Well-Controlled: A risk assessment plan for your MDG implementation and operating model (3×3 approach) – Part 1
The ever-evolving and increasingly regulated landscape across industries is placing pressure on Internal Controls and Internal Audit leaders to provide real-time assurance to business stakeholders.
In this Well-Controlled post, I discuss my approach to providing real-time assurance reporting on an MDG implementation; this approach can be used as a pre-go-live or a post-go-live assessment. The risk assessment covers the different aspects of the digital data transformation that MDG streamlines, including Business Process Engineering, People Planning, Risk Management and Portfolio Management.
The key output of this risk assessment is a Risk Screen that highlights the risk points across the design and implementation of the MDG application that need to be mitigated or remediated.
Why 3×3 and what are the components of this MDG risk assessment?
First, my approach is called 3×3 because it consists of three main areas, each with three sub-areas; in other words, there are 9 points in this risk assessment. Risk assessment practitioners need to examine these 9 points to effectively evaluate the business process and security risks around an MDG implementation; hence, the 3×3 approach was born.
(A) Business Process Modelling
The Business Process Modelling area covers the ability to obtain an overview of the business processes while breaking them down into their key sub-processes. Breaking down the processes helps in understanding the key transactions and the detailed flow of how transactions are initiated, interacted with, processed, recorded and archived. To assess this area in MDG, three sub-areas need to be covered:
- A.1 – Data Model: This is an area where system integrators define the structure of the underlying data tables of MDG. A data model in Master Data Governance is comprised of various elements (entity types, attributes, and relationships) to enable the business to model master data structures of any complexity in the system.
- A.2 – Process Model: This is an area where system integrators define the design requirements of data maintenance & governance, including: design details of governance scope, change requests, and workflow.
- A.3 – User Interface (UI) Model: This is an area where system integrators define and customize user interfaces to make sure that the UI aligns with the process model and other design requirements (e.g. required fields or default values).
(B) System Design and Build
The System Design and Build area covers the understanding needed to get an overview of the technical setup of the MDG critical components, including security access, workflow setup and any governance and IT controls implemented pre and post go-live of the system. MDG integrity relies not only on building working business process models, but also on the technical setup of the application. Area B has three sub-areas:
- B.1 – Authorization and System Access: Like an S/4HANA or ECC environment, Master Data Governance uses the user management and authentication mechanisms of the SAP NetWeaver platform, including the typical transaction codes and Fiori authorization. Appropriately restricted access should be carefully designed by the project team, and segregation of duties violations should be mitigated and remediated.
- B.2 – Workflow Setup: SAP Business Workflow is used to process change requests in Master Data Governance (MDG). Companies can use the MDG rule-based workflow, which can be based on one generic workflow template. Workflows are usually configured via the change request process with BRFplus decision tables.
- B.3 – System Development and IT Maintenance: Throughout the project lifecycle, system integrators need to put processes in place to support the roll-out of the new data governance processes across the different regions. Additionally, system integrators must ensure that implementation controls supporting system development, testing and data conversion are established, documented and placed in operation.
(C) Data Access and Quality
The final area in my 3×3 approach is the Data Access and Quality risk assessment. After the business model and technical setup are built, assessing the IT risks around the ongoing flow of data is critical to the MDG system's effectiveness. This area covers the understanding of the data flow, the implementation of any automated or manual validation checks, and the management of data access and privacy regulations within MDG. Specifically, this area includes the following three sub-areas:
- C.1 – Data Load, Replication and Reporting: Depending on the criticality of the data transferred, interfaces and their associated controls need to be carefully evaluated and designed by the project team. Replication models are customized in MDG to support data load and import activities between MDG and other target systems.
- C.2 – Data Validation Rules (Search & Duplicate Checks): System integrators enable data quality functionalities in MDG to enrich & validate master data as well as to prevent the creation of duplicates. The various search capabilities in MDG are not only used to find master data that can be processed but are also used for matching data to prevent the creation of duplicate information. Other validation rules and checks can be embedded in the technical setup through the usage of BRFplus, process modelling and UI modelling.
- C.3 – Data Access and Privacy: MDG enables read access logging for its various functions and interface types, including bank details and payment card details. For personal data processed in Master Data Governance (MDG), SAP Information Lifecycle Management (ILM) can be used to control the blocking and deletion of personal data.
This is only an introduction to the 3×3 approach. In part 2, I will present a detailed risk assessment layout and an example of the Risk Screen (i.e. a risk exposure visualization from this 3×3 approach).
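To make the Risk Screen concrete before part 2, here is an added Python example (my own illustration, not code from the original post or from SAP) that aggregates constructed findings against the nine 3×3 points into a rated screen. The 1..3 likelihood and impact scale, the RAG thresholds and the sample findings are assumptions for this example.

```python
from dataclasses import dataclass
# The nine risk points of the 3x3 approach: areas A-C, sub-areas 1-3.
RISK_POINTS = [f"{a}.{i}" for a in "ABC" for i in (1, 2, 3)]

@dataclass
class Finding:
    point: str        # sub-area code, e.g. "B.1"
    likelihood: int   # 1 (unlikely) .. 3 (likely); assumed scale
    impact: int       # 1 (minor) .. 3 (severe); assumed scale
    mitigated: bool = False

def residual_score(f: Finding) -> int:
    # Mitigated findings stay on the screen at the lowest score, so remediation remains auditable.
    return 1 if f.mitigated else f.likelihood * f.impact

def build_risk_screen(findings):
    """Return {point: (highest residual score, number of open findings)}."""
    screen = {p: (0, 0) for p in RISK_POINTS}
    for f in findings:
        if f.point not in screen:
            raise ValueError(f"unknown 3x3 point: {f.point}")
        if not (1 <= f.likelihood <= 3 and 1 <= f.impact <= 3):
            raise ValueError(f"likelihood/impact out of range: {f}")
        score, open_count = screen[f.point]
        screen[f.point] = (max(score, residual_score(f)),
                           open_count + int(not f.mitigated))
    return screen

def rag(score: int) -> str:
    # Thresholds on the 1..9 product are an assumption for this example.
    if score == 0:
        return "NOT ASSESSED"
    return "RED" if score >= 6 else "AMBER" if score >= 3 else "GREEN"

def render(screen) -> str:
    """Draw the 3x3 grid as text: one row per area, one cell per sub-area."""
    rows = []
    for area in "ABC":
        cells = [f"{area}.{i} {rag(screen[f'{area}.{i}'][0]):<12}"
                 for i in (1, 2, 3)]
        rows.append(" | ".join(cells))
    return "\n".join(rows)

# Constructed sample findings (illustrative, not from a real assessment).
SAMPLE_FINDINGS = [
    Finding("B.1", 3, 3),                  # SoD conflict in MDG roles, open
    Finding("A.2", 2, 2),                  # change-request scope gap, open
    Finding("C.2", 2, 3, mitigated=True),  # duplicate check now enabled
    Finding("B.1", 1, 2, mitigated=True),  # minor access issue, remediated
]
```

Calling `print(render(build_risk_screen(SAMPLE_FINDINGS)))` prints the three area rows, with each cell showing the sub-area code and its colour rating.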
The views, information or opinions expressed in this short article are views of my own. All information in this article is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information.