Why business-centric GRC is what every organisation needs

October 19, 2020
Written by Roy Topham

Roy is a Professional Services Consultant and Data Security Lead in Europe, focusing on the implementation of Soterion solutions and SAP security consulting. He has 20 years of experience across various industries with expertise in full cycle SAP implementations, SOX certification and compliance, and the design and implementation of SAP Security frameworks, including GRC, Procedures and Technical Models.

The world is changing more rapidly than ever before. Organisations are facing an extremely complicated and unique set of conditions in the SAP security environment. Growing threats from the shift in hackers’ focus towards directly attacking SAP systems have been intensified by the huge rise in home working brought about by the COVID-19 pandemic. Businesses had to hastily enable distributed access to their key business systems, with little time to consider the security aspects.


On top of this, users are isolated from peers and supervisors, and have more freedom to explore the limits of their access, or download ‘interesting’ data. An example of this type of enhanced insider threat was recently reported at a global e-commerce platform (Shopify). This case emphasises that it has never been more important to ensure that users’ access is properly aligned with their actual job requirements, and to address vulnerabilities with RFC connections and associated security problems.


Added to this, organisations have to increase their clock speed to stay competitive and relevant. The time they take to get products to the market, to make organisational changes, to take up new projects and so on has had to be reduced enormously. This requires agile thinking, which started as a development concept, but moved to a mindset of how the organisation functions.




It’s estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.
Dudley Cartwright, Soterion CEO

What is the GRC challenge for 2020?

  • Increase in fraud and data theft risk

  • Increase in audit and compliance requirements

  • Increase in regulations such as Data Privacy Regulations

While the pandemic and increasing cyber threats are putting extra pressure on IT teams, the need for large transformation and S/4HANA projects cannot be slowed. These projects bring their own challenges with respect to security and Access Risk, including access via Fiori apps, the obligation to use Business Partners, and security at the database level.

How do you manage your Access Risk at this time?

The well-known audit principle of the three lines of defence relies on effective collaboration from:


  • First line: Business/Operational users

  • Second line: Risk and Compliance Departments

  • Third line: Audit and Assurance

It’s clear that relying on audit and risk departments to identify risk is not good enough. To get effective value from all three lines, the business needs to take ownership of their risk. However, most businesses are already thinly stretched; surely they don’t have the capacity to take on more work, or added responsibilities?


So, organisations need to look for a more effective way to manage their risk. Think in terms of this analogy: An army of foot soldiers versus a handful of tanks. Effective GRC is about empowering the business users to become foot soldiers. These foot soldiers have a good understanding of the terrain (risks). You will have business users with 15 to 20 years of experience who know the risks facing the organisation, and understand the processes that support it; and you need to use that experience to focus on the risks that have the most impact.


To relate it back to the analogy: If there was an army protecting their border, and this army has three divisions:


Division 1: Foot Soldiers who walk up and down the border wall looking for weaknesses or signs of intrusion. As with employees, there are many of them who know the terrain like the back of their hands.


Division 2: Lookout Towers who monitor the border. As with risk and compliance departments, they have great tools at their disposal, but their numbers are limited, and the towers are spaced five miles apart, resulting in sections where they have no visibility.


Division 3: Surveillance planes, who monitor the border from the air. As with audits, they are very effective, but due to the cost of keeping the planes in the air, they are used sporadically.


If this army had their foot soldiers patrolling the border, but the army generals felt it was not necessary to provide them with any communication devices, they would be ineffective. While patrolling, they would see weaknesses in the border or infiltration points, but they would be powerless to notify headquarters of these breaches.


If that same army provided communication devices to the foot soldiers, they would be able to call for backup when they spotted any suspicious activity. This would allow the surveillance plane to be deployed when it is most needed, and will be most effective.

Access Risk is business risk

The changing environment, and increased risk, has turned Access Risk into a business risk. The days of pushing it to a specialist team are in the past. The business needs to become accountable. However, most GRC tools don’t support this. Traditional GRC tools have been developed from a technical perspective – they have been good for auditors and admin users, but not for business or operational users. The latter find the tools too technical and not user-friendly, which leads to increased resistance and low adoption.


GRC activities can also be seen as ‘ticking an audit box’ activities, which don’t add much value to the organisation. When the mindset is changed to have a business-centric approach to GRC, this viewpoint changes, and organisations benefit from really owning and managing their Access Risk.


A good example of where a business took ownership of their risk is captured in a case study for Aker Solutions. They used Soterion to identify the risks in their system, and also to reduce them substantially.


Aker Solutions in Norway were not seeing the benefits expected from their SAP GRC solution. Soterion was implemented within one week, with tangible results being released even from the first day. Within six months, they were able to reduce Access Risk by 85%. Perhaps most importantly, they were able to get their business stakeholders involved, with their Senior Vice President Financial reporting and compliance commenting, “Finally we have a tool to give us insights and visibility in our roles and authorisations.”


Read more about their experience

Soterion’s GRC solution for SAP

To solve the GRC challenges organisations are facing, Soterion Technologies developed a suite of solutions focusing on providing protection in an agile, business-centric way. This engagement is achieved via intuitive, easy-to-use dashboards and graphics, with drill-down ability; process flows that show where the risk lies in the business process; easy rule-set customisation and clean-up wizards, as well as comparison views across user groups and departments. Soterion’s approach caters for all SAP enterprise sizes and can be deployed rapidly into a client’s landscape, either on their own hardware or as a cloud-based service.


Once deployed, users can experience benefits immediately and Access Risks can be reduced in a short period of time. A prime focus of Soterion is to provide business-centric GRC, giving business users the tools to proactively manage and model risks within specific business departments. This allows them to take responsibility for the management of Access Risk in their area, freeing up the Security Administration and Compliance departments to focus on more strategic tasks. These business users, who know the business process intimately, can also be engaged to review the rule-set and customise it to reflect their company’s reality, which can be turned into an effective first line of defence for GRC.


Soterion is S/4HANA and Fiori ready and has rule-sets for other SAP systems, such as SRM and CRM. It can also detect SoD conflicts across different systems. It has an innovative Privacy rule-set, which helps to facilitate GDPR compliance by showing who has access to the PII of Employees, Vendors, Customers and Business Partners in the SAP system.



Implement business-centric GRC today

Effective GRC is measured by how well the business users can carry out their Access Risk management activities. And as organisations move to S/4, security is only getting more complex. It is important that organisations implement business-centric GRC to help manage both business and technological changes. These inevitably introduce additional layers of complexity. Get a free SAP risk assessment to start your journey.





Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance data scrambling Data Redaction General Data Protection Regulation POPI Act Data Redact POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager Right to be forgotten SAP data privacy and compliance GDPR readiness Data privacy compliance GDPR deadline Personal data SAP SAP security Data privacy regulations GRC for SAP Access Risk management Access risk controls Data minimisation Governance, Risk Management and Compliance (GRC) SAP data privacy and security SAP systems compliance COVID-19 Data privacy by design Data security breaches Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Portability Data Privacy suite Data Removal Data Replication Data integrity Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act Online shopping Penalties Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates

Leave a Comment: