Words from our community

We interviewed a client of ours, a GRC Officer in a large organisation in Singapore, to understand his role and get his take on SAP GRC.

Q: What does your job as GRC Officer entail?

A: My job is to ensure that access granted to users is ‘clean’ and to monitor that there are no unwarranted risk violations. My mission is: Get clean, stay clean and stay in control.

Q: Talking about granting access: do you sometimes reject access requests?

A: It happens occasionally that I cannot approve the request. I may need to reject the request as a whole, but at times I can still approve the request after ‘de-conflicting’ the risk violation by rejecting some individual roles.

Q: How do users appreciate your validation of access requests?

A: Generally, they appreciate my validation as they understand it is part of our organisational risk management. I always contact the requester (via email) prior to any rejection.

Q: Can you imagine doing your job without a GRC system?

A: We had to manage the access of 1,500+ users in the first wave of implementation. We handled 2,000+ user access requests in the two years since go-live, so it is impossible to do that without a GRC system. But you know it’s not easy: it took me one year to smoothly handle the system. It is very technical to understand why a violation shows up.

Q: Must a GRC Officer have good technical expertise?

A: I had no SAP or GRC background when accepting the position as GRC Officer. I had to go through a steep learning curve to get familiar with the control mechanisms in SAP. That is quite technical stuff and I definitely needed some coaching in the first year.

Q: How do you assess whether you achieve your objectives as GRC Officer?

A: I frequently use the GRC dashboards, user risk analysis reports and mitigated users report to monitor the numbers of mitigated and unmitigated violations. I will act upon any unexpected fluctuation in numbers. That’s my way to ‘stay clean’.

Q: What is your involvement with mitigating controls?

A: I make sure that there are no unmitigated violations. In addition, I monitor that user mitigating controls are still valid and correctly assigned. There should not be any deviation of mitigating control assignments to risks.

Q: What in your view are the main conditions for a GRC Officer to be successful?

A: It is good to have some IT background to understand the control mechanism and to be able to work in harmony with system development consultants. More importantly, you need to have an open mind and understand how to use the GRC system well in relation to the business processes. After all, organisation risk management is to benefit the business processes – not to trouble them. Of course, as GRC Officer you need the backing of management to achieve a clean access state.

Click here to  go back to the main newsletter page.