Governance, risk and compliance activities are perceived by many
as a necessary evil, but if you have a consistent approach, good
automation capabilities and a mature organization, GRC can evolve
from a cost into a driver of improved performance.
That's the promise, says SAP, but the supporting technology has
to help with the consistency and automation part. That's the idea
behind version 10 of SAP BusinessObjects GRC software, a major
platform release announced on Wednesday.
The new GRC release is touted as a consistent platform
comprising four distinct products: Access Control, Risk Management,
Process Control and Global Trade Services. SAP has been working for
three years to get all of these modules onto the same code base and
a parallel development path. The Risk Management and Process
Control modules were the first to be unified in a 2009 release. But
in version 10, all four products have a consistent look and feel
and follow standard SAP development and deployment approaches.
Consistency and a common look and feel will deliver big gains in
productivity from a management, training and usability perspective,
SAP said. In terms of development and deployment, the entire suite
is now a single install, but you can still purchase the modules
individually. New modules are unlocked and exposed through a
simple matter of licensing rather than separate installation. All
modules share the same components, data model and access to SAP
services. And as organizations identify risks and create and
customize mitigating controls, they are immediately shared across
all modules.
The biggest change with version 10 is in the Access Control
module, a popular product that was previously written in Java. Now
that Access Control is built on the standard NetWeaver stack, SAP
developers can use familiar ABAP (Advanced Business Application
Programming) capabilities.
"In version 10 if you need to do an upgrade or patch on Access
Control, you don't have to reinstall the application; it's a
non-disruptive upgrade that can be handled in minutes rather than
hours or days," said Jim Dunham, group vice president, GRC
Solutions, SAP.
Upgrades to core compliance capabilities include new embedded
business intelligence capabilities, better support for vertical
industry and line-of-business content, an industry-standard
"bow-tie" visualization capability for risks, and finer granularity
for security controls.
The new embedded BI functionality includes practitioner and
manager dashboards and reporting capabilities drawn from the recent
SAP BusinessObjects 4.0 release. Coupled with the data-sharing
capabilities of the new platform, the BI capabilities are said to
include more powerful analytics. When identifying risks around a
new-product introduction, for instance, users can model risks such
as supplier problems, IT project delays and international licensing
disputes as well as mitigation strategies to predict outcomes and
make more risk-aware decisions.
"Sourcing, IT and trade-related problems can make or break a
new-product introduction, and that's rich information that can now
be analyzed from your compliance initiatives and your
risk-management infrastructure," Dunham said.
A new Content Lifecycle Manager introduced in version 10 is
said to make it easier to import new regulations and supporting
industry and line-of-business content into the compliance
environment. These efforts previously required work on the part of
systems integrators, but the lifecycle manager imports and applies
version controls to compliance content from SAP partners such as
Deloitte, PricewaterhouseCoopers, Ernst & Young and others.
When you move to a new release or an upgrade of SAP Business Suite,
the Lifecycle Manager migrates all your mappings of risks, KPIs,
controls, processes and values into the new system deployment.
To help business users see and understand risks, the SAP
BusinessObjects GRC release includes a new Visual Bow Tie Builder.
Commonly used in compliance circles, bow tie charts depict risk
events as the center knot of the tie, risk drivers fanning out as
the left side of the bow and risk impacts fanning out as the right
side of the bow.
"There are other visual Bow Tie tools out there, but SAP is the
first to put it into an enterprise platform, attach a central
repository, pull in compliance content from partners and make it
actionable, meaning we've tied the controls seen in the bowtie
directly into the compliance system," Dunham said.
In another notable upgrade, GRC version 10 supports finer
granularity on security controls so managers have flexibility in
granting compliant access to transactional capabilities. Whereas
the previous release tended to turn access to, say, order-to-cash
processes either on or off, the upgrade supports clauses on
privileges whereby a clerk might be granted conditional
authorization to execute certain aspects of a transaction.
This feature comes in handy in close cycles, when companies
sometimes chafe against overly restrictive controls that get in the
way of timely consolidation.