GRC Technology – still using Approva? Oracle GRC?

When and why upgrade GRC Technology

GRC software has reached 20 years of maturity. Many organizations purchased internal controls management tools in the early 2000s to streamline the internal controls testing and certification process based on a COSO framework to comply with Sarbanes-Oxley regulations such as SOX-302 and SOX-404. Remember Approva? LogicalApps? Versa? Oracle ICM? Advanced Application Controls Governor? Where are they now?

In 2022, organizations that have remained on outdated GRC software are unable to mitigate emerging risks, face operational inefficiencies and lose competitive advantages as a result of digital transformation including big data, hybrid work models, the Internet of Things (IoT), and cloud applications—all of which contribute to an expanding risk profile. These include cyber concerns, data exposure, and privacy issues.

Join GRC industry veterans Soumya Chakraverty, RiskPro Solutions and Adil Khan, SafePaaS as they discuss the when, why and how of upgrading GRC technology and what capabilities to consider in your new solution.


Emma: Good morning, everybody, afternoon, evening, wherever you may be in the world today, and welcome to today's session, “When and Why to Upgrade GRC Technology, what to look for in this solution.” So I'm Emma, for those of you who don't know me, and I'm delighted to be joined by Soumya Chakraverty and Adil Khan.

Before we start, just a few housekeeping items. The session will be recorded for reference. Hopefully, we'll get around to some Q and A at the end of the session, so feel free to post your questions in the control panel.

Before we dive in, I'll ask our speakers today to briefly introduce themselves and then we'll dive right into the topic, which is why you're all here today. So Soumya?

Soumya: Well, thank you and very delighted to join today's presentation, thanks to you and Adil for inviting me. I have a mixed background, mostly in risk management as a Jack of all trades, done a few things different times in my career, but these days I tend to focus more on enterprise and operational risk management and GRC. And I focused my career after spending some time in Big 4 consulting. And also, helping some big banks with risk management and compliance. Yeah, these days, I'm more focused on helping companies to kind of grow their GRC strategy and maturity, and kind of lead them on that transformational journey to implement better controls to enable risk management. But also to understand their technology needs as it comes to risk management. And frame those requirements into design solutions that really enable their maturity of their GRC journey, but when we talk about GRC, and we'll come to this later, it's more of a program and the discipline. But technology solutions play a big role, and that's where I come in. And help companies like SafePaaS really understand the client needs, and help make better outcomes for their success.

Adil: My background is in financial controls and technology controls. More recently I’ve been working on enterprise level GRC solutions for our clients. So my experience has been working with and learning from our customers, I've traveled around the world probably 300 be million miles or so on five continents and helped customers implement financial controls that help them satisfy some of the GRC requirements. That's the big focus of SafePaaS as it's in our name, so it's a platform for helping customers improve access controls. Soumya and I have traveled in similar professional circles and have kept up with each other and I thought it would be a good time for us to kind of look back and look ahead. Now that we've been in this industry for a couple of decades, and share with you some insight on what we have learned, and how we can help you improve your GRC strategy or financial controls, your access controls.

Emma: SafePaaS has sat in the offices of some of the most complex organizations around the world, helping them mitigate risk with advanced control solutions. We have over 5.7 million ERP users on our platform and have identified more than 445 million unique risk incidents, really making SafePaaS the most utilized Cloud Platform for detecting and controlling Access risk in Enterprise applications. We're laser focused on identity access governance, segregation of duties, user provisioning, access certification.

Soumya: I think about early 2019, and the focus was really kind of acting as the glue between the customers and technology solution providers in providing GRC implementation support. Also, where I see myself, is really forging the foundational framework on, which a lot of these GRC solutions are based, is in kind of improving the  maturity. And so the key elements based on which every GRC program is no established or and definitely technology is then becomes a good enabler. And these include things like helping develop frameworks for risk and control assessments. And one of the big things that are focused on affiliate is integration.

Integrated risk management, but really, what does that mean?

And kind of breaking it down into kind of the component elements and really looking closely at how technology supports its element of the integrated risk management framework. And that's where I look at things like continuous monitoring, which we're going to look at today, but also looking at some of the controls, optimization, process optimization, and then, last, but not the least, education of your customer, as well as your employee base, and in learning about risk and controls, because risk and controls is a discipline by itself, and not everybody's kind of familiar with it.

So making that change, making that leap forward, and even when you implement new systems, and it's not just about the how to use that technology, but also kind of learning that new mindset. that is IT. So that's where our team comes in, and really enables the optimized use of technology.

