Governance, risk and compliance (GRC) challenges have been around for a long time, even before some of the newest requirements set forth by the Sarbanes-Oxley Act and the Patriot Act. The trouble is, many enterprises make things harder by separately addressing the components of GRC -- and even the individual applications and initiatives within each category.
"Companies are starting to realize that they are handling similar risk and compliance activities over and over again with different applications, different capabilities and separate initiatives," says Narina Sippy, senior vice president and general manager, GRC Solutions at SAP BusinessObjects. "Companies are now looking to lower GRC costs, and one way they can do that is to improve visibility so they can see where there are shared risks and dependencies."
SAP's strategy has been to unify the disciplines of governance, risk and compliance, ensuring uniform and reusable policies and controls, wherever appropriate, deployed within business processes across the enterprise. With last week's release of upgraded SAP BusinessObjects Risk Management and SAP BusinessObjects Process Control applications, the company says it's taking a next step to integrate GRC activities by embedding dashboarding, analytics and reporting capabilities from SAP BusinessObjects Xcelsius and Crystal Reports.
"With embedded analytics, we can give you insight into what's going on in your business tied to key risks and business objectives," Sippy explains. "These applications previously had key risk indicators, but they weren't as comprehensive as they are now, and we didn't have a way to easily visualize what's going on in the business."
Executives utilizing the Risk Management application, for example, can use the reporting capabilities provided by Crystal Reports software to create, customize and distribute reports on, say, ongoing compliance status or control activities. For a more proactive approach, Xcelsius-based dashboards can be used for real-time monitoring. When performing a compliance review, heat-map visualization capabilities from Xcelsius can be used to present a prioritized view of which activities or locations across the enterprise present the highest risk of being out of compliance. In addition, predictive capabilities can be used to spur preventative action.
"If a particular plant is approaching a risk threshold, you can trigger an alert that will prompt someone to review the compliance activities related to that site," Sippy explains. "That user can then put new risk mitigation plans in place, implement new controls or initiate new activities that will ensure compliance."
SAP says that for many years it has focused on managing multiple compliance programs centrally -- be it Sarbanes-Oxley, HIPAA, Patriot Act or other compliance mandates -- by ensuring consistent and cohesive policies and controls across initiatives. With the newly embedded reporting and monitoring capabilities, the intent is to help companies know when and where to take action to ensure compliance.
"We have customers that have thousands of controls and risks, and in many cases they don't know where to focus their energies," Sippy says. "With these upgraded applications, we're enabling them to quickly and visually tie what they are doing in GRC with key performance indicators, key risks and their overriding corporate strategy."