Skip to Content
Product Information
Author's profile photo Thomas Frenehard

GRC Tuesdays: What really is SAP Governance, Risk, and Compliance (GRC)? – Focus on the Enterprise Risk and Compliance pillar

In the previous blog in the series (GRC Tuesdays: What is really SAP Governance, Risk, and Compliance (GRC)?), I introduced the 4 pillars addressed by this solution area: Enterprise Risk and Compliance, Identity and Access Governance, Cybersecurity and Data Protection & Privacy and International Trade Management.

In this blog, and as its title suggests, I’ll focus on the solutions addressing the 1st pillar: Enterprise Risk and Compliance. Follow-up blogs will address the remaining pillars until I have provided you with a clear picture of the modules that compose this portfolio at SAP.


Enabling the Three Lines Model


First things first: why do we even have a solution area for this topic? The answer is quite simple and it is to enable organizations to implement and leverage an aligned Three Lines Model as recommended by many international associations.

With this approach, organizations are able to:

  • Provide one view of risk for real-time decision support. This is possible by sharing one single framework, methodology, and repository of risk and control data across the organization
  • Manage risks, controls, and regulatory requirements in business operations from a single source of truth. Since all information is shared, companies can further identify early warnings from key risk indicators and act before the risk exceeds target thresholds
  • Screen 3rd parties and detect anomalies and potential fraud, including by using predictive algorithms to identify new anomalous patterns and promote early detection
  • Enable continuous controls monitoring with automated alerts to manage by exception which is possible by using real-time checks embedded in business processes (i.e.: travel and expense, procure-to-pay, order-to-cash and more) to help ensure compliance


SAP Risk Management – Preserve & grow value


Features and functionalities:

* Plan risk management within the context of value to the organization

* Identify risks (including drivers and impacts), key risk indicators, and responses

* Analyze risk scenarios (qualitatively, quantitatively, or by scoring methods), model and simulate outcomes to understand exposure

* Respond to risk after balancing costs and benefits and launch workflow-driven responses with remediation tracking

* Monitor & report on risk thresholds, effectiveness of risk responses, and corrective actions


SAP Process Control – Control key processes and manage compliance


Features and functionalities:

* Document controls and policies centrally and map to key regulations

* Plan workflow-driven performance, assessments, and tests of effectiveness, but also distribute policies and related surveys

* Perform & monitor manual and automated controls, including continuous control monitoring of configurations, master data, transactions, and related changes

* Evaluate control design & effectiveness, but also raise and remediate issues

* Report compliance ratings, decisions and promote accountability with insightful analytics and sign-off


SAP Audit Management – Enhance audit quality and provide trusted insights


Features and functionalities:

* Managing audit activity by establishing a risk-based plan, prioritizing audit activities and aligning with the needs of the enterprise

* Planning the engagement by developing and documenting a plan for each engagement

* Performing the engagement by identifying, analyzing and documenting relevant information

* Communicating results on engagement objectives, scope, conclusions, findings, and recommendations

* Monitoring progress of results reported to management


SAP Business Integrity Screening – Detect fraud and investigate suspicious patterns faster


Features and functionalities:

* Design and determine the screening lists, analyze patterns, and define detection rules and models

* Set-up the detection strategy through simulation and calibration

* Detect by executing mass and/or real-time detection and stop anomalies or irregular transactions

* Investigate alerts with efficient evaluation, qualification and remediation of issues

* Analyze (key) performance indicators and create management reports


SAP Regulation Management by Pathlock (formerly known as Greenlight) – Maintain authoritative sources for multiple regulatory alerts and mandates


Features and functionalities:

* Intake regulatory changes by maintaining authoritative sources for multiple regulatory alerts and mandates

* Evaluate by identifying and addressing compliance gaps to meet new or changed regulatory requirements

* Collaborate to establish accountability and unify requirements and controls across operations and compliance stakeholders

* Monitor by aligning compliance requirements with operational activities and automate testing of controls

* Report to demonstrate comprehensive auditability of regulatory compliance

I hope this helps in introducing the Enterprise Risk and Compliance offering from SAP’s Governance, Risk, and Compliance portfolio.

As a reminder, you can find all the other blogs in this series listed below:

I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo sunny ponnar
      sunny ponnar

      Hello Thomas,

      These GRC Tuesdays blog series are very informative. Thank you!

      I am wondering whether SAP BPS Business Partner Screening solution will fit into the first pillar - Enterprise Risk and Compliance or the last pillar - International Trade Management.

      I will appreciate your thoughts and comments on this.




      Author's profile photo Thomas Frenehard
      Thomas Frenehard
      Blog Post Author

      Dear Sunny Ponnar,

      First of all, thank you very much for your kind message and very relevant comment.

      This is a great question indeed and apologies for the long response below but I tried to make sure that I would answer fully.

      The answer is actually yes and yes!

      More seriously, there are requirements for screening capabilities from stakeholders operating in both pillars, Enterprise Risk and Compliance & International Trade Management – but the business requirements and expectations will differ. As a result, at SAP we have decided to create different solutions to cater for these different needs.

      Concerning SAP Business Partner Screening (BPS), the capabilities of this solution have been included in SAP Business Integrity Screening (BIS) back in July 2017 when this solution was renamed.

      You may already know that, until then, SAP Business Integrity Screening was named “SAP Fraud Management”. Even though early customers of the solution used it for fraud detection and investigation, the solution can also be used (and is being used!) for other types of scenarios involving large volumes of data and transactions such as anomaly detection, errors, waste, non-compliant transactions and so on. The original name was therefore too narrow in scope so we decided to rename it. At the same time, we included the capabilities of SAP BPS so that we could offer our customers a complete solution that can analyze transactions and master data, and screen against specialized external lists (sanctioned parties, politically exposed persons) to help customers meet business integrity standards which is a terminology that is more and more used on the market by customers and partners alike.

      In this regards, screening capabilities fully belong to the Enterprise Risk and Compliance pillar indeed.

      Nevertheless, concerning International Trade Management, you are once again absolutely right: here as well there are business requirements for screening of restricted and/or sanctioned parties. But the focus is slightly different since the intent is really to improve compliance confidence with checks throughout the processing of sales and purchasing transactions.

      As a result, we have 2 screening modules in the International Trade Management pillar:

      * Sanctioned Party List Screening (SPL) capability in SAP Global Trade Services (GTS). This was actually the very first screening feature from SAP, and delivered as part of the larger SAP GTS solution.

      This capability focuses on screening business partners associated with sales and procurement transactions involving cross-border goods movements and has tight integration with operational transaction systems. There are also hard blocks placed on transaction with questionable partners and has pre-built integration to SAP ERP, SAP S/4HANA and SAP Transportation Management.

      * SAP Watch List Screening (WLS) is a standalone and Cloud-based screening service solution that was released more recently. It was developed with primary focus on SAP S/4HANA customers using embedded international trade capabilities and having a need for basic business partner screening. It has pre-built integration with S/4HANA and focuses on transactional screening in sales and procurement.

      As you can read, I agree with you that the business requirement for screening arises from both pillars – as you have rightly identified. At SAP, we have therefore decided to create different solutions, depending on the specific business need, to ensure that we cover them adequately and with the right features and functionalities.

      I hope this helps in better understanding.

      Of course, feel free to reply in case you have any additional questions or comments.

      Thank you once again for your feedback, it is much appreciated indeed!

      Kind regards,


      Author's profile photo sunny ponnar
      sunny ponnar

      Dear Thomas, Thank you very much for the detailed explanation. Appreciate it!!!