Friday, November 2, 2012

GRC for Oil and Gas Industry


Oil is a global concern. Not only do its fluctuating prices affect the global economy, but its contribution to global warming is also significant. From businesses to the common man, from the troposphere to the stratosphere, everything is affected by its use. Oil and gas industry compliance requirements help to regulate this usage in the larger interest of the globe.

An article written by Charukesh briefly describes compliance frameworks such as the Kyoto Protocol, the Clean Air Act, ISO 14064, and the EU IPPC Directive, and gives an overview of SAP solutions for environmental compliance.



Tuesday, October 9, 2012

SAP GRC 10.0 Access Control Certification in India


Many guys are asking me about the SAP GRC 10.0 Access Control certification. Here are the details.
There are two (+1) ways that you can take the certification exam.

1) Your company should be involved in SAP business or implementation (at least one), and you should have been a permanent employee of that company for at least 1 year; then you can take the certification directly.

2) If you are an external consultant, you need to take SAP training with them (SAP Bangalore). The next batch is going to start in November 2012 (approximately). Then attend the exam; it will cost you around 1,00,000 in fees + 30,000 for the exam.

3) If SAP gives the option at TechEd, you can take the exam there directly, but you will get to know that only during the TechEd sessions.

This is the information I got from SAP Labs Bangalore. Send me an email for the contact person's name, phone number, etc.; I feel it's not appropriate to give those details in public forums and groups.

Friday, September 28, 2012

SAP GRC Solution for European chemical industry


REACH Compliance – New compliance solution for EU chemicals regulation.

REACH is the European Community Regulation on chemicals and their safe use. It deals with the Registration, Evaluation, Authorization and Restriction of Chemical substances. The law entered into force on 1 June 2007.

The aim of REACH is to improve the protection of human health and the environment through the better and earlier identification of the intrinsic properties of chemical substances. At the same time, REACH aims to enhance innovation and competitiveness of the EU chemicals industry. The benefits of the REACH system will come gradually, as more and more substances are phased into REACH.

The regulation shifts the burden for proving the safety of substances, products, and consumer use of those substances and products to the businesses that manufacture and import them. Businesses must work within the REACH process framework to establish that proof. The proof rests on a business's ability to submit REACH-compliant product information about its substances and products and their intended commercial use. If the product information does not satisfy REACH legislation, the business will be denied authorisation, registration, and ultimately the right to trade in that substance within the EU. In other words: no data, no business.

SAP GRC EH&S 

To meet the requirements REACH compliance poses, SAP AG and TechniData AG jointly developed the SAP® REACH Compliance application. Based on the SAP Environment, Health & Safety (SAP EH&S) application, it tracks regulated substances through the production, buying, and sales processes, showing in which materials and products a substance is used and in what quantity. The application provides a reliable and cost-effective means of implementing the REACH requirements for all industries. Its modular design means it can be adapted to the needs of the particular industry, thereby ensuring that your company is REACH compliant in all its processes.

The SAP REACH Compliance application extends the existing SAP EH&S application to integrate all phases of the REACH process. The software supplies up-to-date, industry-specific information, ensuring the following benefits for companies active in all industries affected by REACH:

  • Visibility into the impact of REACH and support for consistent, non-redundant data.
  • Reduced risk of non-compliance and heightened diligence
  • Increased efficiency and minimised costs



SAP GRC NFE 10.0 - What's it all about ?


SAP GRC NFE 1.0 and SAP GRC NFE 10.0

Not many people are aware of SAP GRC NFE 10.0, which is very much a part of our SAP GRC product suite, so this is an attempt to give some information about this product.

SAP GRC NFE, released by SAP in 2008, implements the requirements of the Brazil-specific electronic invoicing scenario. It handles several communication interfaces between the company's ERP system(s) and the relevant government systems; XML document handling; digital signatures for the XML documents with specific requirements from the government; and B2B communication between business partners (suppliers and customers), among other functionality.

In Brazil, the NF-e project is part of a bigger government program called SPED (Sistema Público de Escrituração Digital, or Electronic Bookkeeping Public System), which is a nationwide project that intends to eliminate all (or most of) the current paper-based legal reporting activities, replacing them with electronic-based operations.

To know more about the Brazilian NF-e project, please visit
http://www.nfe.fazenda.gov.br (open this page in Google Chrome and you can translate it to English).


SAP GRC NFE 10.0 - Introduction 



 

On June 22, 2012, SAP released SAP NFE 10.0, and its official full name has been changed to SAP Business Objects Electronic Invoicing for Brazil 10.0 (SAP NFE 10.0).