Emma: Today’s agenda will follow: What is GRC? There's a lot of confusion out there in the market. What do GRC systems actually do? We will go right back to when GRC technology first came about, Open Pages, Paisley, LogicalApps. Then what are the challenges that organizations face when they are still using outdated GRC technology, and what to look for in a replacement and then how SafePaaS can help.

Emma: What is GRC?

Soumya: As I was alluding to earlier, GRC is more like a program or a discipline. And I lifted this definition from Open Compliance and Ethics Group, which really has embraced the concept of GRC in the last couple of decades very well. GRC is an integrated collection of capabilities, and really the focus is on the word integrated, that allows organizations to reliably achieve its objectives. Again, that's that strategic goal in mind. And then mitigate risk, and stay compliant to staying compliant as an outcome. What we often see is companies actually start from the compliance bit, and then they go up to the strategic and which is fine, but I think having the broader outlook is really what GRC enables. Now, I would say a couple of years ago, I wrote a paper or an article on LinkedIn, and those who follow me can find that. And basically, that was around we hear these buzzwords GRC, Enterprise Risk Management, Integrated Risk Management. And, essentially, in my opinion, they all mean the same thing. It's, you cannot really achieve governance, risk, and compliance, or without an integrated approach, and to have that, you need that program framework of risk and compliance management.

And, really, technology should work in hand. And technology does play a big role. And that's what we're here to talk about today. So what are some of the key capabilities that you see is, like the standardization of risk and compliance management activities when you can put an Oracle GRC or SafePaaS or an Approva solution across different business elements. But if you have different frameworks for managing and monitoring your controls, then you're probably not using that technology very well. If you don't have any kind of communication and collaboration across your different business units, and how they manage their compliance management activities, you're gonna end up doubling your efforts, and spinning, spinning a lot of wheels around, and overhead with that in managing compliance. And basically, new learning to use that technology, and the most effective manner to not only just monitor your risks, but to enable compliance, reporting, and reporting on the state of compliance, using key metrics, etcetera, up to your top level management. So your senior management has the hazard assurance, and also the comfort around how well the company is meeting its compliance goals. Our, let's manage its operational risks. These are all key components of GRC, and we will see that GRC technology solutions actually help manage or have capabilities to manage all of that. So you're talking of things like compliance dashboards, you can have things like end to end issue management, you can have things like data visualization. But then, also, when we start talking about the tech notes on the tactical Solutions. Things like enabling SafePaaS and access management, or access governance. In fact, your own identity and access management strategy, and implementing that through not just detective monitoring controls, but also preventative controls that help kind of manage your strategy.

Adil: So, yeah, I, I just want to emphasize from a SafePaaS perspective what I see our customers demanding. It's an integrated approach. So if you're following, let's say, Sarbanes Oxley, there's a component of risk that you're managing by certifying the financial statements under SOX 302 and 404. On a quarterly annual basis, you're also looking at controls, like segregation of duties, that live near enterprise applications. You're certifying access on a periodic basis. But from a framework standpoint, I think that's where the strategy comes in right before, like, Soumya can come in and very quickly tell you where you may have alignment gaps. So what I hear as an outcome on the technology side is where people are burdened, where multiple audit requests are coming in about the same control. And that's a good symptom where we need to invite someone like Soumya to our customers and say, "guys, before we put technology, why don't you really align your initiatives across your strategy first." So look at how many times you have to certify a control. Maybe it's strict control frequencies once a quarter and maybe one control satisfies other mandates. So, for example, I'm seeing more recently cybersecurity controls that are based on NIST, where access privileges entitlements have to be reviewed, but that's also a SOX control, and that's also a GDPR control. So, we can help with our partners, like Soumya, strategize on how to align your activities against what the objectives are. And that's where I think the biggest value I see in our partners, where you can implement technology to get results. It's a pretty easy process. So I think it's an excellent opportunity for you, if you have not taken that journey. I would strongly recommend next opportunity you get to at least assess where you are, find the gaps and get a deliverable that'll help you align your technology with your strategy.

Emma: So how can we, how can we classify the solutions, then Soumya?

Soumya: Yeah, and the reason we had the previous slide and this slide is to show the audience the lay of the land when it comes to GRC Technology Solutions. Obviously we have a lot of niche solutions in the market and everybody's calling their solution GRC, which is probably right. But it's a little bit like the analogy of three blind men, try to describe an elephant by touching different parts of the elephant. So the world of GRC is very broad. And really, as I said in the previous slide, it enables that holistic compliance, mission, and operational risk management mission across different areas of the company. And if you're especially a global organization with multiple footprints in different geographies, different products, you are subjected to different compliance frameworks, as I've mentioned too. So, how do you enable that?

