The GRC (R)evolution

How recent innovations are making GRC implementations simpler, faster and cheaper for SAP companies

In recent years Sony(1) and Mossack Fonseca(2) have been examples of corporates who have underestimated the value of managing risk across their enterprises. The ramifications to their reputations, and bottom lines, are far-reaching and probably long lasting.

Perhaps more alarming though is the vast number of internal fraud cases which go unreported by organisations of various sizes, and in varying industries and locations. Organisations tend to prefer taking corrective action quietly, for obvious reasons, and therefore the problem is likely much bigger than formal studies indicate.

“The threat of economic crime is a very real concern for all organisations – regardless of their size, sector or region (3).”

A CEO survey (4) provided a window into this, revealing that around one in three organisations have been affected by economic crime, with asset misappropriation, cyber-crime, and bribery and corruption being the usual suspects. Further, the survey indicated that more than half of all internal fraud involves middle or senior management.

Furthermore, aside from actual information security breaches, regulatory compliance is also a motivating factor for companies to pay attention to GRC. Whether or not you currently operate in a country with stringent compliance Acts, as global markets continue to change the face of business, many countries are translating their governance recommendations into policies.

SAP organisations aren’t immune to all of this, even though a range of GRC tools are readily available. For many companies, high costs and tool complexity often inhibit adoption of these tools.

GRC Remains a Challenge for SAP Organisations

Internally, the tendency is to address business first. GRC is seldom the priority that it should be. While SAP GRC is undoubtedly the benchmark for larger, complex organisations, it’s not always the perfect fit for those companies who lack internal expertise. The more comprehensive GRC tools cater for a myriad of complex scenarios which are often not essential to the average organisation.

“Varying levels of maturity in risk and compliance processes are driving the need for identifying and implementing the right GRC tool (5).”

Implementations may not achieve the desired result when business resistance is encountered. This is attributed to the business’s struggle to associate the effort required with the value derived (6). Software often remains under-utilised, a manifestation of the lack of alignment between IT, GRC and business.

The bottom line is that although it is of significant concern when appropriate risk management tools are not in place, having poorly implemented or managed tools in place can lull you into a dangerously false sense of security. The potential for fraud exists as long as there is lack of alignment between people, processes and technology.

Four innovations are changing GRC for SAP companies:

1. Cloud & Hosted Deployment

GRC applications have historically been available primarily as on-premise deployments, but a trend is emerging that is seeing the rise of remotely hosted and cloud deployment options.

For example, more and more organisations are reviewing their employees’ authorisations for internal systems using cloud-based tools. The data is obtained from the internal network, then transferred securely to the cloud for analysis.

A key advantage of using the cloud is that no hardware is needed, which means there are no installation costs or ongoing maintenance. Cloud platforms allow for quick deployment, given the ability to scale storage and technology infrastructure to meet increases in demand.

“In 2015, Gartner listed cloud computing as one of the top five enterprise technology investments in the next five years (7).”

Perhaps more importantly, given that most organisations lack adequate internal GRC expertise, cloud solutions allow vendors to supplement the client’s resource requirements remotely, creating further efficiency. Here are three common myths surrounding cloud computing (8):

  • Myth 1: It is only for tech companies
    Not so, companies across all industries, big and small, are making use of cloud computing.
  • Myth 2: Security is a big risk
    Security measures used by well-known cloud vendors are often better than their clients’ measures. Cloud vendors have the resources and skills to keep security up to date.
  • Myth 3: It’s always cheaper to run in the cloud
    It’s not always cheaper to run in the cloud, but it can often be more cost efficient. Cloud works best for variable demands and workloads, where you have high demand at times but lower demand at others.

2. Software-as-a-Service Pricing Models

The growth in the global Software-as-a-Service (SaaS) market is largely driven by the increasing need for organisations to cut costs, and by the relative speed and ease with which SaaS solutions can be deployed.

Whereas conventional pricing models are usually based on ownership of an instance of a software application, paid through licensing agreements, SaaS pricing models tend to match pricing more closely with usage levels.

Typically, significant savings are realised in upfront investment costs, not just in the traditional purchase price: infrastructure costs are now borne by the provider, which is a significant saving for organisations. Further, SaaS implementation costs are often significantly lower than those of traditional implementations.

“Where SaaS models are paired with cloud deployment models, GRC capabilities are effectively put in the hands of users on an on-demand basis (9).”

Beyond the upfront cost benefits of a SaaS pricing model for GRC tools is the real benefit of flexibility. Companies can increase or decrease their number of users as required, and can also choose to avail themselves of discrete elements of functionality as they become necessary.

Software-as-a-Service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. It is sometimes referred to as “on-demand software”. SaaS is typically accessed by users using a thin client via a web browser. Where traditional on-premise applications require upgrades periodically, these costs are usually borne by the SaaS vendor (10).

3. Size-Sensible GRC Maturity Goals

There’s no denying that the large enterprise GRC applications are the best tools for the large, global multinationals. Tools like SAP GRC cater for every conceivable GRC scenario. Many companies are learning that although these tools are impressive, they can be oppressive when an organisation isn’t yet mature enough to make comprehensive use of them. Less mature companies are opting for scaled down, size-appropriate GRC tools and goals, and realising surprising benefits.

“Instead of viewing GRC maturity as a fixed point, we need to see it on a spectrum. Appreciating that there are varying manifestations of maturity allows companies to focus on the essential tools they require, right now.”

