Expand +



GRC by the Numbers: ASUG/SAP Benchmarking Study Reveals Early Trends in Governance, Risk, and Compliance Initiatives

by Steve Strout | SAPinsider

January 1, 2008

Find out how the SAP/ASUG benchmarking program has helped more than 200 companies across over 12 industries discern their strengths (and weaknesses!) regarding their GRC practices.

Steve Strout

Benchmarking gives companies a framework for comparing themselves to the competition, a foundation for closing performance gaps, and a way to measure continuous improvement. But good benchmarking involves more than just facts and figures. A successful benchmark starts with an understanding of its goal; a primary goal of the ASUG/SAP Benchmarking Program is to attain best-practice insight and actionable information to improve business processes.

The ASUG/SAP Benchmarking program not only collects metrics and best practices to compare the effectiveness and efficiency of a company's processes and systems against those of its competitors (see sidebar), but also uses intimate knowledge of industry best practices to generate actionable results.

Good benchmarking is more than just giving facts and figures. A successful benchmark starts with an understanding of its goal; a primary goal of the ASUG/SAP Benchmarking Program is to attain best-practice insight and actionable information to improve business processes.

One of the most recent benchmarking efforts focuses on governance, risk, and compliance (GRC). Though regulatory pressure drove initial interest in GRC, now companies are thinking about how to wield GRC initiatives to add business value by improving operational decision making or strategic planning.

The benchmarking study is still in progress. But as you review your own GRC strategy, here is a preview of some of the study's general trends and results.

The ASUG/SAP Benchmarking Program: Quick Facts

  • The ASUG/SAP Benchmarking Program was launched in 2004 as a strategic service for ASUG member companies.

  • Through the program, SAP customers can identify strengths and opportunities for improvement in adopting best practices.

  • After completing an in-depth survey, participating ASUG members get a free, customized, comprehensive report comparing their processes and systems with best-in-class key performance indicators (KPIs).

To learn more, visit Also see "Good Benchmarks Are Hard to Find — Or Are They?" a Q&A with ASUG's Mike Perroni in the January-March 2007 issue of SAP Insider (

Benchmarking Study Divulges Early GRC Trends, Challenges, and Results

In September 2006, SAP and ASUG began collaborating on a GRC benchmarking study. Companies representing a wide variety of industries continue to submit their confidential surveys, from which SAP comprises data averages (see Figure 1).1

Figure 1
Demographics of GRC benchmarking study participants by industry

The data gathered to date has enabled ASUG and SAP to provide participants with actionable results in the form of recommended GRC best practices. These studies have also provided valuable insight into current GRC trends developing in the market. What follows is a sampling of these findings:

  • The primary driver of GRC initiatives is companies' compliance with government mandates

  • Defining and communicating enterprise-wide risk is an area where companies have a significant disconnect between the importance of related best practices and the extent to which they have been implemented

  • A majority (79%) of participating companies have seen a reduction in significant deficiencies, material weaknesses, and control violations as a result of their GRC efforts (see Figure 2)

  • The top GRC challenges include manual control activities, difficulty quantifying management effectiveness, lack of enterprise business transparency, and complex IT landscapes (see Figure 3)

  • On average, companies with a higher degree of automation-related best practices have better-than-average performance on labor-related KPIs

  • Most organizations have an executive responsible for GRC and take a hybrid approach to managing it, with responsibility falling equally between finance and the business units

Figure 2
Benchmarking results indicate the impact of GRC investments

Recent Webcast Unveils GRC Trends

ASUG and SAP hosted a GRC-focused Webcast in late September 2007. Based on the results of the benchmarking study thus far, the Webcast focused on:

  • Defining what GRC and corporate governance means for your business

  • Understanding GRC measures of effectiveness

  • Aligning business and IT organizations around GRC

  • Being able to identify and minimize risk areas

  • Correlating compliance automation and labor requirements

The Webcast also shared information on how companies have rated the effectiveness of their GRC initiatives in addressing the main challenges of compliance.2 This Webcast is just one example of the types of information and services available to ASUG members who participate in the user group's benchmarking program.

Top GRC Challenges
(1 is most challenging, 10 is least challenging)
Forecast for 3 Years from Now (average)
Control activities are manual and take up
too much time
4.3 4.5
GRC management effectiveness is difficult
to quantify and measure


GRC management is fragmented at a departmental, divisional, or regional level, making it difficult to attain enterprise-wide business transparency 4.6 4.0
Necessary information is contained in complex and heterogeneous IT landscapes 4.7 4.3
Figure 3
Surveyed companies were asked to rate GRC challenges

How to Participate

If you'd like to participate in the compliance benchmarking study — or any other ASUG/SAP study (in areas ranging from finance to manufacturing to business intelligence and analytics3) — and receive an individualized analysis report, visit

ASUG members looking to garner even more GRC information should join ASUG's new GRC Community. The GRC Community hosts free educational activities about SAP's newest GRC product features and functions. For example, the Community's next Webcast, scheduled for January 2008, will focus on environmental, health, and safety compliance.

The ASUG GRC Community, which also has focused content areas and online discussion forums on, is in a unique position to help influence and prioritize the development roadmap for SAP's GRC solutions.

How effective have GRC initiatives been to...? Average Rating
Protect company brand and reputation
Detect and prevent fraud
Improve accuracy of corporate forecasts and decision making
Reduce resources spent on compliance
Improve operational effectiveness and streamline business processes
1= GRC initiatives have not been effective 5= GRC initiatives have been very effective
Figure 4
Benchmarking results for the corporate effectiveness of GRC initiatives

1 The GRC benchmarking study also includes data from a finance benchmarking study that SAP and ASUG conducted in late 2005. Data from more than 200 companies comprises the finance benchmark database averages.

2 See the online version of this article at for additional benchmarking results.

3 For a complete list of all benchmarking studies, see

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!