
World Pandemic: What Could Be Next, Cyber Attacks And Data Fraud?

By ISBuzz Team | May 12, 2020 | 5 Mins Read

New-Generation Governance, Risk and Compliance are Critical in SAP Environment

2020 will be remembered as the year of an almost worldwide lockdown caused by a virus. What could be next?

The 2019 WEF Report on significant global threats lists cyberattacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organisations, and the stakes are higher than ever should businesses fail to get it right.

We’re living through an era hallmarked by a rapid increase in the rate of change in the marketplace. Organisations are being forced to adapt to the new realities. Successful organisations are becoming more agile in their ways of working. New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation, more than ever before, and are embracing new agile technologies and methodologies in doing so.

GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools.

Agile thinking encompasses the idea of “clock speed”. This is the pace at which an organisation, as an entire system, is able to move, react, adapt and so forth. It is estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.

Whilst agile thinking has brought great benefits in increasing clock speed, it has also brought with it a significant misconception about GRC. In the pursuit of agile delivery, GRC can easily be seen as part of the ‘old paradigm’ and hence ignored or undervalued. Alternatively, even if the GRC function is appreciated by business, GRC practitioners often fail to adapt their approach to the new clock speed realities.

Many new-generation GRC practitioners find themselves operating in a traditional organisation. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organisation requires. Could someone in GRC influence organisation-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, whilst at the same time pragmatically delivering GRC requirements within the prevailing framework.

So, what is the correct approach then for agile GRC? Given that organisations differ vastly by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer.

Here are a few agile GRC descriptors. Agile GRC realises the need for engaged business users, and hence puts business users at the centre of the process. GRC language is converted into a language that business users can understand. This is further supported by more intuitive tools, such as business process visualisations that help users contextualise and understand risks.

A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering. Engaged business users are more vital than ever given the fluidity of organisational environments today. GRC must become a team sport.

If business users are unengaged, it falls to the GRC team to ensure that access risk remains healthy. This is usually done in an episodic fashion, frequently timed to coincide with an audit. In addition, traditional GRC tools are built upon static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows.

The traditional paradigm assumes that such process flows seldom change. In reality, with today’s pace of change and agile ways of working, access risk simulations are performed against rule sets that are increasingly out of touch with an organisation’s reality. Business users become frustrated by this and their buy-in diminishes accordingly.

New-generation GRC tools recognise that business process flows are dynamic and fluid, and hence enable us to build dynamic rule sets with adaptive capabilities. Machine learning technologies often play a role here. Another approach is ‘crowdsourcing’ rule set changes from business users themselves, through intuitive visualisations that keep GRC tools relevant and hence keep business users engaged.

Traditional applications typically have a software-license-to-implementation-cost ratio of between 1:3 and 1:5. That is, for every dollar spent on licensing in the first year, the organisation can expect to pay up to $5.00 in configuration costs. The implementation process itself is often the organisational equivalent of open-heart surgery, given the sheer intensity of the process.

New-generation GRC applications are typically implemented at least 50% faster than traditional applications. This translates into lower total cost of ownership, less business disruption and quicker establishment of GRC capability.

Aside from the cost-saving implications of rapid deployment, Agile GRC configurations allow users to “fail faster” in the positive sense of getting vital feedback on access simulations and adverse process changes quicker, which allows for timeous adjustments.

In our increasingly fast-paced world, there is a strong correlation between successful GRC and levels of business-user engagement in SAP organisations. Therefore, the evaluation of tools in terms of attributes which contribute to business user engagement is an appropriate evaluation tactic to employ.


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
