Increasingly, organisations are having to take serious measures around Governance, Risk Management and Compliance (GRC): after all, the stakes, risks and rewards (or punishments) of doing business seem to get more serious every year. In this light, SAP’s launch of its next-generation GRC software could be very well timed (http://www.computerweekly.com/Articles/2011/03/23/246027/SAP-combines-GRC-and-BI-in-new-platform.htm).
GRC as it stands is still far from a smooth process. Misunderstandings and frustrations are rife, with some organisations still seeing such rules as simply a means to stifle their operations. Indeed, research last year suggested that UK enterprises suffer 510 person-hours a year in lost productivity thanks to ineffective or inefficient GRC controls (http://boardroom.cbronline.com/news/poor-grc-initiatives-cost-revenue-stifle-innovation-survey-291110). Yet the risks of not following these regulations are greater. Beyond the fines and loss of reputation that can result, there is also the increased risk to security and the business that comes from not having adequate control.
With this in mind, perhaps one significant claim of SAP’s next-generation GRC is its apparent ease of use: by unifying GRC capabilities and maximising visibility in one place, organisations should begin to see GRC as much less of a chore. At the same time, it will free up their time for other, related activities such as educating employees. Considering that last year’s research also showed that in 69% of enterprises, workers will temporarily share their IT logins and passwords with co-workers without approval, there still seems to be some way to go.
The next-generation GRC software isn’t a magic bullet that will automatically solve GRC issues for SAP users, but it should help. As always, though, it is important that workforces are trained to reduce risks, that organisations aren’t leaving huge vulnerabilities in their processes, and that IT teams aren’t simply attempting to paper over any cracks.