The Kuppinger Cole definition of generic GRC tools, which support a consistent platform approach to GRC requirements, includes role management capabilities as one of the core functional areas. To implement GRC efficiently, organizations should consider an enterprise role management approach.
Role management has become relatively popular within the last 36 months. The recent IAM market survey by Kuppinger Cole shows that the portion of organizations with an enterprise-wide approach to role management has grown from 8% in 2006 to 20% in 2008. A further 36% of all companies are currently in the planning phase for role management implementations, whilst only 11% aren’t addressing the topic. Another interesting statistic from the current Kuppinger Cole IAM market survey is that 27% of the organizations are in the process of implementing role management – by far the highest number for any segment of the IAM and GRC market within this survey.
The Need for Role Management
The reason for this strong growth is obvious. Kuppinger Cole’s definition of GRC identifies five core areas which can be supported by GRC tools. Role management is at the center. The other four areas are authorization or entitlement management, auditing and analysis, risk management, and attestation.
Role management is central because it is required in the other areas. Authorization management is mainly controlled by business and IT roles. The access to auditing and analysis features is controlled using roles. Risk management is driven by role management. And attestation has to be done according to the role and the related responsibilities a person holds. Certainly, the underlying issue of Segregation of Duties can’t be managed without a role approach.
Even though this view focuses mainly on the Identity Management-oriented parts of GRC, looking at other approaches to GRC won’t change the picture. BSM (Business Service Management) and ITSM (IT Service Management) vendors have to provide comparable functionality for GRC, including control features as a counterpart to entitlement management, auditing and analysis, risk management, and attestation. Here again, role management is required. Incidentally, it is also required for ECM (Enterprise Content Management), SOA governance, and controlled access to new business processes. In a nutshell: there is no successful GRC approach without role management.
Failing Role Management Projects
That said, however, implementing role management is amongst the most common reasons for failing Identity Management projects. There are several reasons why. One is the lack of organizational maturity for role management. Without job descriptions, without defined and at least somewhat reliable and stable organizational structures, and without clearly described business rules, the foundation for defining (business) roles is absent.
Closely tied to this latter aspect is the lack of experience in defining roles within organizations. Interestingly, many vendors, integrators, and consultants are failing as well. The reason is fairly elementary. There isn’t a single role management approach; rather, there are numerous approaches for different types of companies and industries. Applying proven role concepts from the finance industry within a retail organization, for example, will never work. Essentially, role management expertise and industry background, as well as a good understanding of the organization where role management is to be implemented, are mandatory.
The third key factor in failing projects is the inherent complexity of role management. Many organizations try to define the perfect role model. Instead, they should keep the 80/20 rule in mind and focus on core roles to begin with, before moving on to refine them. The idea of an Enterprise Role Model is doomed to failure, just as the Enterprise Data Model was in earlier times.
One result of overly complex approaches to role management projects is that they tend to be long running. This in turn inhibits the capacity for quick wins. Role management should therefore focus on lean approaches and should be understood as a process, not a project. Over time, the role models can be refined and optimized as the organization matures.
The complexity of role management projects often arises from an unclear understanding of the term “role” and the different forms in which it occurs. In many projects, IT roles at the level of specific systems are understood as business roles – but they are IT roles. This leads to situations where a project is stopped when, after a first analysis, companies detect tens of thousands of roles.
The last main reason for failing role management projects is the misalignment of business with IT. IT is not able to define business roles. IT can support this, but only in collaboration with business.
Business and IT
The relationship between business and IT thus is the main critical success factor in any role management project. According to the Kuppinger Cole IAM market survey, in 51% of the organizations the organizational department supports the definition of role models. Another 68% (multiple choices allowed) answered that the business departments are working on these, whilst in 62% of the organizations the IT department is involved.
These statistics highlight that most organizations have understood that role management can’t be done by IT exclusively. Interestingly, the relatively low number of participants from central organizational departments demonstrates that many organizations haven’t understood the fundamental aspect of business role management in the context of GRC. Kuppinger Cole’s view on this is that it’s barely possible to successfully implement role models without close cooperation between IT, the business departments, and the organizational department.
Enterprise Role Management
Beyond the key factors which affect the success or failure of role management projects, there ought to be an understanding that separate role management for IAM, for ECM or for BSM is not sufficient. There is one set of business roles; there is one set of business rules. These roles and rules might affect IAM, ECM and other areas of IT in different ways. But there is no value in defining multiple role models.
Kuppinger Cole recommends that organizations follow an enterprise role management approach, not to be confused with the enterprise role model above. An enterprise approach to role management is still a process, starting lean with ongoing optimizations, but one that focuses on a consistent, reusable role model that can be applied to any GRC-relevant area of IT.
There are two reasons for this approach. One is consistency, the other is efficiency. Consistent role models are essential to reliable GRC implementations. If different business role models for different IT solutions characterize the entire GRC approach in an organization, the answers delivered will be inconsistent at best and are more likely to be inaccurate. And given the complexity of these projects, building multiple role models is undoubtedly not efficient either.
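As an added illustration (not part of the original article), the following Python sketch models the single set of business roles described above, mapped to system-level IT roles in a constructed ERP, ECM and IAM system, with a Segregation of Duties rule defined once at the business layer and enforced wherever the roles are provisioned. All role, system and user names are constructed examples.

```python
from itertools import combinations

# Constructed sample data: one enterprise set of business roles, each mapped
# to the system-level IT roles it implies in several GRC-relevant systems.
BUSINESS_ROLES = {
    "accounts_payable_clerk": {
        "erp": {"AP_INVOICE_ENTRY", "VENDOR_VIEW"},
        "ecm": {"INVOICE_ARCHIVE_WRITE"},
    },
    "payment_approver": {
        "erp": {"AP_PAYMENT_RELEASE", "VENDOR_VIEW"},
        "ecm": {"INVOICE_ARCHIVE_READ"},
    },
    "auditor": {
        "erp": {"AP_REPORT_READ"},
        "ecm": {"INVOICE_ARCHIVE_READ"},
        "iam": {"AUDIT_LOG_READ"},
    },
}

# Segregation-of-duties conflicts are stated once, on business roles, so the
# same rule governs ERP, ECM and IAM instead of being re-modelled per system.
SOD_CONFLICTS = {frozenset({"accounts_payable_clerk", "payment_approver"})}


def it_roles_for(business_roles, system):
    """IT roles a holder of the given business roles needs in one system."""
    return set().union(*(BUSINESS_ROLES[r].get(system, set()) for r in business_roles))


def sod_violations(business_roles):
    """Pairs of business roles held together that breach an SoD rule."""
    pairs = map(frozenset, combinations(sorted(business_roles), 2))
    return [p for p in pairs if p in SOD_CONFLICTS]


def provision(business_roles):
    """Per-system IT roles for a user; refuses role sets that violate SoD."""
    if sod_violations(business_roles):
        raise ValueError(f"SoD conflict in {sorted(business_roles)}")
    systems = {s for r in business_roles for s in BUSINESS_ROLES[r]}
    return {s: it_roles_for(business_roles, s) for s in sorted(systems)}


def role_counts(model=BUSINESS_ROLES):
    """(business roles, distinct system-level IT roles): the latter is what
    projects mistake for business roles and then count in the thousands."""
    it_roles = {(s, r) for m in model.values() for s, rs in m.items() for r in rs}
    return len(model), len(it_roles)


if __name__ == "__main__":
    print(provision({"auditor", "payment_approver"}))
    print(role_counts())
```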
Unfortunately, there are no standards for role exchange today, neither on the level of GRC tools nor for lower-level applications that use roles. There are some early initiatives to address this but we don’t expect results before 2010-2011. Nevertheless, the formal definitions of business roles can be reused, even manually.
Organizations have to address the challenge of role management. Most of them are aware of this today. And if what drives success and failure on such projects is borne in mind, successful implementation can certainly be achieved.