GRC Tuesdays: Just Because It’s Pre-delivered Doesn’t Mean You Have To Use It—Build What You Want!
When I present SAP’s governance, risk, and compliance solutions to customers, I’m often asked about the content we deliver. It’s always nice to have a starting point to get people thinking about the types of anomalies, patterns, and issues they can uncover by using technology to query an entire universe of data rather than relying on manual, sample-based testing. While I can show customers various lists, categories, and Internet pages to find out more about the content we provide, I make sure to let them know that the pre-delivered content isn’t the only type of investigation they can run on their data.
Just because we have content for procurement doesn’t mean that the rules we deliver are the only ways that procurement data can be examined. We give you some content to whet your appetite and provide you with an engine so that you can extrapolate or customize a rule that’s perhaps more meaningful for you.
You’d need to revisit the rules anyway to set up the parameters that determine whether a Process Control issue is rated High, Medium, or Low—so if you need to tweak a rule to make it more meaningful for your business, why not do so at the same time?
Customize Your Build
I liken the pre-delivered content in solutions such as SAP Access Control, SAP Process Control, and SAP Business Integrity Screening to a set of Legos. My son is only 17 months old now and he likes dumping the Legos out of the box because of the sound it makes when the pieces hit the floor. He likes holding the pieces and seeing that some are bigger than others and he likes disconnecting pieces I put together. Eventually he’ll want to build things. I can buy him a set that will create a pirate ship—but maybe with those pieces he’d rather create something else. It’s his prerogative to customize his “build” to whatever specifications he likes to suit his purpose. All of the pieces fit together in some fashion. Just because the set is designed for a pirate ship to be created, doesn’t mean that a pirate ship MUST be the outcome.
With SAP Business Integrity Screening (formerly known as SAP Fraud Management), some people were under the wrong impression that fraud was the only thing the tool could uncover, and that buying SAP Fraud Management amounted to admitting that fraud was rampant in your organization. This couldn’t be further from the truth.
Starting from the delivered content, some customers found that they could also use the solution to detect waste and abuse. Suppose an employee uses his/her employee discount far more often, and on many more items, than any other employee. Wouldn’t you like to uncover this “slow bleed” and determine whether it is a potential abuse of an employee benefit?
Now, SAP doesn’t provide content for every single scenario that can be articulated by a customer but I believe that if you can articulate the rule to me that you want in the system—provided that you have the data being collected in your system—that you can design a detection strategy to find the anomaly because you have all of the pieces there and you have a flexible “Lego” type system to build with.
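To make the employee-discount scenario above concrete, here is an added example that is not part of the original post and is not SAP’s own detection-method code. It assumes a flat purchases table (constructed in memory here with SQLite) holding one row per discounted purchase, aggregates the whole population rather than a sample, and flags any employee whose purchase count, item count, or total discount exceeds a multiple of the peer median. The employee IDs, column names, and the threshold multiplier are all assumptions.

```python
import sqlite3
from statistics import median

# Constructed sample data (not from the post): one row per purchase made with
# an employee discount. E6 is the deliberately planted heavy user.
def constructed_purchases():
    plan = {"E1": 2, "E2": 3, "E3": 3, "E4": 4, "E5": 2, "E6": 12}
    rows = []
    for emp, count in plan.items():
        for i in range(count):
            items = 3 if emp == "E6" else 1           # items per purchase
            discount = 15.0 if emp == "E6" else 10.0  # discount amount granted
            rows.append((f"{emp}-{i:02d}", emp, items, discount))
    return rows

def load_purchases(rows):
    """Load purchase rows into an in-memory SQLite table (stand-in for the real data store)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE purchases ("
        "purchase_id TEXT PRIMARY KEY, employee_id TEXT, "
        "item_count INTEGER, discount_amount REAL)"
    )
    conn.executemany("INSERT INTO purchases VALUES (?, ?, ?, ?)", rows)
    return conn

def employee_usage(conn):
    """Aggregate discount usage per employee across the whole population, not a sample."""
    sql = """
        SELECT employee_id,
               COUNT(*)             AS purchases,
               SUM(item_count)      AS items,
               SUM(discount_amount) AS discount
        FROM purchases
        GROUP BY employee_id
    """
    return [
        {"employee_id": e, "purchases": p, "items": i, "discount": d}
        for e, p, i, d in conn.execute(sql)
    ]

METRICS = ("purchases", "items", "discount")

def flag_outliers(usage, multiplier=3.0):
    """Flag employees whose usage exceeds multiplier x the peer median on any metric.

    The median (not the mean) is the baseline so that a single heavy user
    cannot inflate the threshold and hide inside it.
    """
    if not usage:
        return []
    thresholds = {m: multiplier * median(u[m] for u in usage) for m in METRICS}
    flagged = []
    for u in usage:
        reasons = [m for m in METRICS if u[m] > thresholds[m]]
        if reasons:
            flagged.append({"employee_id": u["employee_id"],
                            "reasons": reasons,
                            "thresholds": thresholds})
    return flagged

def run_detection(rows, multiplier=3.0):
    """Load the rows, aggregate per employee, and return the flagged employees."""
    conn = load_purchases(rows)
    try:
        return flag_outliers(employee_usage(conn), multiplier)
    finally:
        conn.close()

if __name__ == "__main__":
    for hit in run_detection(constructed_purchases()):
        print(hit["employee_id"], "exceeds the peer baseline on", ", ".join(hit["reasons"]))
```

The multiplier is the kind of parameter the post talks about tuning: lower it and more employees surface for review, raise it and only the most extreme usage is flagged. Each hit carries the thresholds it was measured against, so an investigator can see why the employee was selected rather than just that they were.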
One of the leaders in my line of business referred to the building of content “as an arms race.” He said we didn’t want to get into an arms race with other vendors, because what’s the point in creating rules and content that may or may not be used by our customers, since as a vendor we’d also be forced to maintain and update the content. Instead, we focus on providing customers with flexibility in order to build/create content that’s applicable to their business.
Another analogy would be a menu at a restaurant. Do you want to consume everything on the menu at every restaurant that you go to? I don’t. I simply don’t like or don’t need certain things. Same thing goes for content that can be delivered by a vendor. All of the SAP solutions natively integrate with an SAP back-end.
Just think about all the modules your organization is using: the possibilities of what you can uncover grow tremendously compared to the list of pre-delivered content you might review. Further, most of the pre-delivered content is built around financial activities (Procurement, Order to Cash, Financial Closing). What about the customers that want to explore non-financial scenarios? Are they limited to finance/accounting topics only? Absolutely not.
Tips for Your Custom Build
Remember when you purchase the SAP governance, risk, and compliance solutions you will have starter, pre-delivered content that you’ll have to modify to fit any customizations in your own environments. For example, even SAP Access Control (AC) rulesets will need to be updated to address any custom “Z” transactions you may have. SAP Process Control (PC) rules will need to be parameterized and configured to meet your needs as well.
SAP Business Integrity Screening is a game changer for those customers who are familiar with SAP Process Control because there’s even greater flexibility with what anomalies can be uncovered along with the potential to suspend suspicious transactions from occurring. Prevention is better than detection any day of the week, provided of course that any alerts can be examined in enough time so that business can proceed without inappropriate disruption (for example, non-fraudulent activities can be processed).
As a final thought, I want to reiterate that pre-delivered content is only meant to be a starting point. It’s not a template/blueprint as to what you must create. Just because the Lego box has a pirate ship on it, doesn’t mean that that’s the ONLY thing that can be built. You know what pieces you have, so build what’s meaningful for you and your business.
- For more information (overview, video, roadmap) about SAP Cloud Identity Access Governance, please refer to SAP Cloud Identity Access Governance and/or SAP Help.
- Check out all the SAP Analytics blogs on governance, risk, compliance, and security topics.