GRC Tuesdays: Governance, Risk, and Compliance & Security Augmenting RISE with SAP
Whether adopting a first Enterprise Resource Planning (ERP) software or migrating from an existing one to the Cloud, organizations can gain many advantages from a complete offering of cloud solutions, infrastructure, and services combined together that helps them thrive. And this is what RISE with SAP is all about.
With this initiative, companies can migrate to a tailored-to-fit cloud solution, at their pace, while safeguarding their investment. Furthermore, they can drive innovation and unlock new efficiencies with intelligent automation.
Some of the key benefits companies can achieve include:
- Future proofing their business by improving their productivity with a best-in-class tool that automates processes and support users
- Driving security, compliance, and scalability by staying secure with relevant cybersecurity and data protection measures based on the latest standards but also by improving transparency into risks and compliance requirements to adhere to local and global regulations with greater confidence
- Migrating with confidence by following a guided implementation approach
In this short blog, I’d like to illustrate how Governance, Risk, and Compliance and Security further augments RISE with SAP and provides additional benefits.
Future proofing the business by improving productivity
Making better and faster decisions based on insights is what can provide companies with a competitive edge, especially in today’s fast-moving business environments. And this is what RISE with SAP is about. And GRC and Security can support this goal.
Indeed, what benefit can an organization get from a list of operational risks that is obsolete and leads to incidents, or from knowing that it has suffered irrecuperable cash leaks many months ago?
Concerning business decision making support, business owners – or any executive for that matter, and their business partners, need reliable financial information and this is one of the key roles of internal control. In addition to providing this assurance, internal control and fraud detection working together can also help prevent malicious or unintentional errors. Including automatically monitoring fraudulent behaviours in the sourcing or purchasing processes, or for travel reimbursement for instance that could lead to monetary losses.
In terms of improving productivity, what good is it to have a best-in-class new Cloud ERP but that users are not able to connect to rapidly as it still need too much time to access it due to lengthy provisioning processes? This is part of the user experience and improving it of course goes through a friendly user interface – which I personally think SAP Fiori delivers on. But it also goes through simple access, both in terms of real-time provisioning triggered by events (such as user self-registration or changes in HR for instance) but also thanks to facilitated authentication with secure single-sign on that makes our lives as end-users much easier!
Driving security and compliance
“Security and privacy”, but also “Compliance risks”, “Monitoring, Analysis and Building Trust” and “Legal issues” have been highlighted by the authors of a paper from Monash University as key external challenges for Cloud ERP systems implementations:
In the area of security and privacy, one of the main requirements most often cited relates to data protection.
For instance, being able to restrict access to sensitive information based on user attributes, by default masking some fields and monitoring who accessed them and all the way up to more technical requirements such as managing encryption keys.
Threat detection and securing the business-critical applications, including detecting any sign of abnormalities or security breaches indicating that a system is under attack, is also a frequently raised topic by companies looking for a Cloud ERP software.
These are all areas that Cybersecurity supports with relevant techniques and approaches.
Last but not least in this “security” category, is user permissions and being able to enforce auditable access controls – including for privileged access.
In an ideal world every task would be assigned to the employee most suited to deal with it and there would be multiple sign offs for sensitive tasks such as setting up and paying vendors, paying employees or reimbursing their expenses.
But this is not always possible. As a result, being able to document and monitor when sensitive conflicting tasks are performed by the same user and reporting on it ensures that appropriate steps are taken to mitigate access risks.
The very same applies to privileged accesses. There will be at one point in time a need to grant a user elevated access to perform urgent modifications in the system. Being able to grant this access and to trace all the activities (including all the modifications of course!) performed during the session will be of the utmost importance. Not just for compliance, but also for integrity assurance.
And these are of course requirements that the Access Governance area of GRC is dedicated to.
When it comes to compliance, legal and regulatory requirements, organizations must be able to document their compliance framework, including the controls and tests and ensure they are performed adequately as mentioned in the previous paragraph. And running the control testing automatically, ensure that this is done compliantly but also effortlessly!
Another example for GRC processes supporting this area relates to due diligence in the sourcing and selection of business partners (vendors, contractors, etc.).
Many companies are overwhelmed by the extensive international anti-corruption legislation and the complex ethics and compliance procedures. To be reactive and help the company remain compliant but also ahead of the game when negotiating and managing agreements with suppliers, due diligence needs to be simple yet effective – and embedded directly into the business process!
As you can read, I am convinced that GRC & Security is key in supporting a true Cloud digital transformation. If automated and traceable so as not to be (too much of) an inconvenience, it brings the building blocks to ensure that the company is on a secure and compliant path to success!
Want to know more?
If you are interested in learning more on how GRC & Security augments RISE with SAP, why not join us next March in Brussels at the SAP for Internal Controls, Compliance and Risk Management Conference event presented by TAC Insights? The theme will be “RISE with SAP GRC”!
In the meantime, I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard
And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!