
The GRC Marketplace is shaking up: SAP and CA partnering on GRC

Aug 11, 2010 by Sachar Paulus

In the last weeks, I had a number of interviews and product / vendor briefings about GRC-related products. And as you may have noticed, the marketplace is still pretty unstructured. Since there is still no generally accepted common definition or reference architecture for GRC (although I have developed one, see my reports), anyone touching functionality related to GRC assumes it is in the core. And so you can find extended document management solutions there (for policy management) as well as controls and IT controls management tools, besides access governance and financial risk management applications.

I believe though that it only makes sense to actually implement a holistic GRC management framework in an enterprise if there is a common, integrated and standardized way of managing policies, controls, risks and improvement projects. There is no value in buying a multitude of isolated solutions that perform extremely well on certain aspects, because then the integration know-how still resides with the people - and isn't GRC actually exactly about reducing the risk that the enterprise is exposed to by people's involvement, for personal, political or financial motivation?

The real value of implementing GRC projects only comes - very similar to ERP, history repeating - with an integrated framework. There are two ways of achieving this: first, by standardization (such as SOA), and second, by market dominance (such as R/3). And to be honest, none of the vendors I have been able to listen to is, in my view, in a position to advance the standardization path in that market.

With the recently announced partnership between SAP and CA, SAP pursues - similarly to Oracle - a pretty intelligent move: they will be able to integrate real-time information from SIEM and other solutions from CA, one of the established players in the IT infrastructure environment. The simple announcement will shake up the space: until now, GRC was about prevention, mitigating activities, but the reaction part was left to IT or other reaction facilities (e.g. fraud management, corporate security). But with that partnership, GRC actively covers a "real-time" view on the threat / risk situation.

Another aspect is that with the partnership of two giants, a de facto standardization will automatically happen. If, say, RSA now wants to provision SAP GRC too, they will need to adopt the interface definitions that the two have defined...

So: good move, SAP and CA.


Author info

Sachar Paulus
Scientific Advisor
© 2003-2016 KuppingerCole