How a Leading Vendor Embraces Governance, Risk Management, and Compliance

Rather than complying reactively, from the bottom up, with the growing number of legal and regulatory requirements, more and more enterprises are realizing the value of taking a holistic, top-down approach to regulatory compliance. To that end, enterprises are beginning to harness the emerging strategic software category of governance, risk management, and compliance (GRC).

This new three-letter acronym (TLA) has already earned a posting at Wikipedia. Some analysts have come up with meaningful definitions of it, while leading vendors are on their way to delivering coherent GRC solution suites. For an extensive exploration of GRC, please see the following article series: Thou Shalt Comply (and More), or Else: Looking at Sarbanes-Oxley; Important Sarbanes-Oxley Act Mandates and What They Mean for Supply Chain Management; The Sarbanes-Oxley Act May Be Just the Tip of a Compliance Iceberg; Automotive Industry and Food, Safety, and Drug Regulations; "Evergreen"—Environmental Regulations for High-tech and Electronics, Chemical, and Oil and Gas Industries; Global Trade and the Role of Governance, Risk Management, and Compliance Software; The Challenges of Defining and Managing Governance, Risk Management, and Compliance; and Process-based Governance, Risk Management, and Compliance.

SAP AG is one leading enterprise resource planning (ERP) vendor that is seriously looking at providing enterprises with the necessary software to support GRC. While the vendor does not necessarily have a solution for each and every possible requirement (such as employee training, tracking and certification, or regulatory reporting in tune with every possible localized law), SAP nonetheless leads the market with its SAP Environment, Health & Safety (SAP EH&S) application suite.

This suite's central database makes it much easier to manage product safety specifications, hazardous substance inventories, and dangerous goods for safe handling, tracking, document management, and risk calculation (see SAP for Chemicals Functionality). Users can also create permits for hazardous waste and ensure that authorized waste quantities are not exceeded by selecting suitable disposal firms and by allocating disposal costs among internal departments. The product also supports the full range of industrial hygiene and safety processes, and centrally manages core tasks such as risk assessments, exposure logs, incident management, exposure profiles, and safety management of specific work areas.

Given that there are so many bases to be covered, a composite application like SAP xApp Emissions Management (or SAP xApp xEM, provided jointly by SAP and TechniData) is typically required to provide the capabilities enterprises need to handle the following:

  • Emissions management—by leveraging tools for emissions monitoring, compliance tracking, and regulatory reporting including greenhouse gas monitoring, allowance management, and National Allocation Plan (NAP) reporting and trading. SAP xApp xEM tracks, analyzes, and records emission data. The solution's integration with plant and equipment maintenance systems supports equipment calibration and maintenance tasks, since sophisticated tools calculate emissions (such as greenhouse gases) that cannot be measured directly. When a reference value exceeds normal plant values for operations, automatic notifications are fired off to determine the impact and trigger changes necessary to correct operations. The reporting functionality in SAP xApp xEM helps toward fulfilling legal requirements for documentation and reporting to regulatory authorities.

  • Compliance management—to operate facilities and manage processes according to relevant regulations, with capabilities for data monitoring, task monitoring, exception tracking, incident management, and reporting. Both compliance and emissions management have to support information flow across the user enterprise, enabling the enterprise to maintain compliance status; monitor and control plant facilities and permits, including emissions permits; track performance benchmarks; and communicate with key stakeholders.

  • Permit management—the process of applying for and obtaining the appropriate licenses and permits, with capabilities for application management, change management, and reporting.

  • Chemicals safety management—to provide information on product safety, dangerous goods, and labeling to international markets, allowing companies to control global business processes. This also enables companies to save resources in procurement; in exchanging substance and recipe information; in categorization; and in authoring the documentation required by customers or personnel, such as safety data sheets (SDS), transport emergency cards (or tremcards [TM]), the Occupational Safety and Health Administration's right-to-know (OSHA RTK) information, and labels.

  • Environmental health and safety (EH&S) surveillance—to enable enterprises to deal with increasing legislative pressure in the areas of industrial hygiene and safety, occupational health care, and hazardous substance management, thereby facilitating cross-company and interdepartmental cooperation.

  • Environmental product compliance (EPC)—to provide capabilities for compliant product design and to help avoid risk in the supply chain. EPC supports collaboration with suppliers, partners, and customers. The software collects, organizes, analyzes, and evaluates data about various products, factories, suppliers, countries, and customers. Such information is needed to provide proof of compliance with environmental directives that regulate the development, manufacture, distribution, disposal, or recycling of products. The software documents product content and regulatory or sector-specific substance lists; integrates compliance checks and analyses with central business processes; and automates communications with customers and suppliers. For example, when a product is being checked for compliance with the Restriction of Hazardous Substances (RoHS) directive, the solution verifies that all the necessary information (such as the lead content of a supplied part) is in place. If this data has not been provided, the solution automatically requests the supplier's manufacturing department to disclose the exact lead weight percentage of the product, and notifies the user when the supplier has provided the data.

SAP's Commitment to GRC

As indicated by the SAP Global Trade Services (SAP GTS) and SAP xApp xEM examples, SAP, the largest of the enterprise application providers, has long committed to placing compliance at the core of its broad suite of products. This is because the vendor has recognized the growing role of enterprise systems in assisting user companies to meet the increasing challenges of corporate compliance and risk management. Customers are looking for potent compliance solutions that work across heterogeneous information technology (IT) environments to reduce risk and cost, as well as to provide improved business control.

By embedding compliance into all pertinent business processes, SAP hopes to make compliance repeatable, sustainable, and less costly for companies of all sizes in all industry segments. To that end, it has long espoused a number of individual tools and modules, such as SAP Audit Information System (SAP AIS), SAP Strategic Enterprise Management (SAP SEM), SAP Records Management (SAP RM), and SAP Management of Internal Controls (SAP MIC).

As an example, SAP MIC's aim has been to support a best-practice system to document and test internal checks and auditing. As a core component of mySAP ERP, it contains functions for data analysis and reporting, as well as financial and risk management. The solution also ensures that all financial processes comply with the US Sarbanes-Oxley Act (SOX) requirements.

Another component that has been serving some complex compliance requirements (such as EH&S) very well is master data management (MDM). This is especially true in light of globally dispersed supply chains, but the need for product quality, specification consistency, and brand protection has also been part of SAP's platform (see SAP Bolsters NetWeaver's MDM Capabilities).

This GRC offering, which until recently was largely fragmented, has been helped by a number of partner point solutions. Key software and technology partners integrate applications through the service-oriented architecture (SOA)- and business performance management (BPM)-enabled SAP NetWeaver platform to provide the much-needed transparency over the extended GRC ecosystem (see Multipurpose SAP NetWeaver).

A few years back, SAP stated its strategy of using "fill-in" acquisitions to add to its broad solution offerings by gaining specific technologies and capabilities that meet the needs of its customers—within or across industries. To that end, in addition to the above-mentioned SAP xApp xEM, VitalSprings Technologies also released the VSxApp risk management composite application. This solution is designed to work with back-office systems to integrate human resources (HR), payroll, and financial applications in order to address specific health care benefits and the financial impact that health care plans might have on businesses.

Also based on the NetWeaver technology, key performance indicators (KPIs) integrate both SAP and non-SAP data to enable the creation of what-if scenarios based on company information and parameters from payers. This allows employers to calculate health benefit expenses and to ultimately negotiate better health plan rates. Similar alliance examples include Approva, Security Weaver, Atrion International, ArisGlobal, and ACL, to name only some.

SAP has "opened up" the content portion of its EH&S offering, thereby allowing multiple vendors to provide key information that might lower the total cost of ownership (TCO) of the system. Atrion International was the first vendor to be certified under the SAP EH&S Open Content Connector (OCC) certification program in mid-2005. The EH&S OCC is an open, extensible markup language (XML)-based interface for loading external content into SAP EH&S specification databases. To that end, Atrion provides a full range of content (data, rules, phrases, forms, and pictograms) to SAP EH&S clients, allowing them to address global regulatory requirements.

Leapfrogging via Acquisition?

After initially dabbling with the development of native SOX compliance solutions, the real quantum leap in SAP's corporate compliance and risk management foray has been the acquisition of a long-term partner in mid-2006. Virsa Systems, Inc., a privately held supplier of cross-enterprise compliance solutions (owned in part by SAP Ventures, as a matter of interest), was founded in 1996 and headquartered in Fremont, California (US). At the time of the acquisition, Virsa had more than 300 enterprise customers (many of which were Global 1000 companies) and more than 2.5 million users across all major vertical market segments. The company also employed nearly 250 people and had offices throughout the US, as well as in the United Kingdom (UK), Germany, India, and Australia.

SAP has since continued operations in these offices, and Virsa employees have become part of SAP America, as well as of the worldwide network of SAP Labs, thereby providing talent, domain expertise, intellectual capital, and experience for many SAP customers. The acquired Virsa applications included the following:

  • Virsa Compliance Calibrator—supports rule-based compliance with the aim of stopping security and controls violations before they occur. To that end, with a comprehensive library of segregation of duties (SoD) rules available for enterprise applications from SAP, Oracle, and PeopleSoft, the application facilitates the deployment of rules applicable to the user organization for business-process owners, and eliminates risks from enterprise applications.

  • Virsa Access Enforcer—supports compliant user provisioning across applications throughout the employee life cycle, whereby guided, multistep procedures automate approval processes and enforce mandatory, embedded risk assessments prior to provisioning users to enterprise applications. Leveraging the Web-based application's dynamic workflow functions, users can automate complex approval processes as well as prevent risks from entering production environments by performing real-time analysis on proposed user access.

  • Virsa Role Expert—centralizes and standardizes enterprise-wide role management, thereby eliminating manual errors; provides an audit trail for changes; and enforces best practices. Business managers can define functional roles, and IT managers can define the associated technical permissions. Embedded within an ERP system, the product allows administrators to define which transactions and objects are necessary to create a role in the system.

  • Virsa FireFighter—helps super-users perform emergency activities outside the parameters of their normal roles, but within a controlled (that is, in tandem with authorizations, data, and access restrictions), fully auditable environment. To that end, it creates a temporary ID that grants the eligible super-user broad yet regulated access, and tracks and logs every activity the super-user performs using that temporary ID.
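To make the segregation-of-duties idea behind the Compliance Calibrator and Access Enforcer descriptions above concrete, here is an added example that is not SAP's or Virsa's code: a minimal SoD checker in Python. The rule library (rule ids P001 to B001), the business functions, the transaction codes assigned to each role, and the users are all constructed for illustration and do not come from the article; the rule ids and role names are assumptions. The checker does two things the bullets describe: it reports existing conflicts for each user, and it simulates a provisioning request to show which new conflicts a requested role would introduce before the role is granted.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed business functions: each maps to the transaction codes that grant it.
# (Transaction codes are illustrative; the mapping is an assumption, not SAP content.)
FUNCTIONS: Dict[str, Set[str]] = {
    "create_vendor": {"XK01", "FK01"},
    "post_vendor_invoice": {"FB60", "MIRO"},
    "run_payment": {"F110"},
    "maintain_user": {"SU01"},
    "maintain_role": {"PFCG"},
}


@dataclass(frozen=True)
class SodRule:
    """One segregation-of-duties rule: holding both functions is a conflict."""
    rule_id: str
    function_a: str
    function_b: str
    risk: str  # constructed severity label


# Constructed SoD rule library (ids are hypothetical).
RULES: List[SodRule] = [
    SodRule("P001", "create_vendor", "post_vendor_invoice", "high"),
    SodRule("P002", "create_vendor", "run_payment", "high"),
    SodRule("P003", "post_vendor_invoice", "run_payment", "high"),
    SodRule("B001", "maintain_user", "maintain_role", "medium"),
]

# Constructed role definitions: role name -> transaction codes it grants.
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"FB60", "MIRO"},
    "AP_MANAGER": {"F110"},
    "VENDOR_MASTER": {"XK01"},
    "BASIS_ADMIN": {"SU01", "PFCG"},
}


def transactions_for(roles: Iterable[str]) -> Set[str]:
    """Union of all transaction codes granted by the given roles."""
    tcodes: Set[str] = set()
    for role in roles:
        tcodes |= ROLES.get(role, set())
    return tcodes


def functions_for(tcodes: Set[str]) -> Set[str]:
    """Business functions reachable with the given transaction codes."""
    return {name for name, grants in FUNCTIONS.items() if grants & tcodes}


def violations(tcodes: Set[str]) -> List[SodRule]:
    """Rules violated by a single identity holding these transaction codes."""
    held = functions_for(tcodes)
    return [r for r in RULES if r.function_a in held and r.function_b in held]


def analyze_user(roles: Iterable[str]) -> List[str]:
    """Ids of SoD rules a user with these roles currently violates."""
    return [r.rule_id for r in violations(transactions_for(roles))]


def simulate_provisioning(current_roles: Iterable[str], requested_role: str) -> List[str]:
    """Pre-provisioning check: rule ids that granting the requested role would newly violate."""
    current = set(current_roles)
    before = set(analyze_user(current))
    after = analyze_user(current | {requested_role})
    return [rule_id for rule_id in after if rule_id not in before]


def compliance_report(users: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each user with at least one conflict to the rule ids they violate."""
    report: Dict[str, List[str]] = {}
    for user, roles in users.items():
        found = analyze_user(roles)
        if found:
            report[user] = found
    return report


# Constructed sample user population.
USERS: Dict[str, List[str]] = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],
    "carol": ["BASIS_ADMIN"],
}

if __name__ == "__main__":
    print("existing conflicts:", compliance_report(USERS))
    print("alice + VENDOR_MASTER would add:", simulate_provisioning(USERS["alice"], "VENDOR_MASTER"))
```

The report flags bob (invoice posting plus payment run) and carol (user plus role maintenance), while alice is clean until a request for the vendor-master role is simulated, at which point the invoice-plus-vendor-creation conflict surfaces and the request can be routed to an approver with that risk attached. Real rule libraries also carry mitigating controls and work at the authorization-object level rather than the transaction level, which this example omits.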

Apparently, Virsa was once the provider of compliance solutions that monitor and enforce business controls in real time across enterprise systems and legacy applications. Virsa solutions have been helping customers maintain continuous compliance with SOX, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and other regulations by enabling these users to embed automated control design, testing, and enforcement directly into their business processes. Even before the acquisition, SAP and Virsa enjoyed a successful relationship on three levels:

  1. Technology—since Virsa solutions were designed and delivered on the SAP NetWeaver platform, making Virsa one of the more than 1,000 independent software vendors (ISVs) that have reportedly committed to building and marketing solutions on the renowned platform.

  2. Go-to-market—since SAP and Virsa had been closely aligned in joint marketing, sales, and product development activities. Since March 2005, SAP had been reselling Virsa's flagship product, Compliance Calibrator, as an add-on to mySAP ERP, and in the one-year period since that agreement was announced, SAP and Virsa have reportedly partnered on more than 150 customer wins. Additionally, SAP Ventures was an investor in Virsa, as noted earlier on.

  3. Customer and vendor—since SAP had one of the largest global deployments of Virsa's Compliance Calibrator and Access Enforcer, with more than 40,000 users around the world.

Thus, the acquisition of Virsa by SAP was expected to deliver value by providing compliance solutions that are workable in heterogeneous IT environments, possibly making SAP solutions even more attractive for prospective customers on a global basis. With the aim of helping companies to make GRC an integral part of their businesses and IT strategies, SAP has further realized the need to form a dedicated unit that will leverage its expertise and existing software for far wider-reaching compliance requirements beyond SOX in the US. The vendor also realizes this need because there are currently more than 1,000 companies worldwide that use SAP point solutions for GRC.

Other such notable applications are, for example, SAP GTS, which helps companies across diverse industries to manage international trade compliance challenges, as well as solutions for distinct industry demands. Such demands include emissions standards in the chemicals and utilities sectors; Food and Drug Administration (FDA) requirements for pharmaceutical companies; and Basel II for the banking sector.

This is part one of the two-part article How a Leading Vendor Embraces Governance, Risk Management, and Compliance. In part two, SAP's GRC product suite will be discussed in more detail, and speculation will be made on the product suite's potential for success within the vendor's current and prospective customer base.
