PwC's Ray Mastre and Pete Hobson discuss trends in governance, risk, and compliance on the sidelines of the GRC 2014 conference. Included in the discussion are:
- Trends in the business that are driving risk management practices
- The cost of inefficiencies in the GRC processes
- The benefits of having IT and business aligned in GRC projects
- The challenges of automating GRC processes
- Who should own GRC processes and projects
View the video, and read the edited transcript of this conversation with Ray Mastre and Pete Hobson here:
Lucy Swedberg, SAPinsider: Hi, this is Lucy Swedberg with SAPinsider, we’re here live in Orlando for our GRC 2014 event, and I’m pleased to be joined by two speakers, both from PwC. I first have Pete Hobson, and Ray Mastre. Thank you both for joining me.
Ray Mastre, PwC: Thanks for having us.
Lucy: I was hoping you could start off just introducing yourselves, telling me a little bit about what you do and a little bit about your experience.
Pete Hobson, PwC: Absolutely, Lucy, so I’m a director at PricewaterhouseCoopers, based in New York, and my specialties and focus over the last ten years have been SAP security, design, redesign, and GRC Access Control and IDM implementations.
Lucy: Great, thanks, and Ray?
Ray: Yes, and I’m also a manager based out of New York; I’ve been with PwC for nine years, and I also focus in SAP security, design, and redesign, so Pete and I have very similar core competencies.
Lucy: OK, great. So I know you are both presenting here this week, so maybe you could tell our audience a little about your topic, what you presented about, and maybe some initial feedback that you got from your sessions?
Pete: Absolutely. So my session was a lot about IDM/GRC integrations, role redesigns and how they drive value for the business, beyond just IT. So a lot of the session was what can you do to standardize the tools that you use, the roles that you use, and the processes and the people that you have, in order to be able to better administer your SAP security environment.
Lucy: And it went well?
Pete: I hope so.
Lucy: Any feedback or common questions that you got from the audience?
Pete: Yes, a lot of the questions focused on sustainability and scalability of the design, so one thing was getting the tools in but another big concern was what do we do after we get there, and how do we maintain and continue to receive the value of the solution.
Lucy: Great. And Ray?
Ray: So, I had two sessions. The first session was the basics of SAP security and the basics of SAP GRC, and actually I was personally surprised by how many people came, it shows that there’s still a big market for people that are moving into the GRC world, and there’s still a lot of people, let’s say in internal audit or in the business that really, this is still a point of focus. So we had very strong attendance, almost 130, 140 people came. And then feedback was strong, and then the second session was an advanced session and that session was really beyond the basics, and so it wasn’t just you know, your grandmother’s SAP GRC course, this was the serious stuff, sort of the leading practices or the cutting edge things that we’re doing at clients to help solve the problems that they’re experiencing and the difficulties that they encounter in their organizations.
Lucy: Great. So let’s dig into that point a little bit more, whether it’s here at the event or just in the work that you’re doing, are there any sort of trends out there or things that are happening in the business that are really making security top of mind for these organizations?
Pete: Ray, do you want to take that one first?
Ray: Sure, so, you know, I think obviously compliance is always an issue, and so I think the cost of non-compliance can be pretty brutal for some of these companies, so that’s always going to be a point of focus, but one of the things that we have seen an overarching trend of is just inefficiencies. And just the amount of time and you know, FTEs, the amount of people that they’re spending on compliance, it’s just inefficient, and when you see tools like GRC that really have that ability to eliminate those inefficiencies, it’s really gaining that knowledge of how you can make the process not just good, but great.
Lucy: Got it.
Pete: You know, it’s a really good point that Ray brings up; a lot of people in the past have viewed these types of exercises as compliance only, so something that slows things down and makes them inefficient. And really what you’re starting to see in the market is people are realizing, you know, there is a business benefit, right, that everybody gains from these exercises. So compliance is certainly one of them that makes that easier, but you have IT that can run leaner shops, use less people, drive more automation, and then you also have the business that gains, because at the end of the day, they’re seeing less downtime, so they’re better able to do their jobs.
Lucy: So it seems like what you’re saying is sort of a key would be to make sure that both IT and business are at the table and committed to these types of initiatives?
Pete: Yeah, absolutely, because what you’re looking at is you want to see alignment across the board, right, these types of exercises if you treat them as IT only, they’re going to fail, because the business knows what it needs, it knows what it wants, and they have to work with the IT that know the tools, that are able there to bring it together and get them to where they’re willing to go. It’s definitely something that we’ve been seeing a whole lot more of because of GRC Access Control and similar products, where now the tools are available and they’ve made the things that were traditionally IT more business-facing and more business-focused. As a result, the business now needs to spend more time understanding what those are, and IT needs to drive to make it more business-friendly so that they consume it.
Lucy: Got it. Great, so I know there’s a lot of different people out there, our readers, attendees here who have a whole different array of challenges but maybe if you had to think of, from what you’re hearing here at the conference, what are your top one or two pieces of advice or things that you’d really encourage SAP customers to consider as they’re moving forward?
Pete: You know, I think one of the big things coming up is automation, right, so you’re going from this place where people were analyzing access in the past, and now they’re getting towards a spot where they’re trying to do automated provisioning and start doing end user and business self-service type activities. So then that’s very consistent, is, how do we do this, what are the right tools to get us there, and you know, what are some of the key things that we need to consider if we’re going under one of those types of initiatives?
Ray: Yeah, and from my side, I think the key word and the key message from my side is ownership, so who actually owns these items, so a lot of the things, a lot of the people that we see here are all IT people, and one of the biggest complaints they come to me with is, “I should not own these projects. I might drive them, but I shouldn’t own them.” So that’s a challenge, and you really need to make sure that these projects, in order to be successful, are not just driven by IT, they’re driven by the company as a whole and namely, a mixture of the business and IT.
Lucy: OK, great. So, some great insights, I thank you both for joining me here today, Ray and Pete, and again we’re here live in Orlando for GRC 2014. Thank you so much.