So now the SAP GRC NFE solution comprises two "modules":

SAP NFE, Outbound: the classic feature of SAP NFE, the best-of-breed NF-e issuing system for SAP ERP customers in the market;
SAP NFE, Incoming: leveraging the NF-e capabilities in order to improve the procurement and logistics process for Brazilian customers.


            




Tuesday, September 25, 2012

Netweaver Business Client ( NWBC 4.0) for GRC 10.0


SAP launched NWBC 4.0, and here are the GRC Access Control 10.0 screens when you log in to NWBC 4.0.

 New look of NWBC 4.0 for GRC 10.0 
NWBC 3.5 for GRC 10.0 AC Logon Screen

NWBC 4.0 for GRC 10.0 AC Logon Screen












These are the technical desktop prerequisites listed in the latest documentation for NWBC 4.0 (check SAP's documentation for the latest advice on this):
  • Microsoft .NET 3.5 SP1
  • SAP GUI for Windows 7.30
Follow the instructions in OSS Note 1707626 to find and download the latest NWBC 4.0 from the Service Marketplace. You should also download and install the new SAP GUI 7.30 (released in June 2012).

You can also select to add a new tab (just like in a modern browser).  Doing so presents you with a useful default page, which includes a listing of your most frequently used applications, and your last opened applications.










Monday, September 24, 2012

SAP Governance, Risk, and Compliance (GRC) solutions


SAP Governance, Risk, and Compliance (GRC) solutions - Maximize business performance:
1) Access Control:
2) SAP Process Control:
3) SAP Risk Management:
4) SAP Global Trade Services:
5) SAP Environment, Health, & Safety Management:
6) Sustainability Performance Management:

There are a couple of mobile apps available too:

1) SAP Access Approver Mobile App
2) SAP Policy Survey Mobile App

"SAP GRC vs Other GRC Tools"



Last week when I was giving a seminar, there was a question from one of the audience about who the famous GRC vendors available in the market are. I asked him, "What makes a software vendor's product a GRC product?" He started responding, and I asked him "how to differentiate among ERM, compliance applications and GRC". The story went on... Later I thought of compiling this list.

What is GRC? What GRC products are available in the market?

“Organizations are inundated with IT vendors claiming to have the answer for their risk and compliance problems. However, most of these vendors provide capabilities to meet only a single requirement or a handful of requirements and really are not a risk and compliance management vendor themselves. Real risk and compliance vendors provide a platform for documenting and overseeing risk and compliance across an organization.

The fragmentation of the market and misleading terminology used in software vendors’ marketing make it hard to identify “real” GRC vendors. For the moment the list below is based on companies mentioned in the Gartner Magic Quadrant for Enterprise Governance, Risk and Compliance Management.

SAP
The German business software company provides a diverse GRC suite.
CA
The provider of IT management software released its GRC Manager in September 2007.
IBM
IBM sells mostly third-party tools together with its own GRC contents and procedures.
IDS Scheer
The GRC platform of IDS Scheer is architected around the ARIS Risk & Compliance Manager.
MetricStream (PwC now has a JV with this company in the GRC space)
MetricStream offers comprehensive services for audit, compliance, risk and policy management on its enterprise GRC platform.
Paisley
Founded in 1995, Paisley is one of the leading GRC software vendors with its products “Paisley Enterprise GRC” and “GRC on Demand”.  In 2009 it was acquired by Thomson Reuters, combining GRC technology with Thomson Reuters business information.
Protiviti
The risk and internal audit consulting company also offers software along with its services.
Rsam
Rsam is the d.b.a. name for Relational Security Corporation and was founded in 2003.
Wolters Kluwer
The Dutch company offers GRC services leveraging self-built products. In July 2009 they acquired GRC software competitor Axentis.

Other vendors

Sword Achiever
“Sword Achiever” is a unified GRC management solution that covers many GRC relevant areas.
Archer Technologies
Archer provides enterprise risk management and compliance solutions centered around its SmartSuite Framework.
Axentis
Axentis Enterprise is a portfolio of integrated GRC applications built upon a shared foundation of software services. In July 2009 Axentis was acquired by Wolters Kluwer.
BI International
BI International offers GRC capabilities on its Aline platform.
BWise
Building on a strong business process management heritage, BWise covers GRC with a variety of software products.
DoubleCheck
The DoubleCheck™ GRC & Audit Platform provides all four elements of a complete Enterprise GRC solution: Audit Management, Compliance Management, Risk Management and Policy Management.
Cerrix
Cerrix, which is part of the Dutch Artena group, offers a large set of GRC solutions.
Cura
This young software producer (founded in 2001) specialises in software for GRC.
DoubleCheck
The DoubleCheck GRC&T Enterprise Solution is a risk centric set of key modules that bridge the material requirements of Controls Framework Compliance to GRC Management with Controls Testing administration.

