
In today’s ever-changing business climate, the only constants are intense global competition, tighter margins and increasing regulatory requirements. Meanwhile, the future promises to bring greater pressure – and with it, greater risk.
Companies are preparing for new challenges by devoting more time and resources to managing strategic planning and business risks. But few have adopted an integrated approach to governance, risk management and compliance (GRC). Motivated by fear rather than strategy, companies often take a piecemeal approach; they implement fragmented, one-off processes that prevent regulatory fines in the short term but compound risk and compliance costs in the long run. Without a unified GRC strategy across the enterprise, your organization may needlessly duplicate effort, repeat costly mistakes and leave itself vulnerable to emerging global risks.
Governance, risk management and compliance activities are typically fragmented across four dimensions: organization, systems, geography and policies.
Organizational fragmentation: Implementing departmental policies and mandates may seem to address the GRC challenge, but this inconsistent approach often leads to higher costs and duplication of effort while clouding transparency across your enterprise. The results can be embarrassing. Suppose your sales department launches a complex new overlay commission plan that results in greater sales commission expenses. If the expenses are not properly aligned with your company’s overall performance, you may have to delay or restate your full-year financial results. The resulting damage to your corporate image will decrease shareholder confidence.
System fragmentation: Behind most departmental GRC processes are departmental GRC systems – each with different metrics, standards and methodologies. As a result, aggregating risk and compliance data from across your enterprise can be a manual, error-prone task that offers a limited view of enterprise risk. If your organization fails to monitor compliance and risk centrally, you will be in danger of violating any number of the hundreds of constantly changing trade agreements. In the worst cases, you’ll be forced to pay hefty fines, deal with canceled sales – and counter bad public relations.
Geographical fragmentation: How do your local policies and systems affect your ability to comply with regional, national or global mandates? If you take a geographically fragmented approach to GRC, you may unwittingly end up in a state of noncompliance in certain markets. For example, complying with the Sarbanes-Oxley Act in the US does not guarantee that you will also be compliant with the similar Turnbull Report in the United Kingdom or with Japan’s proposed JSOX regulations. And a geographically fragmented approach may prevent your organization from leveraging best practices across regions.
Policy fragmentation: As your departmental teams race to achieve compliance in their own business processes, your executives may be unsure about what GRC really entails. If they focus on semantics and ownership issues, underlying business problems will go unsolved. For example, your internal audit committee may recommend implementing a credit risk application for customers while the CFO’s office implements an internal controls solution to help with Sarbanes-Oxley compliance. Unaware of these activities, the sales organization may reach its targets without completing the required credit analysis or adhering to new revenue recognition policies.
What fragmentation costs you
The fragmented approach to GRC is riddled with manual tasks, duplicative processes, errors and high costs. According to AMR Research, the cost of compliance around the world will reach US$27 billion in 2006 – and this figure doesn’t quantify the financial impact of distractions, delays and loss of competitive advantage.
GRC fragmentation can also affect share price performance. If your company relies on manual processes, it will have trouble repeating them and will remain susceptible to inconsistent calculations and human error. Management will hesitate to sign off on questionable financial results, and the investment community will begin to sense – and share – this lack of confidence.
Without a comprehensive, cohesive GRC strategy, your company misses opportunities and exposes itself to unnecessary risks. Executives cannot assess the impact of their business decisions by evaluating all enterprise events – positive and negative – that relate to the current situation. As a result, your company remains vulnerable to the increasing complexities and interdependencies of enterprise risks.
Plotting a course of action
As one might expect from such a complex, widespread problem, no panacea exists. Every organization must plan its own path to more effective GRC by adopting a consistent, integrated approach. But many companies are stuck in a reactive mode, in which they use people and point solutions to lessen the effects of fragmentation. As you seek to manage governance, risk and compliance with confidence, what tangible steps can you take to get started?
A holistic approach to GRC
If you want to move beyond piecemeal GRC, you must transition to a holistic approach. This strategy helps simplify GRC as a whole, rather than optimizing individual activities in isolation. With a holistic approach, you can reduce costs, ensure compliance and mitigate risks, while gaining greater visibility into processes and increasing your flexibility to change. And you can integrate GRC into every business process, rather than managing it after the fact.
To implement a holistic approach to GRC, you need a technology framework that can help correlate and align all of your GRC initiatives. This single system of record gives you an enterprise-wide view of GRC activities, enabling you to minimize duplicated efforts and combat complexity. Meanwhile, all stakeholders can centrally provide feedback on inefficiency, fraud and waste, enabling continuous business improvement.
