How Does SAP Enable World-Class GRC Processes?

By Norman Marks, Vice President, Governance, Risk, and Compliance for SAP BusinessObjects



I have been writing for a while now (here and here) about what this term “GRC” really means. While the definition on CFO.com was fun – an academic definition of the word ‘mess’ – there is a serious meaning as well.

I prefer and advocate the OCEG definition of GRC. I would like to see the community agree on this:

“A system of people, processes and technology that enables an organization to:

  • understand and prioritize stakeholder expectations;
  • set business objectives that are congruent with values and risks;
  • achieve objectives while optimizing risk profile and protecting value;
  • operate within legal, contractual, internal, social and ethical boundaries;
  • provide relevant, reliable and timely information to appropriate stakeholders; and
  • enable the measurement of the performance and effectiveness of the system.”

I have also explained why I believe there is value in talking about GRC. See this post.

But, what does my employer, SAP, provide for organizations seeking to improve their GRC processes?

First, let’s examine what OCEG lists as processes included in GRC and which are supported by SAP solutions:

Process Supported?

  • Strategy and Business Performance Management
  • Risk Management
  • Internal Control
  • Corporate Security
  • Information Technology
  • Business Ethics
  • Sustainability and Corporate Social Responsibility
  • Quality Management
  • Human Capital and Culture
  • Audit and Assurance

Admittedly, SAP’s solutions don’t cover every process equally. Some are addressed in depth (such as Finance and Risk Management) and others in less detail (such as Business Ethics).

This is why I always advise people to address their needs and the business problems they are trying to solve, rather than try to find a single “GRC solution”. I don’t believe in a single “GRC platform” unless you are talking about something like SAP’s NetWeaver, which is the foundation on which SAP’s various solutions reside.

Points for your consideration:

  • The core for me of GRC is strategy: developing it at the board and top management level, cascading it through the organization so everybody is working to the same goals, linking individual MBO and incentives, linking to risks, and managing performance. SAP has an excellent solution: SAP BusinessObjects Strategy Management (SM)
  • Performance management is a key element of GRC, although often overlooked. SAP has a number of related solutions in its SAP BusinessObjects Enterprise Performance Management suite
  • In order to develop intelligent strategy and manage the business, you need information. SAP leads the way with its SAP BusinessObjects business intelligence solutions (BI)
  • Risk management follows. Risks can be identified using a top-down approach (i.e., risks to strategy, goals and objectives) or a bottom-up approach (e.g., from interviews and surveys). SAP BusinessObjects Risk Management (RM) supports both approaches, for all forms of risk, and risks in RM can be linked to SM for a complete view of risks and strategies
  • In order to manage risks, you have to understand, assess, and test controls – both manual and automated. This can be done using SAP BusinessObjects Process Control (PC), which is integrated with RM so you can do top-down and risk-based controls assessment and testing
  • Controls over the important risk area of access to the ERP are enhanced and monitored by products like SAP’s BusinessObjects Access Control (AC) – formerly known as Virsa
  • One popular topic in the GRC area is continuous control monitoring or auditing (CCM). PC is the primary solution for CCM, and especially powerful when combined with AC and the power of BI for data analytics
  • Compliance is a massive area, and I don’t know of anybody that addresses every global law and regulation. Certainly, solutions like RM enable a risk-based approach to compliance, but many areas need specialized solutions. SAP has several, such as those for global trade compliance and environmental, health, and safety compliance
  • Audit is included in most people’s list of GRC functions. SAP has many solutions with functionality for internal audit, including data analytics (BI), risk monitoring (RM), continuous auditing (PC, BI, and AC), and audit management (through its NetWeaver audit management functionality)
  • Core to Governance is the effectiveness of the ‘control environment’ (as described in the COSO internal control framework). This includes the ‘tone at the top’ and human resources practices such as hiring, employee performance management, etc. SAP is a leader in solutions for human resources

I could continue talking about all the other solutions for GRC processes, including features in SAP’s ERP products. But, there’s a limit on my and your patience. Let’s just say that the list of solutions for GRC processes is long and leave it at that!
