GRC Certification - is it worth the paper it's written on?

Monday, 16 July 2012

Posted by Simon Persin

The SAP GRC Access Controls certification (C_GRCAC_10) was released early in 2012. In this blog, we’ll look at the quality of the certification and its relevance and usefulness for both clients and consultants.

SAP has a difficult job in setting content for the training courses and indeed the examinations. The most common complaint is that the content is generic and very theoretical. The exercises can often feel worthwhile given the classroom conditions but not particularly relevant for real world examples or use cases. Every customer uses SAP applications in their own particular way and therefore, it is impossible to provide specific examples to cater for each and every scenario.

GRC is no different in that regard, especially when you consider the possibilities available for a workflow-based user provisioning process. So how can you set an examination based upon all of the particular requirements of each and every different SAP customer?

How much is certifiable?

To my mind, the only way that SAP can really do this is to focus on the technology; how to use and configure it. Whilst we all know that technology is only a small part of the wider GRC projects, it is the only area of the project which can be adequately assessed.

Actually defining the business use cases and process designs cannot be simply taught or certified through traditional multiple choice exam questions as there is never a single correct answer. It is the experience of having worked in and around the technology for a number of projects which differentiates the quality of individual consultants, consultancies and ultimately the success of the customer project. SAP has recognised the limitation in their current certification tracks and has worked to fill that by providing the Professional and Master qualification levels. Rather than certifying these through traditional examinations, these are based more on implementation experience, focussing on applied knowledge rather than retained technical information.

Does the Exam test the knowledge?

Given that the SAP GRC Access Controls associate certification has to be technology focussed, how well does it test this area? Having implemented the technology numerous times and taught the pre-requisite course (GRC300), my belief is that the examination does provide a stern test to all delegates.

The questions really get into details and are worded in such a way that you do need to have an understanding of the actual technology and SAP terminology rather than simply the themes involved. That is not to say that there aren’t a few “freebies” thrown in there to cover the more straight-forward application areas and the wider areas of business integration.

Exam Technique

There are also elements where exam techniques can help. Understanding the way that SAP approach a subject rather than the way in which you might tackle it in a specific project is paramount to lead you to the correct answer. With multiple choice exams, there will always be the possibility to be able to work towards the correct answer by a process of applying logic, common-sense or a process of elimination and that will still work in some cases. However, I do believe that SAP has improved the quality of the examinations to accurately test against the technology.

Many of my colleagues and contacts have taken the certification and many of them have returned similar thoughts on the content; it is a tricky exam where you need to be on top of the theory and the details of the system configuration to be able to navigate it successfully. It is easy to get confused by the wording of the questions and therefore, it does seem to achieve the objectives of testing the SAP technology underpinning the GRC Systems.

The worth to consultants and customers

There is often a debate in the market as to whether customers really appreciate and respect the certification. Many great application consultants have never taken the SAP endorsed application certification and similarly many consultants who have that certification really do not have much more to offer a customer other than that. So is it simply a rubber stamp or can it be trusted?

From a consultancy perspective, it is a fairly clear cut decision. Certification is an important differentiator, demonstrating a baseline level of technical competence and is a good way to provide that assurance that all of the consultants offered into client work have met the minimum standards set by SAP.

Individual consultants may also wish to take the certification exam for their own personal development or to be able to market themselves more clearly to clients. In this way, it is a good way for their parent organisation to demonstrate support for their development by supporting their desire to undertake this. Certainly, with this certification, the successful consultant should take some pride from passing the exam as it is certainly not a given that passing is guaranteed.

Customers do seem to like the tangible endorsement afforded by SAP certification. It can play a part in the decision process when selecting a supplier or indeed a contractor. I’m not convinced that it should play a major role and care should be taken to ensure that appropriate attention is placed upon delivery experience and references. However, it is still a very quick and easy comparison to make.


It is easy to become cynical about the SAP certification process, especially once you have attained the qualification but it does seem to be viewed positively within the market. My view is definitely that it is a useful qualification but it should not be relied upon in isolation to guarantee that the holder is right for all GRC projects. As mentioned earlier in this blog, its scope is limited to the “easy” bits of a GRC project and does not test the real agility of the consultant in implementing the customer solution. However, it still presented me with a sufficient challenge that I am proud to call myself a SAP Certified GRC Consultant and to congratulate my peers once they pass the exam.


13 September 2012 07:56
Posted by Mona Katiyar

To talk of SAP's latest GRC Certification, it is no different than other associate SAP certifications where one can read the prerequisite course and pass the exam. It has become an established fact that cracking associate exams does not necessarily ensure having dealt with all practical situations (probably associate levels are not created to test that).
SAP Professional certifications are something which do exactly the same which associate levels lack. SAP may release a professional GRC Certification which could fill the gaps pointed out rightly in your blog.
