
How Endeavor improved their GRC compliance for SAP with Soterion
"Our business users expressed their appreciation of having a tool that was much easier for them to work through, understand, and have visibility over the reviews."
Nick Achteberg, Senior Director Technical Services (SAP), Endeavor
Reduced their Segregation of Duties (SoD) risks by 50%
Achieved 100% response from the reviewers
Reduced access footprint, with significant improvement in user experience
Endeavor faced multiple GRC challenges
Endeavor’s IT teams are working with increasingly stringent audit requirements against a backdrop of a growing functional footprint.
Their SAP installation was originally implemented in the mid-1990s, resulting in a ‘snowball effect’ of user access over time. Typical user requests were along the lines of “please mirror Joe’s access”. Also, the problem was exacerbated by long-term users gaining additional access over time, and retaining access that was no longer required in their current business role.
The team conducted Periodic User Access Reviews (UARs), but it was largely an IT-centric process, reliant on manual Excel-based extracts and email. It was a very time-consuming process, and difficult to repeat. Being a manual process, it was also prone to error. It was difficult to track, consolidate responses and audit results. Because it was such a challenging process to manage, getting engagement from the business was difficult. The focus for the UARs was on a small subset of people, largely within the finance department. The team would typically have around 25 people to review the access of around 2,000 people.
What were Endeavor’s main objectives?
Endeavor’s primary goal was to implement a centralized and easily repeatable methodology for conducting UARs, governed by a defined, stable and system-based ruleset.
They needed to:
- Reduce manual preparation effort
- Remove the risk of manual error
- Make risk visible and transparent by type and severity
- Improve UAR end-to-end process efficiency
- Engage and drive business ownership in risk management
Their secondary goal was to improve the efficiency, transparency and reportability in their access provisioning processes.
"We have had very good results on our Access Review Management, which is now performed by our line managers with much less effort."
Nick Achteberg, Senior Director Technical Services (SAP), Endeavor
The solution: Soterion for SAP
Endeavor didn’t want to get dragged into a lengthy and complex GRC configuration project with ongoing maintenance overheads for their SAP team. After various discussions with different suppliers, they opted to implement Soterion for SAP as a cloud-based hosted solution. This was considered by Endeavor’s team as the best fit, and the most user-friendly solution for their GRC goals.
The implementation process entailed:
No bespoke SAP development or configuration was required; only standard Soterion transports were used.
What's next?
- Endeavor’s IT teams are currently planning the next UAR.
- They now hold a rolling 365 days of user history, to give comprehensive information on usage and potential vs actual risk.
- Reduced access means there is less for their business to review in the next UAR.
- They are refining the risk rule-set to their specific needs, and building out their mitigation controls.
- From 2021, they plan to conduct quarterly UARs.
- They are aiming to deploy Soterion’s system-based access provisioning workflow, and automated provisioning, later in 2020.
"With Soterion, we identified that many people had risk-bearing access that they no longer needed. Now, we have reduced our access risk footprint significantly."
Nick Achteberg, Senior Director Technical Services (SAP), Endeavor
What has been achieved?
The benefits in terms of risk and role management were better than Endeavor expected.
Endeavor has managed to reduce their risk profile significantly, by 50%. They are continuing on this journey and expect to see further reductions over the coming months.
In parallel, the visibility of inactive users and unused access has been improved, which helps the team to make informed decisions in their role maintenance and development. With the reduced access and retiring of dormant users, Endeavor has gained efficiencies in their SAP user license utilisation.
Industry: Sports & Entertainment
Solution: Soterion
About Endeavor
Endeavor (formerly known as WME | IMG) is a global leader in sports, entertainment and fashion, operating in more than 30 countries. Named as one of Fortune’s 25 Most Important Private Companies, Endeavor specializes in talent representation and management; brand strategy, activation and licensing; media sales and distribution; and event management. Endeavor owns the Ultimate Fighting Championship and Miss Universe.