Key Takeaways from GRC for SAP S/4HANA and Cloud Applications Report by SAPinsider
SAPinsider is the largest and fastest-growing SAP membership group worldwide, offering useful information to its members through a variety of formats such as events, articles, and podcasts – just to name a few. In their latest benchmark report, sponsored by ERP Maestro, SAPinsider surveyed their global community to understand current strategies and needs for governance, risk, and compliance (GRC).
The report gives a clear picture of the current state of businesses around the world in terms of where they are in their GRC strategy as well as their plans for the future. Among the report’s analysis and recommendations, we found three key takeaways particularly noteworthy.
1. According to the report, “62 percent of the SAP Community feel that their current GRC solutions do not effectively handle risk analysis and mitigation for all their SAP products.”
A significant number of organizations are using GRC tools that are ill-equipped for their purposes and may be exposing themselves to unmanaged access risk. One likely reason for this dissatisfaction is the growing use of multiple cloud platforms. As noted in the report, 78% of the SAPinsider Community use at least one of SAP’s cloud-based products, with SAP SuccessFactors (47.5%), SAP Concur (37%), and SAP Ariba (31%) being the most common.
Despite this adoption of cloud applications, survey respondents indicated that “SAP Access Control does not effectively handle risk analysis and mitigation for cloud-based products without some sort of connector or bridge to a cloud-based access governance solution….” Unfortunately, GRC software is usually a reactive purchase aimed at resolving an immediate problem, typically a failed audit or a specific control gap. As needs evolve and additional cloud products are added, there is very little alignment between long-term GRC strategy and technology investment. This will become more problematic as customers adopt more of the SAP cloud application ecosystem, as well as cloud applications outside of SAP, and look for multi-application controls that give one enterprise-wide view of access risk.
2. Only 22% of the companies using SAP Access Control for GRC have migrated to version 12.0, even though SAP will end maintenance for version 10.x at the end of 2020.
This point stood out to us because we have been hearing from many organizations that, due to the recent global pandemic, they have had to cut resources and refocus their IT efforts. With the upcoming transition to S/4HANA and the end of maintenance for SAP Access Control 10.x, this is probably the best time to rethink GRC strategy and start leveraging cloud applications and automation rather than simply upgrading in place.
As an IT manager quoted in the report said, “Our model has been to try to leverage everything possible as software as a service (SaaS)…Our strategy is to leverage platforms that do not require as much internal IT resources, and the cloud is self-servicing for IT folks.” In times of global crisis where budgets are being cut, companies need to work smarter and look to cloud platforms, which by design are easier to manage and maintain and reduce the burden on security teams.
Additionally, companies will want the convenience of cloud-based access controls without the added bridge connector that, as the survey respondents noted, SAP Access Control still needs for cloud products even after a migration to version 12.0.
3. The main driver for GRC strategy: “Real-time” risk detection.
Given the rise in fraud and internal breaches, it is not surprising that 43% of respondents stated that the need for “real-time” risk detection and remediation drove their approach to GRC. With real-time information, organizations are better equipped to identify and respond to a risk before it materializes, rather than discovering it in a periodic review. This becomes especially important when teams, roles and access change from day to day. It is important to note that a “real-time” response, in this context, means taking a preventive approach: evaluating a change to a user’s access at the moment it is requested and flagging potential segregation-of-duties conflicts before the access is granted, instead of after an audit finding or a fraudulent transaction. One survey respondent quoted in the report best explained the importance of this requirement: “You need to be agile when giving access to users, but if you give them too much access that can violate segregation of duties (SoD) regulations. We need a GRC tool that can flag roles that could cause problems in real-time.”
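The kind of preventive check the respondent describes, reduced to its core, is a rule engine that evaluates a proposed role assignment against a library of conflicting-role pairs before provisioning, while a periodic scan catches conflicts that already exist. The following is an added example written for this article; it is not code from the SAPinsider report, ERP Maestro, or SAP Access Control. The rule IDs (SOD-001 and so on), role names, user IDs and mitigation data are all constructed for illustration, and the rule library is deliberately hard-coded where a real deployment would load it from the organization’s risk repository.

```python
"""Preventive and detective segregation-of-duties (SoD) checks.

Added example for this article, not code from the SAPinsider report,
ERP Maestro or SAP Access Control. All rule IDs, role names and user data
below are constructed for illustration.
"""
from dataclasses import dataclass

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    conflicting: frozenset   # roles that, when held together, form the conflict
    risk: str                # "low", "medium" or "high"


# Hypothetical rule library. A real one is maintained by the risk/compliance
# team and loaded at runtime, not hard-coded.
RULES = (
    SodRule("SOD-001", "Maintain vendor master data and run vendor payments",
            frozenset({"VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RUN"}), "high"),
    SodRule("SOD-002", "Administer users and administer roles",
            frozenset({"USER_ADMIN", "ROLE_ADMIN"}), "high"),
    SodRule("SOD-003", "Create purchase orders and approve purchase orders",
            frozenset({"PO_CREATE", "PO_APPROVE"}), "medium"),
)


def violations(roles, rules=RULES):
    """Detective check: return the rules whose conflicting role set is fully held."""
    held = set(roles)
    return [r for r in rules if r.conflicting <= held]


def check_assignment(user, new_role, rules=RULES):
    """Preventive check, run before new_role is provisioned to user.

    user is a dict {"roles": set of role names, "mitigations": set of rule IDs}
    where a mitigation means an approved compensating control (for example a
    periodic transaction review) already exists for that user and rule.
    The result separates what the new role would introduce from what already
    exists, so an approver sees both.
    """
    before = {r.rule_id for r in violations(user["roles"], rules)}
    after = violations(user["roles"] | {new_role}, rules)
    introduced = [r for r in after if r.rule_id not in before]
    blocking = [r for r in introduced if r.rule_id not in user["mitigations"]]
    return {
        "allowed": not blocking,   # deny by default on a new, unmitigated conflict
        "introduced": [r.rule_id for r in introduced],
        "blocking": [r.rule_id for r in blocking],
        "pre_existing": sorted(before),
        "max_risk": max((r.risk for r in blocking),
                        key=RISK_ORDER.__getitem__, default=None),
    }


def scan_users(users, rules=RULES):
    """Periodic detective scan: {user_id: [rule_ids]} for every user holding
    at least one unmitigated SoD violation."""
    report = {}
    for uid, u in users.items():
        found = [r.rule_id for r in violations(u["roles"], rules)
                 if r.rule_id not in u["mitigations"]]
        if found:
            report[uid] = found
    return report


# Constructed sample data: three users, one of them with an approved mitigation.
USERS = {
    "jdoe":   {"roles": {"VENDOR_MASTER_MAINTAIN", "PO_CREATE"}, "mitigations": set()},
    "asmith": {"roles": {"USER_ADMIN", "ROLE_ADMIN"}, "mitigations": {"SOD-002"}},
    "bwong":  {"roles": {"PO_CREATE", "PO_APPROVE"}, "mitigations": set()},
}

if __name__ == "__main__":
    # Granting AP_PAYMENT_RUN to jdoe would complete SOD-001: flagged before provisioning.
    print(check_assignment(USERS["jdoe"], "AP_PAYMENT_RUN"))
    # An unrelated role introduces nothing and is allowed.
    print(check_assignment(USERS["jdoe"], "REPORT_VIEWER"))
    # The periodic scan surfaces bwong (SOD-003); asmith's SOD-002 is mitigated.
    print(scan_users(USERS))
```

The design point is that the preventive check reports only the conflicts the requested role would introduce, so an approver is not asked to re-adjudicate violations that were already known and possibly mitigated, while the batch scan still reports every unmitigated conflict so nothing stays hidden behind a historical approval. The check is deny-by-default on a new, unmitigated conflict; an organization that prefers a warn-and-approve workflow for medium-risk rules can branch on the returned `max_risk` instead of `allowed`.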