Typically GRC deployments have focused initially on Access Controls, maybe followed by Process Controls and then possibly Risk Management. In this blog entry I want to challenge the status quo and think about the most appropriate way to deploy the SAP GRC toolset as an integrated Enterprise Risk Management solution.
One of my colleagues, Marc Jackson, recently delivered a session at the SAP Insider GRC conference titled 'A Risk Based Approach to Security Audits using SAP Solutions'. The session outlined the way that the Big Four take a 'top down' approach to auditing SAP systems: focusing on the corporate objectives, the risks to the achievement of those objectives, and the derivation of the controls required to mitigate those risks.
This got me thinking about the way that most companies approach their SAP GRC implementations. Typically a company will start its SAP GRC journey with an Access Controls implementation to address audit issues or regulatory concerns such as Sarbanes-Oxley. This is partly due to these tools being the first to market and partly due to the resolution of those issues being the highest profile/priority. Many companies are now looking to build on this with improvements to, and automation of, business process controls through the SAP GRC Process Controls solution. A few have deployed Risk Management, perhaps alongside PC or as a stand-alone implementation.
Taking a step back, the overall objective of the SAP GRC solutions is improved risk management and internal controls. If we consider the risk based approach advocated by the Big Four audit firms and many professional bodies (e.g. PCAOB, IIA, and ISACA), then it would follow that a more logical sequence in which to implement the SAP GRC toolset might actually be the inverse of today's scenario. This question is particularly relevant with v10.0, as the three solutions now offer much better integration.
Starting with the implementation of the Risk Management tool has several advantages. Firstly, this solution is targeted at C-Level and Senior Management users. It should therefore follow that the project has senior level sponsorship from the outset, a key success factor for any GRC initiative. Furthermore, the subsequent implementation of Process Controls will inherently align controls with corporate objectives and the risks to the achievement of those objectives, since all controls will be derived from the risks identified by management and the board. While Access Controls are often some of the most robust control options available, they are only one control option in the overall control environment. It therefore follows that these should be derived from the control framework defined in SAP GRC Process Controls.
Taking a risk based approach is not going to work for everyone. Many companies look to SAP GRC as a spot solution to specific challenges and may not have the appetite for an Enterprise GRC solution. However, for those that do, it may be worth rethinking the standard deployment strategy for SAP GRC solutions with a little more focus on the overall objective: Risk Management.