Thoughts from SAP GRC Insider
SAP continues to show thought leadership and growth in the GRC space as revealed in the GRC Insider conference last week. The conference itself is a combination of GRC, Financials, and Human Resources tracks put together for SAP users. The overall conference had over 2000 individuals in attendance with significant growth in GRC’s presence over previous years.
Of particular interest is the contrast of SAP’s GRC strategy to other companies in the industry. What many vendors assume to be competitive they would actually find complementary. SAP’s strengths in GRC are in . . .
- Continuous control monitoring/enforcement. SAP continues to excel and focus on the automation, detection, and enforcement of controls when they represent business transactions within the environment. This means that SAP is a formidable player when GRC means continuous control monitoring and enforcement when part of financial and global trade transactions.
- Environmental, health & safety. SAP has also bolstered their presence within the environmental, health and safety space.
- Risk management tied into corporate performance. With the integration of Business Objects, SAP is delivering some of the best risk management dashboards integrated into corporate performance management.
- Corporate social responsibility/sustainability. SAP demonstrated new focus on delivering solutions to monitor and report on organizations’ CSR and sustainability programs.
Where does SAP need to show further growth in GRC? There is no one-stop technology shop for GRC – any organization looking to define a technology GRC strategy will soon realize that SAP is a solid core, but not enough. SAP is particularly weak, or needs further growth, in the following GRC functional areas:
- Content and process management. SAP’s GRC strategy has been focused on business transactions and intelligence where most other GRC vendors have focused on GRC documentation and workflow/process management. SAP does not have strong content and process management capabilities/technologies within its portfolio – and is hesitant to offer this directly as they have a rich ecosystem of enterprise content and business process management partners. SAP really should consider acquiring a GRC vendor with strong content/process management capabilities or work out a GRC market strategy that integrates one of their ECM/BPM partners in this space.
- Human resources. The most surprising blind spot in SAP’s GRC strategy to me is the lack of integration with SAP’s human resources management business. A significant portion of GRC involves the HR element – training, background checks, policies & procedures, access management, approvals, etc. There was tight integration at the conference between GRC and Financials, but the Human Resources track (as well as SAP’s GRC technology) remains completely separate from GRC. SAP is a dominant player in the HR market and one would think they would be quick to integrate and deliver a holistic GRC solution in this area.
One final thought that occurred to me . . . how would Thomson’s acquisition of Paisley impact SAP? To date the two offerings are complementary. Paisley documents, communicates, and manages workflows for GRC and does not automate transactions. The Thomson acquisition of Paisley aims to deliver and integrate rich tax/accounting content into the Paisley audit/GRC platform. While this still remains complementary – what would happen if Thomson were to acquire an automated/continuous control-monitoring vendor (e.g., ACL, Approva, Oversight Systems) that directly competes with SAP Process & Access Controls? The complete integration of information/content, process management, and automated controls could really shake up the space.