How Endeavor improved their GRC compliance for SAP with Soterion

"Our business users expressed their appreciation of having a tool that was much easier for them to work through, understand, and have visibility over the reviews."
Nick Achteberg, Senior Director Technical Services (SAP), Endeavor

Reduced their Segregation of Duties (SoD) risks by 50%

Achieved 100% response from the reviewers

Reduced access footprint, with significant improvement in user experience

Who is Endeavor?

Endeavor (formerly known as WME | IMG) is a global leader in sports, entertainment and fashion, operating in more than 30 countries. Named as one of Fortune’s 25 Most Important Private Companies, Endeavor specializes in talent representation and management; brand strategy, activation and licensing; media sales and distribution; and event management. Endeavor owns the Ultimate Fighting Championship and Miss Universe.

Endeavor faced multiple GRC challenges


Endeavor’s IT teams are working with increasingly stringent audit requirements against a backdrop of a growing functional footprint.

Their SAP installation was originally implemented in the mid-1990s, resulting in a ‘snowball effect’ of user access over time. Typical user requests were along the lines of “please mirror Joe’s access”. Also, the problem was exacerbated by long-term users gaining additional access over time, and retaining access that was no longer required in their current business role.

The team conducted Periodic User Access Reviews (UARs), but it was largely an IT-centric process, reliant on manual Excel-based extracts and email. It was a very time-consuming process, and difficult to repeat. Being a manual process, it was also prone to error. It was difficult to track, consolidate responses and audit results. Because it was such a challenging process to manage, getting engagement from the business was difficult. The focus for the UARs was on a small subset of people, largely within the finance department. The team would typically have around 25 people to review the access of around 2,000 people.

What were Endeavor’s main objectives?

Endeavor’s primary goal was to implement a centralized and easily repeatable methodology for conducting UARs, governed by a defined, stable and system-based ruleset.

They needed to:

  • Reduce manual preparation effort
  • Remove the risk of manual error
  • Make risk visible and transparent by type and severity
  • Improve UAR end-to-end process efficiency
  • Engage and drive business ownership in risk management

Their secondary goal was to improve the efficiency, transparency and reportability in their access provisioning processes.

"We have had very good results on our Access Review Management, which is now performed by our line managers with much less effort."

Nick Achteberg, Senior Director Technical Services (SAP), Endeavor

The solution: Soterion for SAP

Endeavor didn’t want to get dragged into a lengthy and complex GRC configuration project with ongoing maintenance overheads for their SAP team. After various discussions with different suppliers, they opted to implement Soterion for SAP as a cloud-based hosted solution. This was considered by Endeavor’s team as the best fit, and the most user-friendly solution for their GRC goals.

The implementation process entailed:

  • Remote prep to connect with SAP environments
  • Onsite consultancy
  • Training
  • Configuration & integration testing
  • Deploying Soterion ‘vanilla’ ruleset

No bespoke SAP development or configuration was required; only standard Soterion transports were used.

What's next?

  • Endeavor’s IT teams are currently planning the next UAR.
  • They now hold a rolling 365 days of user history, to give comprehensive information on usage and potential vs actual risk.
  • Reduced access means there is less for their business to review in the next UAR.
  • They are refining the risk rule-set to their specific needs, and building out their mitigation controls.
  • From 2021, they plan to conduct quarterly UARs.
  • They are aiming to deploy Soterion’s system-based access provisioning workflow, and automated provisioning, later in 2020.

"With Soterion, we identified that many people had risk-bearing access that they no longer needed. Now, we have reduced our access risk footprint significantly."

Nick Achteberg, Senior Director Technical Services (SAP), Endeavor

What has been achieved?

The benefits in terms of risk and role management were better than expected.

Endeavor has managed to reduce their risk profile significantly, by 50%. They are continuing on this journey and expect to see further reductions over the coming months.

In parallel, the visibility of inactive users and unused access has been improved, which helps the team to make informed decisions in their role maintenance and development. With the reduced access and retiring of dormant users, Endeavor has gained efficiencies in their SAP user license utilisation.
