It is also true that the so-called Big 4 accounting firms have been explaining how organizations can address their SAP enterprise application access issues using SAP GRC.

So, the first secret, known only to a few, is that what the Big 4 are talking about is SAP’s Access Control suite. (Yes, it is actually a suite of several modules. Some customers make the severe mistake of only implementing a few, easy ones, instead of all of them – but that’s a topic for another post.)

SAP actually has several applications included in its GRC solution set: for enterprise application access, enterprise risk management, continuous monitoring and auditing (including risk monitoring), and global trade management. The middle two (Risk Management and Process Control) are quite nicely integrated, so that risk managers can link risks to controls and obtain assurance that the risks are being addressed by effective controls. The last one, Global Trade Solutions, is probably the market leader in its category but I would argue it doesn’t really fit into the typical “GRC” bucket. It enables management to comply rather than provide capabilities for monitoring compliance. Personally, I love it and would have been a very strong advocate for acquiring it at several of the companies where I was an executive. But, I wouldn’t call it a GRC solution.

The second and bigger secret is that SAP offers far more to those looking to improve their GRC processes than what is included in their GRC solution set. For example, if I were to take (as I have before) an executive position in risk management, compliance, or internal audit at an SAP customer, I would consider the following:
- The core of my risk management program would be provided by SAP’s Risk Management solution. (Clearly, there are competitive products that would have to be considered, but let’s assume that the value of a consistent technology across my IT infrastructure, the availability of technical support, the continuing investment by SAP, and the potential for integration – discussed in a moment – means that SAP wins.)
- In addition to the automated risk monitoring capability offered by that solution, I would use SAP’s analytics solutions (in all their forms) to monitor risk levels and warn me when they are outside my risk criteria. That would include using mobile analytics solutions to put risk management information in the hands of the executives and managers running the business.
- I would use Process Control (or a competitor) for multiple purposes: (a) to manage my SOX program, (b) to automate the testing of configurable and other automated controls, (c) and to implement monitoring (i.e., detective) controls that might replace or, at least, augment my preventive controls.
- SAP has a number of other solutions that I would consider for risk and transaction monitoring, including within their Treasury and Cash Management, Hedge Management, Trade and Commodity Management, and other solutions. Sybase (an SAP company) has an interesting product called Event Stream Processor that can be used in real time to test activities against defined rules.

If I were, as I said, an executive responsible for improving my organization’s GRC processes, I would not simply go out and get a so-called GRC solution or GRC platform. No. I would understand and define my particular business needs. As a strong proponent of managing risk at the speed of business and providing assurance that risks are managed at that speed, I need a core repository kind of program that is nicely integrated with continuous monitoring and analytics capabilities.

Maybe there’s a better set of solutions for an SAP environment than those offered by SAP. Maybe. But I have yet to see it. It is going to be difficult to persuade me that the advantage SAP has (with (a) its risk management and analytics applications built on the same technology as each other and the enterprise applications, (b) being the largest enterprise application software company in the world, and (c) also being, I believe, the largest GRC software company in the world) doesn’t overwhelm the advantages niche vendors may have with individual points of functionality.

Oh, I said I would explain why I don’t like SAP calling their solutions “GRC”.

1. What is GRC?
2. Perhaps because SAP only (or mainly) talks about its GRC solutions, people don’t know SAP has a pretty good risk management solution
3. Organizations should be looking to address their specific needs instead of acquiring a GRC platform whose functionality is designed to meet an analyst’s needs, not necessarily theirs.

I welcome your views and commentary.

PS – Some of my semi-retirement activities are sponsored and supported by SAP, but all the opinions I share are mine and mine alone – without influence from SAP.

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/