How managed services can revolutionise SAP GRC operations This blog post was authored by Sajib Biswas - Senior Manager, Business Platform Transformation and Brad Euell - Senior Manager, Business Platform Transformation on Protiviti's technology insights blog.This blog is an update to an earlier post: Achieve Seamless, Efficient SAP GRC Access Control Operations through Managed Services.As organisations transition to SAP S/4HANA and SAP cloud solutions, they often discover that GRC capabilities and processes also need to be updated on a more frequent basis. One example of a continuously changing dataset is the segregation of duties (SoD) ruleset. With S/4HANA, the GRC ruleset now supports monitoring many new access types including Fiori apps and HANA database access. While an implementation or upgrade project would typically include the relevant set of Fiori apps in the ruleset at a specific point in time, the continued effort of keeping the ruleset up to date with newly implemented Fiori apps is equally important. Additionally, as the landscape shifts to cloud applications, there’s an increasing need to integrate existing security and access governance processes via add-on solutions like SAP IAG Bridge. Ongoing specialised activities such as these and more are required to support and manage this evolving landscape and can be efficiently performed by a GRC Managed Service provider. Topics Technology Enablement What is GRC Managed Services?GRC Managed Services provides a specialised workforce that can perform strategic activities and initiatives. In addition to identifying and deploying incremental changes on demand, GRC Managed Services can perform many ongoing operational activities such as managing daily or periodic GRC reporting and ongoing monitoring of key performance metrics. The improved data availability in HANA based applications helps enable these frequent reporting activities, but for many organisations, having a GRC administration resource pool dedicated to these types of activities is not feasible, or simply not necessary as an outsourced managed services team can provide greater value and drive efficiency through specialised skillsets.SoD and sensitive access managementThe day-to-day operations of access risk analysis (ARA) varies from one organisation to another. However, there is a common theme of reporting risk analysis results periodically while helping executives and reviewers interpret the issues in business context to ensure appropriate risk remediation or mitigation of the risks. SAP GRC applications ship with a handful of dashboards but occasionally, it is necessary to leverage data visualisation software like Power BI or Tableau to create custom visualisations tailored to an organisation’s needs.A few other key daily or periodic activities related to risk analysis are:Monitoring synchronisation and batch risk analysis jobsOn-demand ruleset updates, including new Fiori apps and custom transaction to the rulesetOptimising risk analysis results by maintaining exclude objects and critical roles / profilesContinued remediation and mitigation efforts to improve security complianceEnsuring optimum performance through periodic clean-up jobs and appropriate system usage Image Example: Access risk dashboardsEmergency access managementAlso known as the firefighter module, emergency access management (EAM) can mostly be set to autopilot through firefighter access provisioning and firefighter log review workflows. A managed services team can be leveraged to provide:Proper master data maintenance to support the workflowsOn-call support to address or workaround any unexpected errorsSupervision of workflow SLAs and follow ups as neededTrend analysis reviews and optimisation of firefighter usageMonitoring of EAM background jobsEnsuring log review workflows are completed timely Image Example: firefighter access and usage dashboardsUser provisioning and role managementAccess request management (ARM) workflows facilitate a compliant SAP user access request process and automated provisioning of access. While business role management (BRM) has its own workflow and methodologies for role maintenance, it is more commonly used as the technical and business role repository to support ARM workflows. A managed services team can help implement and optimise ARM and BRM functional scope based on the organisation’s needs and complexity. Once implemented, the key tasks of a GRC managed services team might include:Maintaining an up to date BRM library, including new business rolesProviding trend analysis and optimisation of workflow usageAddressing workflow enhancement / optimisation needsMonitoring background jobs and active workflow instancesUser access review and SoD reviewThe successful execution of key periodic review rounds is one of the most important responsibilities for a GRC managed services team. SAP GRC offers two automated