I still recall my first “meet the expert” session at SAPinsider in Las Vegas when I joined SAP nearly 8 years ago. I was the Solution Owner for Risk Management and ready to tackle any risk question from customers.
The first customer came and, to my question “which module of SAP GRC do you have?”, they answered “all of them” and then listed: “RAR, CUP, SPM and ERM”.
That’s when I realized that, by all modules, they actually meant all modules of their SAP Access Control version 5.3 solution: Risk Analysis and Remediation (RAR), Compliant User Provisioning (CUP), Superuser Privilege Management (SPM) and Enterprise Role Management (ERM). But certainly not all the solutions from the SAP Governance, Risk, and Compliance offering.
Interestingly, “SAP GRC = SAP Access Control” is still a misconception that I encounter very often, so I thought I would write this blog, and also a few follow-ups, to clarify what SAP GRC really is: a complete solution addressing multiple requirements.
Key Themes and Focus Areas
First things first: there’s not just one SAP GRC solution and there’s not just one GRC functional area.
SAP solutions for Governance, Risk and Compliance cover 4 pillars with 20+ modules:
Enterprise Risk and Compliance
The idea here is to support The Three Lines Model, linking operations, risk management, compliance, and internal audit.
To do so, the GRC solutions in this area enable organizations to:
* Document and monitor risks and regulatory compliance requirements as part of the enterprise risk management program
* Align risk management and controls with business objectives and best practices
* Establish policies and rate adherence and understanding
* Document and test controls, responses and recovery plans
* Audit business and security risks and controls to provide independent assurance
* Report and manage at the board level to help ensure awareness and status
Identity and Access Governance
Identity and access governance provides the key capabilities to manage system accounts and helps ensure the correct authorization assignments. With the SAP solutions for Identity and Access Governance, organizations can monitor and manage identities and control who has access to what information and processes within the organization, both in the cloud and on-premise.
The modules for this specific pillar enable organizations to optimize digital identities across the enterprise by:
* Reducing cost and improving security with identity management and automated provisioning
* Managing access for enterprise applications with role- and/or attribute-based controls
* Enabling greater user productivity by eliminating excessive logins with single sign-on
* Reducing audit costs by quantifying the financial impact of access risk violations
* Supporting superuser account access with monitoring and integrated log review workflow
Cybersecurity, Data Protection, and Privacy
Customers can use the solutions from the Cybersecurity, Data Protection, and Privacy pillar for threat monitoring, data controlling, and privacy management.
The solutions for this pillar are designed to secure the organization’s core applications by:
* Managing cyber risk with greater alignment to information security standards
* Identifying potential cyber threats sooner at the application layer with real-time pattern detection
* Enabling greater control with sensitive data masking and logging
* Creating and enforcing public Cloud data access, location, movement, and processing policies.
International Trade Management
With solutions from the international trade management pillar, organizations can screen trading partners, reduce the risk of penalties and fines, and clear inbound and outbound customs quickly.
Solutions in this pillar enable customers to:
* Automate trade processes for imports and exports and screen third parties for improved compliance and efficiency
* Use free trade agreements to drive bottom-line savings
* Manage special customs procedures such as e-filing, bonded warehouses, trade processing in China, and foreign trade zones to optimize duty rates
* Centralize international trade on a single platform to drive consistency across global operations
One View of Risk Across the Enterprise
Offering dedicated modules for each area has one great advantage: we don’t compromise on features or capabilities. But it can have one downside in that it could create functional silos.
In addition to logical integration points between the different solutions, another great capability is to be able to align the Governance, Risk, and Compliance framework with business value drivers.
With the Digital Boardroom, users can get one view of business objectives linked to related risks, controls, and issues, as illustrated in the screenshots above.
Drill-Down into Each Pillar
Since the format of GRC Tuesdays is for short blog posts, I thought I would stop here for today and follow this blog with 4 other posts, each focusing on one of the pillars from the SAP GRC solution offering mentioned above.
So, keep an eye on this series if you are interested in learning more!
I’ve added below the release schedule for these blogs and will update it with the links when they are published:
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Enterprise Risk and Compliance pillar (released on 20/04/2021)
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Identity and Access Governance pillar (released on 04/05/2021)
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Cybersecurity, Data Protection, and Privacy pillar (released on 18/05/2021)
- GRC Tuesdays – What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the International Trade Management pillar (released on 01/06/2021)
I hope this helps in introducing the topic and the SAP offering for Governance, Risk, and Compliance. I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard