EXPLORE magnify
    Integrated Risk Management
    Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Identity and Access Management
    We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Cyber & Application Security
    Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Bedrock Managed Service
    Scalable support and on-demand expertise that seamlessly integrates with your existing operations.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    About us
    A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
    Partners
    Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
    Corporate Social ResponsibilityCSR
    We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Get in touch
    We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Careers
    We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Webinars & eBooks
    All of Turnkey's webinars, guides and other insights available in one place.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Blogs
    Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Press Coverage
    See all the publications where Turnkey, our experts and our successes have been noted.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Key events
    See the key industry conferences on GRC, SAP security and risk management which we are attending.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    Case Studies
    Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
    Related insights
    ON-DEMAND WEBINAR
    Secure or Sorry: Your Security Responsibilities in RISE with SAP
    ON-DEMAND WEBINAR
    Half Truths, Whole Truths, and Nothing but the Truth About Moving to RISE
    15 April 2026

    Five questions to guide your move to GRC for HANA 1.0

    The launch of SAP GRC for HANA 1.0 (SAP GRC 2026) brings six previous solutions into a more user-friendly combined platform: Access Control, Process Control, Risk Management, UI Masking and Logging, Business Integrity Screening, and Audit Management. But to make the most of the efficiency, security, and compliance benefits this integration brings, you’ll need to embed with S/4HANA and ensure your target architecture is S/4 foundation 2025 or later. 

    Because of this, and because organizations are starting from different legacy environments, it can be difficult to pinpoint the right course of action. This blog will explore five key questions to guide your journey toward upgrading or migrating to SAP GRC for HANA 1.0. 

    1: Where are you now? 

    The first step is to understand your current GRC architecture position. As a starting point, there are three vital areas to take into account: 

    • Access management effectiveness: How efficient is your management of access requests (including emergency access)? Are your current multi-step, multi-process workflows too complex? 

    • Integration of Identity and Access Management (IAM): Which IAM solutions do you use, and how will they affect configuration and testing during migration? 

    • Controls framework usage: How is GRC supporting your controls, such as Emergency Access Management (EAM) and Segregation of Duties (SoD) rulesets? 

    In this discovery phase, processes and governance considerations are just as important as the solutions themselves. It’s vital that these are part of the migration/upgrade design from the outset, and that all relevant stakeholders are positively engaged on the journey. This means considering: 

    • Process and governance module: Is there clear ownership of roles and the SoD rulebook? Are audits finding any recurring problems?

    • Reporting and audit requirements: Are the reports relied on by auditors standard or customized, and are they helping effectively track risk remediation?

    • Organizational readiness: Do your teams have the expertise to configure and troubleshoot GRC? Are current processes fully documented? 

    Having this understanding in place gives your organization a solid foundation for establishing the right way forward. Ultimately, your current state, and understanding what works within it and what doesn’t, will drive what your new state should be. 

    2: Where are you going? 

    With that current state established, you can then go on to ask some more technical questions as well as determine what your upgrade/migration objectives should be. These include: 

    • Timing: Should the migration take place before, during or after the S/4HANA conversion? Given that GRC for S/4HANA is embedded within your S/4 environment, consider whether or not you want your GRC instance embedded within your S4 environment or on a separate instance. The question is the same if you are moving to RISE.

    • Product and strategy alignment: Does the project fit in with your long-term strategic objectives business-wide — for example, pursuing AI capabilities?

    • Architecture and technical landscape: How easy will it be to integrate with your existing technology, accounting for key integration points such as SuccessFactors, IDM, and SIEM? 

    • Role and security models: GRC for HANA will bring some updates to SoD rulesets, so this is an opportune time to consider your current role design, and if you would benefit from reviewing your SoD ruleset as well. Can you utilize some of the new rulesets that will be delivered? 

    • Access requests and workflows: Review your current workflows within Access Request, Process Control, and Risk Management by asking current reviewers if the current workflows are cumbersome or just a rubber-stamp approval. Your migration / upgrade presents an opportunity to review, streamline, and reretrain business approvers.  

    • Change management and adoption: Can the new reports within GRC be used beneficially for your business? Ensure any new enhancements and reporting are reviewed early and often to ensure stakeholders, such as internal and external auditors, can ask questions and are comfortable with any new functionality (especially around reporting). 

    3: What should your migration or upgrade look like? 

    There are some important distinctions between a migration and an upgrade here. The technical considerations between an upgrade of existing GRC solutions differ substantially from a migration of GRC solutions within an embedded S/4HANA or standalone environment. 

    • If you’re upgrading… 

      … you’ll need to perform the upgrade through an ‘uninstall-install’ procedure using Software Update Manager (SUM). The SUM will upgrade all SAP GRC software components to new versions and upgrade SAP NetWeaver to S/4 Foundation 2025. Your underlying database will be converted or switched, and your on-premise system will be lifted and shifted into Private Cloud Edition. 

