Skip to Content

3/Nov/2016 blog updated for re-tagging due to SCN migration

On one of my first projects as the lead architect I needed to prototype GRC. I had supported GRC components before (albeit 5.3 version), attended the GRC300 training course and passed my certification. I was excited: finally a GRC 10.0 implementation. I was at a client and they had a need for it. I had the skill and enthusiasm to see it implemented. The client accepted my business case of lowering user administration and support cost, and I had the confidence to see this project through. Fantastic!! Woo-hoo GRC implementation here I come!!!!!!!!

Before I got my hands on the system, the business-process minded part of me had mapped out the strategy and approach. I put pen to paper and drew up my view of the access control processes: who would approve and what would they approve. My design integrated as much of Access Controls as possible.  I found my Internal Controls buddy to assist me in keeping this business orientated: yes I found my first friend. I realised at the beginning, this implementation would not be possible if my team did not include a business stakeholder who could define business requirements and help design what an unacceptable risk to the business is and what the business was prepared to do about it. This friend of mine came from an Audit background (yes, auditors are friends too!) and could provide valuable input on compliance requirements we needed to adhere to.

We were able to work together to not only define the process but identify the roles and responsibility (in the form of a RACI model). In doing this, we identified organisational changes which then led me to another group of friends known as the Change Managers.  We have not even got the system built and I am now spending more time with an ex-Auditor/Internal Controls expert and a Change Manager to properly define how the business would use GRC.  The Change Manager then asks ‘Will end users be impacted’? Well, of course they will be as we are trying to automate user access provisioning and we have segregation of duties and risk and so on. My next group of friends became the Trainers. Internal Controls, Change Managers and Trainers oh my! And still no system!

It came time to submit the high level design for approval. My awesome pretty crap process designs were too high level. What I thought was three or four business processes were rebuilt by my next friend: The Business Analyst. This friend knew how to model business processes and took my diagrams (really PowerPoint slides) and broke them down to a much lower level. The business analyst identified logical gaps and incorrect assumptions without even knowing what GRC is (that soon changed).  Had this friend not stepped in at the beginning I would have been in a world of pain with the workflow configuration and ultimately resulted in rework, project delay and additional cost.

Finally my system was built by my friend Basis. This team became my first-and-best-techy-friend (hey they always are). Until I started GRC, I had never raised a SAP message incident (I did not even know how to).  SAP Marketplace and SCN contained my answers so it was never necessary. However, solution to most of SAP incidents I raised was in the form of a heap of notes and support stacks to apply and Basis were there for every step of the way. In addition, I had them assist me with appropriate system settings: system parameter; RFC connections; trusted systems; LDAP connections and NWBC. Yes, I could go configure them myself but if this was an ERP system would a Functional Consultant be allowed to do the same?

As I started to prototype the solution and came across the business workflow I learned more about the flexibility and powerfulness of GRC. I was able to configure MSMP (I’m quite a fan of it) but then I realised, it would be great to make friends with the Workflow and ABAP Developers, especially if they have the BRF+ skills and pick their brains. These developers would know how best to configure the workflow rules (do I use a decision table or a case statement?); build new launch pads and customise screen layouts. They would have a great naming convention for custom objects. They would also allow me to sit and help debug to find why I am getting that short dump (i.e. confirm I need to raise a SAP incident).

I continued to prototype and refine some of the design as we all discovered what the system would be capable of. It then dawned on me how best to document the configuration and build. I reached out to a new group of friends and they were Functional Consultants who worked on the ERP system. My view was: we might be configuring different systems but we’re both doing configuration via IMG and maybe there is something I can leverage from them (via our Solution Architect).

So before I even go to the development system, I became friends with Internal Controls; Change Managers; Trainers; Basis; Workflow and ABAP developers; and Functional Consultants. Most of my friends were included on my project plan so that management knew up front the true effort and people necessary for a GRC implementation to be successful. Management knew that GRC was not a support tool but enabled business process. Internal Controls was my key business representative who had their own set of friends to determine business requirements that I could translate to technical deliverables.

My motivation in finding friends was a concern I had: if I relied only on my own skills we may deliver a workable solution but it may not be the most effective and efficient solution. Without calling on all friends here, I might have a solution that works for day one but what happens next year or the year after? What happens when business requirements change? What happens when support stack and enhancement packs are necessary?

I’m sure there are more friends. Had I continued on this project I would have met up with Change and Release Managers to migrate changes and thinking through planning for enhancement packs, system refreshes and overall landscape design in conjunction with Basis. Oh, and if you’re wondering why no security – I did not forget them as that was me.

My advice – depending on the size of your project you may not need all these friends. Consider them in your planning based on your own strengths and weaknesses. Leverage where you can as it will benefit your solution in the long term.

Do you have any recommendations for who’d you make friends with and leverage for a successful GRC implementation?  I would love to hear your thoughts in the comments below.

Regards

Colleen

P.S. I would like to make a special thank you to Gretchen Lindquist for all your valuable feedback and encouragement to me for this blog.

To report this post you need to login first.

27 Comments

You must be Logged on to comment or reply to a post.

