Role to Position Mapping (RtPM) 101

OCS Communications Teleconference

Objectives
Provide OCS practitioners insight into the process of Role to Position Mapping in ERP implementations
What is it? How it works Data sources used Who is involved? Timing

Discuss how the process of Role to Position Mapping impacts Change Management practitioners

Share Role to Position Mapping lessons learned from the Disney SAP BPS implementation project

Definitions of Terms You Will Be Hearing

Role A group of related SAP or manual worksteps with a level of authority and a series of KSA (Knowledge, Skills, and Abilities) requirements. Multiple roles may be mapped to a position. Position The unique combination of job and organization unit that creates an employees job title. Multiple positions may be mapped to a role. Segregation of Duties (SOD) Those combinations of roles mapped to a single position with duties that are potentially conflicting in nature that may cause internal or financial control issues.

What is Role to Position Mapping?

Role to Position Mapping (RtPM) is the activity of assigning roles to positions within an organization RtPM is the determination of who can do what in an ERP implementation RtPM process is sensitive to the confidential nature of personnel information Access to salary information, social security numbers, job codes, union data, etc. is not included
Roles mapped to positions Positions mapped to people People mapped to courses and access

Why is Role to Position Mapping Critical?

The outcome of the RtPM exercise is critical to implementation of ERP systems ...

Provides the Security team with the information to create accurate security profiles

...And also provides critical inputs for change management-related activities: Identifies appropriate training for end users Provides information about potential change implications and job impacts Establishes defined audiences for targeted communications

Why is it important for a Change practitioner to lead or facilitate the RtPM process? 1. 2. 3. To kick start collaboration between change management practitioners and the rest of the project To present a single face and single source to the client organization for information To ensure that RtPM is not done in a vacuum but that key stakeholders (mappers) are educated on the roles, impacts to jobs, and potential risks associated with the RtPM activities

How Does RtPM Work?

SAP Business Processes Process Sub-Process Sub-Process Activity Activity Activity Workstep Workstep Workstep Transaction: SAP worksteps

RtPM Begins by linking SAP Business Processes to a Transaction

6

and Maps that Transaction to Positions and Employees

SAP Business Processes xxx Organization

Process
Sub-Process Sub-Process Activity Role Role Role: performs one or more transactions Transaction: SAP worksteps

Position: performs one or more roles

Employee Name

Employee Name

Activity
Activity Workstep Workstep Workstep

then RtPM Data is Used to Develop Change, Training and Security Deliverables
SAP Business Processes
Process Sub-Process Sub-Process Activity Activity Activity Role xxx Organization

Role
Role: performs one or more transactions Transaction: SAP worksteps

Position: performs one or more roles

Employee Name Employee Name

Workstep
Workstep Workstep

Change: Enables OR team to create targeted communications to specific audiences 8

Training: Enables OR team to identify training candidates, curriculum, etc.

Security: Enables Security team to create security profiles

RtPM Key Players and Activities

Gather Role and Position Information Map transactions to roles Provision roles in the role mapping database Provide role requirements and business justifications Define roles Provide employee data to Security to load into role mapping database Provide job descriptions to assist with mapping Facilitate role education sessions Coordinate with other project teams to meet critical deadlines Track and communicate progress to key executives Role to Positions Mapping process Participate in role education sessions Define security restrictions and discuss potential SODs Participate in role education sessions Work with local SMEs to map roles to positions Validate Results Check for potential SODs Document business process controls Work with key executives / SMEs to ensure mapping consistency Update role mapping data in the mapping database Project Implementation Transport final role mapping results into production Test users mapping and security access Security

Process/ functional

HR

Change Mgmt & Comms

Coordinate and facilitate role validation meetings with process teams, SMEs, and client executives

Use mapping data to assess change impacts and potential job impacts (esp. union employees) communicate change impacts to end users

Training

Include change impacts Leverage initial mapping data to obtain estimated user count Use mapping data to estimate training audience count Build curriculum by mapping Leverage role assignments to roles to courses schedule training

Disney Forecast & Planning Project RtPM Lessons Learned

Identify role mapping strategy (who, what, how, when) early in the project
Push for mapping to a position and not at the individual level to promote standardization

Manage the overall mapping process, timeline, and expectations to meet different teams deliverable needs while keeping in mind mapper availability.
Very difficult to do unless it is managed early and added in as part of each teams resource plan; including change management

Work closely with the Security team to design role mapping tool/database
Avoid using spreadsheets (high data error rate) Push for automated mapping tool and reports to empower mappers to review and validate own work before due dates

Educate mappers on roles, transactions, and security model before the start of the role mapping exercise
Instill interim deadlines to review mapping results for consistency and adherence to project guidelines Schedule reoccurring calls with the mappers, process and security teams to check progress
This also works as a platform to discuss new information, raise questions, remove roadblocks

Obtain signoff on the mapping results from key client executives

Promotes participation in the process and ownership of the final product

10

Summary
RtPM creates consistent ERP-enabled rights and responsibilities that are standardized within each Division (and company-wide, where possible) RtPM is critical because it forces the different project teams to work together and integrate implementation efforts Many different teams involved with many interdependencies
Change Management, HR, Security, Process, Training, Communication RtPM helps put Change Management on the project teams map!

