SAP Community - Governance, Risk, Compliance (GRC), and Cybersecurity

Building Resilient Enterprises: SAP’s Security Gains from Microsoft Defender for Cloud

2025-10-27T13:45:39.480000+01:00

By Sven Frank, Cyber Security Architect IAM & Zero Trust (SAP), Martin Pankraz, Principal Product Manager SAP Integration and Security (Microsoft), Amos Wendorff, Cyber Security Data Governance Lead

🚨The 3 PM Friday Security Crisis: Why Human-Centered Security Matters

Picture this: It's 3 PM on a Friday, and your development team just discovered a critical production issue affecting thousands of customers. A major client demo is scheduled for Monday morning, and your lead developer needs to spin up additional Azure resources immediately to implement a hotfix. The standard security approval process typically takes 48 hours.

⚠️The Dangerous Moment: In this high-pressure situation, it's tempting to take shortcuts—opening broader network access than necessary, using shared service accounts, or bypassing security scanning protocols. "We'll fix it properly after the crisis," becomes the dangerous refrain that can turn a temporary workaround into a permanent vulnerability.

🛡️ The SAP Secure-by-Default Philosophy

At SAP, securing our Microsoft Azure landscapes extends beyond technology alone. We face tight deadlines and pressure to complete projects quickly, which can challenge maintaining strong security practices. That's why our secure-by-default approach—closing unnecessary ports, phasing out legacy authentication, and enforcing automated policies with thorough identity management—is designed to support everyone in staying secure, even when time is limited.

⚡Speed AND Security, Not Speed OR Security

When our developer can provision resources through pre-configured, security-hardened templates with just a few clicks, we eliminate the false choice between speed and security. Equally important is fostering a security-conscious mindset throughout our teams, grounded in continuous learning and constructive accountability. Through consistent knowledge-sharing sessions, we ensure alignment across the organization.

🔗Bridging Security and Architecture: A Real-World Challenge

But here's where it gets more complex. Fast-forward to Monday morning—the crisis is resolved, but now our Enterprise Architecture team discovers something concerning. During the weekend sprint, three different teams independently deployed similar cloud applications to solve related problems. Each believed they were following secure practices, but collectively, they've created an unmanaged sprawl of SaaS applications across our landscape.

The traditional scenario: Our security team knows these applications exist and can assess their individual risk profiles through Microsoft Defender for Cloud Apps. Meanwhile, our enterprise architects are mapping our application portfolio in SAP LeanIX, trying to understand capability gaps and technology dependencies. In most enterprises, IT security and enterprise architecture are two critical disciplines, each with their own priorities, tools, and perspectives. One is laser-focused on threat detection, compliance, and access control. The other is mapping capabilities, rationalizing applications, and shaping long-term IT strategy.
But what if these two worlds could work together seamlessly?

🎯The Power of Integration: SAP #LeanIX + Microsoft Defender for Cloud App

At SAP, we've implemented an integration between SAP LeanIX and Microsoft Defender for Cloud Apps that transforms how we approach secure and compliant software usage. With this integration, you can pull application usage and risk data from Defender for Cloud Apps directly into SAP LeanIX. That means: ... You're no longer just identifying what's out there - you're aligning it with your architecture strategy. This turns ad-hoc discovery into intentional governance.

🔍Real-Time Visibility Meets Strategic Planning

Applications are added to Cloud Apps in MS Defender when someone accesses a cloud application through their browser, which could lead to a significant number of discovered applications. This continuous discovery feeds directly into our LeanIX environment, where our enterprise architects can immediately see:

Risk-aligned Architecture Decisions: Security risk scores from Defender for Cloud Apps appear alongside capability mappings in LeanIX, enabling architects to make informed decisions about application rationalization
Compliance-Driven Portfolio Management: Applications flagged for compliance issues in Defender are automatically highlighted in our architecture views, allowing us to prioritize remediation based on business impact
Usage-Based Capability Planning: Real usage data helps identify which applications are truly critical versus those that can be consolidated or retired

🚀From Reactive Discovery to Proactive Governance

This integration fosters collaboration between two personas that often operate in parallel but rarely intersect. With Microsoft Defender for Cloud Apps and SAP LeanIX, they do - bringing security and architecture into a shared conversation around risk, capability, and value.

Kahoot is an example of an in-house approved application, in the terminology of Defender for Cloud Apps a sanctioned application. This allows the Enterprise Architect to make clear, data-driven decisions when harmonizing tools, eliminating guesswork and ensuring alignment across the organization.

If you want to learn more about LeanIX and Defender for Cloud Apps, have a look here.
This blog post was co-authored by @Michelle10

🌊The Ripple Effect of Integrated Security / Final Part

This comprehensive strategy enables us to effectively protect our environments and maintain the highest security standards across our SAP landscapes in Azure - even when the pressure is on.

Ultimately, our customers and partners benefit directly from these security practices, as they translate into more robust, reliable, and trustworthy SAP solutions. The secure-by-default principles and security-conscious culture that protect our Azure environments become foundational elements when organizations implement our products - creating a ripple effect that strengthens security across the broader ecosystem.

GRC Tuesdays: What's New in SAP Risk and Assurance Management, Q4 2025

2025-11-04T07:00:00.117000+01:00

As I am sure you are already well aware, if you want to be amongst the first to know what is new within SAP Risk and Assurance Management, all the information is just one click away in the dedicated section of the product Help Portal.

In these GRC Tuesdays blog, we take a different angle: we don’t provide an exhaustive list, instead, we just make a focus on certain capabilities that we think can spark your interest.

Working with Claudia Behrendt and Alain-Brieuc Gall from SAP Product Management, we have decided to highlight 2 new enhancements delivered recently in SAP Risk and Assurance Management:

New integrated reporting dashboards in Enterprise SAP Analytics Cloud (SAC)
Predicted Conclusions in the Issue Management and Remediation service

New integrated reporting dashboards in Enterprise SAP Analytics Cloud

By leveraging the SAP Analytics Cloud stories, users of SAP Risk and Assurance Management can significantly improve their master data compliance and risk management processes, leading to enhanced efficiency, reduced risks, and a more robust assurance framework.

To support this objective the team has released a new SAC story:

Risk & Assurance Management Cockpit

This new dashboard increases transparency for Compliance executives as it provides them with a cockpit-like experience with actionable insights derived from visual and comparative analysis of compliance data. It helps in identifying patterns, tracking performance over time, and prioritizing efforts effectively.

This comprehensive view enhances the organization’s ability to manage risks and assurance activities, ultimately leading to better compliance and operational excellence.

This SAP Analytics Cloud story includes the following visualisations:

Instant Overview

Provides an immediate snapshot of compliance issues, organized by type and status, with visual charts that display trends over time.

Efficiency Metrics

Offers insights into average issue resolution times and year-to-year analysis, helping to identify process inefficiencies.

Comparative Analysis

Makes it easy to compare current performance and highlights long-term trends and deviations, facilitating informed decision-making.

Controls Compliance Dashboard

And, in case you missed the information or simply forgot about it, allow me to refresh your memory: there is already another SAC story previously available: the Controls Compliance Dashboard.

With this dashboard, users to have a granular view of their compliance posture, ensuring that all necessary controls are in place and that data integrity is maintained. It helps them identify potential risks early and taking proactive measures to mitigate them, thereby enhancing overall operational efficiency and compliance readiness.

The SAP Analytics Cloud stories in this dashboard are based on information from the controls’ master data and associated run results:

Compliance Coverage

Helps to understand the compliance coverage of controls, ensuring that all critical areas are adequately monitored.

Master Data Completeness

Assesses the completeness of master data across the controls, identifying any gaps or discrepancies that need attention.

Data Hygiene

Highlights data holes and orphaned data, facilitating timely data completion or clean-up efforts to maintain accuracy and relevance.

Complementary Insights

Complements the Fiori apps but provides additional, in-depth insights not available in the standard apps.

Compliance Status

Offers a comprehensive view of the compliance status of controls across organizations, processes, and regulations, with dedicated KPIs.

Failure Analysis

Shows which and how many controls fail at any given time and over time, across various dimensions, including automated and manual procedures.

Predicted Conclusions in the Issue Management and Remediation service

Shifting gear from reporting to workflows, with decision support for issues with Machine Learning, organizations can benefit from predictive model to automate decision-making and speed up issue processing. The model uses historical decisions to predict outcomes for new issues.

Compliance specialists are often faced with numerous issues raised that they need to quickly review and categorize so that they are addressed in time by relevant stakeholders.

If this is a key aspect of their role – especially when new types of issues arise that would require expert review, many issues are quite “standard” and decisions can be streamlined by an intelligent engine: confirm the issue and assign it for remediation or close it as a false positive.

This is precisely what this capability offers: to serve as an enabler for further automation steps for issue processing.

Based on previous manual decisions for related issues, SAP Risk and Assurance Management can generate an automated conclusion and display its level of confidence:

More information

Should you be interested in drilling-down further here, then I would suggest the following links:

What's New in SAP Risk and Assurance Management – the single source of truth for what has been released
SAP Road Map Explorer – the single source of truth, but this time for what is planned to be released!
Risk and Compliance Cockpit – for more granular details on this new SAP Analytics Cloud story

We hope this was useful. Keep an eye open for our next blogs in the What's New in SAP Risk and Assurance Management series. In the meantime, I look forward to reading your thoughts and comments on this blog.

And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!

SAL: SAP 'Integrity Protection Format' secured with Distributed Ledger Technology on SAP BTP Kyma 🚀

2025-11-04T21:48:39.476000+01:00

Did you know,

the S/4HANA SAP Audit Log (SAL)

has a configuration,

'Integrity Protection Format',

which enables (malicious) modifications to be detected:

2033317 - Integrity protection format for Security Audit Log - SAP for Me

2191612 - FAQ | Use of Security Audit Log as of NetWeaver 7.50 - SAP for Me

This integrity protection is an extremely important part of your holistic Security Posture.

As @kevinrichardson showed and stated in this excellent picture, 'You cannot solve today's challenges with yesterday's tools',

(Source: 002_rise_with_sap_kr.pdf)

In the ERP modernisation and transformation which is happening everywhere, there is not enough being done on Security Posture Modernisation, SAL: SAP 'Integrity Protection Format', is available now included in your License and enabled with a Profile Parameter, so why not to do it ?

The OSS Notes explain that, SAL: SAP 'Integrity Protection Format', works like this:

2033317 - Integrity protection format for Security Audit Log - SAP for Me

And that's all fine, but where does the, 'Distributed Ledger Technology on SAP BTP Kyma 🚀' fit in to the equation, where's the relevance ?

Here's the answer, this Note 2191612 - FAQ | Use of Security Audit Log as of NetWeaver 7.50 - SAP for Me has a pdf attached: Explain SAL Integrity Format.pdf , and the pdf goes on to explain that,

'You should download the HMAC Ident as a backup, but you should save it on a secure place. The log files written with that can only be checked with that. It’s important to have this HMAC key data after a system copy or if the files should be evaluated in another system than the original. '

That's where the Blockchain / Distributed Ledger Technology running on the SAP BTP Kyma comes in,

store the HMAC Keys in the Distributed Ledger Technology running on the SAP BTP Kyma

This will ensure that nobody can tamper with the keys, and therefore nobody can tamper with the SAL Audit Logs and you have the least chance of losing the keys thanks to the built in characteristics of the Distributed Ledger Technology running on the SAP BTP Kyma, HA&DR out of the box, distributed, immutable, etc.

Source: BCP: Business Continuity Planning for SAP S/4HANA - made easy with Enterprise Blockchain 🚀

Creating digital finger prints of data is going to come in to our Security Posture whether it's protecting integrity of AI LLMs or Document Grounding, Log Files, Backups and more:

SAP AI Security - How To: Tamperproof AI LLM's with SAP BTP Kyma and Enterprise Blockchain 🚀

Cyber Security Protection for S/4HANA Backups with Enterprise Blockchain and SAP BTP Kyma 🚀

If you want to try it out there's a blog here, Running Your Own Blockchain on The SAP BTP Kyma Trial: A Hands On How To Guide 🚀

Have a think about, SAP Enterprise Architecture: Positioning Blockchain Database as an Enterprise Technology Standard 🚀 and then you can SAP Enterprise Architecture: Let the Use Case find the Blockchain🚀 by following SAP Enterprise Architecture Principles and the Enterprise Architecture: Enterprise Blockchain Platform Business Capability Map 🚀

And this is why, Why I love SAP and Blockchain Databases and why you should too 🚀

If you learn one thing from this blog, it's that you can protect the integrity of your SAL Audit Logs with SAP 'Integrity Protection Format', and that is a cool feature.

Until next time,

Andy Silvey.

Independent SAP Technical Architect and SAP Basis SME [you might also find my SAP S/4HANA RISE & BTP Toolbox interesting: 🧰👷‍ The SAP S/4HANA RISE & SAP BTP - Toolbox 👷‍🧰] and CEO of atkrypto (.) io

Author Bio:

Andy Silvey is a 26 years SAP Technology veteran [26 years SAP Basis and including 12 years SAP Tech Arch including Tech, Integration, Security, Data from 3.1H to S/4HANA PCE on RISE and the BTP and everything in between, and former SCN Moderator and Mentor alumni].

Andy is also co-Founder of atkrypto inc, an startup whose ambition is to make Blockchain easy for Enterprise.

atkrypto (.) io's flagship product is the atkrypto Enterprise Blockchain Platform for SAP, and atkrypto (.) io is a SAP Partner Edge Open EcoSystem Partner.

The atkrypto Enterprise Blockchain Platform for SAP has been designed by SAP Independent Experts for the needs of SAP Customers and to be deployed on the SAP BTP Kyma Runtime Service and leverage native integration to SAP Products.

atkrypto Enterprise Blockchain Platform for SAP has a number of unique qualities, including being the only Blockchain software in the world which has a DataCenter version and a light mobile version which can run on Edge/IoT/Mobile devices and enables data to be written to the Blockchain at the Edge where that same Blockchain is running on a Server in the DataCenter, protecting the integrity and originality of data from the Edge to Insights. Taking Blockchain to the Data at the Edge instead of taking the Data to the Blockchain.

SAP EA - Real World Asset Tokenization with Distributed Ledger Technology on the SAP BTP Kyma 🚀

2025-11-10T06:21:30.705000+01:00

I is for Innovation.... EA is about... the goal of this blog is to get us thinking and talking about tokenization before the Business turn up demanding it...

I've always wished and dreamed that us SAP EA's would know our Business so well and at the same time have Road Maps for all of our Technology Standards and including Emerging Standards so that we would know what Technical Capabilities the Business requires before they even come to us with their Demand.

In reality, in my experience 9 times out 10 it's the Business who come to EA with demands for new technologies (innovations).

How do we bring in or do "Innovation" ? Ideally with Roadmaps and Emerging Technology Standards.

SAP's next generation Customer CoE guides SAP Guides for Customer COE provide thought leadership on bringing in innovations, Customer Center of Expertise - Strategy, Governance and Organization

and continuous-improvement-and-innovation-with-a-ccoe.pdf

Customer Center of Expertise

ccoe_continuous_success_en.pdf

In SAP's documentation, in the North Star Architecture, in the next generation SAP CCoE, innovation responsibilities come in to a number of Roles

And combined with the Digital Innovation Manager Digital Innovation Manager | Digital Technology and Innovation Management| SAP Community

And that is what this blog is about, innovation, and innovation in the area of Tokenization and RWA Real World Asset Tokenization.