And this was a visual that I have used in the past, and I really like to use to describe GRC solutions. And this basically comprises of three tiers. What you will find there are these solutions that are more in the kind of the operational areas, and they do their niche activity. So, for example, Continuous Monitoring and Continuous Auditing, What does that mean? You know, it kind of things that we monitor for, like, you know, privileged access management and segregation of duties management, you know, even to the point of, know, preventative access controls and implementing your identity and access management strategy. You know, making sure when you're new companies, new employees come into the company, your employees leave the company, that their access is turned on and off in in accordance with your IAM policies or access management policies.

It's ensuring the controls that you have within your business processes or your access and systems. They are, you tested for design and operating effectiveness in an ongoing manner. And then, yeah, those results are actually reported in a meaningful manner, not only just for auditors, but also for senior management to understand the, kind of the state of the union when it relates to your risks and controls.

So, that's, and that's where a bulk of the universe, the SafePaaS, the Oracle GRC, Approva solutions are in that operational layer, and, in my opinion, that's a key capability, because, without that capability, it's going to be very hard to do auditing.

You'll be doing a lot of your controls testing through manual processes, which are, not only just inefficient, it's also, not sustainable, given the amount of systems and controls that companies have, and, to ensure that they are tested, they are run, they are executed in an ongoing, an efficient manner, and effective manner.

The next layer is what I call the tactical layer, and you could probably name it different ways, but why it's a tactical is it helps lay down the framework under which risk and controls are managed within the company. This is where you kind of enable a lot of the risk and controls, identification, and assessment processes, whether it be financial risk, the other operational risk, whether it'd be compliance, risk, fraud groups, whatever have you, and it's really this layer that is the glue, in my opinion. That make sure that there is integration that you spoke about, You know, you have different frameworks of compliance GDPR NIST, here, in the US.

You have Sarbanes Oxley, you have something else going on, you have ISO those frameworks in, all be integrated in the tactical layer, and you then align them to your risk and controls inventories. And so, this, this tactical layer has solutions, for example, we see IBM OpenPages or MetricStream or, you know, your RSA Archers that basically, provide that capability to align your Risk Control matrices, you, and with your risk mitigation and monitoring. And if you look at the downward arrow and bidirectional arrow. This is where the tactical should talk to your controls monitoring solutions and help kind of understand, Well, what is the state of the union with the controls? How well are you complying to do your, you know, GDPR or CPA or, you know, Sarbanes Oxley controls and feed that again up to the, to the layer at the top?

So again, this and this is the area where I spend a lot of time in enabling our partners, our clients with kind of rationalizing their controls and risks across different frameworks.

And then the topmost layer is what I call the strategic layer. This is kind of the Business Intelligence layer, but it's not just business intelligence. I mean, this is where you're enabling the organization alignment of your risk management activities with your mission, strategy, objectives, values. And in doing that  you rely on a lot of the integrated reporting and analytics to kind of collecting and collating all the data across the different organizational and functional units and visualizing it and presenting it to your senior level. Management. So that it's presented in what I call an informational way, not in a digital way, to collect the data and you make it into information, you can then, that really do some cool analytics on it. And run. what if scenarios? What if I turned on no administrative access for these amount of people? What if I decide to remove a compliance function? So, a lot of these things, management does look for information because obviously, there are costs associated with it. They're competing priorities, but this strategic layer is what helps management understand the status of risk and compliance within the organization and how things are being managed.

Adil: I just give you some examples to reinforce the point you've made. So, you know, we have a wide range of customers, 200 or some customers, and I have put a book together called the GRC Handbook for Oracle Applications, and that covers that for Oracle customers specifically, which is where I spend a lot of my time. So, at the strategic level, our customers have come to us and said, "we have to develop essentially a key risk indicator framework. We want to be able to do risk assessments at the strategic level every few years."

So, there's a company that specializes in one of the largest companies in and paint products around the world, and they use key risk indicators, which essentially, they brought in a firm to help them identify, and had workshop with senior management.

