Last week was an exciting week – three events converged in an action packed week in Orlando:
- I did a live webcast on Measuring the Ethical Organization with the Institute of Internal Auditors from their headquarters in Florida;
- Archer Technologies had their User Summit – it has been a pleasure to see Archer grow and expand over the past seven years. Particularly as they move beyond IT-GRC into enterprise GRC initiatives; and,
- SAP held GRC 2008 – and that is something to really talk about. This was an exciting conference with over 1000 people in attendance.
SAP for the past two years has communicated one of the broadest visions for GRC in the industry. What is exciting is that they have really begun to deliver on it.
I am getting irritated with companies that still equate GRC to SOX or IT controls/security. Yes, that is part of GRC – but my vision, since I originally defined this market four to five years back, has been much broader.
What SAP has done is demonstrated a broader footprint and definition for GRC. The SAP GRC strategy and demos at GRC 2008 illustrated how enterprise risk management is tied into strategic planning, the role of environmental, health & safety (EH&S) in GRC, the complexities of environmental compliance monitoring, as well as the integration of GRC around global trade compliance (e.g., OFAC). The SAP approach still includes a significant focus in financial controls and with that SOX – but SAP has demonstrated how their technology and strategy are reaching well beyond this.
SAP is strongest when GRC means business monitoring and transactions. When GRC is about monitoring the environment and transactions SAP is building a robust solution set. However, they have some weaknesses . . .
These weaknesses primarily stem around the documentation of GRC and management of GRC processes. SAP needs to further develop their enterprise content management (ECM) and business process management (BPM) strategies as they related to GRC. These are technology gaps that SAP does not own today which puts them at a disadvantage in some GRC deals.
My assessment to date – SAP is a leader in enterprise monitoring and enforcement of GRC, though they are weak when it comes to documenting and managing the processes of GRC.
SAP is a thought leader in advancing the definition and cause of what GRC is about. This is more than I can state for Oracle who still seems to be confused about communicating a broad GRC strategy and executing on it – SAP is clearly winning the day on that end.
While SAP and Oracle duke it out – it is still the small, nimble and focused GRC players that have the most traction in the market today. However, the next 18 months will show a lot of consolidation in this market as SAP and Oracle become a dominant force. SAP still remains well in the lead in the battle of GRC from the ERP vendor side.
What are your perspectives on SAP in the GRC space?