https://raw.githubusercontent.com/ajmaradiaga/feeds/main/scmt/topics/SAP-Risk-Management-blog-posts.xml SAP Community - SAP Risk Management 2024-05-20T11:13:35.104433+00:00 python-feedgen SAP Risk Management blog posts in SAP Community https://community.sap.com/t5/financial-management-blogs-by-members/sap-grc-access-control-12-0-exclude-objects-from-risk-analysis-with/ba-p/13535953 SAP GRC Access Control 12.0 - Exclude Objects from Risk Analysis with Supplementary Rules 2022-08-04T07:10:14+02:00 pau_torregrosa https://community.sap.com/t5/user/viewprofilepage/user-id/616048 <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/08/risk-1.png" /></P><BR /> There might be situations in which the Business decides to accept a given Risk, but only for a set of users or a specific User Group, and you might need to exclude them from all Risk Analysis reports.<BR /> <BR /> SAP Access Control provides the ability to exclude objects (Users, Roles, Profiles, User Groups) from Batch Risk Analysis via the IMG activity 'Maintain Exclude Objects from Batch Risk Analysis':<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/08/SPRO.png" height="377" width="331" /></P><BR /> However, this option only takes effect for Offline Risk Analysis and Dashboards. 
It will not affect online/ad-hoc Risk Analysis, nor any Risk Analysis simulations.&nbsp;One possible solution to this problem is to <A href="https://help.sap.com/docs/SAP_ACCESS_CONTROL/5cae1bc9a72348389e91183714220e30/1f17ea4f962a2e74e10000000a44176f.html" target="_blank" rel="noopener noreferrer">create a Supplementary Rule</A> to exclude the desired User IDs or User Groups from any Risk Analysis report.<BR /> <H3 id="toc-hId-1089379265">Excluding User IDs with Supplementary Rules</H3><BR /> First, you will need to set parameter 1037 to YES.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/08/1037.png" height="17" width="708" /></P><BR /> Now, go to NWBC, Setup tab, and click on 'Supplementary Rules' under the Exception Access Rules section.<BR /> <BR /> We could use any custom or standard table, but in our example we will extend the same table used by the IMG activity to exclude objects from Batch Risk Analysis, GRACEXCLUDEDOBJS.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/08/GRACEXCLUDEDOBJS-Select-Entries.png" height="42" width="333" /></P><BR /> The following supplementary rule is created and assigned to all Risk IDs. It looks for all User IDs in the GRACEXCLUDEDOBJS table which have Object Type User (1) and are Active (X), and excludes them from any Risk Analysis report, Online or Offline:<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/08/Exclude-Users-1.png" /></P><BR /> <BR /> <H3 id="toc-hId-696352255">Excluding User Groups with Supplementary Rules</H3><BR /> Similarly, let's say we want to exclude all users from User Group 'SUPPORT'. 
In this case, we could just use table USR02 and the field CLASS:<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/08/Exclude-Groups.png" /></P><BR /> <BR /> Hope this helps. If you need more information, do not hesitate to leave a comment. 2022-08-04T07:10:14+02:00 https://community.sap.com/t5/financial-management-blogs-by-sap/grc-tuesdays-governance-risk-and-compliance-securing-the-recruit-to-retire/ba-p/13554275 GRC Tuesdays: Governance, Risk and Compliance securing the Recruit-to-Retire process 2022-10-25T12:08:59+02:00 neil_patrick https://community.sap.com/t5/user/viewprofilepage/user-id/330209 <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/10/284287_Total-Workforce-Management_R_blue.png" /></P><BR /> At SAP we tend to talk about 4 key ERP processes for the Intelligent Enterprise:<BR /> <UL><BR /> <LI>Source-to-Pay</LI><BR /> <LI>Recruit-to-Retire</LI><BR /> <LI>Design-to-Operate</LI><BR /> <LI>Lead-to-Cash</LI><BR /> </UL><BR /> This blog looks at the second of these, Recruit-to-Retire, and is in fact a follow-on companion blog to <A href="https://blogs.sap.com/2022/10/11/grc-tuesdays-governance-risk-and-compliance-securing-the-source-to-pay-process/" target="_blank" rel="noopener noreferrer">Governance, Risk and Compliance securing the Source-to-Pay process</A>, which my colleague Thomas Frenehard wrote a couple of weeks ago.<BR /> <BR /> <H2 id="toc-hId-962107134">What is Recruit-to-Retire?</H2><BR /> SAP visualises the Recruit-to-Retire process as comprising 6 major steps: Planning, Staffing, Onboarding, Working, Travel, Paying and Closing. Different groupings of these steps make up frequently used industry subprocesses, for example: hire to retire, travel to reimburse, external workforce management. 
SAP has a number of foundational cloud solutions covering these steps and subprocesses.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/10/Recruit-to-Retire-white.png" /></P><BR /> While discussing this topic internally with SAP Human Experience Management SME colleagues, we reached the conclusion that while HR departments understand HR risk well, they seldom look outside their line of business to, for example, assess the overall enterprise risk or business consequence of an HR risk becoming an event.<BR /> <BR /> The above-mentioned Thomas wrote about these steps in some detail in his great blog <A href="https://blogs.sap.com/2022/01/25/grc-tuesdays-human-resources-and-governance-risk-and-compliance-working-together/" target="_blank" rel="noopener noreferrer">Human Resources and Governance, Risk, and Compliance Working Together</A> earlier this year. In this blog I will be more solution-specific and drill into how GRC can help secure the six steps, with some examples, and in so doing help the business secure the overall Recruit-to-Retire process. And, potentially more importantly, help secure the company’s enterprise risk and resilience capability.<BR /> <BR /> <STRONG>Plan</STRONG><BR /> <BR /> The organisation generates a plan by modelling the demand for talent, and budgeting. This includes formalised project planning, where individual planners identify more detailed future and current talent needs.<BR /> <BR /> HR risks include not accounting for key-man and leadership succession planning (a recent study showed 43% of UK companies had unexpected leadership changes), global skills shortages (remember the shortage of data protection officers when GDPR was ramping up?), and bad hires. 
The cost to a business of a bad hire includes their hiring cost, low productivity as they ramp up, potential costs if they are ineffective or make mistakes and maybe damage the business (or even a country, if it’s a senior enough position...), and time delays on the projects they were supposed to deliver.<BR /> <BR /> <STRONG>Staff</STRONG><BR /> <BR /> Identify internal talent: search for existing resources with the required skills. Recruit new hires: open requisitions, find candidates, make offers.<BR /> <BR /> The process of identifying the right talent through the avalanche of CVs – and who (or what) actually wrote them – going through the recruitment process with various types and stages of interview and evaluation techniques, using recruitment agencies or your own staff, the growing complexity of types of employment contract, and the options for full time vs part time and employees vs contingent labour, is complex, time-consuming and fraught with risk. One risk to highlight, with all the personal information moving around, is that of data privacy and protection, and the duties of a data controller vs a data processor.<BR /> <BR /> <STRONG>Onboard</STRONG><BR /> <BR /> Complete the paperwork, employee receives equipment, user/role provisioning, take required training, meet team members, etc.<BR /> <BR /> Having secured your delightful talent, you want them to sign their contracts with the correct legal localisations, follow a well-planned and organised onboarding process, work through all the corporate policies, and be operational as soon as possible – not waiting for equipment or access to policies, training, and business systems. There is also the Transfer of Undertakings (Protection of Employment) regulations (TUPE) risk during a merger or acquisition, where employment terms have to be aligned. 
A little-appreciated risk is the speed with which you can allocate your new joiner an email account and user ID(s), and provision them to the systems they need access to with authorizations appropriate to their role as defined in the HR system. We have had cases where some companies can take up to 3 weeks for a joiner to receive their computer and get access to the systems to do their job.<BR /> <BR /> <STRONG>Work</STRONG><BR /> <BR /> Aside from performing their role duties, there are ongoing development, skills management, performance management, time and cost management, role/location change, regulatory compliance, and wellness programs to consider.<BR /> <BR /> It sounds trivial to say that you need to have the correctly skilled people in the locations where the work demands it. It’s true that post-pandemic we have all learned that some roles, and some aspects of roles, can be done remotely. But there are many roles where this is not possible, others where productivity is greatly improved by teamworking, and with more junior roles sometimes a situational leadership approach is required – a lot of supervision initially. Also, with current rapid and large-scale changes in global politics impacting the practicalities of out-of-country hires, with import/export duties &amp; supply chain challenges resulting in the selection of different suppliers who are maybe no longer close to your ‘follow on process’ high-skills centres, and with talent poaching and churn, having the right people in the right place at the right time is far more complex and volatile than it was. Consequences can impact goods and service delivery, growth, time to market, revenue, and cash flow. 
Anticipating this and having risk-based contingency plans adds to your resilience, but also to your agility.<BR /> <BR /> <STRONG>Travel</STRONG><BR /> <BR /> Expense policy management and supervision, travel and expenses recording and submission, claims validation.<BR /> <BR /> A well-known risk is that of claims fraud, bribery and corruption using expenses, collusion leading to fraud, or accidental / deliberate breaching/abuse of travel and expenses policies. Managing this consistently, cost-effectively and quickly is not always easy, though, and that is a risk to the business.<BR /> <BR /> <STRONG>Pay &amp; Close</STRONG><BR /> <BR /> Total compensation, payroll and tax, incentives and benefits payment, expenses reimbursement, severance/retirement agreement, update financial statements, off-boarding, deprovisioning.<BR /> <BR /> Labour cost is frequently one of the highest costs for a business, and errors in paying employees and contractors can lead to financial loss and employee disaffection. Fines can arise from incorrect employment paperwork (for example incorrect employment and wage eligibility), under-insurance (a recent study showed 15.6% of employers are unknowingly under-insured for employee liability), and companies being unaware of regulatory changes (e.g. changes to anti-bribery and corruption law, duties under GDPR).<BR /> <BR /> A specific risk to mention is employee payment errors during period close and year-end close, which aside from the impact on employees can lead to financial statement errors, audit findings, costly remediation, reputational damage, and in the worst cases large-scale labor disputes and fines.<BR /> <BR /> <H2 id="toc-hId-765593629">SAP Cloud solutions for GRC to the rescue!</H2><BR /> Below is a representation of example vulnerabilities and risks related to the various steps in the Recruit-to-Retire process.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/10/Orange-GRC-diagram.jpg" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">Summary of selected risks along the Recruit-to-Retire process</P><BR /> Individual risks can obviously lead to costs and delays in each step. The individual (or worse, cumulative) impact can, however, lead to the end-to-end process being ineffective or even broken. 
Luckily there are cloud Governance, Risk, and Compliance &amp; Cybersecurity and Data Protection solutions from SAP ready to be deployed, to help prevent these risks from becoming damaging events.<BR /> <BR /> Companies can use these solutions to help develop a pro-active risk management approach to the Recruit-to-Retire process, thus safeguarding their employees, reputation, and financial viability.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/10/Green-GRC-diagram.jpg" /></P><BR /> In an alternative use of <A href="https://www.sap.com/products/financial-management/watch-list-screening.html" target="_blank" rel="noopener noreferrer">SAP Watch List Screening</A>&nbsp;in the&nbsp;<STRONG>Plan</STRONG> step, employers can automatically screen the agencies they use to recruit employees in case they are sanctioned, and also independently assess the role candidates in case they are on a watch list, are for example associated with organisations supplying services to the public sector, or are on a sanctioned party list.<BR /> <BR /> In the&nbsp;<STRONG>Staff</STRONG>&nbsp;step,&nbsp;<A href="https://www.sap.com/products/financial-management/privacy-governance.html" target="_blank" rel="noopener noreferrer">SAP Privacy Governance</A> helps companies document and manage the risk of improper processing of personal data during the staffing process: for example, whether ‘privacy by design’ is in place for both your organisation and the third parties involved in staffing, the accountability duties of the data controller and data processor, data retention and deletion requirements, and which processing activities are lawful during staffing.<BR /> <BR /> During&nbsp;<STRONG>Onboarding</STRONG>,&nbsp;<A href="https://www.sap.com/products/financial-management/cloud-iam.html" target="_blank" rel="noopener noreferrer">SAP Identity Access Governance</A> helps companies give their new employees the 
appropriate authorisations for their role – as defined in and read from their HR system – automatically and rapidly, ideally on or just before their first day of work. It will also help organisations ensure managed segregation of duties and invisibility of data between sensitive LOBs.<BR /> <BR /> Once employed, i.e. during the&nbsp;<STRONG>Work, Travel and Pay &amp; Close steps</STRONG>,&nbsp;<A href="https://www.sap.com/products/financial-management/financial-compliance-management.html" target="_blank" rel="noopener noreferrer">SAP Financial Compliance Management</A> helps automate internal controls over financial processes. Companies can minimize the risk of misstatements in their quarterly and annual reports and protect against fraud and bribery with a strong internal controls framework and system. The solution will help document the most important business processes and the corporate exposure in cases where there is a risk of under-skilled or under-staffed operations. It will help achieve a quicker and less error-prone period-end and year-end close. Companies can also monitor and document inconsistencies in operating procedures and policy.<BR /> <BR /> Underpinning the Recruit-to-Retire process is the Intelligent Enterprise, and how SAP supports this via <STRONG>Business Process Intelligence</STRONG>. At their core, HR processes are heavy users and processors of personal information; they increasingly use public cloud systems, and access/processing frequently crosses geographical and political boundaries. <A href="https://www.sap.com/products/financial-management/data-custodian.html" target="_blank" rel="noopener noreferrer">SAP Data Custodian</A> enables companies to demonstrate and deliver controls over public cloud resources and applications. 
In parallel, <A href="https://www.sap.com/products/financial-management/enterprise-threat-detection.html" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection</A>, a high-volume, real-time security information and event management tool, helps companies proactively identify, analyse, and neutralize cyberattacks at a business level in their SAP applications - before, for example, serious breaches occur.<BR /> <BR /> One final thing to take note of is that the same SAP cloud GRC solutions apply to both the Source-to-Pay and Recruit-to-Retire processes! In other words, business and IT investment in these solutions will have multiple benefits within an organization:<BR /> <UL><BR /> <LI>Improving the return-on-investment business case</LI><BR /> <LI>Reducing the overall IT footprint</LI><BR /> <LI>Reducing change management / user disruption, as the number of solutions to be trained on is reduced</LI><BR /> <LI>Increasing simplicity and integration by adopting SAP solutions with native SAP ERP integration</LI><BR /> </UL><BR /> 2022-10-25T12:08:59+02:00 https://community.sap.com/t5/financial-management-blogs-by-sap/cybersecurity-highlights-from-sap-insider-2022-vienna/ba-p/13548220 Cybersecurity highlights from SAP Insider 2022, Vienna 2022-11-21T11:25:11+01:00 i353gfiata https://community.sap.com/t5/user/viewprofilepage/user-id/656256 <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/IMG_1435-1.jpg" /></P><BR /> <P style="text-align: center">SAPinsider 2022, Vienna</P><BR /> <BR /> The 2022 conference in Vienna was another great SAPinsider success.<BR /> <BR /> The experiences and challenges that people from companies all around the world share and discuss with each other are essential to supporting the continuous innovation of our way of working, and enrich us professionally.<BR /> <H2 id="toc-hId-961302617">Security as a key 
priority</H2><BR /> Out of about 150 presentations in Vienna, more than 50 were focused on Security, Enterprise Risk Management and Business Resiliency.<BR /> <BR /> This is more than a third of the whole conference focus, and it shows how SAP, our partners and companies from every region and industry are realising how critical the cyber threat has become.<BR /> <BR /> Conferences like this are instrumental in building stronger partnerships with one common goal: safeguarding business, together.<BR /> <H2 id="toc-hId-764789112">What were the main topics and questions at the conference on Security?</H2><BR /> RISE with SAP was a key topic on the agenda. The number of companies looking into the RISE offering and model is growing significantly, and with that, the interest in how security is managed in the cloud.<BR /> <BR /> To summarise, these were the three main topics I heard people at the conference discussing and asking the most questions about.<BR /> <H3 id="toc-hId-697358326">1. Shared security responsibility between customers, hyperscaler and SAP</H3><BR /> <H4 id="toc-hId-629927540"><EM>"How do we distribute the daily security work and responsibilities in RISE, between our internal security teams, our external security advisors, the hyperscaler and SAP?"</EM></H4><BR /> <BR /> Roles and responsibilities vary depending on the deployment approach; however, in general we can say that with RISE, network and infrastructure security are managed by SAP and the Hyperscaler, whilst application security measures like identity and access governance, as well as security logging and application security hardening, are decided, prioritised and managed by the customer (often supported by their specialised partners).<BR /> <BR /> This is because the implementation of application security measures is often dependent on the business processes that run on these applications, and needs to be strongly aligned with the company's business priorities.<BR /> <P style="overflow: 
hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/Picture-1-6.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">Example of Shared Responsibilities in Cloud Architecture</P><BR /> <H3 id="toc-hId-304331316">2. Where to start with application security</H3><BR /> <H4 id="toc-hId-236900530"><EM>"What are the tools, solutions and services we should be using to secure the SAP application layer?"</EM></H4><BR /> First of all, you need the security culture, mindset and processes embedded at every level of the organisation. This is the foundation for success.<BR /> <BR /> Then, a good way to start is to map the security framework (e.g. NIST, ISO27001/2) to the services, tools and solutions that can support each framework area and domain.<BR /> <BR /> Then, based on this mapping, understand: 1) what solutions are there by default and, depending on the contract with SAP, managed as a service; and 2) what solutions are there for the customer to opt in to.<BR /> <BR /> The first are usually referred to as SAP standard tools, which are included as part of the SAP installation, and the second are Cybersecurity or Compliance solutions which companies can invest in to improve their overall application security posture.<BR /> <BR /> Additionally, security services are provided by SAP consulting, or specialised partners, to support customers with their security priorities.<BR /> <P class="image_caption" style="text-align: center;font-style: italic;font-family: SAPRegular, 'Helvetica Neue', Arial, sans-serif;overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/Picture-1-7.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">Example of services and solutions to support the NIST framework in SAP</P><BR /> <H3 
id="toc-hId--88695694">3. SAP Security standard documentation for Cloud solutions</H3><BR /> <H4 id="toc-hId--156126480"><EM>"Where can we find security recommendations&nbsp;for SAP cloud solutions?"&nbsp;</EM></H4><BR /> <BR /> Official SAP security documentation can be found on SAP.com.<BR /> <BR /> The objective of this documentation is to suggest to customers the implementation of certain security measures. But ultimately, the customer is the one that needs to decide and approve how their business applications should be secured.<BR /> <BR /> A good starting point is the <A href="https://sap.com/ctc" target="_blank" rel="noopener noreferrer">SAP Trust Center</A>, where many security topics are documented, covering various areas: from recommended system security configuration settings, to information about internal security operations, to audit and compliance certifications of SAP solutions.<BR /> <BR /> SAP customers and SAP partners can also subscribe to <STRONG>My Trust Center</STRONG>, where a subscription functionality offers you email notifications about changes and updates to content which is of particular relevance to you. One example is the <A href="https://support.sap.com/en/my-support/trust-center/tools-documentation.html?anchorId=58673b2eaf1a8d4bd077cd930664ccb1" target="_blank" rel="noopener noreferrer">Recommended Security Configuration for SAP Cloud Services. 
</A>(access only available to SAP customers and SAP partners).<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/Screenshot-2022-11-18-at-13.42.40.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">One example of content available on My Trust Center</P><BR /> <BR /> <H2 id="toc-hId--610805423">Other discussions worth mentioning</H2><BR /> A recurring and very popular discussion at the conference was the one about humans being the weakest link in cybersecurity.<BR /> <BR /> Millions of people are targeted every single day with advanced phishing attacks, and it is very difficult for a victim to realise when they are being scammed, which increases the chances of a hacker breaking in.<BR /> <BR /> Training people to recognise these scams is a rising priority for companies that want to reduce the risk of their sensitive business data being breached, but also to educate their employees on how they can safeguard their personal digital assets.<BR /> <H2 id="toc-hId--807318928">Conclusions</H2><BR /> Security is a key decision factor when moving business applications to the cloud. It is paramount for companies to understand how security responsibilities are shared between them and their vendors. And it is equally important for them to recognise that even if they delegate responsibility to a third party, the accountability remains theirs.<BR /> <BR /> Ultimately, it is the customer's data, processes and business. 
And we can safeguard it together.<BR /> <BR /> <STRONG>To Learn More</STRONG><BR /> <UL><BR /> <LI><A href="https://blogs.sap.com/2021/09/15/rise-with-sap-shared-security-responsibility-for-sap-cloud-services/" target="_blank" rel="noopener noreferrer">Blog: Rise with SAP shared security responsibility</A></LI><BR /> <LI><A href="https://www.sap.com/products/erp-financial-management/grc.html" target="_blank" rel="noopener noreferrer">SAP® Governance, Risk, and Compliance solutions</A></LI><BR /> </UL><BR /> And if you want to connect on LinkedIn, here is my <A href="https://www.linkedin.com/in/gabrielefiata/" target="_blank" rel="nofollow noopener noreferrer">profile</A>. 2022-11-21T11:25:11+01:00 https://community.sap.com/t5/financial-management-blogs-by-sap/grc-tuesdays-governance-risk-and-compliance-securing-the-lead-to-cash/ba-p/13555844 GRC Tuesdays: Governance, Risk and Compliance securing the Lead-to-Cash process 2022-11-22T13:49:05+01:00 neil_patrick https://community.sap.com/t5/user/viewprofilepage/user-id/330209 <IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/284285_Lead-to-Cash_R_blue.png" /><BR /> <BR /> As a refresher, at SAP we tend to talk about 4 key ERP processes for the Intelligent Enterprise:<BR /> <UL><BR /> <LI>Source-to-Pay</LI><BR /> <LI>Recruit-to-Retire</LI><BR /> <LI>Design-to-Operate</LI><BR /> <LI>Lead-to-Cash</LI><BR /> </UL><BR /> This blog looks at the last of these, Lead-to-Cash, and is in fact the last in the series that my colleague <A href="https://www.linkedin.com/in/thomasfrenehard/" target="_blank" rel="nofollow noopener noreferrer">Thomas Frenehard</A> and I have been writing. 
You can find the blogs for the first three here: <A href="https://blogs.sap.com/2022/10/11/grc-tuesdays-governance-risk-and-compliance-securing-the-source-to-pay-process/" target="_blank" rel="noopener noreferrer">Source-to-Pay process</A>, <A href="https://blogs.sap.com/2022/10/25/grctuesdays-governance-risk-and-compliance-securing-the-recruit-to-retire-process/" target="_blank" rel="noopener noreferrer">Recruit-to-Retire process</A>, and <A href="https://blogs.sap.com/2022/11/08/grc-tuesdays-governance-risk-and-compliance-securing-the-design-to-operate-process/" target="_blank" rel="noopener noreferrer">Design-to-Operate</A>.<BR /> <BR /> <STRONG>What is Lead-to-Cash?</STRONG><BR /> <BR /> Lead-to-Cash manages all aspects of the customer experience and business process chain. This covers everything from the initial interaction, to order fulfilment, to service delivery, and revenue. The SAP Intelligent Enterprise approach provides adaptable process templates based on best practices, which vary depending on industry type, customer type, and sales channel (direct sales or e-commerce).<BR /> <BR /> SAP visualises the Lead-to-Cash process as comprising the 5 main stages below:<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/L2C-main-image.png" /></P><BR /> Lead-to-Cash is one of <EM>the</EM> most business-critical processes, as it moves from customer contact to sales to ordering to contract to fulfilment to money! If this is delayed, disrupted, or damaged, the effectiveness, profitability, and possibly the viability of the business will be severely impacted. 
Furthermore, while the details and complexity of the process are largely hidden from end customers, being on the receiving end of a poor Lead-to-Cash process is all too visible and will permanently affect their impression of the business they are dealing with.<BR /> <BR /> Each of the 5 stages is complex in itself, as is the technical integration and handover between them, and they span the entire SAP Customer Experience solution portfolio. The many stages and steps deal with personal data, financial data, contract terms and conditions, revenue &amp; profitability, and ultimately brand perception and reputation.<BR /> <BR /> Any new business models, offerings or innovations have to be supported by and realised through the Lead-to-Cash process. It therefore needs to remain flexible and agile, and yet robust and secure. In addition, the end customer’s experience needs to be seamless and frictionless.<BR /> <BR /> This makes Lead-to-Cash an ideal beneficiary of GRC and cybersecurity controls, assurance, protection, and pro-active risk management.<BR /> <BR /> <STRONG>Contact to Lead</STRONG><BR /> <BR /> A marketing expert creates a campaign to generate sales leads, and targets existing or new customers via mechanisms such as email, social media, personalised recommendations, or relationships. Based on the customer’s consent and interaction, the customer is converted to a lead.<BR /> <BR /> Adherence to privacy laws, ensuring personal data protection, not dealing with sanctioned countries, organisations or individuals, not dealing with bad debtors, and not violating the business’s conduct risk policy are important priorities during this stage.<BR /> <BR /> <STRONG>Lead to Opportunity</STRONG><BR /> <BR /> A marketing expert retargets the customers if needed, to encourage them to proceed with the marketing offer. Analytics tools can be used to assess the potential of the lead and determine if it is worth pursuing. 
The lead is converted to an opportunity based on the lead scoring.<BR /> <BR /> As with the previous stage, data privacy and protection, sanctioned parties and business ethics are key. In addition, from a business operational risk perspective, incorrect or biased analytics can lead to missed opportunities, inappropriate contacts, or skewed outcome-based KPIs, leading to inaccurate performance analysis and future strategy setting.<BR /> <BR /> <STRONG>Opportunity to Quote/Cart</STRONG><BR /> <BR /> The sales representative assesses the readiness of the opportunity to be offered a quote. The customer can request a quote, for example via the web, a physical outlet, or by phone/email. The sales rep or system creates the quote and sends it to the customer.<BR /> <BR /> I would anticipate that in the near future the greenhouse gas emissions loading for the goods or services quoted for will also need to be included.<BR /> <BR /> There is business risk associated with the quote value a sales rep can prepare and offer, and thresholds are frequently attached to an approval process. There is the opportunity for collusion, bribery and fraud within this stage. Appropriate disclaimers and offer conditions should also be reviewed before being communicated with the quote, so there is potentially a legal process, and the suitability of the end customer should be re-confirmed (in case, for example, the party the quote is sent to is different from the end customer, is in a high-risk country, or is on a sanction list).<BR /> <BR /> Accurate and defensible greenhouse gas emissions figures will also have to be ensured in the near future.<BR /> <BR /> <STRONG>Quote to Order</STRONG><BR /> <BR /> The quote is presented to the customer and can be negotiated until a final agreement is reached. Once the quote is accepted by the customer, it gets converted to an order. 
Customer feedback on the order creation process is collected, and the feedback can be used to improve the quote and order creation process.<BR /> <BR /> As with the previous process, there is a risk of collusion, bribery and fraud. It can also include approval bypasses or delays, process shortcuts, credit check errors, delays in issuing quotes, and errors in the quote (e.g. payment terms, currency conversions, tax).<BR /> <BR /> <STRONG>Order to Cash</STRONG><BR /> <BR /> Based on the different types of items in the order, the order gets split into physical, subscription or service products, which are sent to the back-end systems for further processing. The order status is marked as complete only when all order types and steps are complete. On confirmation of delivery, billing and invoicing tasks are initiated, and when payment is received, revenues are booked (posted) for the business unit.<BR /> <BR /> This is a key financial process that converts potential into recognisable revenue. It is at risk from fraud and collusion, and from dealings with sanctioned parties or high-risk countries as above, but also, for example, from posting errors due to system errors, incorrect manual postings or manual overrides of preventive controls; inaccurate or incomplete customer master data leading to incorrect or out-of-policy orders; segregation of duties errors; delays in cash collection; and currency and tax errors.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/288013_Cash-Collection-Diagram_R_green.png" height="190" width="396" /></P><BR /> <STRONG>Days Sales Outstanding (DSO)</STRONG><BR /> <BR /> DSO is a useful performance indicator for a business, used to estimate the size of its outstanding accounts receivable (i.e. legally enforceable claims for payment). Measured in average sales days, it represents the number of days of (average) sales that you currently have outstanding. 
It is an important tool in measuring liquidity and ultimately cash flow. High DSO could indicate inadequate analysis of customers, incorrect terms and conditions (e.g. agreed to close the deal), poor collection, or less credit-worthy customers.<BR /> <BR /> The Lead-to-Cash process is the primary process impacting DSO and therefore the company’s liquidity and cash flow, and therefore its financial stability. Keeping this process well managed and consistent is critical for a successful, viable business.<BR /> <BR /> &nbsp;<BR /> <BR /> <STRONG>SAP Cloud solutions for GRC to the rescue!</STRONG><BR /> <BR /> Below is a representation of example vulnerabilities and risks related to various steps in the Lead-to-Cash process, which can lead to errors and delays.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/GRC-Orange-image.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">Summary of selected risks along the Lead-to-Cash process</P><BR /> &nbsp;<BR /> <BR /> The individual (or worse, cumulative) impact through the process can lead to the end-to-end process being ineffective or even broken, with the potential for significant damage to financial performance, investment potential, reputation and future viability. 
Luckily there are cloud Governance, Risk, and Compliance &amp; Cybersecurity and Data Privacy solutions from SAP ready to be deployed, to help prevent these risks from becoming damaging events.<BR /> <BR /> Companies can use these solutions to help develop a pro-active risk management and internal controls approach to support the Lead-to-Cash process, thus safeguarding the marketing, conversion to quote, cash collection, and revenue recognition processes, and through these, overall business viability.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2022/11/GRC-Green-image.png" /></P><BR /> <A href="https://www.sap.com/products/financial-management/watch-list-screening.html" target="_blank" rel="noopener noreferrer">SAP Watch List Screening</A> can be used in the&nbsp;<STRONG>Contact to Lead</STRONG>&nbsp;step to screen for high-risk or sanctioned parties, entities and individuals. It can also be used to assess the suitability of supplying goods or services to partners who in turn supply to the public sector.<BR /> <BR /> In the&nbsp;<STRONG>Contact to Lead </STRONG>and <STRONG>Lead to Opportunity</STRONG> stages, <A href="https://www.sap.com/products/financial-management/privacy-governance.html" target="_blank" rel="noopener noreferrer">SAP Privacy Governance</A>&nbsp;helps companies document and manage the risk of improper processing of personal data during the staffing process: for example, whether ‘privacy by design’ is in place for both your organisation and the third parties involved in staffing, the accountability duties of the data controller and data processor, data retention and deletion requirements, and which processing activities during staffing are lawful.<BR /> <BR /> Spanning from&nbsp;<STRONG>Opportunity to Quote, to Order to Cash</STRONG>,&nbsp;<A href="https://www.sap.com/products/financial-management/cloud-iam.html" target="_blank" rel="noopener noreferrer">SAP Identity Access Governance</A>&nbsp;helps companies detect, document and manage segregation of duties risk. This includes both the removal of SoD occurrences and the controlled management of those that remain.<BR /> <BR /> As the more finance-heavy steps of&nbsp;<STRONG>Quote to Order </STRONG>and <STRONG>Order to Cash </STRONG>are reached,&nbsp;<A href="https://www.sap.com/products/financial-management/financial-compliance-management.html" target="_blank" rel="noopener noreferrer">SAP Financial Compliance Management</A>&nbsp;helps implement and automate internal controls. This allows companies to implement in-process business controls to deal with posting errors, process bypassing, fraud, master data errors, financial errors, delays, and actual SoD occurrences. It will also help minimize the risk of misstatements in their quarterly and annual reports. The solution will help monitor the most important business processes and proactively protect the business from exposure. Companies can also monitor and document inconsistencies in operating procedures and policy.<BR /> <BR /> I see the Lead-to-Cash process as a core process for the Intelligent Enterprise – and thanks Thomas for explaining it in your <A href="https://blogs.sap.com/2022/11/08/grc-tuesdays-governance-risk-and-compliance-securing-the-design-to-operate-process/" target="_blank" rel="noopener noreferrer">Design-to-Operate</A> blog. With the proposed integration between SAP Financial Compliance Management and SAP Signavio, customers will soon have visibility and assurance over core processes like Lead-to-Cash, and all its sub-processes, as well as a synchronised view on the adequacy and strength of controls. 
Audit will love this!<BR /> <BR /> <A href="https://www.sap.com/products/financial-management/data-custodian.html" target="_blank" rel="noopener noreferrer">SAP Data Custodian</A> enables companies to demonstrate and deliver controls over the public cloud resources and applications which are fundamental to the Lead-to-Cash process. In parallel, <A href="https://www.sap.com/products/financial-management/enterprise-threat-detection.html" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection</A>, a high-volume, real-time security information and event management tool, helps companies proactively identify, analyse, and neutralize cyberattacks at a business level in their SAP applications - before, for example, serious breaches occur.<BR /> <BR /> Note again that the same SAP cloud GRC solutions apply to all 4 of the core processes covered in this blog series! Business and IT investment in these solutions will have multiple benefits within the organization.<BR /> <BR /> In summary:<BR /> <UL><BR /> <LI>Borrowing Thomas’ definition of the Intelligent Enterprise in his Design-to-Operate blog: organizations “<EM>that apply advanced technologies and best practices within agile, integrated business processes to run at their best</EM>” (<A href="https://www.sap.com/intelligent-enterprise.html" target="_blank" rel="noopener noreferrer">link</A>)</LI><BR /> <LI>also acknowledging the business-wide move towards automation and ‘doing more with less’</LI><BR /> <LI>and the increasing trend towards creating ‘digital twins’ of physical processes &amp; assets in a digital representation...</LI><BR /> </UL><BR /> it is clear from these 4 blogs that SAP’s GRC and Cybersecurity solutions can contribute significantly to a safe, secure, reliable, resilient, agile, ethical, efficient and effective, financially stable and financially viable business.<BR /> <BR /> &nbsp;<BR /> <BR /> For your information, you can find all 4 blogs in this GRC and Intelligent Enterprise 
processes series listed below:<BR /> <UL><BR /> <LI><A href="https://blogs.sap.com/2022/10/11/grc-tuesdays-governance-risk-and-compliance-securing-the-source-to-pay-process/" target="_blank" rel="noopener noreferrer">GRC Tuesdays: Governance, Risk and Compliance securing the Source-to-Pay process</A>&nbsp;(released on 11/10/2022)</LI><BR /> <LI><A href="https://blogs.sap.com/2022/10/25/grctuesdays-governance-risk-and-compliance-securing-the-recruit-to-retire-process/" target="_blank" rel="noopener noreferrer">GRC Tuesdays: Governance, Risk and Compliance securing the Recruit-to-Retire process</A>&nbsp;(released on 25/10/2022)</LI><BR /> <LI><A href="https://blogs.sap.com/2022/11/08/grc-tuesdays-governance-risk-and-compliance-securing-the-design-to-operate-process/" target="_blank" rel="noopener noreferrer">GRC Tuesdays: Governance, Risk and Compliance securing the Design-to-Operate process</A>&nbsp;(released on 08/11/2022)</LI><BR /> <LI>GRC Tuesdays: Governance, Risk and Compliance securing the Lead-to-Cash process (released 22/11/2022)</LI><BR /> </UL><BR /> &nbsp; 2022-11-22T13:49:05+01:00 https://community.sap.com/t5/financial-management-blogs-by-members/mitigating-controls-is-this-a-cure-for-quot-all-evil-quot-in-excessive/ba-p/13558821 Mitigating controls - is this a cure for "all evil" in excessive authorizations risks in SAP? (part 1/5) 2022-12-01T10:47:38+01:00 FilipGRC https://community.sap.com/t5/user/viewprofilepage/user-id/11783 <STRONG>Part # 1/5 -</STRONG> The challenge for mitigating controls.<BR /> <BR /> <STRONG>Introduction</STRONG><BR /> <BR /> In my <A href="https://blogs.sap.com/2022/11/18/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap/" target="_blank" rel="noopener noreferrer">previous</A> post I introduced the blog post series we are preparing together with <SPAN class="mention-scrubbed">andrzejpartyka</SPAN>. 
I want to discuss the topic further and challenge the approach in which mitigating controls are used by default to eliminate excessive authorization risks. Are we eliminating the root cause of the problem, or are we just dealing with its side effects? Let’s debate whether it is the right, well-thought-out approach, and what the negative consequences of doing so are, if any.<BR /> <BR /> Mitigating controls are control mechanisms implemented in business processes for the purpose of limiting the access risk coming from excessive user authorizations granted in ERP systems. These are activities that are, in most cases, outside the ERP system (SAP) and conducted manually, usually based on SAP reports or other statements generated from the IT systems. <STRONG>Mitigating controls</STRONG> are a common management response to the access risk coming from conflicting authority assigned to users in SAP. Removing user access rights or modifying access via the role change management process is a difficult, time-consuming and very often underappreciated response to the problem.<BR /> <BR /> Considering the access risk of excessive or incorrect authorizations in the SAP system as a <STRONG>serious disease</STRONG>, it should be remembered that each treatment requires, first of all, a full-spectrum diagnosis. Next, using the doctor's knowledge and practical experience, appropriate diagnostic facilities and a treatment plan, the disease (excessive authorization in SAP) can be cured.<BR /> <BR /> As in the case of any disease, in this area too anyone who has faced the problem of a flawed user access management process may consider applying a short-cut solution. However, it is only a painkiller that will be a temporary solution to a serious problem, remediating the symptoms without dealing with the root cause of the problem. Sometimes such a choice may prove to be beneficial, but it should not be considered a long-term solution, just as a painkiller cannot be a substitute for a doctor's treatment. 
Are mitigating controls only a painkiller for excessive user system access, or are they a remedy for the root cause of the SAP authorization problem?<BR /> <BR /> <STRONG>Project implementation practice</STRONG><BR /> <BR /> A properly carried out project of rebuilding user roles and authorizations in SAP should be based on a segregation of duties matrix for user responsibilities in business processes, designed during business workshops. The SoD matrix is a key product in such a project, and one that is often overlooked during the implementation of a new SAP system. A project team focused on the quick and cost-effective launch of the new S/4HANA system ignores the security aspects, shifting the effort for their implementation to the period after the go-live of the new SAP system. The segregation of duties matrix is, however, a key product that summarizes the requirements for building authorizations from the perspective of the specific company that implements the new SAP system. These requirements are the foundation for the future authorization architecture, which is derived from the way activities are executed in business processes. This product considers how the company allocates documents, works with master data, controls data through the Workflow system, carries out payments, warehouse and logistics operations, etc. It acts as an access risk repository with guidelines and principles on how SAP users should be assigned access rights and authorities in the SAP system. Preparing this information is a considerable investment, but from our experience it is worth doing during the system implementation project, to better prepare for the ongoing operation of the new ERP system. This approach ensures the security of financial data from the very first day of system operation, which is a huge benefit in comparison to the alternative approach, where the system is secured and security gaps are closed only after go-live. 
Solving these problems later causes additional work, needed to assess whether, in the period from system go-live to remediation of the security issues, wrongly assigned, excessive permissions have been misused by internal or external users. In the case of such problems, it is possible to act on an ad hoc basis by implementing additional mechanisms in the form of mitigating controls, but it is worth considering beforehand whether that is a beneficial solution in the long term.<BR /> <BR /> Over the last few years, our company carried out several dozen projects to rebuild authorizations in various organizations. We have cooperated with private enterprises as well as public administration units. We also had the opportunity to cooperate with widely recognized, international corporations.<BR /> <BR /> Among the many conclusions from such projects, the topic of mitigating controls seems to be an interesting aspect; more precisely, the visible tendency to address these unnecessary risks in SAP authorizations by introducing additional control elements, the so-called "mitigating control". Is this the correct approach? What are the consequences of doing so? Is there one answer that is right for all organizations or situations?<BR /> <BR /> <STRONG>What is the challenge?</STRONG><BR /> <BR /> Excessive user access authorities in the SAP system are circumstances in which a given user has unnecessary access in the SAP system that generates a risk to the company. Additionally, in common practice the user usually does not even use this risky access. The company is exposed to additional risk, with a significant weakness within its security model, and receives no reward or benefit for this exposure (e.g. cover in the absence of another employee). This situation generates segregation of duties risk, with potential exposure to fraud or misuse of company assets. 
In our projects, we introduce mechanisms that allow us to determine which authorizations or transactions the user has executed in the past period, to justify whether the access is really needed. As a result, it allows us to report information about transaction and system usage. This is useful; however, it does not answer the main question of whether the access used is needed by the user or not, and whether access was assigned based on the minimal access required to perform the user's responsibilities and business process duties. This creates a challenge for both IT and business management.<BR /> <BR /> <STRONG>An example from a project</STRONG><BR /> <BR /> To better understand the challenge of mitigating controls, let's use an example from the sales area. The price at which the company sells its product to its client should be carefully monitored, and it is usually copied (imported with display access) from the price master data lists prepared by the team responsible for the pricing policy. It is carefully prepared based on the current market situation, labor costs and inventory, as well as the forecasted demand for goods and services. Then the sales price proposals undergo a detailed verification and approval process. At the end of each week, the list of applicable prices is sent to the system for the next billing period. Access to these operations should be monitored and restricted.<BR /> <BR /> In the SAP sales process, the price information is presented on a sales order document processed by an employee of the Customer Service Department. One of the values that this employee can modify (intentionally or accidentally) is the price of the product. This creates a vulnerability in the sales process, with the access risk of sales prices being modified during sales order creation, thereby throwing all the work (price validation, approval, etc.) of the pricing team into the bin; what is worse, there is also the risk that prices will not be adjusted to market conditions. 
This will also directly cause the risk of a falling trading margin and, consequently, net profit, which is the basic indicator analyzed by investors and company owners. Of course, many arguments are made for allowing such a situation; the most frequently mentioned are the possibility of correction in the event of an error, or a special sale for an 'exceptional' customer.<BR /> <BR /> A natural action (or best-practice advice) would be to <STRONG><U>not allow</U></STRONG> users in the Customer Service Department to change the sales order price. In practice, however, it is much more convenient for business users to propose a new mitigating control in which another user will, on a systematic basis, execute a control action. This activity will focus on comparing the prices used in the sales orders to those in the price lists. This control will be sample-based, and the method of its implementation will be a time-consuming operation whose nature is to find differences between two sources of information. Of course, this initial control will be optimized and will evolve during the control life cycle, and new automation elements will be introduced, e.g. in the form of a price discrepancy report, which will be generated automatically after a few weeks or months. <STRONG><U>But is it really the right way?</U></STRONG> Would it be possible to simply 'avoid' such operations instead of automating them? Should automation capabilities replace thinking about the method, and about how to design business processes to be secure?<BR /> <BR /> Often, instead of considering a change in the approach to the access risk of wrong system user access rights, companies develop further automation: new reports or systems are created that compare these two statements faster and cheaper.<BR /> <BR /> To find the right solution we need to look at the problem from a broader perspective and consider alternative solutions within the scope of the entire internal control system. 
It is also a problem because many business owners, under the influence of strong pressure from internal or external audit, are convinced that the more controls there are over the operations in business processes, the safer the business process becomes. However, it is worth considering whether the choice of this route will cause a continuous stream of new problems, "fires" requiring extinguishing and generating unnecessary costs. Are there other methods and ways that will allow the effective and safe use of the SAP system by users inside the organization?<BR /> <BR /> <STRONG>Are all user accesses in SAP required?</STRONG><BR /> <BR /> The above example concerns broad authorizations granted to users deliberately, but much more often we deal with a situation in which access is granted less intentionally. Excessive access is often unnecessary and unused by the user (e.g. logs from the SM19 or SM20 transactions do not indicate any use in the last 12 months), and its presence in the permissions poses a significant threat to the company. Thus, we refute the popular myth, often voiced in our clients' concerns, that an SoD risk resolution project directly means that users will lose the rights to transactions they need for their work. Often, an authorization rebuilding project begins with the removal of permissions previously granted to users that they do not use in their daily SAP work. 
<STRONG>Based on our project observations, these authorizations account for approximately 50-60% of the risks of redundant access</STRONG>.<BR /> <BR /> The challenge faced by the organization is that managers responsible for business processes must decide <STRONG>when</STRONG> and <STRONG>in what situations</STRONG> the system access risk should be remediated by access removal, and when it should be remediated by assigning compensating controls.<BR /> <BR /> <STRONG>Summary &amp; Conclusion</STRONG><BR /> <BR /> Often the solution is to involve people from different departments with the appropriate competencies and link them with technical specialists who are knowledgeable about role and authorization best practices. Such a combination is a basic element of an efficient response to the presented problem of excessive access or the abuse of risk-reducing controls. The problem resolution decision cannot be found working in company or process structure silos – a cross-organizational team will have a better chance of finding better solutions.<BR /> <BR /> In the next, second part, we will briefly present the GRC procedure for dealing with a new risk of excessive access rights. As can be seen from the problem description so far, this algorithm should not start and end with creating a new mitigating control. So how do you react? What should you pay special attention to? More on this in the next part of the article. 
We highly recommend reading and leaving a thought or two on the subject.<BR /> <BR /> <STRONG>Please share feedback or thoughts in the comment section.</STRONG><BR /> <BR /> Read <A href="http://community.sap.com/topics/grc" target="_blank">more</A> on related topics on the SAP Solutions for Governance, Risk, and Compliance Topic Page<BR /> <UL><BR /> <LI>See our <A href="https://blogs.sap.com/2022/11/18/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap/" target="_blank" rel="noopener noreferrer">introductory post</A> with links to the other articles in this series, prepared together with <SPAN class="mention-scrubbed">andrzejpartyka</SPAN></LI><BR /> <LI>Ask questions about Governance, Risk, Compliance (GRC), and Cybersecurity and <A href="https://answers.sap.com/tags/237150e2-6555-4a16-b49e-e93dbf1891da" target="_blank" rel="noopener noreferrer">follow</A> us</LI><BR /> <LI>Read other Governance, Risk, Compliance (GRC), and Cybersecurity <A href="http://blogs.sap.com/tags/237150e2-6555-4a16-b49e-e93dbf1891da" target="_blank" rel="noopener noreferrer">blog</A> posts and follow the blog</LI><BR /> <LI>Please follow my profile for future posts <SPAN class="mention-scrubbed">fnowak</SPAN></LI><BR /> </UL><BR /> Filip Nowak 2022-12-01T10:47:38+01:00 https://community.sap.com/t5/financial-management-blogs-by-members/mitigating-controls-is-this-a-cure-for-quot-all-evil-quot-in-excessive/ba-p/13567214 Mitigating controls - is this a cure for "all evil" in excessive authorizations risks in SAP? 
(part 2/5) 2023-01-25T11:09:48+01:00 FilipGRC https://community.sap.com/t5/user/viewprofilepage/user-id/11783 <STRONG>Part # 2/5 –</STRONG> When is it worth creating mitigating controls, and when should we avoid them?<BR /> <BR /> In the <A href="https://blogs.sap.com/2022/12/01/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap-part-1-5/" target="_blank" rel="noopener noreferrer">previous</A> part (#1) of our Mitigating control series of <A href="https://blogs.sap.com/2022/11/18/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap/" target="_blank" rel="noopener noreferrer">articles&nbsp;</A> we concluded that managers responsible for business operations must decide <STRONG>when</STRONG> and <STRONG>in what situations</STRONG> the system access risk should be remediated by access removal, and when it should be remediated by assigning compensating controls.<BR /> <BR /> <STRONG>Mitigating controls</STRONG> are a common management response to the access risk coming from conflicting system authorizations assigned to users in SAP. Removing user access rights or modifying access via the role change management process is a difficult, time-consuming and very often underappreciated response to the problem. In this part (#2) we will debate when it pays off to implement a mitigating control and when it is better to remove user access.<BR /> <BR /> The million-dollar question is: is there <EM>'some'</EM> algorithm for dealing with a new access risk of excessive rights? What is the best way to proceed? When and what activities should be executed? 
In this article, I share my knowledge and experience with respect to approaches to SoD security and access risks.<BR /> <BR /> <STRONG>When is it worth using mitigating controls?</STRONG><BR /> <BR /> While working on audit and consulting projects, I observed that the business management team, when working on the company's best response to an access risk, resorts to creating mitigating controls more often than required. Often this happens under pressure and a strong need to meet audit requirements coming from external or internal auditors that are general in nature, served to the customer without paying attention to the specific situation. Should having more &amp; more controls, which are very costly to maintain in the long run, be management's first choice? How should a control mechanism be designed so that it brings a real benefit to the internal control system and significantly reduces the risk for which it was created?<BR /> <BR /> This is the question that we will answer in this part of the article, to add my part to our series of five articles – see the list <U style="font-size: 1rem"><A href="https://blogs.sap.com/2022/11/18/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap/" target="_blank" rel="noopener noreferrer">here</A>. </U>Our observations of the control life cycle show that it is <STRONG><U>definitely worth</U></STRONG> using mitigating controls in the following situations:<BR /> <OL><BR /> <LI>Conflicting user access activities are required to perform the system tasks assigned to the user and specified by the HR department for a given job position. 
Introducing changes in such a situation is a difficult and complicated task.</LI><BR /> <LI>Access risks come from incorrect process design, and it is not possible to change the process design or the scope of activities to be performed, or to separate these activities into another organizational area.</LI><BR /> <LI>There are limited human resources, and the user responsibilities related to the access risk cannot be delegated to another person in the department.</LI><BR /> </OL><BR /> The presence of the above-mentioned situations makes the application of mitigating controls more justified. However, the order in which to proceed is important in determining the organization's best response to a segregation of duties conflict. A model sequence of operations is presented below.<BR /> <OL><BR /> <LI><STRONG> Conflicting access risks are part of HR-defined user responsibilities</STRONG></LI><BR /> </OL><BR /> The first step in any authorization redesign project is the removal of redundant (unused) user access rights. The access rights defined as redundant are those assigned to the user's authorization profile while in practice (e.g. over the last 12 months) they are not used in the employee's daily ERP (SAP) system operations. Often, but not always, this system access is also not defined in the scope of the employee's responsibilities in the HR job-position description. Identifying and then removing these authorizations, from my experience, eliminates about <STRONG>50-60%</STRONG> of all risks identified in the user's permissions. In any case, this should be the first step in remediating the problem coming from redundant permissions. Skipping this step means that we begin to develop control mechanisms for risks that do not require them (they have not ‘materialized’ in the last 12 months, as the transaction was not executed), or for which there is an alternative, cheaper to maintain and more effective in operation, that the company has failed to implement. 
If there is a valid business reason to believe that the authorizations are being used to fulfill the daily job tasks, as described in the job description, there is a need to conduct a detailed analysis. The analysis is not always simple, because the "general business description language" in which the user responsibilities are described often cannot be directly translated into the SAP business process activities executed by the user in the SAP S/4HANA system. Those are often defined using specific activities (transactions) that are executed during day-to-day system operations. To prepare such content, a manager needs SAP system experience and technical system understanding. Engaging key users or application consultants may be helpful here.<BR /> <OL start="2"><BR /> <LI><STRONG> Organizational change in the business process is not possible</STRONG></LI><BR /> </OL><BR /> If all unneeded user access authorizations have been revoked and there is still a segregation of duties access risk, it means that at the stage of designing the business process flow, the segregation of duties risk matrix was not taken into account. The team that designed the processes or target responsibilities of employees did not consider the fact that some activities in business processes in ERP systems should not be performed by the same person. In such a case, company management should consider changing the way the business process is carried out. Consider whether the conflicting scope of access authorities may be switched to another HR job position in the department or to another organizational unit. 
Best practice here is to move authorization for working with process master data (business partners, material indexes, the chart of accounts, the structure of controlling objects) to dedicated teams that are not responsible for day-to-day transaction processing in the business process.<BR /> <OL start="3"><BR /> <LI><STRONG> Limited human resources</STRONG></LI><BR /> </OL><BR /> If the assigned user authorizations are consistent with the scope of HR job responsibilities and the process itself cannot be redesigned or changed in a short period of time, the next step should be to analyze whether the organization has the resources at its disposal to delegate these duties to another employee. These types of changes do not require a comprehensive reorganization of the processes, but a different distribution of responsibilities in the department. In practice, it can be difficult to implement. The "simulation" functionality is very helpful in implementing such a change: the GRC system creates a preview of the theoretical situation in which the given authorizations would be assigned to another employee. You can read more about the features of the GRC system on our website (#grcadvsory, #smartGRC). Coming back to the often-emerging challenge of limited human resources, it is worth following the example of one of our projects. An employee of a local, small Customer Service Department, which employs 2 people, is responsible for recording sales orders from customers that flow in from various sales channels and for ensuring (by verifying and, if necessary, correcting) that the prices on sales orders are in line with the company's current price list. The scope of duties defined in this way means that an employee, in addition to access to work with orders in the SAP system, must have access to correct value conditions. 
Combining these two activities in the system creates the risk that the prices entered on the orders will be incorrect and the company will lose its trade margin due to incorrect information entered on the sales order. Organizational change is not possible, because the department employs only two people who know the specifics of the local market and its customers. The scale of operations means that without additional hiring or centralization of this function, it will not be possible to divide responsibilities. Applying a mitigating control in such a situation is the most beneficial decision from a business point of view.<BR /> <BR /> Let's summarize when it is <STRONG>not</STRONG> worth implementing mitigating controls:<BR /> <UL><BR /> <LI>In a situation where it is possible to partially limit or revoke user rights in the SAP / ERP system</LI><BR /> <LI>The organization accepts the possibility of changing the current business process in place, to include segregation of duties requirements in the process design</LI><BR /> <LI>User permissions can be delegated to another employee, thus avoiding new risks or segregation of duties conflicts.</LI><BR /> </UL><BR /> In the next part of the Mitigation control <A href="https://blogs.sap.com/2022/11/18/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap/" target="_blank" rel="noopener noreferrer">series</A> of articles, we will describe the best practices and how to build a mitigation control repository. We will deal with the Bermuda Triangle (also known as the <STRONG>Devil's Triangle</STRONG>), where all our SoD conflicts and access risks 'magically' disappear and then return during the financial audit<span class="lia-unicode-emoji" title=":smiling_face_with_smiling_eyes:">😊</span> How can we avoid deferring them, only for them to appear suddenly during an audit? 
How to avoid the risks of their materialization?<BR /> <BR /> <STRONG>Please share feedback or thoughts in the comments section.</STRONG><BR /> <BR /> Read <A href="http://community.sap.com/topics/grc" target="_blank">more</A> on related topics on the SAP Solutions for Governance, Risk, and Compliance Topic Page<BR /> <UL><BR /> <LI>See our <A href="https://blogs.sap.com/2022/11/18/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap/" target="_blank" rel="noopener noreferrer">introductory post</A> with links to the other articles in this series prepared together with <SPAN class="mention-scrubbed">andrzejpartyka</SPAN></LI><BR /> <LI>Ask questions about Governance, Risk, Compliance (GRC), and Cybersecurity and <A href="https://answers.sap.com/tags/237150e2-6555-4a16-b49e-e93dbf1891da" target="_blank" rel="noopener noreferrer">follow</A> us</LI><BR /> <LI>Read other Governance, Risk, Compliance (GRC), and Cybersecurity <A href="http://blogs.sap.com/tags/237150e2-6555-4a16-b49e-e93dbf1891da" target="_blank" rel="noopener noreferrer">blog</A> posts and follow them</LI><BR /> <LI>Please follow my profile for future posts <SPAN class="mention-scrubbed">fnowak</SPAN></LI><BR /> </UL><BR /> Filip Nowak 2023-01-25T11:09:48+01:00 https://community.sap.com/t5/financial-management-blogs-by-members/mitigation-controls-creation-and-assignment-in-sap-grc-12-0/ba-p/13549488 Mitigation Controls creation and assignment in SAP GRC 12.0 2023-04-19T11:36:30+02:00 javed_khan3 https://community.sap.com/t5/user/viewprofilepage/user-id/207679 Author's LinkedIn Profile: <A class="pv-contact-info__contact-link link-without-visited-state t-14" href="https://www.linkedin.com/in/javedkhan0107" target="_blank" rel="nofollow noopener noreferrer">linkedin.com/in/javedkhan0107</A><BR /> <BR /> <STRONG>Purpose of the document:</STRONG><BR /> <BR /> Creation and assignment of Mitigation Controls in SAP GRC 12.0. This document describes the Mitigation configuration process in GRC 12 
Access Control in a very simple and easy way.<BR /> <BR /> <STRONG>What is Mitigation? </STRONG><BR /> <BR /> Mitigation&nbsp;allows you to accept certain risk violations that you want to remain available to specific users or roles. This is done by creating and assigning a Mitigation Control.<BR /> <BR /> <STRONG>Why is Mitigation required?</STRONG><BR /> <BR /> You can use mitigation controls when it is not possible to segregate the conflicting duties (SoD) within the business process.<BR /> <H3 id="use" class="section_title w-anchor" id="toc-hId-1090417243">Use</H3><BR /> <P class="p">You can use&nbsp;<SPAN class="ph uicontrol">Mitigating Controls</SPAN>&nbsp;to associate controls with risks, and assign them to users, roles, profiles, or HR objects. You can then define individuals as control monitors, or approvers, and assign them to specific controls. You can also create organizations and business processes to help categorize mitigating controls.</P><BR /> <P class="p">Using the&nbsp;<SPAN class="ph uicontrol">Mitigating Controls</SPAN>&nbsp;section, you can complete the following tasks:</P><BR /> <BR /> <UL class="ul"><BR /> <LI class="li"><BR /> <P class="p">Create mitigating controls (that you cannot remove)</P><BR /> </LI><BR /> <LI class="li"><BR /> <P class="p">Assign mitigating controls to users, roles, and profiles that contain a risk</P><BR /> </LI><BR /> <LI class="li"><BR /> <P class="p">Establish a period of time during which the control is valid</P><BR /> </LI><BR /> <LI class="li"><BR /> <P class="p">Specify steps to monitor conflicting actions associated with the risk</P><BR /> </LI><BR /> <LI class="li"><BR /> <P class="p">Create administrator, control monitors, approvers, and risk owners, and assign them to mitigating controls</P><BR /> </LI><BR /> </UL><BR /> Now we will learn how to create and assign a Mitigation.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><STRONG>Step 1) </STRONG>&nbsp;As a prerequisite, the two Owners (Normal Dialog User IDs) should be created in SU01 and assigned the roles below.</P><BR /> &nbsp;<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/GRC-Roles-1.png" height="77" width="944" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic;font-family: 'SAPRegular', 'Helvetica Neue', Arial, sans-serif">GRC Controller Roles under PFCG</P><BR /> <BR /> They should be maintained under the path NWBC &gt; Setup &gt; Access Owners &gt; Access Control Owners, as below.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/2-13.png" /></P><BR /> Assign one as Mitigation Monitor and the second as Mitigation Approver.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/3-8.png" /></P><BR /> <P style="text-align: center"><EM>Owners Assignment</EM></P><BR /> <BR /> <P style="overflow: hidden;margin-bottom: 0px">Now Save and Close.</P><BR /> <BR /> <STRONG>Step 2)</STRONG> Now we will create the Root Organization.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><STRONG>Path</STRONG>: SPRO &gt; GRC &gt; Shared Master Data Settings &gt; Create Root Org Hierarchy</P><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/4-7.png" /></P><BR /> <P style="text-align: center"><EM>SPRO Tcode</EM></P><BR /> <BR /> Give the name as per your requirement and execute.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/5-6.png" /></P><BR /> &nbsp;<BR /> 
<BR /> <STRONG>Step 3) </STRONG>Now go to NWBC &gt; Setup and maintain the data for the Root Organization.<BR /> <BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/6-7.png" /></P><BR /> <P style="text-align: center"><EM>Under NWBC</EM></P><BR /> <BR /> Open the Organization you created.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/7-5.png" /></P><BR /> Details in the General and Owners tabs are mandatory.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/20-2.png" /></P><BR /> <P style="overflow: hidden;margin-bottom: 0px">In the Owners tab, maintain the users we created in Step 1.</P><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/21-2.png" /></P><BR /> <BR /> <STRONG>Step 4)</STRONG><BR /> <BR /> Now we will create the Mitigation Control ID.<BR /> <BR /> Go to NWBC &gt; Setup &gt; Mitigation Control<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/10-8.png" /></P><BR /> <BR /> Maintain the details.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/11-4.png" /></P><BR /> Enter the Risk ID under Access Risks that you want to mitigate. 
One Mitigation ID can be used to mitigate multiple risks.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/Risk-Id-assignment-1.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">Risk ID assignment</P><BR /> <BR /> In the Owners tab, maintain the same two users we created in Step 1: one as Approver and the other as Monitor.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/Owners-assignment.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">Owners Assignment</P><BR /> <BR /> We have created the Mitigation Control ID; now save and close this tab.<BR /> <BR /> <STRONG>Step 5)</STRONG><BR /> <BR /> Now we will assign this Mitigation Control ID to the user who has a risk.<BR /> <BR /> Go to Mitigated User under Access Management in NWBC.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/14-3.png" /></P><BR /> <BR /> Go to the Assign tab and fill in all the required details. The Control ID, Monitor and Approver we already created can be maintained here; also enter the user name you want to mitigate and click Save.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/15-1.png" /></P><BR /> <P style="text-align: center"><EM>User Mitigation</EM></P><BR /> <BR /> <STRONG>Step 6)</STRONG><BR /> <BR /> We may now proceed to Risk Analysis.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/16-2.png" /></P><BR /> <BR /> Maintain all required details.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/17-2.png" /></P><BR /> <BR /> Upon executing the Risk Analysis, it will show no violation.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/04/Risk-Analysis.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">Risk Analysis</P><BR /> <BR /> The user is mitigated and we have achieved our goal: we have learned the end-to-end process of Mitigation creation and assignment here. I hope this document helps you learn the mitigation process. Please feel free to ask questions and comment if you face any issue related to Mitigation or need any further help; this will motivate me to create more SAP blogs.<BR /> <BR /> &nbsp; 2023-04-19T11:36:30+02:00 https://community.sap.com/t5/financial-management-blogs-by-members/mitigating-controls-is-this-a-cure-for-all-evil-in-redundant-authorizations/ba-p/13565041 Mitigating controls – is this a cure for “all evil” in redundant authorizations in SAP? (part 5/5) 2023-05-25T10:24:20+02:00 FilipGRC https://community.sap.com/t5/user/viewprofilepage/user-id/11783 <STRONG>Part #5/5</STRONG>: Summary and conclusions<BR /> <BR /> The fifth and last part of the article summarizes the topic. In this section, we will gather all the information and answer the questions: <EM>Why is the topic of access risk and SoD control important?</EM> and <EM>Why is it worth dealing with?</EM> We will suggest a correct sequence of actions. Why are redundant permissions dangerous, and why shouldn't this problem be left for later? 
Why do financial audits analyze this topic in such detail? We will also select the most important points from the previous parts to present both the problem itself and the method of dealing with it in a short summary. Finally, we will also look at the topic from the financial perspective: what determines the cost of 'compliance' ($$$) and how to reduce it. Enjoy reading!<BR /> <BR /> <STRONG>Why is the topic important?</STRONG><BR /> <BR /> Every year, the American organization ACFE (Association of Certified Fraud Examiners) investigates cases of fraud in organizations around the world. The data disclosed in the report for 2020 confirm the trend, visible for many years, that the costs of fraud are on average 5% of financial revenues. It takes an average of 14 months to detect an abuse from the moment it first occurs. The abuses cost businesses an average of $8,300 per month. Financial corruption is the most common type of fraud. In the report itself, the authors repeatedly emphasize that the most cost-effective approach to reducing financial losses resulting from fraud is prevention, i.e. preventing the occurrence of fraud.<BR /> <BR /> It may seem obvious, but from our perspective it is important to pay attention to the 'direction of thinking': it is possible, and worthwhile, to invest in preventing abuse rather than bearing the costs of repairing the damage it causes. The lack of an appropriate internal control system is responsible for one third of the abuses. We refer to the topic of our article here because the question about mitigating controls is a question about the architecture of the internal control system. Building an effective internal control system should start, just like building a house, with a good foundation. Our experience shows that this foundation is appropriately secured IT systems that support business processes and generate financial data as a result of their execution. 
These financial data are later summarized in the Profit and Loss Account or in the Corporate Financial Balance Sheet. These data are the basis for investors' investment decisions and for setting the course of action by the Management Board and management of the company. Therefore, they cannot be wrong. The central point in ensuring the correct processing of this data is a properly planned, designed, and implemented user authorization control system. Authorizations have the advantage that if they do not make it possible to perform a specific operation in the IT system, the user will not perform it. Of course, this is often a source of frustration for users who want to carry out the tasks entrusted to them while the system displays the message "<U>You are not authorized to perform this operation</U>". Most importantly, however, correct authorizations in the SAP system by their nature provide preventive control, i.e. they prevent the occurrence of financial fraud.<BR /> <BR /> <STRONG>How to approach the topic in the correct manner?</STRONG><BR /> <BR /> In a few words: when you identify the risk of excessive access rights, do not start with the implementation of a new mitigating control. First, analyze the authorization model and determine whether the user who carries the risk of excessive access rights actually needs the access from which the risk arises. Practice with organizations shows that users use only 50-60% of the rights assigned to them. It is worth approaching each identified risk in the entitlements individually, taking into account the level of risk and its negative impact on our organization. 
After deciding not to accept the effects of the risk and to eliminate it, it is worth analyzing the algorithm below, which presents the possible actions and, more importantly, the suggested sequence of their execution.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/05/New_sod_risk_EN.png" /></P><BR /> <BR /> <STRONG>How to deal with excessive user access?</STRONG><BR /> <BR /> Excessive user access rights often result from copying privileges when requesting access ("I am asking to copy the authorizations of Mr. Kowalski"), combined with the fact that Mr. Kowalski's access rights are very rarely removed when he moves from one department to another. A periodic access review process comes to the rescue: it allows you to identify authorizations that are not or have not been used (e.g. in the last 6-12 months) by the user to perform daily system tasks based on his HR responsibilities. The process of periodic verification is the foundation of the authorization control system; unfortunately, companies rarely use it, because such a process is difficult to implement in the organization without appropriate tools that support management decisions. Valuable information during such a review of rights is not only whether a given transaction was used, but also whether, for example, a given risk has already appeared in the history of reviews and, if so, what decision was made at that time (acceptance or rejection of the rights) for the given risk, organizational context and user. Before starting the access review, it is useful to determine which authorizations have already been withdrawn in accordance with the reviewers' decision and then, for example, re-granted in the authorization process. 
That is why the processes of granting authorizations and periodic verification should be mutually coupled, so that information is shared between them for better decisions by the management of the organization.<BR /> <BR /> <STRONG>How to improve the user authorization model?</STRONG><BR /> <BR /> A good authorization model is one in which users have only the privileges they require to perform the tasks assigned to a given HR position or process steps. Two challenges will often arise at this point. The first is how to determine what is needed to perform the tasks of a given HR position (process steps), and the second is how to technically define (map) it to the accesses in the SAP (ERP) system. The scope of duties in each position is defined, but it often happens that the scope of an employee's tasks, and thus the system authorizations, is allowed to grow. This is a partially understandable practice, but it does not improve the situation of the person who is to design a new entitlement model and wants to base it on the minimum needed for work. In such a situation, during the project initiative, the management redefines the division of tasks in each process or area. For this purpose, it uses the practices resulting from the segregation of duties matrices, which define the scopes of authorization that should not be combined because they cause unacceptable risks for the company.<BR /> <BR /> <STRONG>Summarizing, therefore, the entitlement model should include the following features:</STRONG><BR /> <UL><BR /> <LI>user rights should be the minimum required, necessary to perform tasks in each HR position. There should be no excessive rights, needed only during a replacement or received as part of the performance of work in previous job positions,</LI><BR /> <LI>authorizations should not include segregation of duties risks, in particular those marked as high or critical,</LI><BR /> <LI>the authorization process should be controlled, i.e. one that takes into account segregation of duties risk analysis before assigning authorizations. Permissions should not be copied from other users (a frequently used simplification in the permission granting process). Access to data should be approved in multiple stages, in particular by the appropriate data owner ("Data owner" or, for example, "Role owner"), i.e. avoiding a situation in which the manager of an employee in the logistics area grants authorizations to financial areas,</LI><BR /> <LI>authorizations should be periodically verified to take into account organizational and process changes, or those resulting from the HR policy. The data owner should have tools for periodic (once a year), efficient (decision-supporting) verification of the existing accesses.</LI><BR /> </UL><BR /> <STRONG>How to use mitigating controls wisely?</STRONG><BR /> <BR /> Mitigating controls are not an ideal solution to the problem of excessive user rights, but if properly implemented, they can be effective protection against access risks. They apply especially when it is impossible to partially restrict or revoke user access rights in the SAP / ERP system and the organization lacks the resources, or does not allow, to change the current way the process is run in the short term.<BR /> <BR /> In the third part of the article, we described the important role of knowing the business context. This is key in determining whether the control mechanisms we want to create have not already been implemented in the organization, or whether there are similar ones addressing the same control objective (the same risk), the only difference being the way the control activity is described or the business area requesting this control mechanism. It is very important to avoid duplication of control activities, because it generates huge costs for the organization without guaranteeing better (effective) management of the identified risks. 
An important element that helps avoid duplication is an automated repository of controls and risks, which allows the reasons for the existence of a control in a process to be reported from various perspectives: risks, regulations or legal requirements, processes, etc. Beyond a certain scale (&gt; 30 risks), it is impossible to maintain such a repository and system without a dedicated tool/system/application that enables the implementation of automatic mitigating controls.<BR /> <BR /> <STRONG>Changes in business processes</STRONG><BR /> <BR /> If we are unable to implement business controls, or their implementation is not justified in the long term, it is worth considering changes in the design and operation of the current business processes. In the short term, this is a greater organizational effort, but in the long term it may turn out to be more beneficial and may bring some optimization to our business process flows. Of course, ad hoc changes in business processes require an appropriate project initiative that will plan and design the future shape of the processes and then prepare a roadmap to achieve this state. Then, through progress monitoring mechanisms, it will ensure that the changes are implemented. This requires costs related to:<BR /> <UL><BR /> <LI>work of the organization's own managers and / or external experts who will help design the target model,</LI><BR /> <LI>costs of training employees in the new way of running the process,</LI><BR /> <LI>costs related to the maintenance of the new model, which, in principle, should be lower than the costs incurred so far.</LI><BR /> </UL><BR /> <STRONG>How much does it cost?</STRONG><BR /> <BR /> Finally, it is worth considering the financial and cost aspect. From our experience, this aspect is often overlooked, as the management of the company often thinks in terms of a 'must have', because it is required by a specific legal regulation. 
This is often justified, but years of our professional practice show that no regulation directly prescribes the method of implementation. The method of implementation is at the discretion of management or external advisers, who tend to follow the principle that it <EM>is better to do more than less</EM>. In the years 2003-2005, when the first implementations of the Sarbanes-Oxley Act appeared in the world, forcing the construction of internal control systems, organizations created new control mechanisms based on authorizations. In the following years, many costly optimization projects were carried out, as it turned out that maintaining unjustified, ill-considered controls in business processes cost a lot of money.<BR /> <BR /> <STRONG>This cost of control resulted directly or indirectly from:</STRONG><BR /> <UL><BR /> <LI>time (working days) of middle and senior managers devoted not only to the implementation of the control in the business process, but also to its documentation and description,</LI><BR /> <LI>time (man-days) of internal and external auditors needed to test these mechanisms, that is, to certify that they work properly and actually address the control objectives resulting from the described risk.</LI><BR /> </UL><BR /> At the other extreme, there are penalties for companies for failure to control or for misunderstanding the requirements. The Securities and Exchange Commission (SEC) imposed penalties amounting to USD 4.3 billion in 2019 alone.<BR /> <BR /> Therefore, the challenge remains to find the correct balance between the effectiveness of the internal control system and the expenditure incurred on its implementation and subsequent maintenance. 
An appropriate system of entitlements makes it possible to reduce the costs of maintaining such a system, and the resources saved can be wisely invested in the automation and maintenance of those control mechanisms that are appropriate for the defined risk base.<BR /> <BR /> <STRONG>Please share feedback or thoughts in the comments section.</STRONG><BR /> <BR /> Read&nbsp;<A href="http://community.sap.com/topics/grc" target="_blank">more</A>&nbsp;on related topics on the SAP Solutions for Governance, Risk, and Compliance Topic Page<BR /> <UL><BR /> <LI>See our&nbsp;<A href="https://blogs.sap.com/2022/11/18/mitigating-controls-is-this-a-cure-for-all-evil-in-excessive-authorizations-risks-in-sap/" target="_blank" rel="noopener noreferrer">introductory post</A>&nbsp;with links to the other articles in this series prepared together with&nbsp;<SPAN class="mention-scrubbed">andrzejpartyka</SPAN></LI><BR /> <LI>Ask questions about Governance, Risk, Compliance (GRC), and Cybersecurity and&nbsp;<A href="https://answers.sap.com/tags/237150e2-6555-4a16-b49e-e93dbf1891da" target="_blank" rel="noopener noreferrer">follow</A>&nbsp;us</LI><BR /> <LI>Read other Governance, Risk, Compliance (GRC), and Cybersecurity&nbsp;<A href="http://blogs.sap.com/tags/237150e2-6555-4a16-b49e-e93dbf1891da" target="_blank" rel="noopener noreferrer">blog</A>&nbsp;posts and follow them</LI><BR /> <LI>Please follow us and our profiles for future posts&nbsp;<SPAN class="mention-scrubbed">fnowak</SPAN>&nbsp;and&nbsp;<SPAN class="mention-scrubbed">andrzejpartyka</SPAN></LI><BR /> </UL><BR /> Filip Nowak<BR /> <BR /> &nbsp; 2023-05-25T10:24:20+02:00 https://community.sap.com/t5/financial-management-blogs-by-sap/shining-a-light-on-cybersecurity-safeguarding-critical-infrastructure-and/ba-p/13566381 Shining a light on Cybersecurity: Safeguarding Critical Infrastructure and Communities in the Age of the Internet of Things 2023-05-26T13:01:33+02:00 i353gfiata https://community.sap.com/t5/user/viewprofilepage/user-id/656256 <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/05/out-3-2.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">One of the first known cases of a cyber-attack on critical infrastructure was the power outage in Ukraine, which left over 225,000 people without electricity for several hours.</P><BR /> &nbsp;<BR /> <P style="font-weight: 400">Cybersecurity has evolved significantly in today's ever-changing digital landscape, transitioning from a routine IT task to a critical business strategy.</P><BR /> <P style="font-weight: 400">The rise of recent cyber-attack trends has further elevated the importance of cybersecurity, which in some cases involves safeguarding critical infrastructure and ensuring the safety of individuals and communities.</P><BR /> <BR /> <DIV><BR /> <H2 id="toc-hId-963091225"><B>The Internet of Things: A Double-Edged Sword</B></H2><BR /> </DIV><BR /> <DIV><BR /> <BR /> <A name="OLE_LINK1" target="_blank"></A>The risks associated with cyber-attacks on critical infrastructure are amplified by the increasing use of interconnected devices to automate processes and manage operations more efficiently. This trend, often referred to as the "Internet of Things" (IoT), has led to the creation of vast networks of connected devices, commonly known as Operational Technology (OT), which are used to monitor and control critical infrastructure systems.<BR /> <BR /> </DIV><BR /> <DIV><BR /> <BR /> While these interconnected devices offer significant benefits, they also introduce new vulnerabilities that cybercriminals can exploit. 
For example, a cyber-attack on a single device within a network can quickly spread to other devices and systems, potentially causing widespread disruption and damage.<BR /> <DIV><BR /> <H2 id="toc-hId-766577720"><B>Power Grids and Healthcare at Risk: The Urgent Call</B></H2><BR /> <DIV><BR /> <BR /> Particularly worrying is the increasing number of ransomware attacks on critical infrastructure. These attacks are often carried out by sophisticated cybercriminals who seek to extort money from organizations by threatening to disrupt or destroy their vital systems.<BR /> <BR /> </DIV><BR /> <DIV><BR /> <BR /> The potential damage that can be caused by cyber-attacks on critical infrastructure is significant. For example, an attack on a power grid could cause widespread blackouts, leaving people without electricity, heating, and other essential services. In hospitals, an attack could result in the disruption of patient care, leading to serious health consequences. Attacks on transportation systems could cause chaos and disrupt the movement of people and vital goods.<BR /> <BR /> </DIV><BR /> </DIV><BR /> <DIV><BR /> <H2 id="toc-hId-570064215"><B>Securing our future: Steps Taken by Governments and Organizations</B></H2><BR /> <P style="font-weight: 400">As a result of the increased risks associated with interconnected devices, many organizations and governments are taking steps to address the security challenges posed by the IoT.</P><BR /> <P style="font-weight: 400">Governments are working to establish standards and regulations to ensure the security of interconnected devices and systems. 
For example, the US government has established the Cybersecurity and Infrastructure Security Agency (CISA), which is responsible for protecting critical infrastructure from cyber-attacks.</P><BR /> <P style="font-weight: 400">Recently, the European Union introduced the NIS2 (Network and Information Systems) Directive to strengthen cybersecurity measures across its member states.</P><BR /> <P style="font-weight: 400">These governing bodies require operators of essential services and digital service providers to take steps to prevent and respond to cyber threats that could affect their systems and services, and to report and communicate significant cybersecurity incidents in a timely manner.</P><BR /> <P style="font-weight: 400">Companies operating in these sectors are required to implement strong cybersecurity measures, such as incident response plans, risk assessments, and regular security audits.</P><BR /> <P style="font-weight: 400">This is why there is increasing investment in advanced cybersecurity tools and techniques, such as machine learning and artificial intelligence, to better detect and respond to threats. These technologies help with:</P><BR /> <BR /> <OL><BR /> <LI><STRONG>Cybersecurity risk assessment:</STRONG> Processes and tools can be used to analyse and assess the cybersecurity risk associated with different types of critical infrastructure, such as power grids or water treatment plants. This can help organizations prioritize their security efforts and allocate resources to the areas where they are most needed.</LI><BR /> </OL><BR /> <P style="font-weight: 400"></P><BR /> <BR /> <OL start="2"><BR /> <LI><STRONG>Threat intelligence analysis:</STRONG> Analytics on threat intelligence data can be used to identify patterns and trends that could indicate an impending attack. 
This can enable organizations to prioritize their security efforts and take preventive measures to prepare their defences before attacks occur.</LI><BR /> </OL><BR /> <P style="font-weight: 400"></P><BR /> <BR /> <OL start="3"><BR /> <LI><STRONG>Anomaly detection:</STRONG> Machine learning algorithms can be trained to recognize normal behaviours and flag any abnormal activity that could indicate a cyber-attack. By correlating data from multiple sources, including network data, application logs, and threat intelligence feeds, potential cyber-attacks can be predicted before they occur.</LI><BR /> </OL><BR /> <P style="font-weight: 400"></P><BR /> <BR /> <OL start="4"><BR /> <LI><STRONG>Automated incident response:</STRONG> Security process automation can be used to automatically respond to certain types of cyber-attacks, such as malware infections or distributed denial-of-service (DDoS) attacks. This can help organizations quickly contain the attack and prevent it from spreading to other systems<BR /> <DIV></DIV></LI><BR /> </OL><BR /> <DIV><BR /> <H2 id="toc-hId-373550710"><A name="OLE_LINK9" target="_blank"></A><B>Working together: Securing Critical Infrastructures and Communities</B></H2><BR /> <P style="font-weight: 400">In summary, cybersecurity has transitioned from being a routine IT task to a crucial strategic business objective, and currently, it also represents a mission-critical effort to safeguard vital infrastructure.</P><BR /> <P style="font-weight: 400">The threat of ransomware is real and can cause serious damage, but while the risks associated with interconnected devices are significant, they are not insurmountable. 
With the right investments, collaborations and partnerships in cybersecurity, organizations and governments can mitigate these risks to ensure the safety and protection of our communities.</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId-435202643"><STRONG>Find out how SAP can help protect data and business systems as a Cloud ERP provider. Visit the&nbsp;</STRONG><A href="https://www.sap.com/about/trust-center/security.html" target="_blank" rel="noopener noreferrer"><STRONG>SAP Trust Center</STRONG></A><STRONG>&nbsp;site to explore our security, compliance, privacy, and service performance capabilities.</STRONG></H4><BR /> <BR /> </DIV><BR /> </DIV><BR /> </DIV> 2023-05-26T13:01:33+02:00 https://community.sap.com/t5/financial-management-blogs-by-sap/demystifying-cyber-risk-empowering-sap-organizations-to-measure-and/ba-p/13558139 Demystifying Cyber Risk: Empowering SAP Organizations to Measure and Integrate Cyber Risks into Business Decisions 2023-06-12T16:11:41+02:00 i353gfiata https://community.sap.com/t5/user/viewprofilepage/user-id/656256 <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/06/FAIR.png" /></P><BR /> <P class="image_caption" style="text-align: center;font-style: italic">FAIR Methodology (Factor Analysis of Information Risk) for Risk Quantification</P><BR /> <P style="font-weight: 400">In today's digitally driven world, organizations of all sizes and industries face the pervasive threat of cyberattacks.</P><BR /> <P style="font-weight: 400">With businesses relying increasingly on technology and interconnected systems, quantifying cyber risk has emerged as a critical task to increase risk visibility at the board level.</P><BR /> <P style="font-weight: 400">This blog explores how the FAIR 
(Factor Analysis of Information Risk) methodology helps in quantifying cyber risk, particularly within the SAP realm. It emphasizes the importance of integrating cyber risks into the broader enterprise risk management framework, ensuring that cybersecurity is not treated in isolation but is considered alongside other strategic risks.</P><BR /> <P style="font-weight: 400">By adopting a holistic approach to risk management, organizations can identify and prioritize cybersecurity investments, enhance their incident response capabilities, and safeguard their assets, reputation, and customers.</P><BR /> <BR /> <H3 style="font-weight: 400" id="toc-hId-1091307936"><STRONG>Quantifying Cyber Risk with the FAIR Model:</STRONG></H3><BR /> <P style="font-weight: 400">The FAIR methodology is a framework for assessing and quantifying information risk in a structured and systematic manner. It provides organizations with a consistent and repeatable approach to evaluating and measuring risk.</P><BR /> <P style="font-weight: 400">It promotes the usage of data-driven methods and probabilistic models to estimate and measure risk in financial terms, providing organizations with a more objective and consistent way to make risk-informed decisions and allocate resources effectively.</P><BR /> <P style="font-weight: 400">“<EM>By assigning probabilistic values and monetary figures to these components, organizations can gain a clearer understanding of the financial impact associated with cyber risks.</EM>” says Julian Meyrick, VP of Security Strategy Risk &amp; Compliance, IBM.</P><BR /> <BR /> <H3 style="font-weight: 400" id="toc-hId-894794431"><STRONG>Integrating Cyber Risks with Enterprise Risk Management:</STRONG></H3><BR /> <P style="font-weight: 400">Quantifying cyber risk with FAIR is essential, but it's just the beginning. Organizations must integrate cyber risks into their broader enterprise risk management (ERM) approach. 
This alignment allows them to prioritize risk mitigation and consider the impact on reputation, resilience, compliance, and finances.</P><BR /> <P style="font-weight: 400">To learn more, read the NIST guide for <A href="https://csrc.nist.gov/publications/detail/nistir/8286/final" target="_blank" rel="nofollow noopener noreferrer">Integrating Cybersecurity and Enterprise Risk Management.</A></P><BR /> <P style="font-weight: 400">For SAP, integrating cyber risks means assessing their effects in terms of data breaches, operational downtime, financial losses, and reputation damage. This is how organizations gain a comprehensive view and develop cohesive mitigation strategies.</P><BR /> <BR /> <H3 style="font-weight: 400" id="toc-hId-698280926"><STRONG>Quantifying cyber risks in SAP:</STRONG></H3><BR /> <P style="font-weight: 400">The confidentiality, integrity, and availability of information (CIA Triad) in an SAP system is often crucial to the operation of a business. Ideally, when the CIA Triad is effectively managed, the security profile of the organization is stronger and better equipped to handle threat incidents.</P><BR /> <P style="font-weight: 400">Let’s look at one real-life example of how Loss of Integrity could be estimated in an SAP environment (the specific values used in this example are for illustrative purposes only; in practice, actual values would vary based on the organization and its context).</P><BR /> <P style="font-weight: 400">In this scenario, a privileged insider with malicious intent could manipulate or alter data in the SAP systems, leading to a loss of integrity and potentially affecting product manufacturing processes.</P><BR /> <P style="font-weight: 400">Please note that, for the sake of simplicity, we will not delve into all the specific analysis parameters and variables, such as Contact Frequency, Probability of Action, Threat Capability, and Resistance Strength.</P><BR /> <P style="font-weight: 400">We also present values as 
point estimates (for simplicity). In practice, we account for the uncertainty that naturally occurs in this work by using ranges of values. For example, threat event frequency might be estimated to be somewhere between 0.05 times per year (1 in 20 years) and 0.2 times per year (1 in 5 years), with a most likely value of 0.1 times per year (1 in 10 years). In our examples, we’ll only discuss the single most likely value.</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId-630850140"><STRONG>Threat Event Frequency:</STRONG></H4><BR /> <P style="font-weight: 400">Assume the threat of a Privileged Insider compromising the integrity of the SAP system occurs once every 10 years. Therefore, the Threat Event Frequency would be 0.1 per year.</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId-434336635"><STRONG>Vulnerability Frequency:</STRONG></H4><BR /> <P style="font-weight: 400">Assume that the set of controls protecting against a skilled privileged insider compromising the integrity of the SAP system only allows half of the threat events to become loss events. Therefore, the probability that the Threat Event will result in a Loss Event could be estimated at 50%.</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId-237823130"><STRONG>Primary Loss:</STRONG></H4><BR /> <P style="font-weight: 400">Consider the potential primary loss as the cost of rework, system restoration, and operational disruption caused by the compromised integrity of the SAP system. Assume this amounts to $500,000.</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId-41309625"><STRONG>Secondary Loss:</STRONG></H4><BR /> <P style="font-weight: 400">Assume the secondary loss refers to the potential loss of customer trust, brand reputation, and market share. 
Assume a value of $30,000,000 was calculated to capture these intangible losses.</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId--155203880"><STRONG>Loss Frequency:</STRONG></H4><BR /> <P style="font-weight: 400">Multiply the Threat Event Frequency (0.1) by the Vulnerability Frequency (50%) to calculate the Loss Frequency. In this case, it would be 0.05.</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId--351717385"><STRONG>Loss Magnitude:</STRONG></H4><BR /> <P style="font-weight: 400">Add the Primary Loss and Secondary Loss together to get the Loss Magnitude. In this case, it would be $30,500,000 ($500,000 + $30,000,000).</P><BR /> <BR /> <H4 style="font-weight: 400" id="toc-hId--548230890"><STRONG>Overall Risk:</STRONG></H4><BR /> <P style="font-weight: 400">Multiply the Loss Frequency by the Loss Magnitude to calculate the overall risk. In this case, the most likely annual aggregated loss exposure would be $152,500 ($30,500,000 * 0.05).</P><BR /> As previously stated, in practice, these values would also be expressed in ranges, as opposed to a single point value as shown in our example.<BR /> <H3 style="font-weight: 400" id="toc-hId--949058483"><STRONG>Call&nbsp;to Action:</STRONG></H3><BR /> This example demonstrates the importance of quantifying risk to help organizations see where they need to implement stronger access controls, monitoring mechanisms, privileged user management, and incident response protocols to maintain the integrity of their SAP systems and their business processes.<BR /> <BR /> Quantifying cyber risk is an essential step towards building business resilience. 
The FAIR methodology empowers organizations to assign financial values to cyber risks, aiding in better decision-making and resource allocation.<BR /> <BR /> However, the true power lies in integrating cyber risk management with the broader enterprise risk management framework, which allows organizations to get buy-in from senior leadership and effectively prioritize risk mitigations.<BR /> <BR /> It is essential to acknowledge that cybersecurity is an ongoing investment that requires continuous adaptation and enhancement, and it is important to collaborate closely with your cloud service providers of software (SaaS), platform (PaaS), and infrastructure (IaaS) to fortify your organization against the ever-evolving face of cyber threats.<BR /> <H4 style="font-weight: 400" id="toc-hId--1438974995"><STRONG>Learn more:</STRONG></H4><BR /> <UL style="font-weight: 400"><BR /> <LI><A href="https://podcast.opensap.info/the-future-of-erp/2023/06/14/episode-12-uncovering-blind-spots-a-guide-to-measuring-and-managing-your-cybersecurity-risks-with-sap-ibm/" target="_blank" rel="nofollow noopener noreferrer"><SPAN style="font-size: 1rem">Podcast: A Guide to Measuring and Managing Your Cybersecurity Risks with SAP &amp; IBM</SPAN></A></LI><BR /> <LI><A href="https://www.sap.com/insights/viewpoints/how-to-spend-your-cybersecurity-budget.html" target="_blank" rel="noopener noreferrer">SAP and the FAIR model</A></LI><BR /> <LI><A href="https://help.sap.com/docs/SAP_ANALYTICS_CLOUD/42093f14b43c485fbe3adbbe81eff6c8/40553ae164a943e0b6076364d8fef944.html" target="_blank" rel="noopener noreferrer">SAP Cybersecurity Dashboard</A></LI><BR /> <LI><A href="https://www.forbes.com/sites/sap/2023/04/03/the-cybersecurity-advantages-of-the-cloud/?sh=7a083954311c" target="_blank" rel="nofollow noopener noreferrer">The Cybersecurity Advantages of the Cloud</A></LI><BR /> </UL> 2023-06-12T16:11:41+02:00 
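The FAIR arithmetic walked through in the post above (Threat Event Frequency × Vulnerability = Loss Event Frequency; Primary Loss + Secondary Loss = Loss Magnitude; risk = Loss Event Frequency × Loss Magnitude), as an added example that is not part of the original post and not code from SAP or the FAIR Institute. It takes the post's own inputs (TEF 0.05/0.1/0.2 per year, vulnerability 50%, primary loss $500,000, secondary loss $30,000,000) and goes one step further than the post: besides the single most-likely value it runs a Monte Carlo over three-point (minimum, most likely, maximum) ranges, which is how the post says these values are expressed in practice. The ranges around vulnerability and the two losses are constructed here for illustration and are not from the post. As a check on the point arithmetic, 0.1 × 50% × ($500,000 + $30,000,000) evaluates to $1,525,000.

```python
"""FAIR-style annualized loss exposure: point estimate and range-based Monte Carlo.

Added illustration, not from the SAP Community post. Factor names follow FAIR:
Threat Event Frequency (TEF) x Vulnerability = Loss Event Frequency (LEF);
Primary Loss + Secondary Loss = Loss Magnitude (LM); risk = LEF x LM per year.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum) for one FAIR factor."""
    low: float
    likely: float
    high: float

    def __post_init__(self):
        if not self.low <= self.likely <= self.high:
            raise ValueError("estimate must satisfy low <= likely <= high")


def point_risk(tef, vulnerability, primary_loss, secondary_loss):
    """Most-likely annualized loss exposure from single point values."""
    loss_event_frequency = tef * vulnerability
    loss_magnitude = primary_loss + secondary_loss
    return loss_event_frequency * loss_magnitude


def sample_pert(est, rng, shape=4.0):
    """One draw from a modified PERT (beta) distribution on [low, high], peaked at likely."""
    span = est.high - est.low
    if span == 0:
        return est.low  # degenerate range: the point estimate itself
    alpha = 1.0 + shape * (est.likely - est.low) / span
    beta = 1.0 + shape * (est.high - est.likely) / span
    return est.low + rng.betavariate(alpha, beta) * span


def simulate_risk(tef, vulnerability, primary_loss, secondary_loss,
                  iterations=20_000, seed=1):
    """Monte Carlo over three-point ranges; returns mean and p10/p50/p90 of annual loss."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    losses = []
    for _ in range(iterations):
        lef = sample_pert(tef, rng) * sample_pert(vulnerability, rng)
        lm = sample_pert(primary_loss, rng) + sample_pert(secondary_loss, rng)
        losses.append(lef * lm)
    losses.sort()
    n = len(losses)
    return {
        "mean": sum(losses) / n,
        "p10": losses[int(0.10 * n)],
        "p50": losses[n // 2],
        "p90": losses[int(0.90 * n)],
    }


# Values from the post: TEF range 0.05/0.1/0.2 per year, vulnerability 50%,
# primary loss $500,000, secondary loss $30,000,000. The ranges around the
# last three factors are constructed for this illustration only.
TEF = Estimate(0.05, 0.1, 0.2)
VULNERABILITY = Estimate(0.3, 0.5, 0.7)                        # constructed range
PRIMARY_LOSS = Estimate(250_000, 500_000, 1_000_000)           # constructed range
SECONDARY_LOSS = Estimate(10_000_000, 30_000_000, 60_000_000)  # constructed range

if __name__ == "__main__":
    print(f"point estimate: ${point_risk(0.1, 0.5, 500_000, 30_000_000):,.0f}")
    for name, value in simulate_risk(TEF, VULNERABILITY, PRIMARY_LOSS, SECONDARY_LOSS).items():
        print(f"{name:>4}: ${value:,.0f}")
```

The PERT shape parameter of 4 is the conventional default; a larger value concentrates the draws around the most-likely estimate, a smaller one spreads them toward the bounds. Reporting p10/p50/p90 rather than a single number is what makes the range honest to the board: the p90 is the figure to compare against control spend when the question is how much exposure the controls actually buy down.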
https://community.sap.com/t5/financial-management-blogs-by-sap/grc-tuesdays-why-i-love-risk-management-and-i-think-you-should-as-well/ba-p/13423911 GRC Tuesdays: Why I Love Risk Management… and I Think You Should As Well 2023-07-04T15:28:09+02:00 T_Frenehard https://community.sap.com/t5/user/viewprofilepage/user-id/215222 <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2020/05/Image-1-6.jpg" /></P><BR /> The bottom line is pretty straightforward: it’s because risk management is not about preventing the business from progressing faster. It’s actually there to help it thrive and take the right level of risk - the one that will support the achievement of the objectives and won’t endanger the business in case it encounters a few roadblocks on the way.<BR /> <BR /> Who would drive a car at night and not turn the headlights on? Or go on a long trip without checking the level of petrol first?<BR /> <H2 id="toc-hId-930684166">Risk Management Is Reactive and Proactive</H2><BR /> <BR /> That’s precisely what risk management is – a constant petrol gauge to ensure the company is sufficiently fuelled and won’t run out of gas before it reaches its destination. That’s the reactive part.<BR /> <BR /> But risk management also incorporates a proactive part, hence the headlights in the night analogy. Our context and environment are always changing, and so is the road you’re driving on, so making sure you can see all the curves and other cars ahead of time will prevent last minute swerves and enable a smoother drive.<BR /> <H2 id="toc-hId-734170661">Risk Management Is Insurance</H2><BR /> <BR /> Risk management is also about ensuring that you have the right level of insurance. 
Not only because it’s a legal obligation when you own a car - a regulatory risk if not complied with - but also because, if you’re the sole driver of your compact two-door car, do you really need insurance that covers two extra drivers and all damage liabilities for a Lamborghini class vehicle?<BR /> <BR /> Well, with risk management, you’re able to identify what could go wrong and to quantify these events in the context of your business and its own value. Hence, when you transfer your insurable risks, you can confidently select the right level of coverage and optimize your insurance costs.<BR /> The potential gain can then be reinvested in the business to add more fuel and go further.<BR /> <BR /> In order to be as close to reality as possible, risk management has to rely on a network of in-house business experts, since they’re the ones who know the business like the back of their hand and can not only explain what the potential risks are, but also work on finding responses that would appropriately mitigate them.<BR /> <BR /> That’s where risk management goes to full power – these business experts are not necessarily risk specialists, so both departments need to work together to come up with the list of threats and their associated mitigations in a manner that’s consistent with the company’s risk management framework, so as to be reportable and comparable across all business units.<BR /> <BR /> If risk management has the ear of the business and is correctly perceived as a trusted value-add activity, then this will not only go smoothly but will ensure continuous discussions and updates. 
And this is worth its weight in gold for both parties.<BR /> <BR /> As you can read, I’m a strong believer that risk management is much more than a consolidation and reporting function: it effectively supports the efforts of the whole company, from its operations to its management functions.<BR /> <BR /> A department that focuses on the long-term sustainability of the company – doesn’t that sound like a good place to be in?<BR /> <BR /> Originally published on the <A href="https://www.sap.com/community/topics/analytics.html" target="_blank" rel="noopener noreferrer">SAP Analytics Blog</A> 2023-07-04T15:28:09+02:00 https://community.sap.com/t5/financial-management-blogs-by-members/net-present-value-calculation-using-tpm60cva/ba-p/13580910 Net Present Value Calculation using TPM60CVA 2023-08-29T18:42:17+02:00 sumitdua https://community.sap.com/t5/user/viewprofilepage/user-id/869375 TPM60CVA - Calculate Net Present Values - With CVA and DVA<BR /> <BR /> In Treasury and Risk Management, one can use the following functions for the system to calculate NPVs (or fair values):<BR /> <UL><BR /> <LI><STRONG>Transaction JBRX - </STRONG>Single Value Analysis: NPV, to calculate NPVs for financial transactions. Please note that this transaction doesn’t save any calculated NPVs but is used for what-if analysis based on an input scenario.</LI><BR /> <LI><STRONG>Transaction TPM60</STRONG> – In order to save NPVs that the system has calculated and use them later, we can use TPM60, which is the function to save NPVs. For this transaction, the system calculates the NPVs in exactly the same way as transaction JBRX and saves the results in the NPV table VTVBAR.</LI><BR /> <LI><STRONG>Transaction TPM60CVA</STRONG> – This function is used to determine NPVs including CVA and DVA in your NPV calculation. 
The results are also stored in the NPV table.<BR /> <UL><BR /> <LI>Credit Value Adjustment (CVA) is the amount subtracted from the mark-to-market (MTM) value of positions to account for the expected loss due to counterparty defaults. Since CVA is a positive value, it is deducted from the risk-free NPV calculation.</LI><BR /> <LI>Debit Value Adjustment (DVA) is the amount added back to the MTM value to account for the expected gain from an institution’s own default. As DVA is a negative value, it must be subtracted from the risk-free NPV calculation.</LI><BR /> </UL><BR /> </LI><BR /> </UL><BR /> The NPV of a financial transaction with the inclusion of CVA and DVA is derived as “<STRONG>Risk-free NPV – CVA – DVA</STRONG>”.<BR /> <BR /> CVA and DVA are calculated in the system in the following ways:<BR /> <OL><BR /> <LI><STRONG>Difference Method:</STRONG> With this method, the system calculates the values below based on the evaluation type:<BR /> <OL><BR /> <LI><STRONG>Risk-based NPV</STRONG> using the yield curve stored in the evaluation type. If the settings for credit spreads are also saved, the system takes them into account when calculating the NPV, as in a composite yield curve.</LI><BR /> <LI><STRONG>Risk-Free NPV</STRONG> based on the risk-free yield curve stored in the evaluation type.</LI><BR /> </OL><BR /> The difference between the Risk-free NPV and the Risk-based NPV is equal to the CVA or DVA.</LI><BR /> </OL><BR /> <OL start="2"><BR /> <LI><STRONG>Based on Expected Exposures:</STRONG> In this method, CVA/DVA is calculated separately based on the expected exposures on a given date. The calculation requires the credit spread curve for the reference entity, which is either the counterparty or your own company.</LI><BR /> </OL><BR /> This document explains the NPV calculation of a foreign exchange transaction based on expected exposures; the following terminology is needed to understand the process:<BR /> <OL><BR /> <LI><STRONG>Evaluation Type</STRONG>: This is an object where all the required yield curves are mapped that will be used to determine the NPV. The field is available as input on the TPM60CVA screen.</LI><BR /> <LI><STRONG>Reference Entity</STRONG>: Reference entities are created for counterparties or own company codes. These entities are mapped to the yield curves that will be used for the CVA/DVA calculation.</LI><BR /> <LI><STRONG>CVA/DVA Type</STRONG>: This object determines how the CVA/DVA calculation is done in the system.</LI><BR /> </OL><BR /> Customizing required for calculating NPV with CVA/DVA:<BR /> <BR /> <STRONG>Define Expected Exposure Type</STRONG><BR /> <BR /> This setting controls how the system calculates expected exposures (EE).<BR /> <BR /> SPRO-&gt; Financial Supply Chain Management -&gt; Treasury and Risk Management -&gt; Basic Analyzer Setting -&gt; Valuation -&gt; Settings for Calculation of Credit and Debit Value Adjustments -&gt; Define expected Exposure Types<BR /> <P style="overflow: hidden;margin-bottom: 0px"><STRONG> <IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture1-39.png" /></STRONG></P><BR /> <STRONG>Define Credit and Debit Value Adjustment types</STRONG><BR /> <BR /> The adjustment types control how the system calculates CVA and DVA.<BR /> <BR /> SPRO-&gt; Financial Supply Chain Management -&gt; Treasury and Risk Management -&gt; Basic Analyzer Setting -&gt; Valuation -&gt; Settings for Calculation of Credit and Debit Value Adjustments -&gt; Define Credit and Debit Value Adjustment Types<BR /> <BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG 
class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture2-25.png" /></P><BR /> <STRONG>Define Valuation Rule</STRONG><BR /> <BR /> SPRO-&gt; Financial Supply Chain Management -&gt; Treasury and Risk Management -&gt; Basic Analyzer Setting -&gt; Valuation -&gt; Define Valuation Rule<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture3-18.png" /></P><BR /> <STRONG>Define Evaluation Type</STRONG><BR /> <BR /> Settings for evaluation types are required for the calculation of the net present values of financial transactions/treasury positions.<BR /> <BR /> SPRO-&gt; Financial Supply Chain Management -&gt; Treasury and Risk Management -&gt; Basic Analyzer Setting -&gt; Valuation -&gt; Define and Setup Evaluation Type<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture4-20.png" /></P><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture5-18.png" /></P><BR /> <BR /> <STRONG>Master Data Required to be maintained:</STRONG><BR /> <BR /> Below are the currency parameters of the forex transaction that we are evaluating:<BR /> <BR /> Position Currency: USD<BR /> <BR /> Valuation Currency: EUR<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture6-16.png" /></P><BR /> Based on the composite curve structure in the evaluation type, the market data for the required date needs to be maintained to make sure that the NPV calculation is done correctly.<BR /> <BR /> <STRONG>Risk Free Yield Curve</STRONG> – Curve Type 1000<BR /> <BR /> Reference 
rates maintained for Yield Curve for Currency EUR:<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture7-17.png" /></P><BR /> Reference Rates Maintained as on 31.07.2023:<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture8-18.png" /></P><BR /> <STRONG>FX Volatility Type</STRONG> – Curve Type 002<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture9-16.png" /></P><BR /> <STRONG>Basis Spread Curve</STRONG> – 1000 (will be picked based on tenor)<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture10-16.png" /></P><BR /> <STRONG>Credit Spread for Business Partner</STRONG><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture11-16.png" /></P><BR /> Now, we execute TPM60CVA as on 31.07.2023.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture12-15.png" /></P><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture13-13.png" /></P><BR /> Upon execution, the system displays the calculated NPV.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture14-13.png" /></P><BR /> The NPV value is saved in the NPV table (VTVBAR).<BR /> <P style="overflow: 
hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture15-14.png" /></P><BR /> Once the NPV values are saved, execute valuation TPM1 to post the accounting entries.<BR /> <BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture17-10.png" /></P><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/08/Picture16-11.png" /></P><BR /> <BR /> TPM60CVA offers enhanced functionality to calculate the net present value by taking into account the credit risk associated with the external bank and with your own organization, thus further adjusting the value and allowing for a more accurate assessment of the financial position.<BR /> <BR /> Please share your thoughts in the comments and let me know if you want me to cover any other analyzer-related topic. 2023-08-29T18:42:17+02:00 https://community.sap.com/t5/financial-management-blogs-by-sap/grc-tuesdays-in-risk-management-a-picture-is-worth-a-thousand-words/ba-p/13423909 GRC Tuesdays: In Risk Management, a Picture Is Worth a Thousand Words 2023-10-10T05:31:10+02:00 T_Frenehard https://community.sap.com/t5/user/viewprofilepage/user-id/215222 <IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2019/10/Picture1-2.jpg" height="206" width="286" /><BR /> <BR /> To me, this adage fully applies to risk management, where the complex situation and environment of a risk can more easily be grasped visually using dedicated graphical models like the bow tie representation. Indeed, I believe this type of representation can truly ease the risk identification and mitigation phases. 
Furthermore, with such an easy-to-understand representation, the myth of risk management being a complicated process vanishes and people can focus on the true value of risk management – making decisions.<BR /> <H2 id="toc-hId-930684143"><STRONG>What Is the Bow-Tie Method?</STRONG></H2><BR /> <BR /> The bow tie method is a risk documentation and representation approach where the risk event sits in the middle of the picture and its context surrounds it. In most versions, the drivers and impacts are displayed on either side of the risk, resulting in a representation of a man’s bow tie.<BR /> <BR /> Most diagrams also include risk responses located on each impact and driver branch, and some elaborate versions incorporate the associated processes in which the risk would take place and even, sometimes, the relevant key risk indicators (KRIs) constituting the early warning system for the risk.<BR /> <H2 id="toc-hId-734170638"><STRONG>When Should I Use the Bow-Tie Method?</STRONG></H2><BR /> <BR /> To me, the bow tie method can be used in most if not all situations. Widely used for Environment, Health and Safety (EH&amp;S) type risks, I see no reason why it should be restricted to one risk category, because it’s simply another representation of the risk information.<BR /> <BR /> From my experience, this approach is very helpful when performing a risk identification with people who don’t have prior risk management experience. Leveraging this approach often helps stakeholders better picture the risk, its sources and consequences, and therefore increases their involvement in the exercise.<BR /> <BR /> Furthermore, for risks that span multiple areas or departments, it helps in recreating the complete chain of events that would result in the risk occurring. 
Indeed, by graphically documenting the risk drivers, this approach can facilitate the identification of related events, since the bow tie is a great brainstorming support.<BR /> <H2 id="toc-hId-537657133"><STRONG>Where Do I Start?</STRONG></H2><BR /> <BR /> Using the bow tie method is rather straightforward and I would suggest simply following these steps:<BR /> <OL><BR /> <LI>Name and describe the risk event (what could happen) in a circle placed in the middle of the page</LI><BR /> <LI>On the left of the circle, place the risk drivers (risk sources) that could trigger the event to occur</LI><BR /> <LI>On the right, place the potential consequences (risk impacts) that would be incurred should the event effectively happen</LI><BR /> </OL><BR /> That’s it! Now that you have identified the risk, if you want to take this exercise a step further, you can place the preventive and corrective risk responses on each branch. This would enable you to rapidly visualize if any branch is left uncovered or if, on the other hand, some are being <EM>over</EM>covered with too many risk responses.<BR /> <BR /> The following is simply an illustrative example of the result you would be getting, and the lightning symbol illustrates where risk responses are in place:<BR /> <BR /> <IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2019/10/Bow-tie.png" /><BR /> <BR /> This easy-to-understand representation facilitates decision making, which is the true value of risk management.<BR /> <BR /> What about you? Do you currently use this bow tie approach? If so, would you have any recommendations on where to start and how to progress? 
If not, could you tell us why you aren’t using this method?<BR /> <BR /> If you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the <A href="https://www.sap.com/registration/request-demo.html?product=237150e2-6555-4a16-b49e-e93dbf1891da&amp;productName=Governance%2C+Risk%2C+Compliance+%28GRC%29%2C+and+Cybersecurity&amp;pageTitle=Cybersecurity+and+Governance%2C+Risk%2C+and+Compliance+Software&amp;countryOfOrigin=en_au&amp;refererPagePath=https%3A%2F%2Fwww.sap.com%2Faustralia%2Fproducts%2Ffinancial-management%2Fgrc.html&amp;refererContentPath=%2Fcontent%2Fsapdx%2Flanguages%2Fen_gb%2Fproducts%2Ffinancial-management%2Fgrc&amp;navTitle=Request+a+Demo" target="_blank" rel="noopener noreferrer">demo request form</A>!<BR /> <BR /> Originally published on the <A href="https://www.sap.com/community/topics/analytics.html" target="_blank" rel="noopener noreferrer">SAP Analytics Blog</A> 2023-10-10T05:31:10+02:00 https://community.sap.com/t5/financial-management-blogs-by-sap/sap-risk-management-and-controls-in-the-public-cloud/ba-p/13572101 SAP Risk Management and Controls in the Public Cloud 2023-11-21T09:50:12+01:00 neil_patrick https://community.sap.com/t5/user/viewprofilepage/user-id/330209 <H2 id="toc-hId-963893412"><STRONG>Game Changer for our Customers</STRONG></H2><BR /> This is a momentous event in SAP GRC! We are adding a new public cloud risk management capability to our already exciting public cloud internal control solution <A href="https://www.sap.com/products/financial-management/financial-compliance-management.html" target="_blank" rel="noopener noreferrer">SAP Financial Compliance Management</A> (FCM). 
Take a look at my <A href="https://www.sap.com/products/financial-management/financial-compliance-management.html" target="_blank" rel="noopener noreferrer">GRC Tuesday blog on the solution</A> if you want additional information about FCM.<BR /> <BR /> We will offer public cloud risk and control management in the same solution, running on SAP Business Technology Platform, and with integration into SAP S/4HANA Cloud - both public and private versions. It can also integrate with SAP ERP 6.0 (ECC) as part of an implementation project. Note that this risk module is different from our existing private cloud solution SAP Risk Management.<BR /> <BR /> We plan to release the new functionality into FCM before the end of 2023.<BR /> <BR /> &nbsp;<BR /> <H2 id="toc-hId-767379907"><STRONG>Why this matters, and why now</STRONG></H2><BR /> We are at a point in time where businesses really do have to deal with a VUCA (volatility, uncertainty, complexity, and ambiguity) environment – in terms of data, processes, employees, financials and financing, n<SUP>th</SUP> parties, technology, regulations, internal and external risk. By way of example, ESG pretty much covers all of these aspects in one go.<BR /> <BR /> At the SAP Insider GRC conference last week in Copenhagen, we saw an interesting figure from their <A href="https://sapinsider.org/research-reports/the-cios-transformation-report-card-2023/" target="_blank" rel="nofollow noopener noreferrer">The CIO’s Transformation Report Card 2023</A>.
The most common trend, picked by 53% of 2023 respondents (up from 36% in 2022), was: Automation, standardization, or redesign of our business processes.<BR /> <BR /> I believe this is a reflection of trends such as:<BR /> <UL><BR /> <LI>90% of compliance leaders expect evolving business, <STRONG>regulatory, and customer demands</STRONG> to <STRONG>increase compliance-related operating costs</STRONG> by up to 30% (<A href="https://www.accenture.com/content/dam/accenture/final/a-com-migration/pdf/pdf-177/accenture-compliance-risk-study-report-2022-may13.pdf" target="_blank" rel="nofollow noopener noreferrer">Accenture, 2022</A>)</LI><BR /> <LI>50% of organizations aim to <STRONG>automate controls</STRONG> monitoring and management capabilities to address core drivers of GRC strategy in 2023 (<A href="https://sapinsider.org/grc-state-of-the-market-2023-benchmark-report/" target="_blank" rel="nofollow noopener noreferrer">SAP Insider, 2023</A>)</LI><BR /> <LI><STRONG>3 out of 4 companies</STRONG> are planning to increase spend across data analytics (75%), process automation (74%), and technology (72%) to support the detection and <STRONG>monitoring of risks</STRONG> (<A href="https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-risk-survey.html" target="_blank" rel="nofollow noopener noreferrer">PwC, 2022</A>)</LI><BR /> </UL><BR /> The way to deal with a VUCA business landscape is to centralize and consolidate risk and control management, automate where possible, adopt best practices and standard operating procedures, replace technical-debt options with strategically aligned integrated solutions from a single supplier, and select solutions with low TCO and ease of use.
This is where the new offering from SAP fits perfectly.<BR /> <BR /> &nbsp;<BR /> <H2 id="toc-hId-570866402"><STRONG>Risk and Controls in the same solution</STRONG></H2><BR /> It’s incumbent on me, and honest, to say this is the first release of our public cloud risk module into FCM. However, there is a strong roadmap of product development behind it, as well as behind FCM itself, which will also include a name change.<BR /> <BR /> With this solution we will:<BR /> <UL><BR /> <LI>Provide one platform for many use cases and risk domains across the enterprise</LI><BR /> <LI>Transform governance, risk, and compliance (GRC) from a cost factor (backward looking) to a strategic differentiator (business performance improvement, forward looking)</LI><BR /> <LI>Enhance process assurance for S/4HANA Cloud, Public &amp; Private Cloud Edition, on premise, as well as hybrid scenarios.</LI><BR /> <LI>Align with SAP core strategy of running on SAP Business Technology Platform, and SAP Analytics Cloud.</LI><BR /> </UL><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Risk-and-Control-Vision.jpg" /></P><BR /> &nbsp;<BR /> <H2 id="toc-hId-374352897"><STRONG>Some sneak screenshot previews</STRONG></H2><BR /> <STRONG>Bear in mind the actual release version may look different.</STRONG><BR /> <BR /> Below are some screenshots from one of our development instances of the public cloud risk management software. It’s no accident that I have chosen an ESG-type risk below, just to demonstrate that while the software is (currently) called SAP Financial Compliance Management, use cases are by no means limited to financial ones.
They could be HR, Operational, Legal, IT application, ESG (as in this case), and more.<BR /> <BR /> The risk definition section is intuitive and comprehensive, with a summary and loss section at the top for a quick grasp of the state of the risk.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Risk-Definition-1.jpg" /></P><BR /> &nbsp;<BR /> <BR /> We document Causes and Impacts for the risk.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Cause-and-Impact-1.jpg" /></P><BR /> &nbsp;<BR /> <BR /> As well as the process and result of a risk assessment, based on the strength of treatment plans.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Treatment-Plan-1.jpg" /></P><BR /> Including this risk management module within FCM allows automated control performance to be included in the risk assessment. In the example above the treatment measure "Reduction of high risk water-sourcing regions" is in fact one of the controls in the system. The control automatically interrogates S/4HANA, checking for suppliers from countries subject to failures due to increased occurrences of drought brought about by climate change.<BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Control-AP.jpg" /></P><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/AP-Found-Items.jpg" /></P><BR /> Business users can easily fine-tune the logic in the procedure by editing parameters and thresholds for the automated procedure performance.
They can also drill into the outputs and conduct thorough issue and remediation activities.<BR /> <BR /> &nbsp;<BR /> <BR /> It’s worth noting too that we have an integration between FCM and <A href="https://www.signavio.com/products/process-manager/" target="_blank" rel="nofollow noopener noreferrer">SAP Signavio Process Manager</A>, which means the business first line solution (Signavio) and assurance second line solution (FCM) automatically synchronize process and control information. I have discussed this in my <A href="https://blogs.sap.com/2023/04/25/automatically-synchronize-controls-and-processes-across-process-modelling-and-assurance/" target="_blank" rel="noopener noreferrer">blog about this integration</A>. And this leading-edge integration has been nominated for an innovation award by the <A href="https://www.grcworldforums.com/news-and-insights/the-risk-awards-2023-finalists-revealed/8932.article" target="_blank" rel="nofollow noopener noreferrer">#RISK Awards Team</A>. Of course we are looking at including risk in the integration.<BR /> <BR /> &nbsp;<BR /> <H2 id="toc-hId-177839392"><STRONG>Benefits</STRONG></H2><BR /> The benefits of this new offering are simple but can be subtle, which in fact means they are sometimes complex to articulate with due importance. And there can be many, which leads to ‘listener fatigue’.
But for the business and business users, they are real.<BR /> <BR /> Examples include:<BR /> <UL><BR /> <LI>Low total cost of ownership</LI><BR /> <LI>Simple infrastructure</LI><BR /> <LI>Short time to operationalize</LI><BR /> <LI>Smoother digitalization, finance/digital transformation</LI><BR /> <LI>Ease of use, intuitive user interface</LI><BR /> <LI>Standardised best practice approach</LI><BR /> <LI>Access to expanding consumable content</LI><BR /> <LI>Leverage SAP Business Technology Platform capabilities</LI><BR /> <LI>In line with SAP strategy, customer strategy</LI><BR /> <LI>Benefits from LLP and ML capabilities, future potential access to anonymized data</LI><BR /> </UL><BR /> &nbsp;<BR /> <H2 id="toc-hId--18674113"><STRONG>In Summary</STRONG></H2><BR /> Effective risk and control management is a fundamental requirement for the modern business - for performance, not only risk and compliance.<BR /> <BR /> Public cloud GRC software has real business benefits.<BR /> <BR /> SAP is here to support customers looking for a public cloud risk and control solution with deep integration to S/4HANA.<BR /> <BR /> And this journey is just going to get stronger. 2023-11-21T09:50:12+01:00 https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/innovating-risk-management-envisioning-sap-s-4hana-cloud-and-ai-integration/ba-p/13575897 🌐 INNOVATING RISK MANAGEMENT: ENVISIONING SAP S/4HANA CLOUD AND AI INTEGRATION 🌐 2023-12-01T09:46:21+01:00 Alexander_Korne https://community.sap.com/t5/user/viewprofilepage/user-id/131930 <span class="lia-unicode-emoji" title=":rocket:">🚀</span> As a Product Manager deeply immersed in the realm of innovation, let's explore an exciting yet imaginary scenario— the integration of SAP S/4HANA Cloud with Artificial Intelligence for advanced risk management. Although currently a vision, the potential impact on business resilience is profound. 
<span class="lia-unicode-emoji" title=":robot_face:">🤖</span><BR /><BR />𝐓𝐡𝐞 𝐕𝐢𝐬𝐢𝐨𝐧𝐚𝐫𝐲 𝐁𝐥𝐞𝐧𝐝:<BR />Imagine SAP S/4HANA Cloud evolving into a strategic powerhouse by harmoniously integrating with AI algorithms to redefine how businesses approach risk management. The mission? To fortify organizations against uncertainties and drive informed decision-making. <span class="lia-unicode-emoji" title=":shield:">🛡</span>️<span class="lia-unicode-emoji" title=":briefcase:">💼</span><BR /><BR />𝐏𝐨𝐭𝐞𝐧𝐭𝐢𝐚𝐥 𝐓𝐫𝐚𝐧𝐬𝐟𝐨𝐫𝐦𝐚𝐭𝐢𝐨𝐧𝐬:<BR /><span class="lia-unicode-emoji" title=":bar_chart:">📊</span> 𝘍𝘳𝘢𝘶𝘥 𝘋𝘦𝘵𝘦𝘤𝘵𝘪𝘰𝘯 𝘔𝘢𝘴𝘵𝘦𝘳𝘺: Envision AI scrutinizing financial transactions within SAP S/4HANA Cloud, detecting patterns indicative of potential fraud. It's not just about identifying risks; it's about thwarting them before they materialize. <span class="lia-unicode-emoji" title=":magnifying_glass_tilted_left:">🔍</span><span class="lia-unicode-emoji" title=":credit_card:">💳</span><BR /><BR /><span class="lia-unicode-emoji" title=":globe_with_meridians:">🌐</span> 𝘏𝘰𝘭𝘪𝘴𝘵𝘪𝘤 𝘙𝘪𝘴𝘬 𝘈𝘴𝘴𝘦𝘴𝘴𝘮𝘦𝘯𝘵: Picture AI analyzing diverse data sources, from market trends to supplier performance, providing a comprehensive risk assessment. It's a futuristic approach to risk management that goes beyond traditional boundaries. <span class="lia-unicode-emoji" title=":globe_with_meridians:">🌐</span><span class="lia-unicode-emoji" title=":chart_increasing:">📈</span><BR /><BR />𝐇𝐨𝐰 𝐭𝐡𝐞 𝐅𝐮𝐬𝐢𝐨𝐧 𝐔𝐧𝐟𝐨𝐥𝐝𝐬:<BR />1. 𝐈𝐧𝐭𝐞𝐥𝐥𝐢𝐠𝐞𝐧𝐭 𝐃𝐚𝐭𝐚 𝐀𝐧𝐚𝐥𝐲𝐬𝐢𝐬: Imaginative AI algorithms dissect vast datasets within SAP S/4HANA Cloud, identifying anomalies and potential risks.<BR />2. 𝐂𝐨𝐧𝐭𝐢𝐧𝐮𝐨𝐮𝐬 𝐋𝐞𝐚𝐫𝐧𝐢𝐧𝐠 𝐌𝐞𝐜𝐡𝐚𝐧𝐢𝐬𝐦: In this visionary scenario, AI continually learns from emerging patterns, adapting its risk assessment capabilities over time.<BR />3. 
𝐏𝐫𝐨𝐚𝐜𝐭𝐢𝐯𝐞 𝐑𝐢𝐬𝐤 𝐌𝐢𝐭𝐢𝐠𝐚𝐭𝐢𝐨𝐧: Hypothetically, SAP S/4HANA Cloud becomes a hub where AI not only identifies risks but actively suggests mitigation strategies, empowering businesses to navigate uncertainties seamlessly. <span class="lia-unicode-emoji" title=":counterclockwise_arrows_button:">🔄</span><span class="lia-unicode-emoji" title=":locked:">🔒</span><BR /><BR />𝐈𝐧 𝐂𝐥𝐨𝐬𝐢𝐧𝐠:<BR />In the world of ERP and AI convergence, this scenario is a call to dream beyond the known. It's about innovating not just for today but for the challenges that tomorrow might bring. 2023-12-01T09:46:21+01:00 https://community.sap.com/t5/financial-management-blogs-by-sap/enhance-your-sap-experience-with-sap-approved-grc-ac-experts-through-the/ba-p/13574468 Enhance your SAP experience with SAP approved GRC AC Experts through the Ask an Expert Peer channel 2023-12-04T15:55:49+01:00 neerajmanocha https://community.sap.com/t5/user/viewprofilepage/user-id/45911 &nbsp;<BR /> <H1 id="toc-hId-834873351">What is Ask an Expert Peer?</H1><BR /> <P style="text-align: left"><A href="https://support.sap.com/en/my-support/product-support/ask-expert-peer.html" target="_blank" rel="noopener noreferrer">Ask an Expert Peer</A> lets you <STRONG>collaborate</STRONG> on your technical, product-related questions through one-on-one interactions with a qualified and approved expert <STRONG>outside</STRONG> of SAP. This channel is best suited to delivering fast issue resolutions for your basic, non-business-critical questions and all <STRONG>low</STRONG> to <STRONG>medium</STRONG> priority cases.
Ask an Expert Peer is currently available for <STRONG>SAP SuccessFactors</STRONG> and <STRONG>SAP ERP, SAP S/4 HANA, Technology, GRC &amp; Finance</STRONG> solutions at no additional cost.</P><BR /> More information, including expanded product areas for Ask an Expert Peer, can be found in <A href="https://me.sap.com/notes/2998816" target="_blank" rel="noopener noreferrer">KBA 2998816</A>. More details are in this <A href="https://blogs.sap.com/2023/10/05/ask-an-expert-peer-is-now-live-in-the-get-support-application-in-sap-for-me/" target="_blank" rel="noopener noreferrer">blog</A>.<BR /> <BR /> &nbsp;<BR /> <H1 id="toc-hId-638359846">Which GRC Product Areas is the Ask an Expert Peer channel available for?</H1><BR /> This channel is available for <STRONG>SAP Access Control</STRONG> and <STRONG>SAP Access Control for SAP S/4HANA</STRONG>.<BR /> <BR /> Experts are available for all sub-product functions of Access Control.<BR /> <BR /> Product functions include:<BR /> <OL><BR /> <LI>Emergency Access Management</LI><BR /> <LI>Business Role Management</LI><BR /> <LI>Access Risk Analysis</LI><BR /> <LI>Access Request Management</LI><BR /> <LI>Analysis and Reports</LI><BR /> </OL><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Product_Function.png" /></P><BR /> &nbsp;<BR /> <H1 id="toc-hId-441846341">How to Access Ask an Expert Peer from SAP for Me</H1><BR /> <UL><BR /> <LI>Log on to <A href="https://me.sap.com/" target="_blank" rel="noopener noreferrer">SAP for Me</A> with a valid S-user ID.
Navigate to <STRONG>Services &amp; Support</STRONG> and select the <STRONG>Get Support</STRONG> app</LI><BR /> </UL><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/SAP4ME.png" /></P><BR /> &nbsp;<BR /> <UL><BR /> <LI>Provide all basic information about your issue: System, Product and Product Function.</LI><BR /> </UL><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Basic_info.png" /></P><BR /> &nbsp;<BR /> <UL><BR /> <LI>Based upon the Product selection (<STRONG>SAP Access Control</STRONG> / <STRONG>SAP Access Control for SAP S/4HANA</STRONG>), all available channels will be shown. Select the “Ask an Expert Peer” button to launch the experience.</LI><BR /> </UL><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/AaEP.png" /></P><BR /> <BR /> <UL><BR /> <LI>Provide details about your issue and submit your question. A qualified and approved expert outside of SAP will work with you to resolve your case through a chat window.</LI><BR /> </UL><BR /> <P style="overflow: hidden;margin-bottom: 0px"><IMG class="migrated-image" src="https://community.sap.com/legacyfs/online/storage/blog_attachments/2023/11/Submit_Question.png" /></P><BR /> <BR /> <UL><BR /> <LI>If the expert is unable to resolve your question or you are not satisfied with the answer, you have the option to easily switch to another channel and interact with SAP support by starting <STRONG>Schedule an Expert</STRONG> or by submitting a <STRONG>Case</STRONG>.
The conversation transcript from Ask an Expert Peer will be saved, so there will be no duplication of effort for you.</LI><BR /> </UL><BR /> <H3 style="text-align: center" id="toc-hId-306984769"><STRONG>Start using Ask an Expert Peer today for all your low to medium<BR /> priority incidents.</STRONG></H3><BR /> &nbsp; 2023-12-04T15:55:49+01:00 https://community.sap.com/t5/financial-management-blogs-by-sap/sap-financial-compliance-risk-and-assurance-management-covers-much-more/ba-p/13586622 SAP Financial Compliance / Risk and Assurance Management covers much more than Finance 2024-01-30T11:14:37.797000+01:00 neil_patrick https://community.sap.com/t5/user/viewprofilepage/user-id/330209 <P><FONT size="5"><STRONG>Reset your Perception!</STRONG></FONT></P><P>The first thing to say is that SAP Financial Compliance Management has changed its name to <FONT face="arial,helvetica,sans-serif"><FONT size="3">SAP Risk and Assurance Management (as of end of February 2024).</FONT><FONT size="3"> I'll use the new name in the rest of the blog.</FONT></FONT></P><P>But a new name isn’t going to be the thing that changes how the software can be used. That is determined by what the solution can do. This blog is aiming to reset your perception, and expectations, as to what RAM <EM>can already do</EM>.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="neil_patrick_0-1706608189388.jpeg" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/55760i0092D522F77F0171/image-size/medium?v=v2&amp;px=400" role="button" title="neil_patrick_0-1706608189388.jpeg" alt="neil_patrick_0-1706608189388.jpeg" /></span></P><P>RAM is now a strong generic internal controls solution.
I have to say it has grown by leaps and bounds since it was first released to customers almost 3 years ago. I bring this up because:</P><UL><LI>With the rise in importance of the office of the CFO to business performance, but also to business advice and stakeholder management, finance is a very important topic for any business. It spans operations, planning and forecasting. It covers core finance but also, for example, IT and digital transformation.</LI><LI>While launched with the name SAP <EM>Financial</EM> Compliance Management, it was actually the baseline content SAP provided that focused on financial processes. It’s not a software design constraint.</LI><LI>And while it was called SAP Financial <EM>Compliance</EM> Management, since December 2023 it can also perform simple risk management, and crucially, link documented control performance to enable stakeholders to produce a more accurate and complete risk assessment.</LI></UL><P>So the software itself is more generic. And if one applies other LOB content/use cases, the software can do more. Hence the new name SAP Risk and Assurance Management. I hope to make that clear in this blog.</P><P><FONT size="5"><STRONG>What RAM can do already</STRONG></FONT></P><P>One of the interesting but subtle points to note is that RAM covers both first line and/or second line controls in the same solution. And I know that as I typed the word control I was using it a bit loosely to also include what some people might call an exception report, rather than a control.</P><P>For example, RAM can already:</P><UL><LI>Run one of its baseline content automated procedures as a first line business check. For example, checking if journal entries have been posted in a previously closed fiscal period: this could impact how quickly month end / quarter end / annual accounts can be closed.
Or looking for blocked suppliers with open items: this could reduce production and/or revenue, or negatively impact the supplier relationship.</LI><LI>Run one of S/4HANA’s control exception reports automatically and put it under a ‘governance process’ (assign an owner, raise issues if anything untoward is found, document remediation if required, make all this transparent for audit). This could be an exception report, or a control, or both!</LI><LI>Dive into the topic of tax compliance to help companies with their prefiling accuracy by automating tax compliance checks.</LI><LI>On top of this, also perform second line activities, for example test of effectiveness and test of design over the above examples.</LI><LI>Perform a survey / questionnaire / mixed format assessment.</LI><LI>Integrate automatically with Signavio Process Manager.</LI></UL><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="neil_patrick_1-1706608189438.png" style="width: 400px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/55762i6519F472C3C87BC8/image-size/medium?v=v2&amp;px=400" role="button" title="neil_patrick_1-1706608189438.png" alt="neil_patrick_1-1706608189438.png" /></span></P><P>&nbsp;</P><P><FONT size="5"><STRONG>What will be available soon</STRONG></FONT></P><P>We also have some exciting content updates, to further reinforce the additional breadth of RAM:</P><UL><LI>There are 8 latent IT controls that SAP produced, deployed in S/4HANA, that RAM can make use of. They focus on S/4HANA user management (e.g. detecting users that never logged in, and detecting expired and locked users that should be deleted). We will formally roll them into RAM baseline content as part of the S/4HANA 2408 release, but they can already be used.</LI><LI>Next month, as part of our S/4HANA 2402 release, we will add ESG, human rights due diligence and Fraud use cases to our baseline content, to show what is possible.
We also plan to release a GDPR certification content pack.</LI><LI>Key to the RAM strategy is the ready-to-use content for S/4HANA. And our partners see this too. Across our energetic and innovative partner ecosystem there will soon (within weeks) be content covering ESG as a more comprehensive stand-alone topic, plus industry-specific content packs covering 12 industry verticals from Winterhawk. Turnkey have starter packs for RAM. There is a large library of tax compliance rules amongst the Big-4.</LI></UL><P>In terms of functional enhancements:</P><UL><LI>We will be adding an Asset object to RAM in the first half of 2024, thus extending the IT control (and risk) management capabilities. But of course this is a generic object that I expect can also be used for ESG-relevant assets, finance assets, data assets, and other physical assets (water and energy utilities, oil and gas, transportation etc.)</LI><LI>We will build an integration to SAP Document and Reporting Compliance during 2024.</LI><LI>We will build an integration to SAP Sustainability Control Tower during 2024.</LI><LI>We will add AI use cases.</LI></UL><P>&nbsp;</P><P><FONT size="5"><STRONG>Move up the Performance, Control, and Risk Maturity Curve</STRONG></FONT></P><P>There are obviously financial and rollout benefits to being able to cover more LOB use cases in a single solution.</P><P>But I also want to highlight what this can enable for the ‘digital first’ customers - those who are transitioning to a posture where internal information, processes, and customer experience are digitised and virtualised.</P><P>To drive performance (financial, operational, non-financial, legal etc.) with intentionality, processes, risks and controls, if well managed, will enable the business to catch and prevent any downstream impact to the organization or an end customer.
Which is a true value add.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3 levels.jpg" style="width: 629px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/55796i14AA4F95262E40F7/image-dimensions/629x265?v=v2" width="629" height="265" role="button" title="3 levels.jpg" alt="3 levels.jpg" /></span></P><P>RAM can help the first line owning and managing risk via understanding and analysing the processes of the business, and ensuring adequate internal controls over [insert an LOB here] reporting. Supporting first line activities also helps the business grow and by nature is more forward-looking.</P><P>This is in addition to value protect activities such as compliance.</P><P>&nbsp;</P><P><FONT size="5"><STRONG>Summary</STRONG></FONT></P><P>With one single low TCO, short time to operationalize, easy to use public cloud solution RAM:</P><UL><LI>Can already technically cover finance, tax, IT, ESG, HRDD, fraud and data privacy</LI><LI>Will soon expand this to broad, and deep, content packs from our partner ecosystem</LI><LI>Can cover control and risk in the same solution, and automate controls</LI><LI>Provides transparency into the business</LI><LI>Helps the business improve performance, and provides real value add</LI></UL><P>That’s what I would consider a good return on investment.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="neil_patrick_3-1706608189479.png" style="width: 318px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/55763i4503836AFE44ADE0/image-dimensions/318x318?v=v2" width="318" height="318" role="button" title="neil_patrick_3-1706608189479.png" alt="neil_patrick_3-1706608189479.png" /></span></P><P>&nbsp;</P> 2024-01-30T11:14:37.797000+01:00 https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/join-the-innovation-journey-with-sap-enterprise-threat-detection-cloud/ba-p/13592486 Join the Innovation Journey with SAP Enterprise 
Threat Detection, cloud edition 2024-02-04T19:00:00.037000+01:00 Lingscheid https://community.sap.com/t5/user/viewprofilepage/user-id/38175 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="I522482_0-1706876930170.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/59265iA4A88683D5F2FC21/image-size/large?v=v2&amp;px=999" role="button" title="I522482_0-1706876930170.png" alt="I522482_0-1706876930170.png" /></span></P><P style=" text-align: center; ">Picture 1</P><P>&nbsp;</P><P>Embark on a journey of growth and innovation and secure customers' businesses now and tomorrow with SAP Enterprise Threat Detection, cloud edition.</P><P>At a time when threats are constantly evolving, SAP Enterprise Threat Detection, cloud edition is a robust solution. We are pleased to announce our expansion journey and officially invite like-minded partners. Be part of our journey of progressive growth and innovation and take advantage of this exciting opportunity. Let's secure the digital landscape together and foster an environment that is not only secure but also conducive to innovation.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="287567_GettyImages-1194852020_medium_jpg.jpg" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/59183i1439DC43B6C4E514/image-size/large?v=v2&amp;px=999" role="button" title="287567_GettyImages-1194852020_medium_jpg.jpg" alt="287567_GettyImages-1194852020_medium_jpg.jpg" /></span></P><P>&nbsp;</P><P> </P><P style=" text-align: center; ">Picture 2</P><H2 id="toc-hId-965743590">&nbsp;</H2><H2 id="toc-hId-769230085">Current State of application security &amp; corporate compliance</H2><P>The need for robust cybersecurity measures has been amplified by our increasingly digital economy.
Statistics reveal that 81% of data breaches result from lost, stolen, or weak passwords, of which three-quarters are instigated by outsiders. Alarmingly, a quarter of these breaches are carried out from within the organizations, showing that cybersecurity threats do not solely exist externally but also pose a significant internal risk that demands attention.</P><H2 id="toc-hId-572716580">&nbsp;</H2><H2 id="toc-hId-376203075">Increasing Importance of Cybersecurity</H2><P>Organizations now readily recognize the relevance of their cybersecurity posture, with 64% rating it as either important or very important. These businesses understand the integral link between a robust cybersecurity framework and a reduced risk of data breaches for all involved - employees, customers, and partners. As many as 65% of organizations acknowledge this correlation in our intensively digitized business world, where data security is of paramount significance.</P><H2 id="toc-hId-179689570">&nbsp;</H2><H2 id="toc-hId--16823935">The Talent Gap</H2><P>However, a considerable challenge remains - the acute scarcity of security talent in the industry. A staggering 87% of organizations are struggling with a shortage of cybersecurity specialists. As a result, the number of global cybersecurity job vacancies has increased by 350%, from 1 million in 2013 to an anticipated 3.5 million in 2021. With the increasing proliferation, sophistication, and scale of cybercrime, this glaring lack of qualified talent creates a significant hurdle for businesses globally.</P><H2 id="toc-hId--213337440">&nbsp;</H2><H2 id="toc-hId--409850945">Cost of Cybercrime</H2><P>From a broader perspective, the extraction of an alarming $6 trillion annually from the global economy by cybercrime reinforces the severity and urgency of reinforcing cybersecurity measures.
It is worrying to find that only 38% of organizations can proactively spot risks before they develop into serious threats.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture1.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/59161i4BB9B02FB95DDDF3/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span></P><P>&nbsp;</P><P style=" text-align: center; ">Picture 3</P><H2 id="toc-hId--606364450">&nbsp;</H2><H2 id="toc-hId--802877955">Cybersecurity as a Business Risk</H2><P>Cybersecurity, once considered a specialized branch and an IT domain challenge, has escalated to command serious attention at executive levels within organizations. Recent data show that a substantial 88% of board members view cybersecurity as a critical business risk, marking a significant shift from 2016 figures - when only 58% shared the same view. This shift signifies a growing seriousness about cyber threats and their potential to impact businesses at large.</P><H2 id="toc-hId--652137103">&nbsp;</H2><H2 id="toc-hId--848650608">Security and Compliance</H2><P>Importantly, it must be noted that organizations cannot be compliant without establishing thorough security measures. Compliance with industry standards and regulatory requirements, while providing a guide, cannot alone ensure security. It is insufficient to just adhere to compliance checklists. The rising surge in cybersecurity threats calls for more elaborate and dynamic security protocols, which go well beyond basic compliance frameworks.</P><H2 id="toc-hId--1045164113">&nbsp;</H2><H2 id="toc-hId--1241677618">The Impact of Security Inadequacies</H2><P>Failures in the security domain can render organizations susceptible to cyber-attacks, breaches, and violations, inevitably affecting compliance outcomes.
These cyber risks disrupt business processes, putting at risk confidential and sensitive information and thus impacting overall compliance with industry standards. Hence, it is fundamental for an organization to incorporate security measures not merely for compliance, but to safeguard vital assets, secure data, uphold reputation and provide assurance to stakeholders.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="I522482_0-1706870023644.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/59172i95C816A7B4B1902D/image-size/large?v=v2&amp;px=999" role="button" title="I522482_0-1706870023644.png" alt="I522482_0-1706870023644.png" /></span></P><P>&nbsp;</P><P style=" text-align: center; ">Picture 4</P><H2 id="toc-hId--1438191123">&nbsp;</H2><H2 id="toc-hId--1634704628">Embedding Security into Organizational Fabric</H2><P>Therefore, if compliance is the goal, weaving security into the very fabric of an organization is essential. This necessitates transforming approaches to view cybersecurity as an inherent part of the business strategy, thus amplifying overall compliance and resilience to cybersecurity threats.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="I522482_0-1706869392485.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/59163i0B38AE7785F7F2C9/image-size/large?v=v2&amp;px=999" role="button" title="I522482_0-1706869392485.png" alt="I522482_0-1706869392485.png" /></span></P><P>&nbsp;</P><P style=" text-align: center; ">Picture 5</P><P> </P><H2 id="toc-hId--1831218133">Benefits of leveraging SAP Enterprise Threat Detection</H2><P>SAP Enterprise Threat Detection (ETD), cloud edition, is a cutting-edge SAP Business Technology Platform Software-as-a-Service (SaaS) solution. 
Moreover, it incorporates managed services from SAP or one of our specialized partners, dedicated to identifying, analyzing, and reporting malicious activities in your SAP applications before they can inflict serious damage.</P><P>Along with presenting a detailed audit trail of all activity and detecting anomalies, ETD provides best-practice advice for monitoring SAP applications. It also aids companies in complying with onerous regulatory requirements such as those outlined in the EU's NIS2 directive, the RCE, KRITIS, General Data Protection Regulation (GDPR), as well as various local security laws.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Picture3.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/59165iA5C93228E53DC468/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Picture3.png" /></span></P><P>&nbsp;</P><P style=" text-align: center; ">Picture 6</P><H2 id="toc-hId--2027731638">&nbsp;</H2><H2 id="toc-hId-2070722153">The Power of Partnership</H2><P>As we, at SAP, expand our product and service horizons, we're inviting partners to join us on our journey of growth and innovation. We fervently believe that by synergizing our individual proficiencies and skills, we can significantly advance the way we serve our clients and deliver unparalleled value, not just to our direct customers, but to partners' customers as well.</P><P>By partnering with SAP, you as a partner receive multiple strategic benefits. To start with, you can take advantage of our advanced cybersecurity solution, which will instantly enable you to augment your service propositions and boost client confidence. <SPAN>With this service, your customers will benefit profoundly as it offers more than just data protection. It equips them with strengthened security measures, significantly reducing their exposure to potential breaches. 
Plus, it delivers an invaluable sense of tranquility, knowing that their data is safeguarded. This secure atmosphere fosters trust and confidence, allowing your customers to focus on growing their businesses, rather than worrying about data security. Moreover, it elevates their experience with your partnership, reinforcing your reputation as a reliable, secure provider.</SPAN></P><P>On top of this, leveraging SAP's extensive global network, you can amplify your reach in the market, acquire access to untapped industry sectors and widen your customer base. The sheer magnitude of our network ensures that associating with us instantly lends an additional layer of trust and reassurance to your customers, thereby bolstering their already existing confidence in your services.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="I522482_0-1706869883422.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/59169iB485FFAC0CBF0532/image-size/large?v=v2&amp;px=999" role="button" title="I522482_0-1706869883422.png" alt="I522482_0-1706869883422.png" /></span></P><P>&nbsp;</P><P style=" text-align: center; ">Picture 7</P><H2 id="toc-hId-1874208648">&nbsp;</H2><H2 id="toc-hId-1845878834">Exploring New Opportunities</H2><P>But that's not all! Your engagement with SAP Enterprise Threat Detection, cloud edition equips you with the resources to create unique security services and solution offerings tailor-made to address your customers' requirements and objectives. This could take the form of customized managed security services, expert compliance and security consulting, or portfolio optimization. 
It opens up the gateway to innovative security opportunities, empowering you to stay ahead of the competition and offer forward-looking, cutting-edge solutions to your customers.</P><P>&nbsp;</P><H2 id="toc-hId-1649365329">Getting in Touch &amp; Moving Forward</H2><P>To explore potential collaboration, receive more information, or simply discuss synergies, feel free to reach out to <A href="mailto:tobias.keller@sap.com" target="_self" rel="nofollow noopener noreferrer">Tobias Keller</A> or <A href="mailto:a.lingscheid@sap.com" target="_self" rel="nofollow noopener noreferrer">Arndt Lingscheid</A>.</P><P>Our doors (and inboxes) are always open to engaging discussions on combating cybersecurity threats together.</P><P>Explore our <A href="https://partneredge-prod-author.wcms-prod.c.eu-de-2.cloud.sap/content/partnerexp/en/products/etd/about.html" target="_self" rel="nofollow noopener noreferrer">SAP Enterprise&nbsp;Threat Detection Partner Portal</A> to delve deeper into our product and partnership framework.</P><P>We, at SAP, wholeheartedly invite all entities that are serious in their quest to enhance their cybersecurity strategies. Together, we can augment our defenses against the incessant tide of cyber threats and build a safer, resilient digital economy. Let's rise to the challenge, together.</P><P><A href="https://pages.community.sap.com/topics/enterprise-threat-detection" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection | SAP Community</A></P> 2024-02-04T19:00:00.037000+01:00 https://community.sap.com/t5/technology-blogs-by-members/grc-risk-management-series-risk-analysis-profile/ba-p/13657284 GRC Risk Management Series: Risk Analysis profile 2024-04-07T18:00:00.031000+02:00 plaban_sahoo6 https://community.sap.com/t5/user/viewprofilepage/user-id/245157 <P>This article provides a conceptual overview of Risk Analysis measurement through the 'Analysis' and 'Response' calculations. 
A prerequisite for this article is a basic understanding of the building blocks of Risk Management, such as Probability, Speed of Onset, Impact, etc.</P><P>We will begin by determining the 'Analysis' and then proceed to the 'Response'.</P><P><U>Calculation of 'Analysis'</U></P><P>Risk Management in GRC is based on a hierarchical model, where Risks are associated with Activities. An Activity can be thought of as an assignment which an organization undertakes, e.g. data processing for EU countries. Activities are grouped into categories, let's say 'EU projects'.</P><P>Each Activity Category is assigned a Risk Category. A Risk Category is created under the work center Master Data &gt; Risk and Responses &gt; Risk Catalog. A Risk Category requires an 'Analysis Profile' to be assigned to it.</P><P>So, let us begin the calculation by understanding the basic unit, the Analysis Profile.</P><P>An Analysis Profile is defined in SPRO &gt; Governance Risk and Compliance &gt; Risk Management &gt; Risk and Opportunity Analysis. The important governing factors for an Analysis Profile are Probability and Impact.</P><P>These two factors can be of the type Qualitative, Quantitative, Scoring, Three-point analysis, etc. Here we will consider Quantitative and Three-point analysis for determining the Risk level.</P><P><U>Three-point Analysis</U>: This approach considers customizable percentages for three scenarios: Min., Average and Max.</P><P><U>Example</U>: In the case of a financial loss, percentage definitions such as 25, 50 and 25, respectively, for the above three scenarios will determine the Total Loss.</P><P><U>Calculation of 'Response'</U>: A Response is an action taken against a Risk and is of one of the types Mitigate, Accept, Transfer, etc. 
The amount of loss mitigated through this Response is subtracted from the Total Loss (calculated through 'Analysis'), resulting in the Residual Loss.</P><P>The amount (in currency) mitigated is defined under 'Mitigation' in the Response tab (for the Risk). '<STRONG>Completeness</STRONG>' and '<STRONG>Effectiveness</STRONG>' are two other factors which determine the Residual Loss. Therefore, there are two types of Residual Loss: one is the present Residual Loss; the other is the loss when the Response is fully completed, and is therefore termed the Planned Residual Loss.</P><P><U>Example</U>: A Response defined with a Completeness of 50% will consider half of the monetary amount entered under Response/Mitigation for the present Residual Loss, while the Planned Residual Loss assumes completion at 100% and therefore considers the entire amount defined under Mitigation.</P><P>'Effectiveness' also determines the Residual Loss: 'Very Effective' considers the entire monetary amount defined in Mitigation, while 'Effective' considers 50% of the amount.</P><P>The figure below shows the calculation of Analysis and Mitigation, resulting in the net Residual Loss and the Planned Residual Loss.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Completness- 50, Effectivenss -VeryEffective.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/91932i6B75617D07BF308A/image-size/large?v=v2&amp;px=999" role="button" title="Completness- 50, Effectivenss -VeryEffective.png" alt="Completness- 50, Effectivenss -VeryEffective.png" /></span></P><P>There can be other scenarios, such as one where the probability reduction is 10% when Mitigation is applied.&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Completness- 50, Effectivenss -VeryEffective Probabilty reduction 10.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/92281i1F081F487FCB56E1/image-size/large?v=v2&amp;px=999" role="button" title="Completness- 50, Effectivenss -VeryEffective Probabilty reduction 10.png" alt="Completness- 50, Effectivenss -VeryEffective Probabilty reduction 10.png" /></span></P><P>&nbsp;</P><P>The above provides a basic understanding of Risk Measurement. The other elements of Risk Management will be covered in separate articles.</P><P>Please share your comments and suggestions.</P><P>&nbsp;</P> 2024-04-07T18:00:00.031000+02:00 https://community.sap.com/t5/enterprise-resource-planning-blogs-by-sap/influence-the-development-of-sap-enterprise-threat-detection-cloud-edition/ba-p/13687244 INFLUENCE THE DEVELOPMENT OF SAP ENTERPRISE THREAT DETECTION, CLOUD EDITION 2024-05-03T06:40:10.948000+02:00 KirtiSingh01 https://community.sap.com/t5/user/viewprofilepage/user-id/1447958 <P>Introducing the influence page for SAP Enterprise Threat Detection, cloud edition.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KirtiSingh01_2-1714475829296.png" style="width: 999px;"><img src="https://community.sap.com/t5/image/serverpage/image-id/103858i767BFD6748C29B56/image-size/large?v=v2&amp;px=999" role="button" title="KirtiSingh01_2-1714475829296.png" alt="KirtiSingh01_2-1714475829296.png" /></span></P><P>The SAP Enterprise Threat Detection product team is inviting customers and partners to share their feedback and ideas to enhance our solution.</P><P>On the <A href="https://influence.sap.com/sap/ino/#/campaign/3606" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection, cloud edition Influence page</A> you can see all submitted requests, submit your own improvement requests, and vote and comment on other ideas.</P><P>The rationale and advantages of a customer influence page include:</P><UL><LI>Augmenting customer engagement and influence on product features.</LI><LI>Improving products and services using meaningful customer 
insights.</LI><LI>Cultivating an engaged community.</LI><LI>Serving as a central platform for customer suggestions and fueling innovation.</LI></UL><P>The product team regularly evaluates the ideas and considers them for roadmap planning. Votes help to prioritize ideas along with other important selection criteria such as:</P><UL><LI><STRONG>DESIRABILITY</STRONG>: How many customers voted for this? How many customers will benefit from it?</LI><LI><STRONG>VIABILITY</STRONG>: Is this Improvement Request globally relevant? Is it in alignment with SAP’s strategy for the product?</LI><LI><STRONG>FEASIBILITY</STRONG>: Is the development effort realistic? Is this request achievable within the product’s architecture?</LI></UL><P>While this page is mainly for the public cloud edition, for the private cloud and on-premise versions feel free to propose integration-related ideas.</P><P><STRONG>Follow the steps below to get access</STRONG>&nbsp;and start sharing your enhancement ideas:</P><UL><LI><STRONG>Go to</STRONG>&nbsp;the <A href="https://influence.sap.com/sap/ino/#/campaign/3606" target="_blank" rel="noopener noreferrer">SAP Enterprise Threat Detection, cloud edition Influence page</A>.<UL class="lia-list-style-type-circle"><LI>If you are a new user, create a user account using your S-User ID and accept the Terms of Use. Once the user is created, you activate SSO and can access the page without interruption.</LI></UL></LI></UL><UL><LI><STRONG>Follow&nbsp;</STRONG>the session to get notified of new Improvement Requests and blogs.</LI><LI><STRONG>Vote</STRONG>&nbsp;and&nbsp;<STRONG>comment</STRONG>&nbsp;on Improvement Requests posted by other customers and partners.</LI><LI><STRONG>Submit</STRONG>&nbsp;new Improvement Requests.</LI></UL><P>You can also check out the videos and links below if you wish to learn more about SAP Continuous Influence and how to submit and manage improvement requests:</P><UL><LI><A href="https://www.sap.com/assetdetail/2019/06/145793d7-517d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">How to get started and navigate on the Customer Influence Site</A></LI><LI><A href="https://www.sap.com/assetdetail/2018/11/08f0cc5e-277d-0010-87a3-c30de2ffd8ff.html" target="_blank" rel="noopener noreferrer">How to submit an improvement request</A></LI><LI><A href="https://www.sap.com/about/customer-involvement/influence-adopt.influence-opportunities.html#join-customer-influence" target="_blank" rel="noopener noreferrer">SAP Customer Influence and Adoption main info page</A></LI></UL><P>Please reach us at <A href="mailto:SAP-ETD@sap.com" target="_blank" rel="noopener nofollow noreferrer">SAP-ETD@sap.com</A> in case of any issue.</P><P>We look forward to seeing your ideas and to further improving our software as we move forward.</P> 2024-05-03T06:40:10.948000+02:00