The GRC landscape is constantly shifting. New threats emerge, nations change their regulatory requirements, and companies change priorities and operational practices. These factors and more can have a significant impact on which GRC strategies organizations utilize.
In the SAPinsider GRC State of the Market 2023 Report, SAPinsider surveyed 135 members of our community in January and February of 2023 to determine some of the key factors that drive the GRC strategy of their organizations.
According to the results, new technology upgrades and migrations like the move to SAP S/4HANA and the cloud drive GRC strategy more than any other factor, with 57% of respondents noting that this had an impact for them. The second-most cited driver was an increasing number of security threats and attacks requiring more monitoring and detection, at 44%. Third was rapid changes within compliance and data privacy regulations adding to GRC staff workload, at 43%.
To get a sense of how these factors affect companies, SAPinsider spoke with Susan Zortea, Senior Manager of Global Governance at manufacturing company Jabil. She offered insights on how each of these drivers affects Jabil’s evolving GRC strategies.
The Move to S/4
As at many other companies, the move to SAP S/4HANA had significant GRC ramifications for Jabil. Zortea said Jabil needed to quickly adjust to the introduction of SAP S/4HANA because the company still had some manufacturing servers not using S/4.
“Those migrations to S/4 prompted us to look at a more recent version of GRC because we needed to be S/4 ready. And the version we were in and the support pack we were in was so outdated that we were outside of maintenance. So, we couldn't, in good conscience, go to S/4 in a manufacturing system where GRC could possibly have some bugs or missing some things in S4. Because everything's in the cloud, things happen much more quickly now than they happened when it was on-prem,” said Zortea.
She added that Jabil relied on outside assistance from multiple partners to make sure the transition minimized downtime, which provided immense savings for the organization.
The transition to SAP S/4HANA also gives companies a chance for something of a cultural reset: using the new method of operation as a way to get back to best practices. Companies tend to stray from GRC best practices over time, but organizations can use the transition as an opportunity to refocus on these important considerations.
More Threats
Many organizations have faced increased cybersecurity threats but lack increased budgets that could help reduce the risks. One of the top strategies organizations can use to mitigate risk is the use of access management tools.
From the GRC State of the Market Report: “Access management is one of the top strategies GRC teams can utilize to mitigate risk. This ensures that only the most well-equipped members of your GRC team can help reduce the risk of fraud, audit issues, and other potentially damaging issues for your organization.”
Zortea said Jabil is in the process of considering new process controls and user access reviews, but turnover and differing types of employment add to the challenge of finding the right solution.
“Your manager yesterday might be a different manager today, and another one tomorrow. And we have a lot of employees. Because of plants, transient people, or only needing people by contract. People start, people are terminated, they may come back and be terminated again. There's a lot of people activity that really depends on SAP's and GRC teams’ ability to note and discover how this happened,” said Zortea.
Rapid Changes
Rapid changes within compliance and data privacy regulations, which add to staff workloads, are another major issue for organizations. These challenges are only compounded as companies expand their geographic reach and the sectors in which they operate.
“We're a lot more diversified now than we were 20 years ago when we first installed SAP. Because of our diversity, we have to be able to be federally regulated and have validated access. Any activity in our healthcare servers has to be validated and even more tightly monitored,” said Zortea.
To help deal with these shifting challenges, organizations can leverage automation. This allows GRC teams to be more forward-looking and prepare for any upcoming regulation changes.
What Does This Mean for SAPinsiders?
Many SAP organizations like Jabil must contend with the ever-changing GRC landscape in order to secure their valuable assets. While the constant shifts in regulations, threats, and technologies pose a serious challenge to GRC teams, there are some crucial takeaways.
Use the SAP S/4HANA transition as an opportunity: Organizations can use this change to optimize the tools embedded within SAP S/4HANA and implement best practices. The transition to SAP S/4HANA is a perfect chance to streamline operations and ensure that all team members are on the same page.
Access management: Managing access is one of the most important tools for companies to safeguard crucial data. More and more organizations are implementing access management tools like Access Control to support visibility and reduce the risk of fraud while also mitigating the potential risk of an audit.
Automation: Automation not only helps companies to detect potential threats and reduce audit risk, but it also removes time-consuming manual tasks from the to-do lists of team members. This gives them much more time to work on value-adding projects.
You can learn more from Susan Zortea as she shares her insights on SoD Control Monitoring & Automation at MasteringSAP in Melbourne on June 7-8.