What are the main oversights when using SAP GRC or deciding whether to use it or not?

What is SAP GRC?

It's an acronym that means Governance Risk and Compliance. Below this area, SAP has included a whole range of tools. Some of these related to access management, others related to regulatory compliance.

Which are the main systems involved in this area:

• SAP GRC Access Control
• SAP GRC Process Control
• SAP GRC Risk Management
• SAP Nota Fiscal Elettronica NF-e
• SAP Global Trade Services
• SAP EHS (Environment, Health and Safety)

Some of these also have sub modules. For example, Process Control contains a sub module to automate the testing phase of SAP GRC Process Control Automated Monitoring (AM) controls, which is also useful to the internal auditing team.

In a variety of cases, it is possible to misuse these tools. There are several reasons for this:

• Lack of knowledge of SAP's "big picture" on governance products
• Little experience of the system integrator
• Replication of legacy systems in GRC systems (without taking advantage of what SAP, by standard, makes available)

Finally, not to be overlooked are the suite products called SAP Business Integrity Screening for S/4HANA:

• SAP Audit Management
• SAP Fraud Management
• SAP Business Partner Screening

What you shouldn't do with GRC?

It's not a ticket management system

• GRC, especially the Access Control system, in the Access Request Management (ARQ) module, is not a ticketing system. Although it has functionality that may resemble it. In fact, it allows you to create requests, to which you can assign Service Level Agreements.

• In the case of using the GRC Access Control ARQ, users should handle role assignment/removal requests directly in the tool. Alternatively, in case of centralized scenarios, the reference ticket can be entered in the access request.

It's not an Identity Management system

• Yes, there is an overlap between SAP GRC Access Control, ARQ module and SAP IDM (Identity Management). In fact, both can perform provisioning (automatic creation in their related systems and assignment/removal of entitlements) of users in their related systems (backend systems).

• SAP IDM is designed to be potentially connected to any target system. GRC is designed to be able to manage primarily SAP systems, in the user provisioning phase.

• Usually in a landscape with both tools, GRC is used solely to control the Segregation Of Duties, leaving identity management to manage the user lifecycle (User Provisioning).

Not needed to do process mapping (i.e. Process Control)

• Despite the terminology, which might lead you astray, the SAP GRC Process Control system is not used to do process mapping, such as ARIS or Solution Manager systems.

• It is, in fact, used to define an organizational structure for the use and consumption of corporate risks and controls (potentially on any relevant regulations, called regulations) on the processes present in the company.

Do not invent unsupported processes and workflows

• These are tools that contain pre-defined workflows within them. They can certainly be customized, but they already have a definite structure, especially in the Process Control system. Avoid defining totally custom workflows not provided by the tool if possible, but leverage the standard to improve your processes.

Do not customize the system

• Custom solutions bring with them management issues in the long run in several aspects: performance, security, and scalability.

• It may be physiological to have special case histories and thus introduce custom into these systems as well. But it should certainly not exceed a certain threshold, otherwise it is better to evaluate other types of tools

It is not used to detect fraud in real-time (i.e. SAP Fraud Management)

• The suite of GRC systems does not allow for the detection of fraud in real time. One works mainly in detective mode after the fact then. The tools that allow you to work in real time are those in the Business Integrity suite and SAP Business Assurance

If you have never tackled a SoD management process, start tackling it even without the support of an SAP GRC system, following use of the tool

• Starting to manage segregation of duties without the aid of a tool can be a way to formalize processes, even on paper

• Activation of SAP GRC's systems will allow automation of processes already in place while reducing management costs

If you acquire the product, attend the SAP course.

It can always be helpful, before installing a product, to see and understand all the possible functionalities as they are designed by SAP.

Indeed, it may happen that some functions are used improperly.

Read here to learn more on SAP courses.

Try to take advantage of all the modules you have purchased

The GRC suite contains many systems and many sub-modules. Often these are not exploited, even if paid for. For example, in many Access Control installations the Access Request Management (ARQ) and Business Role Management (BRM) modules are not exploited. Just as in Process Control the functionality of automated controls is not enabled

Grasp the use and structure that SAP GRC Process Control and Risk Management proposes.

Although the current management of controls may be different from what the SAP standard proposes, the opportunity can still be taken to evaluate the approach proposed by SAP. Thus avoiding building parallel worlds to the standard within the tool