5 Case studies to evaluate how you can enhance your SAP GRC experience!!

I often ask people, “What do you think about the SAP GRC application?”
To which 90% respond positively.

But when I ask my next question, “Do you use all the features of the application?”
only 20% reply in the affirmative.

No doubt, GRC Access Control is a perfect solution that enables businesses to make better decisions by visualizing and predicting how certain risks may impact performance. In fact, by integrating key activities into the business processes, it is possible to reduce complexity and cost without harming the company’s reputation or financial well-being in any way.

But the majority of customers don’t utilize the complete feature set of GRC, or they limit the application to specific areas because of their complex business processes. This can also be due to minimal technical knowledge and resources.

ToggleNow’s GRC Innovation team has automated various activities with a few additional configurations and solution enhancements. This lets us deliver optimum utilization of the GRC application.

Here are the 5 case studies that our GRC innovation team has delivered in the recent past:

Case Study # 1: Maintaining Internal Controls while mitigating the Risks

Pain area/gap – Our client had an internal control structure where every mitigation had to be recorded in the respective internal control library. SAP GRC doesn’t give an option to add internal controls by default, so our client used to enter the relevant/applicable internal control document numbers in the comments section of the mitigation control.

This process created a lot of chaos: either the users/managers forgot to maintain the control list, or the approvers skipped reviewing it properly. The turnaround time (TAT) of the request became so high that users started getting frustrated with the process.

Solution – Our team automated this entire activity. As soon as a mitigation is selected for the user, the relevant internal controls are listed for the user/approver, and the internal control document is updated automatically within the GRC system. Our client can now download the reports directly in PDF format whenever required.

Savings – Since the activity is now 100% automated, it removed human errors and enabled generation of internal control reports at any time. This helped our client streamline the entire process within a few days. It also reduced the manual effort and let them cut the team size from 4 resources to 2. The TAT also improved tremendously.

RoI is 300k USD/year + Improved TAT + 100% compliance

Case Study # 2: Unlocking System/Service IDs using End-User Home page

Pain area/gap – The GRC end-user home page allows users to reset their own passwords by setting up challenge responses. If user authentication is against the HR system, this is much more secure. However, if user authentication is set to SAP, then users can enter system/service-type IDs, set the challenge responses, and reset the password for users such as WF-BATCH. Our client had a similar experience, which caused them a lot of issues.

Solution – To resolve this issue, we enhanced and improved the end-user home page. It now authenticates the user’s identity and allows a password reset only for the user’s own ID.

Savings – This ensured that users get an option to reset only their own password rather than resetting it for other users or other IDs. The implementation also removed the need for manual controls.

RoI – The system is accurate and removes the need for manual monitoring and controls. SAP GRC saves 50-60 man-hours a year.
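To make the control in Case Study 2 concrete, here is an added illustration in Python (not ToggleNow’s or SAP’s code) of the difference between a reset handler that trusts the user ID typed into the form and one that binds the reset to the authenticated session and refuses non-dialog accounts. The user master, account names and the `Session` object are constructed for the example; the user-type letters follow the SAP user types (A = dialog, B = system, S = service, C = communication).

```python
"""Self-service password reset guard (added illustration, hypothetical code).

weak_reset models the gap described in Case Study 2: whoever is logged on can
set challenge responses for, and then reset, any user ID, including a system
user such as WF-BATCH. hardened_reset models the enhanced home page: the
target must equal the authenticated identity and must be a dialog user.
"""
from dataclasses import dataclass
from enum import Enum


class UserType(Enum):
    DIALOG = "A"         # interactive user; the only type that may self-reset
    SYSTEM = "B"         # background/system user, e.g. WF-BATCH
    COMMUNICATION = "C"  # RFC/CPIC user
    SERVICE = "S"        # service user


@dataclass(frozen=True)
class Account:
    user_id: str
    user_type: UserType


@dataclass(frozen=True)
class Session:
    authenticated_user: str  # identity established at logon, not form input


class ResetRejected(Exception):
    """Raised when a reset request fails a control check."""


# Constructed sample user master for the example (hypothetical data).
USER_MASTER = {
    "JDOE": Account("JDOE", UserType.DIALOG),
    "WF-BATCH": Account("WF-BATCH", UserType.SYSTEM),
}


def weak_reset(session: Session, target_user_id: str, challenge_ok: bool) -> str:
    """Weak variant: the target ID comes from the form and is never compared
    with the session identity, so any known ID can be reset."""
    account = USER_MASTER.get(target_user_id.upper())
    if account is None:
        raise ResetRejected("unknown user")
    if not challenge_ok:
        raise ResetRejected("challenge responses did not match")
    return account.user_id


def hardened_reset(session: Session, target_user_id: str, challenge_ok: bool) -> str:
    """Hardened variant: reset is allowed only for the caller's own dialog ID."""
    target = target_user_id.upper()
    if target != session.authenticated_user.upper():
        raise ResetRejected("target user does not match the authenticated identity")
    account = USER_MASTER.get(target)
    if account is None:
        raise ResetRejected("unknown user")
    if account.user_type is not UserType.DIALOG:
        raise ResetRejected("self-service reset is permitted for dialog users only")
    if not challenge_ok:
        raise ResetRejected("challenge responses did not match")
    return account.user_id


def is_rejected(handler, session: Session, target_user_id: str) -> bool:
    """Helper for checks: True when the handler refuses the reset."""
    try:
        handler(session, target_user_id, True)
    except ResetRejected:
        return True
    return False


if __name__ == "__main__":
    me = Session("JDOE")
    print("weak, WF-BATCH:", "rejected" if is_rejected(weak_reset, me, "WF-BATCH") else "allowed")
    print("hardened, WF-BATCH:", "rejected" if is_rejected(hardened_reset, me, "WF-BATCH") else "allowed")
    print("hardened, own ID:", hardened_reset(me, "jdoe", True))
```

The two checks that matter are the identity comparison against the session and the user-type check; the challenge responses alone prove nothing when the same person was allowed to set them for the target ID.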

Case Study # 3: Identifying Risk Owners based on Organization Unit defined in GRC.

Pain area/gap – GRC Access Control has a limitation where risk owners can’t be identified based on the organization unit. If multiple root/child Org units are available, GRC can’t pick the right risk owner. Because of this drawback, our customer wasn’t able to maintain the risks for all the Org units in a single GRC system.

Solution – We created a custom API that determines the risk owner based on the Org unit. The API also automated other risk management activities for our customer.

Savings – This helped our customer not only automate the activities but also reduce human errors and deploy 3-4 consultants effectively in other areas.

RoI is > 540k USD/year.

Case Study #4: Region specific Owners for the Mitigation Controls

Pain area/gap – By default, the MSMP process ID for mitigation control assignment allows either standard agents or custom agents based on standard (user group, PFCG role, or directly mapped) or specific (BRF+ rule) conditions. However, our client had more than 300 regions, where a BRF+ rule was not practical due to frequent changes in the region-specific owners. This led to a lot of manual effort: our client’s GRC team used to manually obtain approval from the regional owner, record it in the request, and then approve it. This turned out to be a cumbersome activity for the GRC team and caused a lot of human errors.

Solution – We created a custom table mapping regional and global approvers, along with a custom API through which the MSMP process ID picks the relevant approver. If an approver changes, the entry can be modified directly in the table rather than changing the MSMP configuration or the BRF+ rule.

Savings – This helped our customer streamline the activity completely and also reduce the ongoing maintenance efforts.

RoI is > 400k USD/year + 100% compliance

Case Study #5: Sending Notifications to the Controller Manager

Pain area/gap – Whenever an EAM (Firefighter) ID is used, the access logs are sent to the FF ID controller as part of the workflow request. However, the default GRC settings can only notify the approver or the requester. The approvers didn’t give much importance to these notifications, which caused a lot of delay in reviewing the logs.

Solution – We enhanced the notification settings so that the controller’s manager is automatically picked up from LDAP. An escalation is sent to the manager after 5 days of inactivity on the FF log review.

Savings – This automation removed the manual effort completely and streamlined the escalations.

RoI is > 150k USD/year + 100% compliance
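The escalation rule in Case Study 5 is simple to state but easy to get wrong around the edges (already-reviewed items, controllers with no manager in the directory). Here is an added Python illustration, not ToggleNow’s or SAP’s code, of how such a periodic escalation check can be evaluated over a set of pending FF log reviews. The review records, the `manager_of` directory mapping and the “5 days” threshold being inclusive are all assumptions constructed for the example; in the case study the manager comes from LDAP.

```python
"""FF log review escalation check (added illustration, hypothetical code).

Given open FF log reviews, the controller-to-manager mapping resolved from
the directory, and today's date, decide which reviews must be escalated to
the controller's manager after the inactivity window from Case Study 5.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

ESCALATION_AFTER_DAYS = 5  # inactivity window named in the case study


@dataclass(frozen=True)
class LogReview:
    request_id: str
    ff_id: str
    controller: str
    last_activity: date  # last action on the review item (creation, comment, approval)
    reviewed: bool


@dataclass(frozen=True)
class Escalation:
    request_id: str
    controller: str
    manager: Optional[str]  # None when the directory has no manager for the controller


def days_idle(review: LogReview, today: date) -> int:
    """Whole days since the last recorded activity on the review."""
    return (today - review.last_activity).days


def pending_escalations(reviews, manager_of, today: date):
    """Return one Escalation per open review idle for at least the window.

    Reviews that are already completed are skipped. A controller with no
    manager in the directory is still reported (manager=None) so the GRC
    team can route it by hand instead of the item silently going stale.
    """
    result = []
    for r in reviews:
        if r.reviewed:
            continue
        if days_idle(r, today) < ESCALATION_AFTER_DAYS:
            continue
        result.append(Escalation(r.request_id, r.controller, manager_of.get(r.controller)))
    return result


# Constructed sample data for the example (hypothetical IDs and dates).
SAMPLE_REVIEWS = [
    LogReview("REQ-1001", "FF_BASIS_01", "CTRL_A", date(2024, 3, 4), reviewed=False),  # 6 days idle
    LogReview("REQ-1002", "FF_BASIS_02", "CTRL_B", date(2024, 3, 8), reviewed=False),  # 2 days idle
    LogReview("REQ-1003", "FF_FIN_01", "CTRL_A", date(2024, 2, 28), reviewed=True),    # done, ignore
    LogReview("REQ-1004", "FF_FIN_02", "CTRL_C", date(2024, 3, 5), reviewed=False),    # 5 days idle
]
SAMPLE_MANAGERS = {"CTRL_A": "MGR_A", "CTRL_B": "MGR_B"}  # CTRL_C deliberately missing


def run_sample(today: date = date(2024, 3, 10)):
    return pending_escalations(SAMPLE_REVIEWS, SAMPLE_MANAGERS, today)


if __name__ == "__main__":
    for e in run_sample():
        target = e.manager if e.manager else "<no manager in directory>"
        print(f"{e.request_id}: escalate from {e.controller} to {target}")
```

Running the check once a day against the open FF log reviews reproduces the “after 5 days of inactivity” behaviour; reporting the missing-manager case rather than dropping it is the detail a GRC team will want, because a directory gap should not turn into an unreviewed firefighter session.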

SAP GRC has the potential to organize your business processes. However, not using it fully only leads to errors in the system. So if you are not able to use all the features of SAP GRC, contact our team for help. We can help you remove loopholes in your system and effectively streamline your activities.



Author: Raghu
Raghu is an author and blogger with rich experience in IT application security. His extensive knowledge and pragmatic approach have helped him write extensively for various websites and blog on recent trends and technology advancements. His knowledge of SAP Security and GRC, and his direct contact with customers, ensure that our applications are constantly moving towards the next innovation. His areas of expertise lie primarily in SAP Security redesign (business process re-engineering), forensic security and tweaking GRC applications.
