Both access and process controls, generically speaking, are critical to many GRC efforts, so these two SAP offerings cut a wide swath of possibilities for many SAP-focused enterprises. Does this make looking to SAP for GRC solutions a no-brainer decision?
"Definitely not a no-brainer," notes Chris McClean, an analyst for Forrester Research. "If you have a working relationship or a strategic relationship with SAP and they are running a lot of your business processes anyway, it is a natural fit because they do have a lot of capabilities to oversee the products you have in place."
The important thing to remember, even for SAP-focused companies, McClean warned, is that there's no single platform or solution that's going to cover all of your GRC needs. Because GRC is such a broad topic and covers so many of the world's largest and best-funded enterprises, the GRC software landscape is extremely wide.
"The number of vendors that talk about having GRC or GRC-related technology is just huge," McClean said, noting that most companies have already purchased and implemented several products across their organizations, covering segregation of duties, risk management, security, environmental health and safety, and many other point solutions.
"SAP also has an environmental risk and compliance area as part of their GRC suite, so that could be important," he said. "But they don't have everything. For example, if you need really detailed IT or HR risk and compliance, you might want to consider other solutions."
Ask the important questions
One starting point is to look at what collectively you are trying to solve. Ask questions such as, "Are you still in a tactical mode or are you more proactive?" Tom Eid, a vice president of research for Gartner, recommended.
For many companies, cost-reduction through streamlined solutions can't be dismissed as a great tactical move.
One of SAP's BusinessObjects Process Control application customers, Sharp -- the leading electronics manufacturer -- needed a GRC solution that could help it meet several objectives, including providing a platform for process and control documentation. The company also needed to streamline attestation and testing procedures, and to centralize and standardize controls across the organization.
"SAP BusinessObjects Process Control provides us with an advanced set of tools that are both sophisticated and intuitive for end users," noted George Dramalis, VP and CIO for Sharp. "The impact has been a more streamlined, transparent control environment that has ultimately reduced our overall testing efforts. We expect that these improvements will yield reduced external audit activity, as well as reduced external audit expenditures."
Another key factor is to understand whether your organization is inclined to implement a short-term or long-term solution.
"Some will say, 'Longer term, we're looking to catch up and integrate in with our ERP, but right now, this is a short-term problem, so we're looking at best of breed,'" Dramalis said.
Next, you need to know your core type of GRC -- financial, IT or operational GRC? Most GRC solution providers have competencies in one or two key areas but are not yet savvy with all three.
"You can enter in with any core GRC area, but make sure that downstream, you are planning to support all three," Eid said. "Don't buy yourself into a corner so you have to go through the whole process again in three or four years."
Where does SAP fit in?
"Our cut is SAP was being a bit more tactical until 2009, but then in 2009, we feel they've taken a big step forward to take a more strategic view of the GRC marketplace where they are really trying to create a linkage between GRC capabilities and overall enterprise performance management," Eid said. "We anticipate by the end of this year, they'll have another refresh going into their portfolio, and their GRC portfolio will continue to align with the overall enterprise performance management strategy they have in place."
Look to the future
One of the important things to understand about SAP's GRC strategy is that it is aimed at working with solutions you may already have installed. SAP BusinessObjects has a business intelligence background, and a hallmark of BI solutions is the ability to tap into a wide variety of data from across corporate silos and then put it to work. This architectural tie to SAP BusinessObjects helps enable SAP GRC solutions to reach effectively across many SAP and non-SAP systems to tap into data and processes.
"One of those things that is really interesting is that companies are starting to look seriously at how risk relates to performance," Forrester's McClean said.
Going back to the financial crisis and similar issues, a lot of companies are very focused on short-term results, making it easier to ignore risk data, he said. He is seeing more companies that are starting to realize that when they look at the performance of a product line or a business unit or an office, they can't look at performance without looking at risk exposure also.
"It's going to take some time to actually implement that concept through processes and technologies, but a lot of companies are starting to look at risk and performance together -- and that's one area that SAP has a fairly good message and a set of capabilities they are starting to bring together," McClean said.
As part of the GRC software evaluation process, it's a good idea to look beyond the audit, beyond compliance, and consider how GRC solutions can affect ongoing business.
As a former auditor, Gary Dickhart, vice president of the GRC Customer Advisory Office for SAP, knows firsthand how many organizations have held onto the SOX-generated division between consulting and auditing: auditors could not audit solutions they themselves recommended, and the effect has been that many executives have looked to audits to understand their performance.
"What's really been lacking is the infusion of knowledge down into the operation so the people who are running their business know they are responsible for the controls and they perform these every day, and know what makes a good or bad control," Dickhart said. "That's evolving. The days of knowing whether I was doing bad or good, that was an audit -- if I got a good audit, I'm doing well, so we can wait until next time."
Next time you might have an operational problem, and that has to do with your controls and how you manage risk, which has nothing to do with the audit -- the audit is just a point-in-time snapshot. Making people realize that the audit is not the control, and that it's not something they should depend on, is key to actually extending GRC to the enterprise, he said.
One such company that is extending understanding into real time is BearingPoint, a global provider of management and technology consulting services that is using the SAP BusinessObjects Access Control application. In need of a better way to handle SOD analysis around compliance initiatives like Sarbanes-Oxley, BearingPoint chose Access Control to replace inefficient, manual processes. The company also needed to reduce the high level of administrative effort and involvement around managing controls.
"With the SAP BusinessObjects Access Control application, BearingPoint now has real-time insight into controls," said Serkan Caliskan, a manager for BearingPoint. "We have approximately 3,000 users of the application spread out over 14 … countries, and it enables us to conduct real-time analysis and remediation to discover any potential regulatory violations and provide solutions for them."