How Does SAP Enable World-Class GRC Processes?

I have been writing for a while now about what this term “GRC” really means. While the definition on CFO.com was fun – an academic definition of the word ‘mess’ – there is a serious meaning as well.

I prefer and advocate the OCEG definition of GRC. I would like to see the community agree on this:

“A system of people, processes and technology that enables an organization to:

  • understand and prioritize stakeholder expectations;
  • set business objectives that are congruent with values and risks;
  • achieve objectives while optimizing risk profile and protecting value;
  • operate within legal, contractual, internal, social and ethical boundaries;
  • provide relevant, reliable and timely information to appropriate stakeholders; and
  • enable the measurement of the performance and effectiveness of the system.”

I have also explained why I believe there is value in talking about GRC. See this post.

But, I have not written about what my employer, SAP, provides for organizations seeking to improve their GRC processes. It’s time!

First, let's examine what OCEG lists as processes included in GRC and which of them are supported by SAP solutions:

Process                                              Supported?
Governance                                           Yes
Strategy and Business Performance Management         Yes
Risk Management                                      Yes
Compliance                                           Yes
Internal Control                                     Yes
Corporate Security                                   Yes
Legal                                                Yes
Information Technology                               Yes
Business Ethics                                      Yes
Sustainability and Corporate Social Responsibility   Yes
Quality Management                                   Yes
Human Capital and Culture                            Yes
Audit and Assurance                                  Yes
Finance                                              Yes

Admittedly, SAP's solutions don't cover every process equally. Some are addressed in depth (such as Finance and Risk Management) and others in less detail (such as Business Ethics).

This is why I always advise people to address their needs and the business problems they are trying to solve, rather than try to find a single “GRC solution”. I don’t believe in a single “GRC platform” unless you are talking about something like SAP’s NetWeaver, which is the foundation on which SAP’s various solutions reside.

Points for your consideration:

  • The core of GRC, for me, is strategy: developing it at the board and top management level, cascading it through the organization so that everybody is working to the same goals, linking it to individual MBOs and incentives, linking it to risks, and managing performance. SAP has an excellent solution here: SAP BusinessObjects Strategy Management (SM).
  • Performance management is a key element of GRC, although it is often overlooked. SAP has a number of related solutions in its SAP BusinessObjects Enterprise Performance Management suite.
  • In order to develop intelligent strategy and manage the business, you need information. SAP leads the way with its SAP BusinessObjects business intelligence solutions (BI).
  • Risk management follows. Risks can be identified using a top-down approach (i.e., risks to strategy, goals and objectives) or a bottom-up approach (e.g., from interviews and surveys). SAP BusinessObjects Risk Management (RM) supports both approaches, for all forms of risk, and risks in RM can be linked to SM for a complete view of risks and strategies.
  • In order to manage risks, you have to understand, assess, and test controls, both manual and automated. This can be done using SAP BusinessObjects Process Control (PC), which is integrated with RM so you can perform top-down, risk-based controls assessment and testing.
  • Controls over the important risk area of access to the ERP are enhanced and monitored by products like SAP BusinessObjects Access Control (AC), formerly known as Virsa.
  • One popular topic in the GRC area is continuous control monitoring or continuous auditing (CCM). PC is the primary solution for CCM, and it is especially powerful when combined with AC and with BI for data analytics.
  • Compliance is a massive area, and I don't know of anybody that addresses every global law and regulation. Certainly, solutions like RM enable a risk-based approach to compliance, but many areas need specialized solutions. SAP has several, such as those for global trade compliance and for environmental, health, and safety compliance.
  • Audit is included in most people's list of GRC functions. SAP has many solutions with functionality for internal audit, including data analytics (BI), risk monitoring (RM), continuous auditing (PC, BI, and AC), and audit management (through its NetWeaver audit management functionality).
  • Core to Governance is the effectiveness of the 'control environment' (as described in the COSO internal control framework). This includes the 'tone at the top' and human resources practices such as hiring, employee performance management, etc. SAP is a leader in solutions for human resources.

I could continue talking about all the other solutions for GRC processes, including features in SAP’s ERP products. But, there’s a limit on my and your patience. Let’s just say that the list of solutions for GRC processes is long and leave it at that!

  1. akira
    June 2, 2010 at 2:30 PM

    What do you think about Archer?

  2. nmarks
    June 2, 2010 at 3:09 PM

    Archer is a competitor of SAP and their parent (EMC) is a partner, so it would not be appropriate for me to comment.

  3. June 4, 2010 at 6:52 AM

    Thanks, Norman, good summary. Would you recommend someone who could demo the latest version of SAP GRC (or parts of it), or point to webcasts that are scheduled? It is a lot to absorb.

  4. June 5, 2010 at 6:29 PM

    Norman — Given that you have lots of venues to publish your opinions (e.g. IIA blog, your own blog, SAP blogs, etc.), wouldn’t it make more sense to publish unabashed SAP promotions on the SAP blogs? You provide a tremendous service to the larger community of people interested in all issues related to risk, GRC, compliance, and audit. Posting SAP commercials on your personal blog seems to diminish the authority and impact of everything else you post there.
