In this interview, SAP VP and GM of GRC Solutions Kevin McCollom talks with Steve Biskie of High Water Advisors about SAP's roadmap and strategy for GRC solutions. Topics covered include:
- The status of GRC solutions in the cloud and on SAP HANA
- The path to SAP HANA for SAP GRC users
- The impact of mobility on SAP GRC
- A detailed look at SAP Fraud Management and SAP Audit Management
View the video and read the edited transcript here:
Steve Biskie, High Water Advisors: Hi, I’m Steve Biskie with High Water Advisors. Here today with me is Kevin McCollom, who is the vice president and general manager of SAP GRC solutions.
Kevin, we’ve known each other for a while, and I know at the last conference one of the big trends that SAP was talking about was the move towards big data analytics supported on both HANA and cloud. How’s that affecting the GRC space?
Kevin McCollom, SAP: Well, we talk a lot about HANA at SAP, but what that really means to GRC users, GRC customers, and SAP customers in general, is that it’s the gateway to the cloud for SAP solutions.
GRC 10.1, our newest release, which is now fully in general availability, is all HANA-available -- or HANA-able, HANA-capable -- and what that means is that GRC on the cloud is a reality.
We have the entire core suite available on HANA, as well as a number of new HANA-based innovations, so HANA-native applications such as Fraud Management and Audit Management.
As I said, this is the gateway to the cloud, the gateway to unlocking the power of the mobile environment. HANA is the platform of the future for SAP applications. GRC is one of the earliest adopters of the HANA platform. We’re one of the first groups at SAP to have our entire suite HANA-capable.
Steve: And for organizations that aren’t on HANA yet, what’s the typical path for them on the GRC side? Do they have to go HANA for the entire SAP ERP system, or are they able to move to that with just GRC?
Kevin: Good question. So, HANA remains an option for the core GRC application, and that’s Access Control, Process Control, Risk Management, Global Trade Services. So it’s an option for you. For the new kids on the block, Audit Management - which we’ll talk a little bit more about, I think - and Fraud Management, those are HANA-native applications and require HANA to run. But the beautiful thing when you talk about a roadmap to getting to HANA is that with the cloud, it really doesn’t matter. With SAP’s cloud, the HANA Enterprise Cloud, we do all the hosting, we do all the application management. There are entirely new commercial models to deliver solutions, including subscription-based pricing.
It doesn’t matter what the hardware is, it doesn’t matter that it is HANA, all the user needs to know is here’s the application. Or all the customer needs to know is, here’s the applications I need access to, the parts of the application I need access to, and then, let SAP set that up on the HANA Enterprise Cloud for you, and you’re ready to go.
Steve: So you’ve basically taken the “how to do it” out for the customer, provided that for them and allowed them to migrate to these applications a lot quicker than in the past.
Kevin: Precisely. And a lot of the innovation that we’re doing with GRC is focused around helping customers attain that full cloud experience. It’s a lot more than just hosting something on a really fast set of hardware, which is what HANA is. It’s also ease of use: people expect cloud applications to be easy to use, to be available for a subscription-based price, to be maintained for them.
Think about your cell phone, your iPhone. You get automatic updates for your iPhone apps, they’re easy to install, fairly non-disruptive, and those are the types of things that customers expect from the cloud. Those are the types of things that SAP GRC delivers, starting with the 10.1 release on the HANA Enterprise Cloud.
Steve: Kevin, you’ve mentioned two different applications that are pretty new to the GRC portfolio, both Fraud Management and Audit Management. Can you tell us a little bit more about both of those?
Kevin: Sure. So in keeping with SAP’s strategic application and database platform, HANA is also an application platform in its own right, so there are HANA-native applications written for HANA, written to exploit all the power, the speed, the data compression, and data security tools, that HANA has to offer.