Paradoxically, adoption of size-sensible maturity definitions and GRC strategies is accelerating the GRC maturity of many organisations.

4. Managed Service Models

In the eternal race for the most efficient way to conduct operations, the rapid rate of change in technology presents a headache for most organisations, from a resourcing point of view. Most businesses use a wide range of technologies, each requiring specialist skilled people.

Outsourcing has become a widely used practice for ‘grunt-work’ level activities, but has been less successful where the need for proactive management of tools has been required. The idea of Managed Services has evolved to fill the gap.

The essential difference between Managed Services and Outsourcing is that Managed Services includes the proactive management of the application, whereas Outsourcing has traditionally been limited to reactive deployment of an IT asset. Accordingly, a Managed Service relationship can directly achieve a specified business result, whereas an Outsourced relationship typically delivers an IT result.

Many companies are increasingly leveraging IT Managed Services to avail themselves of both IT management and deployment skills, in the most efficient and flexible manner. These organisations have the ‘best of both worlds,’ ensuring they have the most up to date technology solutions to suit their own needs without the excessive costs associated with in-house IT support.

We Solve GRC for SAP companies. How can we help you?

Soterion’s entire business is focused on building GRC products to suit your team and your pocket. Because companies differ, we’ve developed three ways SAP companies can affordably handle GRC, whatever their internal GRC capability.

Compliance Cloud

What is it?

Soterion’s Compliance Cloud platform is a cloud-based, pay-as-you-go GRC Access Risk tool.

Ideal for?

  • Highly cost-sensitive companies
  • Companies that require access risk assessments seldom or ad hoc, e.g. internal auditors
  • Companies with basic in-house GRC expertise

Benefits

  • Instant GRC access risk visibility
  • Easy-to-use
  • Business-friendly reporting
  • Extremely cost effective
  • Only pay when you use

Managed Service

What is it?

Combines ‘on-tap’ GRC expertise with Soterion’s Compliance Cloud platform for a complete GRC solution. Delivered in collaboration with Soterion’s Consulting Partner Network.

Ideal for?

Smaller companies who have a GRC requirement, but lack internal expertise.

Benefits

  • Instant GRC capability, including both tools and expertise
  • Gives the business hassle-free, complete control of access risks via a dependable GRC service
  • Significantly cheaper overall solution than employing in-house GRC expertise and purchasing a GRC tool
  • Proactive GRC management


On-Premise Software

What is it?

Soterion for SAP is a size-sensible GRC software application, offering powerful, easy-to-use features for smaller SAP companies.

Ideal for?

  • Smaller companies that have a GRC requirement, and have internal expertise
  • Companies with IT policies requiring on-premise solutions

Benefits

  • Powerful, size-sensible GRC features for smaller businesses without complex, unnecessary functionality
  • Highly cost-effective on-premise GRC alternative
  • Intuitive and easy to use
  • Minimally invasive to infrastructure and SAP installation

Soterion’s SAP Compliance Cloud gives you what you need, when you need it.

Instant GRC Access Risk Visibility: Move from no GRC access risk visibility to full visibility, within 24 hours. With our seamless data extraction process and intuitive interface, you won’t require any technical knowledge to get set up.

Insights As You Need Them: Avoid external audit surprises by viewing easy-to-understand access risk reports as and when you need to.

Pay As You Go: Benefit from the lower cost of ownership by avoiding the expense of a full-time on-premise solution and the staff to support it. No fixed term contract requirements.

Easy to Use: Our platform is extremely intuitive, and requires no GRC technical knowledge. Our business-friendly reporting tools allow focussed reports by business area.

Guided, Step By Step GRC Maturity Process: Use our proprietary GRC Maturity Model to benchmark your current GRC maturity level. Enhance your GRC capability by following the provided recommendations.

Simulate Changes Before Applying Them: Play it safe with our Allocation Simulator which runs pre-emptive ‘what-if’ analyses, showing you the impact before making changes in SAP.

For more information download the ebook. Email [email protected] if you have any questions, need more information or would like a demo.

Source 1: Peter Elkind, “Part 1: Who was manning the ramparts at Sony Pictures?”, Fortune, July 1, 2015
Source 2: Charles Riley, “The Panama Papers: 7 things to know”, CNN, April 7, 2016
Source 3: Various, “Global Economic Crime Survey 2014”, PWC, November 2014
Source 4: Various, “Global Economic Crime Survey 2016”, PWC, November 2016
Various, “Centralized Operations: The Future Of Operating Models for Risk, Control & Compliance”, EY, November 2014,_Control_and_Compliance/$FILE/EY-Insights-on-GRC-Centralized-operations.pdf
Source 5: Website, “GRC Technology Enablement”, PWC, 2016
Source 6: David Houlihan, “GRC Vendor Implementation Success Strategies”, Blue Hill Research, August 2015
Source 7: Various, “Flipping to Digital Leadership”, Gartner, 2015
Source 8: Ahmed Banafa, “10 Myths About Cloud Computing”, OpenMind, September 2015
Source 9: David Houlihan, “GRC Vendor Implementation Success Strategies”, Blue Hill Research, August 2015
Source 10: “Software as a service”, Wikipedia, the free encyclopaedia
General references:
  • “Achieving Effective Risk Management and Compliance”, Deloitte, 2014
  • “GRC Today”, KPMG, October 2015