Governance, Risk and Compliance (GRC)
The term may not ring a bell, but it was coined in the early 2000s and is now unavoidable in the business world, particularly in the SAP ecosystem.
Think of Enron, the American energy company that went bankrupt in 2001 after speculative operations and a massive falsification of its accounts.
Would it have ended that way if the company had had a complete GRC approach? Nobody can say for sure, but it would very likely have changed the fate of this large company.
Today, in a fast-changing environment driven by new technologies and innovations, companies must reorganize, anticipate risks and comply with current regulations.
The GRC application within your SAP ERP is a management solution built to help you meet these demands.
What Is Behind the Acronym GRC?
GRC is part of business management. It refers to three specific ideas:
G for Governance
Governance is the set of tools and processes put in place to direct and control your organization and its infrastructure, such as an ERP like SAP. Effective governance involves controlling and coordinating resources and giving employees both responsibility and accountability.
R for Risk
There are always unforeseen actions or events that can delay or prevent you from reaching your goals. For a long time the most important risks were financial ones (fraud, embezzlement).
Today we must add all the risks linked to cybersecurity and malicious attacks over the internet, which is why a complete and effective risk management programme is essential.
C for Compliance
Are you working in a start-up? An SME? A large company? It makes no difference: you have to know the regulations that apply to you.
Moreover, in recent years investors have put a lot of pressure on companies to make internal controls more regular and more effective, in order to strengthen stakeholder confidence. Failing to comply can expose you to sanctions such as substantial fines.
GRC is thus the umbrella term for all the measures and processes that help a company achieve its control objectives, identify and remediate risks, and respect the laws and rules that apply to it.
How Does GRC Work?
GRC is based on a logic of controls and audits. It can take various forms: supervision of daily operations, process controls, or complete dashboards. Software such as SAP GRC Access Control can provide a complete access-control solution.
In principle, every solution should supply detailed reporting on the compliance process, based on a real-time risk map. Analysing that map gives decision makers concrete options and helps improve the company's productivity.
How Can You Implement a GRC Solution in Three Steps?
Even if you are not aware of it, your company already operates some form of GRC framework. However, that framework may rely on many separate tools used haphazardly, with dashboards that are not integrated with one another. The first step is to draw up a clear picture of what you already have.
Then think about your objectives and requirements to bring out the business processes most exposed to risk and compliance issues. An assessment of deficiencies and security gaps is the only way for your decision makers to choose the right GRC approach for your SAP ERP.
The process can be long and expensive, but it is a long-term investment. An effective GRC solution adapted to your company lets employees and managers focus on developing the business and its productivity.
VASPP offers certified solutions that improve the use of your existing SAP GRC Access Control tool.
Once you have selected your GRC solution (e.g. SAP GRC Access Control, one of the most widely used tools today) and defined your security roadmap, all that remains is to implement it within your company. This involves:
- Integration with your existing workflows and tools: your various SAP applications as well as your non-SAP solutions, whether on-premise or in the cloud.
- Integration and adaptation of an SAP risk model reflecting the overall organization, business units and business processes deployed across your business model, together with the roles and responsibilities needed to build your risk map and classification.
- Monitoring and evaluation of performance, which has to remain effective whatever the conditions.
What Is the Secret to a Successful GRC Approach?
Prioritize the risks
Risk management and risk assessment are mandatory. There will always be potential threats, and no company can eliminate them all. Good prioritization lets you understand what you have to do (segregation of duties, tracking of sensitive access, workflow activation) and also demonstrate the impact of each risk on the organization.
Trust in management
This ranking should be shared with decision makers to ensure full commitment from all stakeholders. It drives the decision process: what has to be protected, and where resources can be freed up.
The relationship between decision makers and the rest of the organization therefore needs to be lasting and built on trust. Leadership is one of the keys to successful change. It covers the following actions:
- Design: a risk identification roadmap tied to business units and business processes
- Implementation: risk management and an aligned segregation-of-duties (SoD) matrix
- Exceptions: a GRC framework for privileged access rights and authorizations
- Action plan: a remediation process for the risks identified
- Onboarding: identity management through a hierarchical approval workflow
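To make the SoD matrix and risk prioritization above concrete, here is an added example (written for this page, not code from SAP GRC Access Control or any VASPP product). It expresses an SoD ruleset as pairs of conflicting business functions, each function as a set of SAP transaction codes, and then runs two checks: a detective one over existing user assignments, ordered so that unmitigated Critical risks come first, and a preventive one that asks whether a pending access request would create a new conflict. The transaction codes (FK01, F110, ME21N, MIRO, SU01, PFCG, ...) are real SAP codes, but the function grouping, risk IDs, roles, users and mitigating control are constructed sample data and assumptions of this example.

```python
"""Added example: minimal segregation-of-duties (SoD) check with prioritization.

Not taken from SAP GRC Access Control or any VASPP product. The SAP transaction
codes are real, but FUNCTIONS, RULESET, ROLES, USERS and MITIGATIONS are
constructed sample data for this example."""
from dataclasses import dataclass

# Business functions as sets of SAP transaction codes (assumed grouping).
FUNCTIONS = {
    "VENDOR_MASTER": {"FK01", "FK02", "XK01"},   # create/change vendor
    "PAYMENTS": {"F110", "F-53"},                # run/post payments
    "PURCHASE_ORDER": {"ME21N", "ME22N"},        # create/change purchase order
    "INVOICE_ENTRY": {"MIRO", "FB60"},           # post vendor invoice
    "USER_ADMIN": {"SU01", "SU10"},              # maintain users
    "ROLE_ADMIN": {"PFCG"},                      # maintain roles
}

@dataclass(frozen=True)
class SodRisk:
    risk_id: str
    level: str        # Critical > High > Medium
    func_a: str
    func_b: str
    description: str

# SoD ruleset: pairs of functions one person must not hold together (assumed).
RULESET = [
    SodRisk("P001", "Critical", "VENDOR_MASTER", "PAYMENTS",
            "Create a fictitious vendor and pay it"),
    SodRisk("P002", "High", "PURCHASE_ORDER", "INVOICE_ENTRY",
            "Order goods and post the invoice for them"),
    SodRisk("B001", "Critical", "USER_ADMIN", "ROLE_ADMIN",
            "Create a user and grant it any role"),
]
LEVEL_RANK = {"Critical": 0, "High": 1, "Medium": 2}

# Roles -> transaction codes, users -> roles (constructed sample data).
ROLES = {
    "Z_AP_CLERK": {"FK01", "FK02", "FB60", "MIRO"},
    "Z_AP_PAYMENT": {"F110", "F-53"},
    "Z_BUYER": {"ME21N", "ME22N"},
    "Z_BASIS_ADMIN": {"SU01", "SU10", "PFCG"},
}
USERS = {
    "JDOE": {"Z_AP_CLERK", "Z_AP_PAYMENT"},
    "ASMITH": {"Z_BUYER"},
    "BASIS1": {"Z_BASIS_ADMIN"},
}
# Mitigating controls accepted by compliance, keyed by (user, risk_id) (assumed).
MITIGATIONS = {("JDOE", "P001"): "MC-017: AP manager reviews every F110 run"}

def user_tcodes(roles: set[str]) -> set[str]:
    """Effective transaction codes of a user: the union of all its roles."""
    return set().union(*(ROLES[r] for r in roles))

def conflicts(user: str, roles: set[str]) -> list[dict]:
    """Return every SoD risk this role set triggers, with the triggering tcodes."""
    tcodes = user_tcodes(roles)
    found = []
    for risk in RULESET:
        side_a = FUNCTIONS[risk.func_a] & tcodes
        side_b = FUNCTIONS[risk.func_b] & tcodes
        if side_a and side_b:            # both halves of the conflict are held
            found.append({
                "user": user, "risk_id": risk.risk_id, "level": risk.level,
                "evidence": (sorted(side_a), sorted(side_b)),
                "mitigation": MITIGATIONS.get((user, risk.risk_id)),
            })
    return found

def prioritized_report(users: dict[str, set[str]]) -> list[dict]:
    """Detective check: all conflicts, unmitigated and most severe first."""
    report = [c for u, r in users.items() for c in conflicts(u, r)]
    report.sort(key=lambda c: (c["mitigation"] is not None,
                               LEVEL_RANK[c["level"]], c["risk_id"]))
    return report

def simulate_assignment(user: str, new_role: str) -> list[str]:
    """Preventive check: risk IDs an access request would newly introduce."""
    before = {c["risk_id"] for c in conflicts(user, USERS[user])}
    after = {c["risk_id"] for c in conflicts(user, USERS[user] | {new_role})}
    return sorted(after - before)

if __name__ == "__main__":
    for c in prioritized_report(USERS):
        state = "mitigated" if c["mitigation"] else "OPEN"
        print(f"{c['level']:8} {c['risk_id']} {c['user']:7} {state:9} {c['evidence']}")
    print("ASMITH + Z_BUYER -> Z_AP_CLERK would add:",
          simulate_assignment("ASMITH", "Z_AP_CLERK"))
```

On the sample data, the detective report lists BASIS1's unmitigated user/role administration conflict ahead of JDOE's vendor/payment conflict, because the latter has an accepted mitigating control; the preventive check shows that granting ASMITH the Z_AP_CLERK role would create the purchase-order/invoice risk P002 even though neither role is risky on its own. That "simulate before approving" step is what moves an organization from correcting conflicts after the fact to the preventive approach discussed later on this page.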
Who Is Concerned by GRC?
The answer is simple: everyone has a part to play in a successful GRC adoption. Governance, risk and compliance elements run from the top of the organization down to departments and work teams.
Board members are not responsible for every detail of risk management, but high-level risk tracking must be a critical part of their key indicators; SoD monitoring clearly belongs there, along with oversight of global risks and process compliance.
Companies can be classified into three levels of maturity:
Today most companies fall into the first two levels: either they work with manual processes only, correcting issues as they appear, or they are assisted by tools such as SAP GRC Access Control.
Only a few companies have rolled out a preventive approach, with deep and fully automated rules using GRC Process Control and Risk Management tools.
As for SAP access control and cybersecurity management for cloud (SaaS) access, several gaps remain to be filled before this type of access right and authorization is fully covered.
Whatever the size of your company, active GRC practice is compulsory. Obviously it will not look the same in a small company and in a very large enterprise.
According to a 2009 study published by the French anti-corruption agency (La fonction conformité anticorruption dans l'entreprise), 72% of CAC 40 companies had created a compliance function within their organization.
Some are fully independent, while others are attached to the risk or internal control departments. This trend reflects growing maturity in these companies.
In smaller companies it is most often the legal department that handles compliance, or sometimes the finance department. This has drawbacks, as these people are not used to interacting with other departments (internal control, human resources, IT, …).
What Are the Main GRC Certifications and Regulations?
Now considered a central element of any company, GRC takes different forms. It nevertheless has to respect certain rules, and it can be optimized.
To understand the process better, we recommend obtaining one of the available certifications. Here is an overview to help you see more clearly among the existing options.
What Are the Best Certifications and Who Can Take Them?
There are all kinds of certifications on the market, each with its own characteristics. Here is our list of five:
CRISC: Certified in Risk and Information Systems Control. It sharpens your GRC skills with a focus on IT and cyber risk. The exam lasts 4 hours and has 150 questions over 4 domains: risk identification, risk assessment, risk response and mitigation, and risk and control monitoring and reporting.
ITIL: IT Infrastructure Library. It develops the concepts of IT service management, identification of the major processes and management of new technologies. It is a tiered scheme: ITIL Foundation first, then the intermediate levels up to ITIL Expert and ITIL Master.
CGEIT: Certified in the Governance of Enterprise IT. Aimed mainly at technology managers, it deals with the governance of a company's IT and its alignment with the company's needs and goals. Its 4 domains are governance of enterprise IT, IT resources, benefits realization and risk optimization.
GRCP: GRC Professional. It is offered by OCEG, a non-profit organization, and teaches the basics of GRC processes and the skills needed to integrate governance, internal control and performance evaluation.
CRMA: Certification in Risk Management Assurance. It recognizes professionals in risk management and assurance, governance and control self-assessment, positioning them as trusted advisors to senior management. It is a two-part exam: 125 questions on the basics of internal auditing (2.5 hours) and 100 questions on risk management assurance practices.
These certifications are aimed at IT professionals, security specialists, business analysts and, of course, compliance officers. Some target one specific position, such as the CRMA for risk managers.
The GRC Regulations
Until the early 1990s, GRC was not really backed by any law. The first two internal control reference frameworks came from the United States: COSO (Committee of Sponsoring Organizations of the Treadway Commission), published in 1992, and COBIT (Control Objectives for Information and Related Technology), first released in 1996, were the first true frameworks for internal control and its audit evaluation.
In France, the major financial scandals of the 2000s led to the creation of one institution and the passing of two laws that still govern GRC today:
- The French Financial Security Law (Loi de sécurité financière, LSF), published in the Journal officiel no. 177 of 2 August 2003. It established a genuine national legal framework for the control and monitoring of financial processes, and it stresses the involvement and responsibilities of those concerned, with significant financial penalties for serious breaches.
- The French Financial Markets Authority (Autorité des marchés financiers, AMF), which regulates all financial products and market participants to ensure the proper functioning of the markets. It also imposes penalties when laws and regulations are broken.
- The "Sapin 2" law on transparency, the fight against corruption and the modernization of economic life, in force in France since 2017. Companies must map their corruption risks, provide a whistleblowing channel for employees, and ensure transparency in business decisions.
Our VASPP Experts Help You Implement a Tailored SAP GRC Solution
At VASPP, we do everything we can to support your company in implementing GRC solutions aligned with your risk and control needs.
With SAP GRC Access Control, your SoD risk prevention and assessment gain maturity. With a clear roadmap, your organization can reach continuous compliance in a short time.
Forget the tedious, endless user access forms that require deep technical knowledge…
With our SAP GRC extension you save time and simplify every authorization process, from the access request at an employee's onboarding to the removal of access when that employee leaves.
Do you also need to grant privileged access requests? Then the Firefighter tool is made for you. Our solution lets you provide privileged access simply across your SAP environment.
Finally, GRC Analytics offers turnkey dashboards that show SoD risks and sensitive access rights in real time and at a glance. With an easy-to-use interface, this professional solution helps you meet audit requirements for the user management process.