They identified what are the key risk indicators that are stopping us from the very definition of risk, is the ability for you to know the risks and or the obstacle and being able to achieve particular of strategic objectives. So this company came up with some ideas, like we have to make sure that we're maintaining our market share or growing that market share. We have to make sure we have access to financial lines of credit, so those are external factors that are internal factors that we focus mostly on. is how is your procure to pay cycle? What are the risks in your procure to pay cycle? So, the head of procurement went through this full cycle that they had, let's say, 10 strategic objectives. They came up with these macro risks at the strategic level, And the framed that in our application, which enables them to then monitor those. On a periodic basis,

We have customers on Wall Street that have a very different view of risk. This example, I just gave you more industrial organization. So, from a Wall Street standpoint, the risk goes about losses on their day trading, Trading losses, CTO losses, as you guys might remember from the 2008 crisis. So, those are the kinds of risks that a financial institution tracks to Soumya's points. It's very much a business industry-specific, business model industry-specific exercise and you really need that to be a facilitated exercise. Because, as Soumya said previously, it's not a domain that you normally find in house or information readily available. Unlike, let's say, some technical skill lead to write code or compile programs. The scale is hard to find. So, you need these experts to come in and help you provide the strategy then it can be mapped and solutions like SafePaaS as the second layer.

Tactical is where we have seen a lot of success and some failure also. So many of the organizations have adopted some sort of platform to document their risk and controls even do periodic updates, document updates, certifications. Some of the products that came to market in the early days of Sarbanes Oxley were more tactical because the strategy will outline, Hey, if you don't comply, you're going to jail. So, it was thoroughly started at the tactical level. We'll talk a little bit about our products in the next few minutes. But I want to tell you that there's a lot of countries, customers that have some solution. They may be using spreadsheets to manage their risk control matrix. They use to track everything. Some have built Access databases and they're using SharePoint. Others are more sophisticated. They're using products that we'll talk about in a minute. MetricStream and OpenPages. What we found in the market is those products were great at the tactical level to document the controls and even the status of manual controls. But where our customers are driving us to is to streamline and automate and integrate those controls. So that during this great resignation period and our labor costs are very high and hard to find, people are looking for SafePaaS to drive operational costs down and support this hybrid work model. So, the pressure from our market that we feel today, is that, OK, we have some, we have a strategy we're going to bring in someone to review that. We need operational components in place, tactical components in place and that drive to that operational components place, and that's where we're seeing a lot of automation around preventing and detecting risks within enterprise applications that are pervasive, whether they are the cloud or on premise.

So, yeah, those are some examples of just validating what I see from our customers to, to highlight the points that you made. Sorry. Yeah, and one other thing I would like to add, the very, very much valid points are though, is when we look at that technology space. What we're seeing is that there's no one size that fits all and there's no one single solution that you see spanning across all three capabilities. Some play well in the strategic play, this domain, some play well in the tactical domain. And then the real key component and we'll discuss about what to look for in a GRC solution, is the ability to kind of string them together into an integrated solution that really fits your company's needs. The word that comes to mind is alignment. I mean, if these two things are not aligned, then you have a disaster and you need people experts that have done it for many, many years to help you align this.

OK, well, let's go back to the beginnings, where did GRC start?

Soumya: Back in the days, when Sarbanes Oxley first came about, we saw the advent of some of these tactical solutions that Adil was talking about. And it really grew around the fact that there was need for management of some of these complexities that use acts.

Like Sarbanes Oxley plays that for the first time people had to document their financial risks and financial controls. And yes, they started with Excel or Access databases, but it quickly kind of spun out of control that they were non sustainable. So, you started to see the other solutions, like, you know, Paisley or ICM or OpenPages that started in domains. Paisley, for example, started as an audit solution, OpenPages started as a SOX solution, ICM I don't remember, but they were more of compliance integrated, compliance management, but as these things started to progress and by the time, the great financial crisis came by, and around 2007 or 8, we started seeing some of the challenges around as Adil was mentioning, like, keeping up the sustainability of, for example, manually control. Assessing effectiveness of controls became pretty cost effective and cost prohibitive. And then, also, you'll just be able to not only just have a risk and control matrix, but also being able to know and integrate across the domains of where solutions like Approva were developed to automate. So, the control testing and monitoring, with that tactical layer. So that's, that's how these things came by, and then there was a more of a need to present some of these up, the food chain, or the organization chain, to the senior management, and we started to see some of the development of strategic solutions, and as things progress, since then, I've seen that there has been no growth into other areas. For example, in the 2009/10 market, we saw a huge jump in IT risk management and IT compliance. Now, of course, cybersecurity is one of the culprits, and so cybersecurity risk management. You have frameworks and managing that itself is somebody's full-time job.
So you have solutions that basically cater to that need, and how that's how, like all of these solution providers have also started to provide those niche capabilities, taking some of this knowledge out of the standard frameworks, and operationalize it on their, their technology solutions. So the point is that as you start to think about the journey of these tools, and also some of the day, they're based on some of the needs, changing with a client, or customer basis, and how they are progressing.

