James Governor's Monkchips

SAP Groks Governance Risk and Compliance: the new ERP


Last week after getting back from SAP’s Sapphire 2007 conference in Vienna I had to complete some work on a book project, which meant I didn’t get a chance to document much from the conference. One of the areas I want to comment on is Governance Risk and Compliance (GRC).

One of the SAP executives that took the time to come down and meet the bloggers was Amit Chatterjee, who heads up SAP’s GRC business unit. Amit, who blogs here, is an engaging character, with the invaluable knack of getting a hotel bar to continue serving drinks long after they have called last orders. I am sure there is a metaphor for compliance in there somewhere…

The Category Killer

What is SAP trying to achieve with GRC? Nothing less than turning a buzzword into a category killer. GRC could be the first significant new packaged application of the 21st century, at least in the Fortune 2000 customer base. And there was me thinking the days of Big Three Letter Acronym software sales were over… "S-O-A Killed The Packaged App Star". Maybe not.

SAP put a clear stake in the ground for GRC leadership when it acquired Virsa last year, and the numbers are beginning to look pretty good. No startup has emerged from the pack, though there are a host of compliance specialists in the market, such as Open Text, Paisley Software and Protiviti, as well as newer entrants such as iWay. Amit said:

“We want to be the Siebel of GRC.”

But not get acquired by Oracle, obviously. So what does SAP’s GRC momentum look like?

  • Amit claims the last fiscal quarter saw 300% growth.
  • A year ago SAP had 800 customers, now it has 1800…

“I close more deals in a quarter than my competitors ever have…”

That’s Amit sounding like the Shai Agassi protégé he is… He also offered some eye-popping stats about the ever increasing regulatory burden, and the need for compliance-oriented architecture services.

  • PwC apparently estimates there have been 114k new US regulations since the Reagan Administration.

Cisco As A Flagship

Cisco chose GRC as a platform, even though it’s a wall-to-wall Oracle apps shop. I don’t know anything more about this claim, but I aim to follow it up. Very interesting.

Competition for the GRC dollar

IBM’s efforts were fragmented until earlier this month, when IBM announced its own GRC program. Oracle meanwhile has plenty of integration work on its hands before it can really offer GRC as a package, although it has many valuable piece parts. Arguably IBM and Oracle are better positioned for data governance, but that’s not the same thing as corporate governance. IBM has done some notable work in the Basel 2 data analysis space. One area where the fight is likely to be particularly fierce is content management, a core GRC technology.

Interestingly we haven’t heard much from Microsoft yet about GRC, which is ironic given the company’s recent history, with billions of dollars handed to competitors in out-of-court settlements around antitrust issues. It would also be foolish to ignore EMC in the GRC market. Its Documentum subsidiary was, after all, the first major compliance vendor, having grown on the back of pharmaceutical industry regulatory reporting.

Compliance as a Documentation Problem

One of the misconceptions about compliance is that it’s all a workflow problem. The error of confusing Sarbanes-Oxley with compliance has encouraged this confusion. It’s about corporate officer sign-off, right?

One of the most important aspects of compliance is the documentation of business and operational controls. An organisation that can effectively report on its controls is always in better shape when the regulators or auditors come knocking. Controls management is key to compliance. Well-documented controls can actually be more useful than good controls. This is true of both US-style ticklist compliance and European-style principle-based regulation.

Chatterjee said SAP offers a documentation repository and process control product for Sarbanes-Oxley 404 compliance. SAP will compete with the likes of IBM, Open Text and Stellent here. I wouldn’t rule out an SAP acquisition to accelerate its content management capabilities.

Risk Management as Corporate Cashback

GRC is about Enterprise Risk Planning, and better risk management drives greater profitability. The better an organisation understands its risks, the smarter its investment decisions. One of the core tenets of the Basel 2 standard, for example, is that companies can reduce the funds they allocate to hedge risk because they better understand their exposures, and so free up funds to invest in the business.

I recently canceled a monthly insurance payment that would cover my mortgage if I became unemployed. One day I said to myself “this is stupid – RedMonk is solid.” The injection of cash into my current account is most welcome. Businesses face similar issues and opportunities on a larger scale every day.

Say you’re GE and you keep getting fined for environmental pollution in the Hudson River in New York. What do you do? Clean up your act, right? Not necessarily, not if you’re making millions of dollars a year at a plant but only get fined minor sums, say $5k a time, for dumping pollutants into the river. It’s not worth investing in a cleaner plant, even if things get so bad that a $5m fine kicks in. In this case shareholder value is best served by paying a regular stipend to the Environmental Protection Agency (EPA). That’s risk management. Under the Bush administration the EPA has been like an old man without his dentures, but that’s a different story. For a brilliant analysis of the counterbalancing forces driving cold-eyed corporate decision-making, read The Corporation. Eventually pollution becomes a PR opportunity.

