SAP Announces GRC Products, Partner Council

As the market for governance, regulation, and compliance tools heats up, SAP stakes its position on industry-specific applications enabled by its partner network.


Posted on Mar 15, 2007

Enterprise software stalwart SAP this week made a series of announcements that further the company's efforts to build out its portfolio of governance, risk, and compliance products. In the wake of GRC2007, an annual conference held this week for users of governance, risk, and compliance (GRC) products, SAP announced an Executive Advisory Council for its GRC group that is aimed at strengthening the company's partnerships for GRC applications and tapping into customer feedback on new products. The company also revealed a new application for chemicals companies tasked with meeting the documentation standards of the European Registration, Evaluation, and Authorization of Chemicals (REACH) mandate, as well as new software that facilitates electronic customs filing and management for companies operating in European countries.

For manufacturers that must comply with the European Union's eCustoms Initiative, SAP throughout the coming year will release its Automated Export System — which it said can be deployed as a stand-alone application or as part of the SAP GRC Global Trade Services product — in country-specific versions. The software will help companies meet the recently updated standards for electronic customs filings.

For chemicals companies that must observe the newly enacted REACH standards, SAP will add relevant management capabilities to its existing Environment, Health & Safety applications, which the company said are in use at 1,000 companies. The initial REACH-based functionality, which will be available to existing customers as part of the normal maintenance cycle, will allow companies to track the substance volume of the specific chemicals they sell. SAP tapped the industry expertise of partner company TechniData, which has been developing various compliance applications since 1985. TechniData, in fact, is one of the first partners SAP identified as a member of its new Executive Advisory Council for GRC.

The council complements SAP's strategy of leveraging the expertise of partner companies in developing GRC applications for specific verticals, according to Amit Chatterjee, senior vice president of SAP's GRC business unit. "We want to be able to provide a framework, and then we want to be able to have the partner be able to deliver the content value around being able to, for example, manage environmental health and safety for customers," he told Managing Automation. "This allows us to cover a broader swath of industries and regions more effectively than if we were to do it alone." In addition to TechniData, early participants in the GRC council include SAP customers Adobe Systems Inc. and Chevron Corp. and partners Cisco, Deloitte, and Protiviti.

As SAP hones its focus, the feeding frenzy in the GRC market grows, with bigger vendors such as SAP and Oracle Corp. jostling for position in what is a relatively new software arena. In 2002, the holistic idea of a governance, risk, and compliance suite came into full view with the passage of the Sarbanes-Oxley Act (SOX), which gave public companies a slew of mandates to follow that, in most cases, were best managed through software. Indeed, AMR Research found that since 2005, companies have spent $6 billion annually to assure their compliance with SOX. And yet, as SAP's recent announcements attest, the market for GRC encompasses more than SOX compliance. AMR notes that the $6 billion spent yearly on SOX compliance represents only about 20% of the approximately $30 billion that companies devote to compliance, which includes not only software purchases but personnel costs, service expenditures, and other resources.

"I don't think there's any value in us saying 'Hey, stay out of jail,'" Chatterjee said in explaining SAP's focus on initiatives that include more than just SOX. Small companies are not immune to the ill effects of poor oversight, either, according to Chatterjee. "If I don't create transparency in my business around where I have risks — but more importantly where I have a control fail point — if I'm a small business, I go out of business."

If the European eCustoms Initiative and counterparts such as the U.S. Customs Automated Export System are any indication, companies everywhere, and of all sizes, will need to give compliance initiatives their attention. As regional economies become more interdependent and transport of goods across borders becomes more prevalent, the number of customs, environmental, and other regulations that manufacturers encounter will likely multiply. Manufacturers already must contend with a sometimes dizzying array of regulations, from EVL (End of Vehicle Life directive) to the European-based RoHS (Restriction on use of Hazardous Substances) and WEEE (Waste Electrical and Electronic Equipment).

It took Sarbanes-Oxley, however, to make GRC software a must-have product for many companies. GRC software specialist LogicalApps, for instance, which was founded in 2000, in its short history has amassed a broad list of customers across verticals such as aerospace and defense, manufacturing and distribution, high tech, and life sciences. Just last month, the best-of-breed provider, which makes GRC products designed to be integrated with enterprise systems such as those from Oracle, improved its configuration management, access controls, and transaction monitoring capabilities by acquiring Applimation Inc.'s Integra product line.

SAP vaulted itself into a strong position in GRC with its April 2006 acquisition of Virsa Systems Inc. SAP also announced a partnership with Cisco in September that is aimed at converging business and IT controls into one integrated GRC platform. Meanwhile, Oracle has improved its lot with applications it gained from its buyout of Stellent in November 2006. Earlier this month, Oracle announced a new Governance, Risk, and Compliance Application Suite that features new functionality made possible by the Stellent deal. IBM Corp. is a player as well, and has benefited from its December 2006 purchase of privately held risk management firm Consul Risk Management, Inc., which added capabilities to its IT monitoring offerings. In a research note following the LogicalApps development, AMR Research Vice President and fellow John Hagerty noted, "With so much money being spent on so many programs, it is inevitable that consolidation among GRC market participants is again picking up steam."
