Dormant for years, the best of breed (BOB) vs. ERP debate has rekindled now that enterprise resource planning vendors have awakened to the importance of beefing up their business suites with compliance and risk-management capabilities.
After letting stand-alone software vendors vie for customers in the first four years following the passage of the Sarbanes-Oxley Act, SAP, Oracle, Lawson, Microsoft, and other ERP vendors unveiled new controls monitoring, policy management, and process management functionality at different points within the past 18 months.
What do these new offerings mean for buyers? More confusion, initially, followed by some tough decisions. If finance executives make those technology investment decisions thoughtfully, they will strengthen their organization's governance, risk management, and compliance (GRC) capabilities while streamlining business processes.
Honeywell Aerospace did just that while providing a novel answer to the "BOB or ERP?" question: both. The largest business within the manufacturing giant currently uses GRC functionality within SAP and a stand-alone application from Approva to achieve three objectives, notes Karen Chirico, manager, financial center of excellence, Honeywell Aerospace:
• Identify segregation of duties (SOD) violations before and after a user gets access to the company's ERP system;
• Document which SOD violations have been remediated and what the remediation plan is; and
• Monitor and flag certain ERP system changes and sensitive transactions that have been executed by support personnel.
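The three objectives above are concrete enough to show in code. The block below is an added example written for this article; it is not Honeywell's, SAP's or Approva's code, and its rule set, roles, user names and audit-log lines are constructed for illustration (function names such as VENDOR_CREATE are hypothetical, not vendor transaction codes). It implements a preventive SOD check run before a role is granted, a detective check over existing access that records which conflicts already have a documented remediation, and a scan of constructed audit-log lines for sensitive functions executed by support accounts. The preventive check is the same idea Chirico describes later as stopping SOD violations before they occur.

```python
"""Segregation-of-duties (SoD) checks and support-activity monitoring.

Added example: the rules, roles, users and log lines below are constructed
for illustration and are not SAP GRC, Approva or Honeywell data. Function
names such as VENDOR_CREATE are hypothetical, not vendor transaction codes.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# An SoD rule is a pair of business functions one person must not hold
# together, mapped to the risk the conflict creates.
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"VENDOR_CREATE", "PAYMENT_APPROVE"}): "pay a fictitious vendor",
    frozenset({"JOURNAL_POST", "JOURNAL_APPROVE"}): "self-approve journal entries",
    frozenset({"USER_ADMIN", "PAYMENT_APPROVE"}): "grant oneself payment authority",
}

# Roles as bundles of business functions (constructed).
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"PAYMENT_APPROVE", "INVOICE_ENTER"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
    "CONTROLLER": {"JOURNAL_APPROVE"},
    "BASIS_SUPPORT": {"USER_ADMIN", "SYSTEM_CHANGE"},
}


@dataclass(frozen=True)
class Violation:
    user: str
    functions: FrozenSet[str]
    risk: str
    mitigated_by: Optional[str] = None  # id of the documented remediation or compensating control


def effective_functions(roles: Iterable[str]) -> Set[str]:
    """Union of the functions granted by a user's roles."""
    funcs: Set[str] = set()
    for role in roles:
        funcs |= ROLES[role]
    return funcs


def find_violations(user: str, roles: Iterable[str],
                    mitigations: Optional[Dict[Tuple[str, FrozenSet[str]], str]] = None
                    ) -> List[Violation]:
    """Detective check: every SoD rule the user's current access already breaks.
    `mitigations` maps (user, conflicting pair) to a remediation/control id."""
    mitigations = mitigations or {}
    funcs = effective_functions(roles)
    return [Violation(user, pair, risk, mitigations.get((user, pair)))
            for pair, risk in SOD_RULES.items() if pair <= funcs]


def preprovision_check(user: str, current_roles: Iterable[str], new_role: str) -> List[Violation]:
    """Preventive check: conflicts that granting `new_role` would newly create.
    Run this before the access request is approved, not after the access exists."""
    current = set(current_roles)
    before = {v.functions for v in find_violations(user, current)}
    return [v for v in find_violations(user, current | {new_role}) if v.functions not in before]


def open_violations(violations: Iterable[Violation]) -> List[Violation]:
    """Violations with no documented remediation: what an auditor still has to review."""
    return [v for v in violations if v.mitigated_by is None]


# Sensitive functions, and the support accounts whose use of them is flagged.
SENSITIVE: Set[str] = {"SYSTEM_CHANGE", "USER_ADMIN", "PAYMENT_APPROVE"}
SUPPORT_USERS: Set[str] = {"basis01", "basis02"}


def flag_support_activity(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse constructed 'timestamp user function' audit lines and return the
    sensitive executions performed by support personnel."""
    flagged: List[Tuple[str, str, str]] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the review
        ts, user, func = parts
        if user in SUPPORT_USERS and func in SENSITIVE:
            flagged.append((ts, user, func))
    return flagged


# Constructed audit-log sample (not real system output).
SAMPLE_LOG = [
    "2024-03-01T09:12:00 basis01 SYSTEM_CHANGE",
    "2024-03-01T09:15:00 alice INVOICE_ENTER",
    "2024-03-01T11:40:00 basis02 PAYMENT_APPROVE",
    "2024-03-01T12:05:00 basis01 JOURNAL_POST",
]

if __name__ == "__main__":
    # Preventive: would adding CONTROLLER to a GL accountant create a conflict?
    for v in preprovision_check("bob", {"GL_ACCOUNTANT"}, "CONTROLLER"):
        print("BLOCK request:", v.user, sorted(v.functions), "->", v.risk)
    # Detective: existing access, with one conflict already mitigated.
    mitigated = {("alice", frozenset({"VENDOR_CREATE", "PAYMENT_APPROVE"})): "CC-17"}
    found = find_violations("alice", {"AP_CLERK", "AP_MANAGER"}, mitigated)
    print("open violations for alice:", len(open_violations(found)))
    # Monitoring: sensitive functions run by support staff.
    for ts, user, func in flag_support_activity(SAMPLE_LOG):
        print("FLAG", ts, user, func)
```

The preventive check reports only conflicts that the requested role would introduce, so a user whose existing conflict is already documented is not re-flagged on every request; the detective check still lists that conflict, carrying the remediation id the auditor can follow. In practice the rule set is the part that needs business sign-off; the matching logic is the easy part.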
"Our auditors have been able to rely on the tools we implemented to reduce the amount of time spent reviewing SAP for SOX compliance," reports Chirico, who also is vice president of finance for the board of the Americas' SAP Users' Group (ASUG).
Before the ink dried on President Bush's signature on the Sarbanes-Oxley Act on July 30, 2002, a motley assortment of software and services firms -- including document management vendors, business process management vendors, business performance management vendors, policy management vendors, and even Big Four public accounting firms -- had started thrusting "compliance solutions" into the marketplace.
These applications ranged from gussied-up spreadsheets to fairly sophisticated, if ultimately incomplete, platforms. The unfinished quality of these platforms stemmed from a major challenge: No one -- including regulators, legislators, auditors, sellers, and buyers -- quite knew how to translate, comply with, audit, or enforce the far-reaching new rules.
As the SEC gradually clarified the new law's meaning, stand-alone compliance software vendors steadily massaged and improved their offerings. ERP vendors largely remained on the sideline during this time, partly because buyers were reluctant to use the same vendor to manage and monitor business processes that had contributed to the creation of financial statements.
In the first three years of Sarbanes-Oxley compliance efforts, "ERP compliance" mainly consisted of activating automated controls within the system. Once finance and internal audit teams flipped on the ERP system's internal control switches, they typically turned to a stand-alone compliance software vendor to support the bulk of their Sarbanes-Oxley compliance efforts. When SAP and Lawson first announced, in March 2006, their intentions to inject new compliance functionality into their ERP systems, buyers could for the first time look forward to an alternative to stand-alone compliance applications. Today, AMR Research Vice President and Research Fellow John Hagerty notes, there is much less reluctance to using the same software vendor to manage and monitor key business processes.
Yet, one major challenge remains in a ripe-for-consolidation application market that contains 400-plus vendors. "The problem is that GRC is a vaguely defined software category and business process area," says Hagerty, who has tracked compliance automation for many years. "I think that most people understand GRC more from a business process angle than they do from a software side. Everyone and their brother tries to throw something into this GRC category, and I don't think that there is a clearly defined schema of what GRC software really is."
Part of this problem represents a side effect of a beneficial realization: Compliance management processes and technology can extend far beyond Sarbanes-Oxley compliance. The "GRC platform," which "documents and communicates policies and controls, conducts risk and control assessments, manages investigations and events, and provides reporting and dash-boarding of GRC," is emerging as a "risk central nervous system" for the business, explains Michael Rasmussen, vice president and principal analyst for Forrester Research.
While Sarbanes-Oxley compliance remains the primary reason that companies invest in compliance applications, organizations increasingly seek to apply this technology to other compliance needs. Although 43 percent of 200 midsize to large U.S. manufacturing and services companies participating in a recent AMR Research survey identified Sarbanes-Oxley as the GRC mandate their compliance technology investment addressed, document and record retention requirements (33 percent), operational and general risk management (28 percent), security and privacy rules such as HIPAA (24 percent), environmental compliance (22 percent), and code of conduct requirements (20 percent) also represented common objectives. Because respondents could name more than one mandate, these findings indicate that many buyers intend to use compliance technology to support two or more GRC mandates.
To date, stand-alone compliance vendors have dominated the market: Rasmussen estimates that they account for 95 percent of compliance applications in use today. ERP customers using the new GRC functionality are relatively small in number and relatively quiet about their experience thus far (both Oracle and SAP had difficulty finding customers willing to speak for this article). That said, ERP vendors appear well positioned to change that.
"I firmly believe that SAP and Oracle are going to dominate this space in the next 18 to 24 months as they execute on their strategy," Rasmussen adds.
Scott Mitchell, chairman and CEO of the Open Compliance and Ethics Group (OCEG), agrees. He notes that the market for compliance platforms that help companies address numerous compliance mandates remains quite young. Based on OCEG research, Mitchell estimates that only about 25 percent of U.S. companies have automated portions of their Sarbanes-Oxley compliance. And the amount of automation in compliance areas outside of internal controls over financial reporting is "darn near zero," he asserts.
"Even companies that structure GRC in the most sophisticated manner don't automate a lot of these compliance areas," Mitchell explains. "Labor law is still primarily manual and labor intensive. Environmental health and safety is still primarily manual and labor intensive. … This is where the ERP vendors are saying, 'We deal with the big-picture implementation of technology, and if somebody is going to win this battle, it's us.' And they're certainly in a great position."
There are two primary areas of recent GRC enhancements in ERP systems. First, vendors have automated previously manual processes and "improved information management capabilities for systems of record, monitoring, and reporting for risk management and compliance purposes," explains Lee Dittmar, principal with Deloitte Consulting. He points out that ERP vendors have also made improvements or additions to the following GRC-related areas: controlling access to systems, managing segregation of duties, systems of record for risks and controls, controls program management, financial compliance reporting, customs and trade management, environmental monitoring and reporting, and industry-specific compliance solutions.
SAP, for example, offers GRC functionality that provides access controls (which help limit segregation of duties violations), business process controls monitoring, and global trade compliance monitoring. SAP also offers applications for environment, health, and safety compliance management as well as a risk-management tool that supports risk identification, risk analysis, risk response management, and continuous risk monitoring throughout the enterprise.
Oracle's GRC solutions focus on three similar capability sets: policy and process management, controls monitoring, and diagnostics and reporting. Like SAP, Oracle also offers applications that address specific mandates such as HIPAA, Basel II, anti-money laundering, and data privacy directives, as well as other industry-specific rules.
According to research analysts who track compliance automation, SAP's 10-month head start on Oracle in GRC functionality has paid dividends.
In his "Tale of Two GRC Strategies" report, Forrester's Rasmussen cites three areas in which SAP has fared well against its largest competitor: integrated process and access controls, integrated risk dashboards and corporate performance, and business-led GRC strategy (i.e., delivery of a broader variety of applications that resonate outside IT with business users). Rasmussen's report also describes Oracle's GRC strengths -- robust content management and business process management, deeper integration into the IT environment, and sharper financial services expertise -- before making an important point: "The Oracle-SAP rivalry is somewhat misplaced within the GRC market."
Why? Because neither vendor is using its new GRC capabilities to attempt to lure customers away from the other. Rather than an ERP vs. ERP confrontation, the battle for compliance software customers now shapes up as an ERP vs. BOB affair. This dynamic is evident in the language that the ERP vendors use to describe their common competitors. Stand-alone compliance software vendors, Oracle and SAP's marketing folks sneer, foist "disconnected," "fragmented," and "tactical" (as opposed to strategic) "point solutions" onto customers. To which stand-alone compliance vendors respond by pointing to satisfied customers and a track record of flexibility. "People tend to go to stand-alone products because they offer more features and flexibility and the vendors are much more willing to adapt to customer needs," says Rasmussen. Moreover, some of these tactical point solutions will soon enhance strategic GRC platforms, as SAP's purchase of Virsa and Oracle's acquisition of Stellent demonstrate.
The specter of much more consolidation and the relative immaturity of ERP GRC functionality leave compliance technology buyers in a tough spot during the next 12 months. For this reason, Dittmar advises finance executives to ask six questions at the onset of their compliance technology selection process:
• How can we more efficiently and effectively produce and manage GRC information?
• What does integrated GRC look like for my business?
• How can we enhance the security and integrity of critical systems and information?
• Where can risk and compliance management activities be automated?
• How can the capabilities in my current enterprise systems be better utilized?
• Where can technology enable truly proactive risk management?
Folia Grace, vice president of ERP applications marketing with Oracle, identifies two more considerations that finance executives should weigh: input on compliance needs from other corporate functions (IT, legal, HR, and risk management), and a clear understanding of the highest risk areas confronting the organization. "This," Grace adds, "will help to evaluate and prioritize which capabilities are most urgent for the company to leverage technology in."
Honeywell's Chirico agrees. "It's important to look at what functionality is required within your organization to meet business requirements or regulations," she explains. "The tool selection process is dependent on how well the selected tools meet these requirements and fit into your overall IT landscape. While it may be preferable to maintain a homogeneous environment, the choice to stay within the ERP system or utilize an application that integrates with the ERP system is dependent on four basic factors: ability to meet business requirements, ease of use, seamless integration, and total cost of ownership."
When Honeywell Aerospace evaluated the benefits of compliance applications from a functional perspective, "we looked at how well the tools would allow us to stop SOD violations before they occur, how well the tools are accepted by our auditors as a basis to reduce audit effort, and whether the tool will help to reduce the risk of loss of assets."
This analysis helped to settle one skirmish in the latest ERP vs. BOB battleground. And, as the company's integrated use of SAP's GRC functionality and Approva illustrates, there is definitely room for compromise.
GRC Automation Red Flags

As companies invest in technology to support expanding governance, risk management, and compliance (GRC) strategies, finance executives should steer clear of three common pitfalls:

Exclusionary buying: Failing to involve representatives from a sufficient number of functions in the selection process can lead to GRC technology purchases that neglect important needs. At a minimum, the finance, IT, legal, HR, risk, and internal audit functions should collaborate during the selection process. "The CFO may get separate budget requests for the same technology capabilities from different groups," notes Folia Grace, vice president of ERP applications marketing with Oracle. "Finance can build a stronger business case for GRC investment if they can show that the solutions can be leveraged across company domains."

Overvaluing compliance automation:

Ignoring the risk assessment: