
GRC Rulesets

Governance, Risk and Compliance (GRC) – Rules of the Road

Rules govern many aspects of our lives. Traffic rules are designed to reduce risks for drivers and pedestrians and lower insurance premiums. Homeowners’ associations have rules governing which colours you can use on the exterior of your home, or even mandating that upstairs units of condominiums must have carpet to reduce noise. While rules are often developed with the best of intentions, they can sometimes be overdone relative to the actual risk or inconvenience and become more of a burden than a tool to ensure safety or compliance.

It is the same in the SAP environment. Governance, Risk and Compliance (GRC) rulesets are put in place to ensure organisations comply with regulations, protect valuable data and reduce the risk of theft and fraud. Business functions and processes are carefully reviewed to determine the level and severity of risk. Rulesets are developed based on combinations of risk and severity so that Segregation of Duties (SoD) violations can be found and fixed.

For example, a process that contains two functions, such as having an employee who can create and maintain a vendor master list and also issue purchase orders or execute payments, is a clear segregation of duties (SoD) violation. These two functions should be separated, and any possible combination of these roles should be put into a ruleset so that attempts to grant access and permissions for both functions to a single person raises an SoD violation alert.
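As an added illustration of how such a ruleset is evaluated (example code written for this page, not part of ControlPanelGRC or SAP GRC): business functions are mapped to the transactions that grant them, each risk is a pair of conflicting functions with a severity, and a preventive check reports the violations a proposed role assignment would introduce. The function-to-transaction mapping, the role names and the risk IDs are constructed assumptions.

```python
# Added example for this page: a minimal SoD ruleset evaluator, not code from
# ControlPanelGRC or SAP GRC. Function, role and risk definitions are constructed.

# Business functions mapped to the transaction codes that grant them (assumed mapping).
FUNCTIONS = {
    "VENDOR_MASTER_MAINTAIN": {"XK01", "XK02"},  # create / change vendor master
    "PURCHASE_ORDER_CREATE": {"ME21N"},         # create purchase order
    "PAYMENT_EXECUTE": {"F110"},                # run vendor payments
}

# A risk is a pair of conflicting functions plus a severity rating.
RISKS = [
    ("P001", "HIGH", ("VENDOR_MASTER_MAINTAIN", "PAYMENT_EXECUTE")),
    ("P002", "HIGH", ("VENDOR_MASTER_MAINTAIN", "PURCHASE_ORDER_CREATE")),
    ("P003", "MEDIUM", ("PURCHASE_ORDER_CREATE", "PAYMENT_EXECUTE")),
]
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample roles and the transactions each role grants.
ROLE_TCODES = {
    "Z_AP_CLERK": {"XK01", "XK02"},
    "Z_BUYER": {"ME21N"},
    "Z_TREASURY": {"F110"},
}

def functions_granted(roles):
    """Functions a user can perform: any one transaction of a function is enough."""
    tcodes = set().union(*(ROLE_TCODES[r] for r in roles))
    return {f for f, needed in FUNCTIONS.items() if needed & tcodes}

def analyze(roles, min_severity="LOW"):
    """Return (risk_id, severity) for every risk whose two functions are both granted.
    min_severity drops low-impact findings to reduce report noise."""
    granted = functions_granted(roles)
    return [(rid, sev) for rid, sev, (a, b) in RISKS
            if a in granted and b in granted
            and SEVERITY_RANK[sev] >= SEVERITY_RANK[min_severity]]

def simulate_grant(current_roles, new_role):
    """Preventive check: violations that assigning new_role would newly introduce."""
    before = set(analyze(current_roles))
    after = set(analyze(list(current_roles) + [new_role]))
    return sorted(after - before)

if __name__ == "__main__":
    print(analyze(["Z_AP_CLERK", "Z_TREASURY"]))  # [('P001', 'HIGH')]
    print(simulate_grant(["Z_AP_CLERK", "Z_BUYER"], "Z_TREASURY"))
```

Running the preventive check before a role is provisioned is what turns the ruleset from a detective report into a control that blocks the conflict at grant time.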

For this reason, GRC rulesets are at the heart of effective access control and risk analysis. Rulesets support accurate and meaningful reports and help reduce the cost of compliance and managing risk. They ensure there are no audit surprises. Because GRC rulesets are such a vital part of protecting the organisation, they must clearly reflect what the business is all about in terms of functions and processes by monitoring the right risks and matching them to the appropriate levels of severity.

This includes both internal processes and external regulatory requirements, such as the Sarbanes-Oxley Act (SOX) regarding financial records and the Health Insurance Portability and Accountability Act (HIPAA) regarding the privacy of healthcare information. Rulesets and risk identification in SAP GRC must satisfy the requirements of both internal and external auditors. While it seems straightforward, this important function is becoming more challenging in today’s digital economy.

GRC Rulesets – It’s complicated

Today’s organisations are undergoing non-stop change and transformation to keep up with the constantly evolving landscape of the global digital economy. The regulatory climate is also shifting to adapt to the digital economy as evidenced with the General Data Protection Regulation (GDPR) recently implemented by the European Union.

This dynamic environment puts pressure on IT staff to adapt GRC rulesets to accommodate organisational and regulatory changes. This can quickly become a burden and potentially result in either too many restrictions of some business functions, or not enough on others.

Even without constant change, developing GRC rulesets can be a complicated process. While SAP does provide standard out-of-the-box rulesets for functions, such as procurement and purchasing, they may not meet the unique needs of an organisation. This means rulesets must be customised to match business functions and processes to accurately reflect business operations.

Creating and customising GRC rulesets that accurately align the impact of risks and their likelihood to each business process can sometimes result in an excessive number of rulesets applied to low-risk functions and processes. This creates a lot of “noise” by generating a high volume of reports about risks that do not have a significant impact on the business.

This noise can put a burden on SAP users, IT staff and auditors who must sift through pages of reports trying to find low-impact risks. The complexity increases as possible combinations of transactions and permissions and new custom transactions grow in response to organisational and process changes along with changing regulations.

Non-SAP functions also add to the complexity, as does accommodating new applications, such as SAP S/4 Fiori. While SAP Fiori is a powerful replacement for the SAP graphical user interface (GUI), careful integration into SoD activities is essential to proper GRC operations and ensuring visibility across the organisation.

ControlPanelGRC – Simplifying the Ruleset Process

Symmetry’s ControlPanelGRC Risk Analyzer greatly simplifies the GRC ruleset process and facilitates SAP Fiori integration. Risk Analyzer Rulebooks contain a core set of the most frequently used sensitive authorisation and SoD rules common to all industries. The rulebooks are extensible and can be easily customised to meet business process or auditor requirements, thus making rulesets easier to set up and maintain. Predefined rulebooks also include checks for access risks related to SOX, HIPAA, GDPR and other regulatory requirements. Risk Analyzer defines risks as conflicting functions and provides details and easy-to-understand descriptions.

Risk Analyzer also provides a high level of granularity to define risks by authorisation and transaction level. It provides automatic discovery of custom transactions and incorporates SAP Fiori applications, using an SAP S/4HANA SoD ruleset. Risk Analyzer automatically discovers and captures usage of SAP Fiori applications and pushes SoD analysis data back to the appropriate business users for review or removal.

The Symmetry Difference – Above and Beyond

Beyond the powerful features and capabilities of ControlPanelGRC, Symmetry delivers fast deployment backed with unparalleled support and managed services. Our industry-leading Net Promoter Score and 22 years of managing SAP systems means that your ControlPanelGRC Access Control Suite with Risk Analyzer implementation will not only be successful, but that your time to value will also be greatly accelerated.

GRC rulesets are vital to ensuring an organisation’s data security, risk management and regulatory compliance. They can be complex, but don’t have to place a burden on IT staff. ControlPanelGRC gives organisations peace of mind by automating GRC functions, reducing SoD conflicts and ensuring audit readiness so that they can successfully meet the challenges of today’s rapidly changing digital economy.

Talk to Symmetry to learn more about how ControlPanelGRC can help you make your GRC ruleset process both simple and a strategic asset.


Scott Goolik - VP, Compliance and Security Services

Scott Goolik is VP of Compliance and Security Services at Symmetry. A recognised expert in the field of SAP security and compliance, Scott has over 20 years of expertise in SAP security and is a regular presenter at SAP industry tradeshows and ASUG events. His experience includes working for one of the Big Four accounting firms and developing auditing tools, including those for segregation of duties (SoD). Scott is also responsible for architecting the ControlPanelGRC® solution, which provides audit automation and acceleration of security and control processes.