It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
Midmarket companies face very similar SAP GRC risk mitigation and compliance requirements as larger enterprises. If your company is publicly traded, you have to follow SOX just like a large enterprise, with severe civil and criminal liabilities for noncompliance. If you’re in healthcare, you are likely feeling the increasing pressure from the Department of Health and Human Services, and worrying about possible audits and rising fines for violations, just like the largest hospitals.
If you’re on the hook for 21 CFR Part 11 compliance, you have to meet high standards for authentication, record keeping, and other controls — just like anyone else. And while you may not fit in the same PCI merchant level as the bigger companies, you’re still required to adhere to the same security and compliance standards, even if you don’t have quite as many hoops to jump through.
However, while large enterprises have plenty of resources to meet this challenge, midmarket organizations often don’t. Many midmarket companies can’t even retain dedicated SAP GRC risk management assets internally, which means risk mitigation is, at best, someone’s side job. They don’t have any continuous auditing or monitoring system in place, which means serious segregation of duties conflicts and other compliance issues can go undetected for months. On top of all that, many midmarket companies are struggling just to keep up with SAP compliance — meaning that creating a more systematic approach is out of the question.
SAP GRC Incidents Are More Damaging to the Midmarket
Large enterprises have another advantage over the midmarket: they can weather pretty much anything. They tend to have more resources to investigate incidents and mitigate damages, bigger budgets to fight fines and do damage control, more diversified portfolios to help them mitigate damage to their reputation and when it comes down to it, a whole lot more money to pay for compliance fines, legal settlements, and remediation plans.
The 2013 Target data breach is a great example. When Target had to pay $18.5 million to 47 states over a massive data breach, it wasn’t even a big deal — they’d already shelled out $291 million (minus insurance reimbursement) dealing with the breach, what’s another $18 million or so to finally be done with it? But for a midmarket company, a major breach like that likely would have led to bankruptcy. At the very least, it would cause permanent damage to your ability to compete — particularly in a tight market.
Midmarket SAP GRC Risk Mitigation is Complicated By Several Factors
- Staffing Challenges: SAP GRC risk management is a daunting process for midmarket companies. You need a combination of very technical SAP skills, a strong understanding of the legal compliance framework, and insight at the business level just to put basic SAP GRC risk mitigation controls in place. Then there are the resources required to continuously monitor security and compliance, review controls regularly to ensure they’re being executed properly and fulfilling their functions, and revise rules to keep up with changes in the legal framework, the business, and the SAP landscape. It’s all far beyond what your SAP admin can accomplish as a side job.
- Lack of Automation: Imagine you have a developer requesting new resources in your cloud. You need to ensure they’re meeting your security policy and not, for example, putting actual customer data at risk in a test environment. If you use cloud automation, that’s easy — you can build the control right into an automated process that checks the developer’s request against security policy. But if you’re sending requests to a help desk, it’s a much more time-consuming process, because the staff has to check the request manually against company policy. Provisioning will take longer and use more resources, your team could make mistakes and break policy, or you might even run into situations where the rules aren’t clear, breaking your controls. Automated and standardized processes are your friend in SAP GRC risk mitigation, but midmarket businesses usually don’t have a well-developed approach to business process automation in general, and IT automation in particular. That makes achieving adequate SAP risk management more costly, difficult, and time-consuming.
- Ad-hoc IT strategy: No one likes throwing away IT investments or wasting resources, but frugality is especially important in midmarket companies. These companies require substantial, complex, and costly IT systems similar to those used by large enterprises, and many have spent decades upgrading onsite landscapes as hardware ages and licenses expire. Over time, this results in complex, ad-hoc solutions, glued together with custom code. SAP GRC risk mitigation controls may be applied inconsistently between older and newer systems, or may be entirely missing from legacy components. Many large enterprises face similar issues, but they generally have a much easier time remediating. Not only can large organizations afford more substantial CapEx to update their SAP GRC risk management strategy, they also benefit from economies of scale in a way that midmarket companies don’t. That means any major update is going to be less expensive relative to their usual IT budget compared to the midmarket. Midmarket companies — particularly those who are starting to plan HANA migration over the next few years — often don’t even see a path to improved SAP GRC.
You Won’t Fix SAP GRC Risk Mitigation On Your Own
Working internally or hiring a part-time security asset to find and mitigate risks isn’t going to fix the problem. In some cases, it will actually make it worse, as it did for Carlisle Construction Materials (CCM). CCM was struggling with audits to begin with, but their early attempts to remediate it only made their security model more complicated and harder to use. They ended up with 3,000 different roles for their 700 users, in a system that not even their auditors could understand.
The reasons CCM’s first remediation attempt failed are complicated, but it all boils down to this — when the problem is an ad-hoc, poorly automated SAP GRC risk management strategy, you can’t solve it with an ad-hoc, poorly automated solution. You need an MSP who is able to create a simple, effective security model that controls costs (both monetary and time) and ensures continuous compliance.
The Solution: ControlPanelGRC®
To get SAP GRC risk mitigation right, you need to start over, with a system designed for the needs of modern, midmarket organizations. That means automated monitoring and approval processes, and centralized controls that are easy to understand and can serve auditors, executives, and your SAP GRC team. ControlPanelGRC provides all of that, along with a team of SAP GRC and security consultants with powerful industry expertise and technical know-how.
This provides unparalleled time-to-value and ROI, allowing you to spin up a successful SAP risk management program in a few months. Instead of spending massive amounts of resources to chase unsuccessful audits, you can move to an affordable, sustainable risk mitigation approach, emphasizing continuous improvement.
ControlPanelGRC can also help with other common midmarket risk management problems. Compliance automation continuously monitors your entire landscape, predicts security risks, and spots conflicts in real time, preventing change management issues from sabotaging your controls. We also reduce the work hours and expertise required to run your SAP GRC risk management software, and provide affordable assistance as needed. Whether you’re looking for an outside partner to completely run your SAP GRC program, or just someone to set up controls, provide training, and offer occasional assistance, we’re here to make SAP risk management easy.
To learn more, read our solution brief, ControlPanelGRC®: Enabling 360° Control in SAP Environments.