Lawson/Infor Address GRC Gap With Approva Acquisition

On September 1, 2011 Lawson Software Americas, Inc., an Infor affiliate, completed the acquisition of Approva® Corporation. In doing so, the combined companies add a component previously missing from their product portfolio to address a growing need for Governance, Risk and Compliance (GRC). At the time of the Lawson acquisition in July 2011, Infor promised a fast pace of development and delivery of deeper industry-specific features for key industries. This move signals that Infor is serious about investment in establishing itself as a leader in the enterprise software industry. Integrating yet another company before the dust has even settled from the prior one is an aggressive move that is not without risk. Yet managing risk is what this merger is all about.

Approva Key Facts

  • Founded in 2002
  • 200+ Customers – including Fortune 500 leaders in key verticals
  • 190 Employees
  • Headquarters in Herndon, VA
  • 120+ employees in Pune, India
  • Previously owned by four VCs – Sierra Ventures, Novak Biddle, NEA, and Columbia Capital

 

Identifying the Need

High profile scandals of the past decade, increased regulatory requirements and security and privacy issues that come with the age of connectivity have heightened the need for all three elements of the broad category of Governance, Risk and Compliance. And yet most companies today still rely on manual processes and have done little to automate controls. This condition itself adds a level of risk in being able to detect fraud, comply with reporting requirements efficiently and perform internal audits in order to prepare for the external ones.

The Enterprise Resource Planning (ERP) solutions offered by both Lawson and Infor are a focal point for gathering data and recording transactions that need to be monitored but do not provide the level of monitoring and control required for GRC purposes. However, to be fair, most ERP solution providers today, with the exception of SAP and Oracle, suffer from the same deficiency.

The Mint Jutras 2011 ERP Solution study looked beyond the realm of core ERP modules and investigated current and planned adoption of 20 different extensions to ERP. These are additional applications which might (or might not) be integrated with ERP. One of the categories included was GRC applications.

Figure 1 compares the current and planned adoption of World Class ERP implementations with that of all others not achieving this status. To define “World Class” we use a broad spectrum of metrics. While the study also measures additional key performance indicators (KPIs) that are specific to different industries, we limit the World Class definition to those which can be universally applied to all companies. The definition of World Class performance is based on a composite of three different categories of metrics: results, progress in achieving goals and current performance.

While adoption rates are relatively low (39% for World Class and 16% for all others), World Class ERP implementations are almost 143% more likely to include one or more elements of GRC and 86% less likely to have no plans for adoption.

GRC is a broad category and can mean different things to different constituents in any organization. For the office of the Chief Financial Officer (CFO) “risk” generally refers to both financial risk and the financial impact of operational risks that can be caused by both internal and external factors. Those operational risks can include Information Technology (IT), which largely centers around IT security.

Approva positions its application as Continuous Controls Monitoring (CCM), which is all about monitoring what users “can do” and then analyzing what they “did do” in financial and business systems. Sitting outside the ERP solution, between the corporate governance layers and the underlying IT infrastructure, allows it to provide cross-platform monitoring across any number of different applications.

It has been the experience of Mint Jutras that most companies embarking on implementation of any GRC solution are most likely to start by implementing access control, whether driven by the need for segregation of duties (SOD), security or just good management practices, or for all three purposes. Most modern enterprise applications today are able to secure access to individual functions in the application, and more and more of them are able to secure access to particular data (e.g. a sales representative can only access order status for his or her own customers, or warehouse personnel can only enter inventory transactions for that warehouse). However, these controls are confined to a particular application. What happens when an individual is allowed to add vendors in one particular application but payments are processed by a different application? Without cross-application visibility, there is risk of the same individual creating a vendor in one application and paying the same vendor from another.
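The vendor-and-payment scenario above can be expressed as a small cross-application check. This is an added example, not Approva's product logic or code from the original article; the application names, account names, permission strings, employee ids and sample records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: every name and id below is hypothetical.
# Each application has its own account names, so accounts map to one person.
IDENTITY = {("procurement", "jdoe"): "E1001", ("payables", "john.doe"): "E1001",
            ("procurement", "asmith"): "E1002", ("payables", "blee"): "E1003"}
# What users "can do": (application, account, permission)
ENTITLEMENTS = [("procurement", "jdoe", "vendor.create"),
                ("payables", "john.doe", "payment.release"),
                ("procurement", "asmith", "vendor.create"),
                ("payables", "blee", "payment.release")]
# What users "did do": (application, account, action, vendor id)
ACTIVITY = [("procurement", "jdoe", "vendor.create", "V-77"),
            ("payables", "john.doe", "payment.release", "V-77"),
            ("procurement", "asmith", "vendor.create", "V-78"),
            ("payables", "blee", "payment.release", "V-78")]
# Two duties that one person should not hold together.
SOD_RULE = ("vendor.create", "payment.release")

def resolve(app, account, identity):
    # Unmapped accounts stay visible as their own identity instead of being dropped.
    return identity.get((app, account), f"unmapped:{app}/{account}")

def can_do_conflicts(entitlements, identity, rule=SOD_RULE):
    """People whose combined access across all applications covers both duties."""
    held = defaultdict(set)
    for app, account, perm in entitlements:
        held[resolve(app, account, identity)].add(perm)
    return sorted(p for p, perms in held.items() if set(rule) <= perms)

def did_do_conflicts(activity, identity, rule=SOD_RULE):
    """(person, vendor) pairs where one person performed both duties on a vendor."""
    done = defaultdict(set)
    for app, account, action, vendor in activity:
        done[(resolve(app, account, identity), vendor)].add(action)
    return sorted(k for k, actions in done.items() if set(rule) <= actions)

if __name__ == "__main__":
    print("can do:", can_do_conflicts(ENTITLEMENTS, IDENTITY))
    print("did do:", did_do_conflicts(ACTIVITY, IDENTITY))
```

Running the same check on one application's entitlements alone reports nothing, which is the visibility gap the paragraph describes.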

The folks from Lawson tell me that while their customers have not articulated the need using references and terms like “access control”, indeed they have identified the need to better support internal audits. A CCM solution directly addresses this concern.

Why Lawson?

So, given that Lawson is the “newbie” in the Infor family, why did Approva land here? The answer has much more to do with the original Lawson S3 legacy than its acquired M3 (Intentia Movex) product line. Selling to and servicing the office of the CFO has always been Lawson’s strong suit. The addition of Infor’s Corporate Performance Management (CPM) suite only added to that strength and there is significant potential with the ION suite. “Infor ION at the Center of Providing Immediate Value to Lawson and Infor” speaks to this potential.

Lawson is also the home for products that specifically address two of the industry sectors most sensitive to GRC issues today – healthcare (and associated HIPAA requirements) and the highly visible public sector. Approva fills a notable gap in addressing these issues.

Two Distinct Markets

This begs the question of whom and what will be the target market for the acquired CCM product. It would seem there would be two separate and distinct targets.

First of all, there is the cross-sell and up-sell opportunity in the existing Lawson and Infor installed bases. Since there is no product in the current portfolio that competes in any way, there seems to be ample opportunity here. The Lawson S3 base would appear to have the most low-hanging fruit. Lawson already has a relationship with those most likely to perceive the need for this solution, and also those that control the budget which would fund the investment – namely the office of the CFO. And, according to Lawson’s Darci Snyder, Director FS and Public Sector Product Management, its customer base has been asking them to fulfill that need.

Whether the remaining customers using Lawson M3 and other Infor products see that same need remains to be seen. To date, large enterprises have been most likely to invest in GRC solutions. Smaller companies don’t have deep pockets when it comes to investments in GRC or CCM, and while Infor’s customer base does include very large corporations, it also includes small and midsize companies.

Lawson has always taken a very industry focused approach in its product development and its marketing. Expect to see this industry focus spread through all the Infor product lines over the coming months. This focus had already begun before the Lawson acquisition across 10 specific industries and the acquisition simply added three more industries. Lawson and Infor are already working to integrate Approva’s applications into existing financial suites (yes, there are still multiple) and to address industry-specific requirements. So adding CCM as a feature/function to those solutions will be a priority and will simply give representatives selling these solutions more to offer.

Yet the cross-platform, cross-application capabilities of Approva have always been its strength and therefore it would not be in Lawson/Infor’s best interest to walk away from that business. And while there is some overlap in customers, there are a lot of Approva customers running applications that are in neither the Lawson nor Infor portfolio. It has an obligation to those companies as well. Yet expecting the existing sales teams that are focused on selling a complete ERP solution to be successful selling stand-alone CCM is unrealistic…which brings us to questions that are normally associated with any acquisition.

Integrating the Companies

How will Approva be integrated into the Lawson/Infor corporate structure and strategy? It is still too early in that process to answer all the burning questions about branding and about sales, and even development teams. It would certainly make sense to have a dedicated team that specializes in marketing and selling this type of solution, since Lawson/Infor does not have experience in this realm. Yet this may be entirely separate or managed more as an overlay team.

Infor has already broken rank, so to speak, in absorbing Lawson. Infor combined Lawson with SoftBrands, Inc., an affiliate company which was acquired back in 2009. This represented a bit of a divergence from past acquisition strategies. Until it acquired SoftBrands, Infor had generally executed mergers where the staff was fully integrated and the acquired company’s brand was subsumed by the Infor brand. The combination of SoftBrands and Lawson seemed to simply be an internal organizational decision that has nothing to do with branding, selling or supporting, and Lawson staff does appear to be working closely with their counterparts on the Infor side. Now Approva is being included in the SoftBrands/Lawson affiliate company. It remains to be seen whether the Approva brand will survive and what level of integration we’ll see in the coming months.

Summary and Key Takeaways

In summary, CCM is a logical extension to the Lawson and Infor applications. The product itself is complementary to financial applications, and indeed fills a gap that at least some of the company’s customers have noted. This provides opportunity to Lawson/Infor in allowing sales teams to add functionality and intelligence into existing accounts.

Infor is committed to developing and deploying industry-specific functionality, allowing for a tighter fit with the existing customer base and sales teams while creating a complete solution that is broad, deep and industry-focused, yet can still compete in the office of the CFO.

Yet preserving a level of independence will be necessary if Infor wants to continue to be able to sell stand-alone CCM and also maintain the loyalty of the Approva customer base.

This move was quick and aggressive, given the very recent acquisition of Lawson by Infor. All eyes will be on managing the risks associated with this type of bold move.

 
