SAP's GRC challenge

Summary: While I was unable to attend SAP's Influencers' Summit, there were interesting snippets of conversation on the Twitter channel between Mike Krigsman, James Governor and myself. From what Mike said, the GRC (governance, risk and compliance) session was not particularly well attended.

While I was unable to attend SAP's Influencers' Summit, there were interesting snippets of conversation on the Twitter channel between Mike Krigsman, James Governor and myself. From what Mike said, the GRC (governance, risk and compliance) session was not particularly well attended. That's disappointing. GRC has been a strong theme for SAP the last few times I've met with them, and for good reason. In my opinion GRC is one of the most urgent yet difficult management areas for large-scale businesses to address with technology solutions.

In our Tweeted conversation, I said there are two themes in play:

  • Productizing what is currently more of a consulting opportunity than a software sale
  • Change management

Productizing is not difficult but will take time. In SAP's case, it has a bag of tools, many acquired or in the process of acquisition, that need pulling together in a coherent manner. That will be determined by the extent to which it can figure out a way of presenting incrementally valuable solutions. Success depends on how customers respond to the challenge. This will not be a case of SAP (or anyone else for that matter) letting customers tell them what they want. It will be a case of vendors telling customers what they need in order to preserve their reputations.

Mike quite rightly picked me up on the change management element; this is always an important part of any IT project. On GRC (and its closely related cousin, corporate social responsibility or CSR), meaningful change has to go right to the heart of the business and often needs a genuine cultural change at the very top. We thought that ERP was painful and Y2K expensive. Properly executed, GRC could be an order of magnitude more difficult and complex than these past endeavors. GRC implementation is far from easy in companies where certain practices have been the norm for many years. This is particularly true in SAP's backyard, Germany, where two of its long-term customers, Siemens and Volkswagen, have been the subject of intense scrutiny over corrupt practices.

The Siemens case has been well documented with the latest news that the company will be restructured. Reporting remains one of the key outstanding problems:

The restructure follows a filing to the USA’s Securities and Exchange Commission, saying it had identified ‘material weakness’ in its internal controls over financial reporting which could affect its ability to report its results accurately and that its anti-corruption controls as of September 30, the end of its fiscal year, were insufficient to prevent managers from misusing funds.

That will require a lot of work in documenting existing processes, creating closed processes that are actionable and ensuring the separation of duties in such a way that it becomes much more difficult to effect corrupt practices. From a software implementation perspective, it's not that difficult, but effecting the cultural change will be an altogether different proposition.

Looking at carmaker VW, the same systemic problems of corrupt practices embedded at the highest level have, once again, reared their ugly head. According to BusinessWeek:

When asked whether it was reasonable to believe that the former CEO of VW was unaware of lavish pleasure trips for labor representatives and millions in payments to Klaus Volkert, the former head of the labor council, Volkert said, in a documentary aired on German TV: "All I know is that there is very, very little that went on at Volkswagen that (Ferdinand) Piëch didn't know."

This is not the place to explore the ramifications of fresh allegations, but when you see cases where the problem is coming from the top, just how do you get an effective cultural change management program underway without either the force of law or a transparently documented commitment?

Software can help. According to Mike, SAP recognizes that managing different types of GRC projects separately is inefficient and plans to bring issues like IFRS reporting, SOX management and Basel II compliance much closer together. The current situation is not just inefficient, it's an incomplete response that is bound to leave gaps. It is therefore good to see that SAP has recognized the necessity of bringing related issues together in what will hopefully be a coherent manner. However, it still leaves open the question of just how companies like SAP will convince customers of the value of what will need to be a holistic solution. I suspect a good part of the answer will lie at the doors of firms like Accenture, who have the consulting independence to make a clinically dispassionate case.

Topic: SAP

Dennis Howlett

About Dennis Howlett

Dennis Howlett is a 40 year veteran in enterprise IT, working with companies large and small across many industries. He endeavors to inform buyers in a no-nonsense manner and spares no vendor that comes under his microscope.

1 comment
  • Value of GRC

    There's an interesting conundrum in articulating the value of an integrated risk management platform. Namely, that the costs of measuring, monitoring and reporting on multiple regulatory initiatives fall largely outside IT, dispersed among business functions. IT is happy to install siloed solutions because they're not charged with the costs of inefficiency. The problem is that just as the rise of disparate customer datamarts across the business drove down customer satisfaction and drove up acquisition costs, scattered risk and compliance databases in and of themselves are a risk, to say nothing of the carrying costs. What's really missing is executive leadership, something SAP should be able to influence. The problem is that SAP is largely selling to the IT side of the house, Doug Merritt's nascent Business User Group notwithstanding.

    There are very practical benefits to an integrated risk management platform for any public company. Such a platform can provide, for instance, a framework for SOX and IT in the same solution, allowing each group to report on the same set of controls, using the same data, but do so for different purposes, without duplicating effort. I've written on this topic at