In risk management SAP’s competitors include IBM and Hyperion. Other notables in the market include Fair Isaac.

Built to Last: On Corporate Sustainability

I am pretty skeptical of Corporate Social Responsibility (CSR) – witness, for example, the variance between BP’s public statements and its investment behaviour and safety record. But it would be silly to dismiss the real impacts CSR can have in the world: on share price, on the ability to hire great people, on creating better environmental outcomes and so on. The brightest graduates don’t say to themselves: “how can I get a job at a major polluter?”

One interesting take Amit put forward at Sapphire was that CSR meets GRC in what he calls “corporate sustainability”. As I understood it, that means taking a long-term view of the corporation’s goals, in a wider context than the often surprisingly nebulous “shareholder value”.

I was gobsmacked when Amit started arguing for the value of including unions in corporate strategy. That’s something you don’t hear every day from a software company executive. In fact you usually don’t hear that any day from a software exec. Amit was talking about the need to bring unions onboard for companies wanting to trade successfully in China, but the perspective was still intriguing, and quite Germanic, it might be said. German companies take a long view. They invest in skills and education. Unions are part of the body corporate in a way that scares the pants off most American business people. If I had a euro for every time someone in the software industry bitched about German employment law I would be a very rich man indeed. Of course, as VW showed, union reps are just as prone to, ahem, risky behaviour as anyone else. But the facts on the ground as I see them are that Germany’s economy is in ruder health than it’s often given credit for. Who is building the screens for the new iPhone? A German firm. Who is competing with the Japanese in the car industry? More than one German firm. Then there is a certain leading software company with its own works council. SAP is not a company that plays for the short term.

Emissions and Profits

Amit also linked corporate sustainability to SAP’s partnership with a company called Technidata, which offers carbon emission tracking software. I find it refreshing to see a tech firm with a decent green story beyond the green data center. SAP plays an incredibly important role in the global supply chain, and therefore any carbon awareness it can drive is extremely welcome. Good PR? Absolutely. But green can also drive efficiency, whatever the nattering nabobs of neocon negativism say.

SAP worked with Technidata to build SAP x-emissions management software, to help companies establish whether they are actually carbon neutral or not. They are also now working together on software to help with the REACH standard in the chemicals industry.

Compliance: A wider view

One of the characteristics of SAP’s GRC strategy is that it’s taking a wide view of the problem. Sarbanes-Oxley is just one regulation of many that companies need to deal with. In pharma, FDA approval is still the real bugbear. According to Amit, at one UK pharma company, for every SOX dollar they spend, they spend $10 on FDA approval. SOX is far from the be-all and end-all.

Thus in risk management, SAP is now moving into the content inspection market through a deal with Cisco for network sniffing tools as part of the Cisco SONA architecture. The biggest risks in corporate information flows come from insiders, whether by accident or design. Ensuring that information which is supposed to remain within the corporate walls actually does so can be extremely valuable. In fact, thinking about it, this could also be an opportunity to deepen the Adobe SAP relationship. Adobe has some notable information control products in the shape of its LiveCycle portfolio.

Of course it’s obvious that SAP would never take an approach that just solved one compliance problem: if a problem is worth solving, it’s worth generalising and solving from end to end. I plan to dig further into GRC over the next few months, but I want to get this out there as a Sapphire write-up.


  1. […] · No Comments Good to see James Governor posting on GRC. I’d suggest you read the whole post, but a little snip for you here. One of the characteristics of SAP’s GRC strategy is that its […]

  2. So, what are your conclusions James? How do they stack up?

  3. Hey James,

    Great post on SAP’s GRC efforts (one of these days we’ll be at the same Sapphire or other event and meet in person. For now, hanging with Cote will have to do).

    Wanted to provide a few additional points; color commentary if you will, that might be of interest to those GRC fans out there (as you know, I work in SAP’s GRC biz unit, but these are my comments not necessarily official SAP positions).

    – Protiviti is actually an SAP GRC Services Partner, they help customers implement and use the full suite of GRC solutions. Additionally, and in their own right, they’re an independent risk consulting and internal audit services firm.

