
Governance, Risk and Compliance: Realizing the Value

By: SAP
Published: Jan 11, 2008
Length: 16
Type: White Paper
Overview :
Explore current thinking about how technology can support governance, risk, and compliance initiatives. While several approaches are available, a single cross-enterprise solution can support a cohesive strategy for monitoring, identifying, and managing risk -- and simplify the process.
Governance, risk, and compliance (GRC) issues are hot topics today, thanks to a myriad of high-profile stories about companies that failed to meet regulatory requirements governing finance, environmental compliance, and other areas. In each case, executives have been held accountable, stock prices have dropped, and brand image has suffered. GRC issues are also a top priority because business leaders increasingly understand that seemingly small operational control weaknesses can significantly impair corporate performance. These obstacles might range from a supplier inventory shortage that impacts revenue, to a faulty or counterfeit product that erodes brand and increases costs, to a leakage of confidential data that damages reputation and creates a compliance liability.
Many companies have responded to regulatory mandates by implementing disconnected, tactical processes and point solutions that address a single regulation or corporate initiative. But these fragmented efforts can make compliance far more costly and complicated than it needs to be. You would need to purchase and deploy multiple GRC applications for each enterprise application and then define risks, set policies, and monitor compliance for each application. At the same time, you need to find a way to manage countless GRC policies, decisions, and GRC data – data that is likely based on different metrics, standards, software, and methodologies. The resulting complexity can make it impossible to aggregate this data to gain a complete view of enterprise risk.
SAP offers a new approach for monitoring, identifying, and managing risk across the enterprise. A true cross-enterprise GRC solution dramatically simplifies management and execution of these activities – making it easy to compile data for a comprehensive perspective on overall exposure, monitor compliance and risk effectively, and adjust business processes to meet changing business and regulatory mandates.
This paper explains SAP’s vision for a cross-enterprise GRC solution and the benefits it can provide, defines key terms, and discusses what to look for when evaluating GRC software options. It also discusses how SAP is evolving the SAP® solutions for governance, risk, and compliance (SAP solutions for GRC) to deliver the industry’s first comprehensive, fully integrated cross-enterprise GRC solution.
Issues related to management of GRC have become top boardroom priorities, thanks to highly publicized corporate scandals and the release of a myriad of regulatory mandates designed to prevent everything from fraud to environmental damage. Most likely, you are keenly aware of the potential costs of noncompliance today. In addition to facing possible fines, your business could face the cost of litigation and remediation, as well as confronting negative impacts on brand, reputation, and market valuation. Equally important, executives at the top can be held personally responsible for compliance failures.
Many companies have responded to regulatory mandates with a series of disconnected, tactical, one-off projects to respond to a single regulation or corporate initiative. Your business may deploy multiple point solutions to address process control risks within a core financial application, for example. However, while fragmented GRC activities may be the status quo, they are likely costing your business more than you think and more than is necessary. AMR Research reports that compliance spending will reach US$27.3 billion in 2006.
Of even greater significance is the fact that fragmented GRC efforts make it impossible to implement a cohesive GRC strategy for monitoring, identifying, and managing risk across the enterprise. This fragmentation – when replicated many times across different business applications and business functions – creates a GRC management nightmare. For each business process or application, you may have one or more different applications to manage it. And for each process and each application, business and IT departments need to define risks, set policies, monitor compliance, manage attestations, address escalations and mitigations, generate reports, and more. Complicating matters further is the fact that departments responsible for different GRC initiatives may use different metrics, standards, software, and methodologies for analyzing risk and compliance information. This makes it difficult to aggregate data, gain a complete view of enterprise risk, effectively monitor compliance and risk, and adjust business processes to meet changing requirements, market trends, and regulatory mandates.
Clearly, fragmented approaches to GRC represent a massive – and costly – duplication of effort that impairs transparency and increases opportunities for issues or weaknesses to fall through the cracks until identified by a regulatory body.