In the past, many Governance, Risk, and Compliance (GRC) tools have primarily focused on increasing the degree to which the platform was embedded in the organization – how many processes were covered, how many systems were integrated, etc. Recently, the integration of reporting / BI has gained importance – as seen in the latest release of SAP’s GRC suite – making the results of the related analysis more understandable to a greater number of people. Despite its fundamental significance, however, GRC has often failed to infiltrate the entire enterprise – many layers in the hierarchy / organization unfortunately view the related corporate policies / activities as something foreign to their daily routine. The necessary change management is often difficult, and many employees don’t understand how / why such policies impact them.

The question is: why aren’t GRC platforms able to penetrate the organization more successfully? Is the limited degree of participation based on corporate culture, or is the involved technology at fault? Increased collaboration in the form of Social GRC might assist in solving these problems.

Social GRC 

I first heard the term “Social GRC” from a tweet from SAP partner su_53 announcing a blog on this subject. Although I’ve written about GRC in the past (see “The relationship between GRC and Processes: A deep dive into SAP’s current offerings”), I had never thought about possible enhancements that would increase the collaborative potential of such environments.

A quick Google search on “Social GRC” returned only 324 hits of which only two were really relevant! Compare these search results with those for “Social BPM” where there are 54,000 hits. Hmm – I was intrigued by this difference. Why were there so few results for Social GRC?

An initial Definition

Note: Social GRC doesn’t concern the monitoring of Social Media (Facebook, Twitter, etc) to assure compliance to various laws, etc – that is an entirely different topic.

For me, Social GRC is the intention of increasing the participation in GRC-related activities using Web 2.0 technologies / design features that originate in the consumer space and are now gaining increasing importance in enterprises.

Learning from Social BPM

What is very interesting is that many descriptions of Social BPM are also useful to achieve a better understanding / definition of Social GRC. One example is a Leadership BPM blog which suggests that the current BPM-related toolsets really don’t reflect how knowledge workers work and make decisions. 

Participation in a business process, too, is “social” in nature. The participants of the process are members of a team who often want to discuss and collaborate with each other and want to know what other participants are thinking. In many cases they want the ability to use the thoughts and feedback of others to change and improve their own actions in a process. Today, most BPM solutions provide a structured way of doing work, using a factory automation metaphor. But knowledge workers who participate in processes are not automatons working on a factory floor. Instead they are humans with the need to learn and to satisfy emotional needs. They find too much structure imposed by rigid BPM solutions to be an impediment rather than a facilitator. When the process becomes an impediment, these knowledge workers will find ways to bypass the rigidity of structured BPM and work around it. This defeats the whole purpose of BPM.

If you replace “BPM” with “GRC”, you will find that the quote is still relevant. Of course, a comparison of BPM and GRC might not be easily made – a process is a very general concept, while GRC is more specific and includes processes but also includes other influences. Regardless, both involve attempts to describe / define some aspect of the corporate “world”. Both activities involve individuals from Business and Corporate IT acting in different roles and collaborating using different tools. How does collaboration between these different roles take place – how democratic is this collaboration?

Introducing the Bow-Tie Modeler in SAP’s GRC 10.0

During a recent meeting with bloggers, SAP’s Jim Dunham described the upcoming changes in GRC 10.0. As he described some of the new features, one new development in particular caught my attention. Starting with the new release, there is now a Bow-Tie modeling tool that allows business users to more easily understand the background associated with a risk as well as the impact of the risk.

What is a Bow-Tie Diagram? 

“The bow tie technique is a graphic approach for the implementation of this approach to risk management. It assists the identification and recording hazard scenarios, the causes and consequences of a hazard scenario, the barriers available and their effectiveness. Colour coding of causes, consequences and barriers provides a visual aid for assessing whether sufficient barriers have been implemented.” [Source]

The Bow Tie Modeler 

The Bow-Tie modeler is based on this type of diagram and quickly displays a risk and its context in a manner that non-experts can understand. Here is the description of the tool from analyst Robert Kugel: 

It provides a framework within which individuals can more readily construct risk definitions and assessments. It enables people to work collaboratively using a common language. It enforces consistency where it’s needed yet allows for ongoing flexibility when it’s called for. And it can simplify the process of automating the links between risks, the metrics associated with measuring those risks, the data used for the measurement process and the context in which a risk is to be assessed. [SOURCE]

 Note: I’m at a little bit of a disadvantage, because I’ve never actually used the Bow-Tie editor – I’ve just seen the video, read a few blogs and seen a few screenshots.

I was intrigued by this tool, because it represented a focus on collaboration in GRC products that was previously unfamiliar to me. GRC Analyst Norman Marks describes this bow-tie technique as being primarily used by advanced users. In my opinion, this tool represents a first step in making this technology accessible for the masses. The whole purpose of this tool is to give more users – regardless of their expertise – the ability to understand and create risks.