    – With Cisco, in addition to being a customer, there is also a joint marketing agreement for SAP GRC and Cisco’s Service Oriented Network Architecture (SONA) (http://www.sap.com/company/press/press.epx?pressid=6673). By using Cisco’s SONA with SAP GRC, notably the Process Control solution, SAP customers can address compliance and risk issues that may reside outside of their core ERP systems.

    – Risk Management regarding Basel II – Using a combination of SAP Risk Management and SAP Bank Analyzer my understanding is that you can cover virtually all aspects of Basel II, as well as other regulatory frameworks.

    – Risk Management regarding your GE example – the SAP Risk Management application would allow GE to evaluate the risk of a fine at a particular location, then to roll it up to the corporate level to perform a cross-enterprise real cost/benefit analysis of the risk. The application is designed to have all stakeholders collaborate to reach an accurate analysis of the activity. It then enables management to analyze the potential loss and make a quick, informed decision on the best course of action.

    – Emissions – Emissions is actually part of the wider category (and SAP solution) of EH&S (Environment, Health & Safety). The SAP solution is indeed offered through a partnership with Technidata (http://www.technidata-america.com/). It helps firms manage risk and compliance around the following: health protection, environmental protection, consumer and environment safety, and workers’ safety.

    Hope that’s helpful and that you are enjoying your holiday.


  4. James, sounds like SAP is getting in the insurance business. Can they really help with all these known and unknown risks and compliance issues? Will they provide contractual assurance and related warranties and indemnity?

    I know one thing…it is harder and harder to just shame a company into compliance spend like we did the last few years – see my post


  5. […] risk and compliance or GRC in SAP-speak. The discussion came about following a long piece James Governor wrote (SAP is one of Redmonk’s clients) which basically parroted what he was told by Amit […]

  6. […] 31st, 2007 · No Comments Vinnie, Dennis, James  and I are having a rather longwinded discussion on Compliance, Governance and Risk […]

  7. Great notes on GRC. SAP is a member of a nonprofit organization that I head up called the Open Compliance and Ethics Group (OCEG).


    Being the guilty party that coined the GRC acronym 4 years ago, I can tell you that there has been a ton of momentum over the past few years.

    What is important to remember is that GRC was defined by end-users before it was defined by the vendors building these solutions. 4 years ago, our organization was almost entirely comprised of large end-users (ADM, Staples, Wal*Mart, Wachovia, etc.). All of these end-users were seeing tremendous overlap in governance, risk and compliance processes.

    About 2 years ago, several of the solution providers jumped on board and now we are seeing a great mix of solutions to help automate and integrate (not consolidate, but integrate) GRC.

    SAP is one of the clear leaders.

    == slm ==

  8. […] to James , Vinnie, Thomas, and Dennis contributed differing views points on a heated debate.  However, I […]

  9. […] I also want to know when the GE’s of the world aren’t doing what their messaging tells me it is. (tip james)  […]


  11. […] wrote about Amit and SAP’s Governance, Risk and Compliance (GRC) strategy a while ago over at Monkchips. I called GRC the new ERP. Well folks, what did ERP support? First wave BPR. What are we now […]

  12. […] I wrote about Governance, Risk and Compliance as the new ERP here. […]

  13. Hi James, wonderful post and would definitely like to hear more of RedMonk’s views on how the major enterprise vendors are managing to internalise an environmental awareness. I for one believe it needs to go much further than simply GRC or “add-on” niche applications.

    I only found your posting after putting my “Why SOX won’t keep your feet dry” rant on this topic up at http://tardate.blogspot.com/2007/10/why-sox-wont-keep-your-feet-dry.html

  14. […] AIR (bing. sexomatic!). And SAP is indeed integrating its corporate performance management and Governance Risk and Compliance functions in the shape of its Office of the CFO push. No IT portfolio stuff yet, but there will be […]

  15. […] opinion pieces where he described GRC as the new ERP. How could I not agree? I have argued the same thing! Recent events in financial services make it even more imperative that organisations treat […]

  16. […] Something that struck me very clearly reading the release was that this compliance application was being led by Business Objects, rather than SAP Classic. Now I haven’t had a chance to get an update on the direct from SAP but this makes perfect sense. For one thing- look at the speed of delivery. This is not a traditional SAP module development schedule. Also, organisationally Business Objects now owns Governance, Risk and Compliance. […]

  17. […] SAP announced that they’re going to buy German Partner Technidata, a specialist in Product Safety, Health and Environment Solutions. I guess Greenmonk can really claim they were on the money when back in March 2008 it reckoned that ”SAP should really buy Technidata so that it can move forward more quickly in this space” (nb carbon accounting solutions). James Governor also saw something like this coming in 2007. […]