Thursday, September 20, 2012

Difference between SAP GRC 5.3 and SAP GRC 10.0

Though it's not the right way to differentiate the two versions, here I have attempted to give some major differences for beginners.

Naming Convention
  GRC 5.3: SAP GRC Business Objects Access Control
  GRC 10: SAP Access Control (from May 2012)

  GRC 5.3: Risk Analysis and Remediation
  GRC 10: Access Risk Analysis

  GRC 5.3: Superuser Privilege Management
  GRC 10: Emergency Access

  GRC 5.3: Compliant User Provisioning
  GRC 10: Access Request Management

  GRC 5.3: Enterprise Role Management
  GRC 10: Business Role Management

Installation
  GRC 5.3: Need to install on Java Stack
  GRC 10: Need to install on ABAP Stack

End User Access
  GRC 5.3: Any browser (Internet Explorer)
  GRC 10: NWBC (NetWeaver Business Client) or through Portal Browser

GRC Patch Installation
  GRC 5.3: JSPM or SDM (/usr/sap///j2ee/JSPM/go.bat on Windows)
  GRC 10: ABAP Stack, T-Code: SAINT

GRC Patches
  GRC 5.3:
    VIRCC00_0.SCA - Risk Analysis and Remediation
    VIRAE00_0.SCA - Compliant User Provisioning
    VIRRE00_0.SCA - Enterprise Role Manager
    VIRFF00_0.SCA - Superuser Privilege Management
    VIRACLP00_0.SCA - Launch Pad
    VIREPRTA00_0.SCA - Enterprise Portal
  GRC 10: Add-on patch GRCFND_A

Real Time Agents (RTA)
  GRC 5.3: VIRSANH, VIRSAHR
  GRC 10: GRCPINW (Non HR), GRCPIERP (HR)

Features
  Rich set of new features available; will be discussed in the next post

Wednesday, September 19, 2012

SAP Access Control Rapid Deployment Solution ( SAP RDS)



SAP Access Control Rapid Deployment Solution - live in approximately 7 weeks.

There are 3 main phases for this implementation methodology:
1) Start
2) Deploy
3) Run

SAP Access Control Rapid Deployment Solution – Solution Scope

1) Access Risk Analysis (ARA):
Automated, real-time access risk analysis: Upload the rule set with sample data, sample mitigating controls, sample data for risk owners, pre-configured mitigating control workflow.

2) Emergency Access Management (EA):
Closed-loop emergency access management: Sample firefighter IDs, sample owners and controllers, pre-configured log report workflow.

3) Access Request Management (ARM):
Streamlined user access management: Pre-configured provisioning workflows, pre-configured user access review workflow.

4) Business Role Management (BRM):
Comprehensive business role management: Sample business role, pre-configured business role approval workflow, role derivation.


Monday, September 3, 2012


"Key enhancements in SAP GRC Access Control 10.0"
As we zoom past our initial hiccups during the configuration of SAP GRC Access Control 10.0, we come to notice major enhancements that SAP is trying to make in SAP GRC Access Control version 10.0.
It seems to me that a lot of feedback is being incorporated by SAP to improve the day in the life of an SAP GRC consultant working on Access Control versions 5.2 or 5.3.

No doubt the console of the new SAP GRC Access Control 10.0 is sleek and brand new. It gives a good feeling and a sense of fear as well, since there are new things out there that we need to master and leverage now. Below is a glimpse of some of the key changes we noticed that are coming our way in SAP GRC Access Control version 10.0.

1. Robust RAR – When we showed customers an access risk analysis report, they often used to ask us, “Is that all?” The challenge was that the report used to be so bulky that one needed to spend a considerable amount of time reading and analyzing it to find out where to act first for remediation/mitigation. It looks like we can have some relief from this problem, since SAP has come up with a new framework for RAR which helps us narrow our risk analysis down to a very specific level, as well as quickly sort our risk analysis data so that we can reach our critical mass of users or roles faster. RAR in SAP GRC Access Control 10.0 gives us an option to add conditions based on system, user groups or even risk level for an analysis. Earlier it was primarily restricted to users and roles. Another important new feature in SAP GRC Access Control RAR 10.0 is that it supports multiple rule sets during the analysis.

