In this blog series, we would like to provide our readers with an overview of the improvements in the new SAP Governance Risk and Compliance (GRC) version 12.0 solution. The new version of SAP GRC was launched in March last year. The new application brought some improvements such as a Fiori user interface and changes to support the S/4HANA ruleset. This is just the beginning so let`s explore the improvements in a bit more detail.
GRC 12.0 comes with a strong improved user experience, which I believe is the biggest benefit of the new version. As part of SAP`s strategy, moving forward with Fiori provides a central location for all applications in the system. The interface is simpler, cleaner and easily customizable when compared to the Webdynpro screens. The applications are defined on the front-end as Tiles. Using Fiori, several applications are available via mobile, which increases the accessibility of the GRC suite across the organisation. Employees away from the office can execute daily tasks via email. Managers can review and approve requests that require critical access or some requests that require special attention. Tiles give users the metrics even before accessing the application. The key metrics are essential for reports, work inbox and some applications that display numbers in monetary terms. Compared with Webdynpro screen customising tools, Fiori brings a full personalisation of the user`s work area. The drag and drop functionality makes it easy to select, remove and move tiles allowing the user to define what`s best for them.
Even the screens that were not turned into Fiori Tiles received a Fiori-like screen. Although the new user experience is the standard of 12.0, it is not mandatory to go with Fiori and NWBC is still supported.
Integration with Cloud Applications
Let`s talk now about application-specific improvements as Fiori is not a GRC specific feature. SAP has moved to the Cloud and GRC has introduced a set of tools to integrate with cloud applications. Having said that, Access Controls 12.0 can run a risk analysis on cloud systems. This feature comes with the integration between Access Control and SAP Cloud Identity Access Governance (IAG). SAP IAG is a standalone Cloud solution built on the SAP Cloud Platform and can fetch data from on-premise and cloud solutions such as Ariba, Fieldglass, Success Factors and SAP S/4HANA Cloud. Bear in mind that this integration requires a subscription to SAP Cloud Identity Access Governance.
Access Control New Features
The following list is an overview of the new features in Access Control.
- End to end integration with Success Factors
- Cloud application support via Cloud Identity Access Governance
- Risk Analysis for SAP Fiori Apps in SAP S/4HANA on-premise
- Out of the box risk definitions for S/4HANA rules
- Emergency Access Management for SAP HANA Database
- Manage critical access on HANA Database
- SAP IDM for centralised provisioning and BRM integration
- IDM can load business roles from GRC making them requestable in IDM
- Maintain IDM and GRC in synch
- SAP SF Central Payroll
- Connection of Employee Central Payroll System to on-premise Access Control
Risk Management New Features
The following list is an overview of the new features in Risk Management.
- Manual Key Risk Indicator (KRI) Entry has a workflow now
- Risk validation process as a sign-off activity for the risk. Risks are timestamped with validation date and time
Enterprise Risk Enhancements:
Operational Risk Aggregation ⇒ In previous versions of GRC, aggregation of operational risks was only available through custom code implementation. The customer had to create their own aggregation logic. Now, risk aggregation is automated, and a set of aggregation methods have been created to support different risk profiles. The aggregation methods can be extended and the auto-aggregation mode can be deactivated.
Process Control New Features
- There is the possibility of adding a test plan to an automated or semi-automated control.
- With this change, testers receive the automatic work item and can complete the manual test plan.
- A job can be created based on a standalone business rule without connecting the Business rule to a control.
Other important changes delivered by support packages in 12.0
Some other enhancements were created during support package releases. Here is a list of some important enhancements:
- Access Control ⇒ Web Based Emergency Access Management (SP 04);
- Process Control ⇒ Search Work items
- This new feature allows users to search for specific work items matching a filter criterion. This is valid for Process Control Assessments.
- Process Control ⇒ Download/Upload functionality of Questions and Surveys via excel template (SP 04)
- Risk Management ⇒ Probability and Impact analysis guidance added into offline forms (SP 04);
- Access Control and Process Control Integration ⇒ Locked and expired users included in SOD integration scenario of Business Rule (SP 04);
- Access Control ⇒ Background Risk Analysis after approval stages. Risk analysis in the background can be enabled and asynchronous risk analysis is run after the stage is approved.
The GRC suite also comes with process Optimization in the following areas
- Reports performance has been improved.
- Easy to maintain screens (Mass Role Methodology and firefighter controller/owner maintenance
- Synchronization jobs performance has been improved.
In order to migrate from any previous SAP GRC versions to 12.0, there is a list of requirements that need to be met. The requirements include minimum Netweaver version, Support package level, UI components, gateway system etc. Also, there is a compatibility matrix that needs to be followed to make module versions and support packages installed in the system talk to each other. The compatibility matrix changes if systems are installed in S/4HANA or ECC environments. Knowledge migration is fairly simple as most of the applications were migrated to Fiori using the webdynpro attributes, fields and screen layout. It means that a transition from GRC 10.x to GRC 12.0 can be smooth to end users.
Summary of prerequisites
- The migration of GRC 10.x to GRC 12.0 comes with a few prerequisites:
- Minimum Netweaver version required
- SAP UI components to enable the Fiori Content for the modules (AC, PC and RM).
I hope you have enjoyed this blog about the new features in SAP GRC 12.0.
If you would like us to blog about another topic or would like to discuss your own SAP GRC requirements, challenges or transition, please get in touch with us using this link.
Fernando Bassuino is a Senior GRC consultant at CompliantERP whom specialises in SAP Security and Compliance. His GRC experience totals more than 8 years with specialisation in all modules (Access Control, Process Control and Risk Management). He has worked for SAP Labs Latin America helping GRC customers worldwide. His strong troubleshooting skills means he is capable of explaining complex functionality in a high level of detail and resolve complex application issues. Fernando’s deep technical understanding of GRC has allowed him to also provide GRC training and embedding of GRC processes for his customers.