Skip to Content

Are you ready to implement GRC 10?

With the go-live of our Governance, Risk, and Compliance (GRC) version 10 Access Control finally past us (hallelujah!), I have been thinking about the learnings, from my previous GRC 10 projects as well as from this one. Last year at SAP TechEd, I hosted an Expert Networking session , discussed hereThe rest of the story: what else I learned at #SAPTechEd , where the most common response to my question about GRC 10 was that customers  were still thinking about it.  Maybe you, too, are still thinking about it, working on a roadmap, or planning your project. Even if your project is already underway, here are some readiness questions to consider.


What are the pain points of your current GRC related processes?


Be sure to get input from your key users. Pain points could include these:

  • Too many manual hand-offs in the access request process
  • User access reviews tedious due to manual processes, and not particularly value added besides
  • User interfaces for access requests confusing to requesters and approvers
  • Confusing/ inconsistent role names making it difficult to know what role to request
  • Roles not well aligned with either tasks or jobs, leading to a need  to make a big security change, such as complete security rewrite or implementation of Business Roles
  • Manual security team processes like maintaining organizational segregation with manual reviews and hit or miss efforts to manage critical sensitive authorizations
  • Confusing/ inadequate information in firefighter logs, so they are not reviewed timely


What is your long range plan?


If yours will be a brand new GRC implementation, do you have a company policy for Segregation of Duties and critical access rules that can be the basis of your new GRC rule sets, are you planning to start with the rules out of the box, or will you take the time to customize them? If you are on GRC 5.3 (or earlier release), have you been maintaining your ruleset all along with the updates from SAP and custom transactions? A “lift and shift” of your current rules can be fine if they have been maintained; otherwise, it is like bringing dirty, threadbare rugs from your old house into your brand new one. The sooner you get them cleaned up, the better.


Have you thought about your long term roadmap and identified which components you plan to implement? Some customers start out by just implementing Access Risk Analysis, to get the system up and running, and then take on Access Requests and more later. With all the shared master data across Access Control and Process Control, decisions you make early on could come back to haunt you later down the road. If you are planning to use your current GRC system as the model for the new one, has all the master data been maintained, or are there obsolete mitigation monitors who have left the organization, mitigations configured for risks that do not exist, and other bad data that will not work in the new, better integrated, system? It can be a real challenge if you have no “golden” client to use to validate the configuration of the new one.


Do you have the right resources for your project and enough of them?


Colleen Lee wrote an excellent blog about all the friends who helped her on her own GRC projects.

Depending on which components you plan to implement and the architecture, the resources needed for your project could include some who may not have come to mind. Of course you will need security, GRC, and Basis expertise, but you may also need LDAP expertise if your user master data resides there, or HR expertise if you plan to use your SAP HR as the user data source and/or implement HR triggers. But are all your users, including contractors, even in SAP HR? Are you sure? If you plan to use your LDAP, has it been properly maintained, or does it need clean up before you can rely on the data fetched? For implementing Access Request Management, workflow expertise including MSMP and BRF+  is a must , and if an Identity Management system performs your user creation, count those experts in, too.  How will the users access your system – Enterprise Portal, NWBC, something else? Whatever you plan to utilize, be sure to budget for skilled resources on your project team for that, too. If a new rule set is needed, expertise from the business and internal controls will be key.


Then there are the ABAP resources.  As I mentioned in a comment on Colleen’s blog, on my current project we badly underestimated the demands we would make on ABAP resources, needed for implementing the hundreds of corrections into our system. Better to budget for them and not need them than be wishing you had the funds.


And about those hundreds of corrections:  someone needs to stay on top of those issues.  If the people managing the fixes and corrections are also project managers, and also doing system configuration, configuring the workflows, migrating master data from the old GRC system, creating documentation, designing testing and training,  and leading the change management effort – well, good luck with that.  Yes, two resources can wear 8 or 10 different hats, but your project timeline will need to be adjusted accordingly.  If your project management tool tells you that your project’s resources are way over committed, a six month project could run on with slipped deadlines and missed go lives, possibly impacting other projects that they were expected to be working.


On top of that, the longer your GRC project drags on, the likelier that the systems connected to your GRC will be upgrading. If a connected sytem goes to a new NetWeaver release, you may have to install new plug-ins and start testing all over again.


I hope I have provided some food for thought for anyone considering or planning an implementation of GRC 10.  Time spent now in considering these questions will pay off in the long run.

You must be Logged on to comment or reply to a post.
  • Hi Gretchen

    A blog I have been waiting for!!! It was great to read and glad to hear you made it (and beyond) to go-live!!

    Do you feel the implementation was worth it – are you seeing the return on investment? Other than resourcing, is there anything you would change if you had to go through it all over again?



    • Hi Gretchen,

      It is really great. any company must need to consider as mentioned and after go-live GRC maximum users have tendency to get role bypassing GRC. Respective organization projects manager should have good knowledge about GRC and long plant how to re mediate roles and users.

      Also we have to consider that GRC existing role removal process and SoD free is a marathon process.



      • Arif,

        I agree, it certainly is a marathon, not a sprint, and for us, there is still much to be done in an exploitation initiative, as we still need to implement UAR, EAM, and more. There is plenty here to keep us busy.

        Thanks for your comments.