2. Bulk data handling – It happens. Huge organizations at times grow big and never get time to clean up the authorizations assigned to profiles and users. Cases are known where the number of violations reported after an analysis has shot to more than 1 million. It used to be very difficult to download this amount of bulk data to an Excel sheet due to the sheer limitation of rows and columns in an Excel sheet. This particular issue is now resolved in the new version, SAP GRC Access Control 10.0, where reports can be split into different files and downloaded.

3. Personalization in Reporting – Reporting was mundane in SAP GRC Access Control 5.3, as there were stringent limitations on the way one could modify a report to suit one's needs. SAP GRC Access Control 10.0 gives us a lot of flexibility to shape a report, and in fact the view of the report in the system as well, to fit our requirements or the viewer’s profile. One can sort, filter or simply remove rows and columns which are not so important and print the report as a PDF or a Crystal Report. The best part is that we do not need a Crystal Report license to do this; all we need is the Crystal Report adapter to be installed.

4. Drill Down on Reports – This particular feature was present in SAP GRC Access Control 5.3, but in the new version, SAP GRC Access Control 10.0, it has been significantly enhanced. Doing a drill-down to identify and troubleshoot a violation and understand the risks associated with it is made better. One can drill down based on the risk ID, user ID, functions and every other security entity, which can help us understand it better and plan a mitigation for it.

5. Mitigation made easy – Setting up a mitigation control to remediate each violation/risk was a time-consuming task in SAP GRC Access Control 5.3. SAP has now introduced new features to help us save time and plan mass mitigation approaches. We can now assign a single mitigation control to a set of violations/risks, which means that business users can define fewer but more effective mitigation controls for all their business risks. IT teams can also set up mitigation controls specific to systems, which is another newly introduced feature. A tenure (the time period for which the mitigation will be valid) can also be tied to a mitigation control.

6. Audit's delight – Good news for hardworking auditors has also come in SAP GRC Access Control 10.0. Auditors will now have a better view of all changes made in the GRC system. In SAP GRC Access Control 5.3 one could never track when a transaction was last used by a particular user or how many times it had been used in the last six months. This kind of information was difficult for a non-SAP-Security person to find out without help from the backend. Now SAP GRC Access Control 10.0 simplifies the life of an auditor, who can access this information as an SAP GRC power user. Any changes made to the rule sets, critical roles or profiles, functions, risks, or org rules can be tracked by an auditor, with details like when the change was made and by whom. The historical values of these fields are also maintained.

7. Centralized Emergency Access Management aka Firefighter – Access is now centralized in SAP GRC Access Control 10.0, so firefighting activities are managed and utilized from the SAP GRC Access Control 10.0 applications. A workflow-based provisioning and review process has now been introduced, which greatly reduces our effort compared to SAP GRC Access Control 5.3 for provisioning firefighter IDs and reviewing logs to monitor the usage of firefighter IDs.

Friday, August 10, 2012

SAP GRC Certification course and other GRC courses

SAP BusinessObjects Access Control Course Details:
GRC Certification course and other GRC courses:

Q) What are the SAP standard courses for SAP GRC 10.0?

1) GRC100, 2 days (not available in India)
SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 " Principles and Harmonization"

2) GRC300, Version: 010, 5 days
SAP BusinessObjects Access Control 10.0 - Implementation and Configuration

Certification:

C_GRCAC_10 : SAP Certified Application Associate - SAP BusinessObjects Access Control 10.0

1) TZAC10, Version: 096, 4 days
SAP Access Control 10.0 - Implementation and Configuration Delta

2) OGRC10, Version: 095 (this is an e-learning course)
SAP GRC Solutions 10.0

For details, please visit the SAP official website:
https://training.sap.com/in/en/curriculum/fin_grccac_in-sap-businessobjects-access-control-in/

Sunday, July 1, 2012

Branding Change SAP GRC - May 2012


Branding Change - May 2012

As of May 2012, the application formerly known as SAP Business Objects Process Control is now available as SAP Process Control.
The same is the case with other products too: SAP has now removed the words "Business Objects" from its GRC suite, so it is now SAP Access Control, SAP Process Control, SAP Risk Management, etc.

Wednesday, February 22, 2012

SAP GRC Overview

Many people ask me what GRC is. Here is a document that gives you the technical details about SAP GRC.

Friday, February 17, 2012

Tuesday, February 7, 2012