Compliance platforms are emerging and maturing


Compliance has been one of the dominant themes in the post-Enron age of corporate IT. Many software providers tout their offerings as solutions for complying with the Sarbanes-Oxley Act (SOX) and every other regulatory mandate, industry best-practices framework and corporate internal policy.

As a product segment, compliance has defied easy definition and been dominated primarily by point solutions. Compliance-related offerings range across many established niches, including business intelligence, corporate performance management, business process management, identity and access management, application security, change management, risk management, auditing and archiving.

However, over the past year, a new IT product segment has emerged — governance, risk and compliance (GRC) management — that integrates compliance point solutions into comprehensive, service-oriented architecture (SOA)-enabled enterprise suites. Fueling this trend is the growing realization that companies cannot have one stovepipe GRC management infrastructure for each mandate, but must leverage a single infrastructure across all initiatives. Each new investment in compliance-enabling technologies must integrate through SOA into the company’s core GRC management platform.

The most noteworthy recent development in GRC management was SAP’s late-2006 launch of a comprehensive, modular product platform to address a wide range of GRC requirements. Essentially, SAP validated GRC management as an important new enterprise software platform. At the same time, through its product announcements, the vendor has provided an architectural blueprint for the core GRC management functionality: monitoring, verification and optimization of business controls that have been expressed as structured workflows.

First and foremost, SAP provides a GRC management repository that centralizes compliance frameworks, mandates, policies and rules. It also provides a GRC process tool for modeling enterprise controls, executing the associated workflows and enforcing compliance. Its GRC platform includes a compliance dashboard, which provides a rollup and enables detailed drill-down into key business risks across multiple enterprise levels and organizational entities.

SAP’s platform enables automatic aggregation of enterprise business-process risks, provides supporting evidence of compliance, pinpoints control violations and enables prioritization of corrective action. It also includes collaborative tools, role-based views and configurable alerts to support operational enterprise risk management involving process stakeholders.

Other GRC management platform vendors have equivalent features in their product suites; SAP is far from the leader in this emerging segment.

Kobielus is a principal analyst at Current Analysis in Alexandria, Va. He can be reached at
