Archive for February 2018

WHAT TEMPERATURE IS YOUR DATA? Planning for your HANA Upgrade!

2017 was the year of planning for SAP HANA. Will 2018 be known as The Year of The HANA Upgrade?

SAP has done an exceptional job of incentivizing customers and sales reps to migrate to the latest suite of SAP applications – most notably S/4 HANA, HANA, and BW4/HANA. Which application is a top priority for you to upgrade, ERP or EDW – Enterprise Data Warehouse?

What are some of SAP’s clients saying about their road to HANA? Are they realizing the business benefits of migrating to a HANA-based platform? The expectation is that HANA will deliver process and performance improvements that speed up transaction processing and reporting.

Simply, HANA is about performance and data volume. Because of poor data management policies, some customers are not getting the performance. Is this HANA’s fault?

The data volume issues we saw are grouped into three categories:
• Database size and transaction volume
• Reporting, and
• Data Usage

Information Lifecycle Management (ILM) is a major benefit of migrating to HANA. However, many customers either do not have an ILM model or their practices are not current.

First, what is ILM? ILM is the segmenting or tiering of data based on criteria such as usage, relevance, compliance, and others. You usually hear this referred to as Hot, Warm, and Cold data.

Since HANA uses in-memory storage and a premium is paid for this storage, it is in your best interest to segment your data to pay only for what you need.

One recent adopter had a 15 TB DB. Can HANA handle this efficiently? Maybe, maybe not; according to our sources, it depends on how the data is managed. Before the upgrade, we recommended that they archive their data. Archiving is another form of tiering, making the archived data cold or off-line.

This customer did not archive their data, and the result was slower-than-expected reporting and transaction processing. After the upgrade, reporting efficiency and duration did improve, but not as expected. SAP suggests that you will get up to an 80+% improvement due to the HANA and S/4 simplified data scheme. They were only getting a 30% improvement.

Data analysis and preparation should be performed before the upgrade. Define your data according to the three tiers. This analysis could dramatically impact your HANA sizing exercise, whether for Enterprise HANA, BW4/HANA, or S/4 HANA.

The exercise can take between 2 days and 2 weeks. We recommend including stakeholders from both business and IT in the workshops. However, a deep dive into some data statistics on volume, frequency, and type can streamline the analysis. The criteria used to assess your data are common; the approach and results are unique to each customer and industry.

Each customer, business, and environment evaluates their data differently.

Using these criteria, segment the data into Hot, Warm, and Cold. Typically, Hot and Cold data are easy to define. The grey area is Warm data, and its definition may change based on the business function and processes; financial data has a different scoring or weight than operational data.

Hot data, or Tier 1 data, is recently acquired data relevant for months or years. Hot data benefits from the HANA in-memory computing and capabilities. This is the data that HANA manages best for performance and speed.

Warm data, or Tier 2 data, is compressed and disk-based rather than in memory, but needs to shift from warm to hot in short order.

Cold data, or Tier 3 data, is lower cost and value data and commonly extracted using Vora or Hadoop, for example. This data is stored off-line with lower cost platforms.

Once you have performed this exercise prior to the upgrade, take periodic snapshots to see if your assumptions about the criteria have changed.

Recent articles spoke of the importance of archiving. Start with the archiving strategy you have in place and evolve it towards ILM Best Practices.

If you do not have an ILM strategy in place or need an experienced team to review your strategy or upgrade plan, contact Mark Vasinda, mvasinda@titanconsulting.net, 972.977.3100; or your Titan Consulting Sales Director.

10 MINUTES, 10 HOURS OR 10 YEARS – IN JAIL? How SAP GRC Reduces the Cost and Risk of Compliance!

Sarbanes-Oxley (SOX) was enacted more than 15 years ago. It seems like yesterday when Enron and many other reckless companies cooked their books.

The goal of SOX was to restore confidence and close loopholes that allowed companies to defraud investors. The regulatory impact of compliance on companies is considered a major concern according to a recent survey of C-level executives. The Cost of Compliance and the risk to these companies have increased exponentially, and digitization will substantiate this trend.

Section 404 of the regulation is one of the most arduous to implement. It requires companies to perform extensive internal control tests and include the results in the audit report. However, over the past 15 years, most companies have tackled this requirement using standalone tools that target the various controls.

The current trend is to combine your governance and controls requirements and build synergistic solutions. SAP GRC accomplishes this integration and lowers your cost of compliance and reduces your risk.

Another significant trend is to combine management objectives of business performance, compliance, and value / cost control.

There are many areas of risk, but one certain source of control violations and of risk for fraud, deception, and loss is user access. The four primary functions of User Controls in SAP GRC are:
• Access Risk Analysis (ARA),
• Business Role Management (BRM),
• Access Request Management (ARM), and
• Emergency Access Management (EAM).

Where should you start?

An audit, or the notification of one, is the catalyst for many businesses to tighten up their controls. When audits trigger your actions, we see ARA or Access Risk Analysis as the starting point.

For instance, one of our clients resolved their Access Controls challenges with SAP GRC. This $1 billion USD manufacturing company resided in the portfolio of a private equity group for many years. As a privately-held company, access controls weren’t aggressively enforced. Management’s goal was to grow the company for future sale. Controls were a secondary objective for management, serving to ensure major breaches did not occur.

Then they were sold to a publicly-traded global company that had governance and risk controls as a measurable objective of management. They had a controls program in place co-sponsored by the CEO, CFO, and CISO and were rolling it out to the newly acquired entity.

The first time they ran ARA for the new business there were over 4,000,000 conflicts. The division's management had to abate these conflicts or suffer the consequences. The task fell squarely on the shoulders of the division controller and IT Director.

It took two months of reviewing the conflicts and either remediating or mitigating them. In today’s manufacturing and economic environment, you will never remove all conflicts due to:
• Lean Manufacturing Environment,
• Overlap of Primary and Secondary Responsibilities,
• Cost and Risk Analysis.

After the focused effort, the conflicts were reduced by 75%.

One of the challenges that occurs in lean companies is false positives. A false positive typically happens when secondary roles are assigned; for example, a user can receive goods and put them away. This is common in smaller warehouses and lean plants.

In these situations, you need to ensure that remediation occurs and is reviewed and signed off by the appropriate approval levels and internal audit. This may be as simple as running a weekly report or performing random sampling of conflicted areas.
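
The conflict-and-sign-off review described above can be sketched as a check over role assignments. This is an added example, not SAP GRC's ruleset or code; the risk ids, role names, users, dates, and the seven-day review interval are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed SoD rule set: risk id -> pair of conflicting functions (not SAP's ruleset).
SOD_RULES = {
    "R01": ("goods_receipt", "putaway"),
    "R02": ("maintain_vendor", "post_payment"),
}
# Constructed role design: role -> functions it grants.
ROLE_FUNCTIONS = {
    "WH_RECEIVER": {"goods_receipt"},
    "WH_STOCKER": {"putaway"},
    "AP_CLERK": {"post_payment"},
    "VENDOR_ADMIN": {"maintain_vendor"},
}
# Constructed assignments; secondary roles are what create the overlaps.
USER_ROLES = {
    "alice": ["WH_RECEIVER", "WH_STOCKER"],
    "bob": ["AP_CLERK", "VENDOR_ADMIN"],
    "carol": ["WH_RECEIVER", "WH_STOCKER"],
    "dave": ["WH_RECEIVER"],
}
# Mitigation register: (user, risk) -> date the compensating review was last signed off.
MITIGATIONS = {
    ("alice", "R01"): date(2018, 2, 26),
    ("carol", "R01"): date(2018, 1, 15),
}
REVIEW_INTERVAL = timedelta(days=7)  # assumed weekly review cadence


def analyze(today):
    """Return {(user, risk): status} for every SoD conflict found."""
    findings = {}
    for user, roles in USER_ROLES.items():
        granted = set().union(*(ROLE_FUNCTIONS[r] for r in roles))
        for risk, (f1, f2) in SOD_RULES.items():
            if f1 in granted and f2 in granted:
                signed = MITIGATIONS.get((user, risk))
                if signed is None:
                    status = "unmitigated"      # needs remediation or a sign-off
                elif today - signed > REVIEW_INTERVAL:
                    status = "review_overdue"   # sign-off exists but has gone stale
                else:
                    status = "mitigated"
                findings[(user, risk)] = status
    return findings


if __name__ == "__main__":
    for (user, risk), status in sorted(analyze(date(2018, 2, 28)).items()):
        print(f"{user:6} {risk} {status}")
```

The overdue status is the part a raw conflict count hides: a conflict that was accepted once still needs its periodic review to remain mitigated.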

Even in the best governance practices, there will always be conflicts. The balancing of conflicts and risk is the art and science of a well-designed GRC environment. Attention to the business roles, part of BRM, is the activity where you weigh the cost/risk of the roles.

A function that streamlines a burdensome workload and provides great benefits is Access Request Management (ARM).

“I don’t have enough time to do all of this compliance work!” is a common complaint we hear from controllers and plant managers. By leveraging the ARM functionality, you automate the role creation process, which saves you time and frustration.

One IT Director we work with loves this functionality.

Now, when a new employee is hired, the hiring manager submits an electronic request for the new employee or contractor. The GRC system builds all the necessary user IDs, roles, and authorizations – no human intervention other than to review the audit report.

“Where should you start?” is a common quandary. We recommend a diagnostic that targets areas of risk in your processes. The diagnostic will highlight the low-hanging fruit: risks, rules, opportunities, and effort to remediate or mitigate.

If you need assistance getting your Cost of Compliance under control, Titan Consulting is here to advise and guide you. Contact David Geaslen at 832.422.3251, or david@titanconsulting.net; or contact your Titan Sales Director.
