The governance, risk, and compliance (GRC) software category has come a long way since its birth back in the days of Sarbanes-Oxley check sheets. Now hundreds of small vendors crowd the space, offering solutions that cover everything from enterprise risk management to health and safety regulatory compliance.
As the sector matures, though, these players are feeling increased competitive heat from giant ERP software providers like Walldorf, Germany-based SAP. "We feel that today we're very much in a recognized market," says Narina Sippy, senior vice president and general manager, GRC, for SAP. "Everyone has a slightly different definition and boundaries for it, and it's still evolving, but we're seeing recognition that this is a significant category that companies are focused on."
SAP is very much focused on it, too. The company unveiled a slew of upgrades to its GRC portfolio this week at the GRC 2008 conference in Orlando, Fla.
SAP's GRC Risk Management module now ties in to Strategy Management, part of its enterprise performance management suite. "You would set up within Strategy Management your key initiatives, your strategic objectives, and your KPIs, which of course then would cascade down the organization," says Sippy. "With the new integration to our enterprise risk management application, you're now able to tie in key risks; you can do risk profiling, determine your risk appetite, and track against key risk indicators."
The GRC Process Control product gets some enhancements that originate in part from SAP's 2006 purchase of Virsa Systems, a continuous controls monitoring software firm. "We took some of the good thinking in their prototypes and looked at capabilities within SAP and married the best of both worlds," says Sippy. The new release combines functionality for manual testing of financial controls with continuous control automation.
New features in GRC Access Control include the ability to automatically detect conflicting roles and security authorizations as well as integration with the leading identity management vendors, according to Sippy.
In addition, SAP has expanded the capabilities of its GRC Global Trade Services application to help users manage country-specific customs processes, especially electronic processes. "We're seeing a host of new regulations in the EU -- Germany, in particular -- and Brazil pushing this trend toward electronic customs declarations," Sippy reports.
The sheer scope of GRC offerings from SAP and other enterprise software providers is impressive, and point-solution vendors will need all of their agility to respond. Best-of-breed firms "are trying to figure out how to differentiate themselves from the likes of SAP and Oracle rather than just fall in line behind them," says John Hagerty, vice president and research fellow with AMR Research in Boston. Some are exploring particular verticals, such as life sciences, financial services, and manufacturing. Others are focusing on IT compliance and risk mitigation.
"One of the concerns they have is that a lot of them started off as being Sarbanes-Oxley oriented," Hagerty adds. "I don't want to say that Sarbanes-Oxley has run its course, because it hasn't, but people have already put a lot of the fundamentals in place. There isn't necessarily that much buying any more specifically around one initiative like SOX, so these firms have had to think about what life after Sarbanes is going to look like."
Industry observers have noted that the market looks ripe for consolidation, and some signs point in that direction. In February, Dublin-based financial governance software firm Trintech Group Plc announced plans to acquire Movaris, an early entrant in the GRC space.
But according to Hagerty, the deal is not so much a response to market dynamics as it is a natural outgrowth of both firms' focus on the largely ad-hoc processes between the formal accounting close and external financial disclosure. "The Trintech-Movaris partnership to me is a case of saying, 'This is a process area that we both participate in, but we only provided part of the story. Let's now come together and provide the same story,' " he says.
There's no question, though, that a lot more GRC providers will need to tweak -- or rewrite -- their stories as they adjust to the looming presence of the ERP giants in their market.