SAP launches governance, risk, compliance management business unit to lead new, emerging market

SAP AG has announced the creation of a new business unit to empower customers with end-to-end solutions for governance, risk management and compliance (GRC), offering a holistic alternative to the fragmented GRC point solutions available in the market.

With the aim of helping companies make GRC an integral part of their business and IT strategies, the dedicated unit leverages SAP's deep expertise and existing software for wide-reaching compliance requirements such as the Sarbanes-Oxley Act (SOX) in the United States; applications such as SAP Global Trade Services to help companies across diverse industries manage international trade compliance challenges; and solutions for distinct industry demands including emissions standards in chemicals and utilities sectors, FDA requirements for pharmaceutical companies and Basel II for the banking sector.

Building on this rich portfolio of horizontal and industry-specific compliance software, the now completed acquisition of Virsa Systems, Inc boosts SAP's leading position in the rapidly emerging GRC market. After nine months of planning its go-to-market strategy and product road map for a comprehensive GRC portfolio, SAP unveiled the governance, risk and compliance management business unit at SAPPHIRE '06, SAP's international customer conference, held in Orlando, Florida, from 16 to 18 May.

SAP has long recognised the growing role of enterprise systems in assisting companies to meet the increasing challenges of corporate compliance and risk management. Customers are looking for powerful compliance solutions that work across heterogeneous IT environments to reduce risk and cost as well as provide improved business control. By embedding compliance into business processes, SAP is making compliance repeatable, sustainable and less costly for companies of all sizes in all industry segments.

"As spending accelerates in specific functional areas that are of critical interest to SAP's customers and prospects, the company will most likely fold in partner products to provide a broader application footprint," said John Hagerty, vice-president and research fellow, AMR Research. "The Virsa acquisition enriches SAP's GRC position, but it is not the answer to all compliance concerns. It is, however, a solid foundation for future growth." 1

In today's highly regulated environment, companies are increasingly pressured by governance, risk and compliance concerns while at the same time needing to drive business performance, predictability and stakeholder confidence. The current approach to managing GRC is marked by two sets of problems: highly fragmented business processes and systems that compound the cost of managing risk and compliance; and little or no investment in identifying and mapping out a phased approach to comprehensive GRC management. Underlying these issues is the inherent risk in strategically coordinating and managing a wide range of IT infrastructure that directly supports the processes and systems in the GRC business environment. Organisations are deprived of a powerful tool for controlling and addressing risk effectively, while at the same time they are shifting investments and resources to non-revenue generating activities.

"Enterprise risk management, beyond Sarbanes-Oxley, is being addressed at CA with the implementation of solutions from SAP, Virsa and CA," said Kevin Kern, chief information officer at CA. "We see clear business value in an enterprise-wide interlock between core business processes and managing GRC. Building confidence with the investment community and stakeholders is correlated to leveraging not only a detective but also a preventative control framework that increases predictability and visibility to our business. We applaud SAP in taking on this new challenge and we look forward to collaborating in this initiative."

Trek to the summit

00Days

:

00Hrs

:

00Min

:

00Sec

Each organisation must chart its own course to embrace a GRC framework, weighing critical business requirements with organisational GRC maturity and top-level commitment. Companies may choose to start by identifying one or two high-priority risk areas and initiate a business-specific or initiative-driven deployment of GRC applications. These early successes will help drive the value of a comprehensive GRC strategy and will provide a reusable and sustainable model for controlling and addressing future governance, risk and compliance areas.

"Companies will spend at least $27 billion on addressing tactical compliance issues in 2006 alone, yet even with this investment they will remain vulnerable to risks and burdened with high costs," said Henning Kagermann, CEO of SAP AG. "SAP and its partners are stepping up to the challenge by helping companies take control of governance, risk and compliance issues and ultimately leveraging this capability as a competitive advantage. We will achieve this vision by delivering an integrated and heterogeneous GRC foundation for customers to adopt in a pragmatic approach, leveraging existing IT investments in SAP software and other technologies. We are energised by this opportunity and excited to make such a significant impact."

