Home > Risk > SAP’s Secret Recipe for GRC

SAP’s Secret Recipe for GRC

It is true that SAP has been selling a number of what it calls GRC solutions. (Now that I have retired from SAP I can tell you that I wish they didn’t call them that – which I will explain later.)

It is also true that the so-called Big 4 accounting firms have been explaining how organizations can address their SAP enterprise application access issues using SAP GRC.

So, the first secret, known only to a few, is that what the Big 4 are talking about is SAP’s Access Control suite. (Yes, it is actually a suite of several modules. Some customers make the severe mistake of only implementing a few, easy ones, instead of all of them – but that’s a topic for another post.)

SAP actually has several applications included in its GRC solution set: for enterprise application access, enterprise risk management, continuous monitoring and auditing (including risk monitoring), and global trade management. The middle two (Risk Management and Process Control) are quite nicely integrated, so that risk managers can link risks to controls and obtain assurance that the risks are being addressed by effective controls. The last one, Global Trade Solutions, is probably the market leader in its category but I would argue it doesn’t really fit into the typical “GRC” bucket. It enables management to comply rather than provide capabilities for monitoring compliance. Personally, I love it and would have been a very strong advocate for acquiring it at several of the companies where I was an executive. But, I wouldn’t call it a GRC solution.

The second and bigger secret is that SAP offers far more to those looking to improve their GRC processes than what is included in their GRC solution set. For example, if I were to take (as I have before) an executive position in risk management, compliance, or internal audit at an SAP customer, I would consider the following:

  • The core of my risk management program would be provided by SAP’s Risk Management solution. (Clearly, there are competitive products that would have to be considered, but let’s assume that the value of a consistent technology across my IT infrastructure, the availability of technical support, the continuing investment by SAP, and the potential for integration – discussed in a moment – means that SAP wins.)
  • In addition to the automated risk monitoring capability offered by that solution, I would use SAP’s analytics solutions (in all their forms) to monitor risk levels and warn me when they are outside my risk criteria. That would include using mobile analytics solutions to put risk management information in the hands of the executives and managers running the business.
  • I would use Process Control (or a competitor) for multiple purposes: (a) to manage my SOX program, (b) to automate the testing of configurable and other automated controls, (c) and to implement monitoring (i.e., detective) controls that might replace or, at least, augment my preventive controls.
  • SAP has a number of other solutions that I would consider for risk and transaction monitoring, including within their Treasury and Cash Management, Hedge Management, Trade and Commodity Management, and other solutions. Sybase (an SAP company) has an interesting product called Event Stream Processor that can be used in real time to test activities against defined rules.

If I were, as I said, an executive responsible for improving my organization’s GRC processes, I would not simply go out and get a so-called GRC solution or GRC platform. No. I would understand and define my particular business needs. As a strong proponent of managing risk at the speed of business and providing assurance that risks are managed at that speed, I need a core repository kind of program that is nicely integrated with continuous monitoring and analytics capabilities.

Maybe there’s a better set of solutions for an SAP environment than those offered by SAP. Maybe. But I have yet to see it. It is going to be difficult to persuade me that the advantage SAP has (with (a) its risk management and analytics applications built on the same technology as each other and the enterprise applications, (b) being the largest enterprise application software company in the world, and (c) also being, I believe, the largest GRC software company in the world) doesn’t overwhelm the advantages niche vendors may have with individual points of functionality.

Oh, I said I would explain why I don’t like SAP calling their solutions “GRC”.

  1. What is GRC?
  2. Perhaps because SAP only (or mainly) talks about its GRC solutions, people don’t know SAP has a pretty good risk management solution
  3. Organizations should be looking to address their specific needs instead of acquiring a GRC platform whose functionality is designed to meet an analyst’s needs, not necessarily theirs.

I welcome your views and commentary.

PS – Some of my semi-retirement activities are sponsored and supported by SAP, but all the opinions I share are mine and mine alone – without influence from SAP.

  1. Norman Marks
    May 2, 2013 at 3:46 PM

    PS – SAP has a ton of applications for the G in GRC – but that’s another discussion

  2. Carlos
    May 2, 2013 at 4:03 PM

    Thank you for sharing. Many organizations around the world still do not take risk management seriously, mainly due to the fact that it is still viewed as a cost and not an investment. Organizations focus mainly on those applications within GRC that will support a business case and a solid ROI.

    I think SAP hasn’t been successful in communicating the need that organizations have around this matter and forget about Big4 firms communicating this on their own, they have no idea. That together the fact that organizations also fail to see how they can leverage other applications within SAP with their GRC suite is the perfect formula for an inefficient use of the system.

    Only time will be able to get the message and expertise across, as it happened with all of the other applications that they have come up with over the years, i.e. CRM, BOBJ, etc.

  3. May 2, 2013 at 4:29 PM

    Thanks Norman – most useful

  4. Tom
    May 2, 2013 at 6:06 PM

    Norman – you have managed to articulate well in a couple of hundred words the value proposition of ANY integrated GRC system. I have always found SAP’s offering to be best of class … alas their promotion / selling explanation of it is not on equal par. They should just lift your assessment from this post!🙂

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: