While I was unable to attend SAPs Influencers' Summit, there were interesting snippets of conversation on the Twitter channel between Mike Krigsman, James Governor and myself. From what Mike said, the GRC (governance, risk and compliance) session was not particularly well attended. That's disappointing. GRC has been a strong theme for SAP the last few times I've met with them and for good reason. In my opinion GRC is one of the most urgent yet difficult management areas for large scale business to address with technology solutions.
In our Tweeted conversation, I said there are two themes in play:
- Productizing what is currently more of a consulting opportunity than a software sale
- Change management
Productizing is not difficult but will take time. In SAPs case, it has a bag of tools, many acquired or in the process of acquisition, that need pulling together in a coherent manner. That will be determined by the extent to which it can figure out a way of presenting incrementally valuable solutions. Success depends on how customers respond to the challenge. This will not be a case of SAP (or anyone else for that matter) letting customers tell them what they want. It will be a case of vendors telling customers what they need in order to preserve their reputations.
Mike quite rightly picked me up on the change management element - this is always an important part of any IT project. On GRC (and its closely related cousin, corporate social responsibility or CSR), meaningful change has to go right to the heart of the business and often needs a genuine cultural change at the very top. We thought that ERP was painful and Y2K expensive. Properly executed, GRC could be an order of magnitude more difficult and complex than these past endeavors. GRC implementation is far from easy in companies where certain practices have been the norm for many years. This is particularly true in SAPs backyard - Germany where two of its long term customers, Siemens and Volkswagen, have been the subject of intense scrutiny over corrupt practices.
The Siemens case has been well documented with the latest news that the company will be restructured. Reporting remains one of the key outstanding problems:
The restructure follows a filing to the USA’s Securities and Exchange Commission, saying it had identified ‘material weakness’ in its internal controls over financial reporting which could affect its ability to report its results accurately and that its anti-corruption controls as of September 30, the end of its fiscal year, were insufficient to prevent managers from misusing funds.
That will require a lot of work in documenting existing processes, creating closed processes that are actionable and ensuring the separation of duties in such a way that it becomes much more difficult to effect corrupt practices. From a software implementation perspective, it's not that difficult, but effecting the cultural change will be an altogether different proposition.
Looking at car maker VW, the same systemic problems of corrupt practices embedded at the highest level have, once again reared their ugly head. According to BusinessWeek:
When asked whether it was reasonable to believe that the former CEO of VW was unaware of lavish pleasure trips for labor representatives and millions in payments to Klaus Volkert, the former head of the labor council, Volkert said, in a documentary aired on German TV: "All I know is that there is very, very little that went on at Volkswagen that (Ferdinand) Piëch didn't know."
This is not the place to explore the ramifications of fresh allegations, but when you see cases where the problem is coming from the top, just how do you get an effective cultural change management program underway without either the force of law or a transparently documented commitment?
Software can help. According to Mike, SAP recognizes that managing different types of GRC projects is inefficient and plans to bring issues like IFRS reporting, SOX management and Basel II compliance much closer together. The current situation is not just inefficient, it's an incomplete response that is bound to leave gaps. It is therefore good to see that SAP has recognized the necessity of bringing related issues together in what will hopefully be a coherent manner. However, it still leaves open the question of just how companies like SAP will convince customers of the value of what will need to be a holistic solution. I suspect a good part of the answer will lay at the doors of firms like Accenture who have the consulting independence to make a clinically dispassionate case.