Enhancing Corporate Integrity Through GRC Tool
(Special Ref. To SAP GRC)


Tapas Bhattacharya
M.Com, FCMA, SAP Cert. FICO Consultant
Certified Information System Auditor (USA)


If you regularly follow business news and blogs, chances are you've seen increased occurrences of three little letters: GRC. Governance, risk, and compliance are nothing new. In fact, GRC seems as though the letters belong together and always have been grouped this way. Well, that's half right. They do belong together. These letters represent a critical business concept that is (or should be) on the minds of everyone responsible for leading and/or governing organizations in today's complex business arena. In an integrated and mature GRC program, an organization tries to align its business processes, information and technology architecture so that they provide visibility across risk and compliance domains. Compliance needs technology and information that provide a robust system of record of the state of compliance and of its documents, so that any changes made to the processes leave a complete audit trail. In the absence of an integrated approach to GRC information and technology, the organization runs a significant risk of failing to obtain, understand and use effectively the information about external and internal events; strategies, goals and objectives; requirements; performance; and conduct that enables effective governance, risk management, compliance and the operation of related controls.

In the current market scenario, there are many information technology vendors who offer GRC technology solutions. This paper attempts to find the relevance of GRC solutions in framing corporate ethical values and also discusses the highlights of GRC solutions with special reference to SAP GRC.

Key Words: GRC, Integrity, Ethics, Corporate silos, Access Control, Process Control, Information Technology, Compliance, Governance, Risk, SOX.


The question of ethics, or the right way to run a business, is inherent in all aspects of corporate governance and in every board decision and action. Ethical choices are relevant within the core business strategies that boards pursue and in the way they direct the business as a whole to achieve them. Corporate governance lies at the very heart of the way businesses are run. Often defined as 'the way businesses are directed and controlled', it concerns the work of the board as the body which bears ultimate responsibility for the business. Compliance means following external laws and regulations as well as internally adopted rules of behaviour (e.g. code of conduct, policies and procedures, industry standards, contracts, etc.). Ethics means acting according to the company's values (i.e. honesty, respect, diversity, accountability, etc.) even in the absence of external laws and internally adopted rules of behaviour. Compliance and ethics are closely related, and together they enhance the company's brand and reputation for trustworthiness with customers, employees, business partners, shareholders, insurers, bankers and the investing community, as well as with other stakeholders such as regulators and prosecutors.

Today's businesses face more regulations, a wider range of stakeholder expectations and more public scrutiny than ever before. Global opportunities and growth bring global corporate governance responsibilities. This requirement gave birth to GRC (Governance, Risk & Compliance) solutions. Governance, risk management and compliance (GRC) aims to eliminate corporate "silos" and to integrate organizational management, protection against fraud and theft, and regulatory adherence.

Picture 1: Why Compliance is Required

What is GRC:

GRC (governance, risk, and compliance) represents a critical business concept that is (or should be) on the minds of everyone responsible for leading and/or governing organizations in today's complex business arena.

According to the Open Compliance and Ethics Group (OCEG), GRC is a system of people, processes, and technology that enables an organization to accelerate risk-intelligent decisions, improve organizational agility, and reduce system costs.

Widespread interest in GRC was sparked by the SOX Act and the need for US listed companies to design and implement suitable governance controls for SOX compliance, but the focus of GRC has shifted towards adding business value through improving operational decision making and strategic planning. It therefore has relevance beyond the SOX world.

GRC is the umbrella term covering an organization's integrated approach to governance, risk and compliance. While interpreted differently in various organizations, GRC typically encompasses activities such as governance, enterprise risk management (ERM), internal controls, regulatory compliance and internal audit. GRC activities are increasingly being integrated and embedded into organizational structures, processes, systems and data structures in order to avoid redundancies, as well as to identify and close gaps. In other words, GRC acts as "assurance as a whole" for the entire organization.

Picture 2: Future Needs of Compliance

Why GRC:

The growing number and complexity of requirements, high expectations from stakeholders, and increased supervision and reporting demonstrate today more clearly than ever the central importance of corporate governance, risk management and compliance. Companies today are confronted with a growing risk of non-compliance as well as rising compliance costs. If this situation persists, companies will face higher recurring compliance costs coupled with limited involvement by those responsible for the affected business processes. This is likely to cause frustration in the organization and stifle innovation and growth in the business.

Hence companies face a significant challenge in meeting today's demands with regard to governance, risk management and compliance in an efficient and effective manner. Companies require an integrated strategic view of GRC, supported by a sustainable operating model, with the aims of:

* Optimal fulfillment of relevant stakeholders' requirements in a dynamic and complex business environment, thereby minimizing the risk of non-compliance;
* Ensuring the long-term effectiveness of GRC initiatives and reducing costs through increased efficiency;
* Exploiting synergy potential by reducing redundant efforts;
* Aligning the company's aims with the GRC objectives, so that compliance and risk management become integral, value-creating parts of the daily business.

Integrated GRC not only combines the business topics of governance, risk and compliance (and many more), but also different technologies such as business intelligence, real-time applications and ERP systems. In the overall picture of integrated GRC, a company's GRC strategy is linked to GRC-relevant processes controlled through information technology.

Using appropriate technologies therefore becomes a key success factor for the implementation of a truly holistic GRC management system. Effective technological support contributes not only to the sustainable design of GRC initiatives but also to leveraging the synergies that arise from integrating different initiatives. The technology used should support the design of the sustainability elements. Further benefits are achieved when GRC technologies and ERP systems work in an integrated fashion and are closely linked to each other. This allows comprehensive, company-wide, reliable and meaningful GRC monitoring and reporting.

Benefits of Integrated GRC:

For any enterprise-wide governance, risk and compliance management system to be effective, though, it must deliver a single, integrated management strategy across the whole organization, be in harmony with the organizational or business goals, and drill down into everyday business processes. In short, we are talking about GRC systems going beyond mere compliance and instead serving as a catalyst for enhancing overall business consistency, efficiency and accountability. This is in sharp contrast to the historic approach of multiple systems that do little more than mirror legal requirements.

The major benefits of an integrated GRC solution usually include quality information, process optimization, better capital allocation, improved effectiveness, reduced costs and a protected reputation.

Picture 3: The GRC Process

Role of SAP GRC as an Integrated System:

By following a unified approach to GRC with an integrated suite of applications, organizations can (i) predict and prevent risks, (ii) increase business performance, and (iii) drive increased competitive advantage.

SAP delivers integrated applications that leverage a common software platform and a central repository. When deployed together, these applications form a unified solution for GRC, and because all the applications are integrated, they can break down barriers to efficiency across different regulations and mandates. These applications reach into existing SAP or non-SAP applications to embed compliance functions across the enterprise and beyond, giving you the real-time visibility you need to ensure effective business operations and maximize competitive advantage. The SAP GRC solution portfolio, based on BusinessObjects, provides an enterprise-wide framework to integrate risk management and compliance activities while simultaneously providing functionality for continuous auditing and monitoring of financial, human resources, environmental, and trade management business processes.

Picture 4: GRC as an Integrated System

SAP GRC Solution Components:

Access Controls:

Control access across the enterprise reliably, prevent fraud, and minimize the time and money spent on compliance.

* Analysis of risks and remediation of access-related conflicts (SoD violations, etc.)
* User provisioning using automated functionalities in Access Controls
* Enterprise Role Management
* Track super user access and behavior

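The first two Access Controls bullets describe one analysis: derive each user's effective actions from the roles they hold, match them against a rule set of conflicting action pairs, report the violations (with the roles that cause them and any mitigating control that covers them), and run the same analysis on a proposed role assignment before it is provisioned. The Python below is an added example of that logic, not SAP GRC's own code or delivered ruleset; the roles, actions, risk ids (P001 and so on), users and the control id CTRL-42 are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) analysis over user/role assignments.

Added example, not SAP GRC's own code or ruleset: the roles, actions, rules,
users and control ids below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Roles and the business actions they grant (constructed sample data).
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment", "release_payment"},
    "HR_ADMIN": {"maintain_employee", "run_payroll"},
    "AUDITOR": {"view_ledger"},
}


@dataclass(frozen=True)
class SodRule:
    risk_id: str             # hypothetical risk identifier
    description: str
    actions: FrozenSet[str]  # actions that must not be held by one user together


# Constructed rule set; a real rule set is far larger and is owned by the compliance team.
RULES: List[SodRule] = [
    SodRule("P001", "Create vendor and approve payment", frozenset({"create_vendor", "approve_payment"})),
    SodRule("P002", "Enter invoice and release payment", frozenset({"enter_invoice", "release_payment"})),
    SodRule("H001", "Maintain employee master and run payroll", frozenset({"maintain_employee", "run_payroll"})),
]


@dataclass
class User:
    user_id: str
    roles: Set[str]
    # risk_id -> id of an approved mitigating control covering that risk for this user
    mitigating_controls: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Violation:
    user_id: str
    risk_id: str
    via_roles: Tuple[str, ...]   # the roles that together grant the conflicting actions
    mitigated_by: Optional[str]  # mitigating control id, or None if unmitigated


def action_sources(user: User, roles: Dict[str, Set[str]] = ROLES) -> Dict[str, Set[str]]:
    """Map each action the user can perform to the set of roles granting it."""
    sources: Dict[str, Set[str]] = {}
    for role in user.roles:
        for action in roles.get(role, set()):
            sources.setdefault(action, set()).add(role)
    return sources


def find_violations(users: List[User], rules: List[SodRule] = RULES,
                    roles: Dict[str, Set[str]] = ROLES) -> List[Violation]:
    """One Violation per (user, rule) where the user holds every action the rule forbids together."""
    found: List[Violation] = []
    for user in users:
        sources = action_sources(user, roles)
        for rule in rules:
            if rule.actions <= set(sources):
                via = sorted(set().union(*(sources[a] for a in rule.actions)))
                found.append(Violation(user.user_id, rule.risk_id, tuple(via),
                                       user.mitigating_controls.get(rule.risk_id)))
    return found


def unmitigated(violations: List[Violation]) -> List[Violation]:
    """Violations with no mitigating control; these need remediation (a role change) or a control."""
    return [v for v in violations if v.mitigated_by is None]


def simulate_assignment(user: User, new_role: str, rules: List[SodRule] = RULES,
                        roles: Dict[str, Set[str]] = ROLES) -> List[Violation]:
    """Risk analysis before provisioning: the violations that adding new_role would introduce."""
    before = {v.risk_id for v in find_violations([user], rules, roles)}
    candidate = User(user.user_id, user.roles | {new_role}, dict(user.mitigating_controls))
    return [v for v in find_violations([candidate], rules, roles) if v.risk_id not in before]


# Constructed users: U1 holds both AP roles; U3's HR conflict is covered by a control.
SAMPLE_USERS = [
    User("U1", {"AP_CLERK", "AP_MANAGER"}),
    User("U2", {"AP_CLERK", "AUDITOR"}),
    User("U3", {"HR_ADMIN"}, {"H001": "CTRL-42"}),
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_USERS):
        status = f"mitigated by {v.mitigated_by}" if v.mitigated_by else "UNMITIGATED"
        print(f"{v.user_id} {v.risk_id} via {','.join(v.via_roles)}: {status}")
    for v in simulate_assignment(SAMPLE_USERS[1], "AP_MANAGER"):
        print(f"provisioning AP_MANAGER to {v.user_id} would introduce {v.risk_id}")
```

Two design points carry over to any SoD tool: the analysis works on effective actions rather than role names, because two differently named roles can grant the same action, and a violation covered by a mitigating control is still reported, only flagged as mitigated, so the control's continued existence can be checked at the next review.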
Process Controls:

Achieve central compliance by performing key controls in all enterprise systems and enable control management of business processes.

* Document control environment by capturing process, controls, objectives and risk.
* Test automated controls, manual controls and perform assessments.
* Monitor exceptions and report issues.
* Certify and sign off controls.
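The Process Controls bullets (test automated controls, monitor exceptions, report issues, sign off) can be shown with one automated control test run over a transaction population. The Python below is an added example, not SAP GRC's own code: the control statement, its identifier C-AP-07, the 10,000 threshold and the payment records are all constructed for illustration. The hypothetical control is that every payment at or above the threshold must be approved by someone other than its creator, no later than its posting date; the test returns one issue per exception and a summary in the shape a sign-off needs.

```python
"""Automated control test with exception reporting.

Added example, not SAP GRC's own code: the control, its identifier, the
threshold and the payment records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CONTROL_ID = "C-AP-07"  # hypothetical control identifier
THRESHOLD = 10_000.00   # hypothetical approval threshold


@dataclass(frozen=True)
class Payment:
    doc_id: str
    amount: float
    created_by: str
    approved_by: Optional[str]
    approval_date: Optional[date]
    posting_date: date


@dataclass(frozen=True)
class Issue:
    control_id: str
    doc_id: str
    reason: str


def in_scope(payment: Payment) -> bool:
    """The control applies only to payments at or above the threshold."""
    return payment.amount >= THRESHOLD


def check_payment_approval(payments: List[Payment]) -> List[Issue]:
    """Return one Issue per in-scope payment that fails the control."""
    issues: List[Issue] = []
    for p in payments:
        if not in_scope(p):
            continue
        if p.approved_by is None or p.approval_date is None:
            issues.append(Issue(CONTROL_ID, p.doc_id, "no approval recorded"))
        elif p.approved_by == p.created_by:
            issues.append(Issue(CONTROL_ID, p.doc_id, "self-approved"))
        elif p.approval_date > p.posting_date:
            issues.append(Issue(CONTROL_ID, p.doc_id, "approved after posting"))
    return issues


def control_result(payments: List[Payment]) -> Dict[str, object]:
    """Summarise a test run: population tested, exceptions found, and whether the control held."""
    issues = check_payment_approval(payments)
    return {
        "control_id": CONTROL_ID,
        "population": sum(1 for p in payments if in_scope(p)),
        "exceptions": len(issues),
        "effective": len(issues) == 0,
        "issues": issues,
    }


# Constructed payment records (document numbers and user ids are made up).
SAMPLE_PAYMENTS = [
    Payment("5100001", 25_000.00, "jdoe", "msmith", date(2015, 1, 5), date(2015, 1, 6)),    # compliant
    Payment("5100002", 12_000.00, "jdoe", "jdoe", date(2015, 1, 7), date(2015, 1, 7)),      # self-approved
    Payment("5100003", 40_000.00, "akhan", None, None, date(2015, 1, 8)),                   # no approval
    Payment("5100004", 800.00, "akhan", None, None, date(2015, 1, 8)),                      # below threshold
    Payment("5100005", 15_000.00, "msmith", "jdoe", date(2015, 1, 12), date(2015, 1, 9)),   # approved late
]

if __name__ == "__main__":
    result = control_result(SAMPLE_PAYMENTS)
    print(f"{result['control_id']}: {result['exceptions']} exception(s) in "
          f"{result['population']} in-scope payment(s); effective={result['effective']}")
    for issue in result["issues"]:
        print(f"  {issue.doc_id}: {issue.reason}")
```

The population count matters as much as the exception count: a sign-off that states "zero exceptions" is only meaningful alongside how many records the test actually covered, and a run whose population is unexpectedly small is itself an issue to investigate.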

Risk Management:

Maximize corporate performance by balancing business opportunities with strategic, operational, financial, legal and compliance risks, and reduce market penalties arising from high-impact activities.

* Drive agreement on risk appetite, and thresholds
* Identify and assess all key risks across the enterprise
* Recommend resolution strategies for key risks
* Build proactive monitoring into existing business processes

Global Trade Services:

Deals with export/import compliance, customs e-filing and sanctioned-party list screening.

* Identify, manage and prioritize risk exposure across global supply chains
* Automate export license management and electronic customs communication

Latest Improvements in SAP GRC

The latest SAP GRC (version 10.0) platform combines and integrates existing GRC and business intelligence technologies. Although styled as version 10 of the SAP BusinessObjects GRC software, the release is an entirely new platform that pulls together the disparate GRC applications from SAP, says Jim Dunham, head of GRC for SAP. (Source: ComputerWeekly.com)

The most notable improvement to the SAP GRC offering is the integration of solutions. The three main GRC components now run on one unified platform, using SAP NetWeaver platform technology. The SAP NetWeaver technology platform easily integrates information and applications from virtually any source. Both front-end and back-end processes benefit from this integration.

Starting on the surface, users immediately experience the advantages of integrated GRC solutions. The unified platform supports a common look and feel across all GRC solutions. Users, especially those with previous experience in one of the GRC components, profit from the shared user-interface and workflow structure. The applications are easy to use in conjunction with one another.

Dive a bit deeper and the benefits of a single platform continue. There is now better data integration among the SAP GRC solutions. The three applications share master data, which allows for more accurate risk and control management as well as more reliable risk reporting.

Global Demand on GRC

It is getting harder and harder to ignore the pressure to implement governance, risk and compliance (GRC) processes and technology. The pressure is driven in part by changes in regulatory requirements, shareholders' expectations, and social demands to go green. Studies by McKinsey & Company have found that investors are willing to pay more for good governance: 14% more in the US and Western Europe, 25% more in Asia and Latin America, and 39% more in Eastern Europe and Africa. (Source: McKinsey & Company Global Opinion Investor Survey 2002)

The SAP GRC solution (based on BusinessObjects) is designed to help organizations make better decisions while simultaneously avoiding bad ones.


Risk managers and auditors face a serious challenge in that they lack real-time, unified visibility across the various business units. Traditionally they monitor risks and access controls via manual processes, such as surveys and spreadsheets sent on an annual or quarterly basis, to help them comply with and support specific regulations or corporate initiatives. But risk is not a static, predictable event. Companies today require an ongoing and automated way to identify risks, test controls continuously and quickly aggregate the data into a comprehensive, enterprise-wide picture. With the SAP GRC solutions, customers can enact continuous monitoring of business risks and internal controls. Customers' ability to make risk management an ongoing process will help to ensure fewer surprises and sounder business practices. For example, recent product recalls have cost companies both money and reputation. The SAP BusinessObjects GRC solution can help companies make sure the right controls are in place to help them identify and resolve product quality issues before they put both the public and the company at risk. The SAP GRC tool is now embedded with the SAP BusinessObjects business intelligence (BI) solutions, enabling greater transparency across customers' organizations and helping them to develop smarter, more risk-aware business strategies.

The enhancements to the SAP BusinessObjects GRC solution can also help customers to manage multiple compliance programs centrally, helping to save time and cut costs. Rather than manually tracking numerous initiatives one by one, SAP customers can manage various risk management and compliance programs at the same time in one environment. This centralized approach also helps make sure that controls are being used effectively across the company. For example, SOX, FCPA, HIPAA and Basel II regulations may require the same controls; now SAP customers can use the same controls and make sure they are deployed across the various initiatives.

References:

1. How to Implement an Integrated GRC Architecture. Check Point Software Technologies Ltd., 2011.
2. Why GRC and Why Now? SAP Insider, Special Report: Governance, Risk, and Compliance (Oct-Dec 2010 issue).
3. SAP Solutions for Governance, Risk and Compliance (Solution Overview). SAP AG, Germany.
4. White Paper: Governance, Risk Management and Compliance: Sustainability and Integration Supported by Technology. PricewaterhouseCoopers.
5. Foundations of GRC: Streamlining Compliance, by Michael Rasmussen. Corporate Integrity (www.Corporateintegrity.com).
6. A Solid Foundation for GRC. SAP AG.
7. Unlocking the Power of SAP's Governance, Risk and Compliance Technology. Insights on Governance, Risk and Compliance, March 2013. Ernst & Young.
8. www.computerweekly.com
9. GRC Risk Management 10.0 & Process Control 10.0, by Satyen Paneri. SAP Community Network.


Source: E-mail January 9, 2015
