In this interview, PwC's Brian Rizman and Jonathan Levitt talk with SAPinsider's Lucy Swedberg about changes in the GRC landscape and the growing need for a centralized compliance organization. Topics covered include:
- The need to tailor risk management to your specific organization
- How the GRC technology market is responding to the new risks organizations face
- The benefits of integrating Access Control and Process Control in the SAP GRC 10 environment
- Efficiencies gained by implementing SAP Process Control
Lucy Swedberg, SAPinsider: Hi, this is Lucy Swedberg with SAPinsider. We’re live in Orlando for our GRC 2014 event, and I’m very excited to be joined by two folks from PwC: I have Brian Rizman and Jonathan Levitt. Thank you both for joining me here today.
Brian Rizman, PwC: Thanks Lucy.
Jonathan Levitt, PwC: Yeah, thank you.
Lucy: So just to get started, can you give me a little bit of an introduction to yourselves, your background and experience?
Brian: Sure, of course, thanks Lucy. My name’s Brian Rizman. I’m a manager in our PwC risk assurance practice, with a specialization in SAP GRC technology, as well as security, risk, and controls. I’ve been working in this industry for about eight years now, and actually spent some time abroad in London, which is where I met Jonathan, so I’ve known Jonathan for quite a while now. I’ve had a chance to work with a lot of large multinational organizations to integrate and adopt GRC technology into their overall organization, and I have a couple of those projects going on at the moment.
Lucy: Great, nice, thank you. Jonathan?
Jonathan: Yeah, my name’s Jonathan Levitt. I’m also a manager with PwC, based out of our Orange County office, so yeah, I actually started life over in the UK, as Brian—
Brian: As you can tell.
Jonathan: And, yes, joined PwC there in Manchester, and that’s where I started, you know, my SAP career, and again, focused on risk, controls, and security, basically more on the technology side and also kind of focused on the controls aspect. But yes, I’ve had a lot of opportunities to work with some organizations with many different issues which we’ve had to kind of work around and find solutions for, so yes, yeah.
Lucy: So you obviously both have a lot of experience, so maybe we could start off with some common challenges or common trends you’re seeing across the clients that you work with?
Brian: Yeah, absolutely. As I’m sure our clients are seeing, and one of the reasons they’re probably here, there’s definitely an increased focus on regulations, and that regulatory environment, I would say, is overall kind of increasing. You know, we go back to the early 2000s, it was all about financial compliance and SOX, and organizations took years upon years to kind of get their arms around that, and I’d say most organizations have done a good job. I remember looking at audit reports with, like, three pages, four pages of issues; now we’re down to, like, you know, handfuls of them, if you will. But there are so many other things out there from a regulation standpoint, whether it be export compliance, FCPA, the Dodd-Frank Act, or whether there are operational centers like ISOs and things like that that companies want to comply with. There’s just such a further need for some kind of a centralized compliance organization to leverage technology to support them in navigating all of those regulatory requirements.
Lucy: Got it. Jonathan, how about you?
Jonathan: Yeah, no, I think in general, in terms of risk, that has changed, just as Brian was saying, because of all this, and really what organizations need to do, I’ve noticed, in terms of the challenges, is to tailor the risks that are being defined, you know, around the organization and what it considers and cares about as being a risk. And I think that in particular is one of the challenges: that organizations aren’t tailoring those risks and kind of finding those efficiencies, you know, in terms of being able to address specifically what they care about.
Lucy: Great. So you see these changes, these trends happening; how does that translate into their technology landscapes? Maybe what are some emerging things, projects, that you’re seeing there?
Brian: I’m seeing a lot more integration. You know, I’ve been talking to some new GRC technology customers even this week here at the conference, and they all obviously start with kind of Access Control as the beginning of their journey, if you will, but really we’re seeing so much more integration of Access Control and Process Control happening. You know, customers who’ve had AC for a while, have gotten their arms around it, and are fully integrated into the organization now want to bring PC on board, because if you think about it, at least from my standpoint, security and Access Control is just another type of business process control, if you will. So we’re really seeing that integration play out between the two and having this kind of holistic AC/PC landscape, now that they’re in the same environment with 10, which is really making that kind of integration more seamless, which is great.
Lucy: Great. It’s interesting because I know the PC product’s been out for a little while, but now it feels like there’s this new energy around it—
Brian: Yeah, absolutely, because it’s the same platform, you know what I mean; there’s no need to have a separate, you know, landscape and stuff like that. I think the integration’s there, you know, and I think organizations are realizing that and starting to take advantage of that opportunity.
Lucy: Definitely. Great.
Jonathan: Yeah, I mean, just to lead on from that PC element, I mean, you know, we talk about the opportunities that brings in terms of the automation of testing, etc., and really the leveraging of access controls, and actually leveraging that to create a more efficient environment, to streamline processes, to reduce controls, to really focus on what’s key. That is definitely something I see as a kind of project which has become more appealing to our clients.
Lucy: OK, so we have the trends, we have the changing technology landscape; if you were to grab an attendee right now and give them a bit of advice, something that you really think, from what you’ve seen across your experience, what might that be? What’s a salient point that they could really embrace?
Brian: I think not doing it alone is probably the advice I would give. I mean, I see some customers who are here alone, you know, and they’re kind of spearheading or championing the GRC agenda at their organization, which is great, that someone’s at least trying to drive it forward. At the same time, there are some organizations who have 12 people here, for example, and they’re not going at it alone, because I think the real value comes, you know, when you have so many organizations and pillars all bought in to how we can integrate this fully into the organization. That’s really when that ROI starts coming into play: if you’re going to have your financial controllership organization, your internal auditors, those from IT and security, your compliance people, you know, all kind of working together with a common platform, that makes it a lot easier.
Lucy: Right, and that tends to be when you get the most out of the investment too, the more that you have utilizing it.
Jonathan: And I would say take a step back, see where you want to be in three to five years, and basically put together that roadmap, so that, you know, you can select your GRC tool and you can implement it, you can take a phased approach in terms of that implementation, so that you know where, or how to get there, should I say. I see far too many people kind of in the detail, implementing tooling, without really considering, you know, that bigger picture.
Lucy: Bigger goal, right. Great, excellent. Some very helpful insights here, I thank you both for sharing them with me, again we have Brian and Jonathan, thank you so much, and again we’re live from GRC 2014!