A Holistic, Enterprise-Wide View of GRC

How People, Strategy, and Technology Come Together to Manage Risk

by Scott Osterman and Bruce McCuaig | SAPinsider, Volume 16, Issue 4

October 1, 2015

In today’s GRC environment, companies cannot afford to simply react to threats — they must anticipate them. A holistic GRC management program that leverages the right technology with the right people can do just that. Hear how your company can set up the “three lines of defense” to stop risk before it stops you.


Increasing risk and regulatory complexity are the biggest pressures on organizations' governance, risk, and compliance (GRC) functions. Most businesses, however, direct their GRC effort at reactive measures, typically security and controls improvements made after the fact, without thinking proactively about setting up a holistic GRC program that can adjust as new regulations take form and new risks appear.

SAP market observations suggest that integrated, holistic GRC approaches where organizations are continuously and proactively monitoring risk aren’t yet prevalent among enterprises. While some companies are further along in their GRC journeys, whether that’s embracing mobile, SAP Fiori-enabled technologies or managing security around SAP HANA, many are still having trouble grasping the bigger picture. An SAP-sponsored survey of more than 1,000 executives with responsibility for GRC in their organizations found that just 17% of companies were using any continuous monitoring capabilities, meaning that the rest were relying on a combination of manual spreadsheets and disparate solutions across different organizations and groups.1

The technology is available. SAP solutions for GRC — including SAP Access Control, SAP Process Control, SAP Risk Management, SAP Fraud Management, and SAP Audit Management — provide the capabilities for companies to continuously monitor their systems and risks, allowing them to set up a GRC program that has real impact to the organization. The gap, therefore, isn’t technology; the gap is capability, motivation, and governing the future rather than the past.

This gap exists because most enterprises have taken a fragmented approach to GRC. Because professional standards and regulators do not require a holistic, integrated approach, companies often have employees tasked with monitoring controls operating separately from those who are focused on enterprise risk management at the corporate level. These functions too often work in silos; they don’t talk to each other, work together, or integrate properly to ensure that risks are mitigated. Moreover, many companies are still without risk management processes at all, and operate with a reactive approach to business changes. Executives therefore grow frustrated with the lack of visibility, and control failure becomes the biggest organizational risk. A consistent framework is needed to guide the allocation of accountability and the integration of information. Without it, businesses not only fail to manage risk and compliance optimally, but they also fail to achieve the proper return on their GRC technology investment.

3 Lines of Defense

A holistic approach to GRC means implementing compliance, process, audit, and risk on integrated platforms that are operated by collaborative teams that drive GRC practices into critical business activities and monitor progress at an enterprise level.

SAP's GRC portfolio is organized around the "three lines of defense" model, which outlines how a business can find the best way to manage any given risk (see Figure 1). The methodology behind this concept is as follows:

  1. Control risk and manage compliance in business activities. The first line of defense is the business itself: business units own the risks in their operations and monitor and evaluate the related controls.
  2. Identify, measure, monitor, and report risk and compliance at the enterprise level. The second line is the risk management function, which provides the frameworks operations work within, assesses risk management practices across the enterprise, and takes action where they fall short.
  3. Provide assurance, insight, and advice. The third line rests with internal audit, whose audits independently confirm that the framework in place is effective and that risks are being properly tracked and mitigated.

Figure 1: SAP’s “three lines of defense” methodology

With this methodology, an enterprise can assign each risk to the line best placed to manage it, and report progress back to its top executives and board.

It also enables the organization to get the most out of its technology investment. A holistic team working with integrated data can realize the value of SAP solutions for GRC. Some companies are unsure as to how exactly to treat risks: How do you even get started assessing something as daunting as risk management across an enterprise? SAP recently released SAP GRC Strategy Selector, an iPad app that is designed to assess risks, propose a risk management strategy and primary line of defense for each risk, and also suggest the most appropriate SAP solution to enable the line of defense.2

With the right methodology and technology in place, it’s important to have the right people on board, both within the organization as well as from outside thought leadership and consultants such as PwC.

Redefine the People

A compliant environment starts in the boardroom. While maintaining a compliant environment does mean addressing some issues reactively, from audit findings to breaches, executives must not lose sight of the fact that there are broader, pervasive risks common to all organizations that need to be monitored and addressed.

Throwing technology at risk management is only part of the solution. A solution that monitors a set of controls or tracks data for a given regulation but never reports its findings to the highest levels of management is inadequate. The right people need to be in place to ensure the synergy between technology and strategy. One of the issues companies face with GRC is that they have no one at the C-level whose chief responsibility is risk and compliance: a chief risk officer. Without someone at this level directing the GRC actions and framework, organizations will continue to manage GRC at a tactical, rather than strategic, level. In the absence of a chief risk officer, however, the C-suite executives in charge of finance, risk, compliance, operations, and audit can together lead and promote the three lines of defense.

Going Forward

Having a holistic GRC strategy involves putting the right people and technology in place and ensuring that they work in tandem to execute GRC processes enterprise-wide. With such a view of GRC, you can ensure your organization is headed in the right direction to combat future uncertainty and protect your data. For more, visit

1 Loudhouse, "Managing Risk in an Age of Complexity" (2015).

2 For more about the app, see

Scott Osterman

SAP Security and SAP Access Control
Practice Leader

Bruce McCuaig

GRC Product Marketing