There is a silent digital revolution going on, where evidence, assets, transactions are being given a digital fingerprint, a hash on a Distributed Ledger and being tokenized.

What is Tokenization and who's doing it and where is it going ?

Let's start by looking at what's happening in the space:

[Disclaimer - we cannot post links outside of the Community and if you want to read these articles then just go on your favourite search engine and find them]

Pairpoint - Vodafone Sumitomo JV

World Economic Forum

Fortune - Asia's quiet tokenization revolution

CNBC

Oracle

from the same article, this is how Oracle sees it:

If they all see Tokenization that way then maybe the EA innovation leads in our Organisations should be having a look at Tokenization too.

This older SAP article considered common use cases NFT (Non-Fungible-Tokens) | Digital Technology and Innovation Management | SAP Community

SAP has dipped their toes into the water with the SAP Green Ledger What Is SAP Green Ledger? | SAP Help Portal , in my opinion the scope is too narrow, Green Ledger: Where Carbon and Financial Accounting Unite SAP Green Ledger and an ERP-centric approach to reinvent carbon accounting and Carbon Accounting is the tip of the iceberg.

Learning.sap.com has some excellent resources including videos Blockchain and this incredible Blockchain course What Can Blockchain Do for You .

Have a think about how Tokenization and Distributed Ledger Technology capabilities fit towards your Business, your Business Processes, your Business Partners.

Have a think about drawing the Blockchain Capability Map, positioning Enterprise Blockchain as an Emerging Technology Standard, and then when the Business come with the Demand... let the use-case / Demand find the Blockchain, and if you want to have a play with Enterprise Blockchain on the BTP Kyma, even the BTP Trial Edition Kyma then just follow this blog and reach out if there are any questions.

And that's the purpose of this blog, to get Tokenization onto our EA radars.

What do you think, put your thoughts in the comments.

Ultimately this is all "Why I love SAP and Blockchain Databases and why you should too 🚀".

Andy Silvey.

Author Bio:

Andy is also co-Founder of atkrypto inc, an startup whose ambition is to make Blockchain easy for Enterprise.

atkrypto (.) io's flagship product is the atkrypto Enterprise Blockchain Platform for SAP, and atkrypto (.) io is a SAP Partner Edge Open EcoSystem Partner.

GRC Tuesdays: SAP GTS Edition for SAP HANA 2025, Sneak Preview

2025-11-18T07:30:00.042000+01:00

Since Christmas is not far away, I think I would grant you your secret wish: get an early preview of what’s coming in SAP Global Trade Services, edition for SAP HANA 2025.

As per the Product Availability Matrix, this release is planned for this quarter so the Help Portal will be updated accordingly in time, but, if you read this blog, it’s because Santa’s helpers – here more likely Volker Mohr from Product Management and Torsten Stolz from Engineering, have provided a sneak preview of what you can expect in this release.

Planned enhancements

Enablement of the administrator function in SAP Fiori launchpad

A modernization of the user interface for administrators is planned by providing access to transactions using SAP Fiori launchpad. This will help increase work efficiency and enable the administrator role to be consistent with other business roles.

Mass maintenance of agreement-specific product properties

This enhancement will enable users to complete the maintenance of agreement-specific properties for one or multiple products at the same time in one screen, hence reducing the administrative burden and increasing information quality at the same time.

Maintenance of country and region of origin in inbound LTSD (technical delivery)

First technical delivery in what will further be improved with subsequent Support Packages, the maintenance of country and region of origin will allow users to maintain this information in the inbound Long Term Supplier Declaration (LTSD) at the product level.

New SAP Fiori app “Manage Partners – SPL Screening”

The previous app “Manage Blocked Business Partners” will be deprecated and a new Fiori app “Manage Partners – SPL* Screening” will enable users to process all business partners, whether they are blocked or released.

This ensures that organizations can also manage business partners which were released before and block them again or add them to positive or negative lists.

In this app, the user will be able to easily navigate among screening results of different business partners.

* SPL: Sanctioned Party Lists

Updates to screening capabilities of the sanctioned party list

The planned enhancement of the screening capabilities of the sanctioned party list will help improve compliance with international regulations and ensure frictionless international trade processes by allowing “block by association” between a business partner and bank master data.

To achieve this the following capabilities will be added:

Transferring SWIFT/bank identifier codes (BICs) and benefit-in-kind (BIK) codes of bank master data from the feeder system to SAP GTS
Transferring a relationship between business partners and banks during the transfer of customers, vendors, and employees from the feeder system and storing the relationship in SAP GTS
Managing of additional addresses of account holders in the bank details in business partner master data
Screening of bank master data with related IDs in SAP GTS
Screening of customers and vendors with associated bank

Integration with decentralized advanced shipping and receiving processes

Integration of SAP Global Trade Services (SAP GTS) with support for the outbound processes of advanced shipping and receiving in a decentralized extended warehouse management and transportation management landscape for trade compliance and customs management will increase efficiency with integration of the decentralized scenario for outbound freight management supported by SAP GTS. This enhancement will include:

Compliance check for the outbound freight unit and freight order
Export declaration based on the freight order

Railway bill of lading

The Customs Waybill for Rail feature ensures compliance with U.S. Customs requirements for rail shipments by accurately transmitting waybill data. The feature addresses complexities in coordinating freight forwarders, carriers, and BOL issuers for rail cargo. Overall, it streamlines rail logistics in the context of SAP GTS processes for Importation and US Free Trade Zone processes with customs authorities.

Automated Partnering Government Agency (US PGA) change messaging

The CA/CC messages supports the changes of PGA Data of a declaration even after no change to the declaration itself is allowed any longer. The system automatically detects the changed PGA data after being changed in the declaration and transmits these to US CBP. By this you can ensure to compliantly close all PGA activities even after customs declaration fixation.

Legal changes

And of course, in addition to the functional and technical enhancements, legal changes are also planned.

These can be found in the Regulatory Change Manager which provides timely information on upcoming regulatory changes that can affect SAP products. It offers a comprehensive and well-organized collection of information, and filters by product. To focus only on updates relevant for SAP GTS for instance.

This Regulatory Change Manager service can be accessed directly from the SAP For Me portal, under the Services & Support dashboard in the sidebar.

Be the first to know!

They say that information is power, so be the first to know about the details of any enhancement in SAP Global Trade Services, edition for HANA via the dedicated SAP Help Portal Page:

What's New in SAP Global Trade Services, edition for SAP HANA | SAP Help Portal

This page consolidates delta information about all functions of this product that are new, changed, or deleted not only for the latest version, but also all previous updates, and will be updated for SAP GTS, edition for SAP HANA 2025 in due time.

Finally, on December 9th, there will also be an SAP Global Trade Services Latest Release Updates webinar focused on updates on the last shipment, but also Roadmap, Regulatory Changes and a Q&A. You can register here: SAP Global Trade Services Latest Release Updates

And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!

Roadblocks to AI Adoption

2025-12-01T13:28:01.063000+01:00

Introduction

In an era defined by rapid technological advancement, businesses face both significant challenges and valuable opportunities as they pursue digital transformation and integrate AI-driven solutions. As organisations work to maintain a competitive edge, AI’s impact on business strategy, customer experience, and operational efficiency has become increasingly pivotal.

As part of my recent doctoral studies in Digitalisation, specialising in Technology Adoption and AI Integration at IAE Nice, Graduate School of Management, Université Côte d’Azur, I explored this evolving landscape in depth through research focused on SAP customers. I am Happy to share the key findings through a series of insightful and practical articles, each offering guidance for both SAP customer leadership and SAP executives navigating the complexities of AI adoption and technology transformation.

Maximising AI Potential: A Blueprint for Business Success
Roadblocks to AI Adoption (THIS ARTICLE)
Is SAP Business Data Cloud the Answer to Your AI Ambitions?

Photo by adventtron Unsplash

With advancements in technology continually reshaping the business landscape, artificial intelligence (AI) stands out as a transformative force across industries. However, despite its potential, many organizations stumble on the road to successful AI adoption. Understanding these barriers is critical for any business hoping to leverage AI effectively.

Organizational Readiness and Resistance to Change

One of the foremost challenges in AI adoption is the readiness of an organization to integrate new technology. According to recent studies conducted by the author within SAP, involving 29 SAP customers and their SAP counterparts, many businesses lack the necessary infrastructure, skilled personnel, and strategic vision to implement AI successfully. Additionally, the cultural resistance within organizations can be a significant hurdle. Employees often fear job displacement due to automation or feel overwhelmed by the pace of technological change, thereby resisting new implementations. A customer from the Oil & Gas industry in EMEA South as part of an interview with the author stated that " The transformation is happening in three areas: people, processes, and technology. One significant challenge is that people often resist change, which is something we frequently notice when adopting new technologies. Sometimes, these technology is introduced without a proper change management. As a result, the leadership faces langes in later stages to manage the change and convince the end users to accept the AI automation and overcome their initial hesitations and fear."

Cost and Complexity Considerations

The cost involved in deploying AI solutions is another significant barrier. Setting up AI systems requires substantial initial investment in technology and training, which can be a deterrent especially for SME enterprises. Moreover, the complexity of AI technology itself poses a challenge. Companies must ensure they have the expertise to not just implement but also maintain and scale AI solutions, which often necessitates costly ongoing training and development. A customer in the Chemicals sector from EMEA South reports to the author of this article that "Yeah, it's an easy question because in the end if there's a SAP competitor upcoming next year with a cheaper alternative, then we will think about going for the SAP’s competition." According to a CSM from EMEA South team share his experience saying with the author "A customer that I managed a couple of years ago has moved away from us and they moved to a SAP’s competitor due to the cost of our solutions"

Data Privacy and Security Concerns

Data is the lifeblood of AI. However, the increasing stringency of data protection regulations such as GDPR in Europe presents a compliance maze for companies to navigate. Ensuring data privacy and securing AI interactions becomes a critical concern that companies must address, adding another layer of complexity to AI adoption. A Higher Education industry customer based in EMEA North shares that with the author "Data Privacy and security is absolutely a concern even today, thought it really depends very much on the industry."

Lack of Clear ROI

The uncertainty about the return on investment (ROI) from AI projects also serves as a barrier. AI initiatives can be experimental in nature, making it difficult to predict outcomes precisely. This uncertainty can make stakeholders hesitant to commit the required resources, slowing down or even halting AI adoption processes.

Vendor Selection and Integration Challenges

Choosing the right technology provider and ensuring the integration of AI with existing systems is another challenge for our customers. Businesses often struggle with choosing between SAP and multiple other options, each promising superior capabilities. Making the wrong choice can lead to integration issues, wasted resources, and failed projects. MEA North’s Oil & Gas industry customer expresses in an interview with the Author that "It also plays a very important role in the industry where I'm working right now, where we have to leaverage technology and AI to lead the market and to deliver the requirement of our demanding customers worldwide."

Moving Forward: Recommendations for Overcoming AI Adoption Barriers

1. At SAP, we understand the importance of cultivating a culture receptive to innovation. We must work with your business to develop comprehensive change management strategies. Our support will help alleviate resistance and ensure a smooth integration of AI into our customer’s existing processes, fostering continuous learning and adaptability.

2. At SAP, we recommend allocating resources for essential infrastructure upgrades such as RISE with SAP. Our team should assist in building AI competency through employee training programs which our leadership is already heavely investing. Additionally, we can help establish partnerships with universities and tech institutes, ensuring a steady flow of skilled talent to support your AI initiatives.

3. At SAP, we prioritise data security. Its necessary for us to help strengthen our customer’s cybersecurity measures and ensure compliance with data protection laws. By safeguarding customer operations, we will build trust among stakeholders, thereby smoothing the path for successful AI integration.

4. To demonstrate the value of AI projects, we ought to work with customers to establish clear metrics for evaluating their performance. This will help secure ongoing support from stakeholders by showcasing tangible results and a positive return on investment.

5. We believe in transparency and performance. By implementing a robust assessment process from our solutions, including pilot projects and performance benchmarks, we will ensure that our collaboration best matches our customers's needs. Our commitment is to be our customer’s trusted partner, guiding customers through successful AI adoption and implementation is the key.

Conclusion

In summary, while artificial intelligence promises transformative benefits for businesses, the journey to successful AI adoption is fraught with challenges. These roadblocks range from organisational readiness and resistance to change, cost and complexity considerations, data privacy and security concerns, uncertainty about ROI, to vendor selection and integration issues. To overcome these hurdles, businesses must approach AI adoption strategically and holistically.

At SAP, we understand these challenges and are committed to helping our customers navigate them effectively. In the light of above information, I do recommend to focusing on cultural receptivity, infrastructure upgrades, data security, clear ROI metrics, and transparent in our sales strategies, and strive to be a trusted partner in our customers' AI adoption journey. Through comprehensive change management, skill development, robust cybersecurity measures, and performance benchmarking, SAP can aim to smooth the path to successful AI integration. By addressing these barriers head-on and fostering a collaborative approach, businesses can unlock the full potential of AI and drive meaningful growth and innovation.

If you'd like to explore further, my full research article with reproach is available here. Please don't hesitate to contact me if you wish to discuss the research findings 🙂

Find me on Linked-in: https://www.linkedin.com/in/mi4po/

GRC Tuesdays: Early Preview of SAP for Internal Controls, Compliance and Risk Management Conference

2025-12-02T07:30:00.040000+01:00

After visiting Dublin, Copenhagen, Brussels, and Budapest, we continue our European tour with the SAP for Internal Control, Compliance and Risk Management Conference.

Next year, we’ll be back to the origin of this conference, in Amsterdam. If you were with us in 2018 and 2023, then this will bring back some fond memories!

During the first installation of the conference in Amsterdam in 2018, most of the discussions related to control automation and especially regarding GDPR. But things have definitely changed.

Although automation is still central to this conference, companies have started to break down compliance silos, and the 2026 theme of the conference reflects this broader approach: Driving Compliance, Managing Risk, Building Trust.

But what hasn’t changed is the continuous support from partners, the insightful customer sessions and the networking event, which have gotten more compelling every year!

New Trends and Topics Discussed

The alignment of IT Risk and Cybersecurity with the wider Enterprise Risk and Compliance framework is a process that started some time ago and will still be core to the discussions in Amsterdam, additional trends will also be at the heart of the presentations. Including how to adapt faster and more effortlessly with ever changing regulatory requirements with a delicate balance of intelligent automation and artificial intelligence to achieve compliance.

Additional “hot topics” will include:

Business AI

Automatically monitor and analyse regulatory changes
Detecting unusual patterns or behaviors
Automating the auditing process by analysing large volumes of data

Enterprise Risk and Compliance

Controlling key processes and compliance
Monitoring risks and the adequacy of your controls
Detecting fraud and investigating suspicious patterns faster

Cybersecurity and Data Protection

Neutralising cyberattacks before they cause damage
Simplifying the analysis of suspicious activities and detecting security gaps
Safeguarding the operation of SAP applications

Identity and Access Governance

Detecting and remediating access risk violations
Simplifying access management in complex environments
Managing user access in heterogeneous environments

RISE with SAP

Improving collaboration and mobility
Achieving faster time to value
Simplifying your transformation journey

Is this Conference for Me?

Quick hint: if you are reading this blog, then chances are that yes, this conference is 100% for you!

