Have you ever played the game Jenga? You start with a small tower of neatly stacked "logs". The players take turns pulling out logs, each trying NOT to be the one who pulls out the log that brings the whole tower down. Think of enterprise GRC as the Jenga tower and the various elements of your enterprise GRC strategy as the logs. And guess what: to win, you are going to need a strategy. This is being discussed onsite at SAPPHIRE NOW, but for those who couldn't make it you can read more below.
What are the typical aspects, or elements of a GRC Strategy?
- Access Control – Manages and controls user authentication against an organizational standard (establishing who the user is) and authorization of a specific, already authenticated user to a specific transaction, report or piece of data (establishing what that user may do). The two are distinct controls, and a gap in either one leaves the data exposed. Access Control software is often the manager of the business rules, roles and workflow as well as the gatekeeper to key organizational data.
- Process Control – Establishes ownership and accountability for compliance initiatives by documenting and configuring processes, roles and data to meet specific organizational and/or regulatory needs.
- Risk Management – Aligns risks and their mitigation plans with the organizational structure by creating and maintaining risk and activity catalogs that document the organization's risk appetite.
A number of further tools focus on more specific organizational GRC needs but belong to the same system:
- Fraud Management Tools – Use business rules to measure an organization's exposure to one specific kind of risk: that of being the victim of systematic fraudulent behavior by vendors, partners, customers, employees or other stakeholders. Combined with predictive analytics, Fraud Management tools can be used to predict when and how specific fraudulent activity is likely to occur.
- Corporate (Internal) Audit Tools – Perhaps the ultimate GRC body within an organization, Internal Audit exists to confirm that specific standards are being met and that the existing systems of compliance are operating effectively.
- Trade Management Tools – This might be a stretch from a pure GRC perspective, but certain GRC tool sets focus on identifying where an organization is engaging in risky, unethical or even illegal trade practices that could draw it into a larger compliance problem.
The key point here is that managing enterprise risk, and complying with key governance and regulatory initiatives, is not unlike the game of Jenga. If you remove any one of the components of your enterprise GRC system, you often run the risk that the whole enterprise GRC tower will collapse. This is why it is a good idea to treat your GRC management and compliance tools as exactly that, a system, and to think seriously about the strategy for their deployment.
Over the years, SAP has built a robust portfolio of GRC tools to enable customers to take this enterprise view of GRC. But unlike a children's game, assembling the components is seldom as simple as opening a box and stacking some pieces. SAP usually recommends a strategy of "Think big, but always act incrementally". In other words, treat GRC as a discipline rather than just a project: build your GRC "tower" from components with solid fundamentals at the core, each of which adds incremental value to the larger GRC system. Treat the tower as your outline and introduce components that promise to work together rather than compete with one another. Further, focus on building foundational functionality within each component first and then grow the components over time. Just like the parts of your organization as a whole, all of the parts of an enterprise GRC system need to complement, rather than compete with, one another. The key to this is to make sure the little things are done well before you begin to tackle the big things.
This can be difficult at best, or utterly impossible at worst, in a GRC strategy built on a collection of "best of breed" tools along with a few spreadsheets and departmental databases. For this reason, SAP offers a range of rapid-deployment solutions (RDS) for SAP GRC software. SAP offers an RDS for Access Control, an RDS for Process Control and an RDS for Global Trade Services (GTS), each providing a foundational GRC solution. These solutions do not attempt to anticipate and solve every GRC problem that may occur, but rather to build a solid foundation. There is even a rapid-deployment solution for GTS for Trading in China. In addition to the SAP RDS offerings, there are also partner-led rapid-deployment solutions for Risk Management that build on a foundational deployment of RM. Together these form a robust stable of implementation accelerators that complement and support SAP's broad portfolio of GRC solutions.
Let me know your thoughts on this topic. Also if you have any questions about our GRC RDS products – feel free to drop me a line!
Follow me @blawsBI on Twitter