SAP’s GRC suite, which is built on software acquired from Virsa Systems in April 2006, gives companies a handle on user access controls and authorization policies for compliance purposes.

GRC relates to the planning, implementation, monitoring and analysis of internal controls for business operations to ensure compliance with regulations like Sarbanes-Oxley and Basel II.

The Waldorf-based company said it gleaned best practices from customer and partner implementations across several industries.

The best practices comprise out-of-the-box templates for processes and scenarios, preconfigured settings, methodologies, support, and documentation. Most relate to the GRC Access Control component of SAP’s GRC suite, which maintains compliance with international financial reporting and risk management regulatory mandates.

The best practices templates and other components can be downloaded free of charge by SAP customers.

The other applications in SAP’s GRC suite include GRC Repository, GRC Process Control, and GRC Risk Management, which are jointly marketed with Cisco Systems and are now under the auspices of a dedicated GRC business unit set up in May 2006.

In March this year SAP created an advisory council to increase GRC collaboration with other partners like Deloitte, Protiviti, and VitalSpring. SAP has regrouped its other compliance-related products, such as Global Trade Service and Risk Terminator, under the GRC banner. It also plans to release industry-specific GRC products later this year.

SAP now has 2,200 GRC customers and wants them to think of GRC in strategic terms and as part of an integrated compliance-focused suite of products that also pulls in its ERP financials and strategic performance-management applications.

According to AMR Research, the GRC software and service market is expected to grow to $30bn by the end of this year, a 9% CAGR increase.

Our View

Best practices could well be the differentiating factor in a GRC market awash with plenty of software. Oracle and SAP have been busy this year rounding out their GRC platforms, in what looks set to be the next big battleground between the two software giants for dominance of the enterprise business applications market.

This year alone Oracle has added banking-specific GRC applications, a new audit-management vault, and BI and content management to its GRC suite. It also formed a GRC Strategy Council, which lets customers provide feedback on its GRC product roadmap. SAP, meanwhile, has not been standing still. After acquiring Virsa and setting up a dedicated GRC division last year, the company also acquired operational strategy management firm Pilot Software to boost its performance management credentials.

Business intelligence and performance management vendors are also starting to take GRC seriously. The convergence of performance analytics and GRC has been happening for some time now, as a way to achieve faster and sustainable financial consolidation, reporting and compliance in a single platform. Cartesis, now part of Business Objects, has integrated GRC capabilities into its financial performance management system.

Since the technical boundaries of what constitutes a GRC investment are often blurred – GRC applies to a wide range of software products including document, email and records management, process management, workflow automation, archiving, business rules, BI and analytics – expect more acquisitions under the GRC banner. But providing methodologies and processes for tying together these various systems could well be the clinching factor for success. In that respect SAP is on the right track.