If you already are a user of SAP solutions for Governance, Risk, and Compliance for enterprise risk and compliance, identity and access governance or cybersecurity and data protection, and are looking to learn and do more, then this conference will provide you with an update on new features released but also innovative case studies and partner tips.

If you are new to the world of SAP and want to learn how others are gaining competitive advantage and staying one step ahead, then this conference will help you discover how your team can accurately and continuously monitor risks, identities, cyberthreats, and compliance across your mission-critical systems and processes.

Finally, if you would like to meet your peers to exchange best practices and expand your professional network for future development, then do join us!

Free Pre-Conference Webinar

If you haven’t attended a SAP for Internal Controls, Compliance and Risk Management Conference and are still not sure whether this is the right one for you, then have a look at our free pre-conference webinar from October where speakers from SAP, partners, and customers shared updates on the latest innovations and developments in SAP’s Governance, Risk, and Compliance solutions but also insights into what’s planned for the in-person event.

You will be able to view the recording here: Webinar - TAC Insights: Business Events & Networking

50 Words Summary

What: only event designed to bring together the ecosystem of SAP users, partners and solution experts to address SAP’s GRC and cyber security portfolio in a business-centric context
Where: Novotel Amsterdam City Hotel
When: March 3 - 4, 2026
What: have a look at the Agenda page - it will be updated as more sessions are confirmed
How: Registration page – and additional bonus: there is an Early bird rate running until December 31st 2025!

And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!

GRC Tuesdays: Tickin’ Off the Policies (GRC Christmas tune)

2025-12-16T07:30:00.038000+01:00

Like decorating the Christmas tree, baking gingerbread cookies and waiting for Santa to arrive, our yearly GRC Christmas parody has now become a tradition.

Well, maybe not as famous as the other three, but getting there!

Another tradition of course is unwrapping presents… which, for some younger ones, will inevitably be a building brick toy from a very famous Danish company. Did you know that the patent for the toy building brick was lodged in 1958 and that it is possible to combine six 2x4 bricks in 915.103.765 different ways? I don’t know about you but I surely stepped 915.103.765 times on Lego bricks hidden on the carpet!

Getting back to our topic today but staying in 1958 because it’s the time of the year to fully embrace nostalgia, this is also the year that Rockin' Around the Christmas Tree was released.

Our GRC Christmas tune will therefore be inspired by this all-time classic!

So, leave your Legos on the table (not on the carpet!) and join me in singing our 2025 Tickin’ Off the Policies parody.

Background:

The day is Tuesday 16th of December 2025, our GRC lead is finalizing his compliance training and making sure that all controls are in place to run smoothly over the holidays to protect the organization and its business.

Tickin' off the policies

Before shutting my laptop

Data privacy’s the key

Wish I’d gone to the workshop

Year-end's near, finally

And vacation time coming

One last exception to deny

And I'll send the reporting

Can't wait for my audit lead to send me his cheer

When he sees no anomaly

We’ll celebrate merrily!

Screen' all our 3rd party

Making sure they are okay

Checkin' blocked payments to prevent any delay

[🎺 trumpets ]

There is just one last item I need to clear

IT checks for security

1st line users will be happy

Control testin' activity

Automated all the way

That's how GRC should be carried anyway!

[🎺 trumpets ]

I hope you enjoyed this last GRC Tuesdays post of the year. Thank you for following us once again in 2025, reading, sharing and commenting on these blogs and I sincerely hope you will continue to do so in 2026.

As usual, if you’d like to get in touch, feel free to add a note on this blog.

Finally, in case you’d like to continue singing GRC Christmas tunes, below are links to our previous beats:

New access risks, new SoD matrix: How S/4HANA changes the approach to Segregation of Duties (SoD)

2025-12-30T05:39:35.532000+01:00

Introduction – can the SoD matrix from SAP ECC be simply copy&paste to S/4HANA?

Migrating authorizations from SAP ECC to SAP S/4HANA is not just a technical upgrade — it’s a moment when many organizations, often for the first time in recent years, take a holistic look at their access design. S/4HANA introduces a wide range of new business functionalities, which significantly impact the existing Segregation of Duties (SoD) matrix originally built for ECC.

Business layer

The way business processes operate in S/4HANA has changed significantly - new flexible approval workflows have been introduced (for purchase requisitions, purchase orders, and invoices), along with the centralized Business Partner model, extended budget control mechanisms, automated accounting based on the Universal Journal, and new cloud and cross-module integrations (FI–MM–CO–SD). Users now have broader decision-making and configuration capabilities directly within Fiori applications: such as managing approval rules, reassigning cost center (MPK) ownership, or creating ad-hoc reports using Embedded Analytics. All of this means that the business layer of the SoD matrix must be updated: some SAP ECC risks have lost relevance, while new S/4HANA ones have emerged, resulting from greater process flexibility.

Technical layer

There is also a technical layer of change, it focus on how SoD matrix business activities are technically defined (transactions, Fiori applications, OData services and authorization objects) in the SoD matrix. The way users interact with the system has evolved: instead of executing transactions in SAP GUI, they now operate through the Fiori Launchpad (tiles/intents), while access to data and operations is handled via OData services (controlled by objects such as S_SERVICE), Spaces/Pages, Launchpad catalogs, and classical backend authorization objects. Access that once relied on a single T-code is now the result of multiple layers working together (frontend: Fiori & OData and backend: tcodes and authorization objects). This means that an SoD risk can now materialize not just at the transaction level but also within an app or service — and therefore must be defined that way in the segregation of duties matrix. This new authorization architecture contribute to the fact that the traditional approach to SAP ECC access control is no longer sufficient.

The SoD matrix

At the center of every access redesign lies something many organizations tend to overlook — the Segregation of Duties (SoD) matrix. It defines access risks and identifies potential threats arising from excessive or conflicting authorizations. It establishes the level of risk for typical business scenarios in which users operate within the S/4HANA system. For example, the matrix describes risks that occur when a user can change a supplier’s bank account and subsequently post a fictitious liability in an invoice document, or when they can receive goods into inventory that never physically arrived — thereby triggering a payment process for non-existent items. In other words, the SoD matrix defines which activities in the system can be performed together and which must remain separated to protect business processes and data from errors or fraud.

In short, the SoD matrix is a structured set of risks and sensitive activities that should be analyzed, monitored, and incorporated into access management processes to ensure the security and integrity of both business operations and the underlying data.

It’s also a key focus area for financial auditors, since one of the fundamental control mechanisms for preventing misuse is a properly designed authorization model. Yet many organizations make the same common mistake: they build roles based on the principle of “who needs what,” only later asking whether that person should have such access in the first place.

GRC Hack #1: Don’t design or build roles without SoD matrix

Before you start designing authorizations, perform a business process risk analysis and use it to create your SoD matrix as this will serve as the foundation for all role design activities.
Anyone doing it the other way around makes a conceptual error that will eventually surface during an audit. Including a dedicated authorization workstream and engaging experts who understand business process risks is a crucial, yet often overlooked as a part of any S/4HANA implementation project. Remember, the SoD matrix is a conceptual deliverable is a single document that consolidates all key principles related to security, segregation of duties, and access management.

With the transition to S/4HANA, this map must be redrawn from scratch: names, logic, and process execution methods have all changed and with them, the sources of access risk.

How to Redesign the SoD Matrix in S/4HANA

Changes to the SoD matrix in S/4HANA occur across two dimensions: the business dimension and the technical dimension. The technical dimension is usually more challenging as it requires significantly more work, and without adapting it properly, SoD analysis and reports will produce completely inaccurate results. Let’s start with the technical perspective.

a)Technical Dimension

In the SAP ECC system, authorizations were primarily based on transaction codes (T-codes) and corresponding authorization objects. SoD analysis therefore focused on verifying whether a user or role combined, within their authorizations, two conflicting transactions (together with the necessary authorization objects) that should not be executed by the same person in a given business process that could generate access risk for the organization. In SAP S/4HANA, this logic still applies, but the way users interact with the system has changed fundamentally. This shift has a major impact on how the SoD matrix must be defined and structured for S/4HANA.

b)From Transactions to Fiori Applications

Users no longer enter transaction codes in SAP GUI. Instead, they work within the Fiori Launchpad, where they access applications assigned to their roles. Each application is linked to an Intent, as a combination of a semantic object and an action, which in turn calls a specific OData service in the backend. Data is exchanged via HTTP in JSON (Odata v2, XML, V4) format and is subject to additional authorization checks. This means that user access now depends on the interaction of several components:

the Fiori application,
an active OData service,
the assigned Launchpad catalog and Space/Page (despite missing page app can be available), and
the backend authorization objects.

Missing any of these elements results in an access error, typically a 403 Forbidden or No data found message. From an SoD perspective, this means that access risks can now arise not only at the transaction level, but also at the level of Fiori applications and OData services and therefore must be represented accordingly in the SoD matrix.

GRC Hack #2: Expand the Matrix to Include Fiori Applications

If you don’t add Fiori applications to your SoD matrix, your analysis will be incomplete as reports may both miss real user access risks as well as generate false positives. It’s important to understand that Fiori applications in S/4HANA are not all the same. They fall into two main categories:

New Fiori applications (transactional, analytical, or factsheet apps) – completely rewritten using SAPUI5 technology, communicating with the backend via OData services.
These are the ones that most often introduce new functions and risks, e.g.: Manage Purchase Orders (F0842A), Post General Journal Entries (F0718), or Manage Supplier Invoices (F0859).
Classic Fiori applications (GUI transactions in Fiori) – a modern UI wrapper for traditional SAP GUI transactions. In practice, these launch traditional T-codes (e.g. ME21N, FB60, VA01) directly from a Fiori tile. They still rely on classic authorization objects, but are accessed through the Fiori Launchpad.

Each application requires its own technical mapping sometimes identifying the relevant OData service and S_SERVICE authorization object and sometimes mapping it back to a traditional GUI transaction. In both cases, the same backend authorization objects from SAP ECC still apply, as they ultimately determine whether the user can perform a given operation in backend system.

Every Fiori app in S/4HANA is linked to an intent, a combination of two elements:

Semantic Object – describes what the action relates to (e.g. PurchaseOrder, SupplierInvoice, SalesOrder).
Action – describes what the user does (e.g. manage, create, display).

The full list of Fiori applications, including their corresponding OData services, backend objects, and system versions, can be found in the SAP Fiori Apps Reference Library – an essential source for anyone updating their SoD matrix for S/4HANA. https://fioriappslibrary.hana.ondemand.com/

This library contains hundreds in practice, thousands Fiori apps for S/4HANA.

Many standard SoD matrices provided by SAP or vendors include only about 200 Fiori applications, which is just a fraction of the real scope.
Conclusion: every Fiori app can represent a potential SoD risk so verifying and expanding the matrix is essential.

c) Fiori applications and OData services

In the S/4HANA model, access to business data and processes occurs on the frontend via dedicated OData services (Open Data Protocol) the integration layer through which Fiori applications communicate with the SAP backend, retrieving and writing data in real time. An OData service definition is registered in the S/4HANA system on the Frontend Gateway and includes, for example:

the technical service name (e.g. MM_PUR_PO_MAINT_V2_SRV),
the URL path (e.g. /sap/opu/odata/sap/MM_PUR_PO_MAINT_V2_SRV/),
mapping to a backend ABAP component,
authorization control via the S_SERVICE object.

Example mappings:

Manage Purchase Orders (V2) (F0842A) MM_PUR_PO_MAINT_V2_SRV – Purchasing (MM)
Create Supplier Invoice (F0859) MM_SUPPLIER_INVOICE_MANAGE – Accounts Payable
Post General Journal Entries (F0718) FAC_FINANCIALS_POSTING_SRV – General Ledger (FI)
Manage Bank Statements (F1564) FAR_MANAGE_BS_SRV – Banking (FI)
Manage Sales Orders (F1873) SD_F1873_SO_WL_SRV – Sales Orders (SD)

Each of these OData services must be activated in transaction /IWFND/MAINT_SERVICE and granted to users via S_SERVICE authorization before the Fiori app can read or write data to the backend. This is a major shift, because OData access is not tied to T-codes. It requires dedicated S_SERVICE authorization, and such access may not appear in classical role-based analyses based solely on transaction codes. Therefore, the SoD matrix must explicitly include OData services, Fiori applications, and related backend objects.

GRC Hack #3: Include OData and Fiori in the SoD matrix

A user might have access to the classic GUI transaction MIRO (invoice posting) with the required authorization objects, but lack access to the Fiori app “Create Incoming Invoice”, which uses the MM_SUPPLIER_INVOICE_MANAGE service to post invoices in the backend via Fiori. In a traditional SoD analysis, this would be reported as a potential risk, because the GRC system detects authorization for invoice posting. However, in organizations that operate exclusively through the Fiori interface and no longer use SAP GUI, the user would not be able to perform the transaction via browser access, even though the authorizations technically exist. This is a classic false positive, where a GRC system reports a risk that is not executable in practice. Such cases illustrate why SoD analysis must combine authorization logic with an understanding of how users actually work within the modern Fiori interface. Otherwise, SoD reports can become overloaded with irrelevant alerts leading to business and risks owners frustration.

GRC Hack #4: Don’t forget about OData service

OData services form a new access layer for business processes their authorization operates independently from classic transaction-level checks in the backend. If you fail to include them in your SoD matrix, a user may have real operational access to perform actions that your GRC system will never flag as risky. In S/4HANA, a typical role can include:

classic SAP GUI transactions,
Fiori applications,
OData services, and authorization objects.

As a result, the SoD matrix must now evaluate whether a role combines functions that should remain segregated in the new model. It is equally important to include custom transactions and customer-specific extensions as the standard out of the box vendor SAP matrix does not cover them.

GRC Hack #6: Technical definition must include custom extensions
Don’t rely on the standard transaction list. Add to your matrix:

all custom Fiori applications used in your organization,
the OData services those applications call,
and every custom app, T-code, or service built for your specific system.

Only then will your SoD matrix will better reflect the real S/4HANA environment.

Business Dimension

If your organization has implemented custom Fiori apps, OData services, or modified backend logic, they must be manually added to the SoD matrix definition. The out-of-the-box matrix won’t be good enough and in these areas, you’ll have blind spots. With the transition to SAP S/4HANA, not only the technical structure of roles and authorizations changes, but also the very way business processes are executed in the system. This means the SoD matrix must now include new risks that simply did not exist in the old ECC world. One of the best examples involves approval workflows for purchase requisitions, purchase orders, and supplier invoices processes that, in S/4HANA, are configured through new Fiori applications such as Manage Workflow for Purchase Requisition and Manage Purchase Order Workflows. Each of these applications allows users to define approval paths (approvers), under what financial thresholds, and in which order. They can modify conditions that trigger the workflow or even rearrange the approval hierarchy. This is a powerful automation feature, but also a new source of risk for critical access (restricted access) and Segregation of duties (SoD) violations. If a user simultaneously has access to workflow configuration, purchase order processing, and the ability to edit cost center (MPK) or WBS master data, they could, for example:

remove a budget approval step in WF config and trigger the procurement process,
change the approver (e.g., assign themselves as owner) in cost center or WBS master data,
modify approval thresholds or limit values effectively bypassing budget control and the SoD principle.

