GFKL Strengthens Corporate and IT Governance

 Within a short period of time, the Capgemini GRC Fitness Check delivered a holistic status review in terms of the key GRC factors. The reports helped us plan our next steps and design our system to be even more secure and easier to audit. The comprehensive analyses uncovered a number of optimization potentials as well as potential risks. The results of the SoD analyses led us to restructure our workflows and underpin them with suitable controls. We would especially like to emphasize the excellent collaboration in the workshops, which despite the tight timeline and strict focus on objectives, left us aiming for an even deeper level of collaboration. Dag Demming, IT Lead, GFKL AG

The Situation

Increasing regulation in the financial sector over the past few years has meant that financial businesses and institutions have come under intense scrutiny, globalization, market uncertainty, and feeble consumer and investor confidence have added to the challenges faced by financial firms today. GFKL, a German financial services company, decided to act fast to reduce any risk in its enterprise-wide SAP systems. It was determined to strengthen its corporate governance and adopt a more strategic, consistent and comprehensive approach to IT governance. In this context, Capgemini and SAP delivered with the standardized “Governance, Risk & Compliance (GRC) Fitness Check” across several GRC factors to GFKL Financial Services AG.

The Solution

In this challenge, Capgemini assisted GFKL by conducting the standardized GRC Fitness Check which covers three relevant areas:

Conceptual Analysis

• business environment & regulatory compliance
• internal control system (ICS), existing rule & risk sets and controls
• high-level screening of all authorization, support and emergency concepts
• analyses of workflows and responsibilities in Maintenance & Support
• organizational & operational structures

Risk & SoD Analysis

• analysis of the standard risks and segregation of duties (SoD) conflicts in the SAP system (without interfaces to non-SAP applications)
• at role & user level with management summary (including Risk Dashboard on PPT) and detailed analyses (in Excel)

Technical Analysis

• ERP authorization and user reviews e.g. user groups and their responsibilities, naming conventions as well as critical transaction codes and role and profile allocations n system parameter (e.g. password settings).

The GRC Fitness Check was used to achieve a holistic overview of all GRC relevant areas for GFKL, especially to conduct a rapid analysis on Risks and SoD. Capgemini is one of only a few consultancies which have permission to use SAP’s Standard Rule Set. The Standard Rule Set enables a service provider to extract data from Enterprise Resource Planning (ERP) systems for analysis. SAP supported Capgemini during the project by allowing the service provider to use its SAP access controls without a specific license for GFKL. Based on that, and in combination with Capgemini’s own Strategy for Provisioning Roles in Transparency (SPRInT) model and Capgemini’s Rightshore® approach, it was possible to deliver these comprehensive analyses to GFKL’ s SAP systems and concepts in the short timeline of two weeks.

The Result

The screening of existing documents, processes and responsibilities has given the company a clear and accurate view of its governance, risk and compliance status. Furthermore, GFKL now has a clear overview of existing risks and SoD in its SAP landscape. GFKL is now on track to fulfilling all current and future risk and compliance requirements (e.g. traceability of payment runs in combination with the authorization to change bank accounts) within their SAP system. Furthermore, GFKL can now review the full benefits of SAP GRC Access Controls solution, and decide if and when any SAP application implementation should be started.