In terms of their maturity, they, meaning the customers, also drives when and how some of these technology solutions come into play. And as I said earlier, sometimes clients are looking at multi solution approaches to meet different parts of their GRC. 

Adil: I think, when I look at this slide, it's, people that are new to GRC might not be able to appreciate the benefit of talking about this. I think if you are new to GRC or if you've been part of the GRC journey like us for a couple of decades. I think one message I would like to pass on is what is the market driving towards? So, the market is driving towards better controls, better compliance, better governance. Well, and it's coming from different directions. It's been mandated by the governments around the world. So, US. this trend when I started following and was, I was running a public company listed on Nasdaq and President Bush at the time in 2002 signed the Sarbanes Oxley Act and I was scared. I didn't want to sign the financial statements to the consequences of any mistakes. On the financial statements were that, It was a criminal penalty. This was the first time in US history that a criminal penalty was tied to financial statement risk in the past. Even in the crash in the 1920s, it was all about when SEC was first created, Securities and Exchange Commission, was first created in the US, was an outcome of 1920s. Financial, mismanagement, it never had criminal penalties so, it was pardon the word, paradigm shift in and managing financial controls, and what you saw was the reason this is helpful to talk about is that these trends just started getting bigger and bigger. So, it was an outcome Sarbanes Oxley was an outcome of failures are publicly listed companies like Enron here in Texas, as well as auditors that audit those companies like Arthur Andersen, they used to be big five for those of you that may not know that. We call it Big four, but Arthur Andersen disappeared, and number of my friends and so forth worked there, that colleagues and so forth. So, it was a big disaster. As a result of missing controls and financial controls over the financial statements.

So that was, where this journey starts. When we started tracking, and you had some players come to market successfully, like the ones the senator 2003. And then as we saw the housing crisis in the US, and it turned out to be a global crisis credit crisis where, you know, credit default swaps were being used to finance. Some really risky assets in the market, and you saw collapse of Salomon Brothers and number of investment banks in the US. And there was $1000 billion bailout. And so that created the need for not only documenting the risks and testing them manually, but really trying to automate more of them. So, demand for automated controls, started to pick up, and what we see there is these new players coming in, like Approva for example, that had the ability to go across different ERP systems. It could do SAP it could do Oracle. Also, the software vendors, like Oracle acquired LogicalApps, Versa was acquired by SAP, Software vendors, talk to your software vendor said, Oh, we need this because these control for our customers, or, they're not going to be able to rely on our financial statements coming out of our financial systems. So, they quickly went to the market, acquired these organizations. So, there's a number M&A occurred as a result of that, and so what you're seeing here is that the risk is continuously growing. The regulatory bodies are continuously putting new mandates and then you saw the crisis of, you know, Facebook, for example, where, you know, data protection became a huge issue after the, the elections in US. Where it was discovered that Facebook was selling a lot of their data to people that were misusing it. Right, so the European Union put together the GDPR, Data protection Act. What we're learning is what we're learning on this site as a vendor is that you cannot be enough vigilant enough, right.
You have to constantly be looking at the controls and in a way continuously monitoring them, making sure they're aligned with your objectives. And that's, that's what gets us out of bed every day here at SafePaaS because we don't think our job is done till we solve this multi trillion dollar problem. That exists in the marketplace today, which destroys people's livelihoods and businesses because either there's some nefarious players in the marketplace that we are linked together, you know, through this chain of business and commerce today, across the globe where they cause massive disruptions to the marketplace. So we're continuously working to get better. Hopefully in our lifetime, will achieve some of our goals, but journey has just started.

So this is, by two decades, sounds like a long time, but it's just a small, beginning, compared to overall financial markets that are 200 years old.

Emma: Why should somebody invest in GRC technology then? How can it help?

Soumya: Yeah, I think this is primarily what we're trying to present here. And really the question around when or why should you consider upgrading your technology for GRC. Really, you know, begs us to look for, what are you looking in, a GRC solution? So, some of the things that we see is around the concept of being well managed, and what is well managed mean. So, it's things like timely detection, timely remediation, timely escalation of critical problems, or issues. Um, yeah. Also, kind of ensure some organizational accountability. As Adil spoke about. The financial crises and how it became a criminal penalty for any kind of mismanagement.

