For a business that is rapidly taking on new acquisitions, it can be a challenge to integrate the new companies given their existing IT infrastructure and different business processes. Sometimes the greatest challenge of this process is making sure the appropriate user access and roles are assigned to the incoming employees. This was the case for Dalmia Bharat Group — an organization divided into four distinct lines of business focused on cement, sugar, power generation, and refractories. Dalmia experienced extreme growth over the past decade, increasing from $400 million to $2 billion as it expanded its manufacturing plants.
Two examples of this extreme growth were the cement and sugar businesses. Dalmia’s cement operations, focused primarily in Southern Asia, grew to become the third largest cement manufacturing company in India. On average, the cement business added at least one new company or plant each year. Much of the sugar business was also expanding at a rapid pace. These and other areas of growth made it apparent that Dalmia needed an IT landscape that could sustain continued growth without compromising security.
“One of the reasons Dalmia has had so many recent acquisitions is that we are an extremely well-run company. Our goal is to make sure that when we acquire a new organization, we learn from them and they learn from us. Because of this, we need flexible and well-governed IT solutions that can help us drive expansion without taking on unnecessary risks,” says Sunil Tewari, Group CIO for the Dalmia Bharat Group.
Cementing a Foundation with SAP Software
In 2005, Dalmia had been using individual homegrown ERP systems primarily to manage financial transactions. But as the business started acquiring and building greenfield plants, it realized that these newly inherited systems were not compatible with Dalmia’s existing platforms or with each other. The resulting inefficiencies were unacceptable. Dalmia began evaluating software providers and soon decided that SAP was an ideal choice. “Since we had plans to grow rapidly, we needed an ERP system that would allow us to sustain growth and integrate new plants — each with different business processes — very quickly,” says Dheeraj Muku, Group Head of Technology for the Dalmia Bharat Group. “That’s when we decommissioned the individual legacy systems and implemented the SAP systems.”
Currently, Dalmia runs its whole company on SAP ERP for manufacturing, logistics, finance, and sales. Additionally, it uses SAP Business Warehouse, SAP Customer Relationship Management, SAP Process Integration, and SAP Solution Manager. The long-term roadmap for Dalmia’s SAP landscape includes migrating these systems to SAP HANA — a project slated to begin within the next year or so.
In 2011, after additional acquisitions, Dalmia decided to create a template to standardize the process for rolling future companies into the SAP system. “We needed to determine how to structure the organization with the new entities and integrate them quickly into the SAP system,” says Muku. “Each company had its own way of working and its own legacy ERP system. It was a challenge to align so many different business processes.”
One of the biggest hurdles with onboarding involved handling the different access rights needed to accommodate each business process that had been supported by the legacy ERP platforms. Often this led to requests for excessive access privileges. For each acquired company or plant, Dalmia had to rationalize both the processes and the needed SAP access rights. This presented difficulties because sometimes the same responsibilities were executed differently across the sugar and cement businesses, or even within the same business division. For example, the cement business in the eastern region might perform sales order processing differently from the southern region. Or perhaps a regional office in the sugar business might generate its sales orders from finance instead of the sales team.
“There was no way to ensure that the appropriate access was assigned given so many differences,” says Muku. “With the rate of acquisitions, we had significant concerns around access controls and whether there were potential risks to business operations. These concerns were magnified by new compliance laws. People being given too much access could negatively impact our business.”
The IT team realized it needed a two-part solution to support growth without allowing security gaps to multiply. The first part of the solution was to use templates. Along with resources from SAP and a third-party consultant, Dalmia created an industry-specific template for the cement and sugar businesses that took into account industry best practices. The template detailed the end-to-end process involved with integrating newly acquired companies and served to standardize all the business processes across various entities. While templates worked well for getting new entities up and running on the SAP systems, the Dalmia team realized they still needed a way to structure how access was assigned to the systems and how security was enforced. Finding the right technology platform for controlling access was the second part of the solution, but that would require increased collaboration and a larger budget.
Forging Collaboration
Over the years, it had become evident that access controls were being stressed — some users simply had too much access for their roles. In conjunction with these growing concerns from IT, compliance mandates increased because of the Companies Act 2013. These two factors, along with the continued growth of the business, compelled IT, business, and audit teams to collaborate more than ever. Furthermore, because the Companies Act 2013 requires that the company’s financial statements be certified by the CFO, along with a host of other mandatory financial controls — similar to the Sarbanes-Oxley Act in the US — it has spurred action by the executive team and engaged them in the process.
“These events helped all the businesses realize that governance, risk, and compliance (GRC) should be taken seriously,” says Muku. “It motivated business heads to look for a long-term fix. Sometimes external pressures help an organization drive initiatives. We knew there were some risks, but when our audit team found significant issues in the SAP environment, those findings and recommendations caused us to take action.”
With the increased accountability of executive teams, the buy-in from upper management meant more financial and operational support. “We had such strong support at the top level that no matter how much resistance we encountered, we were able to align teams across the group,” says Muku. “The key users played a big role because it would have been impossible to send teams across the world to each plant to align people.”
Realizing that the existing processes and controls were inadequate, and with new legislation and audit recommendations as clear motivators, Dalmia began a search for a GRC platform to tighten its security framework. While evaluating IT systems and applications, the business followed a philosophy of three fundamental objectives: the platform needed to be simple to deploy, easy to manage, and quick to get up and running. “Our idea was to find a tool we could sustain long-term that could be rolled out very quickly, maybe in a week’s time. We also wanted a platform that didn’t require a lot of training across the various teams and that business users could handle on their own,” says Muku.
After careful evaluation of the latest tools, Dalmia decided that solutions from Security Weaver, an SAP partner, offered all of these desired features and capabilities. “Based on our criteria, we felt that Security Weaver was the ideal fit,” Muku says. “It wouldn’t take us months to deploy; our Basis development team could run it, and our business users could learn it quickly. It didn’t require a separate system to build the tool because it integrated with the SAP system, it was ready to use with just a simple transport into SAP ERP, and it delivered reports that would be analyzed to make better-informed decisions. Furthermore, Security Weaver’s platform was comprehensive enough to meet our multinational compliance objectives today and into the foreseeable future.”
(For more information about the Security Weaver platform, see the sidebar at the end of the article.)
“Ensuring that our businesses are running on the latest and greatest technology has always been a priority for Dalmia, and our compliance platform was no exception. We wanted technology that would support the latest best practices for compliance and security just like our current technology investments support the latest best practices for plant operations,” adds Tewari.
Powering Up Access Controls
Once the platform was chosen, the next step for compliance and security was for Dalmia to identify and remove segregation of duties (SoD) conflicts in its SAP environment. Dalmia rolled out Security Weaver’s Separations Enforcer. The rollout was completed in just a week. “The biggest area of concern for us was what kinds of access people had,” says Muku. “We started with Separations Enforcer so our IT team could identify, monitor, and manage how privileged access — key user access that allows people to access or change data in the SAP system — was separated out.”
When the project team members — including a project manager, several Basis resources, subject matter experts from each business function, and key users from each plant and regional office — first ran a pilot of Separations Enforcer, they were surprised to find more than 10,000 SoD conflicts in the SAP systems. These conflicts occurred most significantly in sales and distribution, commercial, and finance. SoD conflicts occur for many reasons — such as individuals changing jobs and receiving new access without losing their previous authorizations or individuals performing multiple roles — and not every conflict is severe. Even so, the overall number of conflicts needed to be greatly reduced, and any high-impact conflicts eliminated. To do this, the Dalmia team built on the collaboration established earlier across IT, audit, and business users.
“First, we communicated with business and process owners to stress the overall organizational risks posed by such a large number of conflicts,” says Muku. “Then we spent three months working with various business units, trying to determine whether each user’s existing roles were appropriately assigned or if changes were required.”
Because the solution is highly customizable, it was flexible enough to be applied easily to the operational processes of both the cement and sugar businesses. The project team used the application to quickly generate reports counting the remaining SoD conflicts, strategized with the various business functions on how to use the application to reduce those conflicts, and then worked with the business to implement the agreed-upon changes to users’ access for each system. After only four months, close to 80% of the conflicts were eliminated. Of the few remaining conflicts, the team found that only 30% were high-impact conflicts. The team then worked with business functions to reduce the number even further.
“Within three to four months’ time, we achieved significant value from Separations Enforcer,” says Muku. “While we haven’t yet reduced the number of high-impact conflicts to zero, considering that we have only been using the application for one year now, we are very satisfied with what we have achieved so far.”
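To make the SoD analysis described in this section concrete, here is an added example (not Security Weaver’s Separations Enforcer or Dalmia’s own rule set) that checks constructed SAP-style role assignments against a small conflict matrix and shows how removing one role changes the count; all role names, activities and user IDs are hypothetical.

```python
# Added example: minimal segregation-of-duties (SoD) check over constructed role assignments.
# Role names, activities, users and risk ratings are hypothetical, not Dalmia's or Security Weaver's.
from collections import Counter

# Each (hypothetical) SAP role grants one or more business activities.
ROLE_ACTIVITIES = {
    "Z_SD_ORDER_CREATE": {"create_sales_order"},
    "Z_SD_ORDER_RELEASE": {"release_sales_order"},
    "Z_FI_VENDOR_MAINT": {"maintain_vendor"},
    "Z_FI_INVOICE_POST": {"post_vendor_invoice"},
    "Z_FI_PAYMENT_RUN": {"run_payment"},
    "Z_MM_DISPLAY": {"display_purchase_docs"},
}

# Conflict matrix: holding both activities is an SoD conflict of the given risk level.
SOD_RULES = [
    ("create_sales_order", "release_sales_order", "high"),
    ("maintain_vendor", "post_vendor_invoice", "high"),
    ("post_vendor_invoice", "run_payment", "high"),
    ("maintain_vendor", "run_payment", "medium"),
]
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def user_activities(roles):
    """Union of activities granted by every role the user still holds."""
    acts = set()
    for role in roles:
        acts |= ROLE_ACTIVITIES.get(role, set())
    return acts

def find_sod_conflicts(users):
    """users: {user_id: [role, ...]} -> [(user, activity_a, activity_b, risk)], highest risk first."""
    hits = []
    for user, roles in users.items():
        acts = user_activities(roles)
        hits += [(user, a, b, risk) for a, b, risk in SOD_RULES if a in acts and b in acts]
    return sorted(hits, key=lambda h: (RISK_ORDER[h[3]], h[0]))

def summarize(conflicts):
    """Count conflicts per risk level, e.g. {'high': 3, 'medium': 1}."""
    return dict(Counter(h[3] for h in conflicts))

def remediate(users, user, role):
    """Return a copy of the assignments with one role removed from one user (the cleanup step)."""
    return {u: [r for r in roles if not (u == user and r == role)] for u, roles in users.items()}

# Constructed assignments: APATEL changed jobs and kept the old finance roles (the pattern from the article).
USERS = {
    "RSHARMA": ["Z_SD_ORDER_CREATE", "Z_SD_ORDER_RELEASE"],
    "APATEL": ["Z_FI_VENDOR_MAINT", "Z_FI_INVOICE_POST", "Z_FI_PAYMENT_RUN"],
    "MKUMAR": ["Z_MM_DISPLAY"],
}
```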
Refractoring Processes
In addition to the Separations Enforcer application, Dalmia has also rolled out Security Weaver’s Process Auditor, which offers continuous control monitoring and provides a complete framework for identifying misuse and errors in transactional processes. The solution offers templates for 125 processes. These templates help the IT team monitor for any deviation in those processes. If a deviation is found, it sends an alert to the business process owner and the audit team. For example, if a duplicate invoice is entered in the SAP system, Process Auditor will identify it as a duplicate and alert the appropriate people to address the issue long before any funds have left the company.
“Because of the success of previous customizations, we are now looking into what business processes can be risky — duplicate invoices are one good example,” says Muku. “We worked with our finance and audit teams to identify about 50 processes from the Security Weaver templates that are immediately most relevant to us — primarily in finance and sales and distribution. These are now being configured in the system so we get an alert any time there’s a deviation in those processes.” For example, if finance is preparing to close the books, Process Auditor might send an alert that bad financial data was entered in the SAP system. Finance can immediately focus on the error and rectify it before the books are closed and any downstream negative impacts occur.
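As an added illustration of the duplicate-invoice control described above (example code, not Security Weaver’s Process Auditor or Dalmia’s configuration), the following flags exact duplicates even when the clerk keyed the reference differently, and suspected duplicates with the same vendor and amount under a different reference; the invoice records, vendor accounts and 30-day window are constructed assumptions.

```python
# Added example: a small duplicate-invoice detection control over constructed vendor invoice postings.
# Not Process Auditor's logic; document numbers, vendors and amounts are made up.
import re
from dataclasses import dataclass
from datetime import date
from itertools import combinations

@dataclass(frozen=True)
class Invoice:
    doc_no: str       # accounting document number (constructed)
    vendor: str       # vendor account
    reference: str    # vendor's invoice number exactly as keyed in
    amount: float
    posted: date

def normalize_ref(ref: str) -> str:
    """Canonicalize a reference so 'inv-0042', 'INV 42' and 'INV0042' compare equal."""
    s = re.sub(r"[^A-Z0-9]", "", ref.upper())                 # drop separators and case
    return re.sub(r"\d+", lambda m: str(int(m.group())), s)   # strip leading zeros per digit run

def find_duplicate_invoices(invoices, window_days=30):
    """Return (kind, first_doc, later_doc) alerts.
    'exact'    : same vendor, same normalized reference, same amount (any date gap).
    'suspected': same vendor and amount, different reference, posted within window_days."""
    alerts = []
    first_seen = {}   # (vendor, normalized reference, amount in cents) -> earliest invoice
    for inv in sorted(invoices, key=lambda i: i.posted):
        key = (inv.vendor, normalize_ref(inv.reference), round(inv.amount * 100))
        if key in first_seen:
            alerts.append(("exact", first_seen[key].doc_no, inv.doc_no))
        else:
            first_seen[key] = inv
    # Compare only the earliest invoice per key so a re-keyed duplicate is not reported twice.
    for a, b in combinations(sorted(first_seen.values(), key=lambda i: i.posted), 2):
        same_money = a.vendor == b.vendor and round(a.amount * 100) == round(b.amount * 100)
        if same_money and (b.posted - a.posted).days <= window_days:
            alerts.append(("suspected", a.doc_no, b.doc_no))
    return alerts

# Constructed sample postings.
INVOICES = [
    Invoice("1900000001", "V1001", "INV-0042", 12500.00, date(2016, 3, 1)),
    Invoice("1900000002", "V1001", "inv 42", 12500.00, date(2016, 3, 9)),    # same invoice, keyed differently
    Invoice("1900000003", "V1001", "INV-0043", 12500.00, date(2016, 3, 15)), # same amount, new reference
    Invoice("1900000004", "V2002", "A-7", 980.50, date(2016, 3, 2)),
    Invoice("1900000005", "V2002", "A-7", 980.50, date(2016, 6, 2)),         # re-submitted months later
]
```

An alert of kind "exact" would go straight to the process owner; a "suspected" one is a review item, since a genuine second delivery can legitimately carry the same amount.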
Mitigated Risks
Many positive changes, in both compliance and operational efficiency, occurred throughout the organization as a result of the Security Weaver rollout. For example, all sales order processing is now done centrally. People in the regional offices who had been creating sales orders, which was an SoD conflict, had their access to create orders removed. Now, they simply use a toll-free line to take orders and let a central facility create them. This allows the regional offices to focus on managing operations rather than sales activity.
A key lesson of the project was that when mitigating the risks of excessive user privileges, removing that access after it has already been given is not an easy task. It’s more advisable to assign basic privileges at first and then add more access later on. Muku compares this situation to receiving 5GB of data bandwidth on a mobile phone and then later having it reduced to 2GB. “The moment you give too much access, reducing it or removing it becomes very difficult because people have aligned with those ways of working. It’s a painful process to then restrict them to more focused access and roles,” he says. “My advice would be to always start with basic access and then expand from there only as needed.”
A big benefit of the project for Dalmia is that fraud, misuse, or other compromises of its SAP systems are virtually non-issues for the business now. “An immediate benefit has been ensuring that people who have significant access to a system — especially the financial system — cannot consciously or unconsciously create a negative risk for the company,” says Muku. “We feel that, overall, there is less concern around people taking advantage of the system, and significantly fewer of those incidents will happen now that we have created a more controlled, monitored environment. The key objective of the project was to ensure that our risks were mitigated, and that’s what Security Weaver has achieved for us.”