Kathy Gibson reports from SAPInsider in Viennan June 2016 – The governance, risk and compliance (GRC) landscape brings unique challenges to a diverse range of end user customers. These include increased regulatory compliance; changing economic and political conditions; pressure on performance and profitability; disruptive innovation and technology; and cyber security attacks.
In fact, Kevin McCollom, global vice-president and GM for SAP’s governance, risk and compliance solutions, points out that compliance used to be the domain of the chief compliance officer, but is now of vital interest to the chief financial officer, the chief risk officers, the CIO and the chief security officer.
However, what they all have in common is that they are impacted by the changing business, technology and regulatory landscape, McCollom says.
The key themes in risk compliance and security practices map directly to the business problems that companies face, he adds. They include access governance, which enables companies to manage identities, authorised information access, data use and sharing conditions.
Cybersecurity risk and governance is more important than ever as companies have to protect data and control access, and thwart security threats.
Three lines of defence allow organisations to manage risks and control in business operations, says McCollom, and SAP enables this by providing independent assurance on risk and compliance standards.
International trade management has become a new element of risk, as companies are faced with a need to manage import and export compliance in their global supply chains. This can be accomplished by securing the movement of digital goods and technical data.
Fraud management and screening is a major element of GCR, and can have a huge impact on the bottom line of the business. Companies need to prevent financial losses quickly and effectively using fraud management solutions.
McCollom explains that the three lines of defence come out of business management needs and specify a process framework for monitoring and mitigating risk.
The three lines are:
First line: business operations – this includes business operations as well as process controls, and is supported by embedded automation.
Second line: management oversight – this refers to how decision-makers respond to risks.
Third line: dynamic assurance – requires both independent and internal auditing, focused on dynamic assurance.
“Customers have told us about the importance of the three lines and how they help the chief financial officer respond to the challenges of a globally challenging world, and to perform a stewardship role of the organisation.”
SAP serves the three lines of defence best-practice through automated tools that offer efficiency gains and improve transparency. They also offer a number of benefits that go beyond compliance, McCollom says.
One of the biggest concerns for organisations today is cybersecurity, with most end user customers focused on making their systems more secure.
“Cyber-threats are everywhere today,” says McCollom. “It’s one of SAP’s pillars for digital transformation, with our history of delivering secure solutions on a secure platform.
“But cybersecurity has a wider impact, and is no longer important for just IT.”
It’s no longer enough to simply secure IT systems, McCollom says, but to make sure sufficient security is in place to protect trade secrets, intellectual property, financials and personal data.
“Our viewpoint on cybersecurity is in the area of cyber risk and governance. And recognising cybersecurity for what it is: a significant risk to the business that needs to be managed and governed.
“In addition to delivering a secure platform we believe we can help users in hardening their applications so the data remains secure.”
Moving to a cyber risk and governance landscape isn’t easy, though, and McCollom says companies are typically asking a number of questions:
* What should we be doing?
* Where are the gaps compared to what we’re doing today?
* Are our cybersecurity practices effective?
* How do we communicate our vision and status with shareholders?
From a business application security perspective, McCollom says the questions are:
* Are we managing users across processes?
* How do we share information and data security?
* Are the right users involved in critical business processes?
* Can we detect security and anomalies in our system?
SAP has a number of solutions for GRC and security, he says.
SAP Cloud Identity Access Governance, access analysis service, intends to be the first in a planned range of services in a new cloud solution that addresses the growing market demand for identity as a service (IDaaS).
IDaaS provides a set of infrastructure functions that, taken together, allow a single sign-on for the cloud. Built upon SAP HANA Cloud Platform, the SAP Cloud Identity Access Governance service is designed to help organisations centrally manage identities and optimise compliance processes across their business.
“We are building upon our extensive experience with GRC and security to help customers harness the latest security and performance benefits of SAP HANA Cloud Platform,” says McCollom. “Our first service, access analysis, is designed to simplify access governance, thereby enabling customers to quickly and reliably assess and mitigate risks to ensure compliance.”
The access analysis service intends to be the first in a planned new range of cloud services from SAP. These services are designed to work independently or in combination, thereby enabling customers to extend and grow their identity and access governance solution according to their business growth and functional needs.
It will sit alongside and integrate with an existing cloud identity solution, SAP HANA Cloud Platform, single sign-on, designed for cloud-based secure authentication. Together they will help companies simplify the management of identities across a cloud and on-premise software landscape. More information related to further releases of the SAP Cloud Identity Access Governance service is provided in the product road map for SAP governance, risk and compliance solutions.
Simple in design with an intuitive user interface, SAP Cloud Identity Access Governance provides the intelligence to optimize user system assignments easily in accordance with organisation and compliance policies. It helps avoid potential costly access issues involving financial losses and fraud, while reducing ongoing operating costs of auditing and compliance.
Customers will benefit from the speed of cloud deployment, which will allow them to identify quickly and remediate potentially costly segregation-of-duty conflicts and critical access issues. Customers will be able to dynamically refine or remove incorrect or unused user roles, helping ensure ongoing compliance while lowering audit costs.
According to Forrester Research, “identity management and governance (IMG) solutions give security and risk (S&R) pros the ability to provision all users with the appropriate level of access to critical applications and systems, thereby minimising the risk of users with excessive privileges or orphan accounts that hackers frequently target to exfiltrate sensitive data.
“Comprehensive IMG platforms provide functionality such as user account provisioning, delegated administration, role management, access request management, user self-service and access certification.”