Panelists: Jan Gardiner, SAP
Date: Thursday, August 30
SAP’s newest versions of SAP Process Control and SAP Risk Management are planned for release in September. Join a Live Q&A with SAP’s Jan Gardiner, a speaker at the upcoming SAPinsider GRC conference in Prague, to hear about the new features and functionalities of the updates, from visual harmonization to functional enhancements.
Matthew Shea: Hello, and welcome to today's live chat on what's new in SAP Process Control and SAP Risk Management version 12.0. I am excited to be joined by Jan Gardiner (CPA), a Senior Director in SAP GRC solutions at SAP Labs, LLC. She is the solution owner of SAP Process Control for compliance and control management, responsible for product direction and go-to-market activities. She has been involved with compliance software at SAP for over 12 years and has worked closely with customers in a variety of industries and geographies.
Jan Gardiner: Matt, thanks for having me. And thanks to participants for joining — some of them even early.
For this chat, I'm going to avoid answering questions that relate to your specific system and prior versions.
Comment From Rambabu: Does this version of SAP Process Control contain any new features pertaining to SAP Celonis Process Mining?
Jan Gardiner: No, SAP Celonis Process Mining is a separate product that is not impacted by this upgrade. Of course, you can use this and SAP Process Control to get a better handle on your processes and controls.
Comment From Zanele: I have a question on SAP Process Control. I am relooking at the information within the SAP GRC system and need to know if it would be possible to extract all risk categories and risk template information into Excel so that we can analyze it and clean it out. Can this be done?
Jan Gardiner: This is a bit off topic, but I'll quickly answer that depending on your version you can extract selected information using the MDUG export capability.
In addition, consider getting the information from reports and dumping to Excel.
Comment From JHervey: We have mitigating controls set up with those controls we also use for management testing. Currently, if a control fails, it doesn't prevent the use of it as a mitigating control. Will this be linked in version 12.0?
Jan Gardiner: Sorry, there is no change in version 12.0 to my knowledge. But it is best if you check with support or solution managers on the SAP Access Control side.
Comment From JHervey: We have continuous controls monitoring (CCM) set for the year. Most of our system monitoring runs monthly, and the first month in the set runs without issue. The subsequent months don't run. Will this be addressed in version 12.0?
Jan Gardiner: Sorry, this issue sounds like a support problem. Please raise an incident.
Comment From Alex: What are the prerequisites and upgrade essentials?
Jan Gardiner: For this release, you are required to upgrade to SAP NetWeaver version 7.52 and SAP User Interface Technology (SAP_UI 752) Support Package 02. You also need to install component UIGRRMPC 100 (SAP Fiori for SAP Risk Management and SAP Process Control) and follow the configuration steps per the Security Guide.
Full documentation is available at http://help.sap.com/pc or http://help.sap.com/rm. Luckily, this is a "same-box" upgrade process, and no data migration steps are required. The only requisite configuration is for additional functionality and setup of SAP Fiori.
Comment From Miguel Núñez: How much of an impact will SAP GRC 12.0’s new interface have on end users and consultants? Will most of the functionalities be migrated to SAP Fiori apps, or will the upgrade process be more in the direction toward SAP Fiori launchpad linking old SAP NetWeaver Business Client (SAP NWBC) applications with an SAP_Belize theme?
Jan Gardiner: Well, it's true that we will use more SAP Fiori apps, but we also have Fiori-like screens (similar in layout and colors to SAP Fiori). But that's very easy to get used to. You can choose to use the SAP Fiori launchpads or keep SAP NWBC.
Note also that some applications such as SAP Process Control's manual control performance and the new manual test of effectiveness require SAP Fiori.
Comment From Hugh Fraser: What do you see as the top three benefits organizations would get from a migration to version 12.0?
Jan Gardiner: Speaking primarily for our topic SAP Process Control and SAP Risk Management 12.0, I would point out the visual harmonization (that is, applications with a more modern, SAP Fiori look and feel that are easy to personalize and more in line with other SAP S/4HANA applications) is one.
In addition, there are a number of functional enhancements: risk aggregation, more flexible CCM, connectivity with SAP S/4HANA Cloud, etc.
And finally, there are performance enhancements.
