GRC2015_resize_300x200As I attend SAPinsider events year over year, I measure our customers’ progress in leveraging the value of GRC solutions by how they’ve implemented beyond just using them for compliance and basic risk management. This has led me to look back and think about the new perspective governance, risk, and compliance (GRC) technology has brought after its emergence well beyond the initial urgency triggered by the SOx wave.

GRC solutions now can deliver continuous monitoring of controls, key risk indicators, policies, issues, and so on, and ensure they’re natively integrated with critical business systems, where the actual risk information resides. A number of presentations this week at SAPinsider GRC 2015 in Las Vegas demonstrate these solutions in action and explain how to make it happen.

But let’s take a step back – how did we get here?

Even before the GRC years, business activity monitoring (BAM) and business process management (BPM) were great ideas that had been around and “hyped” for quite some time. They have expanded significantly since the early 2000s, giving birth to a number of tools and technology solutions to support companies’ BAM /BPM programs.

However, implementing these programs and the related tools has proved challenging to say the least. This lead to several companies abandoning their large, costly BAM /BPM projects because of lack of results and insurmountable hurdles: integration issues, customization efforts, maintenance nightmares, etc.

Mounting External Pressures Fuel Need for GRC Tools

In parallel, external impositions have increased on companies to do a much better job of controlling their business. This translated into much more stringent and expanding regulations, and the need to implement better governance, more effective policies and accountability, and robust risk management.

Initially, in reactive mode, most companies have adapted to these impositions by:

  • Establishing risk and control frameworks
  • Documenting comprehensively their risks, controls, and policies
  • Implementing basic evaluation procedures to update key risk exposures, run control testing cycles, and produce the necessary reports

This was generally done with a lot of manual work and manipulation of masses of spreadsheets and documents, not to mention an extensive use of e-mails and numerous phone calls.

Now, specialised software has become available to ease the pain and help companies better centralize governance, risk, and compliance (GRC) information and structure their risk and compliance management processes. These systems all came under the GRC umbrella.

Does this mean that companies were able to really be “in control?” That is, to monitor on a continuous basis their activities and business processes? Implementing GRC tools on the surface provides a wealth of instruments that should allow them to better monitor their business-process and company-level controls, key risk indicators, policies and issues, transactions, and so on.

However, taking a closer look, a great number of these tasks still involve significant manual efforts (control testing is a typical example) and, due to the workload, they aren’t performed continuously but by periodic cycles. To actually monitor the enterprise, continuity is needed to ensure problems don’t fall through the cracks.

More Advanced Monitoring Capabilities Increase the Value of GRC Solutions

More advanced GRC technologies can help do this though, by relying on much stronger integration with business systems like ERPs and automation of labour-intensive tasks. They have been adopted as best practices by a number of forward-looking companies, who experience real added value through the use of continuous monitoring capabilities. At SAP, a complete set of GRC solutions with such capabilities have been developed and deliver high value to our customers, like SAP Access Control, SAP Process Control, SAP Risk Management, SAP Fraud Management, and SAP Audit Management, to name a few…

These technologies can help:

  • Improve performance in key business processes
  • Act more quickly on issues and emerging risks
  • Predict better
  • Optimize the use of innovations such as Big Data, mobile and cloud to streamline and strengthen companies’ GRC programs.

For forward-looking adopters, this comes as a nice addition to the fulfillment of initial goals of their GRC systems such as achieving compliance, managing policies, remediating issues, and solidifying their risk management program. And it may even contribute to some companies’ broader initiatives around BAM and BPM with much less pain.

So as companies look at GRC technology, it’s worth taking a close look at the ability of these solutions to deliver these continuous monitoring of controls, key risk indicators, policies, issues, and so on, and ensure they are natively integrated with critical business systems, where the actual risk information resides. There will be a number of presentations showing these solutions in this GRC 2015 event.

And more excitement will come as we discover, during event presentations, the power of game-changing technologies such as SAP HANA, the SAP HANA Enterprise Cloud or SAP Predictive Analytics – these expand the possibilities of monitoring critical information in a Big Data environment.

It’s going to be an exciting conference indeed this year in sunny Las Vegas….