Five questions that will help tighten your SAP governance
SAP is the platform that most European shared services centres operate from. According to The Hackett Group, 64% of the 198 multinationals recently it interviewed run off SAP. Because of its European roots, and its appreciation of different currencies, VAT requirements and languages, SAP is the favoured child among the finance shared services heavy weights. But that doesn’t mean the system is perfect.
Last month I chaired the sharedserviceslink.com conference on ‘How to Successfully Blend Finance needs and SAP Functionality’ in London. The results of the pre-event survey suggest that although SAP users love the end-to-end integration (supporting their back office, anti-silo, end-to-end-processing aims), they struggle with the rigidity of the system and sometimes feel forced to tailor SAP. Delegates recognised that the technology was only as good as the data within it and the biggest influence over its cleanliness is the SAP user base.
Enter the importance of governance. If a company can manage how people use SAP to ensure excellent data presentation and availability, then that company would be using the system in the optimum way.
With the help of Nigel Kilpatrick, Senior Vice President at Nimbus Partners, I ran an interactive session on how to take control of your SAP user base to establish effective governance. It was a thought-provoking session that challenged delegates to scrutinise their own governance structures.
Here are the five areas we discussed to increase our understanding of compliance:
- How do you know if you have good governance? What mechanisms do you use that provide evidence of good governance?
A number of participants said they used GRC, the governance and compliance tool within SAP, to ensure that only approved, trained and compliant users have access to the areas they need. One company wasn’t sure which users had access to the SAP sales, finance and banking interfaces, which exposes it to fraudulent activity and massive risk.
- Do you know how large your actual risk is today?
Nigel says that if you have 20,000 users, you have 20,000 risks. He pointed out that when a company is taken to court for fraud, you don’t find a system in the dock, It’s a human who has fiddled the system, made an innocent error or is taking responsibility for the breach. The more users you have accessing the system, the greater your risk. Steps to consider:
- Evaluate whether all users need access to SAP
- Ensure those that do need access are trained in how to use it in the most compliant way
- Work out how you will manage, monitor and measure their usage.
- Can your company prove that it is following good processes? How many ways do you have to do the same thing?
Many organisations are working towards having one way of doing things so there is only a good process and a bad process. Ironically, the company that jumps to mind as an example of good practice is Oracle shared services. If you have one good process and all deviations are bad, then better governance can be achieved.
- What is the depth and breadth of ownership? Who owns the governance in your company and what does this ownership mean?
There are many user types like employees, suppliers, partners, business process outsourcers. To achieve good governance you need to know what happens when someone makes a mistake and who is ultimately
- Does your definition of good governance chime with the organisation?
Behind your definition there should be a methodology that details what compliant user behaviour looks like, how and when it will be measured and reported, and how it will be contained.
It became clear from last month’s conference that SAP can be optimised as an enabling tool if users have access to the right parts of the system and use it compliantly rather than molest the data until it is inaccurate, toxic and untrustworthy. Getting the governance piece right from the start will pay massive dividends throughout your ERP’s lifecycle. As Nigel says, it pays to be a master of paranoia.
With thanks to Nigel Kilpatrick, Senior Vice President, Nimbus Partners www.nimbuspartners.com