One Vendor's Dedicated Governance, Risk Management, and Compliance Unit

SAP, a leading enterprise resource planning (ERP) vendor, has recognized the need for enterprise systems that will help companies meet the increasing number of challenges inherent with corporate compliance and other risks. Recently, the vendor has launched its latest product suite, which places compliance at its core. For more information, please see part one of this series How a Leading Vendor Embraces Governance, Risk Management, and Compliance.

Soon after the Virsa acquisition, SAP announced the creation of a new governance, risk management, and compliance (GRC) business unit to empower its customers with more comprehensive GRC solutions. In doing so, the vendor is now offering a unified alternative to the fragmented GRC point solutions available in the market, with the aim of helping user companies make GRC an integral part of their business and information technology (IT) strategies. SAP hopes to profit by remedying user companies' current approach to managing GRC, which is marked by two sets of problems: 1) highly fragmented business processes and systems, which compound the cost of managing risk and compliance; and 2) little or no investment in identifying and mapping out a phased approach to comprehensive GRC management.

Underlying these issues is the inherent risk in strategically coordinating and managing the wide range of IT infrastructures that directly support the processes and systems in the GRC business environment. As a result, organizations usually end up without convenient, cohesive tools for controlling and addressing risk effectively. At the same time, these customers continue to allocate investments and resources to activities that do not generate revenue or value.

By leveraging the Virsa acquisition and its solid foundation for process-based compliance (and by not letting grass grow underneath its feet), SAP announced the expansion of its portfolio of GRC solutions for both large and small enterprises in September of 2006. Up to now, SAP's portfolio had been largely fragmented despite having dozens of impressive products spanning numerous GRC requirements for multiple industries. But by adding three new products to its GRC offering, SAP has embarked on a painstaking effort to deliver a unified foundation that should allow for a more comprehensive GRC solution that will provide proactive transparency across entire enterprises.

SAP GRC solutions will eventually deliver integrated applications that manage business process and IT infrastructure risks, as well as operational and corporate-level risk across entire enterprises. The current portfolio of applications addresses the specific GRC requirements of public sector organizations and companies across diverse industries, including chemicals, financial services, oil and gas, pharmaceuticals, and utilities.

The Three Pillars of a GRC Foundation

Accordingly, building on its existing GRC offerings, SAP then announced three new service-oriented architecture (SOA)-based applications designed to create a GRC foundation for virtually all types of companies, and to work together as the building block for a more complete compliance solution. Enterprise services that should meet the rigorous requirements of numerous industry-specific GRC mandates will be built on top of this foundation. SAP pledges to drive continuous innovation on top of each of the following three new GRC applications, which map to the above-mentioned components of a GRC framework:

  1. SAP GRC Repository will document and maintain GRC information in a single, central system of record, including corporate policies, board of director minutes, regulations, compliance and control frameworks, and key business processes. The content will in part be contributed by external GRC ecosystems, such as government agencies, industry councils, advisory services, etc. The component will also store and link risk and control libraries to multiple control frameworks and to international regulations, whereby GRC ecosystem partners are expected and encouraged to contribute their expertise to the repository. This centralization of key GRC information aims at simplifying risk management, promoting business transparency, and cutting the costs associated with GRC initiatives.

  2. SAP GRC Process Control will offer a risk-based approach that should align key controls to business risks in order to promote desired employee behavior and to optimize business processes. The process control application will automatically aggregate business process risks for the entire enterprise; provide supporting evidence of compliance; and pinpoint control violations (in policies or procedures), or uncover gaps in existing controls to prioritize corrective action and prevent material weaknesses from developing and persisting. The software will integrate automated control monitoring for SAP and non-SAP applications.

  3. SAP GRC Risk Management will help customers to implement collaborative risk management processes that provide thorough analyses of key business risks at multiple levels of the enterprise and across organizational entities, business processes, and IT infrastructures. To that end, SAP has designed intuitive and collaborative processes to guide professional risk managers and business owners in identifying financial, legal, and operational risks; in analyzing business opportunities in light of these risks; and in developing appropriate responses.

General availability of these foundation components was slated for the end of 2006, with all three products to be sold individually. Certainly, SAP's GRC roadmap is still in its beginning stages, and only time will prove the delivery of more tangible products as well as the success of those products with the vendor's current and prospective customers.

At this point, there is not much detail on how deeply integrated the SAP GRC portfolio is (or will be) with SAP NetWeaver and the Enterprise Services Architecture (ESA) initiative. Nor can much be said at this stage about mid- or long-term, industry-based compliance product roadmaps, or about which partners they will draw on.

Given the number of non-SAP Virsa customers, the market will watch how well the GRC offering fits into non-SAP environments. Also, while compliance expenditure is a necessary evil for many companies, it has thus far proven to be a questionable investment from a facts-based, quantitative, payback perspective. Over the last few years, SAP has been doing payback analysis (dubbed "value engineering") for customers looking to justify investment in SAP products. Therefore, one should expect better value propositions for SAP's upcoming GRC offerings.

Still, the new applications build on SAP's deep expertise and existing solutions for wide-reaching compliance requirements of different vertical industries, while grouping all GRC solutions under an integrated GRC framework. The competition is certainly not to be neglected, since vendors such as SAS Institute (see SAS: Striving to Sustain Leadership), Oracle, Hyperion, BusinessObjects, or Cognos have long delivered applications for the risk management of fraudulent financial behavior or anti-money-laundering activities—well before the US Sarbanes-Oxley (SOX) frenzy.

Also, since 2002, a slew of enterprise vendors have jumped on the bandwagon and are now delivering SOX or Food and Drug Administration (FDA) compliance tools, with Oracle, Microsoft, Lawson, Infor, LogicalApps, Oversight Systems, and CODA being only some of the more notable ones. Still, SAP's concerted effort deserves kudos, since even now the vendor offers a GRC solution set that covers a range of regulations in such areas as anti-terrorism, anti-money laundering, Basel II, Solvency II, data privacy, SOX compliance, and beyond, as opposed to most competitors' sporadic GRC nuggets.

Most notably, SAP has recently received both a challenge to and a validation of its integrated GRC offering from Oracle and IBM. These two "giants" have lately consolidated a number of formerly fragmented applications and compliance-related processes from recently acquired (or natively developed) modules for enterprise content management (ECM, from the respective acquisitions of Stellent and FileNet), analytics, reporting and business intelligence (BI), integration and middleware, data-access control, etc.

Partners Remain Critical

Also, recognizing the importance of external collaboration for innovation, SAP is committed to establishing and nurturing a GRC ecosystem that includes recognized domain experts and thought leaders in diverse fields. These fields include, but are not limited to, audit, management, and risk consultancies; key software and technology partners; and information and content partners. In addition, professional services partners will have to support the GRC ecosystem by delivering intellectual capital and by bringing decades of proven, best-practice content and methodologies.

Most recently, SAP announced a strategic relationship in North America with Cisco Systems, the worldwide leader in networking for the Internet, to enhance the effectiveness of SAP solutions for GRC. Such enhancement involves taking advantage of the Cisco Service-Oriented Network Architecture (SONA) within the IT network infrastructure. The two leading vendors have thereby entered into a joint marketing agreement for the US and Canada that aims at addressing GRC business processes and IT control issues across the entire IT infrastructure—from the network layer all the way through the application layer. The joint effort will strive to help further enhance the effectiveness of SAP GRC solutions by making the most of the access and identity intelligence resident across Cisco's SONA. The marketing agreement encompasses collaboration in sales and marketing activities, as well as advanced service offerings.

The intelligent SONA services embedded in Cisco's networking solutions include application-oriented networking, unified communications, security, mobility, and identity services. To support SONA-based GRC software platforms, Cisco offers network architecture design, implementation, and operation services based on a life cycle approach and on the customer's specific needs.

The Cisco Lifecycle Services approach defines the critical set of activities required to help SAP GRC user enterprises successfully deploy, operate, and optimize Cisco SONA-based infrastructures. As an example, specific company controls for data confidentiality can be set to inspect data sent over the network. If anyone tries to (willfully or not) send sensitive data outside the enterprise, the Cisco controls can detect, intercept, and block the message, notify the appropriate managers of the violation, and track the status of the violation within the SAP GRC portfolio. Such a control is only as good as its detection rules, so the rules themselves need to be defined, tested for false positives, and reviewed as part of the compliance program. Still, the partnership will require a long learning process for both vendors as well as for users.
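To make the confidentiality control described above concrete, here is an added illustrative example of the inspect, block, notify, track pattern; it is not Cisco's or SAP's code and does not use either vendor's products. The control identifier, internal domain, classification markings and sample messages are all constructed assumptions. It goes slightly beyond the text by showing the false-positive problem: a run of digits is only reported as a card number when it passes the Luhn check, and evidence in the audit record is redacted so the record does not itself leak the data.

```python
import re

# Added illustrative example; not Cisco's or SAP's code. Control identifier,
# internal domain and markings are hypothetical.
CONTROL_ID = "DATA-CONF-01"          # hypothetical entry in a GRC control register
INTERNAL_DOMAINS = {"example.com"}   # hypothetical: traffic staying here is not egress

# 13-16 digits, optionally separated by single spaces or hyphens (card PAN shape).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# US SSN shape: NNN-NN-NNNN.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Classification markings a company might stamp on documents (hypothetical).
MARKINGS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_egress(message: str, sender: str, recipient: str) -> dict:
    """Inspect one outbound message and return a decision plus an audit record.

    Only traffic leaving INTERNAL_DOMAINS is checked; evidence is redacted so
    the audit trail does not become a second copy of the sensitive data.
    """
    destination = recipient.rsplit("@", 1)[-1].lower()
    findings = []
    if destination not in INTERNAL_DOMAINS:
        for m in CARD_RE.finditer(message):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
        for m in SSN_RE.finditer(message):
            findings.append(("SSN", "***-**-" + m.group()[-4:]))
        upper = message.upper()
        for marking in MARKINGS:
            if marking in upper:
                findings.append(("MARKING", marking))
    blocked = bool(findings)
    return {
        "control": CONTROL_ID,
        "sender": sender,
        "recipient": recipient,
        "action": "block" if blocked else "allow",
        "findings": findings,
        # Status a GRC tracker would carry until someone reviews the violation.
        "status": "open" if blocked else None,
    }


# Constructed sample traffic (not captured data).
SAMPLES = [
    ("Please process card 4111 1111 1111 1111 for the invoice.",
     "alice@example.com", "bob@partner.example.net"),
    ("Order ref 1234 5678 9012 3456 shipped today.",
     "alice@example.com", "bob@partner.example.net"),
    ("Please process card 4111 1111 1111 1111 for the invoice.",
     "alice@example.com", "finance@example.com"),
    ("Attached: INTERNAL ONLY Q3 forecast, do not forward.",
     "carol@example.com", "press@news.example.org"),
]


def run_samples() -> list:
    """Run every sample through the control and return the audit records."""
    return [inspect_egress(*s) for s in SAMPLES]


if __name__ == "__main__":
    for event in run_samples():
        print(event["action"].upper(), event["recipient"], event["findings"])
```

The second sample is the point of the Luhn check: "1234 5678 9012 3456" has the shape of a card number but fails mod-10, so a naive pattern match would have blocked legitimate traffic. The third sample shows the control scoped to egress only; the same card number sent to an internal mailbox is left to whatever internal-handling control applies.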

Most current non-IT users of GRC solutions and prospects (that is, financial, internal audit, corporate risk management, etc.) will likely find Cisco's involvement less relevant for their purposes in the short term. On the other hand, when it comes to IT compliance, the partnership is not exclusive, and many other viable alternatives are available for content monitoring and filtering, identity management, security information and event management, preventive controls (such as predictive financial management), and security controls and policy management solutions. Vendors such as Sun Microsystems and Computer Associates (CA) could play important roles in these areas.

Conclusion and Recommendations

All customers looking at SAP's GRC offerings should demand thorough payback analysis, whereby quantitative and tangible, not "soft" and vague, benefits are pinpointed. The probabilistic nature of risk prediction makes it difficult to produce tangible, hard numbers. Yet, on the other hand, one cannot wait for disaster to happen and only then act under duress. SAP users that have already acquired another provider's point GRC solution should wait for more mature future SAP GRC releases before they consider changing providers.

Enterprises that are using older, fragmented SAP compliance point solutions (for example, SAP MIC) and that are ready to move to a more unified GRC platform should investigate the migration strategy to SAP's GRC solution, bearing in mind equivalent, competitive offerings. SAP-centric customers looking for compliance automation and process monitoring capabilities should certainly evaluate Virsa solutions.

Non-SAP users of solutions like those from Virsa should be vigilant about SAP's unequivocal commitments, as well as its roadmap that will entail complete functionality without requiring the "catch 22" introductions of other SAP components, integration ramifications, or additional licensing costs. Also, given the abundance of compliance solutions available, prospects should negotiate hard, both with SAP and its partners, on GRC software and services pricing.

This concludes the two-part series on how SAP is embracing governance, risk management, and compliance.