  1. Steve Rumsby

    Your experience is very much like mine. Our GRC implementation was a team effort, including technical, business analysts and auditors. Of all those, I would say the most important were the auditors. I pride myself on being fairly devious when it comes to testing software to breaking point and beyond, but I was nowhere near as devious as our auditors at breaking financial controls and that input is really important in such a project 🙂 . I learned a lot…!

    Steve.

    (0) 
    1. Colleen Hebbert Post author

      Hi Steve

      Amazing what some Internal Controls experts can find. I have noticed as SAP products have matured auditors are past checklist approach and raising a red flag because an asterisk was put in an activity field of an authorisation.

      I find the auditors/internal controls form a large part of the business case but the business analyst was essential for me as I became too caught up in the product and did not realise the number of assumptions I made resulting in decision points lacking the secondary outcome or processes going to nowhere.

      Even if you know all three topics you still need a subject matter expert to ensure GRC is meeting the business requirements. I am concerned so much focus is on getting the tool to work that is does not actually manage risk properly and forms a false sense of security or a tick in the checkbox for compliance activities.

      Colleen

      (0) 
  2. Madhu Babu Sai #MJ

    Hi Colleen,

    After going through this blog, I understand how I am working up to now and how can I improve myself as consultant by interacting with different people and sharing knowledge as part of GRC design and implementation can bring the best out of the implementation for client 🙂

    Thanks for sharing this 🙂

    Regards,

    Madhu.

    (0) 
  3. Gretchen Lindquist

    Colleen,

    Thank you for the kind mention. I am glad I was able to help.

    I hope everyone who has not yet started their GRC10 implementation/ migration reads your post. I certainly wish we had read such a post before we budgeted our current GRC project. We badly underestimated the demands we would be making on our ABAP resources. We had this foolishly optimistic idea that, 2 years after going GA, that this solution would be more mature and stable than it turned out to be. We certainly did not anticipate putting in hundreds- yes, HUNDREDS- of Notes, manual corrections, pre-requisite corrections, reverting corrections that made matters worse instead of better, and  re-implementing corrections with their new version, and on and on. Our experience is the same:  we would not be anywhere near our GRC10 go-live without the help of the friends you listed. Thanks for a very informative post.

    Cheers,

    Gretchen

    (0) 
    1. Colleen Hebbert Post author

      Hi Gretchen

      We’re all still waiting on your lessons learned blog. It will be a great read to see how you implemented GRC.

      Cheers

      Colleen

      (0) 
  4. Deepanshu Sharma

    Hi Colleen,

    A successfull work always happen with great team efforts and you blog gave a good word for your teams and friedn.

    Yes with work team and friengs moves in / out as well. Good blog

    Regards,

    Deepanshu Sharma

    (0) 
  5. Ursula Gruen

    Hi Colleen, as you asked me to do so – I am doing it here… I did not originally comment on your blog, as I was only pointed to it during the discussion.

    Ok – so the point to start from:

    I am not a GRC person, I am not a passionate blog reader, I do not know you personally.

    So from that point of view, I would have preferred the story to be shorter and more to my personal point of interest. And that is – how do you involve people successfully to make a common vision come true.

    However – as said, this is my personal point of view… Would I know you personally, I would probably be more interested in your background story around it.  Would I be a GRC person, I would probably find the GRC content the most exiting one about this blog. Would I be a passionate blog reader, I would probably love your writing style.

    So – it all depends…

    Is that of any help to you?

    All the best,

    Ursula

    (0) 
    1. Colleen Hebbert Post author

      Thanks Ursula

      You did make a valid point.. something I can find myself to be guilty of and that is length

      When I write, I do have to remind myself of the quote “I didn’t have time to write a short letter, so I wrote a long one instead”.

      Other feedback I have received (externally) is to try to be more visual – break it up with pictures and diagrams. I am terrible at this as I am not a visual person 🙂 …but it is a skill I need to develop.

      Both of these are ideas I will consider in future to reach my audience

      Regards

      Colleen

      (0) 
      1. Ursula Gruen

        Colleen, I love that sentence:

        I didn’t have time to write a short letter, so I wrote a long one instead.

        A former colleague used to say to me that he learned at Heinz (if I remember correctly) to give a presentation with just 5 bullet points. He said that this was the general rule there to make sure that people really come to the point.

        Regards, Ursula

        (0) 
        1. Colleen Hebbert Post author

          5 bullet points – if only this colleague could have reached out to the world so we didn’t experience death by Powerpoint. It is frustrating when someone mistakes Powerpoint for Microsoft Word.

          (0) 
          1. Gareth Ryan

            The hardest challenge for me with writing is keeping it short – verbose is definitely my middle name!


            Colleen Hebbert I’d definitely say think about adding some pictures or diagrams to your writing as IMHO it really helps break the text up and improves the readability, as the view doesn’t just see a slab of text.  I use CC Search to try and find images I can use to pick out key points in my blogs.  Not sure how successful I’ve been so far of course…

            (0) 
  6. Gowrinadh Challagundla

    Hi Colleen,

    You have taken me almost 10 years ago, learning to work as a team. Its been almost two years since I have read a blog in SCN and I found this one interested to read. You made be come back to SCN. Time to research and learn what missed for last couple of years.

    You do have good story writing skills 🙂   and I am sure some day you will get the visual skills as well.

    Regards,

    Gowrinadh

    (0) 
    1. Colleen Hebbert Post author

      Hi Gowrinadh

      😎 thanks for the compliment here and I hope you stick with SCN as I have observed it has evolved a fair bit in the past 18 months. I too joined years ago and was never an active participant.

      The visual skills are more a conscious effort to include but in this blog I could not think of non-copyrighted material to use and lack artist talent to create my own.

      Cheers

      Colleen

      (0) 
      1. Prasant Kumar Paichha

        Hello Colleen,

        It was our pleasure to have gained knowledge from you,

        You have been one of the best supporter always there to help whenver we have queries.

        waiting eagerly for more informative writings from your end ..

        Regards,

        Prasant

        (0) 
        1. Colleen Hebbert Post author

          Thanks Prasant for your kind words – I hadn’t seen you on SCN much so I assume you must be busy on your implementation. Once life is a bit less hectic you could consider writing your implementation experience and lessons learned 🙂

          You may have noticed there are a heap of contributors now on GRC community which is great – I’m learning a lot too and actively participating less as there are so many people here with a lot of knowledge!

          Cheers

          Colleen

          (0) 
          1. Prasant Kumar Paichha

            Yes Coleen, was having nightmare…

            May be my luck i always get critical customization .. learnt a lot. from small enhancement to bigones as well.. finally got 3 weeks of break before i start a new assigment.. again i have got back to back assignment with lot of travel .. coming to your country aswell sometime later probably by october..

            GRC10 has been so huge where evrybody learning new things everyday…

            Regards,

            Prasant

            (0) 
  7. Akshay Gupta

    Hi Colleen,

    Out of all the manifestation that I ever had during my time at SCN, this is the one where it just gets down to the level of my bones and I am like *Whoa!*

    Just right now, in the middle of the Go-live of GRC AC10. My few satellites are already up in the sky live and few are about to take-off. Looking back at how the implementation really manifested to date, makes me truly go through all of what you have written from Requirements gathering, endless /pointless (at least in the beginning) meetings with Business people/auditors per say to be able to patch them to the GRC level of flying things, then provisioning the system (Yes, I did that being a Basis person), freezing the rule sets and the plethora of things that comes along to the day that AC10 is Live and Goodbye Virsa, it was really a kind of voyage on SAP Security Controls. Initally, I was only accountable for technical installation & implementation, but boy I got tempted to get my hands dirty in others business too. My take-away’s => realizing false positives in the Rules, learning business acumen and accepting the fact the business people wont do the vice-versa easily hence you have to become the bridge and unhashed umpteen number of things.. All in all it was enriching experience, and yes all kind of stakeholders were vital for the implementation. I can imagine you getting all fired up and enthusiastic in the beginning to drive the entire thing, same was with me but all in all it turned out to be okay 😆

    Cheers!

    Akshay

    (0) 
    1. Colleen Hebbert Post author

      Hi Akshay

      My take-away’s => realizing false positives in the Rules

      Have you considered writing a blog on your view and recommendation of the rule set? Unless there is a blog out there like that it would be a very interesting read and get some of the business GRC people commenting with their experience.

      From some of the notes I’ve seen and comments around the place it should be taken a starting point. My concern from number of questions in the community and out in the “real world” is that people are configuring GRC and switching on the standard rule set with no further action (attempt to keep their solution as vanilla as possible).

      I can imagine you getting all fired up and enthusiastic in the beginning to drive the entire thing

      Yep… I actually get on my knees in workplaces and beg for friends. There is no value trying to convince management that you can handle it 100% on your own and then fail to deliver or burn out in the process – get over the ego and pride and ask for help! Successful projects needs the right mix of people. GRC is not a one-person team.

      Regards

      Colleen

      (0) 
      1. Akshay Gupta

        Hi Colleen,

        Yes I have been thinking about doing that for quite a while, and had already added up in my action items but was quite overwhelmed by the current things at hand. Now I guess would be the perfect time to share with the community as the well know quote by Maya Angelou says “When you learn, teach! When you get, give!”

        I will be doing that now soon with all the gory details and the real insights I believe i happened to get as my eureka moments during the implementation.

        Yes that’s quite true that GRC Ruleset is being used as Out-of-the-box within the customer’s realm and that is a wrong thing to do. It should be opened up, validated, remove the trivial rules, define the rules which are required for your organization and get going, not to leave out the fact that you should also keep a regular review cycle of the rules as well.

        Well that’s the whole purpose of Access Controls I believe, the show must be put on with as much controls and monitors as possible with all eyes everywhere.

        I would love to share lots of story-lined things that were going on during the implementation.

        Coming up next soon, watch out 😈

        get over the ego and pride and ask for help! Successful projects needs the right mix of people. GRC is not a one-person team.

        Vow, loved the lines above. So true..

        Regards,

        Akshay

        (0) 

Leave a Reply