    • Colleen,

      So far,so good; access requests are getting processed, but we are working through a few browser issues. We have had a lot of positive comments from the request submitters, who really like my EUP templates much better than the 5.3 templates, so I am happy for that.

      I wish we had done a roadmap effort before jumping into this project, but it is water over the dam now. I am a bit concerned that  we have boxed ourselves in with our landscape group configuration, but we will deal with it when we must, maybe when we upgrade to 10.1.

      I am glad you enjoyed the post!



  • Hi Gretchen,

    agree with the others, a nice guide for people looking at GRC 10.

    Some tips from our GRC 10, one of the Roles of the GRC system is password reset self service and Roles/Authorisations self service, and with more than 100,000 Users we’ve had to do a lot of performance tuning and resizing as the scope of the GRC implementation has grown.

    The tip for others is, put some good effort into the sizing of the GRC system with a forward looking perspective. I know this is a no brainer but it doesn’t hurt to be reminded.

    Best regards,


    • Andy,

      Great tips! To be honest, we did the sizing so very long ago (Q4 2012), it seems like another lifetime, and only time will tell how well we did, but I agree completely that taking the long view is important.

      I’m glad you enjoyed the post, and thanks for your comments!


  • Nice article Gretchen, thanks for sharing your experience.

    I’d like to add that organisations who want to implement Process Control or Risk Management next to Access Control at a later date will have to keep this in mind too, not only for the configuration but also for the sizing. Its the medium/long term view which is really important to make GRC a success. 


  • Gretchen Thanks for sharing your experience,

    well elaborated checklist for GRC 10 ,but haven’t seen any comments on the previous version and new version functionality with SAP BW ,if you are aware of it ,can you share your insight on this as well.


    • Kiran,

      I’m not clear on your question. Are you inquiring about access request provisioning to BW or GRC reporting using BW functionality? We are provisioning BW roles successfully, no issues so far. We are not yet using the BW reporting functionality, so I cannot comment on that.

      At this point we are following up with some wish list items that came out of our user acceptance testing, but they are relatively minor.  Email notifications to a delegate approver is probably the biggest improvement we hope to deliver later this year.

      I am glad you liked the post.



      • Gretchen,

        Acutally we are intending to do reporting in BW system,which you not using it seems 🙂 .

        I can see in that in GRC 5.3 via UD connect data is extracted to BW,so was wondering what is the process for GRC 10. also I can see that there is change in the dataelements as well.



        • Kiran,

          The GRC 10 project that I did back in early 2012 was for a client who had data extractors into BW for their 5.3 reporting. At that point, SAP did not even have a data map to offer us, so I spent about a month ferreting out in which tables the data was that they needed. By now I would expect that you will have an easier time of it. Good luck!


  • Hi Gretchen,

    quick stupid question:

    Has GRC 10 become SAP Business Objects Process Control 10 ?

    I mentioned further up in this thread ongoing performance and sizing issues as the GRC’s scope keeps growing, and SAP have provided their latest sizing guide for GRC 10 which is entitled SAP Business Objects Process Control 10.

    If GRC 10 has become SAP Business Objects Process Control 10 then I missed that and I am wondering if anyone else noticed it.

    Ok I am contributing towards trying to answer my own question now, section 1,2 of the above linked document says:

         Architecture of SAP BusinessObjects Process Control

              SAP BusinessObjects Process Control consists of the following principal           components: 

                   SAP GRC Process Control Core 

                   SAP Portal

    This could be worth a blog to share with the world the evolution of the product and its name 🙂

    What do you make of it, conclude ?

    Ok update again… the sizing guide for 10.1 is using the term SAP GRC

    We’re still GRC 🙂

    Best regards,


    • Andy,

      It is not a stupid question, thank you for asking for that clarification. No, GRC10 has not “become” SAP Business Objects Process Control 10. For starters, SAP dropped the “Business Objects” branding from the GRC suite, and Process Control is one of the components of the GRC suite, which also includes Access Controls, Global Trade Services, Risk Management, Nota Fiscal Electronica, and in 10.1, there is a new component called Fraud Management. I didn’t really plan to write a post about the architecture of the solution; it keeps changing, and the products section of has a solution brief posted that seems to cover it pretty well.



      • thanks Gretchen for the comprehensive explanation and the solution brief, I didn’t know GTS was part of the suite.

        Best regards,


        • Andy,

          Well, GTS is installed separately, but it is considered a compliance solution. I know, it really is confusing! Read the brief, and as soon as you get it all sorted out, SAP will introduce another new component or change the brand names again 🙂


          • yep, but it’s this constant change that keeps us all young, imagine how dusty and boring it would be if everything stayed the same for ever 🙂

            Maybe in the coffee corner we could start a new sweep stake to guess the future names of SAP components.


          • interestingly my work has bought me into the GRC area today and I am trying to solve the riddle of SSL protocol when doing User provisioning between GRC and LDAP, which as far as I can see is still not supported out of the box – who knows why not in the year 2014. Clearly from the XSearch on the SMP I can we’re not the first ones wanting this, but why is it not yet supported anyway that’s another story.

            On my travels while looking for supporting doco and information, I came to the GRC Security Guide and the menu for the different Governance, Risk and Compliance suite of products, here’s the list:



            Best regards,