All companies need strong application security environments as part of a successful overall risk management strategy. Strong risk-oriented security environments rely on internal application security features, drawing upon entity and process controls only as a last resort when mitigating security risk exposures. Many companies have turned to governance, risk and compliance (GRC) software to help them remediate and manage their complex security environments. This paper discusses one such endeavor using SAP’s GRC Access Control suite.