Simplification in Governance with SAP GRC version 10.0
Governance, Risk and Compliance for any organization has always meant stronger controls and fewer risks across the business. But how much effort we really spend on this is hard to account for. The new release, version 10.0 of SAP GRC, is a tremendous effort from SAP to reduce our effort and simplify our work. Here are a few examples of how life becomes much simpler at work for a GRC stakeholder (consultants, IS team, internal auditors, business process owners, CXOs) with version 10.0 of the SAP GRC suite.
Point 1: Bundled Together
Typically, for a complete governance model one would need to implement the 3 core components of SAP GRC, namely Access Control, Process Control and Risk Management. The 3 components were never deployed together in the earlier versions, SAP GRC Access Control 5.3 and PC & RM 3.0. With the new release 10.0, all 3 components can actually be deployed in one go. There is now a lot of sharing between them because of the common technical platform, NetWeaver ABAP, including in terms of the IMG activities. The 3 components can share a common:
- Master data
- Reporting settings
- General Settings
What we mean by the above 4 points is that we now have a common set of master data across the 3 components of SAP GRC for risks, controls, business processes, sub-processes and organizations, and we can also define a common reporting setting in all 3 of them. This simplifies the software and our work much more than before, reducing redundancy when going for all 3 GRC products.
Another point to note here is that while deploying the 3 bundled software products of SAP GRC in version 10.0, we can configure them together, with customizations being made at application level (for AC, PC & RM) or at regulation level (for PC).
Point 2: Content Life Cycle Management
Documenting and revisiting existing policies and controls has always been a challenge for a lot of organizations. As we grow, the policies and controls need tweaking and additions. Content Life Cycle Management is a new feature introduced in version 10.0 to help us put all our controls, risks and remediation plans in one central place. The best part about it is that we can also import and export this content as we upgrade or migrate from a legacy application, thereby making sure that we never lose any remediation plan or action in the history of an organization! The content can be added not only by the organization itself but can also be contributed by a service provider or external vendor. This feature opens the door for industry principals to contribute to setting up the right technical standards and making them available to organizations. Needless to say, organizations will benefit significantly from not having to re-invent them.
We often dreamt of industry-specific GRC standards at a detailed technical level being made available to us. Here is now a feature to work towards that.
Point 3: Unified Accessibility
All the screens look alike now. There is no difference as we navigate from the AC to the PC or RM screens. We also have a single launch point, with all 3 components sharing a common WorkCenter. It is like having 1 email instead of 3 now :). The authorization is so well maintained across the 3 that we get to access only the components that we are authorized for.
Point 4: Customization in Reporting
There has been a great enhancement in the flexibility a user has to generate reports as per his/her requirements. In the new version 10.0 we can now create reports without writing any code and publish them in BusinessObjects as Crystal Reports. There are more reporting options in the tool as well, because the data mart feature in SAP GRC version 10.0 is enhanced to send data into various reporting formats. These formats, ranging from Xcelsius dashboards to Web Dynpro based reporting, can meet the requirements of different stakeholders in the organization.
Point 5: Common Components and link between Access, Compliance & Risk
Apart from the newly introduced common Content Life Cycle Management (CLM) feature, we also have 2 more common components across the SAP GRC version 10.0 products. These 2 components are:
- Policy Management
- Ad-hoc Issue Management
The first component helps us create, approve and manage our policies and link them up with the right control and person. Once a policy is accepted, it can regularly be checked for compliance through surveys and assessments.
Very often issues come up which affect our controls or become a risk, and we need to remediate them. The second component is useful for handling this situation and gives us the opportunity to link the issue with the process/sub-process, organization and risk.
With the evolution of the new SAP GRC 10.0 suite we see a strong link emerging between risk and controls, agnostic of the 3 components of the suite. The GRC solutions from SAP will no longer work in silos but will be closely linked, to reduce effort and bring in better risk management by increasing visibility.
More to follow soon,