Have Your Pie and Eat it Too!

Luckily, I work in an environment where “open door policy” is more than just a buzz-phrase. Recently, itelligence’s SVP shared with us an article written by Jennifer Dulski, the President and COO at Change.org: “A Foolproof Tool for Motivating Your Team (and Yourself).” Dulski touches on the importance of the “platinum rule.” By now, you’re probably asking yourself “What the H$!! is the PLATINUM RULE?!” Well, so was I… but it actually makes a lot of sense.

You see, growing up our parents were always preaching to us (Jewish mothers are the queens of nagging) about the “Golden Rule: Treat others as you would like to be treated.” However, as a manager, Dulski asserts that we must reward our team members based on their own motivation factors. “Treat others as they would like to be treated.” Platinum: Because all that glitters is(n’t always) gold.

Dulski decided that the best way to keep people happy at work was to start directly asking all the people on her teams what motivated them. To do so effectively, she created a tool: The Motivational Pie Chart. I won’t go into the details here, but using this tool is relatively straightforward (it doesn’t require nearly as many ingredients as my Nanny’s homemade blueberry pie does) and is a proven method to increase discourse on how we can better motivate our teams. My Pie Chart (BrownSugarPeachAppleToBeExact) looks something like this:


Did I mention that #PostGradSAP is a judgement free zone? Hey… girls gotta eat (not to mention all the shoes, handbags, and froyo that it requires to maintain the ultimate #yopro lifestyle).

You can read Jennifer Dulski’s full article on linked-in, here.

Peace, Love, Friday,

@PostGradSAP

Tracy


GRC Access Control (AC): “It Works Best if Everyone Participates”

Happy Friday World! Is it 5 pm yet??!!! #postgradproblems

This weekend I’m heading to my hometown of Cleveland (yes, I still have a personal vendetta against LeBron) to spend some long overdue quality time with the fam. I think it was Patrick Henry who said: “Give me Melt/Tommy’s/East Coast Custard or give me death!” Can’t wait to hit up all the old stomping grounds.

In other news… here’s the low down on a topic that I’ve become very familiar with.

I don’t want to give too much away (I’m looking to pursue some other outlets to discuss this subject further), but I wanted to clue my readers in on one of the most desired and value-added aspects of GRC AC: the ease of collaboration between business and IT. Pardon my need for political analogies, but GRC AC is not all that different from a modern-day democracy in the following ways:

  • GRC AC works best when everyone participates
  • There are many examples of “Separation of Powers” within the GRC AC Engine
  • The system demonstrates the need for “Checks and Balances” which aids in achieving a more holistic approach to audit and compliance

Managed risks must actually be deemed critical by the business and aid in achieving global objectives. Risk management efforts are not likely to be successful unless everyone participates. If inadequate resources are allocated, compliance requirements may be overlooked and remain unmonitored. Ultimately, by bringing together the individuals responsible for addressing real business needs, organizations can achieve a more balanced approach to governance, regulations and compliance (GRC). Collaborative accountability brings the individual areas of GRC into harmony and enables the business to be held accountable for its expertise while promoting information-sharing. Furthermore, by putting role ownership and remediation in the hands of the business, organizations can reduce the amount of time, energy and money that is put into overall risk management efforts.

Over and out,

@PostGradSAP

Tracy

2 Year Anniversary

Today marks my 2 year anniversary at itelligence. For the past 104 weeks I have been able to (not so) expertly navigate ERP and the world, all the while, managing to cultivate lasting relationships and learning some pretty fantastic skills along the way.

At the end of our consultant training program, Propel (formerly known as TPS), each of us was charged with the task of writing a report on “What TPS Means to Me.” Lo and behold, I was the only one to actually submit the requisite paper… in fact, I’m the only one in the history of the program to ever meet that deliverable. Overachiever or sucker… you decide. I’d like to share some of the words of wisdom I covered in that synopsis (a mere 10 pages, but I’ll spare you the nitty-gritty). The following is, in part, serious, but also a fun-loving ode to my TPS comrades who join me in celebrating this milestone.

It began in July: our VP of Consulting was shouting something at us about “ASAP”, “FOCUS”, “CRP”… my head was spinning. I was upstream without a paddle, in a sea of acronyms. That’s the first lesson I learned in TPS: “write everything down.” Make a personal dictionary. Merriam Webster doesn’t have anything on this girl. Eventually, one stroke at a time, things started to come together. That’s the second lesson I learned in TPS: “Start big.” Don’t try to learn too much too quickly. To learn the business, you must start at the bottom of the pyramid and eventually, brick by brick, it will all start coming together.

The 3rd lesson I learned in TPS was “fake it til you make it.”  You don’t have to know everything, but you always have to appear as if you do. Whoever it is, whether it be a mentor, colleague or a client, it’s imperative that the consultant is always one step ahead. That brings me to our guiding principles, how they have begun to define my career at itelligence and how they have become intrinsic to who I am. One of the most remarkable aspects of working for an organization, in which each individual has a sincere sense of proprietorship over the group effort, is that each individual grows to become part of a joint values system such as ours.

Customer Focus: Be ready to pack your bags and go! Be responsible for your own actions and deliver. Be both honest and direct, but maintain authority.

Responsibility: Have a clear understanding of individual and team objectives.

Teamwork: Give constructive feedback. Be supportive and optimistic. Teams win and lose together.

Integrity: Celebrate others’ achievements. Be honest and outline deliverables and project scope up front to keep everyone on the same page.

Professionalism: Be reliable. Arrive early and be clear and concise while presenting. Communicate SAP in terms of business processes.

Innovation and life-long learning: Promote change and communicate areas for improvement. Participate in knowledge transfer.

Be a role model as a manager: Be a role model regardless of your position. Be a capable and willing confidant and coworker. Have a clear understanding of the business and how each individual contributes to its success.

In our 2nd trimester as baby consultants, we hit a little speed bump on our road to SAP Olympic Gold. TPS Lesson #4: “While ‘faking it,’ make sure you actually have some minute understanding of what in the world you’re talking about.” We’ve all heard the sayings, and actually it is true, proverbially speaking: failure is an important part of life. That doesn’t mean, however, that one should not come prepared. Whether your forte is Production Planning, Finance and Controlling or Sales & Distribution, it is imperative that you can speak to everything you show. Have a clear understanding of the system in terms of cross-industry business processes: forecast to stock, procure to pay and order to cash; and be able to relate those processes to industry specific solutions and best practices. Which brings me to my next point, TPS Lesson #5: “SAP Consulting has very little to do with SAP, it’s about the people.” Some people you encounter may have been in their roles for 5, 10, 15 years—they don’t give a damn what you have to say. They don’t care that you will be saving the CEO and his comrades millions of dollars a year, making their processes more efficient, yada yada yada. They just want to go to work, do their jobs, and get the hell out of there so they can go home and feed the 5-13 cats they have anxiously awaiting their return. It’s your job to make them care, which means building trusting and lasting relationships that will endure the changes and detours that an SAP implementation entails.

To sum up my time in TPS…

There are times when an opportunity comes along and you know without a shadow of a doubt that a single moment in time has changed your life forever. You feel unparalleled elation, or sometimes earth-shattering sadness, but regardless you are noticeably and irrevocably different from that moment on. The day I started at itelligence was nothing like that—Brian Merkel, Ryan Lundquist and I timidly sat side-by-side and began to tackle the unknown together. I met some other people too—they were nice enough I guess, Kent, Dave, Geoff, and Laura, but how was I supposed to know that, within that group I had come to meet, 12 individuals would serve me unequivocally as role models over the course of the next 6 months. I am very appreciative of the opportunity itelligence has given me, and I hope to continue to build upon this foundation in order to grow skill sets, both technically and personally.

With love and admiration for Brian (the Merk), Geoff, Brian (the Brain), George, Marco, Kent, Dave, Laura, Crystal and Ryan…

@PostGradSAP

Tracy

The State of the Union: Surviving an SAP Security Audit (Part 1)

The first step of surviving an SAP audit requires doing a little digging and getting your hands dirty. PROCEED WITH CAUTION. You may not like what you are going to see. The State of the Union: Necessary, albeit Messy (if you will).

The State of the Union not only allows for reports on the condition of the nation (SAP Landscape), but also allows the president (key stakeholders) to outline their legislative agenda (key remediation initiative).

"Let's never forget: millions of Americans who work hard and play by the rules deserve a government and financial system that do the same. It's time to apply the same rules from top to bottom." President Barack Obama, 2012 State of the Union Address


Where are we now?

Determining the “current state of affairs” is perhaps the most difficult task of all. Having a clear understanding of all the pieces of the puzzle and how they should fit together will help dictate the steps needed to put everything in place and the strategy with which one will approach this task. The following is a modified checklist highlighting a few of the key factors that should be monitored, regulated and documented in order to sustain a scalable and stable SAP environment.

  • Do documented processes exist for user administration, role administration and transport management?
  • Have custom tables and programs been secured?
  • Do multiple roles exist with only one transaction assigned? Do transactions repeat across multiple roles? Are many roles assigned to only one or a few users?
  • Are critical access and permissions limited to only a few users, and are their actions being recorded and audited?
  • Have the proper steps been taken to follow industry standards regarding password rules, SAP default users and table maintenance?
  • How many Segregation of Duties (SoD) violations occur inherently within individual roles? How many users have SoD violations per the combination of assigned roles?

***The list above is only a small portion of the discovery efforts required in order to determine the current state of an SAP environment. For more information regarding audit efforts for your organization, please feel free to comment below or e-mail me at tracy.levine@itelligencegroup.com.

How did we get here?

An organization must focus on appropriately designing user access rights to strike an effective balance between providing sufficient end-user privileges to fulfil job responsibilities and ensuring that business process and system security risks are adequately controlled. As SAP is pre-configured with only a basic level of security and control, organizations are essentially required to define, build and maintain their own security requirements in the system, which demands a significant investment of resources. Organizations need to ask themselves the following questions:

  • Were scalability needs and growth outlook taken into account when the role design was originally conceived?
  • What persons and stakeholders are involved when role remediation efforts are performed? How have these changes been tracked? Who owns the roles and determines accuracy in the permissions within each role?
  • What persons and stakeholders are involved when users are assigned new roles? Has any effort been taken to perform regular user access reviews across the organization?
  • How was the naming convention for the roles determined? Is there an inconsistency between role descriptions and actual authorizations, potentially leading to unauthorized access?
  • Is there an internal audit system in place to determine whether SoD violations exist? Have efforts been made to mitigate SoD risks in some manner?
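The role-design questions in the two checklists above (single-transaction roles, transactions repeated across roles, SoD violations inherent in a role versus those created by a user’s combination of roles) can be answered mechanically from a role-to-transaction and user-to-role export. The script below is an added example, not part of the original post or any SAP tool; the roles, users and the two-rule SoD ruleset are constructed for illustration only.

```python
from collections import defaultdict

# role -> transaction codes it grants (constructed sample data, not a real export)
ROLES = {
    "Z_PUR_CREATE_PO": {"ME21N", "ME22N"},         # create / change purchase order
    "Z_AP_INVOICE":    {"MIRO"},                   # single-transaction role
    "Z_AP_PAYMENT":    {"F110"},                   # single-transaction role
    "Z_VENDOR_MASTER": {"FK01", "FK02", "ME22N"},  # ME22N also sits in Z_PUR_CREATE_PO
    "Z_AP_SUPERUSER":  {"FK01", "F110", "MIRO"},   # conflict built into one role
}
# user -> assigned roles (constructed)
USERS = {
    "JDOE":   {"Z_PUR_CREATE_PO", "Z_AP_INVOICE"},  # conflict only via the combination
    "ASMITH": {"Z_VENDOR_MASTER", "Z_AP_PAYMENT"},  # conflict only via the combination
    "BAUDIT": {"Z_AP_SUPERUSER"},                   # inherits the role-level conflict
}
# SoD ruleset: rule id -> pair of transactions one person should not hold (constructed)
SOD_RULES = {
    "P001": ("FK01", "F110"),   # create vendor master + run automatic payments
    "P002": ("ME21N", "MIRO"),  # create purchase order + post the vendor invoice
}

def single_transaction_roles(roles=ROLES):
    """Roles granting exactly one transaction (a role-sprawl indicator)."""
    return sorted(r for r, tcodes in roles.items() if len(tcodes) == 1)

def repeated_transactions(roles=ROLES):
    """Transaction -> sorted roles, for transactions that appear in more than one role."""
    seen = defaultdict(set)
    for role, tcodes in roles.items():
        for t in tcodes:
            seen[t].add(role)
    return {t: sorted(rs) for t, rs in seen.items() if len(rs) > 1}

def violations_in(tcodes, rules=SOD_RULES):
    """Rule ids for which both conflicting transactions are present in one set."""
    return sorted(rid for rid, (a, b) in rules.items() if a in tcodes and b in tcodes)

def role_sod_violations(roles=ROLES, rules=SOD_RULES):
    """Inherent violations: the conflict exists inside a single role."""
    return {r: v for r, t in roles.items() if (v := violations_in(t, rules))}

def user_sod_violations(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Violations from the union of a user's roles, even when no single role conflicts."""
    result = {}
    for user, assigned in users.items():
        effective = set().union(*(roles[r] for r in assigned))
        if (v := violations_in(effective, rules)):
            result[user] = v
    return result
```

Note that JDOE and ASMITH only appear in the user-level result: each of their roles is clean on its own, which is why the second checklist question asks about violations per combination of assigned roles, not just per role.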

What challenges do we face?

One of the primary concerns, when preparing for an SAP Audit, is being able to articulate the security landscape in terms of business processes. Auditors are looking for the “owners” of the security environment to be able to demonstrate knowledge of potentially risky pain-points and how they are going about monitoring these issues. Oftentimes, SAP security requirements remain undocumented as what we refer to as “tribal knowledge”: there is no central repository that clearly defines the SAP landscape and tracks and monitors changes. As the SAP landscape matures, scalability efforts prove more difficult with increased requirements and a lack of correspondence between functional silos. Changes made by one functional team may override requirements that were purposely implemented for another, driven by a lack of visibility with regard to change management. Furthermore, clients may be concerned with underlying segregation of duties (SoD) violations and the need for a Sarbanes-Oxley (SOX) compliant deployable role design.