GRC Process Controls.  Then pick the processes that are best suited to automated controls and start there.

This is pretty basic, but it really is amazing how much work this can be.  We are still making changes to our processes after four years of use.

Good Luck!

It's nice to know that Bhavesh and I agree on this process!

Bhavesh Bhagat: Ken,

I agree completely.  It is funny, typing in from different points of view, how similar your and my observations on the above turned out to be.  Sounds like we could be separated compliance twins. :)

But the above is certainly a best-practices state to aspire to, and it takes a lot of patience and refinement to execute.

As we are getting close to the completion of this good, informative GRC Q&A, I want to thank all for participating, and if there are any questions beyond this, do not hesitate to contact me directly below:

Bhavesh Bhagat (Our GRC tweet) (My personal entrepreneurship tweet)
Lucy Swedberg: Hello,

Thanks so much for taking our questions. Another one for you:

For companies that see fraud as a significant risk, are there specific steps our readers should take to ensure a more accurate fraud risk assessment?

Much appreciated,
Thanks to all who posted questions and followed the discussion. A full summary of all the questions will be posted in the GRC Conference Group page.

And thank you again to our speakers -- Bhavesh Bhagat and Ken Lauver

Ken Lauver: Thanks Allison, maybe you should have a forum led by some of the V10 experts, if there are any :D

Let me know and I'll attend as a participant!
Allison: Thanks again to all those that joined the discussion.