workflows that address the periodic SAP user access review (UAR) and SoD and sensitive access review (SoDR) needs, which are typically executed at least semi-annually. After sending the review requests to the reviewers through GRC, the team would typically perform the following activities:Daily monitoring of review completions, including providing technical support to the reviewersManaging rejected request itemsScheduling timely reminder emailsManaging escalationsEnsuring appropriateness of UAR decisions made by the reviewersIdentifying and executing optimal SoD resolution based on reviewer inputPutting it all togetherIn addition to GRC Access Control specific tasks noted above, support pack upgrades, resolving newly identified bugs, evaluating and solutioning new functional requirements, ensuring up-to-date user training materials based on functionality or process enhancement, etc., can lead to IT support bottlenecks or unforeseen consulting costs. Protiviti’s GRC Managed Services are designed to address such needs cost-effectively, enabled by a team with years of GRC implementation and support experience. The service model is scalable and flexible to be customised based on customer-specific needs. Team operations are driven by KPIs ensuring optimum cost and integration with the clients’ overall IT support model.The service incorporates Power BI and Tableau dashboards to supplement the default dashboards and enables ongoing KPI monitoring, with existing visualisations for over 40 GRC access control KPIs. These dashboards can be custom tailored to existing needs and encourage interaction so each user can filter and focus on the data needed to drive action. Image Example: GRC access control KPIsTo learn more about our SAP capabilities, contact us. Find out more about our solutions: SAP Consulting Services As a Gold Partner and 7-time partner of the year, Protiviti helps clients execute their S/4HANA journey. We provide digital transformation and intelligent automation solutions across business processes, analytics, cloud, security, compliance, and managed services. Managed Solutions Protiviti's Managed Solutions provide a unique and flexible delivery model to help you address short-term skill gaps, deliver project results, and transform your organisation by creating the right team that can scale up or down quickly and cost effectively to fit your needs. Leadership Sam Bassett Sam is the country leader for Singapore. With over 25 years' experience, he's primarily worked in financial services with consulting firms or directly in the banking industry to deliver change and support strategic, tactical, and operation goals across Asia, Europe and ... Learn More Bernard Tan Bernard has over 25 years of experience in financial services and consulting, with proven expertise in IT, cybersecurity, digital banking, and operational and anti-money laundering (AML) audits. He has been responsible for the APAC IT Audit and Data Analytics teams. ... Learn More Featured insights and client stories CLIENT STORY Mastering Compliance and Efficiency with SAP GRC Access and Process Control Elevate compliance and efficiency with SAP GRC implementation by Protiviti. Streamline access control and process management for seamless operations. BLOGS There’s a Bright Future for SAP BusinessObjects 4.3 and Beyond What’s ahead for SAP’s BusinessObjects? Customers currently on BusinessObjects 4.2 should know that it will go out of support at the end of this year. Which means that now is the optimum time to make the move to the latest supported BusinessObjects... BLOGS Mastering the Fiori frontier: Crafting secure, intuitive spaces and pages in SAP S/4HANA A well-thought-out Fiori spaces and pages approach establishes a foundation for a user-friendly and scalable design that supports a least-privilege access model. When incorporated with security best practices, spaces and pages provide an intuitive... BLOGS Risk management essentials for SAP S/4HANA projects An SAP S/4HANA transformation project has many risks that need to be managed and often, it is difficult for the project team operating day to day on detailed tasks to “see the forest for the trees.” The PMO has intimate knowledge of the key processes... SURVEY From Cloud Migration to Managed Services, TMT Finance Leaders Tackle Challenges With Multifaceted Strategies Supply chain problems are still lingering. Technology integration, still lagging. And companies still are lacking skilled workers to fill key roles as they contend with high interest rates and a possible recession. Surveying the technology, media and... WHITEPAPER Managed Business Services Overview Companies are seeking innovative ways to address today’s finance and accounting challenges. Unforeseen issues, transaction backlogs, and one-time events that demand a rapid response drive this search for new approaches.Finance leaders now... Button Button