 su53 sent a team to the GRC 2008 in Orlando, March 10th – 13th to meet others and to find out the latest developments in the world of GRC. An immediate summary of each day is included here and over the next week we will be publishing analyses of the entire event, the key messages we’re picking up on, and giving details of how to contact us to find out more.
The first impression you get is the enormity of the event: 5,000 delegates, over 50 sessions to choose from each day from 08.30 to 19.30, and perhaps 80 vendors here. Talking to delegates on our stand was very interesting, and we gained an excellent understanding of what, in general, the top current issues are for organisations.
- 73 organisations visited our stand and left details for us to follow up on – contacts varied from C level Executives down, in companies such as Coca Cola, Harley Davidson, and Nokia, and covering geographies around the world but with key footprints in the UK and Europe
- The three top enquiries we had were from organisations:
  - with GRC wanting better advice on how to get the best from it
  - with specific technical issues
  - thinking of buying GRC but wanting an independent assessment of the likely real benefits, resources needed, costs and timescales
- Four GRC vendor/services companies met with us to explore collaboration and joint working, and we are following up on whether and how these would improve the solutions we deliver to our clients
- The top comment without doubt was “I like the company name – we know exactly what you do!”
Two of the session highlights were around the new version of Access Controls just coming out, and about SAP’s GRC support:
Torsten Budesheim and June Sun hosted an excellent session on the new features of SAP GRC Access Controls 5.3. Significantly, the Access Control tools have been re-branded by SAP. We now have:
- Risk Analysis and Remediation - RAR (formerly Compliance Calibrator)
- Compliant User Provisioning – CUP (formerly Access Enforcer)
- Enterprise Risk Management – ERM (formerly Role Expert)
- Superuser Privilege Management – SPM (formerly Firefighter)
There are 150 enhancements since version 5.2. Some of the most exciting ones we noted were:
- Mitigation re-affirm to make it simple for risk managers to extend mitigations.
- Periodic User review to allow managers to review access assignment. This even highlights which roles have not been used by a user!
- BI content to enable enhanced reporting.
- Improved mechanism for migrating config between systems.
- Performance enhancement for risk analysis.
- Improved change history for all configuration.
Jayne Gibbon and Ramelyn Paredes gave an overview of the SAP GRC support process. The volume of calls SAP receives has increased from 300 a month when they acquired VIRSA to 500 per month now. Their customer base has increased from 400 active users to 700 during the same period. We were impressed to learn that the average time to resolve a HIGH CSS message is 5 days and were surprised that only 10% of bugs reported actually require a program change.
Some of the key breakout sessions we attended were useful because we could quiz SAP’s own experts on the GRC tools. We also participated in sessions where common pitfalls of implementing GRC Access Controls were discussed, and in the first of three GRC Process Control sessions - an area we see as the next key area of focus for many clients following Access Control.
Sadly the volume of follow-up calls and note taking meant that we decided not to watch the 02.38am shuttle launch just an hour away – but that probably also highlights the buzz this event generates for us too.