Comment From James: What are the biggest changes in functionality in SAP Process Control and SAP Risk Management 12.0 that will make it more attractive to potential customers?
Jan Gardiner: This overlaps with the question above, so let me just add that I like the personalizable SAP Fiori screens and the new SAP Fiori-based manual test of effectiveness and related overview page graphics.
And for SAP Risk Management, I think it's great that risks can automatically be aggregated so that when an underlying risk changes, the aggregated amounts change.
Comment From Steve Biskie: Jan, can you speak more to the flexibility improvements in controls monitoring?
Jan Gardiner: Hello, Steve. Of course.
First of all, you can now use CCM rules and manual test plans together. So the business rule can return results and exceptions that you can use as the basis for your testing. After you complete the test plan, you have both together.
Also, you can now run CCM business rules standalone — that is, without assigning them to controls. And with the latest support package for version 12.0, you can also see a separate queries work center for easy execution of business rules.
Comment From Mike B: Do you have version 12.0 release notes detailing the new SAP Process Control features. In the past, this had been done to help companies become more aware of features versus stumbling across the features or finding out from other companies. For example, I was intrigued by "more flexible continuous control monitoring," but did not know what this meant.
Jan Gardiner: This information is all available at http://help.sap.com/pc in the 12.0 area and related links.
Comment From Alan: Are there any major improvements to SAP Process Control reporting or analytics?
Jan Gardiner: Well, performance has been improved for sure. In addition, there are some new SAP Fiori-based reports such as Monitor Issue Status and an enhanced Monitor Control Status. The overview page for manual test of effectiveness shows some nice graphics with details.
Comment From Emily Damson: You mentioned that we can choose to use the SAP Fiori launchpad or keep SAP NWBC. Is it an either-or situation? Can we use both? And as a follow-up to this question, if we choose the SAP Fiori launchpad, what about all the other links in the different tabs (such as master data links)? How are those accessed?
Jan Gardiner: Yes, you can do both. In my demo system, I access SAP Fiori with one link and the traditional SAP NWBC with another link.
And with the SAP Fiori launchpads, you can set them up how we want them. To ease the transition with our demo system users, we set them up similar to the SAP NWBC work centers.
Comment From Carolyn Linton: How many SAP Process Control users are on the early adoption program, and how has their experience been?
Jan Gardiner: I don't know off the top of my head, Carolyn, but we maxed out for all three products. I believe we had around 10.
As for any early adoption program, the users are all in various stages of implementation, and certainly, they've found some issues, but not many. I think it's looking good, and I believe we are still on target to release on September 21.
Comment From Guest: Hello, Jan....Is there a full list of functionality or screens that will transition to SAP Fiori in version 12.0? What is meant by the "new" MTOE (manual test of effectiveness)? Is the functionality redesigned as well?
Jan Gardiner: I think it is best for you to check out the help links I provided earlier. As I mentioned earlier, not all existing products became part of SAP Fiori, but everything that is not part of SAP Fiori became "Fiori-like."
And, yes, the "new" MTOE was completely redesigned in SAP Fiori. So it now includes more information, more color, and an overview page called My Compliance Tasks with graphics showing status, due dates, and results.
Comment From Carolyn Linton: Are there any new predelivered dashboards?
Jan Gardiner: The new My Compliance Tasks overview page I mentioned for manual test of effectiveness is essentially a targeted dashboard. That's it for SAP Process Control and SAP Risk Management 12.0 at this time.
Comment From James Low: It doesn't appear that there are major changes in functionality then. Why should companies that don't currently have SAP Process Control and/or SAP Risk Management replace their current systems and implement either or both of these applications?
Jan Gardiner: Well, there are some important differences if you need and want them, but keeping on a current version will ensure that you get the latest features. We are continuing to add enhancements in support packages, and most of those will not be backward compatible.
Comment From Carlos Ochoa: Hello, Jan. What is the difference between CCM and legacy control monitoring? And how many new automatic controls does version 12.0 have compared with version 10.1?
Jan Gardiner: Hello, Carlos.
Well, that's kind of an old question. Legacy control monitoring used the rule engine from SAP Process Control 3.0. That was on its way out when SAP Process Control 10.0 was introduced. Since then, we've got about 55-60 delivered automated business rules specifically designed for the 10.X rule engine.
