Turnkey Consulting often finds that GRC is allocated as an additional responsibility to the SAPSecurity team, which, in itself has frequently been misrepresented as just another element of the Basis function. That really acts as a constraint on the organisation maximising their GRC solution as GRC is considered simply another technical module rather than a mechanism to improve and enhance the overall management of risk and controls across the business. It is often difficult to justify a full time dedicated GRC role but when taking all of the required technical and non-technical activities into account; it is actually more common to require more than one person. This adds significant cost to the operating model as there is effectively an ongoing additional FTE or equivalent cost added to the implementation and licensing costs for ongoing operations.
A significant cost of operating a GRC solution is the ongoing support and maintenance, not just of the infrastructure but of the functional expertise in the support organisation to be able to troubleshoot issues and deliver business improvement projects. Although there is often capability in the non-differentiated SAP technical skills within the existing support team, it is not often that an organisation has inherent SAP GRC functional skills to be able to make best use of the product
However, even if the requirement is recognised and the resourcing increase approved, it is difficult to find the balance of skills in a single person who can easily switch between detailed technical access-orientated discussions and discussing key risks and controls in a business operational context.
By consuming GRC as a Service, the availability of internal skills is no longer a factor. By virtue of our experience in implementation, support and advisory services, we can feed that experience into the service for the consumption of all customers as part of the platform. Infrastructure, hosting, maintenance and support is inherent within the service thus removing the requirement to add incremental capacity onto existing teams.
Customers can also gain access to the breadth of skills within the Turnkey Consulting organisation to support on demand expertise across the spectrum of SAP security, GRC and business risk and controls advisory services. Customers no longer need to make the compromise on the available skills in the market, nor risk a poor quality implementation by trying to reduce the capital expenditure costs from a systems integrator or trying to learn GRC skills on the job with a support team who are already busy with their core business as usual activities.
By failing to recognise the importance of implementing a quality solution from the outset, the likely outcome is a solution which is under-valued and under-used across the business.
There are also a number of other factors to consider when thinking about GRC as a service.