Sometimes the most valuable thing an IT organization can do for the business is to put more control in the hands of business users. Achieving this end — providing these users more autonomy and decision-making capabilities — certainly involves deploying the right IT systems and applications. But more importantly, businesses need to make sure the right people are receiving the correct level of access to those systems.
Levi Strauss & Co., a well-known clothing manufacturer of jeans and casual wear for over 150 years, has done just that by providing its business units with the ability to manage users’ access to the company’s SAP ERP system without relying on its IT organization nearly as much.
The key to this success was the business’s well-managed implementation of SAP BusinessObjects governance, risk, and compliance (GRC) solutions — the results of which include dramatically shorter provisioning processes, significantly fewer segregation of duties (SoD) violations, and a decreased number of complaints coming into the IT organization.
And Levi Strauss’s recent upgrade to the latest SAP BusinessObjects GRC solutions — it’s one of the first companies to implement version 10.0 — is intended to bring even more capabilities to its business users. The new solutions, which were slated to go live across Levi Strauss’s business units in May 2011, aim to improve the efficiency and productivity of the entire company, an organization that employs more than 16,000 people worldwide throughout three divisions based in San Francisco, Brussels, and Singapore.
Speeding the Process for Onboarding New System Users
Levi Strauss first went live with SAP BusinessObjects GRC solutions in 2009 — specifically for the functionality around access control, risk analysis and remediation, and compliance management. At the time, the process for giving users access to the SAP system was very IT-intensive. The IT organization first had to establish the level of access the business wanted for that new user and then determine if the new user’s access would create any conflict with other users or any SoD violations within the system.
It was a slow process, in part because there was a lot of back-and-forth communication between IT and the business side. Eric Peoples, Director of Global SAP Controls, Compliance, and Tools at Levi Strauss, says, “An IT person may not know the specific duties of the different types of roles in our company — such as an accounts receivable analyst, for example — so it can take a while for IT to figure out the correct access to provide users.”
In addition, the process of adding new users to the system included a review from both help desk personnel and the security team. The result: It took an average of 14 days to get a new user access to a production system in the SAP environment. And, according to Peoples, the IT organization was getting a lot of complaints from frustrated business units about the delays. Imagine hiring a finance employee who would not be able to access the finance system for his or her first three weeks on the job.
Giving the Business More Control
The IT organization at Levi Strauss did some research and found that by automating some of the onboarding process and designing specific workflows and rules — specifically leveraging SAP BusinessObjects Access Control — the task of bringing a new user onto SAP ERP could be put safely in the hands of the business units. This move would reduce the process from 14 days to as few as three, by IT’s best estimates. With that information in hand, the company’s IT leadership went to the controller’s group and presented a strong business case for a process redesign project that centered on both the access control and the business efficiency benefits. The project was endorsed by the controller and green-lighted for implementation based on the strong business benefits outlined.
“As soon as we got the project approved and underway with a joint IT and business sponsorship, we started a communication campaign to educate business users about the ability they would soon have to control users’ access rights and get expedited access to their data,” says Peoples. “We emphasized that the business units should own their data and control access to it — not the IT organization.”
The key to giving the business more control was standardizing user roles and permissions and building workflows and rules that guide users through the access process. Today, any user with a valid network ID can request his or her own access to SAP ERP, or do so on behalf of another valid user for a specific role in a particular department. After the user makes the request, the software automatically initiates a built-in custom workflow that requires one to three approvals.
“The end-state goal is that if you request access for an accounts payable clerk, no matter which business unit you work in, you will be provided with the same base level of functionality in the system that will let you do your day-to-day job as an accounts payable clerk — and we can achieve this without using an HR solution,” Peoples says.
Faster, Cheaper, and Safer Access
The efficiency of the new process has exceeded early estimates. According to Peoples, the time it takes to bring a new user onto SAP ERP at Levi Strauss has been reduced from 14 days to 1.42 days, on average. Nearly 65% of new users are granted access in less than a day. Streamlining the process so help desk and security personnel aren’t involved in every case has reduced the cost associated with bringing new users onto the system as well.
There’s an inherent risk in a process in which IT alone defines and grants user access. For example, an IT professional providing access to a new user may not recognize the risk of having too many people creating vendors in the system, but a business administrator in that area would immediately recognize the risk and limit access to that functionality based on roles. By using SAP BusinessObjects GRC solutions, Levi Strauss has lowered this risk and seen a dramatic reduction of SoD violations at the company — cutting the number of people listed with SoD violations by 99.4%.
“Previously, we lacked visibility into what our violations looked like,” says Peoples. “With the GRC implementation, we can now identify and remediate the few SoD conflicts that arise — because of job transfers and special cases — as well as put a process in place that has systematic preventive controls to help ensure our environment stays clean.”
The implemented workflow also routes those few SoD violations directly to the controller’s group so that it can work to resolve those issues without having IT serve as the middleman.
The Latest and Greatest in GRC
Because of its success with SAP BusinessObjects GRC solutions in recent years, Levi Strauss elected to be one of the first adopters of the latest version, 10.0. Perhaps the most important benefit of this new version is that it allowed the business to migrate to a single instance of SAP BusinessObjects Access Control. Previously, Levi Strauss ran two separate instances of the application to accommodate the different rule sets and business processes across the company’s divisions — for example, in Asia.
“Because Asia was our first region to go onto SAP BusinessObjects GRC solutions, the rule set was very vanilla. But later, during the US implementation, we customized the rule set more based on our global finance policy and operational risks,” says Peoples. “The new version of SAP BusinessObjects Access Control is a big advantage for us because it allows us to do parallel workflow where we can have two separate rule sets, and requests are routed via workflow based on the specific rule set for that instance.”
Another benefit Levi Strauss sees in version 10.0 is that it’s ABAP-based rather than Java-based. That switch, according to Peoples, will allow the company to do more of its own updates and customizations because it can leverage its internal ABAP expertise as a longtime SAP customer.
Going forward with 10.0, Levi Strauss plans to roll out some GRC functionality that it did not previously use, including SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management. The business also plans to get the most out of the new capabilities of SAP BusinessObjects Access Control, specifically the added functionality of the user access review feature and the improved central management of the super user privilege management feature.
“We have a number of user access reviews each quarter, and our business units told us one of their pain points was how cumbersome and manual our user access review process was,” says Peoples. “User access reviews took six weeks to complete, and even then, they weren’t 100% accurate because we had to pull data from static tables, and it was only at the transaction level.”
The new GRC version makes user access reviews more automated at Levi Strauss and lets business users either allow a person to keep an existing role or remove the role within the system. So the process is now faster and more auditable.
“Each business unit can decide for itself if a person who changes departments should still have access to his or her data,” says Peoples. “This change drives more ownership to the business, and these people now understand the power they have — and the value of it.”