In recent articles, we have been discussing the five most frequent SAP change control technology topics of discussion brought up with the team at RSC’s ‘Simplifying SAP Change Control’ booth at SAPPHIRE NOW Orlando 2011. To recap, these were:
No. 2: Degree of Automation
No. 3: Enforceability
No. 4: Ease of Configuration
No. 5: Cost to Implement
In this issue I drill down into the ‘enforceability’ topic discussing its importance in SAP change control technology and its value in reducing the risks associated with delivering change into SAP Production systems.
Topic 3: Enforceability
Enforceability was the third most frequent topics of discussion raised to our booth staff by those interested in or considering an SAP change control technology. There were two main components of interest.
The first being the technology’s ability to enforce users’ use of the technology (enforced use) and the second being the technology’s ability to enforce users to follow the change process and to adhere to any associated process rules (process and process rules enforcement).
Enforced use of the technology
In the first article, we mentioned that a benefit of ‘ease of use’ in a change control software was a reduced user temptation to create a ‘work around’ to create and promote changes outside the use of the technology.
Unfortunately there will always be users who would prefer a simpler, less controlled approach to change control and will look for ways to work around its use. An important question then for any new change control technology discussion is ‘Can the technology enforce its use?’. In other words, is there a way around using it?
If users can find ways to work around using the software, then there can be no guarantee that the software is aware of and thus controlling all change introduced into productive systems. This means no guarantee that the correct processes have been followed and / or the risks managed effectively.
Process and rules enforcement
Next is the matter of enforcing the process and/or process rules. Having created a change and being assured it is being tracked by the software can the predetermined processes and process rules also be assured to have been followed?
Let’s take a relatively simple process and set of process rules that takes a change from change approved through to completion with a number of status steps along the way that require change of status approvals, actions completed and/or documents prepared or signed off. If there is any way a user can avoid a step or avoid an action, then there is a fair chance they will. Unless the software can enforce the user to stick to the process then, not unlike the problems associated with unenforced use, an unenforced process presents similar work around issues.
Unless the means to enforce process and process rules is part of the software, then once again, there can be no guarantee that the process has been followed and thus no guarantee that risk has been managed effectively.
Things to consider
With change process control being an important component of an SAP IT organisation’s risk management strategy, it is very important that both use of the software and the following of process is effectively enforced.
Therefore, when considering the degree of enforcement available consider the following elements:
- Can users work around the software?
- Can all created transports required to be tracked and managed by the software?
- Are all preconfigured processes mandatorily enforced?
In the next issue, I’ll take a close look at the ‘ease of configuration’ question.