It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
As discussed in part one of this series, there are very real, tangible costs and other “soft” costs to living with current manual methods of IT security provisioning and compliance reporting. There are intangible costs, as well.
For many organizations, these costs are ever increasing. As organizations start to realize that the situation is becoming untenable, a search for potential solutions begins. Now in part two of three, we will discuss the hunt for a GRC automation tool and how to build the business case to acquire one.
Searching for solutions
An easy answer is to hire more staff (i.e. throw more bodies at the problem). However, most enterprises loathe adding more staff. Often, increasing staff also increases complexity, since confusing, complicated processes only get more confusing and complicated when additional staff are added. Novice hands make more mistakes, and senior talent spends more time fixing them.
Another solution is to try to automate linkages between existing systems and reports in an attempt to streamline processing. However, home-grown programs and scripts don’t always work well, and maintaining custom code or scripts can take on a life of its own.
The best solution is purpose-built commercial software with comprehensive, automated workflows. Proven solutions exist on the market and some can be surprisingly easy to implement.
Evaluation of proposed solutions: a GRC tools comparison
In order to evaluate a solution for automating IT user provisioning and compliance reporting, the organization must identify specific criteria for assessing the quality and “fit” of possible solutions, or make a GRC tools comparison. Based on the criteria, RFPs can be developed to solicit proposals for solutions.
Some of the criteria may include:
- Automate and streamline approval workflow and provisioning processes
- Reduce cycle time
- Eliminate manual tasks
- Enable self-service and improve visibility
- Improve compliance efforts
- Solution must provide a single source of the “truth”
- Centralize SAP security data – common “dashboard”
- Reduce operational workload for technical team
  - Processing user and role requests
  - Compliance reporting
- Provide quantifiably more time to support innovation in the business
It is important for an organization to recognize its own internal constraints. Do you have the capacity to purchase, install, and maintain incremental servers and infrastructure? Can your staff develop specialized skills to implement and support new solutions? Is there budget for a large implementation using external consultants? Politically, what are management’s expectations of the project? A quick win or building value over time?
A total cost of ownership (TCO) analysis of solutions must be performed when conducting a GRC tools comparison. TCO considerations include:
- Cost of software licensing
- Infrastructure costs
- Ongoing operations
Any vendor must also be evaluated. Is their business approach that of a long-term partner or just “a vendor”? Are they continuing to enhance their product? What is their product roadmap? Are there concerns about their viability, stability, and vision? Will they be in business three years from now? The GRC market is evolving; are they?
The evaluation cycle can reveal a lot about the vendor. Were the demos customized? Did the sales and technical staff really listen? Were they honest about shortcomings? Did they take the time to understand your needs? Were they timely and detailed in responses? In short, you must grow comfortable with your vendor for them to truly be a partner that helps move your enterprise forward.
Given well-defined requirements, potential solutions can be dismissed quickly:
- Total price point simply out of reach
- “Footprint” requirements too high
  - Incremental servers and infrastructure
  - Incremental administration, interfaces, and day-to-day “care and feeding”
- Requires specialized skillsets
- Implementation costs and timeframes
- Ongoing operational complexity
Building the business case and calculating ROI
Netted out, the time, effort and risk of coping with escalating difficulties in manual user provisioning and compliance reporting become unacceptable.
The first step in building a business case is to make clear, visible metrics on the current situation.
What is the current average turnaround time for processing routine user provisioning requests? What percentage of requests get lost or require special handling? How many hours are spent processing user provisioning requests? What are the total current costs (hours times salaries) for processing user requests?
Similarly, actual costs may be determined for current methods of compliance reporting.
Adding up the actual costs and hours spent on current methods of user provisioning and compliance reporting creates a benchmark against which projected savings in adopting an automation solution can be justified. Vendors should be able to provide references and case studies to estimate projected savings.
Applying estimated time savings against current costs creates the basis for a return on investment calculation. For example, if $200,000 in salaries is currently being spent annually and implementing an automation solution will reduce the manual work load by 50%, the annual savings would be $100,000.
Many organizations require a quantifiable return on investment (ROI) in less than 18 months in order to commit to an investment in a solution. In addition to a “hard” ROI calculation, sometimes corporate politics or executive issues exist which make resolving the business problem urgent.
In addition to defining hard ROI estimates for implementing an automated user provisioning and compliance reporting tool, there are other benefits which can be articulated.
- Better service to the business
  - Faster time to value for new or changing employees (faster provisioning of user and role requests)
- Free technical team from operational drudgery
  - Less manual provisioning
  - More time for initiatives
  - Reduce morale-killing tedium
- Streamline audit reporting
  - Less time spent preparing
  - Less time for auditors to perform their jobs
By conducting a GRC tools comparison and implementing an automation solution for user provisioning and compliance reporting, an organization can realize an opportunity gain (the opposite of opportunity cost). Expensive IT staff can devote more time and energy towards driving, not impeding, enterprise initiatives.
In the final part of our GRC tools series, we’ll explore the implementation process and how to prove the ROI of your new GRC automation solution.