GRC Hack #7: Analyze new functionality for new SoD risks

Add a new activity to your SoD matrix: “Manage Workflow Configuration” (for requisitions, purchase orders, and invoices). While these authorizations do not directly post accounting entries, they can indirectly bypass procurement access controls mechanisms. User can change the procurement design approval logic. Monitor who has access to Fiori apps like Manage Workflows for Centrally Managed Purchase Requisitions and related backend services such as SWF_FLEX_DEF_SRV, which handle the workflow logic. It’s also important to add new SoD conflicts to the matrix. A good example is when a user can modify Cost Center (MPK) or WBS element master data, assigning ownership to themselves and then approve a purchase requisition for that same object. This is a real risk in S/4HANA that did not exist in ECC, because the approval of requisitions and purchase orders was previously controlled by dedicated authorization objects and the Release strategy mechanism.

In ECC, approval control for purchase requisitions (PR) and purchase orders (PO) was handled by the classic Release Strategy model, based on authorization objects such as M_EINK_FRG.
Fields of this object included FRGGR (release group) and FRGCO (release code), which determined who could approve which purchasing documents and at what level. Authorizations were tightly linked to document type, purchasing group, and release level the entire process was static and fully embedded within the transactional system.

As a result, SoD control was relatively simple: it was enough to ensure that a user could not both create and approve a requisition or order under the same release group. Everything was based on authorization objects and could be easily represented in the SoD matrix or analyzed by GRC tools.

In S/4HANA, this model has been simplified, but new business risks have emerged.
Approval processes are now driven not by static authorization objects but by flexible workflows, MPK/WBS ownership assignments, and configuration rules that can be changed from within Fiori apps.

New business SoD risk example in S/4HANA

A user has authorization to change Cost Center (MPK) or WBS master data (e.g., assign a cost owner) and the ability to approve a purchase requisition for that same object. As a result, the same person can give themselves control over a cost center or project and then approve related purchases, violating the Segregation of Duties principle, bypassing budget control, and creating the potential for fraud or misstatement.

New SoD risks aspects in S/4HANA

Business risks – new processes and functions (e.g., approval workflows, business partners, flexible budgets) reshape SoD exposure.
Configuration risks – users can modify workflow parameters, approval rules, thresholds, or budget role assignments.
Automation risks – result from background workflows or schedulers performing actions without human confirmation.
Integration risks – arise from API and OData-based integrations that link processes across modules (e.g., FI ↔ MM ↔ CO).

In the classic ECC environment, there was no concept of a user “programming” approval logic that could violate internal control policies. In S/4HANA, thanks to Fiori this is now a real, browser-based possibility. Therefore, the modern SoD matrix must include not only traditional actions such as Post, Change, and Approve, but also Manage Workflow, Configure Approval Process, and Change Budget Control Settings because today, risks often occur where the process is configured, not just where it is executed.

GRC Hack #8: New risks are where you configure the process not just where you execute it

In the S/4HANA environment, the line between a business user and a process configurator is becoming increasingly blurred. A person with authorization to manage workflows can, in practice, change how documents are approved — even if they formally lack posting rights. Including such roles in the SoD matrix is now a mandatory step for any organization that wants to maintain control over its procurement and approval processes in S/4HANA.

Business activity	T-Code	Fiori	Intent	OData	Authorization object	Operation type
Create Purchase Order	ME21N	F0842A	PurchaseOrder-manage	MM_PUR_PO_MAINT_V2_SRV	M_BEST_EKG, M_BEST_BSA, M_BEST_WRK, M_BEST_EKO, S_SERVICE	manage
Invoice posting	MIRO	F0859	SupplierInvoice-create	MM_SUPPLIER_INVOICE_MANAGE	F_BKPF_BUK, M_RECH_WRK, S_SERVICE	Create, change process
Sales order	VA01	F1873	SalesOrder-manage	SD_F1873_SO_WL_SRV	V_VBAK_AAT, V_VBAK_VKO, S_SERVICE	Manage

Tools Supporting the SoD Matrix and Access Verification Process

Building an SoD matrix is only half of the success. The other half is ensuring that its content is taking into account when access management process are executed. Another aspect is that it is regularly updated, and monitored as part of daily user to role provisioning and access review processes. This is where GRC-class tools come in — not only analyzing the SoD matrix and conflicts, but also storing knowledge about risks, linking them with business processes, and supporting audit readiness and compliance reporting.

SAP GRC Access Control 12.0 and the upcoming SAP GRC 2026

This is SAP’s flagship access governance solution and in 2026 it will be succeeded by SAP GRC 2026. It enables centralized role management, SoD conflict analysis, automated risk prevention, and end-to-end control over access request and removal workflows. With its Risk Library repository, GRC Access Control allows you to link business processes with transactions and authorization objects, including Fiori applications and OData services in newer releases. It’s an enterprise-grade solution, ideal for large organizations with complex system landscapes, multiple SAP environments, and strong audit requirements.

GRC Hack #8: If your organization plans to upgrade, ensure you migrate your risk repository and all custom extensions to the new version.

SAP IAG (Identity Access Governance)

SAP IAG is the cloud evolution of GRC that delivers the same SoD analysis capabilities, enhanced with identity management and cloud integration (e.g. SuccessFactors, Ariba, Concur). It supports real-time access analysis, automatic role recommendations (auto-proposals), and browser-based Access Request Workflow handling. In hybrid S/4HANA migration projects, IAG is increasingly becoming the central platform for access risk management.

smartGRC – a lightweight alternative and practical complement

smartGRC was designed to meet the need for simpler and more flexible access risk management. It provides a unified place to maintain the SoD matrix, analyze conflicts, manage periodic access reviews, and integrate directly with business processes. Unlike classical GRC, smartGRC can operate as both a complement to SAP tools or a standalone audit platform, particularly valuable for mid-sized organizations and multi- SAP and non- SAP centric system environments. The tool allows easy extension of the SoD matrix with custom Fiori apps, OData services, and non-SAP business applications — extracting authorization data and storing it in a universal XML format, making it possible to audit systems outside the SAP ecosystem. It is equipped with updated segregation of duties matrix risks functions definitions for the newest S/4 Hana system release. smartGRC supports import/export of the SoD matrix (CSV/XML) for non-SAP system, enabling easy synchronization with ITSM or JIRA supporting system.

Why these tools matter

While SAP GRC and IAG provide enterprise-grade control, smartGRC’s advantage lies in speed, adaptability, and cross-system risk analysis making it ideal where agility matters more than standardization. Tools enable organizations to:

store the SoD matrix in a centralized, structured repository linking processes, transactions, apps, and services,
perform preventive SoD risk analysis during role provisioning (“what-if” simulation before access approval),
conduct periodic or ad-hoc SoD access reviews in production systems,
integrate SoD analysis with change and approval workflows,
generate audit-ready compliance reports.

From my project experience, the standard SAP SoD matrix for S/4 Hana is only a starting point as it usually includes around 200 Fiori apps, while best in class, process-driven Sod matrices contain up to twice as many. That’s why it’s essential to extend and update your matrix regularly with custom and standard Fiori apps, OData services, and project-specific enhancements.

GRC Hack #9: Treat SoD matrix like a living system

An SoD matrix that isn’t updated after every system change quickly loses its control value. Establish a cyclical review process, ideally aligned with your development and change management process cycle, to ensure that every new app, workflow, or extension is captured, analyzed and included if needed in SoD matrix

Summary

In the S/4HANA world, a current and well-defined SoD matrix is the foundation of security, compliance, and access management process efficiency. It’s not a static document, rather it’s a dynamic control mechanism that must evolve together with the system and the organization.

Recommendations for Authorization, GRC, and Security Teams

Refresh your SoD matrix before migrating to S/4HANA, don’t simply copy the old ECC version; many transactions are obsolete, and key functions have moved to Fiori and OData.
Cover all authorization layers as Fiori apps, OData services, roles, authorization objects, and master data (e.g. MPK/WBS ownership).
Retain classic authorization objects since objects like M_RECH_WRK still play a vital control role and must remain part of the SoD model.
Integrate your GRC/IAG/smartGRC tool into the access request process as automated SoD analysis at request time prevents risk before it happens.
Implement a recurring verification cycle: Matrix → Roles → Users → Access → Audit Report the best practice and audit requirement.
Document every update and every role, app, or workflow change must be reflected in the matrix. The standard SAP list is now just a small fraction of your real risk landscape in S/4HANA.

Closing Thought

Your SoD matrix can become your strongest asset in the security and authorization area migration to S/4HANA, if it’s designed well, your business processes will run smoothly, risks will remain under control, and auditors will stay calm. Properly managed authorizations stop being a source of problems, they become a protective mechanism that safeguards both data and business integrity.

Filip Nowak, Partner

GRC Advisory

Leveraging SAP GRC for SAP HANA 2026: A Migration Path to SAP GRC for SAP S/4HANA

2026-01-13T17:35:47.005000+01:00

Introduction

Background

Following SAP’s announcement of the upcoming SAP GRC for SAP HANA 2026 release, many customers are seeking clarity on how this new version differs from the existing SAP GRC for SAP S/4HANA and what actions they should take today to prepare.

SAP GRC for SAP HANA 2026 represents the next evolution of SAP’s governance, risk, and compliance portfolio, offering enhanced capabilities and long-term support. While the new release is not yet available, customers can already take important steps to simplify their current GRC landscape and position themselves for a smoother upgrade when SAP GRC for SAP HANA 2026 becomes available.

This blog outlines why preparing now on SAP GRC for SAP S/4HANA matters, what benefits customers can expect from SAP GRC for SAP HANA 2026, and how SAP consulting services can support this journey.

Why SAP GRC for S/4HANA Now?

The move to SAP GRC for SAP S/4HANA is a preparatory and consolidation step, not something customers should delay until SAP GRC for SAP HANA 2026 is released.

Today, many customers run SAP GRC components, UI Data Protection, and Assurance & Compliance solutions across multiple systems or instances, sometimes even outside of SAP S/4HANA. Consolidating these capabilities into a single SAP GRC for SAP S/4HANA instance enables customers to:

Simplify their GRC architecture and reduce operational and technical complexity
Be technically ready for a future upgrade to SAP GRC for SAP HANA 2026

Importantly, this consolidation effort often requires significant planning and execution time, which is why starting early is critical.

Objectives

The primary goals of this paper are to:

Highlight the advantages of migrating to SAP GRC for S/4HANA.
Explain how the SAP GRC for S/4HANA version integrates multiple solutions.
Introduce SAP consulting services as a comprehensive solution for a seamless migration.

Scope

This blog highlights the benefits of migrating to SAP GRC for S/4HANA, especially for customers using:

SAP Access Control
SAP Process Control
SAP Risk Management
SAP Assurance and Compliance applications (Audit Management, Business Integrity Screening, Business Partner Screening, Tax Compliance)
UI Data Protection Masking and UI Data Protection Logging

Moving these solutions into a single SAP GRC for SAP S/4HANA instance creates a clean and stable foundation for future innovation and upgrades.

Benefits of SAP GRC for SAP HANA 2026

Enhanced Compliance and Efficiency

The SAP GRC for SAP HANA 2026 version introduces upcoming innovations designed to enhance compliance and streamline processes in which some key benefits include:

AI Integration: Use of AI for advanced risk detection and reporting.
Enhanced User Interface (UI): Improved user experience with a more intuitive interface.
Improved Reporting: Enhanced reporting capabilities for better visualization, disclosure and compliance management.

Integrated Solutions

One of the standout features of the SAP GRC for SAP HANA 2026 version is its ability to combine multiple solutions into a unified platform. This includes:

GRC Core Solutions: Access Control, Process Control, and Risk Management.
Assurance and Compliance Solutions: Audit Management, Business Integrity Screening, and Tax Compliance.
UI Data Protection: Masking, and Logging.

By integrating these solutions, organizations can benefit from:

Centralized Data Management: A unified platform for comprehensive data management and reporting.
Seamless Workflows: Improved coordination between different GRC functions.
Reduced Complexity: Simplified deployment and maintenance of GRC solutions.

Migration Strategy

Consulting Services

To ensure a seamless migration, SAP offers comprehensive consulting services. Our expert team can guide you through every step of the process, providing tailored solutions to meet your specific needs. Prepare today and migrate confidently later.

Key services include:

Assessment and Planning: Evaluate your current deployment and develop a detailed migration plan.
Migration execution: Our consulting team has both tools and expertise to perform wide range of migration tasks, from simplest to the most complex.
Technical Support: Provide hands-on technical assistance during the migration.
Post-Migration Support: Ensure a smooth transition and address any post-migration issues.

Customized Solutions

SAP's consulting services can be tailored to your organization's unique requirements, ensuring that the migration aligns with your business objectives and technical environment. Our experts will work closely with you to:

Optimize Workflows: Streamline GRC processes to improve efficiency.
Enhance Compliance: Ensure that your organization meets all regulatory requirements.
Maximize ROI: Leverage the full potential of the SAP GRC for SAP HANA 2026 version to drive business value.

Conclusion

Summary

Preparing for SAP GRC for SAP HANA 2026 starts today. By consolidating on SAP GRC for SAP S/4HANA, customers can simplify their GRC landscape, reduce complexity, and significantly lower the risk and effort of a future upgrade. SAP consulting services provide the guidance and expertise needed to make this transition efficient and well-controlled.

Implications

Successful migration to the SAP GRC for SAP HANA 2026 version will enhance your organization's compliance efforts, improve system performance, and ensure long-term support and regulatory compliance. Engaging with SAP's consulting services will make this process efficient and reliable.

Details and Benefits of SAP GRC for SAP HANA 2026

AI Integration improves risk detection and reporting.
Enhanced UI offers a more intuitive user experience.
Improved Reporting bolsters visualization and compliance management.
Integrated Solutions unify GRC Core and Assurance functions, promoting centralized data management, seamless workflows, and reduced complexity.

Additionally, for a deeper dive into the product management session and a preview of the SAP GRC for SAP HANA 2026 solution, follow this link.

Contact Us

To learn more about the migration to SAP GRC for S/4HANA and engage with our consulting services, please contact us at:

Email: sap_dmlt_gce@sap.com

Stay tuned for announcements about upcoming SAP and partner webinars!

GRC Tuesdays: What Risks to Look Out for in 2026

2026-01-20T07:10:00.025000+01:00

In previous years, I used to release a blog ranking the top risks for the year to come – as per analysts, experts and business leaders insights, but this has proven quite impossible this year.

There are mainly 2 reasons for this:

The great discrepancies in views in what the main business threats are – depending on the industry and region. When there was previously somewhat of a consensus on top risks, for 2026 onwards, the risk landscape seems be quite “fractured” with diverging opinions
The risks are more and more interconnected. An impact on one category directly increases the likelihood of adverse events in another category from occurring

As a result, instead of playing Nostradamus, I decided to try and summarize this complexity without objectively granting more weight to one area over another.

10 business threats to look out for – in no particular order

Geopolitics

With the rise of nationalism and protectionism, the multilateral globalization that fostered international commerce for decades has ceased to exist. Not that global trade won’t continue of course, but the rules are being rewritten due to weakened governing institutions. Whereas trade agreements were previously the result of year long negotiations, this is no longer the case. And it questions their longevity. Will these quickly negotiated treaties continue to apply should administrations change or the legislator rule against their implementation?

This risk category and associated events directly impact Supply Chain and Economic Conditions, but also Security since (re-)militarization and conflicts are direct consequences of shifts in the geopolitical technical plaques.

