
Governance, Risk and Compliance (SAP GRC): Are you ready to implement GRC 10?


Posted by Gretchen Lindquist Jul 21, 2014
With the go-live of our Governance, Risk, and Compliance (GRC) version 10 Access Control finally past us
(hallelujah!), I have been thinking about the learnings, from my previous GRC 10 projects as well as from this
one. Last year at SAP TechEd, I hosted an Expert Networking session, discussed in The rest of the story:
what else I learned at #SAPTechEd, where the most common response to my question about GRC 10 was
that customers were still thinking about it. Maybe you, too, are still thinking about it, working on a roadmap, or
planning your project. Even if your project is already underway, here are some readiness questions to consider.
What are the pain points of your current GRC related processes?
Be sure to get input from your key users. Pain points could include these:
Too many manual hand-offs in the access request process
User access reviews that are tedious due to manual processes, and not particularly value-added either
User interfaces for access requests that are confusing to requesters and approvers
Confusing or inconsistent role names, making it difficult to know which role to request
Roles not well aligned with either tasks or jobs, leading to a need for a big security change, such as a complete security rewrite or implementation of Business Roles
Manual security team processes, like maintaining organizational segregation with manual reviews and hit-or-miss efforts to manage critical and sensitive authorizations
Confusing or inadequate information in firefighter logs, so they are not reviewed in a timely way

What is your long range plan?


If yours will be a brand new GRC implementation, do you have a company policy for Segregation
of Duties and critical access rules that can be the basis of your new GRC rule sets, are you
planning to start with the rules out of the box, or will you take the time to customize them? If
you are on GRC 5.3 (or earlier release), have you been maintaining your ruleset all along with
the updates from SAP and custom transactions? A lift and shift of your current rules can be fine
if they have been maintained; otherwise, it is like bringing dirty, threadbare rugs from your old
house into your brand new one. The sooner you get them cleaned up, the better.
Have you thought about your long term roadmap and identified which components you plan to
implement? Some customers start out by just implementing Access Risk Analysis, to get the
system up and running, and then take on Access Requests and more later. With all the shared
master data across Access Control and Process Control, decisions you make early on could come
back to haunt you later down the road. If you are planning to use your current GRC system as the
model for the new one, has all the master data been maintained, or are there obsolete mitigation
monitors who have left the organization, mitigations configured for risks that do not exist, and
other bad data that will not work in the new, better integrated, system? It can be a real challenge
if you have no golden client to use to validate the configuration of the new one.

Generated by Jive on 2015-05-18+02:00
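As an added illustration that is not part of the original post and not SAP GRC code, the following Python sketch shows the two readiness checks above in miniature: a Segregation of Duties rule set that was never updated for a custom transaction silently misses a conflict, and mitigation master data that points at a monitor who has left, or at a risk that no longer exists, cannot be relied on in the new system. All users, roles, control ids and the ZFB60 code are constructed sample data (ZFB60 is a hypothetical custom copy of FB60); FB60, F110 and XK01/XK02 are standard transaction codes used only as labels.

```python
from dataclasses import dataclass

# --- Rule set (constructed sample) ----------------------------------------
# A GRC rule set maps business functions to the transactions that perform
# them, and defines risks as pairs of functions one person should not hold
# together. ZFB60 is a hypothetical custom copy of FB60.
RULESET_STALE = {
    "AP_INVOICE": {"FB60"},             # custom ZFB60 was never added
    "AP_PAYMENT": {"F110"},
    "VENDOR_MASTER": {"XK01", "XK02"},
}
RULESET_MAINTAINED = {
    "AP_INVOICE": {"FB60", "ZFB60"},    # custom transaction added to the function
    "AP_PAYMENT": {"F110"},
    "VENDOR_MASTER": {"XK01", "XK02"},
}
RISKS = {
    "P001": ("AP_INVOICE", "AP_PAYMENT"),     # post an invoice and pay it
    "P002": ("VENDOR_MASTER", "AP_PAYMENT"),  # create a vendor and pay it
}

# --- User access (constructed sample) -------------------------------------
ROLE_TCODES = {
    "Z_AP_CLERK": {"ZFB60"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_VENDOR_ADMIN": {"XK01"},
}
USER_ROLES = {
    "jdoe": {"Z_AP_CLERK", "Z_AP_PAYMENTS"},
    "asmith": {"Z_VENDOR_ADMIN", "Z_AP_PAYMENTS"},
}

# --- Mitigation master data (constructed sample) --------------------------
@dataclass(frozen=True)
class Mitigation:
    control_id: str
    risk_id: str
    monitor: str  # user expected to review the control

ACTIVE_USERS = {"jdoe", "asmith", "mgr1"}   # mgr2 has left the organization
MITIGATIONS = {
    "asmith": [Mitigation("MC-001", "P002", "mgr2")],  # monitor no longer active
    "jdoe": [Mitigation("MC-002", "P999", "mgr1")],    # risk id not in the rule set
}

def user_tcodes(user):
    """All transaction codes reachable through the user's roles."""
    return set().union(*(ROLE_TCODES[r] for r in USER_ROLES.get(user, set())))

def user_functions(user, ruleset):
    """Business functions the user can execute under a given rule set."""
    tcodes = user_tcodes(user)
    return {func for func, codes in ruleset.items() if tcodes & codes}

def analyze(user, ruleset):
    """Ids of the SoD risks the user violates under the given rule set."""
    funcs = user_functions(user, ruleset)
    return {rid for rid, (a, b) in RISKS.items() if a in funcs and b in funcs}

def validate_master_data(mitigations, risks, active_users):
    """Flag mitigation assignments the new system cannot rely on."""
    issues = []
    for user, controls in mitigations.items():
        for m in controls:
            if m.risk_id not in risks:
                issues.append(f"{user}: {m.control_id} mitigates unknown risk {m.risk_id}")
            if m.monitor not in active_users:
                issues.append(f"{user}: {m.control_id} monitor {m.monitor} is not an active user")
    return issues

def residual_violations(user, ruleset, mitigations, active_users):
    """Risks still open after discounting only the mitigations that are valid."""
    valid = {m.risk_id for m in mitigations.get(user, [])
             if m.risk_id in RISKS and m.monitor in active_users}
    return analyze(user, ruleset) - valid

if __name__ == "__main__":
    for user in USER_ROLES:
        print(user, "stale:", analyze(user, RULESET_STALE),
              "maintained:", analyze(user, RULESET_MAINTAINED),
              "residual:", residual_violations(user, RULESET_MAINTAINED, MITIGATIONS, ACTIVE_USERS))
    for issue in validate_master_data(MITIGATIONS, RISKS, ACTIVE_USERS):
        print("master data:", issue)
```

Running it shows jdoe as clean under the stale rule set and in violation of P001 under the maintained one, which is exactly the "dirty rug" the paragraph warns about; the master data check is the kind of comparison a golden client would otherwise let you make before migrating mitigations.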
Do you have the right resources for your project and enough of them?
Colleen Lee wrote an excellent blog about all the friends who helped her on her own GRC projects.
Depending on which components you plan to implement and the architecture, the resources needed for
your project could include some who may not have come to mind. Of course you will need security, GRC,
and Basis expertise, but you may also need LDAP expertise if your user master data resides there, or HR
expertise if you plan to use your SAP HR as the user data source and/or implement HR triggers. But are all
your users, including contractors, even in SAP HR? Are you sure? If you plan to use your LDAP, has it been
properly maintained, or does it need clean up before you can rely on the data fetched? For implementing
Access Request Management, workflow expertise including MSMP and BRF+ is a must, and if an Identity
Management system performs your user creation, count those experts in, too. How will the users access
your system - Enterprise Portal, NWBC, something else? Whatever you plan to utilize, be sure to budget for
skilled resources on your project team for that, too. If a new rule set is needed, expertise from the business and
internal controls will be key.
Then there are the ABAP resources. As I mentioned in a comment on Colleen's blog, on my
current project we badly underestimated the demands we would make on ABAP resources,
needed for implementing the hundreds of corrections into our system. Better to budget for them
and not need them than be wishing you had the funds.
And about those hundreds of corrections: someone needs to stay on top of those issues. If the
people managing the fixes and corrections are also project managers, and also doing system
configuration, configuring the workflows, migrating master data from the old GRC system,
creating documentation, designing testing and training, and leading the change management
effort as well, good luck with that. Yes, two resources can wear 8 or 10 different hats, but your
project timeline will need to be adjusted accordingly. If your project management tool tells you
that your project's resources are way over committed, a six month project could run on with
slipped deadlines and missed go-lives, possibly impacting other projects that they were expected
to be working on.
On top of that, the longer your GRC project drags on, the likelier that the systems connected to your GRC will
be upgrading. If a connected system goes to a new NetWeaver release, you may have to install new plug-ins
and start testing all over again.
I hope I have provided some food for thought for anyone considering or planning an implementation of GRC
10. Time spent now in considering these questions will pay off in the long run.
Tags: grc, access_control, grc_10, governance_risk_and_compliance

Andy Silvey in response to Andy Silvey
Aug 15, 2014 2:40 PM
Interestingly, my work has brought me into the GRC area today and I am trying to solve the riddle of the SSL
protocol when doing user provisioning between GRC and LDAP, which as far as I can see is still not supported
out of the box - who knows why not in the year 2014. Clearly from the XSearch on the SMP I can see we're not the
first ones wanting this, but why it is not yet supported anyway, that's another story.
On my travels while looking for supporting doco and information, I came to the GRC Security Guide and the
menu for the different Governance, Risk and Compliance suite of products, here's the list:

Best regards,
Andy.
Andy Silvey in response to Gretchen Lindquist
Aug 12, 2014 3:27 PM
Yep, but it's this constant change that keeps us all young; imagine how dusty and boring it would be if
everything stayed the same for ever :-)
Maybe in the coffee corner we could start a new sweepstake to guess the future names of SAP components.
Andy.
Gretchen Lindquist in response to Andy Silvey
Aug 12, 2014 3:11 PM
Andy,
Well, GTS is installed separately, but it is considered a compliance solution. I know, it really is confusing! Read
the brief, and as soon as you get it all sorted out, SAP will introduce another new component or change the
brand names again.
Gretchen
Andy Silvey in response to Gretchen Lindquist
Aug 12, 2014 3:07 PM
thanks Gretchen for the comprehensive explanation and the solution brief, I didn't know GTS was part of the
suite.
Best regards,
Andy.
Gretchen Lindquist in response to Andy Silvey
Aug 12, 2014 2:53 PM
Andy,
It is not a stupid question, thank you for asking for that clarification. No, GRC10 has not "become" SAP
Business Objects Process Control 10. For starters, SAP dropped the "Business Objects" branding from the
GRC suite, and Process Control is one of the components of the GRC suite, which also includes Access
Controls, Global Trade Services, Risk Management, Nota Fiscal Electronica, and in 10.1, there is a new
component called Fraud Management. I didn't really plan to write a post about the architecture of the solution; it
keeps changing, and the products section of SAP.com has a solution brief posted that seems to cover it pretty
well.
http://www.sap.com/pc/analytics/governance-risk-compliance.html
Regards,
Gretchen
Andy Silvey
Aug 12, 2014 11:00 AM
Hi Gretchen,
quick stupid question:
Has GRC 10 become SAP Business Objects Process Control 10 ?
I mentioned further up in this thread ongoing performance and sizing issues as the GRC's scope keeps
growing, and SAP have provided their latest sizing guide for GRC 10 which is entitled SAP Business Objects
Process Control 10.
If GRC 10 has become SAP Business Objects Process Control 10 then I missed that and I am wondering if
anyone else noticed it.
Ok, I am contributing towards trying to answer my own question now; section 1,2 of the above linked document
says:
Architecture of SAP BusinessObjects Process Control
SAP BusinessObjects Process Control consists of the following principal components:
SAP GRC Process Control Core
SAP Portal
This could be worth a blog to share with the world the evolution of the product and its name :-)
What do you make of it? What do you conclude?
Ok, update again... the sizing guide for 10.1 is using the term SAP GRC.
We're still GRC :-)
Best regards,
Andy.
KiranKumar Lysetti in response to Gretchen Lindquist
Aug 8, 2014 11:03 AM
Thanks for the Wishes !
Gretchen Lindquist in response to KiranKumar Lysetti
Aug 5, 2014 4:13 PM
Kiran,
The GRC 10 project that I did back in early 2012 was for a client who had data extractors into BW for their 5.3
reporting. At that point, SAP did not even have a data map to offer us, so I spent about a month ferreting out in
which tables the data was that they needed. By now I would expect that you will have an easier time of it. Good
luck!
Gretchen
KiranKumar Lysetti in response to Gretchen Lindquist
Aug 5, 2014 3:46 PM
Gretchen,
Actually we are intending to do reporting in the BW system, which you are not using, it seems.
I can see that in GRC 5.3 via UD Connect data is extracted to BW, so I was wondering what the process is for
GRC 10. Also I can see that there is a change in the data elements as well.
Regards,
Kiran
Gretchen Lindquist in response to KiranKumar Lysetti
Aug 5, 2014 3:41 PM
Kiran,
I'm not clear on your question. Are you inquiring about access request provisioning to BW or GRC reporting
using BW functionality? We are provisioning BW roles successfully, no issues so far. We are not yet using the
BW reporting functionality, so I cannot comment on that.
At this point we are following up with some wish list items that came out of our user acceptance testing, but
they are relatively minor. Email notifications to a delegate approver is probably the biggest improvement we
hope to deliver later this year.
I am glad you liked the post.
Regards,
Gretchen
KiranKumar Lysetti
Aug 5, 2014 3:23 PM
Gretchen, thanks for sharing your experience,
a well elaborated checklist for GRC 10, but I haven't seen any comments on the previous version and new version
functionality with SAP BW. If you are aware of it, can you share your insight on this as well?
Kiran
Ineke Ligthart
Jul 23, 2014 4:11 PM
Nice article Gretchen, thanks for sharing your experience.
I'd like to add that organisations who want to implement Process Control or Risk Management next to Access
Control at a later date will have to keep this in mind too, not only for the configuration but also for the sizing. It's
the medium/long term view which is really important to make GRC a success.
Ineke
Alessandro Banzer
Jul 23, 2014 12:52 PM
Thank you very much for sharing! Great document :-)
Gretchen Lindquist in response to Arif Mahamud
Jul 22, 2014 5:19 PM
Arif,
I agree, it certainly is a marathon, not a sprint, and for us, there is still much to be done in an exploitation
initiative, as we still need to implement UAR, EAM, and more. There is plenty here to keep us busy.
Thanks for your comments.
Gretchen
Gretchen Lindquist in response to Colleen Lee
Jul 22, 2014 5:16 PM
Colleen,
So far, so good; access requests are getting processed, but we are working through a few browser issues.
We have had a lot of positive comments from the request submitters, who really like my EUP templates much
better than the 5.3 templates, so I am happy for that.
I wish we had done a roadmap effort before jumping into this project, but it is water over the dam now. I am a
bit concerned that we have boxed ourselves in with our landscape group configuration, but we will deal with it
when we must, maybe when we upgrade to 10.1.
I am glad you enjoyed the post!
Cheers,
Gretchen
Gretchen Lindquist in response to Andy Silvey
Jul 22, 2014 5:12 PM
Andy,
Great tips! To be honest, we did the sizing so very long ago (Q4 2012), it seems like another lifetime, and only
time will tell how well we did, but I agree completely that taking the long view is important.
I'm glad you enjoyed the post, and thanks for your comments!
Gretchen
Andy Silvey
Jul 22, 2014 9:30 AM
Hi Gretchen,
agree with the others, a nice guide for people looking at GRC 10.
Some tips from our GRC 10, one of the Roles of the GRC system is password reset self service and Roles/
Authorisations self service, and with more than 100,000 Users we've had to do a lot of performance tuning and
resizing as the scope of the GRC implementation has grown.
The tip for others is, put some good effort into the sizing of the GRC system with a forward looking perspective.
I know this is a no brainer but it doesn't hurt to be reminded.
Best regards,
Andy.
Arif Mahamud in response to Colleen Lee
Jul 22, 2014 5:52 AM
Hi Gretchen,
It is really great. Any company must consider what is mentioned, and after go-live of GRC most users
have a tendency to get roles bypassing GRC. The respective organization's project manager should have good
knowledge about GRC and a long plan for how to remediate roles and users.
Also we have to consider that the GRC existing role removal process and becoming SoD-free is a marathon process.
Regards,
Arif
Colleen Lee
Jul 22, 2014 4:51 AM
Hi Gretchen
A blog I have been waiting for!!! It was great to read and glad to hear you made it (and beyond) to go-live!!
Do you feel the implementation was worth it - are you seeing the return on investment? Other than resourcing,
is there anything you would change if you had to go through it all over again?
Regards
Colleen
