What Groups Normally Make Up the SMEs and Project Drivers in a Security Project?
Dillon Connor – Associate Solution Consultant – Security & Fraud Protection
In a security project, there are 2 main types of client personnel that will be critical to the success of the project: Subject Matter Experts (SMEs) and Project Drivers. In this article, I will describe the groups that normally make up the SMEs and Project Drivers, as well as areas to watch for that could turn these assets into project distractors. It is important to identify these important players and leverage their talents to help the project go as smoothly as possible.
Subject Matter Experts are typically identified either due to their knowledge of the system, Business Analysts, or because they are approvers for a particular process or “Process Owners”. The Business Analysts will be most helpful in designing the menu and identifying applications to include in process-based roles. Process Owners are previously identified client employees who are given the ability to add or veto changes within an area of the company. These areas are typically at least separated into finance and operational sections but may be divided further depending on the client. Finance Process Owners will be more familiar with the idea of Segregation of Duties and auditing and as such will typically require less instruction on how to define process-based roles than Operational Process Owners. Business Analysts will be the most helpful in identifying specific applications – including custom applications – that would be difficult to include otherwise. These users will also be critical later in the security project to help solve problems in user acceptance testing as they know all the steps to their processes.
Project Drivers are typically defined either as client employees, with authority to make decisions about the project or as individuals who can produce important deliverables themselves or encourage others to do so. It is important to identify these people as soon as possible, as they can make the project difficult if we are not on the same page. If they are knowledgeable and on-board with the project direction, they can ease a lot of the burden, regarding the client’s deliverables. The major deliverables that are critical for a successful security project are: an approved menu design and preliminary role structure, customization of Segregation of Duties reporting, approval of refinements to the menu and roles, identification of users to test new roles, and assignment of roles to all users. Delays in producing these deliverables can greatly delay the go-live date of a project, so identifying the users who can drive the production of these deliverables is of utmost importance. The second group of Project Drivers are the decision-makers. While these are not always JDE users, they have the authority to make decisions about how the company will be using JDE going forward. These individuals, typically financial controllers or C-level employees, have been a part of the project since before GSI became involved and will already be identified. However, it is important to make certain that they fully understand the scope and timeline of the project as they will also have the authority to delegate deliverables and help keep the project on track.
There are a few areas to watch to make sure that the project stays on track. Two of the biggest areas that can derail a project are SMEs and Project Drivers, who do not understand the project plan or are focused on “nice to have” rather than on “need to have” features, or having a change in these people after the project has started. If they do not fully understand the project plan, they might recommend changes in the scope of the project and potentially delay the project’s timeline. One of the more common delays is changing the order of deliverables, such as requesting that segregation of duties conflicts be resolved before go-live rather than after go-live. Producing a clean SOD report requires input from all levels of the company and can cause delays if decisions are delayed, or changes are rejected. In these situations, the importance of the change needs to be determined and will differ between companies. A common-ground solution would be to identify and resolve the highest-importance issues and give the client the tools and training they need to resolve remaining issues once the project has been completed.
If the SMEs or Project Drivers are focused on nice to haves rather than need to haves, they could also change the project timeline by adding granular security details that were not accounted for in the project planning phase. These changes can include resequencing the menu, changing the role naming standards, or adding additional types of security such as push-button or tab security that control the look of the interface. While these changes are important to the client, implementing them can use up project hours that could be better spent elsewhere and should be minimized or addressed post go-live.