Simplified Risk Management made possible by a dynamic SoD Scan
Customer Profile
| Name of Customer | Herman Miller Inc. |
|---|---|
| Headquarters | Zeeland, MI, United States |
| Customer Industry | Office furniture and services |
| Web address | http://www.hermanmiller.com |
Business Problems
Herman Miller, Inc. is a leading global provider of office furniture and services, serving markets in more than 80 countries worldwide. Herman Miller is widely recognized for its innovatively designed products.
Need for integrated Risk Management
Having recently passed its Sarbanes-Oxley audit, Herman Miller is well aware of the SOX requirement that each company identify all financial and operational risks inherent in its business processes and then put appropriate controls in place to address those risks. For Herman Miller, the challenge was to find an easy-to-use yet powerful infrastructure enabling true risk management through the global integration of business processes, business controls and employee roles. In addition, this integration had to apply across the various Herman Miller business systems (Baan IV, legacy systems, B2B/supply-chain applications, etc.), which are not themselves integrated with each other.
Need for efficient “Segregation of Duties” (SOD) validation
Another key requirement for organizations seeking SOX certification or adequate governance is the need to certify that users do not have access to applications that create a conflict of interest. The challenge for Herman Miller, however, was to perform such “Segregation of Duties” (SOD) validation across 1600+ users, 250+ user roles, 300+ business processes and thousands of application/session accesses linked to different business systems. “For our first round”, comments Pat Hogan, Director Finance Shared Services, “we came up with home-made scripts, tables and spreadsheets along with countless hours of manual analysis. Not only was this a tedious task, the results of our analysis were good only as long as the Employee-Roles-Process-Applications relationships were not modified. Needless to say, when our SOD validation was completed, it was time to start it over again…”.
Solution
To address these issues and challenges, and to support company-wide risk management, Herman Miller selected the Baan-certified Dynaflow solution.
“DynaFlow has done a great job at creating a tool that allows us to not only graphically define our processes, but also associate these with the business controls and risks that govern them. Furthermore, it also provides the ability to associate roles and employees to our process as well. After a comprehensive review, we have found that Dynaflow Compliance is the best tool on the market to address the dual roles of defining processes and embedding in them the business controls management that ensure their accuracy and integrity,” adds Don Morren.
“As for the SoD validation we were having increasing issues with, we have since then selected the Dynaflow Compliance rules-driven SoD conflicts identification engine. In a matter of minutes we are able to scan thousands of users, roles, processes and applications! Not only do we know precisely who is able to access what, we have direct visibility of any SOD conflicts for us to investigate, resolve and mitigate. In addition to saving us considerable effort, the Dynaflow Compliance solution will enhance the accuracy of our conflicts identification, critical to maintaining our SOX certification for years to come.”
Implementation
A quick and simplified implementation was made possible by the availability of predefined SOX & SoD libraries containing hundreds of SOX Business Controls and related Business Risks. In addition, Herman Miller's implementation was greatly simplified by the availability of Baan-specific SoD Conflict Rules, enabling instant identification of conflicts related to Baan sessions. Within the first day of installation, after a quick import of Baan employee authorizations into Dynaflow Compliance, the scan engine was already able to identify Herman Miller employee access conflicts. Since then, Herman Miller has been adding new rules to extend the scan horizon to custom Baan sessions and to other business applications in use at Herman Miller. In addition, identified conflicts can be communicated to the process/role owners with instructions to resolve, document or mitigate the conflict. Since the process and role models are subject to change, periodic scans are also scheduled.
Benefits
- Ability to define preventative controls to ensure efficient risk management and accurate, rapid conflict identification and resolution
- Increased operational monitoring through a cross-application view of employee accesses
- Significant reduction of SoD analysis effort by replacing time-consuming manual tasks with a rule-based automated SoD scan
- Ability to perform what-if analysis on simulated employees and/or simulated user roles
- Rapid deployment made possible by the pre-defined SOX Controls library and the available Baan-specific SoD Conflict Rules
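A minimal rules-driven SoD scan of the kind described above, including the what-if simulation from the benefits list, as an added example that is not Dynaflow's code: the user-to-role-to-session model, the Baan-style session names and the conflict rules are all constructed for illustration.

```python
"""Rules-driven SoD conflict scan with what-if simulation.
Added example, not Dynaflow's code: the user/role/session model and all
names below are constructed to illustrate the scan this page describes."""
# Constructed authorizations: roles held per user, and the sessions each role grants.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "VENDOR_ADMIN"},
    "carol": {"PAYMENT_RUN"},
}
ROLE_SESSIONS = {
    "AP_CLERK": {"enter_invoice", "approve_invoice"},
    "VENDOR_ADMIN": {"maintain_vendor_master"},
    "PAYMENT_RUN": {"release_payment"},
}
# Constructed conflict rules: session pairs one person must not hold together.
SOD_RULES = [
    ("enter_invoice", "approve_invoice", "Invoice entry vs. approval"),
    ("maintain_vendor_master", "enter_invoice", "Vendor master vs. invoice entry"),
    ("enter_invoice", "release_payment", "Invoice entry vs. payment release"),
]

def effective_sessions(roles, role_sessions=ROLE_SESSIONS):
    """All sessions reachable through the given roles (cross-application view)."""
    return set().union(*(role_sessions.get(r, set()) for r in roles))

def scan(user_roles=USER_ROLES, role_sessions=ROLE_SESSIONS, rules=SOD_RULES):
    """Map each user to the names of the rules their effective access violates."""
    findings = {}
    for user, roles in user_roles.items():
        sessions = effective_sessions(roles, role_sessions)
        hits = [name for a, b, name in rules if a in sessions and b in sessions]
        if hits:
            findings[user] = hits
    return findings

def scan_roles(role_sessions=ROLE_SESSIONS, rules=SOD_RULES):
    """Roles that conflict by design, whoever holds them (role-level review)."""
    return {r: h for r, s in role_sessions.items()
            if (h := [n for a, b, n in rules if a in s and b in s])}

def what_if(user, extra_roles, user_roles=USER_ROLES, **kw):
    """Simulate granting roles without touching the live model; return only
    the conflicts the grant would newly introduce for that user."""
    current = user_roles.get(user, set())
    before = set(scan({user: current}, **kw).get(user, []))
    after = set(scan({user: current | set(extra_roles)}, **kw).get(user, []))
    return sorted(after - before)

if __name__ == "__main__":
    print(scan(), scan_roles(), what_if("carol", {"AP_CLERK"}), sep="\n")
```

Periodic re-runs of `scan()` over a fresh authorization import cover the point in the text that results go stale as soon as the Employee-Roles-Process-Applications relationships change.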
Pat Hogan concludes: “For organizations faced with these SOX requirements or those wishing to establish better controls in that area, Dynaflow provides a powerful and yet easy-to-use ‘Separation of Duties’ scan. A true benefit to Herman Miller, by automating this crucial control and helping us to keep our business processes Sarbanes-Oxley compliant.”