If you are an enterprise resource planning (ERP) customer, you probably have heard the following sales pitch or one just like it in the past 24 months: "The disciplines of risk management, compliance, and security should not be separate. The way to approach these areas is to unify them. We say that not just from a technology perspective, but from a people perspective and a process perspective as well."
These lines come directly from SAP Senior Director, Governance, Risk, and Compliance Ranga Bodla. Bodla supports his pitch in an interesting way: by pointing inside his company to a governance, risk management, and compliance (GRC) program that SAP initiated in mid-2007.
SAP's software developers, as well as the company's sales, marketing, and consulting professionals, cull "preferred practices" from colleagues responsible for operating the company's internal GRC program. "We take what [our GRC colleagues] teach us and we incorporate that into our products and services," Bodla adds. "We have what I believe is a fairly well-established set of processes."
This approach, as the following rundown of SAP's GRC program illustrates, includes:
Like most large, global companies, Germany-based SAP AG's risk management and compliance capabilities existed before its formal GRC program began two years ago.
Previously, managers responsible for these areas reported to their local chain of command and maintained a dotted-line relationship with the corporate risk management and compliance functions. Local compliance and risk-management staff, for example, conducted Sarbanes-Oxley compliance with direction from the global risk and compliance function but did not report to it.
Today, GRC staffers remain scattered throughout SAP's numerous locations, but they all report to Senior Vice President Miriam Kraus, who heads the company's global GRC organization at corporate headquarters. Kraus reports to Werner Brandt, who as CFO and a member of the executive board of SAP AG is the company's highest-ranking finance executive.
SAP's global GRC program consists of three components:
All 105 GRC employees in the company execute their responsibilities according to this structure. In larger geographic areas, each GRC component (risk management, compliance, and security) is managed by a different executive. In smaller geographies, a single GRC executive or manager may wear more than one hat.
The purpose of the structure, notes Bob Tizio, governance, risk, and compliance officer for SAP Americas, is to bring greater effectiveness and efficiency to GRC processes. The structure helps cultivate efficiency by making it easier to identify and disseminate "preferred practices" throughout SAP's global locations.
"We basically brought together everyone around the globe who does risk management, [compliance] and security," says Tizio, "so that we could have a consistent vision and strategy -- and the same methodologies, tools, and best practices -- that cascade through the entire organization. ... Although we didn't have the formal, centralized GRC program from 2002 through 2007 that we have now, there were a lot of very good practices taking place during that time. This structure helps us share our practices much more easily."
The structure also cultivates greater effectiveness via more intense collaboration with GRC counterparts in the business.
Tizio and his counterparts in other regions of the world report directly into the global GRC function, but they "work very closely with the local teams, the local business people in our respective areas," Tizio notes.
Those local business people include colleagues in software development, sales, consulting, and other operational areas. For example, part of Tizio's team in the U.S. works closely with business counterparts to identify risks associated with sizable investments and initiatives and then develop mitigation plans that address those risks.
During the development of those mitigation plans, SAP's GRC team can also help business colleagues identify opportunities.
"We can help uncover trends about a particular product or an industry earlier than we did before," Tizio explains when asked to identify the benefits of the new GRC structure. "That allows us to put the right resources in place to make sure we can take advantage of those opportunities."
By providing greater clarity into risks, GRC staffers help the business make better decisions about the volume (and timing) of resources allocated to specific business initiatives.
Tizio also points to two other benefits. First, he reports that the company was "able to derive a significant discount off of our professional liability insurance premiums" as a direct result of having a "more robust" set of risk management processes in place.
Second, he says that the new structure has brought much greater consistency and standardization to GRC job profiles. That means that the company feels more confident that it is "hiring the right skill set for our GRC functions," Tizio adds. "I think it has helped us upgrade the level of [GRC] talent in our organization."
What are the specifications within those profiles?
Gray hair might be one.
"You want to make sure that you get the right level of experience and the right level of skill set so that the GRC people -- particularly those in the field and in the product support area and development area -- can really talk to business people," Tizio notes. "You don't want to have what I'll describe as 'very junior people' trying to do this function."
More specifically, Tizio says he seeks out excellent verbal and written communications skills. "Often, you need to have the dialogue on risk not only with one person, but with many people sitting around a table discussing these issues."
He also likes to seed his teams with at least one seasoned expert in the business area that the team supports. "So, if you're a risk manager supporting the software development group, it would be nice to have some experience with software development," adds Tizio, whose direct reports include a former consulting manager, a former project manager, and a former purchasing manager.
But it is Tizio's current external-facing business partner who best sums up the software company's approach to GRC.
"I think the biggest thing here," Bodla asserts, "is that we try to practice what we preach."
SAP AG started moving to a globally centralized governance, risk management, and compliance (GRC) program in mid-2007. Bob Tizio, governance, risk, and compliance officer for SAP Americas, identifies three high-level keys to success: