SAP GRC Process Control for optimized information flow management of a 231 model

Challange

The Client, a relevant entity operating in the Energy, Utilities & Telco sector, expressed the need to equip itself with an information system through which to improve the management of activities in support of compliance with Legislative Decree 231/2001. In detail, the request called for the use of an application that would allow to:

• Manage control activities by the Supervisory Board (SB) and/or Internal Audit; 
• Set up the sending of information flows according to established deadlines to relevant users (owner); 
• Provide alerts and reminders to be sent to stream owners; 
• Compile flows periodically giving evidence of outcome and any notes/attachments;
• Query master records and flow outcomes through ad hoc reporting; 
• Securely store data and make it shareable with members of the SB.

Solution

To support 231 compliance and with a view to optimizing information flow management, the SAP GRC Process Control module was implemented.

Team followed an agile approach, innovative methodology which included 4 steps:

• Prepare (Start works from preconfigurations provided by SAP);
• Explore (Define a prototype and provide analysis sessions with the Client for the purpose of gradually adapting the solution to his specific needs);
• Realize (Develop the solution by adapting it with what emerged in the Explore phase and start the testing phase); 
• Deploy (Conduct final tests and, following successful completion of these tests, bring the solution into the production environment. This phase will then include end-user training sessions and post go live support). 

Following the methodology described above, the Qintesi team divided the activities into 4 project moments: 

• 231 Model implementation: All the information needed to manage the activities has been imported into the system: the organizations, areas the processes with related information flows. In particolare, per i flussi informativi, sono stati definiti gli attributi necessari per la fase di schedulazione come owner, frequenza, data inizio e data fine etc.
• Scheduling information flows: two types of scheduling were provided: a massive one (designed for annual planning) and a specific one (for any flows to be managed as needed). Based on the attributes of the information flows, alerts and reminders were scheduled to be sent to the owners involved, according to predetermined rules from the scheduled dates.
• User experience: a user interface has been released, on a cloud platform with Fiori technology, that responds to the specific needs of the client, with the aim of making it usable and easy for users to access the system (via web links). Specifically, dedicated homepages were provided for each user profile (owner, manager, administrator and SB member).
• Reporting: the necessary reporting was implemented to meet all the needs of the different actors in the process. In particular, ad hoc reporting was created for VO members through SAPUI5 technology, which allows them to easily extract documentation related to the flows sent. All reporting is exportable in word, excel and pdf formats.