One of the biggest success stories of our company was the implementation of SAP GRC 10. 0 at CIMPOR. Because of this we want to explain to you how the process has been from the very beginning.
CIMPOR (Cimentos de Portugal), is the largest cement group in Portugal and is currently in the TOP 10 World, and is present in 8 countries (Portugal, Brazil, Argentina, Paraguay, Cape Verde, Egypt, Mozambique and South Africa).
The IT services within CIMPOR invested a great deal of time in password resetting because of the SAP infrastructure they had internally. There were 12 SAP systems at the ERP level which meant that the same user had to reset the password in several SAP systems and environments. In total there were 39 systems and environments that were part of the SAP infrastructure. In addition, the processes of additions, deletions and modifications were quite long in time and that caused users to lose time in getting their accesses in the SAP systems.
Finally, there was no day-to-day visibility of the risk situation of general segregation of functions within the different SAP systems that existed in CIMPOR. These three points were the main needs that had to be covered as part of the project with Inprosec.
From Inprosec, as SAP partners, we saw the possibility of implementing the SAP GRC 10. 0 solution that had recently been released by SAP. CIMPOR had previously acquired the SAP GRC 5. 3 license but was not using it, it was the ideal moment to recover the investment on the SAP GRC license by directly implementing the newest version at that time.
The only problem that could cause the implementation of the latest version would be the type of programming language (it went from JAVA to ABAP), but CIMPOR was not using the previous system, so there was no such problem. Thus, CIMPOR was ahead of the rest of the companies using the latest version.
SAP GRC 10. 0 covered all 3 requirements and included more tools that would bring new possibilities to the organization. We started with the implementation of SAP GRC version 10. 0 SP 6 and within two months we released the password reset for all your SAP systems (39 at that time). At the same time, Inprosec worked on the definition of a risk matrix for the segregation of functions based on the risks reported by an external audit.
The implementation of this SAP GRC solution served to improve several areas:
Segregation of Duties
From the External Audit, we were told that CIMPOR had to improve in this area, but we had no visibility or tools to work accurately on this point. Thanks to the use of SAP GRC, CIMPOR had a case of success due to the great reduction of conflicts due to the segregation of functions through a Roles Reengineering Project.
After the implementation of SAP GRC, the request for password resets with the help desk was reduced by 80%. This meant a great economic saving for CIMPOR.
Automation of the leave process
One of the biggest problems within an organization is to process a leave in time. Once we completed the implementation of SAP GRC, thanks to the automation of this process, there were no more incidents related to this stage.
Authorization on SAP account creations and changes
With SAP GRC you have all the records and evidence of the authorizations to create or change an SAP account automatically (included within the tool). Previously, all this information was recorded in the emails of the teams that were part of the process.