Lessons Learned During an SAP Risk Management Implementation

Implementation projects can present a variety of unique occurrences that can have both positive and negative effects on the process. Whether these events are problems to be solved or wins for the implementation team, they are also learning opportunities. Whether good or bad, it is key to take a step back and reflect on how the team addressed these events and how there may be opportunities for improvement. My most recent project implementing SAP Risk Management had its fair share of surprises, both welcome and challenging, at each stage of our process. The first challenge we faced was integrating the SAP Risk Management module into an existing GRC environment with a very active SAP Process Control module. However, the most notable example would have to be leading a fully remote implementation after the abrupt transition due to COVID-19. Each provided opportunities from which to learn.

What is Enterprise Risk Management?

Before taking a deep dive into the lessons learned on this challenging implementation, it is important to understand the solution being implemented and the overall goals of our efforts. Our key objective was to successfully implement the Risk Management module of SAP’s GRC solution to enable the streamlining of the client’s Enterprise Risk Management (ERM) process. This involved integrating a new risk management process to work in harmony with an already live Process Control module. Properly leveraging SAP Risk Management and Process Control to streamline enterprise risk management can enable the mitigation of uncertainties that exist in achieving the strategic objectives set by an organization.

This implementation followed a traditional waterfall methodology and approach, beginning with typical scoping and blueprinting exercises, then moving to configuration and testing activities within development and quality environments, production configuration, training, go-live and hypercare support. The primary rationale for using this model, as opposed to a more Agile model, is that it allowed the team to take a more structured approach to designing and integrating the SAP Risk Management module. This model also suited this particular engagement due to its smaller size and scope. As mentioned before, each step of the process uncovered learning opportunities for me and my team. The following includes some of the more valuable lessons that I came away with and would like to share.

ERM framework and process maturity

During initial scoping, it was our understanding that an existing risk intake, assessment and approval process was in place and could serve as a basis for a streamlined process supported by the SAP Risk Management technology. However, once we began our discovery and blueprinting workshops, we learned that a more mature ERM framework needed to be developed, despite the client understanding their strategic objectives and enterprise risks. This type of scenario is commonly encountered by organizations exploring how to manage their risk. With this understanding, we helped the client implement several process improvements and established the beginnings of a more robust ERM framework. We were also able to identify inefficiencies in their current risk intake and review processes, including redundant reviews and teams unnecessarily involved in the review process, and to reduce both.

The lesson learned from this experience is that taking time to develop a mature ERM framework prior to implementing technology to support the framework is key. Having leadership agreement on the organization’s ERM value proposition and established strategic objectives will allow the organization to have a clear path forward for managing risks impacting these objectives. With this clear path forward, the organization will be able to make an educated decision when selecting a risk management solution that suits its needs and use it to its full potential.

This graphic illustrates the levels of ERM value proposition that organizations should consider when developing their ERM framework:

Risk harmonization with Process Control

As mentioned above, we were implementing SAP Risk Management into an already established GRC environment with an active SAP Process Control module. A key benefit of the SAP Risk Management module is its ability to integrate and work with SAP Process Control to consistently apply risks and controls across organizational structures, helping eliminate existing silos. This feature is called risk harmonization and enables the following benefits:

  • SAP Risk Management and SAP Process Control modules and users share a more unified source of risk repository
  • Direct relationships can be established between SAP Risk Management activities and risks and SAP Process Control subprocesses and controls
  • SAP Process Control users can use SAP Risk Management risk assessment results to display the harmonized data in reports

The key integration point between the two modules is the relationship that can be established between SAP Risk Management activity and SAP Process Control subprocess. Flipping this “switch” enables SAP Process Control users to add SAP Risk Management risks to local SAP Process Control subprocesses. Subsequently, any controls applied to these risks are automatically recognized on the SAP Risk Management side as available responses to the risks.

This graphic illustrates the structure of both SAP Risk Management and SAP Process Control modules and where they have the potential to overlap:

The lesson learned during this stage of the implementation is that the harmonization feature requires that both SAP Process Control and SAP Risk Management are aligned and set up to work together. While evaluating the scope and use of SAP Risk Management, it is key for the organization to account for the potential structure or data changes that may arise from an SAP Process Control perspective. In this organization, both modules were being managed by multiple teams with different sets of expectations. Integrating the team managing the SAP Process Control module earlier in the development process would have alleviated communication issues between the two parties and their expectations around data classification.

Application ownership and risk management training

Due to the nature of the implementation, we had the opportunity to heavily involve the client team who would eventually be the administrators for the SAP Risk Management module. In addition to the key design decisions that clients are typically involved in making, our counterparts were able to take an active role in the configuration, testing and deployment activities of their solution. This gave them a sense of familiarity and understanding with the application, how it operates and how to address defects should they arise.

In hindsight, this integration between teams at almost every step of the process proved to be beneficial when it came time for our training sessions. Much like many engagements impacted by COVID-19 during 2020, there was an abrupt transition to a completely remote work environment. This posed a new challenge to my team as we typically like to conduct our training sessions in person, with a more interactive experience. However, the knowledge absorbed by the client team over the course of the engagement offset the challenges of an atypical virtual training experience. We were able to focus on subjects that we did not encounter or cover during our implementation activities, affording the trainees a well-rounded experience. To sum it up, the lesson here is that involving key client resources during the various development stages will result in more confidence with the application and provide a deeper sense of ownership once implementation activities conclude.

One of the final project activities included holding a retrospective session with the client to discuss the topics covered above. It is important to set time aside to reflect on how the engagement has developed. Whether it is during the project itself or a retrospective after the fact, understanding what went well and what can be improved on next time is the key to continuous success.

To learn more about our SAP capabilities, contact us or visit Protiviti’s SAP consulting services.

Rocco Sacramone

Manager
Enterprise Application Solutions
