About Me

I'm one of the Directors @ su53 Solutions. su53 provides risk management, compliance and security services to companies that run SAP, reducing costs, automating process conformance, driving business results and enhancing your status as a trusted organisation. I'm passionate about Risk Management and Security. My views are influenced by OCEG thinking. My vision aligns Risk to Strategy, focuses on mapping controls to risks, and leverages CCM and data mining. All this operates within your boundaries. Technology is the enabler. Collaboration and Communication are key to the success of GRC. My path to my current role has been varied, joining a Big 4 as a post-graduate from Queens Belfast and Notre Dame Indiana, before developing in-depth SAP® BASIS skills en route to a focused career plan to become a lead thinker in SAP-related GRC, audit and security. I've travelled extensively and worked with many organisations (from Australia to the Arctic). The breadth of exposure to client SAP systems and the various attitudes, abilities, processes and practices around risk management has given me a sound perspective on best practice. GRC isn’t my job, it’s my passion.

Tuesday 22 March 2011

The impact of "Social" on GRC

Don't laugh - this sounds like a bridge too far but you may be surprised.

The last few years have seen social networking become part of everyday life. Hundreds of millions of people are using Facebook, Twitter, LinkedIn and other sites. Price comparison sites are accessed by millions and recently we've seen sites giving bulk discounts to the masses.
I've been thinking recently about how "Social" can apply to GRC. It's interesting to see how the future could leverage the brain power and insight of the masses, but also use them to encourage user adoption and better behaviour. I've spotted several examples recently that I wanted to share:
1. The su53 GRC Dashboards - http://www.youtube.com/watch?v=W18amVURIEs&feature=youtu.be
By allowing comparisons between different parts of your business over time, users are encouraged to improve and make better decisions. Transparency will drive better adoption and performance. It was interesting to see the reaction from John Garrish of SAP. He prompted the "Social GRC" term. Also fascinating was the feedback from some SAP GRC customers. Some like to name and shame their laggards, others take a softer approach.

2. Michael Rasmussen's anecdote from the OCEG bootcamp (quoting Tom Peters) - "If you want to know what's really going on you should ask the janitor" prompts some more thoughts about how the masses can help with Risk Management. We are already familiar with the whistleblower concept, but there must be some mileage in using the power of the crowd for more here. I'll be doing some research on how the crowd can help with KRIs, to help you detect and avoid events. Watch this space!

3. "Apple" shares the results of its 2010 supplier audit (http://tinyurl.com/5r99pwy). I was impressed by the article from Computerworld. It seems that there is some benefit in externalising your GRC information. This policy matters to Apple. Making the results public demonstrates this internally, but Apple will also benefit from brand enhancement here.

User adoption, embedding GRC in the business processes and encouraging ownership are key elements of any successful GRC program. I think "social" can have a part to play here. Do let me know your thoughts.

Tuesday 15 March 2011

The Inside Track from Vegas


So the crazy world of Vegas is behind me and I am excited to share with you the outcome of another successful and motivating GRC event. Thanks WIS!
Exciting keynotes from key SAP players with Jim Dunham, Sanjay Poonen and James Fisher all promoting the same view of how SAP are progressing in Finance and GRC and the significance of integration with the analytics layer. The product focus was around Enterprise GRC (Process Control and Risk Management), Access Risk Management and Continuous Transaction Monitoring (via Oversight) with positioning around closer integration with the Business Objects portfolio and bringing Performance Management and Risk closer together.
Mobile computing appears to be a definite hot topic, which I found interesting as I had initially discounted the iPad as more of a consumer device; however, there is such a strong drive towards utilising such devices to really engage the business and increase adoption. The launch of the BlackBerry PlayBook (RIM) in April is going to be exciting as it is compatible with Flash-based applications such as Xcelsius.
From a customer perspective there is an increased awareness around Continuous Controls Monitoring and Continuous Transaction Monitoring. More customers are integrating their IDM solutions with GRC. There is lots of buzz around upgrading to GRC 10.0 and positive impressions of some of the new features – here are the Top 7 that really hit the spot with delegates:

  • Process Control now includes policy management
  • Technical layer now back in ABAP
  • Common software and database – shared master data
  • Enhanced SPM logging
  • Process control queries now significantly more flexible
  • CUP now leverages ABAP workflow
  • Introduction of business role concept for CUP

There was also the feeling that many of the customers are entering an era of SOX maturity and they have an appetite for rationalising and streamlining. 2011 is going to be the year of organisations taking time to stop, think and plan for the future. No doubt we will see a reduction in the number of systems to manage risk and controls, more automation, management by exception and an overall rationalisation of controls. The CFO now wants to make the correct decisions, better and faster, with fewer zero-value-added steps. There seems to be a realisation that risks and controls impact business performance. With that in mind su53 insight analytics dashboards were really well received – these need to be shown to the business user to ensure appreciation of the benefits.

From my perspective, I saw a real step change in the way organisations are viewing and approaching risk. The emphasis is really changing – GRC will assist you with managing your risk and meeting regulations; however, it will also reduce the costs and burden of the business controls. This step change is going to empower organisations to become more agile and drive better business performance.
With this in mind there is still not a great deal of risk management transformation talk amongst customers. There needs to be a move away from just technology and functionality and more of a focus on the velocity of business today and how understanding your risk profile and being able to take evasive action will ultimately change the performance and profitability of your business.

GRC 10.0 is a real step forwards for SAP customers. Convergence of the products, return to the ABAP platform, integration with CLM and an enhanced user interface demonstrate that the technology has caught up with the positioning.