Human Resources and Talent Management

Despite globalization of the labour market, talent shortage in in-demand sectors and functions is obvious. This is further heightened by inadequate skills in these areas.

Combined with economic uncertainty and reduction in workforce for some industries, a direct consequence is a much more competitive market for both employees – who must fight for limited number of roles, and for employers – where some roles are not filled due to lack of qualified applicants.

A perfect example here is Security – and especially cybersecurity, where it is estimated that 87% of organizations are experiencing a shortfall of security talent with 3,5 million unfilled jobs worldwide.

Going back to Geopolitics, new restrictions in visa allocations decided by governments further increases the velocity of this risk as it impedes the movement of workers to countries with higher demand.

Artificial Intelligence

One of the most recent and yet pervasive top risk category is Artificial Intelligence. The more AI develops, the more it offers business opportunities but also the more it opens the door to new risk types. Ranging from legal threats with IP infringement for instance where an AI model can make use of data without licensing or authorization, to economic with Digital Disruption completely reinventing a market and even rendering obsolete Business Models, it has since quickly increased for Security risk levels as well with autonomous AI-driven cyber-attacks in the digital world or even self-directed drones in the physical world. In this regard, the Science and Security Board of the Bulletin of the Atomic Scientists who contribute to setting the time on the Doomsday Clock summarize it better than I would: “The potential for this particular technology [AI] to constitute an existential threat on its own is highly speculative, but as succeeding generations of such models are released, the potential dangers, existential or otherwise, will increase.”

A key challenge to come will be providing trust and confidence in AI systems. This could come with the implementation of Compliance and Regulations frameworks such as AI governance structures that maintain human oversight while supporting the achievement of AI’s automation promises. Recent AI legislative acts around the global are already targeting this, and their effectiveness will be crucial in achieving this balance.

Digital Disruption

Fostered by AI but not only, Digital Disruption has clearly started with the emergence of new technologies and continues to be a top risk. In addition to bringing new technological landscapes that have their own challenges, organizations also face digital disruption due to changing consumer behaviour in the era of e-commerce and digital-first customer journeys.

This is not only redesigning organizations’ marketing approaches, but it’s also impacting sales, delivery, customer support… and much more! And in some extreme cases, completely redefining Business Models.

Security – Cyber and Physical

As already highlighted in the Geopolitics and Artificial Intelligence categories, there is no doubt that Security is a major concern for organizations. Physical security with conflict zones extending in geographical scope but also now entering the cyberspace and creating a new age of hybrid attacks where crippled infrastructure poses a vital threat.

It is therefore not surprising that the Global Peace Index has worsened and that the Doomsday Clock is inching towards midnight, with only 89 seconds to spare.

But increased security threats are also the result of in-house deficiencies. For instance, Cybersecurity experts highlight that the increase in unmonitored vulnerabilities leaving companies exposed can be attributed to unsanctioned AI usage.

Economic Conditions

Previous year’s trend on rising costs – especially energy and natural resources, seem to have stabilized but are still very fragile and a persistent concern for organizations. If the global consumer price index (CPI) shows a slight inflationary decrease in 2024 versus 2023, it remains above pre‑pandemic norms.

On the downside, continued tariff driven trade tensions will likely add pressure in 2026 and render pricing and sourcing strategies much more volatile due to an unpredictable economic environment and Geopolitical decisions.

Business Model

“Business resilience” and “Shift in consumer behaviour” are the most cited keywords in reports and interviews when it comes to root causes of evolving business models.

Consumer behaviour is not just about the way customers purchase a product or a service, it is also their spending pattern of course. With pointers indicating significant slowdown in recent months, mostly due to Economic Conditions and proactive cost reduction.

For organizations that have focused on leveraging technology to fuel a new business model or overall preparedness, analyst feedback points out that the return on investment from Artificial Intelligence and Digital initiatives has been limited, often hindered by siloed data, misalignment with business needs or misguided decisions based on flawed AI outputs.

Compliance and Regulations

I have already addressed the impetus of Artificial Intelligence governance earlier and will address Sustainability reporting just below and it is undeniable that these 2 drivers will continue to spearhead new compliance requirements across the globe.

In addition, the mandate for companies to demonstrate continuous oversight of their IT systems and their incident response will remain very high, as requested by requirements such as the Digital Operational Resilience Act (DORA) and others.

As a matter of fact, associated data sovereignty directives will be increasingly strict and complex, driven by these new regulatory frameworks and heightened concerns about cross-border data flows, and cyber resilience. As a matter of fact, in this area alone, global regulations are escalating in response to growing Geopolitical tensions with over 135 countries having already implemented some form of data protection and sovereignty legislation.

Sustainability

If Sustainability initiatives have slowed down with many companies having reassessed or delayed investments and program deliveries, it can be traced back to more limited regulatory enforcement of legislation than planned, reduced global cooperation on climate change… and of course overall market uncertainty due to Economic Conditions.

That being said, there is an overwhelming consensus across all reports and interviews that sustainability and climate concerns continues to be a top risk. For companies and for the world. If escalating extreme weather conditions is driving higher insurance costs and operational disruptions, policy uncertainty around the low‑carbon transition and additional sustainability reporting rules in leading economic blocks are a reality.

It is no longer the case that companies use the green agenda as a reputation boost, but they truly must deliver on measurable sustainability performance gains and demonstrate exemplarity.

Supply Chain

Last but certainly not least in this list of top risks is Supply Chain. To me, it represents the most interconnected category. Any adverse event in another section will increase the likelihood of its own risks manifesting.

For instance:

Geopolitics: an increase in trade wars can lead to new sanctions, exports and/or imports hence, de facto, impacting supply and delivery capabilities.
Security: attacks – whether physical or cyber on suppliers, on operational sites, or IT systems can result in system shutdowns, once again preventing the company from procuring the necessary materials for producing and distributing its good and services.
Economic Conditions: with fluctuating prices and rapidly evolving consumer demands, forecasting and demand planning is becoming increasingly complex.
Compliance and Regulation: requirements such as the Corporate Sustainability Reporting Directive, the Digital Operational Resilience Act or even the EU AI Act extend transparency and accountability to the company’s third-party providers.
Sustainability: extreme weather events such a floods, droughts or hurricanes are causing more frequent and severe operational disruptions, damaging infrastructure, leading to port closures, and blocking key trade routes.

What else?

This is the question that most business leaders I interviewed answered once they had provided their views: what else did I miss?

Despite being somewhat on the horizon for the following year, at the end of 2024, tariffs were not ranked as the major concern for many organizations. That was until the US administration enforced new rules, and this completely flipped the risk landscape upside down in just a few days. From then on, at least 50% of my “risk conversations” revolved around this topic. At least for the first half of 2025.

So, I turn the question to you: is there another similar emerging risk that I haven’t captured in this summary that you think should feature? If so, feel free to add your suggestions in the comments section of this blog!

If you are interested in comparing this picture to previous years’ reports, then I have listed them below for your convenience:

And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!

What’s Next for SAP Process Control 12.0 and SAP Risk Management 12.0 ?

2026-01-21T06:36:57.454000+01:00

What’s Next for SAP Process Control 12.0 and SAP Risk Management 12.0 ? This is one of the common questions to most of the Organizations, Leaders, IT Directors, Managers, SMEs, Consultants and Vendors who are currently using SAP Process Control 12.0 and SAP Risk Management 12.0.

Before exploring the next options for SAP Process Control 12.0 and SAP Risk Management 12.0, I recommend referring to the blog below:

What’s Next for SAP Access Control 12.0?

After reading the above blog, you should now have a clear understanding of the future options for SAP Access Control 12.0.

Option : Upgrade to SAP GRC for HANA 2026 is also applicable to SAP Process Control 12.0 and SAP Risk Management 12.0.

Just as SAP Access Control has the option to “Migrate to SAP Cloud IAG,” SAP Process Control and SAP Risk Management have the option to “Migrate to SAP Risk and Assurance Management (RAM).

SAP has introduced a new cloud solution — SAP Risk and Assurance Management (RAM) — which is SAP’s next‑generation, cloud‑native platform designed to modernize and unify enterprise risk, controls, and assurance activities, built on SAP Business Technology Platform (BTP). It is ideal for customers seeking a cloud‑first governance, controls, and assurance solution with continuous innovation.

In simple terms, SAP Risk and Assurance Management (RAM) combines both Process Control (PC) and Risk Management (RM) capabilities and can be considered the “cloud version of PC and RM together.”

SAP Risk and Assurance Management (RAM) — includes the following key steps:

SAP Risk and Assurance Management (RAM) offers below Process Control & Risk Management equivalent capabilities:

Risk Management
Control Management
Control Execution
Result Processing
Issue & Remediation Management
Reporting

SAP Risk and Assurance Management (RAM) can seamlessly integrate with below systems

SAP S/4HANA Cloud
SAP S/4HANA On‑Premise
SAP Signavio Integration
SAP Analytics Cloud Integration
SAP Document and Reporting Compliance

Will be creating a new blog on “SAP Risk and Assurance Management (RAM) with different options, Pros and Cons, possible options”, stay tuned for this.

#	Scenario	Recommended Solution	Why It Works
1	Long-term on-prem/private-cloud GRC modernization	SAP GRC for HANA 2026	Unified, AI-powered platform; support to 2040
2	Cloud-first strategy (SAP RISE, SAP S/4HANA Cloud etc.)	SAP Risk and Assurance Management (RAM)	End-to-end cloud based compliance management and Risk Management

Summary

Option 1: Upgrade to SAP GRC for HANA 2026
Ideal for on-premise or private-cloud customers using multiple GRC modules. Also with complex landscape, heavy customization and workflows. Provides a unified, AI-powered platform on SAP HANA with support extended to 2040.
Option 2: Migrate to SAP Risk and Assurance Management (RAM)
Suits cloud-first organizations on RISE, SAP S/4HANA Private and Public Cloud or other BTP scenarios. Cloud-based solution built on the SAP Business Technology Platform (SAP BTP) to manage risk and compliance efficiently while benefiting from real-time performance, automatic updates, and high system availability.
Option 3: Stay on SAP Process Control 12.0 and SAP Risk Management 12.0 (Short-Term)
Gives organizations extra time for budgeting, complex landscape planning, and team training. Later can choose either Option 1 or Option 2.

Conclusion

Choosing the right path from SAP Process Control 12.0 and SAP Risk Management 12.0 depends on your organization’s strategy, timeline, and risk profile. If you’re committed to on‑premise GRC and need long‑term stability, upgrading to SAP GRC for HANA keeps you covered through 2040. For those accelerating cloud adoption, migrating to SAP Risk and Assurance Management (RAM) delivers a scalable, unified governance and assurance experience. And if you need breathing room to prepare, extending Process Control 12.0 and Risk Management 12.0 in the short term offers continuity without sacrificing compliance.

Whichever route you take, start by mapping your current landscape, aligning stakeholders on priorities, and building a clear project roadmap. Weigh the long‑term benefits against immediate constraints to make an informed decision that drives both compliance and innovation.

What option works best for your organization? Tell us your GRC challenge in the comments.

Like this post if it helped and subscribe for more SAP GRC blogs, news, tips!

SAP Process Control SAP Risk Management SAP Risk and Assurance Management

SAP GRC for HANA 1.0 (SAP GRC 2026): Useful Guide of Next‑Gen GRC

2026-01-22T08:26:21.888000+01:00

Table of Contents

1. Introduction:

SAP is entering a major transformation phase in Governance, Risk, and Compliance (GRC). With the introduction of SAP GRC for HANA 1.0 (SAP GRC 2026), SAP is consolidating and modernizing its entire GRC portfolio to support S/4HANA, cloud adoption, real‑time analytics, and continuous compliance.

SAP GRC for HANA 1.0 has quickly become one of the most discussed topics among organizations, leaders, IT directors, managers, SMEs, consultants, and vendors working in SAP Security and GRC. This 2026 release is designed for both on‑premise and private cloud deployments. It is ideal for organizations that want to remain on‑premise or private cloud while maintaining long‑term GRC capabilities, especially those using or planning to use modules such as SAP Process Control or SAP Risk Management.

SAP GRC for HANA 1.0 is SAP’s next‑generation unified GRC platform, built natively on SAP HANA.

2. Modules of SAP GRC for HANA 1.0 (SAP GRC 2026)

Within SAP’s GRC portfolio, there are multiple solutions that cover both on‑premise and cloud‑based offerings.

To learn more about the on‑premise SAP GRC solutions, you may refer to the blog Kickstart your SAP GRC Learning Journey: Introduction to SAP GRC, Submodules and useful links

To learn more about the cloud SAP GRC solutions, you may refer to the blog Kickstart your Cloud SAP GRC Learning Journey: Introduction to Cloud SAP GRC, its Submodules details

SAP GRC for HANA 1.0 is delivered as a single unified software component that includes all 8 of the following modules:

SAP Access Control
SAP Process Control
SAP Risk Management
SAP Audit Management
SAP Tax Compliance
SAP Business Integrity Screening
SAP UI Data Protection Masking
SAP UI Data Protection Logging

Image source: SAP

3. SAP Roadmap and plan for SAP GRC solutions

See below SAP Road map of existing SAP GRC v1200 and new SAP GRC for HANA 1.0 along with modules it it.

Image source: SAP

You may refer to the Details for Product Version SAP GRC FOR SAP HANA 1.0

4. Release Dates for SAP GRC for HANA 1.0 (SAP GRC 2026)

4.1. Early Adopter Customers

If you have already registered as a Early Adopters, SAP planned to release in March 2026.

4.2. Regular Customers

For General/regular availability it will be early Q3-2026

5. How to Migrate to SAP GRC for HANA 1.0 (SAP GRC 2026) from SAP GRC v1200?

Organizations can choose the “Hub Model” or “Embedded Model” for their SAP GRC for HANA (SAP GRC 2026) upgrade/migration. In case if an existing Hub Model setup customer wants to move to Embedded model, it is like a new implementation of SAP GRC for HANA 2026 but can reuse existing GRC design.

To migrate from SAP GRCv1200 to SAP GRC for HANA 1.0 (SAP GRC 2026), this requires below 2 prerequisites

SAP NetWeaver should be minimum SAP S/4HANA Foundation (it is just an upgraded version for SAP NetWeaver). This is not SAP S/4HANA full version. Organizations who are using SAP Fiori 2.0 would have already migrated their SAP NetWeaver to SAP S/4HANA Foundation. Incase if you are having lower version of GRC Support pack or still on Fiori 1.0 or using SAP NetWeaver as a base component for SAP GRC, then this is a mandatory step. In case for an Embedded GRC model, SAP GRC for HANA 2026 can be installed on S4Core.
Databased as HANA DB: SAP GRC for HANA1.0 only supports SAP HANA DB, Organizations are forced to migrate their Non-HANA Database to HANA DB.

Once the above prerequisites are complete, SAP GRC v12.0 can be upgraded to SAP GRC for HANA 1.0 release as part of their standard maintenance program, meaning no new SKU or additional purchase is required.

