The company employs approximately 5500 people and had a turnover of £1.63bn in 2012/13. United Utilities Water provides water and wastewater services to a population of approximately seven million domestic customers and 200,000 businesses, from as far north as Carlisle to as far south as Crewe. United Utilities Water keeps the North West flowing with:
The need to develop and implement a security and risk management strategy in SAP was identified by managers at United Utilities. This identification followed on from a plan to implement GRC process and access controls, which had been in the pipeline for some time but was subject to delays.
Gary Flaherty, SAP Project Manager, explains further: “We needed a coherent strategy. We knew that we needed a drive to improve our housekeeping surrounding issues of access and control because of potential security risks in SAP. Alongside these issues, GRC was not working whilst SAP was live and we knew that GRC would help us address these issues,” he said.
“Poor access control was the immediate issue we had to face. As we were operating on manual processes, staff were requesting and getting access to the SAP system without consideration to whether it was relevant to their job. People were also taking legacy access to the system with them when they moved roles. We needed an efficient, automated way of working.
“Our preferred way of working would also eliminate risk control. It was an area we were already aware we had issues with and, like any good business, we knew that automated controls would lead to good practice,” he added.
SAP GRC was originally positioned as part of the Support Processes Project alongside Finance, HR and Procurement. It was originally due to be implemented in November 2012 but went live in the final deployment phase in June 2013.
“We had partnered a SAP consultancy at the start of the programme. SAP and GRC access controls were part of our scope though neither worked properly, so we turned to independent contractors and our own staff. It became clear that we needed to work with a specialist in SAP systems,” said Gary.
Turnkey Consulting and other specialist companies were invited to tender. As a result of the competitive tender, Turnkey Consulting was therefore selected to work on the project. They offer an excellent working knowledge of the area backed up with strong references.
Turnkey Consulting responded to the tender in March, to start in April and with delivery expected in June. “The company came into our workplace to find out more about us,” explained Gary Flaherty. “They wanted to see where we were up to, what we’d done so far and what our plans were. It was a case of ‘That’s what we want to achieve, but can we achieve it?” he added.
The overall aim of the project was to help United Utilities identify, control and, if possible, design out the risks that the company was exposed to across its business processes. After a review, United Utilities and Turnkey agreed on a targeted and phased approach to deliver and implement a fully operational GRC. Phase one provided a solid foundation and enabling technology, including:
In less than three months, a number of milestones were met. The technical deployment of elevated access management for fire-fighting United Utilities’ problems, the infrastructure for process controls with automated monitoring and lastly the platform for BPRC have all been achieved. This will be built on in phase two.
Since go-live, Turnkey has also delivered custom enhancements to the system. These include the integration of process controls for mitigating controls and the presence of automated risk capabilities. The latter includes process control email notifications.
Phase two is now underway. Its aims are to embed the technology into United Utilities’ business processes, through optimised business control definition (BPRC) and therefore give a full risk management solution to the original problem.
“We’ve now got segregation of duty reports in place with access controls. This lets us proactively manage the risks highlighted in reports, which we do by working with business process owners,” said Gary Flaherty.
“We’ve been able to identify actions and work with business process owners to remove them by implementing agreed solutions. Together with Turnkey, we’ve worked well to address, understand and resolve the challenges we faced,” he added.