SAP GRC Consultant

ProCorp Systems Inc.

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Remote

Tech stack

SAP Cloud
JIRA
Control Objectives for Information and Related Technology (COBIT)
Computer Security
Identity and Access Management
Open Data Protocol
Azure
SuccessFactors
SAP Applications
SAP NetWeaver Business Warehouse
SAP GRC
SAP Project System
SAP Security
Security Information and Event Management
Systems Integration
IT General Controls (ITGC)
Okta
Backend
SAP Fiori
Information Technology
SAP S/4HANA
SAP Ariba
Fieldglass
Data Management
SailPoint
ServiceNow

Job description

· We are seeking an experienced Senior SAP GRC Consultant with deep expertise in Access Control (AC), Process Control (PC), and Risk Management (RM) to design, implement, and sustain enterprise-grade governance, risk, and compliance frameworks across complex SAP landscapes.

· The ideal candidate has led end-to-end SAP GRC deployments, optimized SoD and risk rulesets, executed mass master data uploads using MDUG, automated controls and testing via CCM, scheduled MCP plans, and partnered closely with Security, Internal Audit, Compliance, and Business Process Owners to improve control maturity, reduce risk exposure, and conduct enterprise risk surveys.

· This role requires strong hands-on experience across backend SPRO configuration and front-end GRC operations.

Key Responsibilities

SAP GRC Access Control (AC)

Lead design, configuration, and rollout via SPRO for:

· Access Risk Analysis (ARA)

· Access Request Management (ARM)

· Business Role Management (BRM)

· Emergency Access Management (EAM)

Define, maintain, and tune SoD rulesets, risk functions, and mitigating controls aligned to business processes:

· OTC, P2P, RTR, HCM, TM, and others

· Implement workflow-driven access provisioning and approvals, including:

· MSMP configuration

· BRF+ rule design and optimization

· Perform user-, role-, and authorization object-level risk analysis, define remediation strategies, and enforce least-privilege role design

· Establish and operate Firefighter (FFID) governance:

· FFID setup and assignment

· Log review workflows

· Control owner and reviewer maintenance

· SLA compliance

· Integrate SAP GRC AC with:

· HR / IDM / IAM platforms (SAP IDM, Azure AD, SailPoint, Okta)

· SAP Cloud Identity

· Ticketing tools (ServiceNow, Jira)

· Strong end-to-end SAP Fiori authorization configuration knowledge, including catalogs, groups, spaces, and OData services

SAP GRC Process Control (PC)

Perform mass master data uploads using the MDUG program

Design and implement:

· Control libraries

· Centralized control documentation

· Test of Design (ToD) and Test of Effectiveness (ToE)

Configure and operate:

· Automated Business Controls (ABC)

· Continuous Control Monitoring (CCM)

· Data sources, business rules, workflows, alerts, and background jobs

· Schedule and manage MCP plans, certifications, and periodic control assessments

Align Process Control framework with:

· SOX / ITGC

· ISO 27001

· COBIT

· GDPR

· Internal audit requirements

Build dashboards and reports for:

· Control Owners

· Process Owners

· Internal Audit

· Senior Management and Executives

SAP GRC Risk Management (RM)

Lead implementation and configuration of SAP GRC Risk Management module

Design and maintain:

· Enterprise risk frameworks

· Risk categories, risk attributes, and scoring methodologies

Create risks and assign controls, including:

· Risk-to-control mapping

· Preventive and detective control alignment

Configure and manage:

· Risk assessments and risk surveys

· Risk owners and responsible parties

· Risk response strategies (accept, mitigate, transfer, avoid)

· Enable risk monitoring, KRIs, and trend analysis

Support integration of RM with:

· Process Control (PC)

· Internal audit and compliance reporting

· Prepare executive-level risk dashboards and risk exposure reports

Architecture, Integration & Operations

Define SAP GRC architecture across:

· ECC and S/4HANA

· SAP Cloud solutions (Ariba, SuccessFactors, Concur, Fieldglass)

· Non-SAP systems where applicable

Support internal and external audits:

· Evidence collection

· Audit queries

· Remediation and action plan tracking

Drive continuous improvement across:

· Joiner-Mover-Leaver (JML) processes

· Periodic access reviews

· Control automation and operational efficiency

Requirements

· 8+ years of hands-on SAP GRC experience across Access Control, Process Control, and Risk Management

· Minimum 2-3 full lifecycle implementations of SAP GRC modules

Deep understanding of SAP authorization concepts:

· Roles, profiles, authorization objects

· SU24, PFCG, SUIM

· Fiori catalogs, groups, spaces

· OData services

Proven experience with:

· SoD rulesets (SAP standard and custom)

· BRF+ rule maintenance

· Mitigating control design

Strong experience with:

· EAM / Firefighter configuration and operations

· Firefighter log reviews and compliance workflows

· PC frameworks, CCM automation, issue and deficiency management

· MCP plan scheduling

· Strong knowledge of SOX, IT COBIT, NIST, ISO 27001, GDPR

· Excellent stakeholder management across IT Security, Audit, Compliance, and Business

· Reporting and analytics experience:

· GRC standard reports

· SAP BW/BI

· SAP Analytics Cloud (preferred)

· Strong documentation and communication skills

Nice-to-Have

· S/4HANA greenfield or brownfield migration experience

· Integration experience with:

· Azure AD, SailPoint, Okta

· ServiceNow

· SuccessFactors, Ariba, Concur, Fieldglass

Exposure to:

· Cybersecurity programs

· SIEM / SOAR integrations

· Identity Governance & Administration (IGA)

· Knowledge of SAP IAG / SAP Cloud Identity Access Governance

Certifications:

· SAP Certified Associate - SAP Access Control

· CISA / CISM / CRISC

· CISSP

· ISO 27001 Lead Implementer/Auditor

· ITIL

Core Competencies

· Risk & Control Design: Mapping business processes to risks, controls, and monitoring logic

· Technical Depth: SAP security design, authorization object analysis, trace/log review, connector troubleshooting

· Advisory Mindset: Workshops, CRP/FIT-GAP analysis, roadmap development

· Operational Excellence: SLA-based delivery, change and incident management

· Communication & Influence: Executive-ready reporting and audit committee interaction

· Systems, Computer Science, Accounting/Finance, or equivalent experience

Short Job Board Version

Senior SAP GRC Consultant (AC | PC | RM) - 8+ Years

Lead SAP GRC Access Control, Process Control, and Risk Management implementations across ECC/S/4HANA and SAP Cloud platforms. Own SoD rulesets, mitigating controls, firefighter operations, CCM automation, MCP planning, and enterprise risk assessments. Partner with Security, Audit, and Business teams to reduce risk and elevate compliance maturity.

Must Have: 8+ years SAP GRC (AC, PC, RM), strong SAP authorization expertise, SOX/IT knowledge, stakeholder management.