6. Few New features of SAP GRC for HANA 1.0 (SAP GRC 2026)

6.1. SAP Access Control

Augmented Access request process
AI supported User Access Review process
AI driven Emergency Access Management log review process for monitoring, identifying and responding to potential security threats
Fiori based Access Request and approver process
Compliance reporting with extended analytics
Out of the box Fiori based reports – OVP
Additional Data source – Integrating Identity Services IdDs
SuccessFactors – Expand rulesets to include target populations
New EAM logs for Read Access Logs (RAL)
New Fiori App for Approval Work inbox

6.2. SAP Process Control

SAP Joule integration to create Data Source and Business rules, also to understand the table and required logic.
Issue Analytics: Smartness for issue analysis and resolution
MSMP is extended to PC workflows
No new enhancements for Policy Management
Improved User Experience: Utilizing Fiori Apps for enhanced usability and accessibility (My Compliance Tasks, MCP, Assessments, Intelligent Self Diagnostic)
Single Entry Control Screen: Streamlining operation (Manage Controls)
Intelligent Self-Diagnostic Cockpit: Error analysis and resolution capabilities (CCM)
Enhanced Integration: Leveraging the SAP Integration Suite and Framework for seamless connectivity
Flexible Workflow Management: Adapting to business needs with customizable workflows
Regulatory Alignment: Integrating with Regulatory Insights for compliance and oversight

6.3. SAP Risk Management

Harmonized Email Notification – Planner/Scheduler enhancement
Business Continuity Management
MSMP is extended to RM workflows
SAP Joule integration to create KRIs, also to understand the tables/CDS views etc.

6.4. SAP Audit Management

Overview page for Audit Coverage
Import Master Data from PC/RM in same system per the push of a button
Inspection Management module
Consolidate email notifications for multiple actions
AI Supported Audit Report Generation
AI Supported work program preparation

6.5. SAP Business Integrity Screening

Fiori apps for Detection Runs
Improving performance for Managing Alerts App

6.6. SAP Tax Compliance

Bulk Edit User group attributes

6.7. SAP UIDP Masking

Extending UI Masking to ODATA V4 applications and BW/4AHNA scenarios
Configurations need to be done in Central S/4 or S/4Foundation system
No need to install it in each connected system.

6.8. SAP UIDP Logging

Streamlined UI lugging optimized for SAP HANA
Configurations need to be done in Central S/4 or S/4Foundation system
No need to install it in each connected system.

7. Key characteristics

Built on SAP HANA
HANA DB is mandatory
Fiori‑based user experience
Real‑time analytics
Cloud‑ready architecture
Integration with SAP Joule, BTP, SAP IAG, SAP Cloud Identity Services

8. Licensing model

Licence is still separate for each GRC module; hence customers need to buy a separate licence based on required module.

9. Benefits

Unified GRC platform
AI Integration
Easier deployment
Reduced complexity
Reduce TOC with increased ROI
Modern Fiori UX
Improved Reporting
Future‑proof roadmap

10.Conclusion

SAP GRC for HANA 1.0 (SAP GRC 2026) is more than an upgrade — it is a complete modernization of SAP’s GRC landscape. It brings real‑time capabilities, unified architecture, cloud readiness, and a simplified user experience.

For organizations, leaders, IT directors, managers, SMEs, consultants, and vendors, now is the time to:
- Understand the new platform
- Assess your current GRC landscape
- Plan your migration strategy
- Align with SAP’s long‑term roadmap

The future of GRC is real‑time, automated, cloud‑ready, and unified — and SAP GRC for HANA 1.0 is the platform that delivers it.

#SAP GRC #SAP GRC 2026 #SAP GRC for HANA 1.0

More Effective Security Programs Through Security Risk Quantification

2026-01-27T10:00:00.097000+01:00

By Josh Marker, Head of Security Risk Management, and Jay Thoden van Velzen, Technical Advisor, Office of the CSO

Security Risks, Enterprise Risks, and Business Priorities

This year has seen a further rise in cyber threats with increasing business impact. Just in recent months, cyber attacks have disrupted retail chains, air travel and beer production, and an entire supply chain in the automotive industry requiring government support. Managing security risks well is more critical than ever to organizations.

From our conversations with customers and partners, we know that business leaders are concerned about security and compliance risks. We also know that many security leaders still struggle to communicate security risks, and, given the current climate, face challenges to justify investment when organizations are looking to cut cost and run more efficiently. Both sides are familiar and comfortable with uncertainty and balancing their respective risks. Business leaders set out strategic directions they bet the success of the company on, by opening new markets, launching new product lines, or investing in new technologies where despite good execution external factors outside of their control may determine the outcome. Security leaders similarly chart out strategies and uplift programs they anticipate will best defend their organizations against unpredictable and ever evolving threats. The remaining challenge to action appears to be miscommunication and misalignment.

For effective communication and decision on the appropriate response, we need to translate security risks into business terms, and in ways that they can be related and prioritized alongside enterprise risks and business priorities. At SAP, we have found that a quantitative security risk approach, based on the methodology of the FAIR Institute, is very helpful in providing that, as well as hold the organization to account driving change and effective progress through measurable accountability.

Risk Identification, Analysis and Response

Every risk analysis involves some combination of probability x impact. The problem is that calculating either is very difficult. There is in cybersecurity in general a lack of good data, but organizations struggle even more to estimate to probability of a particular event to occur in their own landscape – especially if a new threat hasn’t happened yet. Impact is similarly difficult to estimate, as that depends in large part on the intent and actions of the adversary. This forces you to shoehorn more likely but lower impact events together with low probability but catastrophic potential outcomes.

The common “rainbow” risk matrix is a poor communicator for this. Even when category ranges are appropriately chosen, and position of the risk on the matrix is justified, it gives an inappropriately definite and reductive answer that allows risks to both be under- and overrated. It doesn’t tell the whole story and therefore is often not a useful communication device to convince others – especially those outside cybersecurity and business leaders - investment or action is required.

Risk Identification and Analysis with a Quantitative Approach

To better express this larger story, we need an approach that expresses risk in financial terms. It also needs to allow for uncertainty in the world. And it should account for inputs that are sometimes educated guesses.

In SAP, during risk identification, we try to capture as many parameters as possible for which we can reasonably find information or can make informed guesses on based on threat intelligence data and landscape scans of the likelihood the threat materializes in a given year. Subject matter experts (SMEs) provide the information, when can be expressed in a range – avoiding the conversation falling in “it depends” traps.

“Defenders have to be right all the time, attackers only once”, is a common theme in cybersecurity. The reality is that attackers usually require multiple steps to succeed before they reach any data and system with high business impact, giving defenders multiple opportunities to put obstacles in their way, or detect and contain them. Attackers can be extremely lucky, by obtaining credentials of exactly the right privileged administrator, but more likely they follow a longer path of initial access, persistence, privilege escalation and lateral movement. By allowing the domain experts to express a range of scenarios and consequences for these parameters, supported by data available, we get a far more nuanced understanding of the risk.

Core input for impact is based on direct financial loss in case the risk materializes, to keep the financial calculation conservative and avoid exaggerating a risk. It’s always easier to present your case when able to say other less tangible downstream consequences are not included in the analysis, and the impact could be higher.

To make sense of the data ranges in the parameters, we use machine learning and run 50,000 Monte Carlo simulations to create a model for the risk scenario. This results in a dataset that is sorted by probability and impact and plotted on a graph. A curve is drawn through the data points, resulting in the Loss Exceedance Curve. This curve and the analysis that led to that is reviewed with the SMEs to validate if they agree and accept the results.

By following the curve from the top left to the bottom right, we can see what loss we can expect with what probability. In this example, the curve starts with a steep slope, indicating that a certain percentage of cases where the risk is manifested the impact is low. After that, the curve flattens out and ends with a long tail indicating rare but catastrophic cases. The way to read this is to find a probability along the vertical axis, for example 5%, then trace a horizontal line from that value until it intersects with the Loss Exceedance Curve. Follow a vertical line down from that intersection point to find the value along the horizontal axis, so in this case there is a 5% chance to exceed $126.4M in loss (in any given year, from this scenario). An average and 90th percentile financial impact is provided as an easy to remember label used in conversations, but always with the understanding of the curve behind it.

By updating the values of model parameters, we can express how planned remediations effect the financial risk by running the same Monte Carlo simulations to produce a Loss Exceedance Curve for the risk after remediations. That provides a projection of risk reduction for any investment or effort required. The model for the risk can also be rerun when new information emerges – internally or externally – that requires updating the parameters.

Loss Exceedance Curve as Communication Device

The Loss Exceedance Curve is very useful for security leaders to better understand their organization’s security risks, and how proposed remediations reduce that risk and what risk remains after any mitigations have been deployed and operationalized. This can be a sobering exercise if the investment to remediate is too close to the risk and projected risk reduction, forcing you to reevaluate your approach. On the other hand, it can also provide strong justification for that investment if it is only a fraction of the risk and risk reduction that would deliver.

But it works also well with business- and executive leaders. The narrative can be entirely expressed in likelihood and impact in financial terms, while avoiding complexity. The conversation takes place without cyber security jargon, aside from terms business leaders are bound to be familiar with from business reports, such as ransomware attacks and social engineering. It allows business leaders to evaluate security risks better and decide what scenarios they want to protect against and whether they consider the needed effort or investment justified. At times, even a small probability of a catastrophic outcome can lead to a business decision to address a low average risk threat. In other cases, the same business leaders can be more comfortable to accept a reasonable residual risk at a higher probability. Meanwhile, there is no need to go into technical details and explain how such threats would materialize that could derail the discussion, unless a business leader specifically requests it.

When business leaders challenge the impact parameters, the model can be adjusted with more accurate information and the simulations rerun. Since business leaders typically own risks – security or enterprise – it is just as important that they stand behind the inputs into the model as the security and compliance SMEs. The balance between risk reduction and remediation cost along the curve further helps justification for investment of financial and human resources. If most of the risk can be addressed with a minor investment, this can set the upper limit of what is feasible. On the other hand, the long tail of the curve can justify a greater investment to limit the likelihood and impact of catastrophic events.

Allowing both sides to debate the risk through the Loss Exceedance Curve and follow its slope, it serves as an excellent communication device. It helps security and business leaders to get on the same page and express complex scenarios in a way both can understand and relate to.

Investment Prioritization and Optimization

The quantification of security risks enables prioritization among them and see where there may be overlaps in mitigation strategies. The remediation plan for one risk is likely to have positive impact on other risks in a layered defense approach. For instance, stronger automated network controls are likely to have a positive impact on the reachability of known vulnerabilities, beyond their immediate intent to protect the network. Such remediations should be prioritized.

Other risks can prove not to have much business impact at all in relation to others. Security professionals and business leaders are prone to overreaction when certain threats hit the media – whether through security conferences or business press – and overvalue the importance of a threat. Risk quantification assists in prioritizing what is important and avoids chasing ghosts while greater immediate risks remain. This way, constrained budgets can be optimized for greater effectiveness in risk reduction.

Security Program Governance

The effects are even greater when the risk analysis and response tracking are tied to data than indicates progress along the remediation plan. For instance, the percentage compliance of the landscape with security policies, or how well a team meets remediation target timelines for alerts from landscape scans, or how fast a team adopts a central service can be directly tied to model parameters. That way the model can be rerun with updated parameters as remediation plans progress to show how much risk has been reduced for the effort and how well the organization is progressing on the planned timeline.

The Loss Exceedance Curve aids in target setting, as well. It protects us against unrealistic expectations of targets that can’t be achieved or require high effort to squeeze out a bit more risk reduction. At the same time, it prevents organizations from setting targets too low, because it believes that is what the available resources can achieve. The Loss Exceedance Curve shows at what percentage of remediation of the threat the residual risk falls to an acceptable level. That level is the target to achieve.

Summary

The Loss Exceedance Curve helps express the uncertainty that we find in the world: ranges of values are used for inputs which means that variations in outputs need to be expressed. The Loss Exceedance Curve helps us do that, enabling better conversations among various stakeholders, including SMEs who live and breathe the cyber jargon, as well as the managers and business leaders who make decisions that govern and guide the organization.

This approach leads to truly risk-informed decisions and prioritization, rather than what feels good, what cyber textbooks tell us, what vendors sell, or what was exciting at the latest security conference.

More Information

For more information, please see:

To Be More Effective Cybersecurity Must Learn to Think in Matrices

2026-02-02T09:30:00.019000+01:00

By Jay Thoden van Velzen, Technical Advisor, Office of the CSO

Cybersecurity leaders have been recommending for years to learn to speak to the business. However, I hear from many that they are still struggling to get heard in their organizations. This is puzzling, since media and industry reports on cyber incidents with significant business and operational impact and increase in regulations have put security and compliance firmly on the agenda of business leaders.

There is still a communications gap. To get to the source of this communication challenge, it is helpful to explore how different groups in organizations look at applications.

Since the word “application” is used loosely in a variety of contexts, it is important to define what we mean by it. Following Kelly Shortridge, I define an application as a combination of technical and human resources, that is, a socio-technical system that delivers a necessary (business) function.

A human resource (HR) management application, for instance, that supports employee recruitment, compensation, learning, payroll, and so on, is composed of the technical stack of infrastructure, operating systems, code and surrounding tooling, as well as the developers, operators and administrators managing its configuration, uptime, and resilience. That holds whether the application is run on-premise, is in-house developed or comes from a third party, is operated in the cloud by yourself, by a managed service provider, or through a Software-as-a-Service provider.

Different Perspectives

However, different groups of stakeholders look at applications very differently.

Business Users and Owners

Business owners support business functions and processes. Whether intermediated through a central IT organization or functional business owners directly, they seek a solution on the market or developed in-house, and authorize purchases, fund development and operational teams to manage it in production. They are responsible for Procurement, or Finance, or HR business processes. Or an online catalog and store.

For the application users, they need to get their jobs done. They buy and sell products and services, they hire and fire employees and contractors, they manage warehouses and production lines.

That is, this group has a business to run. They don’t care how the application achieves that, or what the technical stack is, as long as it supports them in their functional role. Their domain knowledge is functional within the vertical.

Application Developers, Operators and Administrators

Applications have operators and administrators who run the application for functional business users. They manage access and authorizations, provide user support, and manage the underlying technical stack the application relies on, such as servers and operating systems, databases, backups and relevant networking. The technical stack could be on-premise or in the cloud, whether on Infrastructure-as-a-Service (IaaS) or as full Software-as-a-Service.

The application can be in-house developed or come from a 3rd-party provider. Either way, the operators and administrators need to work with the application developers or service provider on feature requests, bug fixes, or implementing patches and upgrades to the application.

This group is still closely tied to the business function. The technical teams supporting each application will know the technical stack and functionality of their application, but not that of others. Their domain knowledge is technical within the vertical space of a specific application supporting a particular business function.

Cybersecurity Professionals

Cybersecurity is cross-functional, and in case of the application technology stack, looks at it in horizontal layers. Frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) describe functions horizontally, such as Govern, Identify, Protect, Detect, Respond and Recover. Cybersecurity thinks in terms of network security, cloud security, operating system hardening, identity and access management, configure-, posture- and vulnerability management, application (or product) security, and so on, and then applies that across business functions across the application space. The domain expertise accordingly is horizontal, along layers of the technology stack.

Where cybersecurity connects with business users and executives, such as security and compliance awareness programs or mandatory training, they are often not engaged specifically targeted to their business function. Even privileged access users are seen as a singular class, rather than segmented by business function criticality. Cybersecurity sees them as undifferentiated between business functions, as if they all have the same requirements.

