Data governance is nearly as expansive and confusing as governance, risk and compliance (GRC). And like GRC, it comes in overlapping categories with terms that are poorly defined.
For example, the data quality and master data management (MDM) initiatives that organizations have launched for use in data warehousing and business intelligence (BI) efforts are tangential to data governance for financial reporting and compliance. The aims are similar -- ensuring that data is not only accurate but also put to work accurately -- but the solutions that ensure accurate data for BI may have little to do with the people and processes needed to ensure correct financial reporting or compliance with environmental health and safety regulations.
So how does an SAP-based organization get started with data governance for GRC? Here are three core elements:
1. Don't start with a technology solution
It's not that SAP doesn't have options, and it's not that there aren't third-party vendors available to help. Technology is only a part of the story, and it's not even in the early chapters, so avoid the pitfall of thinking a shiny new MDM suite with a "GRC" tag on it will keep your data-focused activities squeaky clean.
"Data governance can be a monstrous project, and for any large organization, it cannot be handled simply by licensing a software package," said Chris McClean, an analyst for Forrester.
More information on SAP GRC technology
Find out if your organization's SAP GRC strategy is in need of software
Learn how to align SAP GRC technology strategy with constantly shifting compliance requirements
Data related to GRC will be used to craft financial statements, submit regulatory filings, and justify decisions at the highest level of the organization, McClean said. Confidence in that data is clearly a high priority. Many GRC solutions have good capabilities for tracking how certain information is created, changed or used, but the scope of this oversight is usually quite limited.
"Comprehensive GRC efforts involve data related to customers, finances, market information, product, quality, and much more," he said. "To gain confidence that all this data is accurate and up to date usually requires sophisticated technology solutions as well as rigorous process controls."
2. Expand your GRC stakeholders
A CFO, CIO or COO, for example, all have different GRC needs stemming from different regulatory requirements that land on their departmental doorsteps. These stakeholders will be the critical weight needed to make sure data is not only accurate in and of itself but, more importantly, that the business processes and the people who interact with the data actually work together appropriately within the expected business rules.
"Whether talking about data governance or just governance, the people part of the equation is extremely important. The most successful GRC programs are when the number of GRC stakeholders is expanded, not reduced," said Ranga Bodla, senior director of governance, risk and compliance solutions for SAP.
"The way to do this is build a business case with the business that shows how an effective program can reduce their individual work or make it more effective," Bodla said.
"Especially when it comes to data governance, so much of the focus is on data protection after the fact; and, as a result, people get information that they then cannot use," he said. "Good GRC programs ensure that people only get the data that is appropriate for them, and then people aren't dealing with data barriers."
3. Enlist help to save time and effort
In order to implement an effective data governance plan for GRC, most organizations will need to go to SAP, to SAP's business partners, or to SAP-savvy data governance consultants for the heavy lifting that will map their specific organization to business-appropriate solutions. If your company is primed and ready to protect its data assets, consultants can save you time and money -- not to mention headache and heartache.
It is possible, however, that larger organizations have internal experts who have already completed similar data-intensive governance efforts in related ERP or CRM projects, and GRC project managers can tap that experience for GRC-focused governance projects as well, McClean said.
"However," he added, "many will have to look for external guidance."
For SAP customers in particular, SAP works to offer flexible options to help individual enterprises.
"Most organizations will need some help in planning, deployment or best practices," Bodla said. "In that context, the best consultants know the product, can supply content, but also can relay best practices that avoid elongated or false-start project expenses."
"SAP's customer advisory office is actually providing our customers with a resource that can suggest 'preferred' practices that can ensure project success," Bodla said. The SAP customer advisory office works hand in hand with consultants and the customer to drive the adoption of these practices, he said.
SAP's BusinessObjects portfolio
SAP's primary GRC solutions are bundled as part of the SAP BusinessObjects portfolio, which also includes the SAP BusinessObjects information management solutions that not only support business intelligence efforts but also include solutions for data quality management, MDM, and other data integration and related services.
SAP's GRC suite is part of the broader SAP BusinessObjects portfolio, which includes BI, information management, and enterprise performance management, according to Gary Dickhart, vice president of the GRC Customer Advisory Office for SAP.
"There's a lot of solutions out there that say, 'Let me look at all orders that were sent to a sanctioned party list, or let me look for all adjustments made to our financials more than $10,000 after the end of the period,' and there's all these bad scenarios that people look for after they happened," Dickhart said. "Our approach is, don't look for it after, build the process so that it takes it into consideration within the process -- embed it in the process."
The takeaway here is SAP's progressive strategy for GRC -- data governance and all the process controls that go along with operating a business are best served when risk and compliance are addressed from within the moment any action is occurring.
As companies look to gain benefit from their compliance efforts in order to actively reduce risk and seek out opportunity, data governance is being recognized as a key foundation for GRC.
In some aspects, a lot of the risk and compliance programs over the last five years have been focused on documentation, so that in terms of data governance, there's an audit trail of when policies were created or when certain data was collected for risk assessment.
"Those are all important, but companies are looking for more data-centric risk and compliance -- actually running analysis of key risk indicators and key performance indicators -- so data governance is definitely becoming more important," McClean said. "You're talking about collecting data from hundreds of different locations, from different business partners, so you must make sure that data is accurate and coming from the right places."