Risk management via SAP GRC is a fundamental pillar of the security of your SAP applications. VASPP has developed a simplified control solution.

28/03/2022

SAP GRC

WHAT IS GRC AND WHY DO YOU NEED IT?


Governance Risk Compliance

It may not ring a bell, but this term was coined in the early 2000s and is today unavoidable in the business world, in particular in the SAP ecosystem.

Think about Enron, the American energy company that went bankrupt in 2001 following speculative operations and a massive distortion of its bank accounts.

Would it have ended like that if the company had had a complete GRC approach? No one can know. Nevertheless, it would have changed the destiny of this big company.

Today, in a changing environment shaped by the boom in modern technologies and innovations, companies must reorganize, anticipate possible risks and comply with current regulations.

The GRC application within your SAP ERP is the ideal management solution to help you face these challenges.

What is Behind the Acronym GRC?

GRC is part of business management. It refers to three specific ideas:

G for Governance

It is the set of tools implemented to lead and control your organization and its infrastructure, such as an ERP like SAP. Efficient governance involves controlling and coordinating resources and empowering employees.

R for Risk

There are always unpredictable actions or events that might delay or prevent you from reaching your goals. For a long time, the most important risks were financial ones (e.g. fraud or misappropriation of funds).

Nowadays we must add all the risks linked to cybersecurity and malicious attacks over the internet. That is why it is very important to have a complete and efficient risk management program.

C for Compliance

Are you currently working in a start-up? An SME? A big company? It doesn't change anything: you have to be aware of the regulations in place.

Moreover, in recent years investors have put a lot of pressure on companies for internal controls to be more regular and efficient, in order to improve stakeholder confidence. Otherwise, you could be exposed to sanctions such as substantial fines.

Thus, GRC is the general term for all the measures and processes which help companies achieve their control goals, identify possible risks and correct them, while respecting applicable laws and rules.

How Does GRC Work?

GRC is based on controls and audit logic. It can take various forms, such as supervising daily operations and processes, or complete dashboards. Software can provide a complete GRC Access Control solution.

In theory, every solution should supply detailed reporting on the compliance process thanks to a real-time risk map. Analysis of this map gives many options for making decisions and ensuring better productivity for the company.

How Can You Implement a GRC Solution in Three Steps?

STEP 1

Even if you don't know it yet, your company is already aligned with some GRC framework. However, it is possible that this framework operates across many software tools in a haphazard way, with dashboards that do not even integrate with each other. It is therefore necessary to draw a clear picture of what you have.

Then, think about your targets and your requirements to highlight the business processes that could be most affected by risks and compliance issues. The only way for your decision makers to choose the appropriate GRC approach in the SAP ERP for your company is an evaluation of deficiencies and security holes.


STEP 2

The process can take a long time and can be expensive. In spite of all that, it is a long-term investment. An efficient GRC solution adapted to your company will help your employees and managers focus more on the development and productivity of the company.

VASPP offers certified solutions which improve the use of your current SAP GRC Access Control tool.

STEP 3

Once you have selected your GRC solution and identified your security roadmap (e.g. SAP GRC Access Control, one of the most popular tools today), you only have to implement it within your company. This involves:


  • Integration with your existing workflow and tools, your various SAP applications as well as your non-SAP solutions, whether on-premise or cloud applications.
  • Integration and adaptation of an SAP risk model according to the global organization, business units and business processes rolled out across your business model, including the roles and responsibilities needed to build your risk map and classification.
  • Monitoring and evaluation of performance, which has to be effective whatever the conditions.

What is the Secret to Success for a GRC Approach?

Prioritize the risks

Management and evaluation of risks are mandatory. You will always have some potential threats; it is impossible for a company to eliminate them all. Good prioritization allows you to understand better what you have to do (separation of duties, sensitive access tracking, workflow activation) but also to demonstrate the impact of every risk on the organization.

Confidence in the executives

This ranking should be shared with decision makers in order to ensure optimal investment from all stakeholders. It triggers the decision process to identify what you have to protect and where you have to free up your resources.

Thus, it is important that the relationship between decision makers and the other members of the organization be lasting and based on confidence. Leadership is one of the keys to successful change. It includes the following actions:

  • Design: risk identification roadmap in relation to the business units and business processes
  • Implementation: risk management and aligned SoD matrix
  • Exceptions: GRC framework for privileged access rights and authorizations
  • Action plan: remediation process for identified risks
  • Onboarding: identity management via a hierarchical validation flow

Setting up an adapted GRC

Who is Concerned by GRC?

The answer is simple: everybody can take part in a successful adoption of GRC. Governance, risk and compliance elements spread from the top level of the organization down to departments and work teams.

Board members are not responsible for addressing all the details of risk management; however, high-level risk management tracking must be a critical part of their key indicators. SoD monitoring should clearly be part of it, as well as controlling global risks and process compliance.