The aim of those regulations was really to establish that accountability. And really, one of the challenges without having it formally documented somewhere is to establish that accountability. I don't know who manages this process. I don't know who's supposed to be the owner of this control. I don't know. Who's the owner of the systems? So, some of those definitions, auditors, myself having been one, when we used to go to, to look at organizations, it was a challenge to establish end point and say it like this, So, and so, John Smith. Gene, is this, the owner of this, you know, the control of the system. Lastly, but not the least, I talked about the capability for aggregation of risks and compliance across the company. It is very important to have that. So you present the consolidated view to regulators, to auditors and to your investors of the status of how well your internal controls are over financial reporting as well as the operational risk areas.

Obviously one of the things that we look at in a GRC technology solution, is the effectiveness. I mean you if you think about it very logically, what do you do manually can be improved several fold through in terms of effectiveness? When you use technology in the proper way, and where we start to see the benefits is around, you know, segregation of duties monitoring. I mean, some of these activities you probably can never do without automation. And also just enabling controls over identity and access management, making sure that every individual that works in your company has the right level of access there when they don't need, access should be granted on the least privileged basis. What does that mean when it comes to operationalizing it? How do you enable that? You know, Soumya gets access, on least privilege mechanisms. So, all of that is kind of enabled through the definition of certain parameters, we call here this term, called role based access control. So you'd have said these GRC technology solutions can help establish those parameters, based on which you can effectively, not only monitor, but also prevent the proliferation of access within your company. And then also standardizing some of the rule sets within, in terms of here configurable controls and, and so the solutions actually go into your ERP solutions and can enable those controls in your ERP solution, um, especially efficiency is a big part of technology solutions but it's not the be all and end all.

I mean, most people try and look at the GRC solution as an automated tool to just kind of reduce the headcount and, uh, the effort it takes to develop like a risk control matrix or a SoD matrix. But obviously, the efficiencies, not something that we can overlook, because some of these things are so resource intensive, that you know, trying to do this manually, as I said earlier, through spreadsheets or other tools is pretty much non sustainable. Back in the days when I was at KPMG, we had developed an actual, this tool that used to pull in some script data from, from your Oracle database, or ERP tables, and being able to produce results. But as things started to get more and more complex and, you know, Oracle's development of its own security started to mature, those tools, sustaining those tools became quickly, you know, non sustainable and went out of control. So, that's where the reliance on third party tools that really do this well and manage this well became important.

And then last but not the least, risk intelligence, being able to collect all the data and being able to perform that cross analysis of risks. Again, the organizational imperatives, that is a key factor. So if you look across the spectrum of well manage, the increasing the effectiveness, efficiency, and risk intelligence, you can start to see different capabilities that, you know, you can start to leverage. And we'll come to that in the next slide, when we talk about why you should consider, you know, upgrading your solution. Exactly. So in the interest of time, I'm going to skip over the risks of using outdated technology, and I have a great blog that I can send over to the audience today that talks about that.

Let's talk about, you know, what to look for in a solution. And how SafePaaS can help those organizations, you know, that was starting with GRC or upgrading or looking for, you know, all alternatives to legacy GRC technology. And this is a great topic, in my opinion, because, obviously, on one end of the spectrum, we still see companies that are struggling with some of the basic activities, especially the smaller organizations that don't have the budgets to invest in a SafePaaS or, or Approva, where they still have to perform, you know, the activities related to ensuring that their controls are operating effectively. That their access management is working effectively, that their segregation of duties, that are being managed.

Uh, but on the other hand, if you kind of cross across to the other, cut across to the other side, you'll see that companies are actually using some, what we call as emerging technologies, and it's things like using, and all-natural language processing, or artificial intelligence capabilities. Just to kinda mine through the data and provide that intelligence.

All about, you know, in your state of the union, in terms of your operational and financial risks, um, or using RPA solutions on top of your, you know, GRC technologies, solutions to automate.

So, the manual, repetitive activities, like controls testing, having workflow capabilities, end to end, to do not, only just have the collection of data within your technology, but also being able to talk to other solutions. That, as I've mentioned, that you may have a mix of different systems in play. And ensuring that you have the seamless data transfer.

In terms of co-ordinating notifying the relevant, you know, for example, if I have a controlled test, that is, I need to perform, and I'm late in providing the results. Notify that your testers do, or your issue needs to be closed by this time.

Those are all these capabilities that are driven through workflow in the solutions, and I can't emphasize how important it is to have these workflow capabilities.

A lot of, you know, places I would say, I've talked to technology vendors would say yes, we have it, but it's really the, it's a, it's an art versus science. So, they're workflow capabilities but it depends on how you define them because it could lead to an overabundance of e-mail notification or text message alerts. Or you don't get the right So, it's, it's an art in, in terms of how well you design the solutions but definitely to look for that, that capability.