This horizontal, layered perspective also drives the market segmentation of cybersecurity solutions, targeting different layers of the technology stack:

network security (firewalls, web application firewalls (WAF), intrusion detection and protection systems (IDS/IPS) or anti-Denial of Service (DoS))
End point detection and protection agents
cloud posture management
vulnerability scanners
E-mail security
Security Incident and Event Management (SIEM) systems
Identity and Access Management (IAM), or zero trust access

It even has Application Security as a market category, despite lacking application-specific domain expertise.

In summary, each group has a fundamentally different view of applications:

Business users, owners: care about what the application does – functional focus on business benefit
Application developers, DevOps, operators, administrators: care about what to do to make the application work – a practical focus in service of functional requirements (including security and compliance requirements)
Cybersecurity professionals: care about what the application is composed of – a cross-functional technical stack focus on security and compliance

Diagram illustrating the different worldviews of application owners, users, and operators along business functions, and Cybersecurity teams who look at the world horizontally in layers of technical stacks.

The diagram above illustrates these different ways that our groups perceive their function.

Misaligned Communication

There is no wrong or right. These differences in perspective are the natural outcome of performing a vertical business function or a horizontal, cross-organizational one. But it has clear implications for misaligned communication and the potential pushback against central security programs from business units. A couple of examples can illustrate this:

Cybersecurity sets a policy for Single Sign On (SSO) and Multi-Factor Authentication (MFA) for application access, a solution has been acquired, and teams are expected to onboard. Several business units raised objections that they need an exception because
- their application vendor doesn’t support the solution
- is too old to adopt it
- the developer has left but the application still provides a business function, or
- they’re a new acquisition and have a completely different technical stack and a competitive solution is in place
A business unit always misses their vulnerability management target on their application and escalations from cybersecurity are frequently denied, because patching requires a reboot that would disrupt critical business operations
To be more agile and resilient and save cost, a business unit decides to adopt a cloud solution. Since they want to move fast, they didn’t engage the cybersecurity team in advance, because “they just slow things down”. During implementation, the security team comes with a long checklist of requirement, delaying adoption of the solution.
Application teams taking it upon themselves to secure their applications while the cybersecurity team is mostly concerned with their OS and network logs and configuration
Cybersecurity never managing to get the budget their need from the business

This miscommunication persists even now that business executives through their professional networks and media are increasingly aware of the potential business impact of security and compliance incidents, if not direct experience.

Cybersecurity Must Learn To Think in Matrices

Cybersecurity must learn to think in matrices. That is, cybersecurity must learn to apply their horizontal domain expertise to the different business functional verticals to properly understand the context of what they are trying to protect. Teams must be sensitive to both the variety of technology stacks in their organizations and the value to the business functions these applications and their operating teams provide. “Enabling the business” means to enable the business functions to operate securely, not only to secure their technology stacks.

Cybersecurity mustn’t lose its horizontal perspective. Central governance, policies and services are more effective and efficient than fragmented and different in each business unit. But without the additional understanding of the vertical perspective cybersecurity can’t be optimally effective either.

At SAP, this matrixed cybersecurity function is achieved through the central-and federated Business Information Security Officer (BISO) model. This consists of a central Security and Compliance organization that sets policies and standards, mandates security solutions, runs central security programs and services, security and exception management, and provides central governance. This is paired with BISO teams within the different business units responsible for ensuring security and compliance requirements are implemented and followed in their unit. Together it creates a continuous dialogue between the central organization and the business units, where the BISO teams help provide the context and constraints of their specific vertical and the cyber teams provide the horizontal domain expertise.

Recommendations

Learning To Listen

Setting up a matrixed operating model doesn’t work if we don’t learn to listen, or it just becomes another forum to talk past each other. Central cybersecurity teams can often dismiss any objection by business units as an excuse not to do something, and inevitably that is sometimes the case. But in many cases, there are real constraints that should be acknowledged. It’s hard to convince a business unit that a potential but not materialized risk must be mitigated with urgency when doing so causes business disruptions with a guaranteed price tag.

Quantitative Security Risk Management as an Aid

Quantitative security risk management can be an effective communication aid that works both ways. It is easier to articulate the probability of real business impact if the security risk is not remediated, and it justifies the cost of remediation in relation to the risk. But it also educates and disciplines the cybersecurity team on what is critical and important to the business, and what is therefore more important to protect. This can be enlightening, but also sobering, if the plan to address the latest hyper cybersecurity trend proves to cost too much relative to the risk it is meant to address.

More on how SAP uses quantitative security risk management can be found in this article.

Cloud Transformation and Platformization as Opportunities

Cloud transformation and the trend of platformization in software and services provides further opportunities. Technology stacks can be simplified both horizontally from the bottom up - through use of IaaS - and vertically - through moving from spot solutions to integrated platforms and application suites. By doing so, we make the matrix simpler, reducing complexity. Cloud transformation reduces the depth of the technology stack by outsourcing more responsibilities to cloud providers. Platformization reduces the width and variety of the technology stack by reducing the number of different solutions to support, operate and integrate.

Look Beyond the Tech Stack

Applications have a business function. They are not only a collection of code, infrastructure, network configurations and open-source libraries that may be vulnerable to SQL injections, cross-site scripting, or directory traversal. To secure applications, and not just the components in the technology stack, requires domain knowledge of the application. Otherwise, we miss what the application is for, how it and its business logic can be abused, and what impact such abuse would have on the business function it supports.

SAP and the partner ecosystem provide security solutions with application domain expertise, that is, they are aware of what the application is for, and how it can be abused, within the context of the application and business function it provides. Explore if similar solutions exist for your other applications.

Even further, cybersecurity must understand the social aspects of the application as well – the constraints that developer and operations teams are under – for instance in terms of budget and headcount. Security teams also must have a sense of how application users use it and how it helps them perform their business function. When users bypass your security controls, sit with those users to understand what they need to do to do their job.

Finally, understanding the challenges and motivations of those in the business unit makes the communication with the business owners much easier.

This is how we get better.

More Information

For more information, see:

GRC Tuesdays: Drive Compliance, Manage Risk, Build Trust at SAP CCR Conference 2026 in Amsterdam

2026-02-03T07:30:00.016000+01:00

Every 100 years, a major event transforming the risk and compliance landscape takes place:

1726 – The United Kingdom enforces 2 new trade compliance acts – the Importation Act for importing salt from Europe into the Province of Pensilvania (sic) and the Taxation Act for “Duties upon Malt, Mum, Cyder, and Perry”. Proving that tariff and trade restrictions have a long history.
1826 – Nicéphore Niépce takes the first photograph in history and trust in what is reported by other parties is established. Quality auditors will soon embrace this technology for their missions… Later to be questioned by AI but that’s a whole different story.
1926 – The United States Congress passes the Air Commerce Act. Creating safety standards for civil aviation, an industry-wide scale risk mitigation to reduce accidents.

1726 for Driving Compliance with new legislation, 1826 for Building Trust with photographic proof, 1926 for Managing Risks to commercial flying… And now, in 2026, it all comes together: Drive Compliance, Manage Risk, Build Trust at the SAP for Internal Controls, Compliance and Risk Management Conference on March 3rd and 4th in Amsterdam!

Whether you are already using SAP solutions for Governance, Risk, and Compliance, or looking at options to help you automate your GRC processes, then this two packed days of great content, inspiring talks, and valuable networking opportunities is the perfect channel. Since you missed the tectonic changes of 1726, 1826 and 1926, make sure you don’t miss 2026!

Keynotes

After a welcome by TAC Insights, in the SAP opening session, Axel Vetter – Head of Product Marketing for Quote-to-Cash and GRC will kick-off the conference with an overview on how to enhance your organisation’s agility in meeting new compliance requirements — and turn regulatory change into a business advantage.

Then, Dr Bruce Garvey – Managing Director from Strategy Foresight and Adam Svendsen – Associate Professor from the Norwegian Defence University College, will explain how Foresight provides “Strategic Options Analysis” acting as an insurance against uncertainties defined as “unknown-knowns” and “unknown-unknowns”, hence improving organisational resilience.

Later on the first day, Turnkey Consulting and SAP will unpack the Shared Responsibility Model within RISE, clarifying exactly what SAP manages – and what remains in the customer’s hands.

Customer Stories

As for previous years, this conference is centred around customer case studies which has been a key success criterion for attendees to this event. But don’t just take my word for it. Here are a few testimonials from previous attendees:

Use cases that will you hear about from representatives of

Compliance, Control and Risk Management (“CCR track”)

Utilizing AI with SAP Process Controls to streamline controls, enhance risk visibility and drive greater efficiency.

Practical developments including the implementation of manual control performance, continuous control monitoring, control design assessment, risk assessment workflow, and backend mass upload functionality to strengthen the internal control system cycle and drive efficiency.

Insights into Transport for London’s journey in identifying key gaps, implementing sustainable improvements, and embedding risk-aware practices across the organisation by leveraging SAP GRC solutions.

Common challenges organisations face in governance, access management, process controls, and audit readiness, and how targeted improvements and modern tooling can drive measurable results.

The ongoing journey from manual controls to digitally-enabled efficient controls through SAP Process Control, the challenges faced in scaling a solution internally, and the response to these challenges.

How engaged teams (People), strong security and control foundations (Protection), and clear business priorities (Performance) work in unison to transform GRC from a compliance tool into a driver of growth, innovation, and resilience.

How SAP S/4HANA drives automation and process efficiencies to make the overall internal controls environment robust, resulting in greater effectiveness, transparency, substantially, flexibility, and efficiency.

How organisations can simplify access governance, automate key controls, and improve visibility across complex landscapes.

Identity and Access Management & Cybersecurity and Data Protection (“Cyber track”)

Enhancing security, compliance, and governance across their SAP landscape using SAP GRC and cybersecurity solutions.

Taking SAP GRC beyond out-of-the-box functionality to deliver smarter, more efficient, and more resilient governance, risk, and compliance processes with a chatbot for SAP Access Control to answer user queries on assigned and available access and a link-monitoring engine integrated with ticketing systems to automatically raise incidents for failed controls in SAP Process Control.

An exploration on what effective emergency access management looks like in a hybrid landscape, the pitfalls organisations face, and practical steps to strengthen control and compliance.

Why introducing SAP Enterprise Threat Detection, Cloud Edition helps close key security gaps. This presentation will include an overview of how the solution works and what it takes to move from project to stable operations.

How SAP Identity Access Governance automates workflows, streamlines user provisioning, accelerates onboarding while reducing manual effort and risk to create a security model that is not only stronger, but smarter and more scalable.

How to adopt a best-of-breed strategy across SAP, Microsoft, and specialized third-party tools to build a fully integrated and future-ready security and compliance framework.

How to navigate a complex SAP S/4HANA brownfield conversion while simultaneously building a future-proof security and compliance landscape.

How to reinforce resources in terms of time and investment dedicated to proactive security measures, recognizing that robust protection is a strategic imperative, not just a technical task.

Key challenges encountered during the migration and operation in a cloud-based landscape, the security measures implemented, and the best practices adopted for effective access control.

Masterclasses

This year, we’ll also be innovating with GRC Masterclasses. A model already widely successful at other TAC Insights & SAP events where Partners and SAP experts from Product Management and Consulting, provide a deep dive into a particular technology or module from a solution. These supercharged and interactive sessions represent the perfect opportunity to take a deeper look at a specific topic of interest and then continue the discussion with the experts directly at their booth.

Networking breaks & evening event

This event is also a great opportunity to learn from other industries and geographies, recruit into your team and expand your professional network for future development.

And because this is easier done in an informal setting, networking and lunch breaks also planned to give you time to interact with your peers, but also with SAP experts all along the 2 days.

Finally, we will wrap up day one of the event with canape and drinks at the beautiful Zuidpool waterfront:

Wait no more: joint us on March 3rd and 4th 2026 in Amsterdam!

As a next step, I would suggest a simple 4 phase approach:

Pick your sessions of interest in the Agenda
Book your Tickets
Plan your travel to the Venue
Stay updated by joining the Mailing List

I hope to see you there and, in the meantime, feel free to add your thoughts and comments on this blog.

And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!

What’s New in SAP Cloud Identity Access Governance

2026-02-03T23:52:32.042000+01:00

Strengthening Access Visibility, Automation, and Governance

As organizations continue to modernize their system landscapes, access governance must adapt to increasing complexity. Managing users, roles, groups, and entitlements across hybrid and cloud environments calls for clearer visibility, smarter integration options, and dependable audit support.

The Q4 2025 updates to SAP Cloud Identity Access Governance (IAG) introduce a fresh set of enhancements spanning application integrations, APIs, job management, and reporting. These additions bring more flexibility, improved insight into access data, and expanded options for governing access. As a result, this helps teams work more efficiently as their environments grow and evolve.

Let’s take a closer look at what’s new in this release!

Seamless Application Integration with SAP HANA Cloud

SAP Cloud Identity Access Governance now supports deeper integration with SAP HANA Cloud, enabling synchronization of users, groups, and group authorizations. This integration lays the foundation for consistent access governance by supporting risk assessment, user provisioning with group assignments, and certification processes, all from a centralized governance layer.

Please refer to the following for more information: Help Portal Documentation

User Filter Support Across All Applications

User filter functionality is now extended to all SAP Cloud Identity Access Governance integration scenarios. This enhancement allows customers to exclude users who do not need to be governed, ensuring governance efforts remain focused and effective.

Please refer to the following for more information: Help Portal Documentation

Enhanced Access Request API for Greater Flexibility

The Access Request API has been enhanced by removing the mandatory domain field and introducing flexible user identification options. Users can now be retrieved using identifiers such as email, global user ID, or a universal search parameter.

Please refer to the following for more information: Help Portal Documentation

Manage Jobs - Change History Visibility

A new change history capability has been introduced in the Manage Jobs application. Administrators can now view updates made to jobs, including pause and resume actions, as well as the users responsible for those changes.

Please refer to the following for more information: Help Portal Documentation

Business Role Coverage Report

The new Business Role Coverage Report provides clear insights into how user roles are mapped within business roles. With smart filters, intuitive selection tools, and easy download options, administrators can quickly identify gaps and ensure proper role coverage.

Please refer to the following for more information: Help Portal Documentation

Unassociated Access Report

Embedded within the Business Coverage Report, the Unassociated Access Report helps administrators identify roles and groups that are not linked to any business roles. Users can drill down into details and refine searches using smart filters to pinpoint specific unassociated accesses.

Please refer to the following for more information: Help Portal Documentation

Access Report

The Access Report provides a comprehensive view of all users along with their assigned and unassigned accesses. It also shows how accesses relate to business roles, making it easier to validate access origins and appropriateness.

Please refer to the following for more information: Help Portal Documentation

Access Usage Report

The new Access Usage Report combines the functionality of the previously separate Unused Access and Actively Used Access reports into a single unified view. It supports on-premise and ABAP-based systems, including SAP HANA on-premise and SAP ERP.

Please refer to the following for more information: Help Portal Documentation

Closing Thoughts

These enhancements mark another strong step forward for SAP Cloud Identity Access Governance, bringing greater clarity, flexibility, and control to how organizations manage access across increasingly complex landscapes. From deeper integrations and APIs to unified reporting and stronger audit transparency, this release is designed to help teams govern access with confidence, efficiency, and precision.

As access governance continues to evolve alongside cloud and hybrid environments, SAP Cloud Identity Access Governance remains committed to delivering practical, scalable innovations that reduce risk, simplify operations, and support compliance at every stage. We’re excited to see how these capabilities help you strengthen your governance processes, and we look forward to continuing this journey with you as even more improvements arrive in upcoming releases.

