SAP, Oracle Scrambling For GRC Dollars

SAP and Oracle both announced new components for their growing governance, risk and compliance (GRC) technology suit in the past 10 days.

GRC applications are typically sold to public and large privately held companies, especially those operating in heavily-regulated industries, and are intended to perform a variety of critical functions including electronic document search and retrieval, ensuring compliance with audit and other financial and industry-specific regulations.

More advanced technologies promise the ability to segregate access to documents by job description or role, monitor environmental risks, assess possible future risks associated with a new strategic initiative, and monitor risk along customers’ supply chains.

It is this latter application that both SAP and Oracle just added, as the vendors pursue a strategy of upselling this kind of technology to their respective installed bases.

If the current political environment seems propitious for selling corporate compliance tools, prevailing economic conditions make selling applications without an obvious and immediate ROI payoff much more difficult.

SAP, Oracle and a few other platform vendors are seeking to mitigate that difficulty by selling them as add-ons to existing customers of their enterprise resource planning (ERP) suites. Niche GRC players, particularly those with experience in the post-Sarbanes Oxley era, like Compliance360, OpenPages, Walters Klewer, and BWise, are working their relationships with risk and compliance officers.

Meanwhile, both sets of vendors are looking over their shoulders at IT security vendors who may look to extend their own product sets from IT risk mitigation into compliance and governance.

According to Chris McClean, who follows GRC for Forrester Research, the niche players have more of the core GRC competencies, such as policy management, remediation workflow and risk assessment, than the larger vendors. That, and their preexisting relationships with compliance officers gives them a leg up in a market that is variously estimated at anywhere between $10 billion and $30 billion (depending on how GRC is defined).

Platform vendors like SAP and Oracle can offer existing customers a seamless integration with, and analysis of, data already residing in their proprietary databases. For instance, SAP is connecting its risk assessment and performance management applications, and can offer dashboards that display key performance indicators and key risk indicators simultaneously.

McClean told me that IBM has some capabilities in this market, and that CA is making a strong play built on its Clarity technology. Microsoft has also made announcements in this area through its relationship with BearingPoint, but McClean called the offering “light weight” and said it “doesn’t sound like a serious investment.”

Where the niche players excel is in being able to provide context, such as routing new regulatory and compliance information to the appropriate executives based on the industries in which their customers operate.

But the plaform vendors are better equipped to offer automated controls such as role-based access, which is also something security vendors already do for their customers. “I think McAfee, Symantec, and EMC [through its RSA division] are toying with the idea,” he told me.

According to McClean, there is an ROI argument to be made in terms of potential cost savings–being able to reduce the number of financial auditors is an obvious example. There are also a few companies, “not very many at this point,” who are beginning to use GRC tools to proactively assess risk to which their companies could be exposed by geographic expansion or acquisitions.