Using software to build a framework
To ensure that you build your GRC framework with the right software, start by collaborating with external experts. Seek out GRC domain experts, including software and technology partners, information and content partners, risk consultants and thought leaders. This diverse group will help you manage GRC as a strategic activity, rather than a necessary hassle.
As you evaluate software, look for solutions that address the four main areas of fragmentation:
Example of a holistic solution
To fulfill the need for predictability and transparency of risk across organizations, systems, geographies, and policies, SAP has built a holistic GRC framework. SAP Solutions for GRC provides common methodology, vocabulary and measurements for use throughout your organization. It allows your executives to address fragmentation directly, leveraging best practices into a larger GRC framework.
As you work within a sustainable technology framework, you improve the predictability and performance of your business. Your managers have a systematic process for anticipating and controlling risks. And when institutional investors, rating agencies and regulators inquire about your capabilities for understanding and managing risk, your organization will have the right answers.
SAP’s solutions are designed to help you increase shareholder value, reduce GRC spending and respond appropriately to risks and opportunities alike.
Increasing shareholder value: The promise of increased shareholder value is real. According to a recent Wall Street Journal article (May 8, 2006), companies that had no internal controls violations in 2004 and 2005 experienced an increase in share price of 27.7 percent. Companies that experienced ongoing internal control violations through 2004 and 2005 experienced a 5.7 percent decline in share price. SAP Solutions for GRC is designed to help you avoid violations and strengthen the trust of shareholders.
Reducing GRC costs: SAP’s holistic approach helps companies overcome the four degrees of fragmentation, dramatically reducing the number of people and amount of time they must devote to GRC. A unified GRC approach becomes part of your core business processes and lets you transition to a “management by exception” approach, saving countless hours.
Responding to risks and opportunities: As you migrate isolated GRC projects into a holistic framework, you can better respond to risks and opportunities alike. SAP’s solutions put decision-makers in the best position to select business initiatives based on their potential for a positive return. For example, by better understanding insurance risks, you can negotiate with your insurance vendors to lower insurance costs – or choose to save money by self-insuring.
Delivering strategic value
In a crowded GRC technology marketplace, SAP seeks to distinguish itself by delivering a holistic GRC framework. This framework draws upon SAP’s domain expertise, worldwide partner ecosystem, integrated framework and cross-application GRC functionality.
“We delivered the industry’s first comprehensive, integrated portfolio of governance, risk and compliance applications,” says Amit Chatterjee, Senior Vice President for the GRC Business Unit at SAP. “This framework embeds and optimizes all GRC activities to overcome the problems of fragmentation across enterprise business processes, address industry and company-specific compliance requirements, and protect and increase shareholder value.”
SAP’s business process expertise, industry knowledge and global presence position the company to deliver a comprehensive framework for addressing GRC management. In addition, recognizing the importance of the emerging GRC market, SAP purchased Virsa Systems – a longtime SAP partner – in 2006.
Partner ecosystem
Partners play a vital role in SAP’s ability to deliver and support integrated, end-to-end GRC solutions. SAP has assembled a network of partners that includes advisory services as well as implementation, technology and content partners. As a result, SAP’s customers can benefit from industry best practices as they optimize and extend their GRC solutions.
First integrated framework for GRC
SAP delivers an integrated framework that includes a comprehensive set of GRC tools. A centralized GRC repository serves as a hub for managing all GRC elements, ensuring consistency and efficiency. Although various applications run independently to support specific aspects of GRC, they help automate processes by aligning all information back to the central repository.
Cross-application GRC
The complexity of your business network requires that your GRC solutions be adaptable and flexible. SAP believes that business processes are not contained within a single application or function, but instead cut across an entire corporation or extended enterprise. To that end, SAP has built its solutions to integrate across multiple business applications. As a result, GRC becomes a seamless part of every business process.
Building your strategic GRC framework
Whether your company has begun implementing GRC solutions or is still refining its technology plan, one thing is certain: governance, risk management, and compliance will remain complex, constantly changing issues. To master this complexity, you need to focus on replacing piecemeal processes with a holistic framework.
“To tie up all the loose ends and leverage all of the interdependencies, customers today are looking for a platform that can address all GRC issues in a single consolidated framework,” concludes Chatterjee. “This platform is where companies can transform GRC into a strategic weapon—one that allows them to understand where their risks are, see how they can adjust those risks, and streamline the compliance process to free up more time for strategy and innovation.”
Successful track record
Around the world, hundreds of organizations rely on SAP software solutions to streamline and enhance GRC processes. The list includes leading companies such as: