This week, my company, SAP, hosted a roundtable where three executives talked about the successful implementation of solutions for governance, risk, and compliance (GRC) at their companies and answered questions from the media. While the solutions they discussed were all from SAP, I understand that other companies have acquired products from other vendors with similar results.
As the chief audit executive (CAE) of companies with a variety of ERPs from Oracle, PeopleSoft (now part of Oracle), SAP, and many others over the years, I can testify to the business needs discussed at the roundtable. I would not be comfortable anymore if my Oracle, JD Edwards, or SAP environment was not protected by access control solutions.
The executives were:
Frank DiPentima, VP Financial Compliance, Pearson North America — Pearson Education provides assessment, technology, online learning, professional development and curriculum content and services for lifelong learners.
Mark Lubas, Finance and Internal Controls Management, Becton, Dickinson and Company (BD) — BD is a medical technology company that serves health-care institutions, life science researchers, clinical laboratories, industry, and the general public.
Shelley Cottrill, Senior Controls Compliance Consultant, Allegheny Energy — Allegheny Energy provides electric and natural gas service to more than 1.7 million customers.
The roundtable was moderated by Gary Dickhart, Vice President GRC Customer Advisory Office, SAP.
A number of themes caught my attention:
1. The power and value of moving from detective to preventive access controls.
All three companies had implemented SAP BusinessObjects Access Control to manage risks related to excessive systems access (e.g., super-user access such as SAP_ALL, or access to sensitive functions like journal entry approvals) and segregation of duties (SOD).
Before the purchase, each company had used a combination of manual procedures and Excel spreadsheets to manage access. Then they would run reports of actual access and chase down and fix excessive access, including SOD conflicts.
I remember those days myself: a few years ago, I was chief audit executive for a US $4 billion global company with SAP Enterprise Resource Planning (ERP). We used a software solution that we ran at the end of every quarter (and sometimes monthly) that told us where we had SOD conflicts. We also ran quarterly reports of actual access that would be routed to business owners to review and validate that people only had the access they needed. (The problem was often who to ask — the owner of the people, or the owner of the data — but that's another story.) We felt confident in these procedures, but every month or quarter we would fix hundreds of problems only to run the reports a month later and find hundreds more. We were always chasing, chasing, chasing. To be honest, when it got to the end of the year and we ran the reports, I crossed my fingers and prayed that the volume wouldn't be too high and the excesses manageable.
The Access Control solution changed everything. First, they used the product to perform a risk assessment of their environment and designed their user profiles and roles to minimize SOD conflicts. Then they changed their access provisioning processes to use Access Control to identify — and prevent — potential SOD conflicts.
When a user requests access, the system adds the requested access privileges to any the user already has and then assesses whether the combined access would create a conflict. If it would, the access is approved only if mitigating controls are identified. DiPentima emphasized that his company is tough on this. The "key" to his program at Pearson is "not allowing unmitigated access." Not only does the control have to be identified (and it could include monitoring the user's use of the access, through the capabilities in Access Control), but if it relates to U.S. Sarbanes-Oxley Act of 2002 compliance he insists that the compensating control must be linked to the list of Sarbanes-Oxley key controls. Both finance and other business owners need to sign off on the adequacy of the mitigation. Cottrill talked about how this enabled the business owner to take ownership of access to its data and systems.
DiPentima said that the move from detective to preventive was a "night and day" difference, while Lubas said that while they were chasing issues they had "no time to evaluate and analyze risks."
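The preventive check described above, as an added example that is not part of the original post and not SAP's own code: it simulates the access a user would hold after a grant, evaluates it against a segregation-of-duties ruleset, blocks super-user profiles such as SAP_ALL on the normal request path, and applies the sign-off policy DiPentima described (both owners sign, and a Sarbanes-Oxley-scoped conflict must be tied to a key control). The rule IDs, role names, business functions and control identifiers are constructed for illustration.

```python
"""Preventive segregation-of-duties (SoD) check at access-request time.

Added illustration; the ruleset, roles and control IDs below are constructed
sample data, not SAP's or any customer's actual configuration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed SoD ruleset: each rule names two business functions one user
# must not hold together. sox=True marks rules inside the Sarbanes-Oxley scope.
SOD_RULES = {
    "P001": {"functions": ("CREATE_VENDOR", "PAY_VENDOR"), "sox": True},
    "P002": {"functions": ("POST_JOURNAL", "APPROVE_JOURNAL"), "sox": True},
    "B001": {"functions": ("CREATE_PO", "RECEIVE_GOODS"), "sox": False},
}

# Constructed role-to-function mapping (hypothetical role names).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_VENDOR"},
    "AP_PAYMENTS": {"PAY_VENDOR"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
    "GL_SUPERVISOR": {"APPROVE_JOURNAL"},
    "PURCHASER": {"CREATE_PO"},
    "WAREHOUSE": {"RECEIVE_GOODS"},
}

# Super-user profiles that are never granted through the normal request path
# (emergency access is a separate, time-limited, monitored process).
CRITICAL_ROLES = {"SAP_ALL"}


@dataclass
class Mitigation:
    """A compensating control proposed for one SoD rule."""
    control_id: str
    sox_key_control: Optional[str] = None  # link to a SOX key control, if any
    finance_signoff: bool = False
    business_signoff: bool = False


@dataclass
class Decision:
    approved: bool
    conflicts: dict = field(default_factory=dict)  # rule_id -> (fn_a, fn_b)
    reasons: list = field(default_factory=list)


def functions_for(roles):
    """Union of business functions granted by a set of roles."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_conflicts(roles):
    """Return every SoD rule violated by the given role set."""
    funcs = functions_for(roles)
    return {
        rule_id: rule["functions"]
        for rule_id, rule in SOD_RULES.items()
        if set(rule["functions"]) <= funcs
    }


def mitigation_is_adequate(rule_id, mitigation):
    """Sign-off policy: both owners sign, and a SOX-scoped conflict must be
    linked to a SOX key control."""
    if mitigation is None:
        return False
    if not (mitigation.finance_signoff and mitigation.business_signoff):
        return False
    if SOD_RULES[rule_id]["sox"] and not mitigation.sox_key_control:
        return False
    return True


def evaluate_request(current_roles, requested_roles, mitigations=None):
    """Simulate the access the user would hold after the grant and decide.

    Pre-existing conflicts are evaluated too, so a request cannot be used to
    leave an already unmitigated conflict in place.
    """
    mitigations = mitigations or {}
    combined = set(current_roles) | set(requested_roles)
    decision = Decision(approved=True)

    critical = combined & CRITICAL_ROLES
    if critical:
        decision.approved = False
        decision.reasons.append(f"critical profile requested: {sorted(critical)}")

    decision.conflicts = find_conflicts(combined)
    for rule_id, (fn_a, fn_b) in sorted(decision.conflicts.items()):
        if not mitigation_is_adequate(rule_id, mitigations.get(rule_id)):
            decision.approved = False
            decision.reasons.append(f"{rule_id} ({fn_a} + {fn_b}) is unmitigated")
    return decision


if __name__ == "__main__":
    # User already holds AP_CLERK; adding AP_PAYMENTS would violate P001.
    print(evaluate_request({"AP_CLERK"}, {"AP_PAYMENTS"}))
    signed = {"P001": Mitigation("CTL-17", sox_key_control="SOX-AP-03",
                                 finance_signoff=True, business_signoff=True)}
    print(evaluate_request({"AP_CLERK"}, {"AP_PAYMENTS"}, signed).approved)
```

The point of evaluating the combined role set rather than only the requested roles is that most real conflicts arise from accumulation: each role is clean on its own, and the violation appears only when a new grant is combined with access the user collected in earlier jobs. Running the same check at request time, instead of on a quarterly report, is what turns a detective control into a preventive one.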
2. Initial programs were based on Sarbanes-Oxley requirements but are now extended to other risk areas.
All three companies had started their programs to address Sarbanes-Oxley requirements. However, they reported the program had then been extended to other business risk areas. Lubas talked about how Access Control gave his team and management "visibility into access risks beyond Sarbanes-Oxley" and how they had partnered with the head of regulatory affairs, U.S. Food and Drug Administration compliance, and others to extend the program. One of the strengths, in his opinion, was that BD was now using the same process for all risks — with tailored approvals, etc., as needed for some compliance areas.
DiPentima discussed how Pearson had extended use of the Access Control product to the internal audit function and others. They were now using the product and related processes for nonfinancial controls, and were able to ensure they were aligned with the board's risk appetite. Pearson considers management of these risks essential to how they operate the business, so they are going far beyond compliance risks into the risks of business disruption, etc.
For Allegheny, Cottrill said one key was the ability to reduce the risk of noncompliance with a number of laws and regulations, avoiding fines of significant magnitude. DiPentima added to that, pointing out that a major concern for Pearson was the risk to the company's reputation should inappropriate access lead to issues — which extend way beyond Sarbanes-Oxley.
3. The value of effective access controls is clear and compelling.
I was surprised that all three executives downplayed the importance of cost savings or return on investment in justifying the value of an access control solution. While all three said costs had been reduced (generally by far more than the cost of the product), the greater value had been obtained by:
Insight into risks to an extent not previously available. Not only did the solution provide preventive controls and risk analysis, but it also monitored the effectiveness of the access control process and produced dashboards and other reports that they used to inform executive management and the board of risk status. Lubas and the others talked about the value of providing comfort and assurance to management as they now had visibility into risk levels.
The level of access violations — and potential violations through excessive access — had been minimized. DiPentima said Pearson actually had zero defects due to the strict preventive controls. At BD, the company was able to achieve "a higher degree of compliance with cost savings."
SAP's Access Control works against multiple ERP and application environments. Pearson uses both Oracle and SAP ERPs, and is able to use a single product in a consistent process to assess risks, provision access with preventive controls, and monitor risks across both systems. It is now moving to extend the product's use to a legacy ERP system.
For Cottrill, great value had been obtained by implementing the Access Control solution at the same time as the SAP ERP. They used it to monitor access during the ERP implementation process and the immediate period after go-live. It enabled them to manage the risks related to granting IT personnel higher than normal access to the system so they could resolve user issues, etc. Access Control enables higher levels of access (such as SAP_ALL) to be forbidden except in emergency situations; emergency access is granted for a limited period and monitored (with reports and alerts to managers).
Another value that was mentioned was the ability to grow the company and its IT infrastructure using a consistent set of solutions and a scalable process.
4. While the companies started with access control, they were moving on to automated management of other risk areas.
Each of the three companies was at a different stage of its development, with plans to implement other solutions for their GRC processes. In particular, Lubas said he viewed GRC as a "megaprocess" and that BD was now in the process of implementing SAP's solutions for automated controls and risk management. All the firms take a risk-based approach, so the combination of products helps them to manage the more important risks to their business and the related controls.
Overall, the companies emphasized the values of:
Insight into risks.
Prevention instead of detection.
Other notable quotes:
"Regardless of the system, we've standardized the process. When we were scoping different applications, one of our key drivers was that it had to handle multiple ERP systems. SAP GRC does work seamlessly between the two. We know real time whether there is going to be an access conflict or not. When we do monthly or semi-monthly reviews, I'm always 99.9 percent confident we're coming back clean. When we are asked by others in the industry how we do that, I know it's because we have the upfront preventive controls.
"From the onset going into automated process, we saw a cost reduction. At the most basic level, we were able to remove the consultants and manual parts of SOD management — immediately. When we were doing this manually, it took three months — and was nearly impossible to do it cleanly and correctly. From simple reduction of conflicts month to month, huge comfort to them, and saves a great deal of time and energy."
"Any company can try to save themselves by being reactive, but at what cost? Proactive mitigation cost savings are invaluable.
"Success breeds success. With the initial success with our Sarbanes-Oxley project, management recognized the fact that if this is good for finance, it will be great for other processes — even if not part of the Sarbanes-Oxley universe, it makes good business sense to implement in other areas."
Cottrill (Allegheny Energy)
"Sarbanes-Oxley compliance provided an entrée into GRC through [Access Control's] Compliance Calibrator. Once we went live and saw success we began a preventative strategy, not solely reactive. This mind-shift has made an enormous difference. Based on our industry, we fall under multiple regulatory bodies, such as the Federal Energy Regulatory Commission within the energy industry. Through standardizing our processes, we've been able to tailor facets of our GRC software to pertain to these specific regulations and standards.
"When we were in the planning phase, they [executive level] were the folks that made the decision that we wanted the ERP and the GRC to go live at the same time. We were able to make sure we were clean for SOD when we went live. We were able to identify our weak spots prior to launch, which proved invaluable. Prior to implementation, when everything was manual, we had given manual access pretty widely, so there was some work to do. But now we're clean, and we've stayed clean. Now vision at the executive level is uniform throughout the organization."