We may not know exactly what the federal U.S. government’s latest plans are for banks, healthcare and the environment, but one thing is clear: more regulation is on the way.
So it’s not surprising that SAP has been pushing its GRC software as of late, most recently holding a press roundtable inviting us to listen to how customers are using the software.
Many organizations are still using Microsoft SharePoint and a variety of manual checklists and documentation for compliance, according to reporting by SearchSAP.com contributor Chris Maxcer. But others have taken a more proactive approach, moving beyond ensuring compliance to uncovering and avoiding risk by establishing a GRC strategy.
Case in point, all of the customers who participated in the roundtable discussion (Becton, Dickinson and Company, Pearson North America and Allegheny Energy) initially adopted SAP’s GRC software to ensure compliance with SOX. But once users figured out that the software really made things like ensuring segregation of duties easier, there was momentum for rollout of other modules.
What they discussed provided a pretty good overview of how to get started with an SAP GRC software project – a place many of you might be.
What’s in SAP’s GRC software suite?
SAP counts SAP BusinessObjects Access Control (which enforces segregation of duties) and Process Control (which monitors controls in IT and business) as part of its GRC suite. It also includes Global Trade Management, the environment, health and safety management product, and the sustainability performance management product.
What do companies implement first?
Becton, Dickinson and Company (BD) started with a rollout of a part of the SAP BusinessObjects Access Control product — Risk Analysis and Remediation, according to Mark Lubas, who works in financial and internal controls management. BD manufactures medical equipment and supplies.
The software provided insight into risk, he said, and gave the global SOX compliance team a more efficient way of analyzing segregation of duties.
“Success breeds success,” he said. “With the initial success with our SOX project, management recognized the fact that if this is good for finance, it will be great for other processes. Even if not part of the SOX universe, it makes good business sense to implement in other areas.”
Governance, risk and control needed to be looked at as a process discipline unto itself, he said. As a result, along with its reimplementation of SAP ECC 6.0 (BD was using 4.0B and couldn’t upgrade because the version was simply too old), it’s implementing all modules in SAP BusinessObjects Access Control.
Who should be involved with the project?
BD brought together representatives from IT, the internal audit continuous assurance group, and business users from the locations where the segregation of duties analysis tools were used to oversee the project, Lubas said.
Do you have to buy any new hardware?
BD did an entire landscape analysis, and bought new hardware to support the project, Lubas said.
How do you justify the cost?
From a cost standpoint, BD was already spending an enormous amount of manpower on compliance efforts. It had been putting information in Access and SQL Server databases, using Excel spreadsheets, and then circulating the results by email.
“So much time was spent on data gathering, there was no time spent on critical analysis,” Lubas said.
The project reduced manual processes, saving the company money.
At Pearson North America, a publishing company, by contrast, it was cost avoidance that helped justify the project, according to Frank DiPentima, vice president of Financial Compliance.
At the most basic level, they were able to remove the consultants and the manual parts of segregation of duties management – immediately. Doing this manually took three months, and it was nearly impossible to do it cleanly and correctly.
“ROI may be part of the study, but it shouldn’t be the driving force,” DiPentima said.