In the UK & Ireland, Sodexo offers a range of on-site services from construction management, reception and food services through to asset maintenance, security and grounds maintenance for clients in offices, schools, prisons, hospitals, military bases, remote sites and at hospitality events.
In addition, they provide benefits & reward services (including childcare vouchers and public sector reward schemes), and home services.
With over 35,000 people working for Sodexo in the UK and Ireland, Sodexo strives to improve the quality of daily life at over 2,000 client locations across all market sectors.
Sodexo had invested in expanding its SAP environment over a number of years. While this brought greater functionality and additional capabilities, for example through the Employee Self Service (ESS) and the Manager Self Service (MSS) HR modules, it also significantly increased the number of users and the complexity of the system.
Sodexo’s SAP Security Consultant explains: “Our business is very diverse and we now have 5000 users which had grown dramatically after the last GRC project. That built in some extra areas of vulnerability that we needed to resolve”.
With a large workforce comes the risk of access creep. Sodexo wanted the ability to monitor and report on their access risk violations internally, rather than depending on external audit. They needed a tool that could run next to the new roles to ensure segregation of duties, and they wanted to transfer knowledge from their internal SAP team into a tool that anyone could run. They also wanted to improve the manual provisioning processes through automation, in order to maximise the SAP team’s efficiency.
“It was time for some automation, and we definitely needed additional assistance. We needed a system that we, Audit, and Control & Compliance could all use in-house, in order to take a proactive approach,” says Sodexo’s SAP Security Consultant.
Sodexo chose to implement SAP GRC Access Control 10.1 as a cloud solution, delivered through Turnkey’s Bedrock managed service. “A big thing for us about Turnkey was they were very personable. We felt that our key contact’s experience as a security developer, an auditor and now as a director of a company implementing GRC, was excellent. He understood what we needed from the system”, says Sodexo’s SAP Security Consultant.
Turnkey used their in-house rule set and quick start accelerators to help Sodexo get the basic system in place quickly, with the system going live in under 3 months. The foundation rule set provided a platform to build on, making it a much quicker approach than having to build the rule set from nothing.
Sodexo has now implemented SAP GRC Access Control, including emergency access and risk analysis. They are moving on to remediation projects, and will then implement the automated workflow provisioning.
Implementing the emergency access module has greatly benefited Sodexo. Previously, whenever a consultant needed emergency access to the SAP system, the SAP team had to review what transactions they were planning to do and how they would do them, before manually allowing access: a time-consuming process. Now, Access Control’s emergency access provides an automated, monitored and auditable process for all emergency access requests. Sodexo’s SAP Security Team Lead says: “Being automated saves us time because we don’t have to do all the investigation side of it”.
“The access risk analysis is key and the firefighter was a huge win for us in terms of monitoring our team’s privileges and having it all auditable. Having that in a workflow process that’s been reviewed and signed off is great,” adds Sodexo’s SAP Security Consultant.