However, despite its good intentions, the Bow-Tie modeler is still far from achieving the goals of Social GRC. In order to better define the existing gaps, I’d like to compare this modeler with another tool that represents the best characteristics of Social BPM. The goal of this comparison is not to belittle the efforts of SAP’s GRC product group but rather to illustrate how they might improve the tool to further increase participation. 

Note: There are other aspects of the SAP GRC 10.0 that have social characteristics as well. For example, partners now have the ability to place GRC-related content in the EcoHub. In this environment, the community can also rate these solutions.

This solution, however, is inherent in EcoHub rather than being specific to the new GRC release.

A comparison with the new Collaborative Process Modeler 

As I heard Jim describing the Bow-Tie modeler, I realized that there were similarities to SAP’s Collaborative Process Modeler – codename “Gravity” – which is now available for beta users (see “Sketching the process to making a good decision – and then executing on it”).

What it offers is the ability to model process flows graphically and intuitively. And not just you, but the others in the StreamWork activity can work on the same process at the same time without the discontinuity of having to use additional tooling to get this collaboration working. So if you are presenting a suggested process flow to other experts (and experts are typically widely dispersed and difficult to buttonhole down for meetings) and one of the experts suggests a change, there is no awkward “hang on will I try to give you control in this web conference” – they just reshuffle the shapes themselves. Not happy with the changes? Just undo. It’s as simple as that. They can comment, rearrange, add process steps, new paths… there is virtually no limit to what can be done.

Note: The Collaborative Process Modeler is currently in beta and features may change before a release occurs. I’ve been lucky to be part of the Design Partner Council and a smaller group of SAP Mentors who have been able to assess the tool.

The new version of Collaborative Process Modeler – many of us remember the older version and its origins in Google Wave – has been embedded in StreamWork and now takes full advantage of the functionality in this environment.

At first glance, both tools provide modeling environments that facilitate greater participation of Business in activities that are usually considered too difficult or complex for non-experts – indeed are often the territory of Corporate IT or external consultants.

Note: It is important to make a distinction between collaborative modeling tools, such as the Collaborative Process Modeler and the Bow-Tie modeler, and other corporate applications – such as SalesOnDemand – which are directed more towards end-users. Although both types of applications focus on enterprise users and place great emphasis on their “social” features, the use cases involved are totally different.

A Comparison 

I’d like to compare the two tools and focus on their collaborative characteristics.

Note: I’m not going to concentrate on the BPM-related function of the Collaborative Process Modeler (CPC) – I’m sure others will do this in later blogs – but rather on its “social” characteristics.




| | Collaborative Process Modeler | Bow-Tie Modeler |
|---|---|---|
| Collaborative Embedding | Embedded in StreamWork | Appears to be a standalone tool |
| Model Updates | Data is pushed to all participants online simultaneously, so that users get updates in real-time | Looks like a manual refresh is necessary |
| | Users may comment on the diagram and other users see the comments | No comments appear to be possible |
| | – Access to the Social Map of the StreamWork activity via contributor list; – Manual integration with NetWeaver BPM via BPMN export | – Data is pulled from GRC framework |
| Wiki-related functions | Changes from different users have different colors so that it is possible to see who has changed what. | Not available. |
| User Interface | Simple UI that enables users with various levels of expertise to create processes | Simple UI that enables users with various levels of expertise to create risks |
| | Users can mark interesting parts of the process with a highlighter | |
| | Uses the embedded Chat functionality from StreamWork so that users can discuss the model in real-time | |


It must also be said that some of the collaborative functionality that the Collaborative Process Modeler offers is based on its integration in StreamWork – StreamWork offers this functionality to any business method present on the platform (i.e., OpenSocial Gadgets) – but the Collaborative Process Modeler also offers other functions that are not StreamWork-based but originate in its own implementation.


GRC is an important topic in any organization. If Social GRC features were added to the various tools, the level of participation in such activities would definitely increase. Of course, it is also important to state that not all tools in GRC portfolios should be retrofitted with such collaborative features. Product managers should examine the related use cases to see which tools might be enhanced by such features.

Although this blog has focused on the Bow-Tie Modeler, there are other means to achieve Social GRC functionality.  

  • For example, the ability to use BI to create visualizations of GRC data that can be easily embedded in existing processes is an important feature of this new release; it will increase the awareness of such measures and also ease the usage of such data in corporate decision-making. However, this use case is usually read-only – the intended audience can’t manipulate the risk. One interesting Social GRC-related change might be to allow users to comment on the diagram and then have others see the changes in real-time. A quick aside: Embedding BI diagrams with GRC-related data (perhaps via BIOnDemand) in StreamWork would be an easy method to further increase the usage of this data.
  • Another idea would be to have GRC components add their events (compliance violations, changes in risks, etc) to an activity stream – so that users could follow these events and comment on them.  I’ve used Apache ESME as the activity stream platform but it would also be possible to post such messages just as easily to StreamWork.

1 Comment

  1. Alan Rickayzen
    Hi D,
    That’s a refreshing comparison. And thanks for including a link to show how to join the beta for the collaborative process modeling tool.

    I’ll update with a video to show the steps just to make it clear.