Effort needs to be planned, integrated, and started quickly

Estimated efforts required during peak RtPM times: Change management: 50% of one FTE Process: 25% of one FTEs time per process Security: 50% of one FTE HR: 25% of one HR rep per division/business unit

Caveat - Not all RtPM efforts are the same

Process, tools, and resources will vary depending on the type of system being implemented and your clients unique requirements However, fundamentally all RtPM efforts begin with collaboration between HR, Process, and Security teams to deliver key outcomes that directly support the projects success.
11

Sample RtPM Timeline

Jan
CH

Feb

Mar

Apr

May

Jun

1/8-2/27: work with HR to identify Division-specific Positions

SEC 3/1: Complete Role Descriptions and Segregation of Duties

3/5-3/11: Conduct Initial Mapping of Roles to Position Titles FUNC CH Week of 3/11: Build Division-specific Spreadsheets

CH 3/18-4/5: Conduct RtPM Training

TASKS

MAP 3/20-5/3: Map Roles to Positions

CH SEC 4/19-5/3: Project Team Validates Mapping MAP

Legend
CH Change Management//Communications Team

RtPM 5/3: Deliverable - RtPM Map CH 5/3: Provide mapping to Training and Security

SEC Security Team CH Functional Team FUNC MAP Mappers SEC

5/3: Implement change impacts in end user communications

5/3-Go Live: Maintenance

12

Role Creation

Organization Design is Different than Role to Position Mapping

Division Structure

SAP Role

SAP Role

SAP Role

SAP Role

SAP Role

SAP Role

SAP Role

14

Bottom Up

Top Down

Department Structure

Department Structure

TWDC Position A

TWDC Position B

TWDC Position C

TWDC Position D

TWDC Position E

SAP Role Group

SAP Role Group

SAP Role Group

Baseline Role Development Process

1
Activity SAP Txn. 4 SAP Txn. 5 Starting Point: Role defined at the Activity level of the Blueprint documentation and includes all SAP transactions. SAP Txn. 1 SAP Txn. 2 SAP Txn. 3 Role 1

SAP Txn. 1 SAP Txn. 2 SAP Txn. 3 SAP Txn. 4 SAP Txn. 5 Role 1

3
SAP Txn. 3 Role 2
The Display transaction is pulled out of the original role and becomes a discrete role itself. It could later be grouped with other Display roles performed by the same group of end users.

It is determined that one of the transactions is a Display transaction that will be made available to a larger group of people.

SAP Txn. 1 SAP Txn. 2 Role 1 SAP Txn. 4 SAP Txn. 5

5
SAP Txn. 5 Role 3
The Approval transaction is pulled out of the original role and becomes a discrete role itself.

6
SAP Txn. 1

SAP Txn. 2
SAP Txn. 4

Role 1

Out of the transactions remaining in the original role, another is determined to be an Approval transaction that will be assigned to a smaller, more senior group of end users.

The original role now only has 3 transactions. It has evolved into 3 discrete roles.

15

Example Role Descriptions & Mapping Input Finance - General Ledger

If you map the SAP Role in the first column to a position, then the role(s) below should also be mapped R3: G/L Display R3: G/L Reporting

SAP Role

SAP Role Description

R3: G/L JE Approver

This role allows a user to post parked Journal Entry Documents

R3: G/L JE Processor

R3: G/L Master Data Maintainer R3: G/L Master Display

This role allows a user to create and park Journal Entry Documents
This role allows a user to maintain company code specific Chart of Account Master Data. This role allows a user to display the General Ledger Chart of Accounts and G/L Account Lists within their own company code(s).

R3: G/L Display R3: G/L Reporting

R3: G/L Display

N/A

16

Role Mapping and Segregation of Duties Conflicts

Segregation of Duties (SOD) Overview

Given the integrated nature of SAP, there are certain inherent role combinations that represent segregation of duty (SOD) conflicts
SOD conflicts could lead to internal control issues such as fraud, misleading information, etc. An example SOD conflict:
1. Vendor Maintenance 2. AP Invoice Processor 3. AP Check Processor

In the above example, a user could create a fictitious vendor and process a payment
While this is a simple example, there are numerous standard SAP conflicts that must be incorporated into the RtPM process

18

SOD Conflicting Roles Matrix

As part of the RtPM process, we are providing a summary matrix of SOD conflicting roles The general objective of these conflicts is to point out any role combinations that may cause internal or financial control issues

This list is not all encompassing

Instead it is a starting point that will be refined over time

Mappers can reference this document during the RtPM process to determine which combination of roles may or may not be well suited to a position

19

Example SOD Role Conflicts

Finance General Ledger
SAP Role Area Global Chart of Accounts Maintainer Potential Conflicts General Ledger Journal Entry Processor Potential Control Risks Potential misstatement of financial statements Chart of Accounts disorganization Potential misclassification of financial transactions Potential misstatement of financial statements Entry of fictitious A/P invoices which could lead to fraud Potential misstatement of financial statements Entry of fictitious A/P invoices which could lead to fraud Potential material misstatement of financial statements by posting to closed (and/or audited) periods

General Ledger Journal Entry Approver General Ledger Journal Entry Processor General Ledger Period Closer

Accounts Payable Invoice Processor

Accounts Payable Invoice Processor

General Ledger Journal Entry Processor General Ledger Journal Entry Approver Accounts Payable Invoice Processor

20

SOD Exceptions
As part of the RtPM process, we understand that SOD exceptions may come up
The business may identify a new SOD conflict or The business may identify a need to assign SOD conflicting roles

In either case, the feedback is positive and will be incorporated into the RtPM process
21