Specific benefits from a comprehensive GRC approach include:

* Increased shareholder value: Good governance - reflected in many intangibles, including brand, culture and reputation - can have favourable impact on share price premiums.
* Optimised risk/return portfolios: Achieved with transparency and insight for selecting (and rejecting) projects based on risk impact and probability relative to potential return.
* Reduced GRC costs: Significantly cuts down the resources required to control and address risk, ensure compliance and maintain effective governance.
* Improved business performance and predictability: Delivers comprehensive visibility, a systematic process for anticipating and controlling risks and the tools to proactively determine proper actions and critical tasks.
* Business sustainability: Delivered through software automation, analytics and alerts, visibility to risk interdependencies for improved control and repeatable, cost-effective GRC solutions.
* Business agility: By empowering decision-makers to identify and assess alternative what-if and future scenarios, GRC leads to greater business agility and competitiveness.
* Intelligent IT risk management: Delivered through an intelligent network infrastructure that can provide IT risk management information and controls at high speeds throughout the enterprise.

"General Mills uses SAP as the global platform for integrated transaction processing and segregation of duties in ensuring SOX compliance in the area of information systems," said Michael Carr, director of Information Systems for General Mills. "Software and business processes that streamline and advance a company's risk management and compliance capabilities are critical aspects of corporate governance. SAP tools that deliver an integrated solution across the enterprise are an important and welcome new advance in this important area."

Key to early success of the GRC business unit is SAP's continued momentum and investment in helping customers solve critical compliance pain points and the acquisition of SAP partner Virsa Systems (see 3 April 2006 press release titled, "SAP Strengthens Leadership in Compliance Solutions with Acquisition of Virsa"). The acquisition, which was officially completed on 12 May 2006, reflects SAP's commitment and investment in the GRC category. Virsa's nearly 250 employees are now part of the GRC business unit, providing talent, domain expertise, intellectual capital and experience to add immediate value for many SAP customers.

1 John Hagerty, AMR Research, "SAP Snaps Up Virsa Systems To Enhance Compliance Story", 3 April 2006.

Cisco

"Companies are looking for better ways to track risk management and compliance processes throughout their IT infrastructure," said Bill Ruh, vice-president of technology architecture and Cisco Services. "Cisco intelligent Service Oriented Network Architecture (SONA) in combination with SAP's GRC solutions can help businesses comprehensively monitor risks and compliance across their network infrastructure at greater speeds. We will continue to work with SAP GRC business unit in advising customers on IT Infrastructure strategies, plans, investments and operations that drive greater control over risk management and compliance."

Deloitte Consulting LLP

"A key challenge for businesses today is integrating processes and metrics used to monitor adherence to regulatory requirements with those used to understand risks and manage enterprise performance," said Lee Dittmar, principal and national leader of Deloitte Consulting LLP's Enterprise Governance practice. "The goal should be to create a set of processes and information to help achieve the ongoing viability and performance of the enterprise, and to improve alignment between the board and the executive team. Governance, risk and compliance is a powerful concept. The fundamental idea is to view these three separate but related functions in a comprehensive, integrated manner. Companies can benefit by leveraging common processes and systems to address all three. SAP's GRC emphasis and approach is consistent with our view concerning the important role technology must play in making governance, risk management, and compliance more efficient and effective."

PricewaterhouseCoopers

"PricewaterhouseCoopers is excited to work with SAP on this evolution of technology and its impact on the business issues of governance, risk and compliance," said Jacqueline Olynyk, partner in the Advisory practice of PricewaterhouseCoopers. "Technology-enabled GRC improves decision-making by factoring risk information into strategic planning and capital allocation. The ability to leverage existing ERP technologies and an open platform allows an enterprise to select the most appropriate solution without having to compromise because of existing platforms. GRC becomes an integrated part of business decision-making rather than an afterthought. This is about meeting the demands of industry and making a difference in our clients' bottom lines."

Protiviti

"We recognise the benefits that accrue to those organisations who maximise their ERP's value through the implementation of detective and preventative controls," said David M Johnson, managing director at Protiviti and head of the company's Application Controls Effectiveness (ACE) practice. "We are actively assisting our SAP clients improve their capability in this important area by effectively utilizing the full SAP suite of GRC solutions to enhance their risk mitigation and compliance efforts."

Symantec

"We share SAP's vision of providing a holistic GRC solution," said Jeremy Burton, senior vice president of enterprise security and data management, Symantec. "With the combination of the Symantec IT Compliance solutions for infrastructure compliance and SAP's solutions for GRC, customers will have an integrated, end-to-end framework."