Steve Biskie, Managing Director of High Water Advisors, and Kevin McCollom, SAP Global VP and GM of SAP GRC Solutions, discuss the direction of SAP GRC at the SAPinsider GRC2015 event in Las Vegas. This interview, conducted at SAPinsider Studio, focuses on where GRC is headed and why. Topics of the discussion include:
- SAP S/4HANA and what it means for the SAP GRC suite
- What building real-time information, compliance, risk management and governance directly into an organization's existing business processes means for the future of GRC
- The future of the audit with SAP
This is a transcript of the discussion:
Steve Biskie, High Water Advisors: Hi, I’m Steve Biskie, Co-Founder and Managing Director of High Water Advisors. Here again with Kevin McCollom, Global Vice President of GRC Solutions for SAP. Kevin, it’s been a year since the last show, any introductory words you want to share?
Kevin McCollom, SAP: First of all, it’s good to see you again Steve, it’s always a pleasure. And yes, it was about a year ago at this time we sat down – this is the first big show of the year and I’d like to say thanks to the WIS folks and to Riz personally. This is the best show yet, best venue yet, attendance is way up for the GRC portion as well as for the conference overall. I think it’s reflective of the great year that GRC had both from a market buzz perspective as well as business results. So I’m looking forward to getting the year off on the right foot.
Steve: One of the things we’re hearing at this conference Kevin is the innovation agenda with GRC. Can you tell us a little bit about what that is?
Kevin: We put a little bit of emphasis on that in the spotlight presentation. I did a time lapse and over the successive years of presenting the spotlight presentation which is really a portfolio flyover of the full GRC portfolio, the first portfolio slide had four core solutions on it: Access Control, Risk Management, Process Control, and Global Trade Services. Now those still form the core of the solution. Around that, we have at least 10 other additional solutions, part of our innovation, partly from partner innovations that we’re reselling (because) we think so highly of them. Our Greenlight partners, our NextLabs partner soon to be announced reselling relationship there, as well as brand-new products and continuous innovation. So a great innovation agenda, part of our mantra within GRC is to continue to stay ahead of the curve of where governance, risk, and compliance is going and to support customers, simplify in line with the overall run simple messaging at SAP. Simplify their lives – it’s just untenable for them to try to manage governance, risk, and compliance without automation. Help them not only manage it but master it, gain insight from all of the mountains of big data that they have; talking about how the company is performing, complying, and optimizing to meet their business objectives. And then finally strengthening organizations to be able to respond for whatever may fall in their way, from a compliance perspective, a business opportunity that they need to assess the risk of to determine if they have the appetite to take it. So we want to help strengthen them so they can respond and be very resilient. So the innovation agenda continues to be a strength for us.
Steve: Speaking of that agenda, one of the things I’m hearing is S/4HANA. I’m a simple guy, I’m an audit and compliance professional; what does that mean to me?
Kevin: So S/4HANA – I’d like to tip my hat to our marketing folks, there’s long been a rumor that HANA was the R/4, but we trumped that from a marketing perspective – it’s the S/4, it’s the next-generation of SAP flagship solutions. And GRC is not only part of the first wave of S/4HANA solutions, Simple Finance is the first really S/4HANA core solution that is fully out in the market and along with our brethren in the Enterprise Performance Management (EPM) team and the core financials team, GRC is one of the three solutions that is part of that portfolio from a technical integration and a go-to-market perspective. So we’re already one of the card-carrying members of the solution. It only makes sense, GRC is a foundational, fundamental technology. And it needs to be there for monitoring of all business processes.
Steve: Tell me what this means though, Kevin, because as an audit and compliance professional my job is pretty straightforward; I’m monitoring business, I’m monitoring controls – what does the HANA piece do for me?
