I’ve just spent a full day at the SAP Insider GRC 2011 event, where over 700 GRC professionals from all over the world gathered to network, share experiences and hear about new developments from SAP. This is an annual event, co-located with SAP Insider Financials 2011 and HR 2011, the 9th of its kind, and my 4th. As a conference within a conference, the message from SAP had a dual focus for GRC 2011, but with a common theme – delivering more value to its customers by listening carefully to their needs. Previews of the upcoming release of GRC 10.0 (currently in ramp-up with general availability planned for Q2) were a testament to the fact that the voice of the SAP customer has never been stronger.
Sanjay Poonan, SAP’s President of Global Solutions & Go-to-Market, delivered the general keynote entitled Creating Competitive Advantage with Business Analytics. It was refreshing in that the keynote itself was less about the latter (SAP’s products) and more about the former. It’s really all about
· seeking operational excellence
· providing visibility for better decision-making, including analytics and performance monitoring
· supporting a risk-aware and compliance culture
· developing a people and talent agenda
How can SAP help its customers gain this advantage both in general and in the context of GRC specifically? Over the past few years SAP has built an impressive portfolio of solutions under the umbrella of GRC. While a convenient “category,” GRC has never been crisply defined as evidenced by all the different definitions that are floating around. Indeed over the course of the day I spent at the conference, I heard several speakers refer to GRC as Governance, Risk and Confusion. If you are looking for definitions, the OCEG Group Red Book (Standards and guidelines | by OCEG the Open Compliance and Ethics Group) is a good place to start.
For SAP, GRC is a convenient grouping of solutions that have been developed and acquired over time. However, although its GRC portfolio is extensive, it has been more of a collection than a true suite of products. As far back as March 2008 when SAP announced new versions of products across this portfolio it referred to this launch as a “unified approach to GRC”. This launch included new versions of the SAP GRC Access Control, SAP GRC Process Control and SAP GRC Global Trade Services applications. In addition, the SAP GRC Risk Management application was integrated with the SAP Strategy Management application, which was then separated as part of SAP’s enterprise performance management (EPM) solutions. The goal even back then was to enable organizations to drive an integrated corporate strategy that synchronizes the management of enterprise risks, business controls and global trade compliance.
But the solutions were still separate applications built on different technology platforms, without a common user interface. They did not share data or workflows. They felt like different products. They behaved like different products. Therefore as an existing customer who may have started with Access Control, and was looking for a trade compliance or process control or risk management solution, there really wasn’t a significant advantage in sticking with the SAP family of products.
That all changes with GRC 10.0. SAP has transformed a collection of disparate applications into a platform for GRC. There is a common look and feel. Master data can be shared across Access Control, Process Control and Risk Management. For example, the rich organizational structure that was available in Process Control can now be used in Access Control. All use the same workflow structure, supporting integrated monitoring. And perhaps just as important, is the embedded (SAP Business Objects) BI. Excelsius-based dashboards are pervasive throughout the solution and navigational tools such as Explorer are available as well.
Acknowledging the confusion over GRC and relatively low adoption rates (as compared to other enterprise applications), as a platform provider, SAP’s objectives are to simplify the message of what it will deliver, while providing a lot of meat and not just sizzle behind the messaging. SAP knows its goals need to align with the goal of the GRC professional. Simply put, that goal is to proactively balance risk and opportunity to:
- Better manage compliance and risk
- Better protect value – proactively avoid risk events; reduce cost of violations
- Better perform – actively link risk and performance management and objectives
In order to do this, the platform must support the ability to analyze, manage and monitor. One key advantage SAP will have over GRC point solutions is in making the connection back to operational systems of record (think ERP). Not only is SAP uniquely positioned to do this with its own ERP solutions, but it is also proactively working with a partner (Greenlight Technologies : Solutions : SAP GRC Cross-Platform : RTA Design Studio for Access Control) to also connect to other business systems such as legacy applications and other commercially packaged solutions.
These are all great enhancements, and create an incredibly comprehensive solution and significant market advantage in turning a collection into a platform. The old SAP probably would have stopped here. But the new SAP took two additional steps.
While SAP has been concentrating on developing the GRC platform and focusing on the technology, management understands a platform is simply a tool. Nobody looks to buy a platform. They look to solve a business problem. So the value of these efforts will be lost if the customer cannot go that last mile to connect to the business, sometimes with very industry-specific requirements. And often that specific expertise must be both deep and broad. The proliferation of regulatory requirements alone these days makes it difficult for any one company to provide this level of knowledge and expertise across a wide range of businesses. So while SAP focuses on technology and platform, it lets partners focus on the domain expertise for consulting as well as the development of plug-in applications through its Ecohub (http://ecohub.sdn.sap.com/irj/ecohub/home ).
And finally, and likely most important for the customers, has been the active listening process. Eighty six customers from the GRC customer advisory council would not have showed up for a daylong meeting with product management and development if they did not feel their voice was being heard. In the course of these types of conversations, three things have emerged: the effort required to manage GRC, the elimination of manual processes and reduction of cost. While in the past SAP may have simply concentrated on offering those high profile but often under-utilized leading edge features, this time it also included a lot of the mundane and boring features that simply can lead to improved day-to-day efficiencies. As a result it has made GRC 10.0 much more appealing to its existing customers. In many cases, the customer can justify implementation based on just one new feature.
Each new customer that moves to GRC 10.0 will be another testament to the value of listening to the voice of the customer.