As organizations transition to S/4HANA and SAP cloud solutions, their GRC functionality and operations need to be updated as well: for example, the Segregation of Duties (SoD) ruleset must be extended to cover S/4HANA transactions and Fiori apps, and risk analysis may need to be run against HANA database users. An implementation or upgrade project will typically add the relevant set of Fiori apps to the ruleset, but the continued effort of keeping the ruleset current as new Fiori apps are rolled out is equally important; an app that is missing from the ruleset is invisible to risk analysis.
What is GRC Managed Services?
In addition to identifying and deploying incremental changes on demand, GRC Managed Services provide the specialized workforce for ongoing operational activities such as daily or periodic GRC reporting, review, and monitoring. For many organizations, a dedicated in-house pool of GRC administrators for these activities is not feasible, or simply not necessary, because an outsourced managed services team can provide greater value and drive efficiency through specialized skillsets.
SoD/Sensitive Access Management
The day-to-day operations of access risk analysis (ARA) vary from one organization to another. However, there is a common theme of reporting out risk analysis results on a periodic basis, as well as helping executives and reviewers interpret the issues in a business context to ensure appropriate risk remediation or mitigation of the risks. Occasionally, it involves leveraging data visualization software like Power BI or Tableau.
A few other key daily or periodic activities related to GRC risk analysis are:
- Monitoring synchronization and batch risk analysis jobs
- On-demand ruleset updates, including new Fiori apps and custom transactions to the ruleset
- Optimizing risk analysis results by maintaining excluded objects and critical roles/profiles
- Continued remediation and mitigation efforts to improve compliance
- Ensuring optimum performance through periodic clean-up jobs and appropriate usage
Elevated temporary access
Also known as the firefighter module, emergency access management (EAM) can mostly be set to autopilot through firefighter access provisioning and firefighter log review workflow. A managed services team can be leveraged to provide:
- Proper master data maintenance to support the workflows
- On-call support to address or work around any unexpected errors
- Supervision of workflow SLAs and follow-ups as needed
- Trend analysis reviews and optimization of firefighter usage
- Monitoring that EAM jobs and workflows complete on time
User provisioning and role management
The access request management (ARM) workflows facilitate compliant SAP user access and auto-provisioning. While business role management (BRM) has its own workflow and methodologies for role maintenance, it is more commonly used as the role repository to support ARM workflows. Leveraging a managed services team can help identify the proper ARM and BRM implementation scope based on the organization’s needs and complexity. Once implemented, some of the key tasks of a GRC-managed services team would be:
- Maintaining an up-to-date BRM library, including new business roles
- Providing trend analysis and optimization of workflow usage
- Addressing workflow enhancement needs
- Monitoring background jobs and workflows
User access review and SoD review
These two workflows address the periodic SAP user access review (UAR) and SoD/sensitive access review (SoDR) needs. Organizations typically execute these reviews at least semi-annually, and successful execution of the review rounds is one of the most important responsibilities of a GRC managed services team. After the review requests have been sent to the reviewers through GRC, the team would typically perform the following activities:
- Daily monitoring of review completions, including providing technical support to the reviewers
- Managing rejected request items
- Ensuring timely reminder emails
- Managing escalations
- Ensuring appropriateness of UAR decisions made by the reviewers
- Identifying optimal SoD resolution based on SoDR
Putting it all together
Beyond the access control module-specific tasks noted above, there is a steady stream of work such as support pack upgrades, resolving newly identified bugs, evaluating and solutioning new functional requirements, and keeping user training materials current as functionality or processes change. Left unplanned, this work leads to IT support bottlenecks or unforeseen consulting costs. Protiviti’s GRC Managed Services offerings are designed to address such needs in a cost-effective manner, enabled by a team with years of GRC implementation and support experience. The service model is scalable and flexible enough to be customized to customer-specific needs. Team operations are driven by KPIs, ensuring optimum cost and integration with the client’s overall IT support model.
Example GRC Access Control KPIs
Protiviti’s GRC experts can help with your SAP GRC needs. To learn more about our SAP capabilities, contact us, visit SAP Consulting Services or our SAP Resource Center for Protiviti’s SAP thought leadership, client stories and service offerings.