Kevin: Well, a couple of things. First of all, the HANA piece gives us the ability to deliver real-time information about compliance, about risk. There are a couple of models of how you can deliver governance, risk, and compliance capabilities to the business. One model would be second order monitoring solutions, and those are critical. And that’s about what most customers are asking for these days, second-order solutions; how am I doing on controlling and mitigating this risk? What is my risk appetite? Those are largely decision support type tools as well as compliance tracking tools. We have another model that is already deeply embedded within the GRC portfolio, I’ll use Global Trade Services as an example which is part of our portfolio. It is a true real-time compliance system, looking at every single transaction, looking at every single on-boarding of a brand-new business partner and ensuring that we know the business partner, we know the transaction – we’re compliant and we’re optimizing the business process using governance, risk, and compliance tools. So, if you would, GRC fully embedded in the processes. S/4HANA, and HANA itself, gives us a chance to open the can on all the existing business processes whether it’s logistics, whether it’s finance, and much more deeply integrate the rest of the GRC portfolio so it’s not only real-time information, but real-time compliance, real-time risk management, real-time governance built right into the processes. So it’s governance, risk, and compliance as a matter of fact and deeply embedded within processes and not just the second-order monitoring functions.
Steve: So if I’m understanding right, with S/4HANA instead of my audit report which says “This happened six months ago, nine months ago,” it’s saying “This happened last week and what are we doing about it?”
Kevin: Right. It even says in real-time; (envision) we’ve had a number of vendors bill us early before the terms have expired and they’re having an impact on our cash flow. Let’s have a control to monitor that, to manage the overall solution; so that’s the monitoring piece. But now let’s have embedded GRC so that we are detecting that on the cusp of when it happens so that before the next payment run happens we can go back to the vendor and say “We need to respect our terms, so that we can enhance our own cash flow.” So offering real value to the business in real-time.
Steve: Now speaking of value, one of the things that was new last year that I’m pretty excited about is that we’re now starting to see solutions for auditors as well, both internal auditors and external auditors. Can you tell us what’s new on the audit side?
Kevin: Well, there’s not much I can tell you about audit because I know you are an audit pundit in your own right. And actually we’re looking to High Water Advisors and you personally as well as the rest of our partner ecosystem – but predominantly pundits like yourself to help get the message out there that the vision, the promise of continuous risk-based auditing is real with SAP Audit Management. So this is SAP’s brand-new internal audit management solution. We still have the NetWeaver Audit Management capability and we’ll continue to support that. This is truly an end-to-end solution built for auditors by auditors; our own audit department as well as the audit departments of a number of our prominent customers provided the requirements and said “Here’s how we do our daily business, here’s how we collaborate.” Task and resource management, scheduling, time and expense management because audits cost money, audits are complex to schedule – all of those types of things front-ended by linkage to GRC Risk Management so we can risk rate our audit universe. So we’re auditing the right things and the things that mean something to the organization and then on the back-end applying controls to all the findings to ensure A) they’re remediated as quickly as possible and B) we don’t stub our toe on those issues again. So how am I doing for an audit layperson in explaining how continuous risk-based auditing can be delivered on GRC Audit Management?
Steve: I love it. You hooked me at continuous, Kevin. You know, it’s interesting, one of the trends that I’m starting to see in a lot of our companies is historically audit’s been a bit of a dinosaur, right? And I can say that, I’ve been in the profession for a while. But historically we’ve done these once-a-year audit plans, maybe once a quarter we do some updates, but it’s more conversational type updates. And this whole trend of continuous risk assessment, of being able to move that into the audit cycle as well so, as you said, we’re auditing what’s most important in the organization. I think that’s fantastic. I was joking with a colleague recently that my red and blue pencil that we used to use for tick marks is going away because you’re delivering this on mobile technologies now.
Kevin: Absolutely. And that’s another benefit of S/4HANA and the fact that SAP GRC was one of the earliest adopters from a technology perspective of the HANA portfolio, the HANA suite, audit management, all the GRC solutions for that matter are compatible and run on top of the HANA technology stack as well as using Fiori as a front-end. So you can run it anywhere, anytime on any device that simply has an HTML 5.0 compatible browser, and everybody’s device unless it’s an old cellphone from 1993 has the capability to run Fiori. So exactly right; anytime, anywhere, any device. Field auditing, take a picture of something, an exhibit in the field with your iPad, upload it, and you’ve got the artifact. That’s the type of capability it brings.
Steve: Real-time, anywhere, on-demand with insight into what’s going on in the organization in real-time. It’s going to change the way we work.
Kevin: We’re hoping so.
Steve: Kevin I appreciate it.
Kevin: Great to chat with you.