SAP's acquisition of Virsa Systems last spring got a lot of attention, mostly due to the fact that prospective partners everywhere saw the deal as a green light to get in bed with SAP and end up, like Virsa, tying the knot.

What is now evident is that the Virsa acquisition was really the beginning of a massive push into what SAP is calling the governance, risk, and compliance (GRC) market. That market, where Virsa was an early pioneer, is about a lot more than just Sarbanes-Oxley compliance.

GRC is about the enterprise-wide problem of making sure that your business practices, partnerships, products, supplies, inventory evaluations, bills of materials, and just about everything else in your company are made or processed or performed in the lowest-risk, most compliance-centric way possible.

Sounds like a handful, but GRC best practices and applications don't have to be implemented in a big-bang manner. And the return on investment for new GRC processes should, in most cases (and in direct contravention to the norm with Sarbanes-Oxley and its ilk), actually be positive. In some cases, very positive.

One good start in understanding the value of GRC comes from looking at New Momentum, an early-stage company that is taking GRC to the high-tech and electronics manufacturing industries. New Momentum's GRC application assembles a massive quantity of market data -- using Web sites, broker lists, offers to buy, offers to sell, etc. -- about the price and availability of electronic parts from sources around the world, and creates a database that can then be used for some pretty sophisticated GRC functions.

This dataset can evaluate your company's excess parts inventory and even sell off some of it on the spot market. It can be used to check the provenance of a broker's offer for some constrained parts and to make sure you're buying parts that aren't counterfeit and do comply with environmental regulations, for instance.

In each case, the result is not only a better-run company, but a potentially more profitable one, as well. Selling inventory you would otherwise junk at least lowers your costs, and avoiding regulatory sanction by buying the right parts and tracking down counterfeiters avoids even further unwanted expenses. Meanwhile, your GRC-savvy company can do a better job of meeting customer demand, keeping its partners happy, and making sure its investment in its brand and intellectual property is safe and sound.

This model in many ways fits SAP's early GRC partners (which range in size from Cisco to New Momentum): Find some issue that already exists in the enterprise that is "leaking" risk -- financial, regulatory, product- or customer-related -- and plug that leak with some software and best practices. SAP's goal is to use Virsa as its GRC platform and house in that platform a GRC repository that can be accessed across the enterprise and used by everyone from the worker bee on the shop floor to the CEO.

The good news for real-world customers -- and the reason I believe GRC will be a major hit -- is that for the most part everyone is already doing it. They're just not doing it well, efficiently, or enough. And unlike Sarbanes-Oxley and other financial sinkholes, successful GRC activities will have a positive impact on the bottom line.