Fraud Management and Audit Management are two of the first HANA high-performance applications that SAP has built that are native HANA applications, and as I said, with the early adoption of the HANA suite, by the GRC team, by the GRC application set, we have two of the first and most robust HANA applications. Fraud Management is designed for fraud investigation and detection teams within organizations, chief fraud investigators inside of organizations, to essentially detect and prevent fraud.
Combined along with our predictive analytics suite, including the KXEN analytics suite, gives fraud investigation and detection departments within companies a chance to root out fraud, identify patterns in data that may indicate a potential fraud that could go viral within an organization, and stop transactions right in the actual transaction systems before they become frauds.
Steve: I remember seeing that, Kevin. That was pretty impressive to me that you’ve taken it beyond just rapid detection of fraud to be able to tie back into the ERP system, and say ”There’s something strange going on here, let’s stop all activity related to this.”
Kevin: That’s the prevention piece. And then predictive takes it one step further to say, “Let’s extrapolate some of the patterns that we’ve discovered in the data.”
So at its core, Fraud Management is a data discovery tool and you can take some of the discoveries you’ve made and extrapolate them in predictive analysis in KXEN. So you can say that this is something, as we look out into the future, that we need to get in front of to prevent it from becoming a viral fraud inside our organization.
Now, Audit Management is built on the same platform, but it’s an application of a different class or category, if you will. When we looked around at the software market, first of all, we look at audit - your venerable profession - as really the last line of defense for protecting shareholders, the company, the customer, and employee value within a corporation. The auditors are the ones who are assuring, looking at, I think you used the term “independent assurance.” They’re safeguarding an organization and identifying whether the controls designed to mitigate risk in the organization are working. They’re your last line of defense.
But we found they were grossly underserved from an IT enablement perspective. We found that their process was IT enabled by a patchwork quilt of spreadsheets and point solutions. There was no end-to-end solution that not only managed the entire audit process from initial planning and inception, all the way through to findings, final reporting, and follow-up to ensure that action plans and issues were resolved.
So that’s the first charter of the solution. But we need to go beyond that, because one of the things that auditors spend too much time is just going through the process, gathering data, things like that.
So one of the biggest pieces of Audit Management is to give auditors the tools to gain insight that can help them become advisors to the business - not just the tattle-tales, but advisors to the business. Big data analytics tools -- we integrate Fraud Management right into the Audit Management solutions. So they can use big data analytics to identify insights and share those with the C-suite and the board to say, “These are things that can really have a material impact on our business, and we need to follow up on them.”
Steve: That’s pretty exciting for me. I mean, SAP’s been known for innovating around processes, and it’s nice to know that for myself, in the audit profession, we’ve now got some innovation for us.
I’ve got one last question for you before we go. From your perspective, you oversee the entire suite of GRC products, whether it’s things that have recently come out or things that are on the roadmap. What do you feel are the one or two things that are most exciting to you?
Kevin: Well, things that are most exciting to me are that each and every one of the GRC solutions is evolving in its own sphere and domain, still as part of an integrated GRC platform but evolving to meet the challenges and regulations. Access Control, one of the oldest and most venerable pieces of our suite, is evolving to handle the new challenges of identity access governance and identity governance and administration. These are areas where the spheres of identity management - who a person is, their attributes (nationality, political affiliations, all types of things that might be important in knowing who a person is) - are coming together with their IT access capabilities. And then you can tell, oh, maybe this person should or should not have certain access. So each one of our solutions is evolving, and the entire suite is evolving, and it’s been quite gratifying to watch it from inception. And it will continue to evolve.
Steve: Truly, truly looks like an integrated platform these days, with various components designed for different purposes but sharing knowledge and tied together.
Kevin: And the plan is just to communize and build that risk, control, and process library so they’re all working off a single view of the organization, managing risks with internal controls and tying it all together with a robust audit solution that can be your last line of defense. That’s our mission.
Steve: That’s great. Kevin, you’ve made a lot of progress in the last year, looking forward to catching up again next year.
Kevin: Thanks Steve, looking forward to it.