How managed services can revolutionise SAP GRC operations

What is GRC Managed Services?

GRC Managed Services provides a specialised workforce that can perform strategic activities and initiatives. In addition to identifying and deploying incremental changes on demand, GRC Managed Services can perform many ongoing operational activities such as managing daily or periodic GRC reporting and ongoing monitoring of key performance metrics. The improved data availability in HANA based applications helps enable these frequent reporting activities, but for many organisations, having a GRC administration resource pool dedicated to these types of activities is not feasible, or simply not necessary as an outsourced managed services team can provide greater value and drive efficiency through specialised skillsets.

SoD and sensitive access management

The day-to-day operations of access risk analysis (ARA) varies from one organisation to another. However, there is a common theme of reporting risk analysis results periodically while helping executives and reviewers interpret the issues in business context to ensure appropriate risk remediation or mitigation of the risks. SAP GRC applications ship with a handful of dashboards but occasionally, it is necessary to leverage data visualisation software like Power BI or Tableau to create custom visualisations tailored to an organisation’s needs.

A few other key daily or periodic activities related to risk analysis are:

• Monitoring synchronisation and batch risk analysis jobs
• On-demand ruleset updates, including new Fiori apps and custom transaction to the ruleset
• Optimising risk analysis results by maintaining exclude objects and critical roles / profiles
• Continued remediation and mitigation efforts to improve security compliance
• Ensuring optimum performance through periodic clean-up jobs and appropriate system usage

Image

Example: Access risk dashboards

Emergency access management

Also known as the firefighter module, emergency access management (EAM) can mostly be set to autopilot through firefighter access provisioning and firefighter log review workflows. A managed services team can be leveraged to provide:

• Proper master data maintenance to support the workflows
• On-call support to address or workaround any unexpected errors
• Supervision of workflow SLAs and follow ups as needed
• Trend analysis reviews and optimisation of firefighter usage
• Monitoring of EAM background jobs
• Ensuring log review workflows are completed timely

Image

Example: firefighter access and usage dashboards

User provisioning and role management

Access request management (ARM) workflows facilitate a compliant SAP user access request process and automated provisioning of access. While business role management (BRM) has its own workflow and methodologies for role maintenance, it is more commonly used as the technical and business role repository to support ARM workflows. A managed services team can help implement and optimise ARM and BRM functional scope based on the organisation’s needs and complexity. Once implemented, the key tasks of a GRC managed services team might include:

• Maintaining an up to date BRM library, including new business roles
• Providing trend analysis and optimisation of workflow usage
• Addressing workflow enhancement / optimisation needs
• Monitoring background jobs and active workflow instances

User access review and SoD review

The successful execution of key periodic review rounds is one of the most important responsibilities for a GRC managed services team. SAP GRC offers two automated workflows that address the periodic SAP user access review (UAR) and SoD and sensitive access review (SoDR) needs, which are typically executed at least semi-annually. After sending the review requests to the reviewers through GRC, the team would typically perform the following activities:

• Daily monitoring of review completions, including providing technical support to the reviewers
• Managing rejected request items
• Scheduling timely reminder emails
• Managing escalations
• Ensuring appropriateness of UAR decisions made by the reviewers
• Identifying and executing optimal SoD resolution based on reviewer input

Putting it all together

In addition to GRC Access Control specific tasks noted above, support pack upgrades, resolving newly identified bugs, evaluating and solutioning new functional requirements, ensuring up-to-date user training materials based on functionality or process enhancement, etc., can lead to IT support bottlenecks or unforeseen consulting costs. Protiviti’s GRC Managed Services are designed to address such needs cost-effectively, enabled by a team with years of GRC implementation and support experience. The service model is scalable and flexible to be customised based on customer-specific needs. Team operations are driven by KPIs ensuring optimum cost and integration with the clients’ overall IT support model.

The service incorporates Power BI and Tableau dashboards to supplement the default dashboards and enables ongoing KPI monitoring, with existing visualisations for over 40 GRC access control KPIs. These dashboards can be custom tailored to existing needs and encourage interaction so each user can filter and focus on the data needed to drive action.

Image

Example: GRC access control KPIs

To learn more about our SAP capabilities, contact us.