From the October 2006 issue of Treasury & Risk magazine

SAP Branches Out

SAP AG, the dominant enterprise software and services provider, is known for a lot of things, but being an innovator in the market for governance and risk management solutions isn't one of them. Instead, a short list of such vendors would be crowded with a dozen (or more) smaller, best-of-breed specialists such as OpenPages, Paisley and Axentis, to name a few. That's an image that SAP executives are trying to change, one partnership or acquisition at a time.

Last month, the company made a series of announcements to stake its claim in the so-called governance, risk and compliance (GRC) solution space. Three new products will be offered later this year--a compliance repository, a process control and a risk management solution--that together will form the platform for enterprise-wide GRC integration. SAP also announced a new strategic partnership with another tech heavyweight, Cisco Systems--a convenient way for the two companies to cozy up to each other's customers, with the technological goal of establishing greater cooperation so that Cisco's IT infrastructure products work seamlessly with SAP's operational and compliance-based tools.

The new solutions build upon SAP's acquisition earlier this year of Virsa Systems, a leader in the continuous controls monitoring space, for real-time monitoring and enforcement of business controls. They indicate a move toward more high-end analytic tools that can better draw on the information chugging through a company's ERP systems. "This is a real push to elevate the caliber of SAP products at the management level, rather than from a transaction-only level," says John Hagerty, vice president and research fellow at AMR Research in Boston. "It's a real step up to try to capture another segment of the market. What they have is a great blueprint and products to deliver over the next six to nine months."

Few companies can match SAP's offerings in enterprise software, which the company is betting will give it an edge when companies look for end-to-end governance solutions. "We are trying to deliver proactive transparency, to give executives a better profile of risk within the organization," says Holly Roland, senior director of GRC solutions marketing at SAP. "One of the things we want to make sure we do with GRC is have the functionality to handle entity-level risk management, since GRC is most effective when it's embedded in various business processes of a company." The new functionality will allow companies to identify and prioritize risks ranging from environmental accidents to data security breaches and financial reporting problems, and determine how each could impact a company's brand or market standing. To do that, all relevant risks and controls are gathered from across the organization and made more visible, and mitigation and other options are made available. Clear ties to existing controls are also made available, to see which departments are in sufficient compliance and which ones need to do a better job.

Another core to SAP's new offerings is a GRC repository, a centralized system of record for all of a company's governance, risk and compliance content, including requirements and control frameworks on a worldwide basis. The repository will maintain everything from a company's corporate policies to board of directors minutes and key business processes. Risk and control libraries will be stored and linked to multiple control frameworks and regulations across all countries. SAP officials envision the repository containing information from all vendors, allowing it to define relationships between different regulations and risk and control libraries. The repository is meant to help avoid the clutter and confusion that mired initial Sarbanes-Oxley compliance efforts, where many companies got bogged down with too many risks and controls in place. "The relationship between the different frameworks is key," says Roland. "As executives analyze the information and they can clearly see [the relations] between the controls frameworks, it's, 'These are the risks, and here is how we controlled for them.'"
