The importance of risk management in ERP implementations

ERP systems are complex and unfortunately, organizations are too quick to overlook risk management as part of an ERP project. Where GRC is concerned, there is a tendency to believe that it’s not a necessity…until it’s too late! Embedding controls as part of an ERP implementation is critical for success. 

Many organizations fail to understand the benefits of embedding access controls in ERP implementations and push back on implementing risk management at the beginning of ERP projects and upgrades.  In our experience, this is mainly due to a lack of internal resources, knowledge, expertise and budget.  

Embedding controls in the ERP project implementation allows organizations a robust effective role design that mitigates security risks and avoids red flags from auditors later on in the project leading to increased costs and hours of re-work. We have seen, in some cases, this cost hundreds of thousands of dollars. GRC not only drives business value, growth and creates operational benefits but maximizes business performance.
 
A lack of GRC in an implementation project, can lead to financial loss, brand damage, non-compliance, and even financial misstatements.

 
No brainer right?
 
There is a common misconception that Risk Management is costly and complex to deploy, integrate and maintain. There are many solutions, including SafePaaS that provide an integrated and comprehensive view of risk with proven ROI that does not take an army of consultants to deploy, does not cost millions of dollars and does not cost hundreds of thousands of dollars to maintain. 

Here we help you understand how embedding access controls and controls upfront are a game changer for success. 

By embedding a solution like SafePaaS upfront in an implementation project, organizations can:

Design a robust, effective security role design with automated mitigating controls

Mitigate access risk in implementation project by giving access to the right people at the right time

Control privileged access

Be compliant at go-live and avoid costly re-work

Design effective Segregation of Duties controls for risk mitigation

When implementing an ERP, upgrade, companies have an opportunity to design Governance, Risk and Compliance controls into the business processes, therefore, eliminating overlap and duplication to create a more agile and cost effective structure.  

A Retrofit Approach

The control environment is assessed and corrected after the production system is live.
 
Less impact to the project team and project timeline

Less up-front effort

Review can be performed against some history (i.e., has the risk area manifested?)

Design-In Approach

Risk management is integrated throughout the implementation. 

Design decisions are augmented with real-time controls input, controls are verified with a specific focus in testing and training, and confirmed with post go-live reviews.
 
Provides most effective control baseline

Minimizes project team re-work

Long-term cost is lower

Leverages implementation momentum to make control improvements

One of the challenges during an ERP implementation/ upgrade is to ensure Segregation of Duty controls are enforced. Advanced policy-based access controls can be deployed to analyse segregation of duties violations, remediate issues in a timely manner and simulate the security model before go-live.

Benefits:

Design and Test Security Model before deployment

Ensure that users with segregation of duties waivers have compensating controls

Simulate Security Design in Access Controls

 
Eliminate false-positives

Improve Security effectiveness

 
Configuration Controls and Monitoring

Organizations struggle to upgrade transactional systems with fewer resources or reduce deployment time.

Configuration controls and continuous monitoring can be deployed to reduce the project time-line while also reducing project risk by continuously monitoring for changes.

Benefits include:

Automates the creation of system set-up documentation

Automatically keeps set-up information accurate and up-to-date

Quickly compare between instances or between organizations for trouble-shooting and to confirm consistency

Ensures that instances and organizations are set-up correctly and remain consistent

Organizations are also challenged with ensuring the policies and procedures are enforced. In this case, preventative controls can be deployed that have capabilities to enable real-time policy enforcement, while also reducing risk related to time-line challenges.

Key Benefits include:

Real-time enforcement of new business policies within the ERP.

Rules can be created and deployed very rapidly without writing code or building customizations.

Ensure that end users are not able to issue orders, quotes or invoices against the wrong legal entity.
Improve business process efficiency.

Eliminate opportunities for fraud, error and negligence.

Finding a risk management solution that not only provides agile, flexible capabilities but provides real outcomes for customers is what brings success. Implementing a solution such as SafePaaS, that not only delivers robust, effective solutions but a dedicated services ream that accompanies throughout your journey is key to mitigating risk.