By Stephen D'Arcy, Managing Director, PwC
The days are long gone when decision-makers viewed the cloud as too risky to host enterprise applications. In every way that matters, the cloud is a better, simpler, less expensive solution for managing your enterprise applications needs.
But for firms moving their financial operations into the Oracle Cloud, it’s important to recognize that a few missteps can be all it takes to expose your data, and your organization, to a number of avoidable risks. Conversely, a few leading practices, applied carefully and consistently, can help CFOs avoid losing sleep over moving to Oracle Cloud, have confidence in their financial results, and reduce the cost of their compliance activities.
Let’s set the stage by looking at some telling statistics. According to one recent study, 81 percent of enterprise cloud users cite security as a significant concern, while 79 percent cite compliance, and 84 percent cite governance as major challenges. These figures are especially significant given our experience working with enterprises where in-house expertise in these areas is often in very short supply—and even many third-party service providers lack deep cloud risk management experience.
This is why it’s important for enterprises to understand that a cloud migration demands a proactive and carefully planned approach to managing risk. That approach should begin at the outset of your Oracle Cloud project, represented by a dedicated Security and Controls work stream, just as you would have one for Procure to Pay, Record to Report, and so on. An Oracle ERP Cloud environment offers powerful inherent risk management capabilities; knowing which functionalities to enable is an art. Ignoring the design and implementation of controls during a Cloud project should concern CFOs just as much as lost or stolen data. As Oracle Cloud acumen builds, auditors and compliance organizations will likely impose expensive remedial measures to fix gaps that generally stem from not implementing the right level of control.
Oracle Cloud specialists at PwC have recently worked with a number of companies to leverage Oracle Risk Management Cloud as part of an Oracle Cloud risk and security work stream. While every engagement is (and should be) unique in many ways, we consistently observe three areas where Risk Management Cloud has the potential to give your company cost-efficient continuous monitoring capabilities that build your trust that only approved activities are occurring inside your Oracle Cloud system.
Every day, employees engage in activities that seem harmless, or at least reasonable, on an individual basis. Collectively, however, they can completely undermine the effectiveness of the governance, risk, compliance, and security controls in an Oracle Cloud environment:
These are the kinds of events that systematically break down Oracle Cloud controls. They can happen constantly, across a huge variety of system configurations and system setups—particularly right after go-live as users are getting used to their new system. Trying to find and fix them manually is truly a Sisyphean task: Even if you manage it for a while, the effort involved isn’t sustainable.
Continuous monitoring of configuration changes and transactions, using Risk Management Cloud (RMC), is a powerful tool for combating these control breakdowns. Monitoring analytics can be configured to detect anomalous or out-of-policy activities embedded in a company’s business processes. Once monitoring analytics are in place, RMC can automate the process of finding and flagging anomalous system activity and out-of-policy transactions, allowing managers to remediate control breakdowns quickly. This approach is especially powerful in the hands of experts, such as our own Oracle Cloud specialists, who can advise businesses on where and how to monitor high-risk activities. The important piece is having these continuous monitors in place right when you go live. Implementing them during your project is an important action to develop the comfort most CFOs want as they assess go-live readiness.
Segregation of duties (SoD) conflicts are another major contributor to governance, risk, compliance, and security lapses in Oracle Cloud environments. With on-premise ERP systems, this problem was typically addressed by system integrators building configured security roles that were expensive but effective. There is a common misperception that this changes with Oracle Cloud. While Oracle Cloud ERP- and HCM-delivered roles can be leveraged to jump-start functional security design, many cause immediate segregation of duties conflicts and therefore need to be reviewed and, when necessary, replaced (as in the on-premise days) with tailored, configured Oracle Cloud roles.
Understanding the access points that Oracle Cloud roles possess is complicated. Risk Management Cloud gives our clients the diagnostic ability to determine, in an understandable, non-technical manner, whether delivered or tailored roles accomplish your security design and segregation of duties objectives. Post go-live, Risk Management Cloud continuously monitors your access as it expands and provides those same insights on a repeatable, go-forward basis.
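As an added illustration of the two checks described above, a role-level check (does a delivered role bundle both sides of a conflict by itself?) and a user-level check (do a user's combined roles create a conflict?), here is a small SoD analysis over role-to-privilege mappings. This is example code written for this post, not Oracle Risk Management Cloud or PwC tooling; the role names, privilege names and conflict pairs are constructed stand-ins, not Oracle's delivered role definitions.

```python
# Constructed role catalogue: each role grants a set of privileges.
# "AP_Supervisor" stands in for a delivered role that bundles conflicting
# access; "AP_Manager" and "Supplier_Maintainer" are a tailored split of it.
ROLES = {
    "AP_Supervisor": {"create_supplier", "approve_invoice", "view_invoice"},
    "AP_Manager": {"approve_invoice", "view_invoice"},
    "Supplier_Maintainer": {"create_supplier"},
    "AP_Clerk": {"enter_invoice", "view_invoice"},
    "Treasury_Analyst": {"create_payment", "view_payment"},
    "GL_Accountant": {"post_journal", "view_journal"},
}

# Constructed SoD policy: privilege pairs one person should never hold together.
CONFLICT_PAIRS = {
    frozenset({"create_supplier", "approve_invoice"}),
    frozenset({"enter_invoice", "approve_invoice"}),
    frozenset({"approve_invoice", "create_payment"}),
}


def _violations(privs, pairs):
    """Return the conflict pairs fully contained in a privilege set, sorted."""
    return sorted(tuple(sorted(p)) for p in pairs if p <= privs)


def intra_role_conflicts(roles=ROLES, pairs=CONFLICT_PAIRS):
    """Roles that violate the policy on their own; these must be redesigned,
    since no assignment process can make them safe to grant."""
    return {r: v for r, v in ((r, _violations(p, pairs)) for r, p in roles.items()) if v}


def user_conflicts(assignments, roles=ROLES, pairs=CONFLICT_PAIRS):
    """Conflicts created by the union of a user's roles (effective privileges).
    `assignments` maps user -> list of role names."""
    out = {}
    for user, user_roles in assignments.items():
        effective = set().union(*(roles[r] for r in user_roles))
        hits = _violations(effective, pairs)
        if hits:
            out[user] = hits
    return out


if __name__ == "__main__":
    users = {"alice": ["AP_Clerk", "AP_Manager"],      # clean roles, conflicting combination
             "bob": ["AP_Supervisor"],                  # single role, conflicted by design
             "carol": ["AP_Clerk", "GL_Accountant"]}    # no conflict
    print("roles conflicted by design:", intra_role_conflicts())
    print("users with effective conflicts:", user_conflicts(users))
```

The same two functions can be re-run against each access change after go-live, which is the repeatable, go-forward monitoring the paragraph describes.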
More clients today are using the automation capabilities available in Oracle Risk Management Cloud to reduce the time it takes to operate and test internal controls each year. Implementing systematic, data-driven controls via Risk Management Cloud allows clients to expand the breadth of controls, deploying more controls across a wider range of modules and processes. Automation liberates IT teams from the tedious data acquisition and reporting needed to support controls operation and testing. Exception-based, targeted analytics give the first line of defense (business process control owners) the opportunity to focus on higher-risk exceptions rather than spending time on less concerning activities. This releases trapped resource capacity to focus where it matters and drive business objectives.
While automation clearly allows companies to gain efficiencies and scale up their controls environment, it is very important to understand where and how to apply these capabilities effectively. The PwC team, for example, pairs Oracle Cloud controls specialists with business process owners during the design phase of a cloud transformation, identifying key control points and embedding process controls within a company’s new process flows. This proactive approach is more cost-effective, and more likely to stand up to scrutiny from auditors, than the scattershot or ad hoc use of controls, especially when conducted post go-live.
This blog has outlined what’s possible for companies that take full advantage of their Oracle Cloud transformations to adopt a truly forward-looking risk management stance. And keep in mind that while the direct benefits are significant, so is the ability to stay ahead of your auditors, compliance organizations, and those who may take advantage of the current remote working situation out of necessity or, worse still, malice. Companies that can independently be confident that they know what’s happening in their systems, and can prove it, are in a much better position than companies caught in an endless loop of remediation projects, breakdowns, and reactive responses to audit and compliance findings. If Oracle Cloud risk, compliance, and security nightmares are what keep you awake at night, especially during these trying times, let us help you find the formula for a good night’s sleep.