Home > Risk > How Does SAP Enable World-Class GRC Processes?

How Does SAP Enable World-Class GRC Processes?

I have been writing for a while now about what this term “GRC” really means. While the definition on CFO.com was fun – an academic definition of the word ‘mess’ – there is a serious meaning as well.

I prefer and advocate the OCEG definition of GRC. I would like to see the community agree on this:

“A system of people, processes and technology that enables an organization to:

  • understand and prioritize stakeholder expectations;
  • set business objectives that are congruent with values and risks;
  • achieve objectives while optimizing risk profile and protecting value;
  • operate within legal, contractual, internal, social and ethical boundaries;
  • provide relevant, reliable and timely information to appropriate stakeholders; and
  • enable the measurement of the performance and effectiveness of the system.”

I have also explained why I believe there is value in talking about GRC. See this post.

But, I have not written about what my employer, SAP, provides for organizations seeking to improve their GRC processes. It’s time!

First, let’s examine what OCEG lists as processes included in GRC and which are supported by SAP solutions: 

Process Supported?


Strategy and Business Performance Management


Risk Management




Internal Control


Corporate Security




Information Technology


Business Ethics


Sustainability and Corporate Social Responsibility


Quality Management


Human Capital and Culture


Audit and Assurance




 Admittedly, SAP’s solutions don’t cover every process equally. Some are addressed in depth (such as Finance and Risk Management) and others in less detail (such as Business Ethics).

This is why I always advise people to address their needs and the business problems they are trying to solve, rather than try to find a single “GRC solution”. I don’t believe in a single “GRC platform” unless you are talking about something like SAP’s NetWeaver, which is the foundation on which SAP’s various solutions reside.

Points for your consideration:

  • The core for me of GRC is strategy: developing it at the board and top management level, cascading it through the organization to everybody is working to the same goals, linking individual MBO and incentives, linking to risks, and managing performance. SAP has an excellent solution: SAP BusinessObjects Strategy Management (SM)
  • Performance management is a key element of GRC, although often overlooked. SAP has a number of related solutions in its SAP BusinessObjects Enterprise Performance Management suite
  • In order to develop intelligent strategy and manage the business, you need information. SAP leads the way with its SAP BusinessObjects business intelligence solutions (BI)
  • Risk management follows. Risks can be identified using a top-down approach (i.e., risks to strategy, goals and objectives) or a bottoms-up approach (e.g., from interviews and surveys). SAP BusinessObjects Risk Management(RM) supports both approaches, for all forms of risk, and risks in RM can be linked to SM for a complete view of risks and strategies
  • In order to manage risks, you have to understand, assess, and test controls – both manual and automated. This can be done using SAP BusinessObjects Process Control (PC), which is integrated with RM so you can do top-down and risk-based controls assessment and testing
  • Controls over the important risk area of access to the ERP are enhanced and monitored by products like SAP’s BusinessObjects Access Control (AC) – formerly known as Virsa
  • One popular topic in the GRC area is continuous control monitoring or auditing (CCM). PC is the primary solution for CCM, and especially powerful when combined with AC and the power of BI for data analytics
  • Compliance is a massive area, and I don’t know of anybody that addresses every global law and regulation. Certainly, solutions like RM enable a risk-based approach to compliance, but many areas need specialized solutions. SAP has several, such as those for global trade compliance and environmental, health, and safety compliance
  • Audit is included in most people’s list of GRC functions. SAP has many solutions with functionality for internal audit, including data analytics (BI), risk monitoring (RM), continuous auditing (PC, BI, and AC), and audit management (through its NetWeaver audit management functionality)
  • Core to Governance is the effectiveness of the (as described in the COSO internal control framework) ‘control environment’. This includes the ‘tone at the top’ and human resources practices such as hiring, employee performance management, etc. SAP is a leader in solutions for human resources

I could continue talking about all the other solutions for GRC processes, including features in SAP’s ERP products. But, there’s a limit on my and your patience. Let’s just say that the list of solutions for GRC processes is long and leave it at that!

  1. akira
    June 2, 2010 at 2:30 PM

    What do you think about Archer?

  2. nmarks
    June 2, 2010 at 3:09 PM

    Archer is a competitor of SAP and their parent (EMC) is a partner, so it would not be appropriate for me to comment.

  3. June 4, 2010 at 6:52 AM

    Thanks, Norman good summary. Would you recommend someone who could demo latest Version of SAP GRC (or parts) or point to webcasts that are scheduled. It is a lot to absorb.

  4. June 5, 2010 at 6:29 PM

    Norman — Given that you have lots of venues to publish your opinions (e.g. IIA blog, your own blog, SAP blogs, etc.), wouldn’t it make more sense to publish unabashed SAP promotions on the SAP blogs? You provide a tremendous service to the larger community of people interested in all issues related to risk, GRC, compliance, and audit. Posting SAP commercials on your personal blog seems to diminish the authority and impact of everything else you post there.

  1. June 1, 2010 at 11:50 AM
  2. June 14, 2010 at 9:14 AM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: