Last week after getting back from SAP’s Sapphire 2007 conference in Vienna I had to complete some work on a book project, which meant I didn’t get a chance to document much from the conference. One of the areas I want to comment on is Governance Risk and Compliance (GRC).
One of the SAP executives that took the time to come down and meet the bloggers was Amit Chatterjee, who heads up SAP’s GRC business unit. Amit, who blogs here, is an engaging character, with the invaluable knack of getting a hotel bar to continue serving drinks long after they have called last orders. I am sure there is a metaphor for compliance in there somewhere…
The Category Killer
What is SAP trying to achieve with GRC? Nothing less than turning a buzzword into a category killer. GRC could be the first significant new packaged application of the 21st century- at least in the Fortune 2000 customer base. And there was me thinking the days of Big Three Letter Acronym software sales was over…”S-O-A Killed The Packaged App Star”. Maybe not.
SAP put a clear stake in the ground for GRC leadership when it acquired Virsa last year and the numbers are beginning to look pretty good. No startup has emerged from the pack though there are a host of compliance specialists such as Open Text, Paisley Software, Protivity etc – in the market, and newer entrants such as iWay. Amit said:
“We want to be the Siebel of GRC.”
But not get acquired by Oracle obviously. So what does SAP’s GRC’ momentum look like?
- Amit claims the last fiscal quarter saw 300% growth.
- A year ago SAP had 800 customers, now it has 1800…
“I close more deals in a quarter than my competitors ever have…”
That’s Amit sounding like the Shai Agassi protege he is… He also offered some eye popping stats about the ever increasing regulatory burden, and the need for compliance oriented architecture services.
- PwC apparently estimates there have been 114k new US regulations since the Reagan Administration
Cisco As A Flagship
Cisco chose GRC as a platform, even though it’s a wall to wall Oracle apps shop. I don’t know anything about this claim but I aim to follow it up. Very interesting.
Competition for the GRC dollar
IBM’s efforts have been fragmented until earlier this month when IBM announced its own GRC program. Oracle meanwhile has plenty of integration work on its hands before it can really offer GRC as a package, although it has many valuable piece parts. Arguably IBM and Oracle are better positioned for data governance, but that’s not the same thing as corporate governance. IBM has done some notable work in the Basel 2 data analysis space. One area the fight is likely to be particularly fierce in content management, a core GRC technology.
Interestingly we haven’t heard much from Microsoft yet about GRC, which is ironic given the company’s recent history, with billions of dollars handed to competitors in out of court settlements around antitrust issues. It would also be foolish to ignore EMC in GRC market. Its Documentum subsidiary was after all the first major compliance vendor, having grown on the back of pharmaceutical industry regulatory reporting.
Compliance as Documentation problem
One of the misconceptions about compliance is that its all a workflow problem. The error of confusing Sarbanes-Oxley with compliance has encouraged this confusion. It’s about corporate officer sign off, right?
One of the most important aspects of compliance is the documentation of business and operational controls. An organisation that can effectively report on its controls is always in better shape when the regulators or auditors come knocking. Controls management is key to compliance. Well documented controls can actually be more useful than good controls. This is true of both US-style ticklist compliance and European style principle based regulation. ..
Chatterjee said SAP offers a repository for documentation and process control product for Sarbanes-Oxley 404 compliance. SAP will compete with the likes of IBM, Open Text and Stellent here. I wouldn’t rule of an SAP acquisition to accelerate its content management capabilities.
Risk Management as Corporate Cashback
GRC is about Enterprise Risk Planning, and better risk management drives greater profitability. The better an organisation understands its risks the smarter its investment decisions. One of the core tenets of the Basel 2 standard, for example, is that companies can reduce their allocation of funds to hedge risk because they better understand their exposures, and so free up funds up to invest in the business.
I recently canceled a monthly insurance payment that would cover my mortgage if I became unemployed. One day I said to myself “this is stupid – RedMonk is solid.” The injection of cash into my current account is most welcome. Businesses face similar issues and opportunities on a larger scale every day.
