Soterion's report on GRC trends - a new GRC era for SAP customers

The way forward: Soterion's GRC trends report highlights four key findings and predictions that we believe will shape the future of GRC for organizations using SAP.
Dudley Cartwright
March 2, 2024
This text has been automatically translated from German to English.

As companies working with SAP undertake major digital transformation projects, including the move to SAP S/4HANA, customers increasingly need to ensure their data is protected in the face of rapidly evolving business processes.

Security incidents such as cyberattacks and data fraud have increased over the last ten years. The financial and reputational consequences can be considerable for the companies affected. The need to increase security is therefore obvious.

With audit firms and regulators increasingly focusing on SAP control environments and imposing stringent measures to ensure compliance, it is more important than ever that customers take steps to secure their SAP environments and implement appropriate GRC (Governance, Risk and Compliance) measures to safeguard their future.

Soterion specializes in helping companies make their access risk management more effective with its business-oriented GRC solutions. Soterion recently published a report on GRC trends titled "A New Era of GRC for SAP Customers". In this report, which is available to read in full, we outline four key findings and predictions that are likely to shape the future of GRC for companies using SAP.

1. Scarcity of qualified SAP security resources can increase risk exposure.

The expected increase in SAP security complexity combined with the global skills shortage may increase the risk of organizations struggling to find sufficiently skilled SAP security resources.

The already challenging management of SAP authorizations is further complicated by significant changes to security management in SAP S/4HANA (Fiori Catalogs, Spaces, Pages, etc.). This additional complexity may lead to the implementation of inferior role designs and role methodologies and/or the recommendation to use standard business roles. As a result, SAP users may be assigned broad and inappropriate access.

The added complexity of security management in SAP S/4HANA means that it now takes even longer to train a suitably competent SAP security resource. In addition, many projects are being worked on remotely due to home office guidelines. This can have a negative impact on the training/learning process.

2. The pursuit of standardized business processes will lead to an expansion of access.

Amid the push to introduce standard business processes and predefined roles, organizations may be forced to assign multiple default business roles to users. This expands access and increases business risk.

Because SAP takes a fit-to-standard approach to help its customers get the most value from their investment in SAP technology, organizations with unique business processes and requirements may not be well suited to predefined business roles. To avoid potential operational bottlenecks, users are assigned multiple business roles so that they have the necessary access to perform all of their functions. However, this can lead to unnecessarily broad access rights. This increases the risk of fraud within the company.

3. As cloud usage increases, the clarity of ownership and risk exposure blurs.

The increasing use of cloud solutions brings additional security challenges, as all of these solutions have very different security concepts. Access control solutions are often unable to perform a comprehensive access risk analysis for cloud solutions. It is therefore essential that security teams are aware of the security protocols for all the solutions used in their organization and have the resources to manage them effectively.

SAP is offering customers incentives to transition to SAP cloud hosting via RISE. Soterion also sees challenges ahead in terms of ownership and responsibilities between SAP and RISE customers for various activities, from basic system administration to security.

4. The emergence of the hybrid IAM/GRC model.

When weighing up the benefits of Identity and Access Management (IAM) and Governance, Risk and Compliance (GRC) solutions, more and more organizations will consider a hybrid model that leverages the strengths of both systems.

While there are IAM solutions for managing identities in an IT environment that enable workflows, provisioning and user access, many of these solutions are not able to analyze SAP access at a detailed or technical level or assess the risk impact of assigned roles. To define business roles, organizations may therefore be inclined to consider GRC solutions that are better able to display detailed risk information.

Soterion's report highlights the fact that migrating to SAP S/4HANA is not just a technology upgrade, but also a significant shift in processes and control. It is therefore critical that organizations using SAP put security at the heart of project planning and execution so that business users can navigate the future of their SAP environments securely and responsibly.

An advertorial by:

Dudley Cartwright

Co-founder and CEO of Soterion. Dudley has over 20 years of experience in SAP authorization. With his strong technical understanding and practical business knowledge, he has implemented the highest quality security solutions for organizations around the world. Dudley is passionate about purpose-built, value-added solutions - a philosophy that has become the cornerstone of Soterion's mission.