Also, and I taught, touched a little bit about this, the extensibility of this solution. What do I mean? It's basically to adapt to different myths needs of the organization. So, you can have an out of the box solution that monitors against your Oracle, your ERP solution for risk and controls. What if you have a third party or a custom software? Does your solution enable monitoring over those, or can you quickly, you know, have an extensible adapter that goes into that solution and can perform the necessary controls monitoring. That's what I mean by extensibility and those things are coming into play as we start to operate in more hybrid environments of financial and operational systems.

Then last but not the least, being able to collate and aggregate data across multiple dimensions. And this means like organization units. You know, business processes. And then also your regulatory frameworks and your risk taxonomies. And then being able to enable that alignment. That's, that's really where I see a key capability of the GRC technology solutions to drive integrated risk and compliance management.

Emma: How can SafePaaS help?

My observations based on what Soumya said on the previous slide. So this is the SafePaaS approach. But I really want to emphasize the fact that this journey has started two decades ago, and some of the legacy products, they were very innovative, like Approva and Versa and these were some of the operational controls, monitoring products in the mid two thousands.

So, what would the, so I mean, I was talking about on the previous slide, is about the capabilities like data analytics, advanced data analytics, integration, extensibility. So in the old days, companies needed that. And the way they were doing that is through very costly methods. In some cases, they just couldn't do it. There was a barrier to GRC technology, right? So for example, if you had an Oracle GRC technology, which only works for E-Business Suite. So when Oracle introduced their cloud version, which many customers have adopted, many of them are SafePaaS customers. They couldn't use that technology anymore. It was essentially obsolete. So you had to buy a whole new technology from Oracle or the cloud and if you bought the cloud, technology wouldn't work. But the on premise technology, even though they're both Oracle products, right.

So if you're moving from E-Business Suite to Cloud ERP, you cannot use any of that. Approva was doing fantastic in the early days but they stopped and they were sold. So, many of their technologies didn't go down that vision that they had about being able to cover many of the ERP systems. Same thing with SAP. So if you want SAP to connect with JD Edwards, you have to go to Greenlight and buy an adapter in some cases. The price for the adapter is higher than what you paid for JD Edwards and ERP system. So these are some of the barriers.

And so SafePaaS comes in today in the modern, I call it the fifth generation of this GRC technology, where things are all integrated. So as an example, if you look at this workflow, you can see that we have a considerable application security model, what does that mean? So, not only do we support the top tier applications out of the box that are out there, you know, so PeopleSoft, JD Edwards, ERP Cloud, SAP. All these major technologies that enable us to have as many as, you know, 5, 7 million users on our platform. You can configure any other things. So we have customers that are coming to us. They're saying, Well, we use certain products for managing our retail locations. They have hundreds of retail locations. That's in red at that's a risk. And in the past, the answer would have been no. Because you would have to spend a million dollars to integrate that application and work with that software vendor. These API services, where the user configurable, they're seamlessly integrated. So you can go and basically configure SafePaaS, what we call DataProbe, a security model, and then extract all the security information, using APIs, like REST. So partners that have integration skills can really benefit and customers can utilize those skills or have internal skills to be able to connect across the enterprise. We have been working on this journey to make a GRC technology fully aligned with your strategy and your business is now going to wait for a software vendor to provide this capability, business wants to achieve the business objectives. So SafePaaS provides that agility and that scalability to be able to connect all of those risks that are exposed to the applications where they're in the cloud, legacy, on premise applications. So we have customers that use SafePaaS. They're moving to the cloud. Certain business units are using Oracle Cloud ERP, they're used to keeping some EBS on premise because it as a legacy business, says the different business units. They purchase other things like Workday, JD Edwards, SAP for other business units. So we can create not only all those tier one application tie them together. But also, new applications that come to the market like Coupa, that are coming to the market that also need to protect risks. So that's basically that first swim lane tells you how flexible the modern technology, our technologies are.

And in a second swim lane, we talk a little bit about how you detect risk. So SafePaaS is really a policy-based access management system. So by Access Control system so we provide you a central global repository. We're independent on which system you use. Controls need to remain valid. So just because you're upgrading from Oracle E-Business Suite, you're going to Cloud or HANA. You don't want to lose those controls. You want to maintain the capability that people have created suppliers, should not be paying the suppliers. So in the old days, what you would have to do is really upgrade your GRC technology as well and many times a new technology doesn't match the old technology. So with SafePaaS you can be assured that your detection engine will work in such a way that you just simply define the policy at the business level, which is what business really wants back to that alignment. So your alignment with executives is that we don't want, as a policy for suppliers. People that create suppliers to pay supplier and a global organization, let's say, has done is now enabled you to apply that independent of what ERP or application or even data source, whether on Cloud or on premise you have. Where are those activities occurring?

