
GRC - The bigger picture

Former Member
0 Kudos

Hi guys, what kind of framework or approach do you use when trying to implement GRC in an organization? Of course we know SAP has Access Control, Process Control, RM, the repository, etc., but I do not think any company can implement all of them together. Are there interesting implementations you would like to share?

Accepted Solutions (0)

Answers (5)


Former Member
0 Kudos

Wouldn't this be a good topic for a blog on BPX? The discussion forum has its limitations.

Former Member
0 Kudos

Hi Peter,

the questions you raise are very current and there is no easy answer. I work for one of the Big 4 and I can assure you that each company has a different approach to it. You can divide them into two broad categories: tactical and strategic approaches to GRC.

Tactical:

Many companies, mostly those still struggling with SOX, buy technology for solving niche problems (SoDs, automating controls to decrease SOX costs, documentation tools for control frameworks, etc.). Often the need for a quick fix makes it impossible to broaden the discussion around the integrated GRC message. It is not uncommon to find corporations using SAP GRC in India and China and Approva in the United States, or even companies starting to implement GRC Process Control without having exploited the configurable controls already inherent in their SAP systems. In summary, it is a chaotic situation characterized by individual activism (at country/division/personal level) in which companies tend to create GRC silos inside the company itself. The approach to take is an organizational one: is there somebody in the organization (at the CxO level) interested in harmonizing and sponsoring the GRC discussion? Is the CIO on board? If yes, then you should care about a GRC framework; if no, it is wasted time in my experience, because the tactical forces will disrupt the cohesive GRC approach and frameworks.

Strategic:

There are very few of them at the moment, but they are increasing lately. These companies are willing to broaden the discussion about the GRC message and are interested in a GRC framework/approach. What does a GRC framework/approach contain?

- Defines the path forward (Where do we want to be four years from now?)

- Provides a clear view of how GRC integrates into core business processes (Yes, this means working with business people to collect GRC requirements, not just automating something in the back office and running off. I do not know how many failed SoD projects I have seen in the last year because they were only technology driven.)

- Identifies where risk and compliance management procedures can be automated (and, above all, where it does not make sense)

- Establishes an understanding of how information technology should play a critical role in risk management, proactive compliance, and adherence to standards and policies

- Maximizes the use of existing assets and investments (e.g. SAP configurable controls, SAP reports, etc.)

These companies are clearly not only strategic; they have realized that GRC should be approached with a combination of tactical (pilot projects) and strategic (what do SOX 404, FDA, Basel II, Loi Financiere, Turnbull, etc. have in common, and how can we leverage common GRC processes and IT infrastructure?) work.

I think it is also beneficial to distinguish between the GRC message as a business message and the SAP GRC message, which is still mainly technology driven. They are definitely interconnected, because they enable each other, but you need to make sure you have the right people in the projects on both sides. As an example, if you are implementing (in the future...) the SAP Risk Management component, there is a technical part to the implementation of the module, but there is also a fundamental business part in creating the processes and understanding around risk management in the company, so that the numbers and risk estimates that go into the tool make business sense and are lived as part of the day-to-day business. For that you need industry experts on supply-chain risk management, for example.

It is a long message and I thank you for having had the patience to read through it. It is a difficult question and a very broad topic, but I hope to have given you some food for thought. I am looking forward to hearing some of your experiences.

Former Member
0 Kudos

Dear Peter,

Access Control: Unfortunately, the cost in money and resources to ensure compliance with access control, segregation of duties, and compliant user provisioning on an ongoing basis can be overwhelming for many companies.

Access control, proper segregation of duties, and compliant provisioning must be managed by a solution that spans all core business processes across all enterprise application software. A central policy repository can then ensure consistency across the enterprise.

Third, the solution must be able to demonstrate compliance across the enterprise. It must maintain auditable records that internal and external auditors as well as regulators can use to verify compliance. Some relevant audit questions in the access control area include the following:

• What access risks are monitored?

• Which access risks have been properly mitigated?

• Who has access to a given system?

• Who granted access and when?

• Was it properly approved?

