The fact is: business is dynamic, distributed, and complex. The pace of change to risk, regulations, employees, partners, and technology requires organizations to approach governance, risk management, and compliance in a way that is efficient, effective, and agile to the needs of today’s dynamic business environment.
Organizations do not operate in a static environment that slowly evolves. Today’s organization is in a continuous state of change as with shifting employees: new ones are hired, others change roles, still others leave or are terminated. There are changing business partner relationships, including those with suppliers, vendors, contractors, outsourcers, service providers, and temporary workers – all of whom may have access to internal systems. These business partners also have constantly changing employees that impact the organization. On top of this, business processes and the technology change at a rapid pace.
This means that organizations cannot rely on manual, ad hoc, and document-centric approaches to manage access to critical business systems. The issues of segregation of duties, inherited rights, critical and super user access, compliance, risk management, and general change to roles is too much for today’s organization to manage adequately in spreadsheets and e-mail. Growing exposure to risk and increasing regulations compound this as they require greater oversight of access to critical systems with audit validations of access control.
However, access control is not just about regulatory compliance; it is also about consistent operations. The organization needs distributed responsibilities and processes that are reliable and behave consistently. Strong access control delivers a structured system of access governance that enables processes to work as intended without anyone maliciously or inadvertently causing an issue.
Surprisingly, many organizations still use manual processes and documents to manage access and the associated risk upon the organization. This is primarily done by spreadsheets, word processing documents, and email. Not only are these approaches inefficient and ineffective, slowing the business down, but they introduce greater exposure to risk and non-compliance, as it is nearly impossible to keep up with risk. By automating the access management process and embedding risk analysis and mitigation into user and role maintenance, organizations take a proactive approach to avoiding risk while cutting down the cost and time required to maintain compliance.
Organizations need to establish a strategy and processes supported by technology to build and maintain an access control program that balances business agility with control and security in order to mitigate risk, reduce loss/exposure, and satisfy both auditors and regulators while enabling users to perform their jobs.
In an ERP environment, the business challenge of managing access control is burdensome when done with manual and document centric approaches. The inefficient, ineffective, and non-agile organization runs a combination of ERP security and access reports, and then compiles access information into documents and spreadsheets that are sent out via e-mail as an improvised workflow tool for review and analysis. At the end of the day, significant time is spent running reports, compiling information, and integrating that information into documents and spreadsheets to send out via e-mail for review. This manual and document-centric process ends up costing organizations significantly more in wasted resources, errors in manual reporting, and audit time drilling into the process than an automated solution costs. Worse, organizations often miss things as there is no structure of accountability and workflow and audit trails do not exist. This approach is not scalable and becomes unmanageable over time. It leads to a false sense of security due to reliance on inaccurate and misleading results from errors produced by manual processes.
The situation: manual approaches to managing access in the ERP environment are time-consuming, prone to mistakes and errors, and leave the business exposed.
This challenge grows when you consider the complex interrelationship of different ERP instances and access to those across the business environment. To reconcile access across different systems and see the big picture of access risk becomes complicated as the ERP environment grows. Organizations struggle to manage access risk within one instance of ERP; managing access across multiple ERP systems causes an exponential growth in time and resources when done by a manual and document-centric approach. In a heterogeneous environment, these challenges only become more complicated.
There are a variety of solutions on the market to manage access control in ERP environments. GRC 20/20 is focused researching, evaluating, and differentiating the solutions in this segment of the GRC market to assist organizations with their decisions to acquire the right solution to deliver value across efficiency, effectiveness, and agility.
Organizations looking for automated control, segregation of duty, user access, and broader GRC solutions can engage GRC 20/20 through our complimentary inquiry process to get your questions answered on the solutions in this space. Send an email to [email protected] with a focused question of what you are looking at and we will respond with our view of solutions that address your need.