If you were to plot a graph outlining the number of organizations that are beginning to form a comprehensive governance, risk, and compliance (GRC) strategy, it would likely follow a similar trajectory to the rate of regulatory proliferation. New and changing regulations such as anti-bribery and corruption (ABC) statutes are increasing regulatory pressure to unprecedented levels, and stopgap GRC activities that do not encompass a proactive approach put a company at the risk of non-compliance and business disruption. Just as important, companies that regularly rely on reactive, patchwork measures in lieu of a robust GRC strategy expose themselves to very real and potentially devastating security breaches and fraud.
The door has slammed shut to the days when quarterly, spreadsheet-based internal audits sufficed. Organizations recognize that having a truly consolidated view of GRC issues that aligns with their overall business strategy is no longer merely a nice-to-have luxury. Costs for non-compliance that include damage to the brand, loss of revenue, fines and penalties, and proprietary theft far outweigh the cost of implementing a global GRC platform. And trying to make do with a fragmented GRC environment only increases costs and complexity as that approach introduces redundancies and fails to protect against threats on the horizon.
Companies that adopt a forward-looking, proactive approach to GRC recognize that having a global GRC platform does much more than check off the box on compliance. An increased understanding of a business’s appetite to take on risk can aid an organization in exploring new revenue streams, for example, by fully capitalizing on emerging trade agreements such as the Trans-Pacific Partnership. Other hidden benefits include identifying new opportunities, enhancing one’s brand, and increasing market access. Overall, this helps to drive improvements in operations and even streamline business processes.
3 Cornerstones of GRC Success
This backdrop serves to explain the reasons why SAP’s GRC strategy has evolved from one in which automating and centralizing data was the starting and ending point for shoring up risk factors to one that places GRC at the very center of a business strategy. There are three cornerstones to this strategy converging to provide the business with the means to make better and more informed decisions:
- Simplify GRC
- Gain insight from it
- Strengthen the organization to anticipate GRC-related needs and opportunities they may create
SAP offering a global GRC platform is not new. But embedding GRC activities into underlying business processes is the key to transforming GRC from an afterthought into a true partnership with the business. Embedding GRC best practices into business processes drives simplicity in the organization by eliminating the redundancies that traditionally crop up when putting new programs in place with every new regulation or perceived threat that appears. A single, unified, SAP HANA-enabled GRC platform eliminates duplication, manual effort, and errors, and provides the real-time visibility that organizations need to proactively respond to any threat or compliance issue.
GRC is a focal point of SAP’s overarching Run Simple message because it is unique in how simplification can positively affect the landscape, and thus the business. When new threats result in new programs and processes, building siloed, redundant, and error-prone controls, policies, and technologies only serves to increase complexity, which may actually increase risk. Embedding GRC activities directly into business processes makes GRC a natural step in a business process rather than a separate process altogether. For example, complying with ABC regulations in a new jurisdiction shouldn’t require building new internal processes and controls. Leveraging existing processes and embedded controls documented in and reusable from an enterprise GRC platform saves time, prevents mistakes, and enhances compliance.
When GRC is no longer an afterthought, true business impact and insights can be derived, nearly instantaneously, and leveraged to optimize business decisions. Business decisions can be projected into the future and GRC activities can be modeled accordingly, which goes hand in hand with helping an organization understand its risk appetite. With GRC embedded into business processes, companies can identify business and regulatory trends and model for different situations and outcomes, as well as detect potential business anomalies such as fraud, waste, and abuse. A global organization added millions to its bottom line by analyzing data patterns with SAP solutions for GRC to identify travel expense errors that were being constantly repeated and costing precious discounts, rebates, and tax savings.
Leveraging a comprehensive GRC platform not only to detect and predict business impacts and anomalies before they happen, but to explore unexpected business opportunities helps strengthen the business in ways that just weren’t possible with a reactive approach to GRC challenges. When a business fully understands how certain regulations or trade agreements intersect with its business strategy, it can shape its response and be prepared for potential future outcomes. That might be an extreme example, but it speaks to an unprecedented level of preparation that an integrated GRC platform enables.
In addition, having this platform in place demonstrates that a company has taken the reasonable care to be compliant, which is a mitigating factor that can significantly reduce the cost of enforcement actions. Enforcement has shown to be nearly three times more costly than had an organization made the proper compliance investments.1
The GRC Future Is Now
In some ways, penalties have historically been an assumed cost of doing business. Not necessarily because of deliberate malfeasance, but because technology limitations prevented corporations from bringing GRC considerations into the business decision-making process. This is not the case today, with SAP solutions for GRC, SAP HANA, and the entire state-of-the-art analytics portfolio at the forefront of technology advancements that are helping drive better business decisions in GRC. With SAP Fiori, users have a consistent, streamlined, modern user experience across the device spectrum that also helps drive insight.
As regulatory proliferation continues, SAP’s goal is to continue to invest in and evolve the GRC suite, embedding deeply into business processes. We see this today with SAP solutions for GRC already embedded into what is available on SAP Business Suite 4 SAP HANA (SAP S/4HANA), and this will hold true as GRC continues to be an integral component of additional business processes and the applications supporting them that run on SAP S/4HANA. A truly comprehensive GRC suite is more than enterprise GRC. Security is an integral part of navigating risk by preventing large-scale data breaches affecting end customers. Because of this, SAP’s GRC strategy includes deepening the existing integration between its information security and enterprise GRC portfolios to provide unprecedented identity governance and administration capabilities.
It is no accident that SAP solutions for GRC are top of mind for new and installed SAP customers as the global market leader in the enterprise GRC space. We carefully designed and executed our strategy to build on the trust our customers put in the SAP brand. Through SAP’s unparalleled services and partner network, SAP will continue to deliver GRC and security solutions that simplify GRC, provide unique business insight, and strengthen businesses for the road ahead.
1 Ponemon Institute LLC, “The True Cost of Compliance” (2011). [back]