Comment From Miguel Núñez: Will the Monitor Issue Status SAP Fiori app be able to replace the old work inbox interface? I am asking if it will be possible to assign the different status to line items after opening a remediation plan. This would be a huge step forward for end users.
Jan Gardiner: Not really. That's essentially a report, whereas the work inbox includes all tasks for a user of SAP Access Control, SAP Process Control, or SAP Risk Management regardless of whether they are related to issues or not.
Thanks for the comment, though.
Comment From Srikanth Rama: Does SAP GRC 12.0 support CCM with graphical views set up on SAP HANA? This functionality is not supported with the current version.
Jan Gardiner: If you are talking about SAP HANA studio calculation views, SAP Process Control and SAP Risk Management 10.1 and beyond support them. However, you should know that we are moving to Core Data Services (CDS) views.
Comment From Jon Pryor: In future support stacks with version 12.0 will the plug-ins be backward compatible for version 10.1?
Jan Gardiner: To my knowledge, yes, but I admit I don't memorize plug-in versions and such. I think it is best to get the latest information from our various help documents.
Comment From Steve Biskie: Are you seeing or hearing any interesting use cases that might not be initially obvious? For example, at the last GRC conference, Eli Lilly talked about how it was using SAP Process Control to monitor GRC itself (for example, did the interface job between GRC and ERP complete successfully), which is an interesting, but obvious use case. Any other interesting use cases you are seeing or hearing?
Jan Gardiner: Well, I've heard of companies using it as a tool for auditors (whether or not they have SAP Audit Management). One auditor I talked to runs business rules from a sandbox, but accessing production data because production is locked down. I thought that was pretty novel. Of course, the standalone business rules and Queries Center will make that even easier.
And I have an example of using SAP Process Control business rules with SAP Enterprise Threat Detection to get a better handle on possible data breaches for General Data Protection Regulation (GDPR) compliance.
Comment From Emily Damson: Are there any changes or improvements to user replacement or assignment functionality in SAP Process Control (meaning assignment or replacement of control or organization owners)?
Jan Gardiner: Thanks, Emily. I had forgotten to mention the new mass role assignment/replacement functionality for entity-level roles within the application (that is, not using transaction code PFCG). It's actually a pretty interesting way to replace n:n with, of course, the ability to review and confirm your choices.
This won't be the last you hear from us on how to make this easier.
Comment From Miguel Núñez: Is there somewhere in the roadmap of GRC that explains how to have a work inbox functionality in SAP Fiori (I know there is some Inbox generic app for an SAP system), or we are likely to keep in the current SAP NWBC application?
Jan Gardiner: Well, it's been discussed, but not specifically in the roadmap. Of course, you can access it from the SAP Fiori launchpad, but when it comes up, the screen is Fiori-like.
Comment From Jon Pryor: For the ramp-up customers, what are some of the strategies they used for implementing the plug-ins on the back-end systems (assuming they are on 7.50 and above SAP NetWeaver version)?
Jan Gardiner: I'm afraid I haven't had specific conversations about this, and of course, during an early adoption program customers proceed at different rates. So I just don't know yet, but I'll try to find out.
Comment From Emily Damson: Based on what we're reading about new features on SAP GRC 12.0, it appears that the ABAP scenario business rules will allow monitoring of values. Does this improvement mean that this scenario is no longer "review required"?
Jan Gardiner: Sure. It's a separate entry point, and you select a business rule, choose the fields you want to show, put in filter and deficiency criteria, and then run the rule ad hoc. You can download results.
And yes, the "review required" becomes optional.
Comment From Prashant Agarwal: Jan, Is there a change/modification in Adobe form support?
Jan Gardiner: SAP Interactive Forms by Adobe remain fully available in version 12.0 of SAP Process Control and SAP Risk Management. There are no changes.
Comment From Srikanth Rama: Does SAP GRC 12.0 offer inclusion of other organization level values in Organization-Level System Parameters (OLSPs) apart from the four organization values currently given as part of standard functionality?
Jan Gardiner: I suspect you're on an older version of 10.1 or lower. With the introduction of business rule parameters, you can define your own parameters, and it can greatly decrease the maintenance of business rules that can be deployed across multiple organizations. For more information, go to the help.sap.com/pc area.
