The business is responsible for establishing the risk profile of the organisation and determining the risk appetite. SAP security and controls initiatives must be aligned with this top-down approach, taking into account the policies and standards that are in place as well as any local variations.

The success of security and controls projects is dependent on understanding and delivering to business requirements: failure to appreciate such requirements may result in implementing controls that do not address the business risk and only serve to increase overheads. 


Business representatives have ownership of the controls that have been designed or that are being revised, whether they are configurable controls in the system, monitoring controls or access controls managed through security role design. Any changes will necessitate input and sign-off from the business owner.

Engagement from business approvers is critical in order to ensure changes to design and access provisioning are managed in a controlled way. However, owners and approvers must understand what they are responsible for if controls are to be effective.

New initiatives may introduce changes to the current ways of working, such as streamlining processes through automation, changes to approvers and ruleset development to manage segregation of duties, and development and testing of configurable controls. No initiative will succeed without business involvement, training and education.


Engaging the business can be challenging for a variety of reasons:

  • Security, controls and GRC are seen as an IT imperative, not a business imperative
  • Security is often not viewed as a business priority until there is a breach, e.g. fraud or loss of confidential data
  • Project teams underestimate the need to involve business representatives early enough in the engagement and do not get the buy-in required
  • The business does not understand their role in this area
  • Return on investment has not been fully articulated, making it difficult to estimate the benefits of introducing change


Our team of consultants are able to bring their audit and technical experience and translate this into business language. 

Examples of where we can add value are:

  • Developing stakeholder engagement and communications plans
  • Running risk workshops
  • Developing and delivering training

We are focussed on achieving the right level of business ownership throughout projects to ensure our clients are fully engaged with their SAP solution.