The other thing we have learned and then, of course, the workflows we talked about earlier. So you can see that workflows that are very important part of SafePaaS. As Soumya said, workflows are not all equal, right, and I'm paraphrasing what he said, but basically the workflows can be really hard coded workflows, so they basically one step workflows, we're seeing that a lot in the identity governance applications that have a single level workflow. So an example of what Soumya was referring to, I see that in the business all the time. Customers come to us and say, Well, you know, the request goes to the manager, Manager says I don't mind if my employees have more access. But they're not responsible for the control, the control owner, or the process owner sitting in a different country. So let's say I'm sitting in Dallas, and my manager says give Adil whatever he wants basically because I'm a manager I want him to be happy. But Emma is sitting in Spain and she's responsible for financial controls over the financial close process. So, she's not even in the workflow, right? So, even though you have this false sense of security, that I've got a workflow, but Emma never heard about it, and therefore, I introduced a risk. So, we create these up to five level workflows that are all driven, that are event driven, and you can route them based on the right responsible party, that is designing your delegation of authority at the enterprise level. So, this way, you can be rest assured that your controls and risks that are being reviewed are going to the right resources. And that's what we mean by that third swim lane, that the when the corrective actions come in. It's one thing to just look at a report and say, oh, yeah, I guess, you know, these users have the ability to create an ... file, go tell someone to fix it. That's not good enough. In the modern world, business moves too fast. It's hybrid. It's changing. So what you want to be able to do is create a workflow that goes in and tells the approver that, Hey, you have this risk, and they take an action. That action is also recorded. So now we call that a closed loop workflow, as opposed to notification, right? And there's a lot of confusion in the market. You buy a product that's really a tool that sends notification, you things can workflow. That's not going to pass the audit. Because what audit is looking for is that response loop, or what action did the controller or the process owner took and then finally, how directionless executed and completed.

All right, because it's one thing for a process owner to say that yeah, no, go ahead and take their access away. But what auditor is looking for is the evidence that that access is actually taken away. And that's where the last swim lane comes in. So that the actions are that the action might go into the ERP system. So where are you seeing this grey spot on the top right? There'll be a new box that shows the ERP system. An ERP system is where we can go: Cloud ERP, Oracle E-Business Suite, whatever you have. We have these APIs through the REST and SOAP, and so forth, JDBC, where we can go and execute that action. Right. So, now you can say, OK, not only did the control owner or process owner approve this, the workflow can also actually execute that in the ERP. Other customers are using IGA systems like SailPoint, or ServiceNow, an ITSM system. So, they want us to go in those systems, and really update the ticket ServiceNow, or an execution command, and server, and SailPoint. And, so, we have, now, APIs, available back to the beginning of the presentation. When we're talking about no integration capabilities and making risk integrated, so over the last few years, customers have adopted lots of different technologies to protect themselves. But they are not integrated. What SafePaaS has done is, provided you the ability to integrate all these provisioning systems, where the risk is happening, because they do not go the fine grain level. Also going down to the ticketing systems to execute those tickets, going into your ERP systems to make sure that the user's access is corrected or taken away. And that's what's driving the efficiencies in the last two decades. So that's what makes us a first generation solution. Because we have learned the lessons over the last two decades integrated. All of these fragmented components of GRC, where things were manual things were offline or things were done through e-mails, and spreadsheets and integrated, all of that into this workflow that you see on the screen here.

Our Speakers

Soumya Chakraverty


Senior Consultant

Soumya is an Executive Consultant in enterprise and operational risk management. He helps companies to develop and implement strategies to manage their complex risk and compliance needs. He has led and managed large program implementations to implement risk and control identification and assessment processes at large financial institutions and other companies to help comply with regulatory requirements.

Adil Khan

Over 25 years of experience in enterprise business systems. Adil serves on the board of the OATUG GRC SIG. Adil has authored “Governance, Risk and Compliance Handbook for Oracle Applications”. He has delivered over fifty presentations on GRC trends, best practices, and case studies at many industry conferences including Gartner GRC Summit, IIA, ISACA, Collaborate, UKOUG, and Oracle OpenWorld.