SAP Brings Intelligence To Unified Governance, Risk and Compliance Apps

Governance, risk and compliance (GRC) challenges have been aroundfor a long time, even before some of the newest requirements set forthby the Sarbanes-Oxley Act and the Patriot Act. The trouble is, manyenterprises make things harder by separately addressing the componentsof GRC -- and even the individual applications and initiatives withineach category.

"Companies are starting to realize that they are handlingsimilar risk and compliance activities over and over again withdifferent applications, different capabilities and separateinitiatives," says Narina Sippy, senior vice president and generalmanager, GRC Solutions at SAP BusinessObjects. "Companies are nowlooking to lower GRC costs, and one way they can do that is to improvevisibility so they can see where there are shared risks anddependencies."

SAP's strategy has been to unify the disciplines of governance,risk and compliance, ensuring uniform and reusable policies andcontrols, wherever appropriate, deployed within business processesacross the enterprise. With last week's release of upgraded SAPBusinessObjects Risk Management and SAP BusinessObjects Process Controlapplications, the company says it's taking a next step to integrate GRCactivities by embedding dashboarding, analytics and reportingcapabilities from SAP BusinessObjects Xcelsius and Crystal Reports.

"With embedded analytics, we can give you insight into what'sgoing on in your business tied to key risks and business objectives,"Sippy explains. "These applications previously had key risk indicators,but they weren't as comprehensive as they are now, and we didn't have away to easily visualize what's going on in the business."

Executives utilizing the Risk Management application, forexample, can use the reporting capabilities provided by Crystal Reportssoftware to create, customize and distribute reports on, say, ongoingcompliance status or control activities. For a more proactive approach,Xcelsius-based dashboards can be used for real-time monitoring. Whenperforming a compliance review, heat-map visualization capabilitiesfrom Xcelsius can be used to present a prioritized view of whichactivities or locations across the enterprise present the highest riskof being out of compliance. In addition, predictive capabilities can beused to spur preventative action.

"If a particular plant is approaching a risk threshold, you cantrigger an alert that will prompt someone to review the complianceactivities related to that site," Sippy explains. "That user can thenput new risk mitigation plans in place, implement new controls orinitiate new activities that will ensure compliance."

SAP says that for many years it has focused on managingmultiple compliance programs centrally -- be it Sarbanes-Oxley, HIPPA,Patriot Act or other compliance mandates -- by ensuring consistent andcohesive policies and controls across initiatives. With the newlyembedded reporting and monitoring capabilities, the intent is to helpcompanies know when and where to take action to ensure compliance.

"We have customers that have thousands of controls and risks,and in many cases they don't know where to focus their energies," Sippysays. "With these upgraded applications, we're enabling them to quicklyand visually tie what they are doing in GRC with key performanceindicators, key risks and their overriding corporate strategy."