Discover how Bridgestone Australia use Soterion’s GRC solution to effectively maintain segregation of duties
For Bridgestone Australia, one of the most well-known tyre manufacturers in the country, dealing with risk is a daily reality. Part of their brand promise is reducing risk for their customers who trust them to manufacture high-quality tyres to keep their families safe on the road.
But when it came to managing financial risk in their SAP system, they faced challenges. With a growing team, maintaining access controls within their SAP system had become time-consuming, inefficient and costly.
High growth and legacy ERP set-up no longer sustainable
Bridgestone Australia has used SAP since 1998 and over the years the volume of users has increased significantly. In 2008 they had a small number of SAP users due to running two systems within the company, namely SAP and iSeries. Due to the volume of users being fairly small, managing segregation of duties was relatively simple.
The turning point came in 2013/14 when all Bridgestone users needed to be migrated to SAP and many new processes were introduced.
With a large number of users and the complexity of the process, the team knew that managing segregation of duties needed to move from the existing manual processes to automation.
The search for a commercial solution
Having investigated several options, Bridgestone decided that a custom solution was the way to move forward. Leading the charge for a fit-for-purpose solution was Jess Barnes, Senior Business Analyst in the SAP team at Bridgestone Australia.
Jess understood the complexity required to create a custom program that would handle the needs of the business and the plan was for her to write IT specifications for the program during the first quarter of 2015.
It was then at the Mastering SAP Conference Australia that Jess came across Soterion, and discovered their solution could do everything she needed it to do, presenting the data beautifully, and meeting budgetary requirements.
After three days of training, the Soterion team worked closely with Bridgestone’s infrastructure team to set up a Soterion server to talk to their SAP server. After a proof of concept, in 2016 Bridgestone Australia started using the Soterion solution.
“The tool is very useful to us because it gives us a clear picture and transparency of our financial risk in the business and the team is able to present the stats to the risk committee and executive team providing peace of mind to all.”
– Jess Barnes, Senior Business Analyst
Adjusting the solution makes it more powerful
Although Soterion’s solution can be used out-the-box, there were certain setups that Jess and the Bridgestone team needed to do to customise it to their specific requirements and integrate into the company’s risk and governance control policies.
1. Reviewing the rule set
The first thing the Bridgestone team did was to review the risk level and relevancy of the standard rule set. They decided to create their own Bridgestone rule set so that they could add their own set of transactions to the list.
The out-the-box solution shows low, medium, high or critical risk levels. In the system, Bridgestone found that certain risks marked as ‘high’ they considered ‘medium’; however, a relevancy checkbox allowed the team to keep oversight of all risks regardless of their level.
2. Segregation of Duties (SOD)
The second activity the team embarked on was to review all the risks that they had in the business by looking at all their users. They needed to define a mitigating control for each of them, something that the business and auditors would both agree on.
After running the SOD risk details within the Soterion solution, users who had a particular risk were highlighted together with a long description function that defined the risk. The team were then able to record a mitigating control.
Role simulation and user simulation were used on a daily basis. When creating a new role the team could instantly check whether it introduced any segregation of duties conflict, look into the risk definition details and allocate a mitigating control, ready for audit.
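As an added illustration of the two activities described above (reviewing and reclassifying a rule set, running an SoD report over users, recording mitigating controls, and simulating a role or a user change before it is built), the Python below models that workflow in a few dozen lines. It is example code written for this page, not Soterion's software or Bridgestone's configuration: the rule set, roles, users and control text are constructed, and the conflicting transaction pairs are only plausible pairings of standard SAP transaction codes, not a published rule set.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    """One SoD rule: two transactions that a single user must not hold together."""
    rule_id: str
    description: str
    conflict: frozenset          # the pair of transaction codes in conflict
    level: str                   # low / medium / high / critical
    relevant: bool = True        # the 'relevancy checkbox': keep oversight even if downgraded


# Constructed rule set for this example (not a vendor rule set).
RULE_SET = [
    Rule("R01", "Create vendor and post vendor payment", frozenset({"XK01", "F-53"}), "high"),
    Rule("R02", "Create purchase order and post goods receipt", frozenset({"ME21N", "MIGO"}), "medium"),
    Rule("R03", "Maintain user master and maintain roles", frozenset({"SU01", "PFCG"}), "critical"),
    Rule("R04", "Display vendor and display document", frozenset({"XK03", "FB03"}), "low", relevant=False),
]

# Constructed roles (transaction codes each role grants) and user-to-role assignments.
ROLES = {
    "AP_CLERK": {"F-53", "FB03"},
    "VENDOR_MAINT": {"XK01", "XK03"},
    "BUYER": {"ME21N"},
    "WAREHOUSE": {"MIGO"},
    "BASIS_ADMIN": {"SU01", "PFCG"},
}
USERS = {
    "jdoe": ["AP_CLERK", "VENDOR_MAINT"],
    "asmith": ["BUYER"],
    "bjones": ["BUYER", "WAREHOUSE"],
    "sysadm": ["BASIS_ADMIN"],
}

# Mitigating controls agreed with the business and auditors, keyed by (user, rule).
MITIGATING_CONTROLS = {
    ("jdoe", "R01"): "Monthly review of vendor master changes against payments by the AP manager",
}


def reclassify(rule_set, level_overrides):
    """Activity 1: build an organisation-specific rule set by overriding risk levels."""
    return [replace(r, level=level_overrides.get(r.rule_id, r.level)) for r in rule_set]


def transactions_for(role_names, roles=ROLES):
    """Union of all transaction codes a set of roles grants."""
    tcodes = set()
    for name in role_names:
        tcodes |= roles.get(name, set())
    return tcodes


def violations(tcodes, rule_set=RULE_SET, include_irrelevant=False):
    """Rules whose conflicting pair is fully contained in the given transactions."""
    return [r for r in rule_set
            if r.conflict <= tcodes and (r.relevant or include_irrelevant)]


def sod_report(users=USERS, controls=MITIGATING_CONTROLS, rule_set=RULE_SET):
    """Activity 2: every user's SoD risks, with the long description and any mitigating control."""
    rows = []
    for user, role_names in users.items():
        for rule in violations(transactions_for(role_names), rule_set):
            rows.append({
                "user": user,
                "rule": rule.rule_id,
                "level": rule.level,
                "description": rule.description,
                "mitigating_control": controls.get((user, rule.rule_id)),
            })
    return rows


def unmitigated(rows):
    """Risks that still need a control before the report goes to the risk committee."""
    return [row for row in rows if row["mitigating_control"] is None]


def simulate_role(proposed_tcodes, rule_set=RULE_SET):
    """Role simulation: intra-role conflicts in a role that has not been built yet."""
    return violations(set(proposed_tcodes), rule_set)


def simulate_user(user, extra_role, users=USERS, rule_set=RULE_SET):
    """User simulation: conflicts a user would have after one more role assignment."""
    return violations(transactions_for(users[user] + [extra_role]), rule_set)


if __name__ == "__main__":
    for row in sod_report():
        print(row)
    print("unmitigated:", [r["rule"] for r in unmitigated(sod_report())])
    print("new role XK01+F-53:", [r.rule_id for r in simulate_role({"XK01", "F-53"})])
    print("asmith + WAREHOUSE:", [r.rule_id for r in simulate_user("asmith", "WAREHOUSE")])
```

The `relevant` flag is what keeps a downgraded or low-risk rule visible: `violations(..., include_irrelevant=True)` shows R04 for the user holding both display transactions even though it is excluded from the audit-facing report by default. Checking a proposed role with `simulate_role` before it is built is the cheap point to catch conflicts; once a conflicting role is assigned to many users, removing it is the hard part, as the lessons below note.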
Key lessons from Bridgestone’s implementation
- Once a mitigating control has been decided on, it is a good idea to review it regularly. Bridgestone Australia does this on a yearly basis to ensure their mitigating controls are still relevant.
- When setting up roles, ensure there are no conflicts in the same role. Revoking a role is difficult to do once the role has been set, especially with a large number of users. Setting this up correctly from the very beginning is crucial.
- There is no need to develop a custom solution. Solutions such as Soterion’s GRC software can do everything and more, and bring with them expert knowledge built up over years.
Soterion is an international leading provider of governance, risk and compliance solutions for organisations running SAP. Soterion’s user-friendly GRC solutions provide in-depth access risk reporting to allow organisations to effectively manage their access risk exposure. Soterion is passionate about simplifying the governance, risk and compliance processes, with a focus on translating this complexity into a business-friendly language to enhance better decision making and business accountability.
How can Soterion help you?
Soterion is the market leader in business-centric GRC. By converting the technical GRC language into a language the business users can understand, we facilitate business buy-in and accountability.
Feel free to email us on firstname.lastname@example.org. Let us help you take your GRC to the next level.
This article is sponsored by Soterion