Manager SAP Risk & Compliance - EMEA/APAC

PARIS, 75
1 day ago

Reports to: Director Global SAP Risk & Compliance

Business Unit: IT Solutions - SAP

Role Type: Permanent - Hybrid

Location: Paris, France

This position follows a hybrid work model, requiring employees to work from our office 2-3 days per week.

Smurfit Westrock (NYSE: SW) is a global leader in sustainable paper and packaging solutions. The Global SAP Centre of Excellence (CoE) defines SAP strategy, governance, and end-to-end integration with business processes, enabling standardization, innovation, and continuous improvement across all SAP functions worldwide.

We are seeking hands‑on, technically grounded professionals to ensure our complex, multi‑continental SAP landscape scales securely, maintaining rigorous compliance while actively engineering the technical controls of tomorrow.

About The Role

The Manager SAP Risk & Compliance - EMEA/APAC is responsible for managing SAP risk management and compliance activities with a focus on SOX compliance: ensuring adherence to internal policies and regulatory requirements, and defining security architecture governance and SOX technical compliance across our global landscapes.

The Manager works directly in the trenches with our Basis, Authorization, and Functional teams to design, configure, and troubleshoot technical compliance solutions. He is deeply involved in securing a massive, multi‑year migration from SAP ECC to S/4HANA, managing cross‑system cloud integrations, and safeguarding financial systems. The position includes regular collaboration with global stakeholders and auditors and requires travel approximately once per quarter to Global SAP CoE hubs (France and Mexico).

The role reports to the Director Global SAP Risk & Compliance and supports the SAP Platforms organization.

Key Accountabilities

Technical Security, Authorizations & Basis Collaboration

  • Direct Solution Engineering: Partner directly with Basis and Authorization teams to map, design, and restrict critical SAP authorization objects (e.g., F_LFA1_BUK, S_SERVICE, S_BTCH_JOB) across hybrid architectures.
  • Cross‑System SoD Configuration: Understand how SAP GRC Access Risk Analysis (ARA) rulesets and cross‑system connectors are configured to catch segregation of duties (SoD) violations spanning on‑premise ECC, S/4HANA, and Cloud environments.
  • Emergency Access Governance: Oversee, configure, and technically audit the GRC Emergency Access Management (Firefighter) sessions, utilizing system logs (such as SM20 Security Audit Logs, DBTABLOG, and change tables like CDHDR/CDPOS) to investigate and trace control bypasses.

Dual‑Maintenance & Transport Control Execution

  • Transport Gatekeeping: Work with ALM and release management teams to enforce rigorous segregation of duties within Cloud ALM. Ensure developers cannot transport unverified configurations or job variants directly into production.
  • Retrofit Governance: Technically analyse the dual‑maintenance retrofit process, ensuring that emergency security fixes or functional updates from legacy ECC are synchronized into S/4HANA without overwriting code, bypassing code‑freeze windows, or introducing obsolete authorization patterns.

Operational Compliance & Continuous Audit Automation

  • Layered Technical Audits: Conduct deep‑dive risk assessments and compliance verifications across the entire SAP stack, including the application layer, HANA/AnyDB database layers, and the underlying OS.
  • Automated Control Optimization: Drive the transition from manual, spreadsheet‑based controls to automated application controls, leveraging organizational levels in global role blueprints to handle regional compliance variations (e.g., GDPR data masking, local data residency, split‑second e‑invoicing/tax reporting) without multiplying role complexity.
  • Audit Defense: Act as the primary technical liaison for internal and external auditors, demonstrating control effectiveness through system‑generated evidence, table queries (e.g., AGR_1251), and direct system walkthroughs.

Qualifications & Experience

Crucial Technical Requirements (Essential)

  • 8‑10+ years of hands‑on experience in SAP Security, Authorizations, and SOX ITGC compliance within complex, multinational environments.
  • Knowledge of at least one IT governance and security framework (COBIT, GDPR, SOX, NIST, ISO 27001)
  • Experience conducting risk assessments, compliance audits, and ERP risk management
  • Analytical, problem‑solving, and communication skills
  • Deep Screen‑Level SAP Expertise: Proven ability to navigate, query, and analyze SAP security tables (e.g., USR02, AGR_USERS, AGR_1251) and logging mechanisms (SM20, ST03N, SUIM).
  • GRC Ruleset Architecture Experience: Demonstrated experience overseeing technical compliance of cross‑system SAP GRC rulesets and cross‑system logical connectors.
  • Hybrid Landscape Knowledge: Practical understanding of securing a dual‑maintenance ecosystem (ECC running in parallel with S/4HANA), retrofit strategy, and the key control areas for integrations via SAP BTP or Cloud ALM.
  • Very good Business English with strong cross‑functional communication skills (ability to translate audit requirements into clear technical orientation for Basis and developers).

Desirable Frameworks & Certifications

  • CISA, CISSP, or relevant technical SAP Security/Basis certifications.
  • Practical familiarity with global data privacy and localized mandates (e.g., GDPR, data residency laws, real‑time fiscal reporting integrations).
  • Bachelor’s degree in Computer Science, Information Systems, or equivalent technical experience.

Please note that only applications submitted with an English‑language CV will be considered.

Company
Smurfit Kappa
Publishing platform
WHATJOBS