The pace of regulatory activity globally continues to increase at an astonishing rate. Identifying, understanding, and complying with all these regulations puts more stress on the internal teams responsible for managing these issues. According to a recent survey, 69% of the corporate audit executives polled said increased cost was the top impact that regulation was having on their organizations.1 A focus on regulatory compliance also prevented 36% of respondents from devoting resources to higher-value activities.
With rising costs associated with compliance, some organizations question whether governance, risk, and compliance (GRC) programs generate the proper return on investment (ROI). The risk of non-compliance, however, is simply too great. The average cost of compliance for organizations is $3.5 million, but the average cost of non-compliance-related problems is nearly $9.4 million.2
The pressure is on. Risk and compliance teams are stretched thin when it comes to managing regulation. However, with the right processes and solutions in place, compliance and risk activities can add value instead of a burden.
Mapping GRC to the Organization’s Strategy
Compliance and risk management have to be integrated into every business process, not only managed by a central team. SAP customers routinely tell us the practice of having compliance and audit teams inserted into organizations is too disruptive to the business and does not provide a full view of an organization’s activities. A company’s overall risk appetite must map to its strategic priorities, so a risk management strategy cannot be set without buy-in and top-down support from the C-suite or at the board level, where overall strategy is developed.
Think of the GRC maturity path for most organizations as a pyramid. At the bottom of the pyramid are organizations that conduct GRC activities in silos that do not necessarily create value for the organization — a controls implementation for accounts payable, for example. This maturity level represents the wide “base” of the market today.
The second level of the maturity pyramid represents organizations that have integrated compliance and risk management activities into their business processes. Simply conducting the accounts payable process, for example, as it is designed achieves compliance and addresses risk.
At the third and highest level, GRC activities are aligned very specifically and directly with those activities that create value for the business. Rather than focusing only on compliance in areas such as accounts payable, organizations at this level focus risk and compliance activities in areas such as new product design in manufacturing, or exploration in the oil and gas industry — business processes that truly bring core value to the business.
This value pyramid concept is not hypothetical — it is based on conversations we have had with customers challenged by simply keeping up with the increasing volume and breadth of risk and compliance issues. They spend valuable time and resources scrambling at the lowest maturity level and never get to the level of tying GRC activity to ROI.
SAP’s goal is to help these organizations make that progression and use their GRC investments not only to manage compliance, but to drive business value.
New Solutions, New Directions
The good news is that technology is evolving to help companies move up the GRC maturity pyramid. In fact, technology is progressing along its own maturity path. It is becoming not only more extensive, but also more flexible, so it can keep up with changing regulations.
By working closely with our customers and partners, as well as by using them internally, SAP ensures that SAP solutions for GRC — including SAP Access Control, SAP Process Control, SAP Risk Management, SAP Audit Management, SAP Fraud Management, SAP Global Trade Services, and SAP Electronic Invoicing for Brazil — provide the depth, breadth, flexibility, and integration that organizations need. Most customers begin their risk and compliance activities with a specific initiative — a risk or compliance issue that may hit their business directly. While it may be tempting to solve this challenge with standalone, niche solutions, they lack the broader, holistic view of risk and compliance, and will struggle to help an organization maximize the ROI of its GRC program.
For example, the Sarbanes-Oxley (SOX) regulation was a significant driver for the implementation of GRC strategy and technology. Many customers started with SAP Access Control and SAP Process Control as a way to ensure SOX compliance. These customers can configure these solutions to address more recent regulations as well. The flexibility these solutions afford has reduced the amount of work required to comply.
Moving Forward Collaboratively
One of the ways SAP customers achieve such breadth when it comes to GRC solutions is through the SAP partner community. While SAP expands its own solution suite in areas such as fraud and audit management, SAP partners will continue to develop complementary solutions and services that customers seek.
SAP’s GRC partners range from large global advisory firms to specialized niche players that are working with customers on the front lines of their GRC challenges and can serve as important advisors on strategy and direction. SAP is continually co-innovating and collaborating with both customers and partners to ensure our solutions can be extended to meet the latest GRC requirements.
The roadmap for SAP solutions for GRC will continue to move in exciting new directions. It will progress to include more advanced analytics and identity governance capabilities, and eventually will reach a point at which GRC functionality is embedded into every business process in an organization. For more information, visit us at www.sap.com/pc/analytics/governance-risk-compliance.html.
1 Grant Thornton, “The Unseen Costs of Meeting Compliance Requirements” (March 2014; www.grantthornton.com/issues/library/survey-reports/advisory/2014/CAE-Survey-costs-of-compliance.aspx). [back]
2 Ponemon Institute, “The True Cost of Compliance” (January 2011; www.tripwire.com/tripwire/assets/File/ponemon/True_Cost_of_Compliance_Report.pdf). [back]