For a long time, SAP promoted the new S/4HANA product line mainly on the strength of its underlying technology. There was a lot of talk, for example, about in-memory databases and the public cloud, which are essentially IT strategy topics and of only moderate interest to the business. Thus, initial discussions about the transition strategy also focused largely on technology.
Only gradually were functional differences brought to the fore, and even then they were not limited to the new product line: in part, e.g. in the core module SAP FI, they were also made available to ERP customers. New features were offered that were intended to meet the needs of the business without alienating the existing customer base.
However, what matters in any conversion project, even if it falls short here and there, is organizational management. And that extends not only to SAP products, but to all components of your organizational structure.
Organization? We have one.
Specialist functions in highly structured companies (such as corporations with plants worldwide) normally form on demand. While the locations are still small, there are individuals who run the whole show, organizational structures are only rudimentary (let alone documented), processes live on walking over to a colleague's desk, and tools are set up and used as needed.
As the entities grow, the tasks gradually diversify, colleague by colleague, department by department, system owner by system owner. A fundamental overhaul of organizational roles rarely occurs, and the more the company grows, the greater the effort such a restructuring requires. As a result, it becomes increasingly unattractive to tackle the whole thing.

This is fundamentally not a problem, because a localized distribution of organizational roles is often the most efficient way to achieve a plant's goals. Local conditions are addressed optimally, because no one knows the little tricks and peculiarities better than the locally responsible department. Of course, head office is seldom happy about this, as it has transparency neither about the process nor about the performance of the processes (not to mention harmonization or a centralized system).
When someone comes around the corner with an ERP system, it is a good moment to take another look. Although the clean-up is not directly part of the system introduction itself, it can be addressed perfectly well in the course of it. You take a look at the currently active functions and processes anyway, so why not clean them up right away?
Where are the problems?
The development described above is by no means rare. Of course, business and IT first take the most efficient route to accomplishing their tasks. However, that route is rarely secure or even compliant with policy. The resulting problem usually extends in two dimensions: the scope of available authorizations, and the combination of critical authorizations. Neither is limited to a particular IT product from a particular vendor. The concept should encompass all products and all accesses, physical ones included.
Problems in the scope of authorizations
- Accounts and access rights accumulate over the years, because obsolete rights are rarely removed when positions change or tasks are handed off.
- The scope of the permission roles themselves also tends to grow (and never shrink), because it is always plausibly argued that activity X absolutely belongs in role Y, while no one ever gets the idea of shrinking a role.
Overly extensive authorizations on site and in the system ultimately lead to godlike employees who are allowed to do "as good as everything", and are often used that way. "Go to H. Schmidt, he used to be in purchasing / he can post the invoice / he can get into the R&D building" may then be a much-used tip in one of your plants. You can only prevent this by doing two things:
- Make sure that H. Schmidt and all his colleagues are subject to continuous authorization control. His organizational role must be mapped to a fixed set of authorization roles in all systems and locations, and as soon as the former changes, the latter must change as well. Whether you do this with pen and paper or with an IAM system is a matter of your digitization strategy. But you should cover the topic with a workflow if you don't want to risk the worst case (e.g. H. Schmidt is terminated and wants to get back at the company on his way out, while his accounts are still live).
- The roles themselves should also be integrated into a well thought-out role framework, so that they do not proliferate to the point where it no longer matters which role you get because almost all of them can do almost everything anyway. Here, too, a higher-level documentation and (ideally) monitoring system makes a lot of sense if you want to get and stay on top of the complexity.

Problems in the combination of authorizations (segregation of duties / four-eyes principle), e.g.:
- a critical combination within the same business process, e.g. create purchase order and approve purchase order
- a critical combination across originally separate processes, e.g. maintain vendor master and post invoice receipt.
At this point at the latest, you can no longer do without a comprehensive IT tool. This is especially true if the sub-steps of the process are not mapped in one central system. Otherwise it is difficult to check regularly whether the colleague creating orders in the SRM system is the same person who posts the invoices in the FI system: the two systems know him by different user IDs, and the conflict only becomes visible once both accounts are tied back to one person.
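To make the two kinds of check concrete (the role-matrix reconciliation described under the scope problems above, and the segregation-of-duties check described here), the following is an added example that is not part of the original post and uses no SAP or IAM product API. The systems (SRM, FI), authorization role names (Z_PO_CREATE and so on), people, the role matrix and the SoD rule set are all constructed for illustration; the one thing it deliberately shows that the prose only hints at is that a cross-system rule (order created in SRM, invoice posted in FI) can only be evaluated after each system's user IDs have been mapped to one person.

```python
"""Access-governance checks over constructed sample data (illustration only).

All system names, role names, people and rules below are assumptions made
for this example; nothing here calls an SAP or IAM API.
"""
from collections import defaultdict

# Role framework: organizational role -> {system: {authorization roles}}
ROLE_MATRIX = {
    "buyer":           {"SRM": {"Z_PO_CREATE"}},
    "purchasing_lead": {"SRM": {"Z_PO_APPROVE"}},
    "ap_clerk":        {"FI": {"Z_INVOICE_POST"}},
    "master_data":     {"FI": {"Z_VENDOR_MAINTAIN"}},
}

# SoD rules: system-qualified pairs that must not meet in one person.
# The third rule crosses systems and is invisible to a per-system check.
SOD_RULES = [
    ("create and approve purchase order",      ("SRM", "Z_PO_CREATE"),      ("SRM", "Z_PO_APPROVE")),
    ("maintain vendor and post invoice",       ("FI", "Z_VENDOR_MAINTAIN"), ("FI", "Z_INVOICE_POST")),
    ("create purchase order and post invoice", ("SRM", "Z_PO_CREATE"),      ("FI", "Z_INVOICE_POST")),
]

# Constructed HR feed: person id -> current org role; active=False means left the company
HR = {
    "P001": {"name": "H. Schmidt", "org_role": "ap_clerk", "active": True},
    "P002": {"name": "A. Meier",   "org_role": "buyer",    "active": True},
    "P003": {"name": "B. Weber",   "org_role": None,       "active": False},
}

# Constructed identity mapping: (system, system user id) -> person id
IDENTITIES = {
    ("SRM", "SCHMIDTH"): "P001",
    ("FI",  "HSCHMIDT"): "P001",
    ("SRM", "MEIERA"):   "P002",
    ("FI",  "WEBERB"):   "P003",
}

# Constructed role exports, one entry per system account
ACTUAL = {
    ("SRM", "SCHMIDTH"): {"Z_PO_CREATE"},                        # left over from his purchasing days
    ("FI",  "HSCHMIDT"): {"Z_INVOICE_POST", "Z_VENDOR_MAINTAIN"},
    ("SRM", "MEIERA"):   {"Z_PO_CREATE"},
    ("FI",  "WEBERB"):   {"Z_INVOICE_POST"},                     # never revoked after termination
    ("FI",  "TEMP01"):   {"Z_VENDOR_MAINTAIN"},                  # account with no known owner
}


def effective_access(actual, identities):
    """Collapse per-system accounts into one {(system, role)} set per person.

    Returns (per_person, orphans); orphans are accounts no person maps to.
    """
    per_person = defaultdict(set)
    orphans = []
    for (system, user), roles in actual.items():
        person = identities.get((system, user))
        if person is None:
            orphans.append((system, user))
            continue
        per_person[person].update((system, r) for r in roles)
    return dict(per_person), orphans


def expected_access(hr_record, role_matrix):
    """What a person should hold, derived only from their org role."""
    if not hr_record["active"] or hr_record["org_role"] is None:
        return set()
    return {(system, r)
            for system, roles in role_matrix[hr_record["org_role"]].items()
            for r in roles}


def reconcile(hr, role_matrix, per_person):
    """Joiner/mover/leaver check: diff held access against the role matrix."""
    findings = []
    for pid, rec in hr.items():
        held = per_person.get(pid, set())
        if not rec["active"]:
            if held:                      # leaver with live access: highest priority
                findings.append(("LEAVER_STILL_HAS_ACCESS", pid, sorted(held)))
            continue
        wanted = expected_access(rec, role_matrix)
        if held - wanted:
            findings.append(("EXCESS", pid, sorted(held - wanted)))
        if wanted - held:
            findings.append(("MISSING", pid, sorted(wanted - held)))
    return findings


def sod_conflicts(per_person, rules):
    """Every person holding both halves of a rule, regardless of system."""
    return [(pid, name)
            for pid, held in per_person.items()
            for name, a, b in rules
            if a in held and b in held]


def run_checks(actual=ACTUAL, identities=IDENTITIES, hr=HR,
               role_matrix=ROLE_MATRIX, rules=SOD_RULES):
    per_person, orphans = effective_access(actual, identities)
    return {"orphans": orphans,
            "reconciliation": reconcile(hr, role_matrix, per_person),
            "sod": sod_conflicts(per_person, rules)}


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(section)
        for item in items:
            print("  ", item)
```

On the sample data the run reports three things a per-system review would not: H. Schmidt's leftover purchasing role is excess against his current org role and, combined with his FI posting role, trips the cross-system rule; B. Weber's FI account survived his departure; and the FI account TEMP01 belongs to no one. Orphan accounts are listed rather than silently dropped because an account with no owner can be neither reconciled nor SoD-checked, and that is itself a finding.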
Not just cleaning up
Finally, I would like to make one thing clear: it is not enough to clean up once and be compliant for a day. You also need to ensure that the rules are adhered to in the operational hustle and bustle. So you need governance officers globally, regionally and locally, and you need role owners both for the organization and for the system. With a governance structure and regular audits, many issues can be addressed with fairly basic means.
Last but not least, management and employees need to understand that it is in the company's best interest to invest a certain amount of effort here. So don't forget the most important part of any change process: communication.
Good luck in the future,
