“There are many companies that could make our system sing, but Turnkey Consulting could also work out what tune we needed to play.”
— Arthur Williamson, Lead
“Although the company had nearly 100 separate implementations of SAP to support different businesses in different countries, we realised we needed a single global HR system,” says Arthur Williamson, Lead Programme Manager. Although the group had a lot of SAP skills internally, they found that none of their suppliers could provide competent people in all the areas needed. This was particularly prevalent in the controls and authorisations area. “We had to rely on word of mouth, and this is how we identified Turnkey Consulting,” continues Williamson. “Really good authorisations consultants are rare, and it was refreshing to find an organisation that could support our global HR implementation.”
In particular, the challenge was to manage what an employee or supervisor can do or see (a hierarchical view) alongside what an administrator can see or do. Everything is controlled by the role and, to complicate matters further, there is also an administration role: individuals who execute processes for large groups of people, such as running a payroll or executing the holiday leave process. “As well as being employees, these administrators can also be supervisors. Conceptually this was technically difficult to make happen,” explains Williamson.
This complexity is further compounded by the need to take into account data privacy rules for each country. Although there are standards in place, there are always exceptions to the rule, and these needed to be dealt with in SAP.
Turnkey’s client needed people at the peak of their technical expertise, who could understand the processes, navigate the politics and appreciate the legislative challenges of working in a global environment. Williamson goes on to say, “We turned to Turnkey in 2005 to work with our project teams, advising on the impact of the design choices being made around privacy and access control.”
Turnkey was also asked to design the organisational hierarchy within the system, and assign the different scenarios needed to execute different transactions and access different populations. While really understanding how the organisation and process design needed to work, Turnkey also supported the change managers and business stakeholders, providing the information needed to configure the system correctly.
Turnkey used their in-house rule set and quick start accelerators to help Sodexo get the basic system in place quickly, with the system going live in under 3 months. The foundation rule set provided a platform to build on, making it a much quicker approach than having to build the rule set from nothing.
Sodexo has now implemented SAP GRC Access Control including emergency access and risk analysis. They are moving onto remediation projects, and will then implement the automated workflow provisioning.
Turnkey ensured the systems were compliant with data privacy requirements across all countries, while ensuring users had the right access to the system. “For example Turnkey ensured the correct Segregation of Duties (SoD) were in place to support our payroll, so people running payrolls couldn’t change bank details, and people who change bank details, couldn’t run payrolls,” explains Williamson. Turnkey built SAP roles and groups of SAP access to support the business operationally, whilst managing SoD risk, and supporting internal controls. This included the configuration of SoD monitoring tools to ensure this was enforced.
Williamson emphasises the overall problem solving element of the task in hand. “It is a lot more than a technical activity. It’s problem definition, solution design and change management combined in one, and Turnkey ensured their expertise was leveraged.” It was a major exercise to configure the system. With thousands of roles, Turnkey needed to think how to rationalise and maintain the huge amount of configuration data.
During the HR rollout, Turnkey was instrumental in defining a “cookie cutter” approach. Instead of each country being treated independently, they aligned the security rollout with the overall global rollout. “Turnkey ensured each country adopted the standard methodology, with accelerators to help speed up the process,” says Williamson. “By running a workshop with each country, everyone understood the template, what was expected of them and the choices they needed to make.” By the end of the workshop, they would know who should be mapped to each role.
Following the core HR rollout, Turnkey was engaged in the upgrade programme, ensuring all aspects of security were successfully upgraded to SAP ECC6. This included the SAP access roles and new functionality, as well as scoping and defining the new roles needed and upgrading the global data privacy requirements. Their credibility has meant Turnkey has been engaged in a number of security streams across the organisation. “We trust Turnkey, and have been more than happy for them to take accountability and ownership for these series of steps in the process. They have certainly earned the increased responsibility,” highlights Williamson.
“We are happy to outsource the basic administrative tasks of our system, but as soon as we hit anything difficult in our roles and authorisations, we immediately turn to Turnkey,” explains Williamson. “If it’s not routine, you need the next level of expertise.”
Williamson concludes, “Their priority is always our best interests. Turnkey is a very honourable consultancy ensuring we get value for money at every step. As experts in the field of authorisations and controls, I take pleasure in recommending them.”