SAP's GRC Program: Practicing What They Preach
September 16, 2009
If you are an enterprise resource planning (ERP) customer, you probably have heard the following sales pitch or one just like it in the past 24 months: "The disciplines of risk management, compliance, and security should not be separate. The way to approach these areas is to unify them. We say that not just from a technology perspective, but from a people perspective and a process perspective as well."
These lines come directly from SAP Senior Director, Governance, Risk, and Compliance Ranga Bodla. Bodla supports his pitch in an interesting way: by pointing inside his company to a governance, risk management, and compliance (GRC) program that SAP initiated in mid-2007.
SAP's software developers, as well as the company's sales, marketing, and consulting professionals, cull "preferred practices" from colleagues responsible for operating the company's internal GRC program. "We take what [our GRC colleagues] teach us and we incorporate that into our products and services," Bodla adds. "We have what I believe is a fairly well-established set of processes."
This approach, as the following rundown of SAP's GRC program illustrates, includes:
- A unique grouping of GRC areas;
- A structure that A) stimulates the sharing of preferred practices throughout the global organization; and B) delivers talent management benefits; and
- A staffing approach that leverages an organizational culture in which amassing experience in several different areas of the company is valued and encouraged.
Origins and Structure
Like most large, global companies, Germany-based SAP AG's risk management and compliance capabilities existed before its formal GRC program began two years ago.
Previously, managers responsible for these areas reported to their local chain of command and maintained a dotted-line relationship with the corporate risk management and compliance functions. Local compliance and risk-management staff, for example, conducted Sarbanes-Oxley compliance with direction from the global risk and compliance function but did not report to it.
Today, GRC staffers remain scattered throughout SAP's numerous locations, but they all report to Senior Vice President Miriam Kraus, who heads the company's global GRC organization at corporate headquarters. Kraus reports to Werner Brandt, who as CFO and a member of the executive board of SAP AG is the company's highest-ranking finance executive.
SAP's global GRC program consists of three components:
- Risk management;
- Compliance (including Sarbanes-Oxley); and
- Strategic security (including business continuity planning, crisis management, and information security).
All 105 GRC employees in the company execute their responsibilities according to this structure. In larger geographic areas, each GRC component (risk management, compliance, and security) is managed by a different executive. In smaller geographies, a single GRC executive or manager may wear more than one hat.
Preferred Practices
The purpose of the structure, notes Bob Tizio, governance, risk, and compliance officer for SAP Americas, is to bring greater effectiveness and efficiency to GRC processes. The structure helps cultivate efficiency by making it easier to identify and disseminate "preferred practices" throughout SAP's global locations.
"We basically brought together everyone around the globe who does risk management, [compliance] and security," says Tizio, "so that we could have a consistent vision and strategy -- and the same methodologies, tools, and best practices -- that cascade through the entire organization. ... Although we didn't have the formal, centralized GRC program from 2002 through 2007 that we have now, there were a lot of very good practices taking place during that time. This structure helps us share our practices much more easily."
The structure also cultivates greater effectiveness via more intense collaboration with GRC counterparts in the business.
Tizio and his counterparts in other regions of the world report directly into the global GRC function, but they "work very closely with the local teams, the local business people in our respective areas," Tizio notes.
Those local business people include colleagues in software development, sales, consulting, and other operational areas. For example, part of Tizio's team in the U.S. works closely with business counterparts to identify risks associated with sizable investments and initiatives and then develop mitigation plans that address those risks.