So it’s back to base for me and working on finalising release 1 of our content for GRC for the Consumer Packaged Goods sector and P2P/O2C lines of business. We are really excited about this new innovation and look forward to working with SAP GRC customers to implement it and seeing how the utilisation of content and dashboards will help lower costs.

Key take home thought – “Link your risks and your controls to your strategy. Leverage technology to automate and manage by exception. Use data analytics to identify anomalies. Engage your business users with intuitive reporting. Change the emphasis of your GRC initiatives from burden to benefit. This will become the new normal for GRC solutions and SAP GRC 10.0 provides a great platform to achieve that.”

GRC Amsterdam is our next stop and I am looking forward to meeting up with customers and colleagues alike to share our next exciting innovation.

Thursday 3 March 2011

Viva Las Vegas

It's that time of year again. I'm on my way to Las Vegas for the #GRC2011 event. I'll be sending updates on key news via Twitter, capturing my view of the big messages as we go through the week and posting an update to this blog at the end of the week.

In the meantime if you are at the event make sure to come and meet me. I'll be in the exhibition hall (booth #245), in the GRC Partner Showcase or attending some of the sessions. I'll be easy to spot - with SAP GRC on a tablet and a smile on my face.

Viva Las Vegas!

Thursday 3 February 2011

GRC10.0 is Ramping Up


GRC 10.0 entered Ramp-Up on 13th December. You can expect new names for the old tools, much better integration and a return to the ABAP platform. Not many tears will be shed for the Java component of Access Control but it must be said that 5.3 has proven to be much more stable and resilient than the early days of 5.1.

We’ve been planning for GRC 10.0 for almost a year. In September Pete Fitzsimmons and Sarah Dawson spent the month in Palo Alto working on the testing and validation. It was a great experience for them and a crucial insight into the product direction. They returned to base and shaped our mobilization plans for GRC 10.0. A few months have passed now and we’ve done the delta training for Access, Process and Risk. We are upgrading our internal systems and testing the migration routine to make sure that we are ready for our customer demand. We are working on one ramp-up project and will be working with a household name in the UK to deliver an early success on the 10.0 platform.
The key benefits of the new platform:
  • Back in ABAP with all the standard ABAP functionality (job scheduling, SAP query, transport / change management)
  • Integrated with other GRC modules with shared master data
  • Organisational level security available to restrict access to data
  • SAP Business workflow is considerably more flexible and aligned with customer skills
  • Audit logs for SPM (aka Firefighter) are much improved and Firefighter users can now be administered centrally
  • Process Control query design is more sophisticated and flexible
  • Collaborative risk assessments in Risk Management
  • Alignment of risk to policies

There will be much more that we can share on 10.0 after GRC 2011 in Las Vegas (www.grc2011.com). Watch this space. Contact me if you have any specific queries.

Looking forward to 2011!

One of my New Year's resolutions was to update my blog more regularly. I've had a slow start to blogging in 2011 but that will change soon.
I'm excited about the value and opportunities that GRC will bring to customers in 2011. Up to now the focus of GRC for SAP customers has been on restricting / managing access to transactions. That's changing and fast. Increasingly companies want to embed better controls, automate them, and test them automatically. The next opportunity will be to predict / manage risks better with Key Risk Indicators but we don’t see much appetite there yet. This will require a transformational approach to how you manage risk (for you and your auditor!).
SAP's latest release GRC10.0 is now in ramp-up. We've been waiting on this for quite some time and have supported SAP in the test / validation phase. Our internal SAP GRC lab systems are being installed. In the next few weeks we will simulate the upgrade process from AC (4.0 and 5.3) and PC 3.0 to the new release. I will release the Top 10 benefits for both AC and PC in another blog shortly.
GRC2011 in Las Vegas is just around the corner. You can expect some significant announcements from SAP. For those who think Las Vegas is a jolly, think again. It's hard work, but one of my favourite weeks of the year. We’ll be catching up with the SAP EMEA and Palo Alto teams, our partners and exchanging ideas with customers and prospects alike.

Monday 8 November 2010

SAP GRC event in Barcelona

I can't believe it's November already. It's time for Europe's SAP GRC 2010 event and I'm en-route to Barcelona.

I'll be sharing some of the highlights as the event progresses (Twitter @gavin_campbell_ and on this page). I'll collate the best bits and share as the event progresses in different formats.

I'm always interested to see what new offerings there are out there. It's always good to see the niche vendors who have identified a pain point and addressed it.

I expect that the Dashboard Content will generate some interest and start some good discussions. I anticipate there will be lots of chatter about the 10.0 release (functionality, Ramp-Up, timelines and positioning). It will be great to get to meet some of my extended network. Relationships matter and it's much more fun when you get to know people in the real world.

If you aren't familiar with MindMaps then get ready to optimise your learning. I'll share some of my notes for the keynotes etc. There are those who remember when I was change resistant, but now I'm a big fan of MindMaps!

Thursday 28 October 2010

Dashboards – Turning GRC data into intelligence.




Start to leverage your GRC systems to make better risk adjusted decisions.
GRC systems get lots of bad PR because the output is vast, complex and often too technical for the target audience. This causes a barrier to user adoption and business engagement. Dashboards can help address these issues by providing business managers with information in a format they can understand and interact with. Managers see beyond the reams of paper / lines of spreadsheet and engage with the data. Mindsets can change from resentment of controls to users becoming intrigued by exceptions. Business users can start to take ownership of Risks and Controls.

I’m excited about how better delivery of information can encourage better adoption. I’ll be road testing these with customers, partners and SAP in the coming weeks. Expect the content to evolve rapidly.

http://www.su53.com/news/219-bringingvitalitytogrc.html

(previous typo in the URL is now resolved)