The Why Behind Our Tips

In the following article, I make the case for why these top 3 tips are crucial action steps for your organization. We call it “turning resovolutions into action.” For 25+ years I have been watching ERP (Enterprise Resource Planning) implementations go live that are half-baked at best. This has created massive headaches, risks, and audit findings for organizations. The issues are systemic, and management needs to be diligent to avoid them.

Our most important objective as an organization is to get ahead of the curve by making the C-Suite and supporting project staff aware of these risks, their consequences, and what to do about them. How will your enterprise be affected if you do not recognize and compensate for these systemic issues? We aim to accomplish these objectives by educating management, providing new services for the PMO, and building relationships with System Integrators and Auditors who are interested in challenging the broken status quo.

Top 3 Tips of the Trade

If you’re as impatient as I am and looking for tips, here they are:

1. Schedule a no-charge, one-hour call with us so we can help you understand the systemic issues in the System Integrator and project risk advisory space working against your organization to meet these project objectives:
   1. Meets organizational objectives.
   2. Is a secure and compliant system.
   3. Provides well-trained and confident staff.
   4. Has sustainable maintenance with the right level of resources.
   5. Provides known and affordable long-term cost of ownership.
   6. Passes audit.
2. Understand that the budget will be at least another 10% of the project cost for ‘clean up’ activities after you go live.
3. Take more of your resources out of their normal roles and assign them to the project. Ideally, utilize more than the SI (System Integrator) says is necessary and you think is necessary.

Real-World Scenario: Why These Tips are Important

We recently responded to an RFP response for post-go-live support for ERP/HCM Cloud. Within the RFP, they sought help supporting the applications AND identifying, managing, and mitigating access control risks. The RFP sought a single provider to address both functionality issues and risks in role design related to compliance, cyber security, fraud, data security, and operations. In our response, we strongly urged them to consider breaking apart the award to two firms – a system integrator who would understood application functionality and a risk content/risk advisory firm.

The List: What to Look for in an Implementation

To justify asking for a system integrator to not be awarded, we provided a list of things their current ERP implementation partner failed to provide them in the initial scope of the project. These included the following:

• Proper training for your support staff in how to support the applications.
• How to address the quarterly patch process including full regression testing of functionality in two weeks.
• How to identify when you need to update your models in Advanced Access Control module when Oracle introduces new risks.
• How to monitor HCM/Payroll staff to make sure they do not use HCM Data loader to set up a user or assign roles to a user(s).
• Implementation of an IT Compliance function to monitor for unauthorized changes to the application such as configurations and user provisioning by HCM/Payroll staff.
• A handover of OCI (Oracle Cloud Infrastructure), OIC (Oracle Integration Cloud), and IDCS application maintenance.
• Understanding and evaluating cyber risk including the management of accounts that do not have MFA (Multi Factor Authentication). Some examples include external suppliers via the supplier portal, contingent workers, service accounts and other ‘external’ users not onboarding through an SSO/MFA provider.
• How to understand the impact of patches. This includes how and when to incorporate new features and changes to the existing.
• How to stay in compliance with your license agreement via the SUM report.
• Mapping of role combinations to jobs/positions so that provisioning will be based on the job/position. This must be done consistently.
• Automation of role-based provisioning.
• How to properly secure system users via JWT
• Automated de-provisioning of users.
• Automated re-provisioning of users when a user switches roles in the organization.
• How to budget for additional users based on your license costs, when needed.
• Preparing you for your external audit including:
• Walkthrough documentation for workflow processes and other IT application controls.
• Using Advanced Access Controls to prepare for the audit of your access controls.
• How to develop a full population of changes to support your change management audit.

The argument we made in the RFP response was, “why would you expect another System Integrator to have the expertise, skills, and integrity to address these issues in Phase Two, when the System Integrator who did Phase One of the project missed many of these issues in the first place?”

A Systemic Bias to Overcome

This leads to the first systemic bias in the System Integrator industry that you need to be aware of and overcome.

The System Integrators will not provide a complete bid because their competition will not provide a complete bid.

The normal results of this are:

1. Change orders added to the scope of the project which were not included in the original scope.
2. Project delay to address the lack of resources on your team and to address issues such as:
   1. Process re-design decisions.
   2. Adequate testing of the applications.
   3. Customization of roles.
   4. Audit readiness / internal audit findings.
3. Numerous consequences of a system not yet ready to go live, leaving you on the hook to support immature processes after go-live.
4. Fewer features or modules included in the initial go-live scope than you expected.

Our Commitment to Helping You

Hopefully, this gives you perspective on the systemic issues within the System Integrator industry.

ERP Risk Advisors is deeply committed to disrupting these systemic biases so management can be better equipped to scope and manage ERP system implementation projects.

We will be continuing to gather information over the coming months to build a Learning class that the C-Suite and project PMO staff can take before they embark on this journey. We are just scratching the surface in this article.

Furthermore, let me recap the three tips you need to consider:

1. Schedule a no-charge, one-hour call with us so we help you understand the systemic issues in the System Integrator and project risk advisory space that is working against your organization to meet these project objectives:
   1. Meets organizational objectives.
   2. Is a secure and compliant system.
   3. Provides well-trained and confident staff.
   4. Has sustainable maintenance with the right level of resources.
   5. Provides known and affordable long-term cost of ownership.
   6. Passes audits.
2. Understand that the budget will be at least another 10% of the project cost for ‘clean up’ activities after you go live.
3. Take more of your resources out of their normal roles and assign them to the project. Ideally, utilize more than the SI (System Integrator) says is necessary and you think is necessary.

#1: Schedule a call with us. Let us exchange ideas about where you are in the process and decide what the next best steps are to your maturity. It makes a significant difference whether you are pre-award, have a project already underway, or are already live. The more we know and the more data points we have helps us better understand how to help management. We also have a goal to launch a class where we can scale the advice we provide from this article to more organizations.

#2: Budget at least another 10% of the project cost for ‘clean up’ activities after you go live. We regularly clean up the mess left behind and rarely is there a budget for management to address these issues. Typically, the project is already over budget.

#3: Take more resources out of their normal roles and assign them to the project. Ideally, utilize more than the SI (System Integrator) says is necessary and you think is necessary. Business process re-design and digital transformation is extremely difficult. You need to dedicate your ‘A team’ to these tasks. Then they can organize and manage the activities needed to drive the change in your organization and business processes. The system integrator cannot make decisions for you. When decisions are not made in a timely manner per the System Integrator’s assignment, the blame for a delay in project falls squarely on your shoulders. This is the main driver behind project delays and change orders.

Our motivation is to disrupt the System Integrator industry so they change the way they do business. Therefore, providing a better process for management to work through during the pre-award phase. Let’s work together to accomplish this using these tips.