We’re nearing the second anniversary of SAP’s purchase of Virsa and its serious entry into the GRC space. Last week, SAP made a series of announcements about its GRC products, which now extend beyond industry apps and the SOD/access control arena to other areas of GRC. Business Finance has a new GRC blog and covered SAP’s announcements. John Cummings notes that "the sheer scope of GRC offerings from SAP and other enterprise software providers is impressive, and point-solution vendors will need all of their agility to respond."
Certainly, we wouldn’t argue with that statement, but we would say that one of the most important parts of a GRC solution is how it fits into the rest of the system. While SAP (and maybe Oracle) might be able to make the argument that you should be single-threaded on SAP, the rest of us cannot, so we have to play nice in the sandbox and 1) fit into the existing (heterogeneous) environment and 2) work across silos. This latter point is critical because what the enterprise GRC platform vendors are delivering is a way to see risk across the organization. When SAP demonstrates its risk management application, it focuses on controls associated with a sales process; that’s a very different solution: tightly integrated top to bottom, but not very good at crossing silos. And, as I blogged earlier in the week, the real value in risk management comes from relating risks to one another at the top of the business. Of course, we’re not an ERP vendor, but you have to wonder if you want the fox guarding the hen house.