Paving the Way for ROI with a Successful SAP GRC Process Controls POC

“Turnkey Consulting has clearly got a set-up to provide the kind of capabilities that we’re looking for."

— Richard Green, SAP GRC Team Lead

Challenge

The company had no common repository for storage of controls-related information outside, and even within, its Finance division. Reporting was unreliable and took too long to produce because of a very manual process. Each of the divisions within the company was using different terminology to manage controls with no common methodology. “We didn’t have a common approach to the management of incidents and we felt we were not learning from control failures and incidents,” says Richard Green, SAP GRC Team Lead.

This meant it was difficult to get the necessary insights into controls required to enable senior management to get a clear picture of the vital controls and compliance information.

The company wanted to take the opportunity to undergo a Proof of Concept project using SAP GRC Process Control 10.0 to standardise its approach and use a single tool to underpin its controls management processes, as well as moving towards a continuous controls monitoring solution.

Green explains, “We’ve been looking for opportunities and testing them to standardise the process and use the SAP Process Control product to apply workflow, automate and improve compliance so that evidence is more readily accessible using a common approach.”

Solution

Turnkey Consulting helped setup and run workshops to scope out the processes to be covered by the POC and to finalise the approach to the ongoing work. Turnkey Consulting then worked with the company’s project team and focal points to draw up a full set of requirements and establish a series of comprehensive, traceable scenarios for testing the capability of SAP GRC Process Control 10.0 against the proof of concept.

The result was a set of test scripts endorsed by the focal points of the business that formed the basis for a week-long conference room pilot that included around 15 people from across the company.

This phase of the project was split into two parts. One focused on building scenarios within the SAP Process Control tool and demonstrating functionality using company data, and the other centred on assessment. Green explains, “We looked at requirements that we couldn’t deal with using the tool, and either assessed the system functionality if it existed, or determined what the gap was. We then decided whether to adapt our processes to fit in with the way the tool worked or develop the product to provide the capability that didn’t match our requirements.”

During the pilot, Turnkey Consulting documented the assessment outcomes and ensured feedback was captured accurately. Green comments, “They did a thoroughly good job of doing that and feeding back to the focal points, so there were no issues at the end of the week with anyone challenging our conclusions.”

Following the POC the project team concluded that SAP GRC Process Control 10.0 fit the company’s requirements, with certain modifications to processes or tooling. “Essentially it was a tick in the box at this stage to say that we would move forwards with it” says Green.

The outcomes input into the company’s proposals for next steps, which need endorsement from a steering committee and the company’s Group Controllers Leadership Team. Green is confident of a positive outcome and concludes, “Throughout the course of the work we got a lot of positive feedback and recognition from the business focal points about the way things were managed. This included the development of the test scripts and the quality of all that work.”

Benefits 

• Confirmation of the right solution: The Proof Of Concept project was a necessary and vital step in the process of developing controls management within the organisation. “It’s a fundamental tick in the box, because if we didn’t think the tool was going to support our requirements we wouldn’t be progressing one step further with the work,” explains Green. “The foundation work on the controls management side has been done and the case has been proven that we can make this technology work for us; it will support what we want to do.” 
• Solution will provide multiple benefits for CCM: Feedback from senior stakeholders within the business suggested that if controls management was the only area to benefit from using SAP GRC Process Control 10.0 it would not be worth replacing the existing system. However, the POC project demonstrated that the tool would provide real return on investment through continuous controls monitoring, by automating controls and strengthening the controls framework. Green says, “That’s where the business case is really. The integration with the CCM is where we’ll start to see the value and having one tool is definitely going to be a benefit, providing standard processes across the business.”
• Keeping controls within SAP makes strategic sense: The company already has a strategy of using SAP tools wherever possible, so there was a strong motivation to use the POC to prove that Process Control would be the right choice to handle the controls management and continuous controls monitoring functions. “SAP is a default from a strategic approach point of view,” explains Green. “SAP has been involved throughout the process and see that we’re serious about what we’re doing. It’s a proper partnership, where we all benefit from collaboration”. 

• No evidence of ‘showstoppers’ going forwards: The main objective of the six month POC project was to thoroughly investigate whether the SAP GRC Process Control tool was appropriate and whether there were any potential ‘showstoppers’ that would prevent them from proceeding. Green comments, “A very positive outcome of the POC is that this is not the case. There are areas where we would like to develop reporting and instances where we’d actually like the methodology built into the tool to be changed, but we had all the right people involved in the POC and none of them considered any of those things to be in the ‘showstopper’ category.” 

Summary

“What I see from Turnkey Consulting are individuals with a broad skills set: an audit background, combined with an understanding of the controls environment, as well as functional knowledge of the product. For me it’s having these rounded characters that can offer several competencies, having people that can fulfil a combined role that has a bit of business analysis, a bit of functional consulting and a bit of stakeholder management.”

“The next stage for us will be looking at these competencies that we’ve identified for the subsequent phase of the initiative and starting to put together our plans for how we might best resource them internally and externally. Turnkey Consulting has clearly got a set-up to provide the kind of capabilities that we’re looking for.”

Richard Green, SAP GRC Team Lead