Comment From Prashant Agarwal: Are there any changes or enhancements in embedded search boundaries?
Jan Gardiner: There is nothing in version 12.0 about this. Have you raised an enhancement request? If so, I hope you added to the Customer Connection project (it's now closed).
Comment From Nagendran G: Is SAP planning to provide a set of predefined CCM controls or business rules for SAP HANA in SAP Process Control 12.0?
Jan Gardiner: SAP does not have anything specifically for SAP Process Control 12.0, but we are working on getting more content for this.
Comment From Carlos Ochoa: This year the Rapid Deployment Solution (RDS) for SAP Process Control was not available any more, do you know if version 12.0 will have an RDS solution, or will it offer something similar?
Jan Gardiner: We have no plans to update or create an RDS solution. The old one can still be had, wink, wink.
Comment From Nagendran G: In SAP Process Control 12.0 has SAP provided additional monitoring features in an SAP HANA sub-scenario? As of now most logic is built in calculation views and building BRFPlus logic within GRC has limitations. If so what functionality is planned for SAP HANA monitoring in version 12.0?
Jan Gardiner: There are no specific changes to that sub-scenario yet in version 12.0. However, I know that when I design the logic of SAP HANA queries, I rely on that rather than BRF since SAP HANA is more robust and orders of magnitude faster.
Comment From Naveen: Do we still need to have a separate TREX server to use embedded search functionality in version 12.0 with SAP HANA?
Jan Gardiner: To my knowledge, there is no change there. But I can check for you and get back later.
Comment From Nagendran G: Scheduling CCM control jobs using external tools is not currently available in version 10.1? Has this functionality to schedule CCM jobs using external tools been provided in SAP Process Control 12.0?
Jan Gardiner: No, external support for scheduling is not provided. However, little by little we are enhancing the behavior surrounding creating and maintaining CCM jobs.
Comment From Emily Damson: Regarding SAP HANA, the direction we've received (from SAP) is that the SAP HANA views should be built as graphical views, which is what our business has been doing. As such, those views are not currently available to SAP Process Control because analytical views are currently supported in version 10.1. Is there going to be a movement to support graphical views as well?
Jan Gardiner: To my knowledge, no. As I mentioned, we're using SAP HANA calculation views for business rules. And CDS views are coming.
Comment From Carolyn Linton: Is CCM just for an SAP system, or does it cover external systems?
Jan Gardiner: CCM can be used for external systems, provided you have either a purchased connector for each system or you use the web services. We provide the inbound web service, and someone on your side needs to create the outbound service.
Comment From Miguel Núñez: Any changes in the alignment between opportunities and risk functionalities? Currently, it is not possible to open a new Opportunity if it is not coming from an Opportunity template
Jan Gardiner: I'm not aware of anything specific in version 12.0, but I'll check with our SAP Risk Management solution manager to be sure.
Comment From Nagendran G: To add on, can we schedule CCM jobs from a back-end GUI in SAP Process Control 12.0 rather than from the front end?
Jan Gardiner: Well, ultimately it is scheduled on the back end, but we do it from the SAP Process Control front end, as you know. There is no change in version 12.0.
Comment From Nagendran G: To convince us to move to SAP GRC 12.0 from version 10.1, which are the most important functionalities that you would place in front of us?
Jan Gardiner: I believe I answered up above, but to summarize:
- New SAP Fiori and Fiori-like screens
- New functionality for SAP Process Control and SAP Risk Management, including risk aggregation, manual test of effectiveness changes, CCM enhancements, and mass role reassignments
- Performance enhancements
- Additional Support Package enhancements to come
- Extended product life until 2024
- And CCM and key risk indicator (KRI) connectivity with SAP S/4HANA Cloud.
And if you want to upgrade to SAP Access Control to version 12.0, that's a whole separate topic.
Jan Gardiner: All, thanks much for your questions. I really appreciate your interest in SAP Process Control and Risk Management 12.0.
Matthew Shea: Thank you, Jan, for all your insightful answers.
Jan will be discussing this topic at SAPinsider GRC 2018 in Prague, October 16-18, in her session “Breaking news: SAP Process Control and SAP Risk Management upgrade.” For more information about this conference, click here.