We are witnessing the greatest digital transformation ever as organizations are moving from legacy ‘on-premise’ ERP systems to cloud-based ERP systems (SaaS applications). Though management is investing millions into the implementation of these SaaS applications, experts estimate that up to 90% of them fail. Why? Because “success” isn’t always about going live on time, within budget or with the expected functionality, as many system implementation partners may believe. It’s about long-term success, security, and sustainability

Your ERP implementation “Going live” is just the beginning.

With over 25 years of experience in the ERP implementation industry, I have seen it ALL. I have worked both as a client and a consultant, focusing on financial modules and providing post-implementation support. I have also specialized in security and controls, addressing risks related to Sarbanes-Oxley compliance, cybersecurity, fraud, data security, and operations, as well as auditing security and controls on projects led by others.

As such, I’ve come to define true success with these key objectives:

• Meets organizational objectives.
• Is a secure and compliant system.
• Provides well trained and confident staff.
• Has sustainable maintenance with the right level of resources.
• Provides known and affordable long-term cost of ownership.
• Passes audit.

While countless books have been written about ERP implementations, few address the systemic biases that often lead to less-than-ideal results. Next, I’ll introduce six of these biases and how they impact your SaaS application implementation.

1. Software is often released before it is mature
2. System integrators rarely propose a complete ERP implementation
3. System integrators do not understand the complex compliance and cyber security requirements for today’s modern systems
4. Compliance and cyber security requirements are often misunderstood by software engineers
5. SaaS application software providers tend to be greedy with system storage because it affects their margins
6. Auditors are often not trained on the specifics of the ERP system they are auditing

Today, I will discuss: “Software is often released before it is mature.” In the coming months we will dive deeper into each bias one by one.

Software is often released before it is mature

Software companies are in the business of making money.  Their goal is to win deals.  Is it any wonder that they will compromise on security and rush functionality to promise a faster “go live” and win a deal?  Buyer beware…

Your organization needs to be in control of the process by documenting, evaluating and confirming that your objectives will be met prior to signing an agreement to purchase the software.  This could include one or more of these activities:

1. Ask for References: Request the software provider to connect you with companies with similar requirements
2. Independent Research: Join user groups or industry organizations, like Oracle Applications and Technology Users Group (OATUG), to hear about real world experiences
3. Consult third party analyst firms: Seek out organizations with similar requirements
4. Conference Room Pilots/Proof of Concepts: Work with the provider to test the software before committing. This hands-on testing can help ensure the software truly meets your needs, especially when it comes to functionality, compliance, and security. This is typically a paid engagement that goes well beyond what a scripted demo provided by the software firm

We regularly meet with organizations to provide them feedback on the gaps and challenges other organizations face in their ERP implementation.  We also learn from engagements with our clients.

One of the most significant challenges is that the software does not have all the appropriate features management needs.  These gaps exist within the application’s functionality and various modules. Features that are necessary for management include addressing compliance, cyber security, data security, fraud, and operational security.  All of which, we at ERP Risk Advisors are experts in.

We use the analogy of crawl, walk, run when it comes to maturing your security and controls program.  Most organization are barely walking when their system goes live.  Some are still in the crawl phase.

The Most Powerful Solution for your ERP System

The lack of maturity stems from the biases that we will cover in this series.  The key takeaway here is that while ERP Systems offer powerful solutions, some of these issues can be controlled by better planning, budgeting, management, and resource allocation. However, when functionality is not mature, organizations have little to no recourse with the software company which delays new feature implementation.

If your organization is considering moving to a new ERP system, we would welcome the opportunity to share with you all we know about security and controls.  Feel free to contact me at jhare@erpra.net or log a ticket with us by emailing support@erpra.net