It seems as if we are in a constant race against time to ensure our software stays within the mainstream maintenance window – most notable as of late is the sunsetting of SAP ERP (ECC) 6.0. While organizations may be at varying steps on their S/4HANA journey, we encourage them to not lose sight of their GRC application reaching the end of its mainstream maintenance December 31 of this year (see illustration below). Organizations who are running Access Control, Process Control or Risk Management 10.x should be planning to upgrade to GRC 12 right now. Otherwise, the consequences could include entering the extended maintenance period or customer-specific maintenance (which often equates to higher fees).
With just months to go, we have been working with clients to make sure this upgrade is on the organization’s roadmap for this year. This is more involved than just clicking the “update” button in a cell phone’s app store. It will require time and commitment from multiple parties to ensure a successful upgrade (think back to the key players involved during the initial implementation). A comprehensive plan will include involvement from the business, end users, audit/compliance, the GRC administrator and IT to ensure proper coverage and be successful with all areas of the business.
If the end of mainstream maintenance is not enough reason to upgrade, here is something else to think about: many of our clients are taking advantage of the opportunity to optimize their use of GRC. If there are current features not being used, opportunities to use some of the new GRC 12 features (e.g., Firefighter for HANA database, cloud based application integration, and access analysis for Fiori apps), or improve the overall process, then now is the time to make that change. Incorporating these enhancements during the upgrade will maximize efficiencies, minimize disruption and eliminate duplicative work (e.g., think about the consolidation and streamlining of testing, documentation, training, and deployment). Not to mention, the organization will realize more value from already-existing software and lay the foundation for its overall SAP S/4HANA strategy.
While each organization may be at a different stage of GRC maturity, a few of the common additions and considerations we have heard are:
- Enabling user access review functionality. This feature allows automation of the periodic user access recertification that we all know is a time consuming and tedious manual task.
- Designing GRC business roles. This feature allows streamlining of the security roles end users are requesting access to. Instead of requesting access to multiple roles and waiting on multiple approvals, which can be confusing to the end user, they can now select just one role and receive all the access they need.
- Enabling the “Fiori-like” user experience theme. While the organization does not need to implement actual Fiori apps for this, it allows changes to the screen layouts to look and feel more “Fiori-like.”
Some of the more substantial enhancements we have seen coupled with this upgrade include establishing connections to new target systems and enabling an entirely new module of GRC, such as Process Control. With audit and compliance being a significant consideration at almost every organization today, we see a movement towards continuous controls monitoring, logging and notification of changes to system settings (e.g., purchase order/invoice tolerance limits). By no means does this suggest it is necessary to implement every feature of Process Control. On the contrary, organizations generally take the pilot approach and use this opportunity to explore a subset of available features. When it proves to be beneficial, we have seen full-on implementations being planned as a separate project.
Organizations that decide the “lift and shift” route is all it wants to take on for the time being, can still benefit from some of the newly offered standard features, including improved dashboards, streamlined Firefighter maintenance, additional user access review filters and improved sync job performance.
While there is no one-size-fits-all solution to this, we encourage clients to begin upgrade discussions and planning now. Consider this as an opportunity to enhance how GRC is currently being used (whether big or small), how to gain more value out of the application and how it can minimize manual work.
Although we are in a race against time, embrace it as a marathon and not a sprint. We are still a few months out and with proper planning, we can use this to our advantage. Strategize on how this can save time and money in the long run, whether by enabling additional functionality to automate manual processes or future-proofing for your S/4HANA integration. The marathon continues!
Visit Protiviti’s SAP consulting services page for more information on our solutions.