In-Depth

SAP Delivers Its First GRC Deliverables

The market for compliance-related software and services alone is expected to reach more $27 billion this year—and SAP wants a piece of the action.

As far as business intelligence (BI) storylines go, German enterprise resource planning (ERP) giant SAP AG’s BI push makes for engrossing reading. SAP first established a BI bridgehead of with its Business Information Warehouse (BW), and has since expanded into the industry-specific analytics space. Factor in SAP’s Office-based application push—the Montecito effort that it’s developing in tandem with Microsoft Corp.—and you’ve got the makings of a BI brouhaha.

Things got even more interesting last week, when SAP announced three new governance, risk, and compliance (GRC) entries—its SAP GRC Repository, SAP GRC Process Control, and SAP GRC Risk Management. GRC is one of the hottest new BI market segments, and a host of vendors have already forayed into this space, including Business Objects SA, Cognos Inc., Hyperion Solutions Corp., and SAS Institute Inc. Meanwhile, SAP’s announcement—which analysts say is a no-brainer move, given the ubiquity (and centrality) of its ERP software in the enterprise data center—was notable in at least one other respect: the ERP giant also touted a GRC partnership with networking giant Cisco Systems Inc.

Put it all together, and you’ve got a rather toothy GRC offering from SAP, says James Kobielus, a principal analyst for data management with consultancy Current Analysis. “SAP continues to strengthen its already impressive GRC strategy by showing steady progress toward delivery of a unified, comprehensive, extensible product suite,” he writes. “SAP… has made GRC a core strategic theme in its ongoing product development, partnering, and industry positioning, and as a new frontier for delivering composite applications for diverse compliance-related national, horizontal, and vertical markets.”

Of course, the BI marketplace isn’t bereft of competitive offerings. Some vendors—such as SAS, for example—have marketed GRC entries for years, in fact. SAS’ Risk Management and Anti-Money Laundering offerings pre-date the advent of the compliance era, which—for lack of a hard and fast dateline—is often pegged to the passage of the Sarbanes-Oxley Act of 2002. Nor have SAS’ BI competitors—Business Objects, Cognos, and Hyperion perhaps foremost among them—neglected the promise (and profits) of the GRC space, the revenues of which (for compliance-related spending alone) are expected to reach $27.3 billion this year, according to market watcher AMR Research Inc. Of that total, fully $6 billion (or 22 percent) of will be allocated for SOX compliance.

In this respect, Kobielus concedes, SAP’s GRC portfolio is comparatively untested: SAP announced its GRC roadmap only months ago, after all. But SAP’s software is so central to the operations—and GRC concerns—of so many different companies that it has a huge built-in advantage right out of the gate. In other words, Kobielus argues, what’s important is that SAP execute—or execute meaningfully—on its previously announced GRC roadmap, and that’s precisely what it did with last week’s announcement.

“SAP’s GRC product group has made good on the first step in its previously announced implementation roadmap. By announcing new GRC foundational components [e.g., repository, process control, and risk analysis], SAP has bolstered its stature and credibility in the GRC market,” Kobielus writes. “SAP’s GRC product group has made good on the first step in its phased implementation roadmap for development of its future GRC management offerings on the NetWeaver platform.”

So what, exactly, do SAP’s first GRC deliverables bring to the table? For starters, says Kobielus, the new GRC Repository provides a means for customers to centralize GRC frameworks, policies, and rules contributed by external ‘GRC ecosystems’ (e.g., government agencies, industry councils, advisory services, and other groups). Elsewhere, says Kobielus, “[SAP] is building a GRC process control tool that will provide a critical enforcement mechanism for enterprise compliance. And it is integrating a proven risk management tool (which it has been using internally) into its GRC product portfolio.”

That’s the good. The bad—or, at least, the not-so-good—is that SAP hasn’t yet disclosed any information about how and when it plans to integrate its new GRC components into NetWeaver—or its Enterprise Service Architecture, for that matter. And while SAP touted its partnership with Cisco—under the terms of which it plans to integrate its GRC stack with Cisco’s Service-Oriented Network Architecture (SONA) environment (effectively embedding GRC awareness at the network level)—as one of the biggest selling points (not to mention differentiators) of its GRC push, it didn’t include partners other than Cisco in that announcement. Whatever else it might mean, Kobielus contends, the lack of accompanying testimonials from partners other than Cisco creates the appearance that SAP might be moving out ahead—perhaps too far ahead—of its partner ecosystem.

“The vendor also did not provide greater detail on the next step of its GRC product development roadmap: introduction, in spring 2007, of industry-specific GRC applications that leverage the new GRC foundation components,” Kobielus concludes. “It did not mention whether, when, and how it will integrate existing compliance solutions—both from the former Virsa and from other SAP product groups—into the new GRC foundation components.” Nor has SAP partnered with producers of design-time or run-time SOA governance products, which—if left unaddressed, either by partnership or by dint of in-house development on SAP’s part—would amount to a critical oversight, Kobielus argues.

One consultant in the field, Norman Comstock, president of Houston-based GCRM Solutions, had this to say: "SAP may be the first ERP vendor to recognize the underlying and inherent value of a sustainable, coherent approach for end-to-end compliance automation. Much of the process and control framework is ready or waiting to be configured. While there will always be manual controls, there is in overwhelming cost/benefit for automating manual controls that can be automated."

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Must Read Articles