Why GRC does not equal SAM for SAP
In previous roles, I have been directly involved with the oversight of governance, risk and compliance (GRC). In general, we deal with GRC issues in situations involving SOX or HIPAA, and when working in the public sector.
This area of control and access management is highly important, and usually narrowly focused. The SAP GRC module is targeted at this area and implemented for control and governance of users and systems. There is little doubt that certain enterprise environments demand that GRC be employed, but sometimes it is less than clear exactly what GRC is and what it can do – and, more importantly, what it can’t do.
In general terms, what is GRC and where is the focus of the SAP module?
According to SAP documentation (feel free to read it yourself here), there are six areas for which SAP GRC is intended:
Access Governance
Oversight in the process of managing and validating user access. This is focused on systems, applications and data.
Financial Audit Management
Integrate audit processes into your fraud management processes. This allows you to improve your internal financial audit processes.
Controls and Compliance Management
Work with the regulations common within your industry, your internal processes, and risk management for monitoring of compliance.
Enterprise Risk Management
Manage corporate risks associated with business value. Analyze risk variables, value impact, and possible responses.
Fraud Management
Monitoring and detection of possible fraudulent activity.
International Trade Management
Monitor and manage cross-border operations with regard to compliance and risk management. Avoid penalties and fines.
As can be seen from the above descriptions, the focus and intent of the GRC product and practitioner is fairly clear and defined. So with GRC in place, you are covered for monitoring allocations, contract allotments and related use of your SAP system from a business perspective, especially in international and cross-border operations.
You’ll notice, however, that there is no mention of managing licensing or costs.
That’s because this really isn’t a focus for the GRC module. It’s an important distinction to understand.
Solutions like Snow Optimizer for SAP® Software have a different, yet complementary, focus in the ongoing management of the SAP environment.
For organizations already running GRC from SAP, Snow Optimizer provides the following additional capabilities:
- Cost control based on usage
- Cost savings by optimizing and adjusting user license types
- Cost savings from analysis of indirect access by third-party applications or internal processes
- Cost savings from licensing structure analysis and “right-sizing”
- Cost savings resulting from user consumption which may violate the SAP licensing agreement
So the differences can be summed up thus:
- GRC = Security and Access Manager
- Snow Optimizer = Software Asset Management and License Optimization Manager
Key differences exist between Snow Optimizer and SAP GRC in terms of the analysis of usage and consumption, versus the governance and control of access.
GRC is not intended to assist with license compliance and analysis. Nor is GRC intended for, or focused on, cost savings with regard to your SAP licensing.
Since the focus of Snow Optimizer for SAP® Software is LICENSE and cost management, it is a powerful resource for the SAM Practitioner for delivering cost savings on SAP systems.
For example, one area GRC does not monitor is the indirect access of your SAP systems by outside connections and users, a possibly costly license compliance issue. Another area where GRC does not focus is the allocation of your license allotments; incorrect or inefficient license allocation can have unrealized effects on costs.
Yet another is an overview of your SAP usage based on license type and system assignment, the lack of which results in “true-up” penalties and additional costs.
Yes, the GRC solution can manage and maintain user access to applications and data. However, it is still incumbent upon the Basis and Security teams to maintain the licensing management and assignment. With GRC, the Basis and Security teams must run the system measurement on each system, consolidate the results, and check license allocations by comparing the results to the contracted licenses.
In contrast to the GRC module, Snow Optimizer aggregates and reports on all of the current allocations per system, showing where licenses are assigned, how usage matches with the assigned license, and gives YOU the power to re-allocate and “right-size” the license usage across your landscape.
If this sounds like “GRC bashing”, it’s not supposed to. GRC has an important role to play in the effective management of some SAP implementations.
However, it was not developed to be – and never will be – a solution to help SAP customers manage the cost and complexity of their SAP systems.
To do that, you need dedicated license optimization solutions like Snow Optimizer for SAP® Software. To learn more about how Snow Optimizer can help you reduce your SAP costs,