**UPDATE: I found this old post of mine in my personal space and decided to move it to the GRC space. It is several years old but still timely**
Perhaps you are familiar with the fable of the 12 blind men and the elephant. Each blind person holds onto a different portion of the elephant’s anatomy and in turn declares that the elephant is like that part: a snake, a tree trunk, and so on. None of them is able to see and appreciate the whole elephant in its complexity. This is not to suggest that people in our organizations are blind, but merely to offer that it can be easy to miss the full range of SAP’s Business Objects GRC solution, particularly if supporting or using only one or two of the components.
The question of who owns GRC came up in discussions during last weekend’s ASUG Education Planning Summit, about which Jim Spath has already shared some of his thoughts (Planning 2010, teamwork, and community building). I’ve continued to mull over the question, because it strikes me as one that is simultaneously simple and complex.
If you start thinking about risk, the list of risks our enterprises face seems endless. Nearly every facet of an organization engages in activities with some element of risk: supply chain partners unable to supply critical materials, fraudulent accounts payable and receivable, shady accounting practices concerning joint ventures or other entities (think: Enron), risks to the company’s reputation and “good will” (think: Toyota), business disruption due to technology outage or natural disasters; the list goes on. In that sense, every member of an enterprise faces risks of some level and must be cognizant of the mitigations to those risks. At the end of the day, the executives of the C-suite are accountable for ensuring that appropriate precautions have been taken, appropriate for the organization’s appetite for risk, and the Risk Management dashboard can help them get a high-level view of the current state.
The organization where I work has been using the Global Trade Services (GTS) solution for several years now. I’m not sure if our Export Compliance people are aware that GTS is now considered to be part of the GRC Suite, but I do know that to them, it is a key compliance tool and an integral part of the import and export business processes.
Security and internal controls people may think of the Access Control module as the “real” GRC, but again, it is just one component of the solution. Who owns the segregation of duties (SOD) and other rules? In our organization, it is the SAP Controls group who owns and maintains the SOD rule sets, but security personnel are keenly aware of the importance of complying with these controls, and the business units must own and take responsibility for their own SOD mitigations.
I haven’t yet mentioned Process Control and Environment, Health, and Safety Management, additional components of SAP’s GRC Suite, both of which can be utilized by various segments of an organization as well as external partners such as external auditors. It seems to me that, while different departments may take the lead as the primary users of the various components, mitigating risks and ensuring compliance are everyone’s responsibility. In my opinion, the biggest risk is the assumption that compliance is someone else’s job. Your organization’s Code of Business Conduct can help reinforce the message that compliance is everyone’s responsibility, so that no one can claim ignorance of the importance of compliance at all levels.