Cloud Transformation Creates Greater Need for GRC Centralization
As cloud applications have proliferated, so has the number of applications organizations use to conduct their business. This move to the cloud creates a challenge for Governance, Risk, and Compliance (GRC) teams: the software may or may not be natively integrated and is potentially owned by different departments with different access and data management standards. The more applications a company implements, the more significant the need for GRC centralization becomes.
In our recent GRC research, we found that over 40% of respondents were running at least 11 applications within the scope of compliance. In addition, nearly three-quarters had at least six applications that compliance needed to track and monitor.
Total Number of Applications within Compliance Scope at SAPinsider Organizations
Source: SAPinsider, May 2022
When looking at the types of applications tied to GRC activities, it’s clear that cloud applications are adding to the size of application stacks at many organizations. These can be a collection of former SAP acquisitions such as SAP Ariba, SAP Concur, and SAP SuccessFactors, along with non-SAP cloud apps such as Salesforce and Workday.
Key Applications Relevant to GRC
Source: SAPinsider, May 2022
As companies look to digitally transform their processes, they often turn to cloud applications tailored to those processes. Salesforce has a significant share of the CRM market, while Workday and SAP SuccessFactors have replaced on-premise SAP ERP HCM tools at many organizations.
SAP Ariba offers cloud tools for procurement and supply chain management. SAP Concur does the same in the travel and expense management space. These were processes traditionally tracked in spreadsheets, but now an entire application has replaced them.
Those applications put more pressure on GRC teams and often take at least part of the management of applications out of IT’s hands. IT has often been in control of compliance and risk management by way of its role in maintaining on-premise software. When those apps have different owners in different departments, the level of risk rises and so does the need for GRC centralization.
For more on the latest trends in GRC, including GRC Centralization, download the full GRC State of the Market 2022 report.
More Applications Bring Action Around GRC Centralization
How does the number of applications integrated with SAP that fall within compliance’s scope affect the actions companies take? Companies with 11-20 applications in their compliance scope are slightly more likely to be bridging on-premise and cloud-based security. However, they are more than twice as likely to provide strategic and centralized visibility into potential risks and fraud than those with 6-10 applications in their compliance scope.
With a greater number of applications, it becomes more challenging to track areas of potential risk and fraud individually. That’s where GRC centralization across applications can help: if a GRC professional can access risk data related to applications in a single place, that saves the time otherwise spent logging into several different systems to analyze risk. Michael Agbamuche, an Asset Security Advisor in the Oil and Gas industry, says his company has a broad application set but has set up a way for any user logged in at work to be automatically authenticated.
“We have more than 30 integrated apps. We try to make access control easy for everyone with the way it is structured in our system,” says Agbamuche. “As long as they are logged into the system network domain, they are authenticated with Active Directory.”
The number of applications integrated with SAP in the compliance scope also impacts what drives GRC strategy at organizations. The top drivers for respondents’ organizations with 11-20 applications are increasing security threats and globalization. Those with 6-10 applications are more driven by rapid changes in data privacy regulations and new technology upgrades and migrations. Finally, the top driver for companies with five or fewer applications is the rising cost of compliance.
Likely, the companies with more applications are also larger organizations, and larger organizations are more likely to be targeted for security attacks. Smaller organizations may not be as concerned with those challenges or GRC centralization, instead focusing on upgrading their systems and staying compliant with the latest regulations with smaller compliance teams.
What This Means for SAPinsiders
More Applications Create a Greater Need for GRC Centralization. If your organization has adopted many cloud applications, you are likely aware of how that complicates access management and data compliance. Striving for GRC centralization and moving toward a single view of compliance and risk data could make the lives of risk and compliance experts easier, reduce risk, and increase compliance.
Determine how new technologies impact access. If your company is implementing a new system, such as SAP S/4HANA, there will likely be different role definitions that affect how access is granted. New systems also add new access touchpoints, bringing more risk.