SAP’s GRC platform has moved up to the leaders category in the latest Gartner Magic Quadrant report because of the increase in SAP GRC users and recent improvements found in the newly released SAP BusinessObjects GRC 10. It was listed in the “visionary” category in the last Magic Quadrant report, published nearly a year ago.
“They were executing on two fronts here. They were executing on their vision with the rollout of GRC 10. At the same time, they were actually penetrating in the market with the previous version of Risk Management and Process Control 3.0,” said French Caldwell, an analyst with Gartner Research Inc. and co-author of the report. “They only rolled out that 3.0 version a year ago May, so the adoption rate on that has been pretty high.”
SAP also deserves credit for introducing a policy lifecycle management module within the new platform, as well as tighter integration among the GRC (governance, risk and compliance) applications and better reporting tools as a result of embedding SAP BusinessObjects within the software, Caldwell said.
Sharp Electronics gets a slice of GRC 10
While not specific to GRC 10, GRC Process Control is used at the Sharp Electronics Corp. to consolidate business processes among its seven different business units, according to Wyatt MacManus, senior manager for process management and business controls for Sharp in the U.S.
“So, rather than each of the local units do their local fixed-asset reconciliation, we were able to identify that the overall, or headquarter-level, reconciliation was sufficient to mitigate the risks in that area,” he said.
Sharp has also been using and evaluating Process Control 10, which is now in ramp-up but is expected to be generally available at the end of this month.
The company plans on taking advantage of the new policy lifecycle management module included in Process Control 10 to automate and better manage the process of having employees review and sign off on the company’s code of ethics.
In the past, employees would have to log on to the company’s intranet, review the document and take a short quiz, all of which was tracked in a Microsoft Access database. Once the new system is up and running, employees will get a notice in Outlook containing an Adobe interactive form walking them through the process.
“That feedback will come back into process control, and we’ll be able to report and track the status of who’s completed it and who hasn’t,” McManus said.
SAP GRC strengths
SAP GRC shares the leaders quadrant along with vendors BWise, IBM Open Pages, Thomson Reuters, Oracle and MetricStream. According to Gartner, SAP deserves that ranking based on a number of strategic and functional strengths:
- Market understanding and strategy. SAP’s knowledge and understanding of the GRC market has increased, which is reflected in the way it is better able to meet basic compliance and risk assessment requirements, as well as the more advanced challenges such as calculating the effects of risk management on business performance and decision making.
- Product strategy. SAP has integrated continuous controls monitoring (CCM) to enable a wider set of GRC capabilities.
- Vertical/industry strategy. SAP now offers a version of GRC for Environment, Health and Safety (EH&S) and also works with a number of other vendors that provide industry-specific GRC applications.
Cautions for GRC software users
Customers have to purchase multiple-core GRC products and partner products to get the advanced functionality like integrated CCM that SAP stresses in its GRC marketing, Gartner states. In addition, SAP markets content libraries created by consulting firms like PricewaterhouseCoopers and Deloitte. However, that content is only available if you’re using those companies’ services, which adds costs.
Gartner advises customers on the following:
- Because it does not support scoping and prioritization of the audit universe, audit management is not scalable for a large internal audit organization. Some of the audit functionality requires the licensing and integration of the SAP BI Explorer.
- Customers that were interviewed for the Magic Quadrant said that improvements were needed in reporting, audit management and the CCM feature within Process Control. However, none of those customers have evaluated GRC 10, Gartner stresses, which does include improvements in reporting and audit management.