Process Control: The solution must enforce accountability and enable transparency so that business owners and executives can ultimately sign off on their attestations with confidence. As a result, compliance issues such as access control, proper segregation of duties, and compliant provisioning must be managed by a solution that spans all core business processes across all enterprise application software. A central policy repository can then ensure consistency across the enterprise.

From an IT perspective, this enterprise readiness translates into a number of requirements. First, IT managers want an application delivered with a predefined best-practice library of comprehensive cross-process and cross-application policies. On one hand, this vast number of policy rules must be easy to enhance and to adjust as the business changes. On the other hand, rules must be granular enough to address all of the details of enterprise application software, catching all the violations without producing false positives.

Second, the solution must empower employees across the enterprise. Efficient and effective collaboration between business and IT is one of the keys to success here. Automation and dynamic workflow options not only ensure reliability and repeatability of the solution by avoiding manual errors and establishing institutional knowledge; they also accelerate processes and increase efficiency. Third, the solution must be able to demonstrate compliance across the enterprise. It must maintain auditable records that internal and external auditors as well as regulators can use to verify compliance. Some relevant audit questions in the access control area include the following:

• What access risks are monitored?

• Which access risks have been properly mitigated?

• Who has access to a given system?

• Who granted access and when?

• Was it properly approved?

Repository: A central policy repository can then ensure consistency across the enterprise.

From an IT perspective, this enterprise readiness translates into a number of requirements. First, IT managers want an application delivered with a predefined best-practice library of comprehensive cross-process and cross-application policies. On one hand, this vast number of policy rules must be easy to enhance and to adjust as the business changes. On the other hand, rules must be granular enough to address all of the details of enterprise application software, catching all the violations without producing false positives. Second, the solution must empower employees across the enterprise. Efficient and effective collaboration between business and IT is one of the keys to success here. Automation and dynamic workflow options not only ensure reliability and repeatability of the solution by avoiding manual errors and establishing institutional knowledge; they also accelerate processes and increase efficiency.

Third, the solution must be able to demonstrate compliance across the enterprise. It must maintain auditable records that internal and external auditors as well as regulators can use to verify compliance.

Some relevant audit questions in the access control area include the following:

• What access risks are monitored?

• Which access risks have been properly mitigated?

• Who has access to a given system?

• Who granted access and when?

• Was it properly approved?

Based on the above facts you can decide whether or not you will have to implement all of them.

Regards,

Naveen.

Former Member
0 Kudos

Hi,

The risk is evaluated using COSO etc. This is the first step.

Having the control objectives on hand, we can use either the COBIT or the AS2 approach in implementing GRC. [AS2 is soon being replaced by AS5.]

The starting point is practically the access controls. Later on, the assurance department, in tandem with the users and the quality assurance department, slowly evolves the best practices in the areas of process control etc. These are implemented in phases and are subject to extensive testing.

Control self-assessment [CSA] is another handy tool in assessing the efficacy of the implemented controls etc., in the sense that the users who are experiencing the pulse of the risk/control can come up with sensible suggestions. In fact this is catching up fast in all the big corporate companies. This tells the priority, timing etc. of the various controls within the GRC implementation. Nevertheless, as CSA is based on experience, this happens 1-2 years after the implementation of the controls that were implemented in the initial phase.

The financial position of the firm (in fact many SMBs are yet to implement SOX owing to a heavy one-time expenditure) is another factor that influences the implementation of the controls, its timing, etc.

Hope this helps.

Regards,

Ramesh.

Former Member
0 Kudos

Hi Peter,

I don't suppose you had a chance to check out the SAP GRC 2007 conference in Las Vegas in March? There was a whole 'track' of information about top-down GRC approaches describing just what you mentioned. It includes case studies, as well as presentations from consulting companies such as PwC, Deloitte, etc.

If you didn't attend, then unfortunately most of the materials aren't available to you as they were supplied on DVD, but some of them have been posted up here:

SAP Insider Online: http://www.sapinsideronline.com/downloads/March11-14-2007/index.cfm

If you can get hold of one of the DVDs though, the entire Track 1 was top-down, enterprise-wide GRC.