On December 31, as the world was saying goodbye (or in many cases, good riddance!) to 2020, SAP Governance, Risk and Compliance (GRC) 10 users were saying a different goodbye as well. When the clock struck midnight, SAP officially ended mainstream support of the GRC 10 application.
Any organization that is still running Access Control, Process Control or Risk Management 10.x will need to upgrade to GRC 12 as soon as possible to avoid any SAP support disruptions with their GRC application. Not planning for or delaying the upgrade process can result in the inability to receive support or assuming and accepting additional costs for customer-specific support.
Upgrade or Update?
In October, we wrote about organizations starting their upgrade process with a “technical upgrade” and shared the key considerations for this approach. Over the last six months, we have seen many of our clients adopt this method. However, we also saw an equal number of clients take this opportunity to update their existing GRC system by implementing additional functionality. When deciding between these two options, keep the following in mind:
- Process optimization opportunities – take the necessary time to assess the current GRC environment for areas that can be enhanced and streamlined, while also taking advantage of the new capabilities that come with GRC 12. Some key functions being adopted include enabling risk analysis for Fiori/HANA, extending GRC integration to cloud applications, configuring automated continuous control monitoring and deploying automated policy management.
- Project team participation – the team members that will manage the project, participate in testing, coordinate project deliverables and communicate with end users may be tasked with these activities multiple times, or for an extended period, if the technical upgrade is performed separate from any GRC enhancements.
- Minimal business disruption – some GRC system downtime will be necessary when upgrading the environment; this downtime could be utilized to also push any additional GRC updates (i.e., releasing a new and improved Segregation of Duties ruleset).
- Repeated activities – consider the efficiencies that can be gained by reducing the duplication of activities such as project preparation/planning, testing, cutover, communication and deployment.
Example of the GRC 12 Fiori Launchpad screen (can be customized)
It is important to take the time needed during the project planning phase to assess the current GRC environment for any gaps or optimization opportunities, while also taking advantage of the new capabilities that come with GRC version 12. At the same time, keep in mind that this is not a “one size fits all” approach and organizations should not simply choose from a menu of GRC functionalities to configure and enable. Some of the key factors that should drive an upgrade strategy include:
- SAP systems that have not yet been connected to GRC (i.e., BW, HANA DB)
- SAP cloud applications already in use (i.e., Ariba, SuccessFactors)
- Status of move to SAP S/4HANA
- Enablement of Fiori applications or a Fiori-like end user interface
- Audit requirements/findings
The ultimate goal in making a move now is to ensure the upgrade is successful while maximizing the GRC investment by implementing and utilizing the functionality that will assist management to operate effectively and efficiently their associated GRC processes. Protiviti is currently helping organizations perform an independent review of their existing GRC environment and building a customized roadmap to GRC 12. Time may be up on SAP’s mainstream support of GRC 10, but that doesn’t mean there isn’t time to plan upgrade and optimization activities.