2020 will be remembered as the year that the majority of the world’s population was forced to work remotely from home, with companies facing the risk of reduced data security.
It’s now a time when Governance, Risk and Compliance (GRC) is coming to the fore more than ever before. Data breach risks continue to increase almost daily as home workers face the risk of compromised GRC access from outsiders and colleagues.
In 2019, a WEF report on global threats listed cyber attacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organizations. The stakes are high should businesses fail to get it right.
Successful organizations are becoming more agile in their ways of working with GRC. Agile thinking encompasses the idea of “clock speed”, i.e. the pace at which an organization is able to move, react and adapt. It’s estimated that today’s average large organization requires a clock speed 3-5 times faster than the equivalent organization a decade ago.
It’s a reality that GRC practitioners are facing a continuous barrage of SAP access complexities, as well as regulatory and business change. Michael Rasmussen, a highly regarded GRC thinker, says “Often, existing SAP access risk tools are dated, cumbersome, too costly to own and maintain, and lack the ease-of-use and intuitiveness that the business needs to understand SAP access risk and related processes.”
The point is clear: a more agile approach is required in the face of accelerating change; it cannot be “business as usual” for GRC practitioners.
Soterion has reimagined GRC from the ground up to offer an unparalleled GRC solution to organizations running SAP. Its popular features combine with an award-winning user experience, delivering a solution that’s quick to install, easy to learn and S/4HANA ready.
New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation and are embracing new agile technologies and methodologies.
GRC principles fit well with the ‘agile’ approach and are today more relevant and important than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools.
Many new-generation GRC practitioners find themselves operating in a traditional organization. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organization requires.
Could someone in GRC influence organization-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, whilst at the same time pragmatically delivering GRC requirements within the prevailing framework.
So, what is the correct approach then for agile GRC? Given that organizations vastly differ by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer.
Here are a few agile GRC descriptors. Agile GRC realizes the need for engaging business users, and therefore puts business users at the heart of the process. GRC language is converted into a language that business users can understand. This is further achieved through more intuitive tools, such as business process visualizations that help users contextualize and understand risks.
A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering. Engaged business users are more vital today than ever given the fluidity of organizational environments. GRC must become a team sport.
If business users are not engaged, it falls to the GRC team to ensure that access risk remains healthy. This is usually done in an episodic fashion, frequently timed to coincide with an audit.
Traditional GRC tools are built on static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows. The traditional paradigm assumes that such process flows seldom change. With today’s pace of change and agile ways of working, access risk simulations are performed against rule sets that are increasingly out of touch with an organization’s reality. Business users become frustrated by this and their buy-in diminishes accordingly.
New-generation GRC applications are typically implemented at least 50% faster than traditional applications. This translates into lower total cost of ownership, less business disruption and quicker establishment of GRC capability.
Agile GRC vendors are connecting their applications with other vendors from similar but different fields to provide a more holistic offering. Examples of this are integrations with Identity Access Management solutions, Enterprise Risk solutions, Process Control solutions and Business Process Mining solutions.
In addition, GRC solutions need to be able to analyse non-ABAP-based solutions as SAP moves more functionality to the cloud (SuccessFactors, Ariba, Concur, etc.) and customers start replacing non-core SAP products with third-party solutions (Salesforce.com and Workday). Agile GRC solutions are future-proof, in that they will be able to seamlessly analyse access risk from traditional SAP systems (ABAP), as well as SAP cloud and third-party solutions.
In our increasingly fast-paced world, there is a strong correlation between successful GRC and levels of business-user engagement in SAP organizations. Therefore, the evaluation of tools in terms of attributes which contribute to business user engagement is an appropriate evaluation tactic to employ.
Company Name: Soterion
Contact Person: Media Relations
Country: South Africa