Say you’re GE and you keep getting fined for environmental pollution in the Hudson River in New York. What do you do? Clean up your act, right? Not necessarily, not if you’re making millions of dollars a year at a plant, but only get fined minor sums, say $5k a time, for dumping pollutants into the river. Its not worth investing in a cleaner plant, even if things get so bad a $5m fine kicks in. In this case shareholder value is best served by paying a regular stipend to the Environmental Protection Agency (EPA). That’s risk management. Under the Bush administration the EPA has been like an old man without his dentures, but that’s a different story. For a brilliant analysis of the the counterbalancing forces driving cold-eyed corporate decision-making read The Corporation. Eventually pollution becomes PR opportunity.
In risk management SAP competitors include IBM and Hyperion. Other notables in the market include FairIsaac.
Built to Last: On Corporate Sustainability
I am pretty skeptical of Corporate Social Responsibility (CSR) – witness for example the variance between BP’s public statements and its investment behaviour and safety record. But it would be silly to dismiss the real impacts in the world CSR can have on share price, ability to hire great people, creating better environmental outcomes and so on. The brightest graduates don’t say to themselves: “how can I get a job at a major polluter?”
One interesting take Amit put forward at Sapphire was that CSR meets GRC in what he calls “corporate sustainability”. As I understood it that means taking a long term view of the corporation’s goals, in a wider context that the often surprisingly nebulous “shareholder value”.
I was gobsmacked when Amit started arguing for the value of including unions in corporate strategy. That’s something you don’t hear every day from a software company executive. In fact you usually don’t hear that any day from a software exec. Amit was talking about the need to bring unions onboard for companies wanting to successfully trade in China, but the perspective was still intriguing, and quite Germanic it might be said. German companies take a long view. They invest in skills and education. Unions are part of the body corporate in a way that scares the pants off most American business people. If I had a euro for every time someone in the software industry bitched about German employment law I would be a very rich man indeed. Of course as VW showed union reps are just as prone to – ahem- risky behaviour as anyone else. But the facts on the ground as I see it are that Germany’s economy is in ruder health than its often given credit for. Who is building the screens for the new iPhone- a German firm. Who is competing with the Japanese in the car industry? More than one German firm. Then there is a certain leading software company with its own works council. SAP is not a company that plays for the short term.
Emissions and Profits
Amit also linked corporate sustainability to SAP’s partnership with a company called Teknidata, which offers carbon emission tracking software. I find it refreshing to see a tech firm with a decent green story beyond the green data center. SAP plays an incredibly important role in the global supply chain and therefore any carbon awareness it can drive is extremely welcome. Good PR? Absolutely. But green can also drive efficiency, whatever the nattering nabobs of neocon negativism say.
SAP worked with Teknidata to build SAP x-emissions management software, to help companies establish whether they are actually carbon neutral or not. They are also now working together on software to help with the REACH standard in the chemicals industry.
Compliance: A wider view
One of the characteristics of SAP’s GRC strategy is that its taking a wide view of the problem. Sarbanes-Oxley is just one regulation of many that companies need to deal with. In pharma, FDA approval is still the real bugbear. According to Amit at one UK pharma company – for every one SOX dollar they spend, they spend $10 on FDA approval. SOX is far from the be all and end all.
Thus in risk management, SAP is now moving into the content inspection market through a deal with Cisco for network sniffing tools as part of the Cisco SONA architecture. The biggest risks in corporate information flows comes from insiders, whether by accident or design. Ensuring that information which is supposed to remain with the corporate walls does so can be extremely valuable. In fact thinking about it this could be also an opportunity to deepen the Adobe SAP relationship. Adobe has some notable information control products in the shape of its LifeCycle portfolio.
Of course its obvious that SAP would never take an approach that just solved one compliance problem- if a problem is worth solving its worth generalising and solving from end to end. I plan to dig further into GRC over the next few months but I want to get this out there as a Sapphire write up.