      All your data and configurations will be preserved, and the system state won’t change post-upgrade. After the upgrade is completed, you may need to execute SAP-delivered reports, and you’ll need to set up Fiori Launchpad if you don’t use it already.

    • If you’re migrating…

      …SAP GRC will be installed on your existing S/4 Core System, and SAP will provide all the necessary documentation on the migration process and the objects involved. SAP recommends using the Data Management and Landscape Transformation (DMLT) service to execute the migration.  

      Your data and current configurations will be migrated into the new S/4 Core System, and data can be adjusted to avoid any conflicts. You’ll need to manually prepare HR Infotypes and tables for Customer-Defined fields and manually recreate any customer-developed tables and custom code. 

    Whichever journey applies to you, with so many different factors to consider, all testing scenarios should be accounted for throughout the process. Through all of this, it’s vital to keep relevant stakeholders in the loop, including auditors, so that any potential compliance issues that crop up along the way can be addressed proactively.  

    4: How can I get the most out of the GRC platform? 

    Because you’re required to be on the S/4HANA database post-migration, you’ll automatically be able to take advantage of the HANA architecture, which delivers speed and processing improvements. 

    This is just one of the key plus points of migrating to GRC for S/4HANA. From a technical perspective, you can gain enhancements such as additional Fiori content, AI capabilities through Joule, and a combined platform for the six previously disparate GRC solutions, making for easier and more efficient technical management. 

    User experience can also be transformed by embracing the Fiori UX and the ability to have everything in one place to improve user experience. Furthermore, being able to use Joule, SAP’s artificial intelligence assistant, directly within GRC can add further efficiency, accuracy, and speed across core functions. 

    Fiori and AI will perhaps be the most noticeable day-to-day by improving their user experience. Emphasizing these points to stakeholders, and demonstrating real-world day-to-day benefits, can make a real difference in maximizing business buy-in and generating the largest possible ROI from your migration.

    5: What are the pitfalls I should look out for along the way? 


    The most common pitfalls in GRC migration and upgrade journeys come from a lack of appreciation of the importance of processes and governance, alongside the technology itself. There are three particular pitfalls that stand out, but with the right approach, planning, and partner in place, all of them are solvable: 

    Problem 1: The migration is treated purely as a technical one 

    Impact: Legacy complexity, over-customization, old inefficiencies making it through to the new environment. 

    Solution: Fully evaluate workflows, governance roles, and responsibilities, and redesign them as appropriate. 

    Problem 2: Some stakeholders aren’t engaged in the project from the beginning 

    Impact: Long lead times for RISE connectivity, longer approval processes for workflows and CCMs. 

    Solution: Involve the network team from the beginning to work with SAP and achieve buy-in during the scoping and design stages. Also check in regularly with Internal Audit and Controls to ensure alignment. 

    Problem 3: Underestimating the need for change management 

    Impact: Lack of familiarity with Fiori updates, workflows, and reports across the business, increasing the time demand for training and adoption. 

    Solution: Proactively provide training and documentation, including for Internal Audit and Controls teams, encompassing walk-throughs of the new environment after unit and UAT testing. 

    In summary: Leave no stone unturned 

    The theme that unites all these steps is taking a holistic view, whether that’s considering every existing workflow and user, or ensuring that every stakeholder is positively engaged with the change. 

    Of course, what this might look like for your organization may vary substantially from others — which means that taking expert advice from an experienced third-party along the way can be invaluable in keeping your migration or upgrade on the right track for your business objectives. 

     To get more in-depth and technical advice on how to progress through your SAP GRC migration or upgrade journey, watch this on-demand webinar cohosted by Turnkey Consulting and SAP experts.

     

    FAQ’s

     Do you need to clean up roles and controls before moving to SAP GRC 1.0? 

    In most cases, yes. Carrying forward existing roles and rulesets without review often means bringing legacy complexity into a new environment. Rationalizing roles and addressing known control gaps upfront can reduce risk and avoid rework later. 

    How closely should SAP GRC for HANA 1.0 be aligned with your S/4HANA or RISE program? 

    GRC is tightly linked to your core S/4 environment, so timing and architecture decisions will affect access, identity management, and audit processes. Aligning programs can drive efficiency — but also introduces dependencies that need careful management. You can deploy your GRC for HANA as an embedded solution or deploy a separate S4 system that can then integrate into your other SAP instances.   

    What typically causes GRC transformations to fall short?

    More often than not, it’s not the technology. Legacy processes, unclear ownership, and poor stakeholder engagement are the biggest issues. Taking a structured approach to governance and change management is critical to long-term success. 

    Category Filter

    Get our latest case studies, e-guides & white papers!

    Protection your enterprise. Drive performance.

    Get to know Turnkey