Part 5: GRC AC/PC 12: What’s Trending? A Report from GRC 2018 and Financials 2018

The 2018 GRC and Finance SAP Insider Conferences took place in mid-February in Las Vegas. Our SAP teams spent time attending conference sessions, and their observations on what’s trending across the industry are compiled here in a five-part series. During the conference, SAP® announced a major update to the Governance, Risk and Compliance (GRC) suite of products, with Access Control (AC), Process Control (PC), and Risk Management (RM) getting a bump to 12.0 with a number of improvements and additional functionality.

One of the major updates across GRC 12.0 is a refresh and alignment of the user interface to be more “Fiori-like,” ensuring a more consistent user experience and visual harmonization across the SAP products portfolio and allowing for mobile capability. The user interface update is an optional change, as there is an organizational change management element to this update, considering the training that may need to occur in large organizations. GRC 12.0 requires upgrades to both the SAP NetWeaver® version and the SAP_UI support pack to enable the new user interface.

Key updates for Access Control include:

• Introduction of “Overview Pages”
  • Provides a dashboard-style view across all the core components of Access Control – access request, firefighter, role management and risk analysis.
  • Data behind the dashboards is driven primarily by existing reports which are summarized in a single page, plus visualizations with drill-through capability.
• Improved out-of-the-box integration with several other SAP products, such as Ariba®, SAP® SuccessFactors®, SAP S/4HANA® Cloud, and Concur®.
  • This is a noteworthy update from SAP and a move to address current customer challenges unifying Access Control functionality into the existing GRC investment.
  • One of the biggest benefits of this integration is the ability to increase segregation of duties risk coverage by performing risk analysis across multiple applications.

Additional updates were also made to the current version of Access Control 10.1 in support pack 19 to include end-to-end integration with SuccessFactors, including HR trigger functionality. Risk analysis functionality has also been updated to handle SAP HANA® and SAP Fiori® permissions and the delivered ruleset is updated to include Fiori, HANA and new S/4 transaction codes.

Key updates for Process Control include:

• New out-of-the-box Fiori launchpads with the ability to create and customize new launchpads using the SAP Fiori Launchpad Designer:
  • Compliance Manager – aligned with the Internal Control Manager role
  • Compliance Specialist – aligned with the Control Owner role
  • Executive – aligned with the CEO/CFO role
  • Manager – aligned with the Organization Owner role
• A Continuous Control Monitoring (CCM) exception will be labeled as an ad-hoc issue instead of a control exception, which will have an effect on some of the PC reporting.
• Ability to run and report on standalone Business Rules for CCMs:
  • Previously, in order to run a CCM, a Business Rule had to be assigned to a Control. In GRC 12.0, the Business Rule can be run by itself.
• Improvements in Test of Control Effectiveness and Subprocess Design Assessments related to test plan execution and survey.

Key updates for Risk Management include:

• New out-of-the-box Fiori launchpads with the ability to create and customize new launchpads using the SAP Fiori Launchpad Designer:
  • Employee – aligned with the Risk Owner / Risk Expert role
  • Risk Manager – aligned with the Central Risk Manager role
  • Risk Management Specialist – aligned with the Risk Unit Manager role
• Risk Aggregation includes automatic aggregation underlying risks and analysis of aggregation reports. Aggregation methods are available in customizing.
• Workflow Enhancements such as the selection of delivery options (work inbox / via e-mail) in risk assessments, introduction of new workflows (key risk indicators manual entry).
• Activity Risk Validation Enhancements give the activity owner the ability to now view risk validation information from other validators.