For more details and configuration guidance, please refer to the SAP Help Portal documentation for SAP Cloud Identity Access Governance.

Empty

2026-02-08T22:38:38.247000+01:00

Empty

GRC Tuesdays: Unleashing Artificial Intelligence for Regulatory Insights with SAP

2026-02-17T07:00:00.092000+01:00

You may recall a GRC Tuesdays blog released some time ago (cf. Implications of AI in the field of Regulatory Compliance) where I mentioned a Customer Influence program investigating the use of artificial intelligence in the area of regulatory intelligence and internal control.

Well, I have good news: Engineering teams from across SAP have come together for an end-to-end compliance platform and have now released a new SAP Business Technology Platform service for regulatory insights natively integrated with SAP Process Control for end-to-end regulatory intelligence.

Why the need for an automated service?

According to analysts, there are over 300 regulatory changes every day. Of course, not all these updates will impact your organization, but you may still need to check them to assess the (lack of) impact. In many organizations, this is done manually internally or outsourced to specialized 3rd party providers. And there is therefore a cost in monitoring these updates. Especially since the business impact assessment is usually performed by legal subject matter experts.

Furthermore, the identified regulatory changes then need to be reflected into your internal control framework or gaps can occur between the regulation and the controls being tested… which would be problematic.

As a result, digitalization becomes a key objective for compliance surveillance to reduce the cost, but also to increase the efficiency and resiliency of the control framework itself to ensure legal requirements are continuously met, and that nothing falls through the cracks.

Regulatory Compliance

Jointly leveraging multiple artificial intelligence areas such as text mining, natural language processing and large language models, the new service for regulatory insights automatically analyses and highlights risk and control changes in legal texts, best practice procedures or policies and suggests updates to existing controls or even new control definitions if needed. It also offers analytical insights into control coverage and gap analysis as well as recommendations to reduce the gap.

How does it work?

Unlike a magician that never reveal its tricks, there is no magic here – and Regulatory Insights certainly doesn’t function as a black box. So it is transparent and more importantly auditable.

Upload document & automatic parsing

User uploads relevant document (regulatory framework or control standard, internal policy, etc.) which gets parsed and stored.

Automatically detect & extract control definitions

Regulatory Insights automatically detects and extracts control definitions into a structured format.

Document red-line analysis & control delta analysis

Control definitions are compared between versions to flag, add, subtract and/or change deltas.

Control mapping (not in scope of 1st release but coming soon)

New control definitions are mapped to any similar existing ones to empower joint implementation.

Dashboard with Gap & Coverage Analytics (not in scope of 1st release but coming soon)

Analytics dashboard for gaps and coverage of (mapped) controls are visualized together with action recommendations.

Updated content in SAP Process Control

Thanks to dedicated SAP Fiori applications, information from regulatory insights can be leveraged in SAP Process Control to create, map and adjust the internal controls. Simply select the Regulatory Insights Framework, the associated Regulation in SAP Process Control and create new controls or map to existing ones! This ensures a seamless flow from the regulatory intelligence to the control operations.

Unlock business benefits

In summary, Regulatory Insights enables companies to automatically detects changes in regulatory documents, maps changes to controls, and suggests recommendations to mitigate risks for non-compliance. With this service, organizations can:

Mitigate and reduce risk of non-compliance, business disruption and reputational loss

Boost efficiency and speed up time-to-action by lowering the cost and effort for regulatory compliance

Make informed business decisions by leveraging smart technologies

More to come!

This release already supports a variety of regularory frameworks – including various versions of CELEX, SAP Security Baseline Template, COSO, ESRS, C5, COBIT, FitSM, GHB, MaRisk, NIST Security & Privacy (NIST SP 800-53), IT Act, SOX, and Experimental - which allows end users to upload and test requirement extraction on additional regulations that are not yet officially supported. But the team is continuously evaluating further frameworks and working towards a generic solution to extract compliance requirements from a larger variety of document sources.

Interested in learning more?

If you’d like to dive a little deeper here and hear more about it before it’s in general availability, I recommend the following resources:

Finally, if you would like to participate as a customer to the Early Adopter Care program, feel free to register. The campaign is open until June 23rd 2026: Smarter Regulatory Analysis with AI : SAP Regulatory Insights Early Adopter Launch

What about you, how does your organization manage regulatory surveillance? I look forward to reading your thoughts and comments on this blog.

And if you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!

GRC, Trade and Tax in SAP Cloud ERP 2602

2026-02-19T14:07:53.164000+01:00

Hello Experts,

I'm excited to share the update regarding our latest release - GRC, Trade and Tax in SAP Cloud ERP 2602. This update highlights many significant innovations from SAP Risk and Assurance Management, SAP Watch List Screening, SAP Document and Reporting Compliance, as well as SAP Cloud Identity Access Governance.

For a quick overview of the top release highlights for GRC with 2602, you can watch the video below.

Video 1. Release Highlight Video for GRC, Trade and Tax in SAP Cloud ERP 2602

This blog covers the following innovations:

SAP Document and Reporting Compliance

AI-assisted trend analysis and summary for reports (beta)
Embedded analytics to facilitate VAT adjustments
E- verify and Automated Handling of Draft VAT Returns from Authorities
Enabling Electronic Invoices Through KSeF 2.0 for Poland

SAP Risk and Assurance Management

Extended analytical and reporting capabilities: new reporting dashboards with SAP Analytics Cloud, enterprise edition

SAP Enterprise Threat Detection

Intelligent alert handling and investigation recommendations
Management-focused monitoring dashboard

SAP International Trade

Export declaration for plants abroad in the context of Registration for Indirect Taxation Abroad (RITA)

SAP Watchlist Screening

Delta Screening

SAP Document and Reporting Compliance

AI-assisted trend analysis and report summary

Tax accountants often spend significant time validating data by comparing current tax figures with previous returns. To accelerate this process, we introduce AI-assisted trend analysis for VAT returns. This feature helps tax experts by automatically uncovering hidden trends, flagging outliers, and detecting root causes for discrepancies. It provides intelligent summaries that can be used to simplify the approval process and support future audits. This innovation allows the team to move from reactive validation to proactive analysis.

Picture 1. AI-assisted trend analysis and report summary

Value Proposition

Reduce the time needed to interpret VAT data across periods, leading to faster reviews, quicker approvals, and shorter reporting cycles.
Accuracy is improved and compliance risk is reduced. This helps identify anomalies early, minimizing manual errors and lowering the risk of incorrect filings.
Easy to make clear and informative data-driven decisions.

Capabilities

The analysis highlights key trends, fluctuations, and irregularities, and flags values that help to identify potential errors or compliance risks.
Provide concise summary of key VAT insights to support faster reviews, approvals, and decision-making.

Embedded analytics to facilitate VAT adjustments

During the preparation of statutory reports, tax experts require deep visibility into their data to ensure accuracy. With the 2602 release, the 'Manage Tax Items' activity within SAP Document and Reporting Compliance is enhanced with a powerful ''analyze data" option.

This provides tax experts with additional fields and the flexibility to analyze tax data to identify anomalies. Now you can easily see how invoices are mapped to your VAT returns and pinpoint any documents that might have been excluded, enabling seamless adjustments integrated directly with accounting. To further tailor the solution, you can now use extensibility to plug in your own custom analytics CDS views, allowing you to choose between standard SAP-delivered queries or your own defined views for analysis.

Video 2. Embedded analytics to facilitate VAT adjustments

Value Proposition

Advances the VAT review and adjustment by integrating analytics.
Improves accuracy and strengthens compliance through data-driven decisions.
Reduces manual effort and reliance on offline analysis and external tools.
Enhances analytical transparency and enables faster and more confident decision-making.

Capabilities

Embedded analytics within the Manage Tax Items for Legal Reporting application
Direct access to detailed VAT tax line-item records with added data points
Interactive analytical views with charts, filters, and drill-down capabilities
Trend analysis and comparisons across multiple VAT dimensions
Identification of documents for inclusion in or exclusion from VAT returns
Analysis at the point of action without switching applications
Support for efficient VAT reconciliation and compliance preparation

For more information, see: Manage Tax Items for Legal Reporting | SAP Help Portal

E- verify and Automated Handling of Draft VAT Returns from Authorities

A growing number of tax authorities are providing pre-populated, or draft, tax returns based on real-time transactional data. Our latest update helps you automate the handling of these draft returns, ensuring consistency with your company's books. With this feature, you can pull auto-populated returns from an authority's portal and automatically compare them with the returns prepared in your ERP system to identify any mismatches.

Based on the reconciliation results, you can then process actions such as submitting a delta file, accepting, or rejecting the draft. This streamlines the entire process, from review and correction to the submission of the final return.

Video 3. E- verify and Automated Handling of Draft VAT Returns from Authorities

Enabling electronic invoices through KSeF 2.0 for Poland

With the Polish Ministry of Finance enforcing the use of electronic invoices through the KSeF 2.0 platform beginning in February 2026, we are equipping you to meet this mandate head-on. SAP Document and Reporting Compliance now enables you to generate B2B e-invoices in the required XML format from both Finance (FI) and Sales & Distribution (SD), including tax invoices, correction invoices, down-payment invoices, and self-billing invoices. You can submit these invoices interactively to KSeF 2.0, visualize them in a human-readable PDF format with a QR code, and retrieve supplier invoices for automated posting.

Picture 2. Enabling electronic invoices through KSeF 2.0 for Poland

SAP Risk and Assurance Management

Extended analytical and reporting capabilities: new reporting dashboards with SAP Analytics Cloud, enterprise edition

We are introducing the new Risk and Compliance Cockpit, an SAP Analytics Cloud story that gives you an instant, comprehensive overview of your organization's compliance landscape.

This dashboard empowers compliance managers to identify process inefficiencies by visualizing compliance issues organized by type and status, with charts showing trends over time. It makes it easy to compare current performance against historical data, highlight long-term trends, and identify deviations. With insights into average issue resolution times and year-to-year analysis, this single source of truth helps you prioritize critical unresolved issues and improve operational efficiency.

Video 4. Extended analytical and reporting capabilities: new reporting dashboards with SAP Analytics Cloud, enterprise edition

Value Proposition

Get an instant overview of compliance issues, organized by type and status
Improved operational efficiency supported by trend and year-to-year analysis
Charts visualize trends over time
Overview of what to prioritize by highlighting critical unresolved issues

Capabilities

Identify inefficiencies in organizations' processes
Instant overview of compliance issues
Filter business data to examine specific categories of compliance issues
Visual and comparative analysis of data
Compare current performance while highlighting long-term trends and deviations

For more information, see: Risk and Compliance Cockpit

SAP Enterprise Threat Detection

Intelligent alert handling and investigation recommendations

In SAP Enterprise Threat Detection, cloud edition, investigations are the central hub for examining security incidents. This new capability automates and enhances this critical process.

The primary value of this feature is to decrease the manual effort required by SAP monitoring agents and increase their overall efficiency. When an agent prepares an investigation to send to a customer, they are now supported with automatic, case-specific response and mitigation recommendations.

This helps teams by automatically compiling investigation results and formulating suggestions for customers on how to address the alerts. The system intelligently generates these recommendations based on the standard operating procedure of the specific pattern that created the alert, further enhanced by predefined value lists and machine learning functionality. This ensures that the advice provided is both highly relevant and immediately actionable, allowing your security teams to move from detection to resolution faster and more effectively.

Picture 3. Intelligent alert handling and investigation recommendations

For more information, see: Generating Investigation Recommendations

Management-focused monitoring dashboard

We are introducing a powerful new monitoring dashboard within SAP Enterprise Threat Detection, cloud edition, specifically designed for management roles. In today's complex security landscape, having a clear, high-level view of your organization's cyberhealth is not just an advantage; it is a necessity. This new dashboard is for all managers and security leaders who need to quickly understand current security events, alerts, and ongoing investigations to make informed, timely decisions.

It facilitates a deeper understanding of complex security data by offering a comprehensive picture of your system's cyberhealth and protection status. The dashboard also shows the distribution of security events by various criteria, effectively highlighting the most affected systems, patterns, and users to help you focus resources where they are needed most.

To ensure the information is tailored to your specific needs, you can also create your own personalized monitoring pages with a selection of charts that are most relevant to your responsibilities..

Picture 4. Management-focused monitoring dashboard

For more information, see: Using the Monitoring Dashboard

SAP International Trade

Export declaration for plants abroad in the context of Registration for Indirect Taxation Abroad (RITA)

For businesses operating with plants abroad, ensuring the correct export declaration is crucial. In a plant abroad scenario, this feature ensures that the country of the delivering plant, rather than the country of the company code, determines the correct foreign trade organization for the customs declaration. This enhancement improves compliance with international trade regulations for businesses leveraging the "Registration for Indirect Taxation Abroad" (RITA) scope.

Value Proposition

Enhance compliance with trade regulations by ensuring the correct foreign trade organization is used for export declarations.

Capabilities

Manage your export declaration in SAP Global Trade Services using the foreign trade organization within the country of the plant abroad.
Identify plants abroad on pro forma invoice line items by considering countries where registration for indirect taxation (RITA) is enabled.

In SAP Cloud ERP, a billing document exists where goods delivery is performed via a foreign plant, for example, the plant country is different from the country of the company code.

Picture 5. Export declaration for plants abroad in the context of Registration for Indirect Taxation Abroad (RITA)

In SAP GTS, Edition for SAP HANA, the FTO of the corresponding export declaration is now determined based on the legal unit corresponding to the foreign plant used in the billing document.

Picture 6. Export declaration for plants abroad in the context of Registration for Indirect Taxation Abroad (RITA)

For more information, see: Enablement of Plants-Abroad for Export Processing and Foreign Plant

Delta screening with SAP Watch List Screening and manual release of blocked document items

Continuous compliance with sanction party lists is critical. Screening requests sent to SAP Watch List Screening will now remain active for delta screening for up to one month. This means the system automatically performs delta screenings against any changes to watch lists and updates the status of your business partners and documents accordingly, providing automatic coverage without requiring new manual screenings.

Additionally, for situations requiring manual intervention, the "Manage Documents - Trade Compliance" Fiori app now allows authorized users to manually release a trade compliance document item that is blocked. This creates a simple, straightforward, and auditable overrule process to comply with legal requirements while ensuring business continuity.

Picture 7. Delta screening with SAP Watch List Screening and manual release of blocked document items

For more information, see: Integration with SAP Watch List Screening and Delta Screening in SAP Watch List Screening

Watch the replays of our SAP Cloud ERP 2602 Early Release Series!

From January 12-16, we hosted a series of 22 expert-led live sessions to highlight the exciting innovations shipped with the SAP Cloud ERP 2602 release. Missed the live sessions? We've got you covered! Take advantage of the entire series or pick and choose the sessions most relevant to you. You will find the recording and presentation for Artificial Intelligence as well as 21 other topics of interest. Don't miss this chance and watch them on demand–anywhere, anytime.

Find all our assets

We at Cloud ERP and SCM Product Success offer a service as versatile as our product itself. Check out the numerous offerings our team has created for you below:

Don’t hesitate to leave a comment and check out our community page to ask your questions and engage with the experts. Follow the PSCC_Enablement tag to stay up to date with our latest blog posts.