Discombobulated is a wonderful word, one of those old English words that you rarely hear these days. It dates back to the 1820s, and the Oxford Dictionary defines it as a verb meaning to ‘disturb, upset, disconcert, confuse’. And it is these conditions that can sometimes be applied to a company’s risk management strategy.
As with a Lego set where you have many different bits that come together to make the perfect finished article, when you look at risk management related to Oracle EBS, you have many different elements to consider. Obvious things like Identity Management, Segregation of Duties (SoD) and Sensitive Access (SA) are just the start. When you add User Access Review, Automated Provisioning and De-Provisioning, Change Control with before/after values and just general Audit controls, you quickly have a box of ‘bits’ that need a coordinated approach if you are to end up with that perfect internal control framework.
And just like Lego, where we have come to expect that precise fit that clearly defines what is Lego, sometimes if you substitute a Lego block or two for those from Mega Bloks, although it looks OK, you just don’t get the same fit and there is always the danger that the whole thing might fall apart!
The same can be said of Oracle EBS risk management. An internal control framework is made weaker, and therefore vulnerable, if you do not have all the right ‘bits’ and they don’t all precisely fit together. A perfect example of this is using the best of breed User Access Review (UAR) tool from a third-party suite of compliance tools whilst managing SoD and SA on a spreadsheet. Surely it just makes sense to dovetail the UAR tool with the SoD/SA management tool from the same supplier.
We have a particular situation with Oracle EBS right now, where some very large companies have invested in Oracle GRC only to find that the solution has been ‘sunset’ as of the end of May 2025. Oracle GRC did give a company the ability to select one solution with various different compliance modules, to create a comprehensive coordinated risk management framework. But with its demise, what is a company to do?
Strange as it may seem, some will continue to use Oracle GRC. Whilst that is a viable option, and it’s not just companies but the public sector too, none can escape from the fact that it’s a solution with just ‘sustaining support’; if it breaks, it’s broke! Imagine the outcry from shareholders or the general public if a massive loss was put down to risk being managed by a tool that was substantially ‘obsolete’.
However, many have opted to be proactive and have already found alternative approaches. But these can often be disconnected because the coordinated options to replace Oracle GRC are limited, VERY limited. Some are using a cloud-based third-party tool to do one element whilst falling back on external consultants for another and then those trusty spreadsheets to complete the picture. But this uncoordinated approach often leaves gaps and, as we all know, it is easy for things to fall through gaps. And gaps equal a vulnerable approach to risk management.
Using Oracle GRC was the correct solution for a coordinated approach, but more than a few companies and public bodies have been using a mixture of risk management tools for years. All working on the basis that a gap won’t be found and exploited, that fraud and breaches in security always happen to the other guy. But be it the former or latter, it still leaves a pretty big question for all those customers that are committed to staying on Oracle EBS for the foreseeable future.
And it should not be overlooked that Oracle GRC also gave EBS users a key critical benefit, namely compliance on a local basis. Looking out to the marketplace today, nearly all third-party vendors are providing risk management tools on their own bespoke cloud platforms, but what if it is mandated that your data can NEVER leave your system? If that is the case, then it immediately excludes every solution that extracts customer data for processing remotely. That is particularly pertinent if you are a government agency or a local authority or a company that provides services to the military, where rules are extremely strict and robustly enforced.
With the change to Oracle GRC support, those EBS users that have a mandated need to keep their data ‘local’ have only one option that manages risk without data ‘leaving the building’ and that is the CAOSYS Integrated solution suite.
As Oracle GRC rides off into the sunset or if things are a little nervy when it comes to compliance, don’t be disturbed or feel upset or disconcerted or confused. Don’t feel discombobulated. Just like the Lego set where you have all the right bits and they all come together precisely to give you the perfect end result, as many have found, selecting the right compliance suite can give you the perfect risk management framework. In the void left by Oracle GRC, CAOSYS can provide that coordinated compliance suite, something it does daily for some of the biggest brands still using Oracle EBS.
About the Author
Stephen Davis is Business Development Director at CAOSYS Limited. For the past 20+ years, CAOSYS has been a market leader in developing governance, risk, compliance and reporting solutions for Oracle EBS and Cloud ERP. The company strives to ensure that users of EBS always have the right answer to the ever-evolving compliance landscape.