Management of Risks associated with ERP Implementations
The use of Enterprise Resource Planning (ERP) has become more common in many companies today. It can be used to support the operations of an enterprise. To enable the enterprise to work effectively, ERP systems must be fully integrated into all significant processes and procedures of the company. There are several ERP systems on the market, such as Sage ERP X3, Sage 300 ERP and Sage 500 ERP. Although ERP systems often have their own security and integrity controls embedded in them, special attention must be paid during the implementation phase, when an organization has several significant challenges to overcome, including the reconfiguration of existing controls and the adoption of new internal controls. Risks or challenges can be generic or specific to ERP and related to:
- Business requirements not being adequately understood and documented
- Lack of user involvement or conflicting management behavior
- The choice of the ERP system may not meet the business objectives
- Detailed changes related to application configurations not being tracked
- Data conversion and integrity
- Ongoing maintenance/business continuity
- ERP project manager competence
- Industry and business environment
To control risks associated with ERP implementations, it is important to:
- Involve your team throughout the decision-making for a new or improved ERP system
- Identify key responsibilities for each business process area
- Pay particular attention to any additional products that you choose to purchase alongside your ERP system, such as report generators or data warehouses
- Define role-based access to the ERP
- Define segregation of duties rules
- Assign appropriate access and authorization roles within your organization
- Back up your ERP database at least once a week, although daily backups are recommended and offer the most protection
- Talk to your vendor about your specific ERP security concerns
The following questions regarding ERP System Implementation are derived from ISACA Guidelines (http://www.isaca.org) and may help to identify other aspects related to the management of risks during the ERP implementation.
- What ERP product and modules are or will be used?
- How are or will the modules be interlinked (such as, data flow across the modules)?
- What database management product(s) are or will be used?
- How is or will the ERP be configured with the database management system (DBMS) security?
- What operating system product(s) are or will be used?
- How have or will each be configured/implemented and controlled?
- To what level is the ERP web-enabled?
- What processes are being extended to the web?
- What interfaces or linkages exist/will exist to non-ERP systems internal or external to the organization?
- How have or will each function be controlled?
- To what extent have or will ERP functionality and controlling roles or responsibilities be centralized or decentralized?
- How was or will data integrity be controlled and tested by management during the conversion of data from old or non-ERP systems during the ERP implementation?
- To what extent did or will business process reengineering (BPR) take place during the ERP implementation project?
- If not, why not and when will it take place?
- If so, what changes were implemented and why?
- How are the ERP and BPR projects agreeing common process designs?
- What IT hardware and network resources are or will be used and how will they be configured and managed?
- To what extent are the ERP management and technical support roles and responsibilities integrated or separated from other related IT support (such as, database administration, operations)?
- What will the controls be over the change management processes for:
  - ERP application modules
  - ERP core system
  - DBM
  - OS
  - BPR changes
  - Other non-ERP linkages or interfaces
- What are or will be the access security policies and standards, and who will be responsible for ongoing management control and support?
- What processes are being adopted to provide reasonable assurance that acceptance of the ERP system and transfer of ownership to user management is complete?
Knowing that there are risks during any ERP implementation allows you to better prevent and manage them. At Mantralogix we have successfully completed hundreds of such implementations and have worked alongside our clients to mitigate risks. Call us today if you wish to discuss any of these risks or others you may be worried about or experiencing.