Why Risk Management should be at the heart of any ERP implementation.
ERP systems are complex and, unfortunately, organizations are too quick to overlook risk management as part of an ERP project. Where GRC is concerned, there is a tendency to believe that it’s not a necessity…until it’s too late! Embedding controls as part of an ERP implementation is critical for success.
Many organizations fail to understand the benefits of embedding access controls in ERP implementations and push back on implementing risk management at the beginning of ERP projects and upgrades. In our experience, this is mainly due to a lack of internal resources, knowledge, expertise and budget.
Embedding controls in the ERP implementation project gives organizations a robust, effective role design that mitigates security risks and avoids red flags from auditors later in the project, which lead to increased costs and hours of re-work. We have seen, in some cases, this cost hundreds of thousands of dollars. GRC not only drives business value and growth and creates operational benefits, but also maximizes business performance.
A lack of GRC in an implementation project can lead to financial loss, brand damage, non-compliance, and even financial misstatements.
A no-brainer, right?
There is a common misconception that Risk Management is costly and complex to deploy, integrate and maintain. There are many solutions, including SafePaaS, that provide an integrated and comprehensive view of risk with proven ROI, that do not take an army of consultants to deploy, do not cost millions of dollars and do not cost hundreds of thousands of dollars to maintain.
Here we help you understand how embedding access controls and controls upfront is a game changer for success.
By embedding a solution like SafePaaS upfront in an implementation project, organizations can:
- Design a robust, effective security role design with automated mitigating controls
- Mitigate access risk in the implementation project by giving access to the right people at the right time
- Control privileged access
- Be compliant at go-live and avoid costly re-work
- Design effective Segregation of Duties controls for risk mitigation
When implementing or upgrading an ERP, companies have an opportunity to design Governance, Risk and Compliance controls into the business processes, thereby eliminating overlap and duplication to create a more agile and cost-effective structure.
A Retrofit Approach
- The control environment is assessed and corrected after the production system is live.
- Less impact to the project team and project timeline
- Less up-front effort
- Review can be performed against some history (i.e., has the risk area manifested?)
Design-In Approach
- Risk management is integrated throughout the implementation.
- Design decisions are augmented with real-time controls input, controls are verified with a specific focus in testing and training, and confirmed with post go-live reviews.
- Provides most effective control baseline
- Minimizes project team re-work
- Long-term cost is lower
- Leverages implementation momentum to make control improvements
One of the challenges during an ERP implementation/upgrade is to ensure Segregation of Duties controls are enforced. Advanced policy-based access controls can be deployed to analyse segregation of duties violations, remediate issues in a timely manner and simulate the security model before go-live.
Benefits:
- Design and Test Security Model before deployment
- Ensure that users with segregation of duties waivers have compensating controls
- Simulate Security Design in Access Controls
- Eliminate false-positives
- Improve Security effectiveness
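To make the segregation of duties simulation described above concrete, here is an added example (not SafePaaS code or any vendor's implementation) that runs a planned role design against conflict rules before go-live and checks that every waiver names a compensating control. The rules, roles, users and waivers are all constructed for illustration.

```python
# Constructed sample data: every rule, role, user and waiver is hypothetical.
SOD_RULES = {
    frozenset({"create_supplier", "pay_invoice"}): "Fictitious vendor payment",
    frozenset({"enter_journal", "post_journal"}): "Unreviewed ledger posting",
}
ROLES = {
    "AP_CLERK": {"enter_invoice", "pay_invoice"},
    "VENDOR_ADMIN": {"create_supplier"},
    "GL_SUPER": {"enter_journal", "post_journal"},
}
ASSIGNMENTS = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "VENDOR_ADMIN"],
    "carol": ["GL_SUPER"],
    "dave": ["AP_CLERK", "VENDOR_ADMIN"],
}
# (user, risk) -> compensating control, or None when the waiver has none.
WAIVERS = {
    ("bob", "Fictitious vendor payment"): "monthly payment review",
    ("carol", "Unreviewed ledger posting"): None,
}

def conflicts(privileges):
    """Risks whose full set of conflicting duties is held at once."""
    return sorted(risk for duties, risk in SOD_RULES.items() if duties <= privileges)

def role_conflicts():
    """Roles that breach a rule on their own: a design defect, not a user issue."""
    return {role: found for role, privs in ROLES.items() if (found := conflicts(privs))}

def simulate():
    """Evaluate each user's combined privileges across all assigned roles."""
    findings = []
    for user, roles in sorted(ASSIGNMENTS.items()):
        privileges = set().union(*(ROLES[r] for r in roles))
        for risk in conflicts(privileges):
            if (user, risk) not in WAIVERS:
                status = "VIOLATION"
            elif WAIVERS[(user, risk)]:
                status = "WAIVED"
            else:
                status = "WAIVER_WITHOUT_CONTROL"
            findings.append((user, risk, status))
    return findings

if __name__ == "__main__":
    print("Role design defects:", role_conflicts())
    for finding in simulate():
        print(*finding, sep=" | ")
```

Separating role-level defects from user-level combinations shows whether remediation belongs in the role design or in the assignments.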
Configuration Controls and Monitoring
Organizations struggle to upgrade transactional systems with fewer resources or reduce deployment time.
Configuration controls and continuous monitoring can be deployed to reduce the project time-line while also reducing project risk by continuously monitoring for changes.
Benefits include:
- Automates the creation of system set-up documentation
- Automatically keeps set-up information accurate and up-to-date
- Quickly compare between instances or between organizations for trouble-shooting and to confirm consistency
- Ensures that instances and organizations are set-up correctly and remain consistent
Organizations are also challenged with ensuring the policies and procedures are enforced. In this case, preventative controls can be deployed that have capabilities to enable real-time policy enforcement, while also reducing risk related to time-line challenges.
Key Benefits include:
- Real-time enforcement of new business policies within the ERP.
- Rules can be created and deployed very rapidly without writing code or building customizations.
- Ensure that end users are not able to issue orders, quotes or invoices against the wrong legal entity.
- Improve business process efficiency.
- Eliminate opportunities for fraud, error and negligence.
Finding a risk management solution that not only provides agile, flexible capabilities but also provides real outcomes for customers is what brings success. Implementing a solution such as SafePaaS, which delivers not only robust, effective solutions but also a dedicated services team that accompanies you throughout your journey, is key to mitigating risk.