Freedom of action: preventing paralysis from risk

In today's competitive markets, businesses must work increasingly hard to ensure they eliminate incidents of risk that impact company reputation and market position. However, the sheer volume and speed of business processes enabled by SAP in most large scale organisations today is outpacing senior management's ability to implement satisfactory governance, risk management and compliance (GRC) controls. Integrating GRC with SAP can shave a third off auditing costs. However, barriers to achieving this are embedded in the working cultures of many enterprises today.

Fundamental change is needed in three specific areas of SAP management:

  • Risk mindset

A culture has developed where risk is viewed as something to avoid. Yet any business venture contains risks. For example, a company may want to open up a new service line to gain an edge over its rivals. Rather than abstain due to the risks involved and risk losing out to a competitor, it would be better to get a grip of those risks, mitigate/monitor them and know when to take action. By integrating GRC controls with SAP, organisations can provide a framework for identifying, measuring and mitigating associated risks while also demonstrating greater transparency in business processes to potential customers and partners.

  • Risk and responsibility

Responsibility for GRC must be held by a team separate from those tasked with day-to-day IT, business operations and auditing. In the complex organisational models of today, it is common to see, for example, finance run by one supplier using an SAP system operated by the same or perhaps another provider. These services will generally be run by large numbers of people in locations across the world - often with high levels of staff turnover.

Asking such providers to implement and operate GRC controls is like trusting children with the keys to the sweet shop. Auditors are all too aware of the concept of conflicts of interest and would still hold the original business responsible for any GRC incidents resulting from this arrangement. The "it's not our fault, someone else runs it for us" excuse simply won't hold water. It's therefore common sense - and risk and audit best practice - to make sure that an independent organisation implements or operates GRC controls with SAP.

  • Balancing risk and productivity

When implementing GRC measures, businesses walk a fine line between better controls and alienating end users. For example, as their careers progress, employees often need different levels of access to systems such as SAP. Employers must ensure this access won't compromise GRC controls, yet also prevent any changes from impacting the usability of business systems and ultimately employee productivity.

Increased control may lead to employees waiting longer for access to systems or becoming demoralised because they feel less trusted, to the extent of actually reducing the efficiency of business processes using SAP. Striking the right balance between GRC controls and efficient business processes is a specialist skill, requiring dedicated resources that can quickly adapt to a changing environment.

By integrating GRC with the SAP environment, business leaders will again see the strategic advantage of risk. As long as controls are implemented independently, stakeholders, auditors and regulators will have complete confidence in the processes. And, when GRC is integrated correctly with SAP, an organisation's working culture will be much better equipped to adapt along with the changing faces of business risk.

Martyn Proctor is managing director, su53 solutions