When the term “governance, risk and compliance” (GRC) was introduced almost 10 years ago, software for this purpose was not a real category but a loose grouping of disparate applications that had something to do with meeting the requirements of the recently passed Sarbanes-Oxley Act. (You can find my perspective on the GRC category from a couple of years ago here.) Now, with the 10.0 release of SAP BusinessObjects GRC, SAP is taking another step toward making the software category a real, comprehensive one that addresses the business and IT requirements of risk and compliance management efforts. This is the first platform that enables companies to efficiently provision risk and compliance management at an elemental level (for example, to manage individual access controls and process controls) and, over time, to gain effectiveness benefits from having the ability to comprehensively manage compliance and risk.
One of the key requirements of implementing a comprehensive GRC environment in a company is integrating the IT and business elements necessary for compliance and risk management. Without a secure IT environment, companies’ efforts at preventing threats such as financial fraud and loss of proprietary intellectual property (among other issues) can be undermined easily. Without the ability to collect, assess and communicate the data necessary for measuring risk, the effectiveness of risk management efforts will be limited. Moreover, maintenance of a secure IT environment and handling of the details of compliance management (defining and maintaining controls, logging, auditing and reporting) must be as efficient as possible, since these efforts are almost never strategic.
SAP GRC 10.0 is a comprehensive update, one that applies a common look and feel to the various elements, embeds SAP’s business intelligence (BI) assets (such as SAP Xcelsius charts) throughout the application, and provides controls for comprehensive GRC management. In addition, I want to highlight what I think are two of the most important aspects of the release. One, a higher-level aspect, is the development of a partner ecosystem that will be able to use GRC 10 as a platform on which to develop solutions; the other, more detailed element is its “bow tie” approach to defining and configuring risks and risk metrics.
A key issue with using GRC as a software category is that purchasing decisions are fragmented. Nobody currently implements GRC as such. Typically companies undertake, for example, some focused compliance effort or implement unified access controls or centralize credit risk management or automate their separation of duties (SOD) monitoring process, to name a few among a wide variety of efforts. Until now, there has been little reason for companies or (more to the point) the consultants who often do this work to prefer one software product over another. By making it possible to incorporate their intellectual property into a common platform, GRC consultants can execute a land-and-expand strategy, selling their specific compliance and/or IT governance capabilities. Moreover, multiple compliance efforts deployed broadly across an organization using GRC 10.0 can make ongoing maintenance and deployment more efficient, giving the integrators or consultants an added benefit to offer in incremental deployment. I think that SAP’s positioning should give it and its partners a market advantage compared to vendors offering one-off solutions.
The bow tie is a method of creating common methodologies for risk definition, management and remediation. (You can find an example of an SAP compliance bow-tie diagram here.) The bow-tie approach is a seemingly small but important user interface design that can greatly improve how a company executes its risk identification and management process. It provides a framework within which individuals can more readily construct risk definitions and assessments. It enables people to work collaboratively using a common language. It enforces consistency where it’s needed yet allows for ongoing flexibility when it’s called for. And it can simplify the process of automating the links between risks, the metrics associated with measuring those risks, the data used for the measurement process and the context in which a risk is to be assessed.
As companies develop libraries of risk definitions, I expect this will facilitate the collection and coordination of risk metrics. I believe the difficulty of accessing risk metric data in the proper context is the single largest barrier to incorporating risk into an organization’s balanced scorecard effort. In particular, effective risk management is necessary to overcome the agency issue in corporate management.
We still have a long way to go to eliminate wasted time and effort in GRC efforts, and an even longer way to go to incorporate risk in performance management. However, with SAP BusinessObjects GRC 10.0, SAP has taken significant steps to enhance the long-term efficiency of how organizations manage their compliance and risk management efforts. Supplemented by partners’ offerings built on the platform, GRC 10 can provide organizations with a more cost-effective approach to automating compliance efforts. Another significant (albeit long-term) benefit that the platform approach can provide is to lower the barrier that currently prevents companies from incorporating risk into broader performance management assessments. By establishing a common platform for building individual compliance and risk management processes, companies should be able to facilitate the establishment of the data infrastructure necessary to support an integrated risk and performance management approach. Defining the data elements related to risk drivers and outcomes as well as establishing the processes to which these drivers and outcomes apply should substantially reduce the effort required to map the individual risk metrics in a scorecard to where the data needs to be collected. In all, I think GRC now offers companies some real improvements for the short and the long term – greater efficiency today and increasing effectiveness for years to come.
Robert Kugel – SVP Research