24 October 2012

Taking A Top Down Approach To Your SAP GRC Deployment

Typically, GRC deployments have focused initially on Access Controls, maybe followed by Process Controls and then possibly Risk Management. In this blog entry I want to challenge the status quo and think about the most appropriate way to deploy the SAP GRC toolset as an integrated Enterprise Risk Management solution.

One of my colleagues, Marc Jackson, recently delivered a session at the SAP Insider GRC conference titled 'A Risk-Based Approach to Security Audits Using SAP Solutions'. The session outlined the way that the Big Four take a 'top down' approach to auditing SAP systems: focusing on the corporate objectives, the risks to the achievement of those objectives, and the derivation of the controls required to mitigate those risks.

This got me thinking about the way that most companies approach their SAP GRC implementations. Typically a company will start its SAP GRC journey with an Access Controls implementation to address audit issues or regulatory concerns such as Sarbanes-Oxley. This is partly because these tools were the first to market and partly because the resolution of those issues is the highest profile and highest priority. Many companies are now looking to build on this with improvements to, and automation of, business process controls through the SAP GRC Process Controls solution. A few have deployed Risk Management, perhaps alongside Process Controls or as a stand-alone implementation.

Taking a step back, the overall objective of the SAP GRC solutions is improved risk management and internal controls. If we consider the risk-based approach advocated by the Big Four audit firms and many professional bodies (e.g. PCAOB, IIA and ISACA), then it would follow that a more logical sequence in which to implement the SAP GRC toolset might actually be the inverse of today's scenario. This question is particularly relevant with v10.0, as the three solutions now offer much better integration.

Starting with the implementation of the Risk Management tool has several advantages. Firstly, this solution is targeted at C-level and senior management users, so it should follow that the project has senior-level sponsorship from the outset, a key success factor for any GRC initiative. Furthermore, the subsequent implementation of Process Controls will inherently align controls with corporate objectives and the risks to the achievement of those objectives, since all controls will be derived from the risks identified by management and the board. While Access Controls are often some of the most robust control options available, they are only one control option in the overall control environment. It therefore follows that these should be derived from the control framework defined in SAP GRC Process Controls.

Taking a risk-based approach is not going to work for everyone. Many companies look to SAP GRC as a point solution to specific challenges and may not have the appetite for an Enterprise GRC solution. However, for those that do, it may be worth rethinking the standard deployment strategy for SAP GRC solutions with a little more focus on the overall objective: Risk Management.