That's the promise, says SAP, but the supporting technology has to help with the consistency and automation part. That's the idea behind version 10 of SAP BusinessObjects GRC software, a major platform release announced on Wednesday.
The new GRC release is touted as a consistent platform comprising four distinct products: Access Control, Risk Management, Process Control and Global Trade Services. SAP has been working for three years to get all of these modules onto the same code base and a parallel development path. The Risk Management and Process Control modules were the first to be unified in a 2009 release. But in version 10, all four products have a consistent look and feel and follow standard SAP development and deployment approaches.
Consistency and a common look and feel will deliver big gains in productivity from a management, training and usability perspective, SAP said. In terms of development and deployment, the entire suite is now a single install, but you can still purchase the modules individually. New modules are unlocked and exposed through a simple matter of licensing rather than separate installation. All modules share the same components, data model and access to SAP services. And as organizations identify risks and create and customize mitigating controls, they are immediately shared across all modules.
The biggest change with version 10 is in the Access Control module, a popular product that was previously written in Java. Now that Access Control is built on the standard NetWeaver stack, SAP developers can use familiar ABAP (Advanced Business Application Programming) capabilities.
"In version 10 if you need to do an upgrade or patch on Access Control, you don't have to reinstall the application; it's a non-disruptive upgrade that can be handled in minutes rather than hours or days," said Jim Dunham, group vice president, GRC Solutions, SAP.
Upgrades to core compliance capabilities include new embedded business intelligence capabilities, better support for vertical industry and line-of-business content, an industry-standard "bow-tie" visualization capability for risks, and finer granularity for security controls.
The new embedded BI functionality includes practitioner and manager dashboards and reporting capabilities drawn from the recent SAP BusinessObjects 4.0 release. Coupled with the data-sharing capabilities of the new platform, the BI capabilities are said to include more powerful analytics. When identifying risks around a new-product introduction, for instance, users can model risks such as supplier problems, IT project delays and international licensing disputes as well as mitigation strategies to predict outcomes and make more risk-aware decisions.
"Sourcing, IT and trade-related problems can make or break a new-product introduction, and that's rich information that can now be analyzed from your compliance initiatives and your risk-management infrastructure," Dunham said.
A new Content Lifecycle Manager introduced in version 10 is said to make it easier to import new regulations and supporting industry and line-of-business content into the compliance environment. These efforts previously required work on the part of systems integrators, but the lifecycle manager imports and applies version controls to compliance content from SAP partners such as Deloitte, PricewaterhouseCoopers, Ernst & Young and others. When you move to a new release or an upgrade of SAP Business Suite, the Lifecycle Manager migrates all your mappings of risks, KPIs, controls, processes and values into the new system deployment.
To help business users see and understand risks, the SAP BusinessObjects GRC release includes a new Visual Bow Tie Builder. Commonly used in compliance circles, bow tie charts depict risk events as the center knot of the tie, risk drivers fanning out as the left side of the bow and risk impacts fanning out as the right side of the bow.
"There are other visual Bow Tie tools out there, but SAP is the first to put it into an enterprise platform, attach a central repository, pull in compliance content from partners and make it actionable, meaning we've tied the controls seen in the bowtie directly into the compliance system," Dunham said.
In another notable upgrade, GRC version 10 supports finer granularity on security controls so managers have flexibility in granting compliant access to transactional capabilities. Whereas the previous release tended to turn access to, say, order-to-cash processes either on or off, the upgrade supports clauses on privileges whereby a clerk might be granted conditional authorization to execute certain aspects of a transaction.
This feature comes in handy in close cycles, when companies sometimes chafe against overly restrictive controls that get in the way of timely consolidation.