As an industry pundit and analyst it is always fun to play match maker. For some time I have been pontificating that SAP and CA are very complimentary in their approach to the GRC market. While one focuses on business processes and applications (SAP), the other (CA) focuses on IT management and security. I was quite excited when they formally announced that they have worked out a partnership and demonstrated an interesting level of integration.

What this means . . .
SAP and CA together offer the broadest and most interesting coverage of any GRC solution on the market. Together their strengths provide significant value in managing enterprise risk and control from the business process, down into the business application, and from their into the IT infrastructure that supports that business application. In many respects they are defining a world of GRC that competitors simply do not touch on.
Consider . . .

GRC is about protecting the business — staying within defined risk and requirement boundaries to minimize loss while optimizing performance. An organization approaching GRC proceeds through three levels of maturity:


  1. Manual and isolated: The first level is a reactive approach to risk and compliance. Different issues are managed in different parts of the organization, relying on burdensome and costly approaches to managing risk and compliance. This ad hoc approach is a manual and labor-intensive process, and results in mountains of paper and electronic documents. This produces a compliance posture that is often full of holes or outright smoke-and-mirrors.
  2. Documentation and workflow:The second level is documentation of GRC controls and processes. This is often maintained in document or policy-management systems that have content and workflow capabilities, but little understanding of business processes and no integration with the underlying business application environment. The focus of this level of maturity is the design effectiveness of GRC — to document the business appropriately to satisfy regulators and stakeholders.
  3. Control automation and monitoring: The third level focuses on the operating effectiveness of GRC. Here, the organization achieves economies in GRC through processes and controls connected and in-sync with objectives, policies, and risks associated with business processes and applications. Value is created by ensuring that control violations are identified immediately, minimizing loss from fraud and errors, and by greater efficiency in human and financial resources.

The most economical GRC approach focuses on automation and efficiency. The goal is to connect policies and procedures to control objectives and automate monitoring and enforcement of controls. Automated controls can span business processes, applications, and information to reduce inefficiencies in current methods of internal control monitoring and validation.






The importance of automated monitoring increases as the velocity of change steps up within the organization. Change can be good or bad. As companies expand the number of users spread across geographies, there is more opportunity for mistakes, fraud, or operational errors. Growth also multiplies the application levels within which users can make changes, for both end-users and database users. Changes can also come from third-party systems running batch processes, application triggers that are poorly implemented, or stored procedures that do not leave a transaction footprint. Accidental changes can occur during IT system upgrades, patches, or restarts.

When control monitoring becomes a background process of everyday business activities, a continuous real-time audit trail is always available. This eliminates the need for time-consuming investigations that take place when exceptions are identified, weeks or months after the fact. The scope of monitoring can expand beyond a limited subset of key controls required for compliance activities. By empowering business process owners to monitor the integrity of their operations, operational risk from fraud and errors is greatly reduced.

For audit and compliance, this eliminates or greatly reduces sample-based audits while providing a comprehensive control baseline and change history for data and processes. The scope of review can also be significantly expanded without requiring additional resources: Audit processes that were performed once every several years can be done continuously. Once validated, auditors can rely on the existence of automated controls and continuous change-tracking as evidence of compliance.

SAP and CA deliver on this vision . . .

SAP and CA, together, are delivering on this GRC value and vision from the business application to the IT infrastructure in a breadth of capabilities that no other vendor/partnership currently competes with.

To date, Oracle has had the broadest ala carte GRC offering – but customers regularly complain to Corporate Integrity about the lack of integration between the breadth of Oracle GRC solutions. SAP and CA offer a deeper suite of GRC solutions but have already demonstrated interesting integration between critical products. If you consider SAP’s additional partnership with Greenlight Technologies – SAP extends into the Oracle environment for managing GRC.

Other GRC vendors focus on the documentation and workflow elements of GRC – but lack integration and application support for the range of business processes, applications, and IT infrastructure that SAP and CA bring to the table.

Interesting, Corporate Integrity has still not seen any vendor come forward and clearly demonstrate the role of identity in GRC. There have been attempts – the occasional webinar or white paper, but no concerted effort to contribute and answer the role of identity and access management across physical and logical/information access. I trust that CA with this focus will put more effort into this critical and needed education of identity as it crosses the physical environment, business application, and IT infrastructure. The role of identity and access is a pillar of GRC.

Leave a Reply

Your email address will not be published. Required fields are marked *