We could classify companies according to three levels of maturity:

  • Reactive: standard processes are non-existent and issues suffer from a lack of management when they happen. Operational risks are not correctly addressed, and responses are not clearly listed and actioned.
  • Controlled: data and risk analysis and treatment are carried out, and some SAP GRC tools are implemented to manage possible issues.
  • Preventive: the evaluation is complete, eases risk identification and anticipates security breaches, as automated business rules are implemented.

Nowadays, most companies fall into the first two levels of maturity: either they work only with manual processes, correcting issues when they appear, or they have reached the second level with the assistance of tools like SAP GRC Access Control.

Only a few companies have rolled out a preventive approach, with deep and complete automated rules using GRC Process Control and Risk Management tools.

In terms of SAP Access Control and cybersecurity management for cloud access (SaaS), there remain several gaps to fill to cover this type of access rights and authorizations.

Regardless of the size of your company, an active GRC practice is compulsory. Obviously, it won't be the same in a small company as in a very large enterprise.

Thus, according to a 2009 study published by the French anti-corruption agency (La fonction conformité anticorruption dans l'entreprise), 72% of CAC 40 companies had created a compliance function within their organization.

Some are totally independent, whereas others are attached to the risk and internal control department. This tendency highlights an evolution towards greater maturity for the company.

In smaller companies, it is most of the time the legal department that is in charge of compliance, or possibly even the financial department. But this can bring drawbacks, as these people are not used to interacting with other departments (internal control, human resources, IT, …).

VASPP GRC analysis and dashboards

What are the Main GRC Certifications and Regulations?

Considered the central element of a company today, GRC takes different forms. Nevertheless, it needs to respect some rules and can be optimized.

To understand the process better, we would advise obtaining one of the various certifications. We are going to help you get a clearer picture of the existing options.

What are the Best Certifications and Who Can Pass Them?

There are all kinds of certifications on the market. Each one has its own characteristics. Here is our list of five different certifications:

CRISC: Certified in Risk and Information Systems Control. You will improve your GRC skills with a specialization in cyber risks. It is a 3-hour exam with 150 questions in 4 areas: risk identification, risk evaluation, risk mitigation and reporting.

ITIL: IT Infrastructure Library. It helps develop all the concepts around IT service management, major process identification and new technology management. To obtain it, you will have to pass all levels (ITIL Foundation, ITIL Expert, ITIL Master…).

CGEIT: Certified in the Governance of Enterprise IT. Mainly aimed at new technology managers, it deals with the governance of a company's new technologies and their alignment with the needs and goals of the company. It covers 4 main areas: IT service governance, IT resources, benefit realization and risk optimization.

GRCP: GRC Professional. It is offered by the non-profit organization OCEG to help you understand the basics of the GRC process and acquire the skills you need to integrate governance, internal control and performance evaluation.

CRMA: Certification in Risk Management Assurance. It recognizes those involved in risk management and assurance, governance and control self-assessment, and thus positions them as trusted advisors to senior management. This is a two-part exam: 125 questions on the basics of internal auditing (2.5 hours) and 100 questions on auditing practices.

These certifications are aimed at all IT professionals, security specialists, business analysts and, of course, compliance officers. Some may only interest one specific position, such as the CRMA for risk managers.

The GRC Regulations

Until the beginning of the 90s, GRC wasn't really recognized by any law. The first two internal control reference frameworks came from the United States: COSO (Committee Of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technology), created in 1992 and 1993 respectively, were the first true frameworks for internal control and its audit evaluation.

Finally, in France, the big financial scandals of the 2000s led to the creation of one institution and the passing of two laws which still govern GRC today:

  • The French Financial Security Law (LSF), published in the Official Journal no. 177 (August 2, 2003). It established a real national legal policy on the control and monitoring of financial flow processes. It emphasizes involvement and responsibilities, with significant financial penalties in case of serious infringement.
  • The French Financial Markets Regulator (Autorité des marchés financiers) governs all financial products and players to ensure the proper operation of the market. It also handles penalties when regulations and laws are broken.
  • The "Sapin 2" law: the 2017 French law on transparency, the fight against corruption and bribery, and the modernization of economic life. Companies must create a corruption risk map and an alert system for employees, without forgetting transparency in business decisions.

Our VASPP experts help you implement an adapted SAP GRC solution

At VASPP, we do everything we can to assist and support your company towards the implementation of GRC solutions aligned with your risk and control needs.

With SAP GRC Access Control, let's make your SoD risk prevention and evaluation more mature. In a short time, your organization will reach a continuous compliance level with a clear roadmap.

Forget the tedious and endless user access forms which require deep technical knowledge…

With our SAP GRC extension, you will save time and simplify all the authorization processes, from the access request during the onboarding of an employee to the departure of that employee.

Do you also need to grant privileged access requests? Then the Firefighter tool is perfect for you. Our solution gives you the possibility to provide privileged access in a simple way across your SAP environment.

Finally, GRC Analytics offers you turnkey dashboards which show you SoD risks and sensitive access rights in real time and at a glance. With an easy-to-use interface, this professional solution helps you follow audit requirements regarding the user management process.

Find our GRC solution directly on the dedicated page of our website.
