The area of security and controls is well-established, with best practices and tools widely available to enable professionals to manage their SAP environments effectively. These best practices and tools are applied to technical security, critical access, segregation-of-duties management, sensitive data access, a myriad of process controls and various design and process considerations etc..

The problem is, sometimes we lose sight of the “why” and become blind followers of the “what”, slaves to the best practice doctrine or to the information steer from our controls platforms. In our obsession with implementing these measures, we can sometimes forget about the actual risks that we are ultimately trying to address within the context of our business processes and systems. The result is controls inefficiency and ineffectiveness, and often very unhappy users.

In this session, we will look at how taking a risk management approach to controls can restore clarity and allow better decisions and better solutions, how it can inform effective remediation or mitigation strategies, and how ultimately it allows us to execute more effectively and efficiently. We will look at specific examples where risk management has been used to clarify and shape the controls strategy and how this can be applied more generally.