News, September 3, 2010
Big hitters target GRC

 
The market for governance, risk and compliance technology has attracted the gaze of some of the world’s biggest IT companies. Forrester’s Michael Rasmussen reports

Earlier this year, Oracle launched its governance, risk and compliance (GRC) strategy, taking aim at what SAP had announced 10 months earlier. Both companies are driving a significant technology and marketing investment in GRC, aiming to capture mindshare as well as market share within today’s business and IT environments. Both vendors are convinced that the expanding opportunity in GRC is well-aligned with their applications and middleware strategies. How do Oracle and SAP stack up? Both have cohesive and thorough marketing messages – the differences come down to their technical capabilities and areas of industry focus.



SAP’s process control and ERM dashboard resonate with business stakeholders

SAP has a 10-month head start on Oracle in understanding and marketing GRC and fares particularly well against Oracle when GRC involves:

Integrated process and access controls. SAP, through its Virsa Systems acquisition last year, has a stronger automated process and access control solution for SAP business applications than Oracle. Organisations are looking to leverage automated controls to enforce segregation of duties and access within business financial applications – particularly because of Sarbanes-Oxley (SOX) compliance issues. This automated control approach relieves pressure on the business in answering control self-assessments and provides the ability to prevent and detect risk and control violations across a much larger volume of activity than sample-based manual testing procedures. Oracle’s strategy, in contrast to SAP’s, is to partner rather than to own and directly integrate this capability; it partners with companies like LogicalApps.

Integrated risk dashboards and corporate performance. While Oracle has an extensive collection of business performance analytics solutions, SAP has a significant lead in building an enterprise risk dashboard that can integrate with its own business performance and business intelligence offerings. The SAP ERM Dashboard was developed internally at SAP and is the core of its internal enterprise risk management (ERM) function across SAP operations. Its dashboard is a leading innovator in identifying and monitoring key risk indicators across SAP business operations and has enabled SAP’s internal risk management function to win two significant ERM awards from Strategic Risk magazine over the past few years.

Business-led GRC strategy. SAP has deeper penetration outside of IT into lines of business in delivering a variety of business applications, which is reaping rewards for SAP when it comes to GRC. This is particularly true when it comes to SAP’s core vertical strengths in manufacturing, pharmaceuticals, and logistics. The chief risk or compliance officer is driving GRC, and it is this role that is aggressively looking for technology to drive sustainability, consistency, and efficiency, as well as transparency, in GRC processes. Forrester’s interactions with risk and compliance professionals reveal that SAP has stronger relationships with the business role, while Oracle has a stronger relationship within the CIO’s office. SAP’s GRC strategy and footprint is more mature than Oracle’s; it covers areas including compliance with import and export regulations with SAP Global Trade Services; the ability to enhance a company’s brand with corporate sustainability management; and environment, health, and safety regulations with SAP applications for environmental compliance. These areas are not currently on Oracle’s road map, but Oracle’s commitment to business executives and vertical GRC solutions is growing rapidly.



Oracle answers with strong content and process management

Oracle’s recent GRC strategy announcement launched a significant attack on SAP’s role in this market and positions Oracle right where SAP is weakest. Oracle’s GRC strengths include:

A robust GRC content management engine via the Stellent acquisition. The core of a GRC software platform is content management. Neither Oracle nor SAP had a strong content management engine that could deliver GRC until Oracle acquired Stellent in December 2006. Organisations require a platform to document, maintain, communicate, and assess the state of policies, procedures, controls, and risk and business practices as a foundation for GRC. This means that a GRC software platform must have a top-notch content management solution. Case in point: A major financial services firm needed a platform to support the process of defining, maintaining, and communicating policies and procedures for Securities and Exchange Commission/National Association of Securities Dealers (SEC/NASD) compliance. Specifically, the firm wanted the platform to be able to identify everyone who viewed, printed, accepted, or was trained on a policy so that it could communicate future updates to the appropriate people. Neither Oracle nor SAP was involved in this deal. But today Oracle could be a contender; SAP could not. SAP has limited document management capabilities within its GRC process and access control solutions.

Fusion BPM capabilities. Oracle has strong, native business process management (BPM) capabilities in its Fusion Middleware stack, which complement Stellent’s strengths in enterprise content management (ECM) and enterprise rights management. Organisations have embraced content management for GRC and moved away from spreadsheets and paper trails. When organisations started entering year two of SOX compliance, their attention focused on enhancing content management with simple workflow. The next-generation GRC software platform is moving beyond content strategies to encompass business process management, automation, and visualisation. Oracle is well-positioned with the integration of Fusion Middleware process management capabilities to deliver a comprehensive technical platform for GRC. SAP recognises the critical importance of BPM and has put this on its road map for early 2008.

Deeper integration into the IT environment, particularly with security. Oracle has a stronger IT software stack than SAP. Its strategy shows that it can extend deeper into the IT infrastructure of databases and security technologies – an area where SAP has almost no capabilities. Oracle’s breadth includes identity management, security technologies, and databases, as well as information rights management (something brought to Oracle with the Stellent acquisition). Support for the IT environment is important when GRC is about protection of structured and unstructured information as well as when access needs to be monitored and restricted to individual identities across the organisation and its partners. Areas of GRC that touch on intellectual property, privacy, and information/IT security are Oracle’s strengths. SAP has approached IT integration through partnerships with companies like Cisco, but this is not as comprehensive as what Oracle delivers across the IT environment.

Expertise in financial services. Oracle has penetrated further into the financial services market than SAP, particularly in banking, giving Oracle the upper hand within this industry. Oracle also has a broader GRC portfolio of interest to financial services; much of this comes from its stake in the i-flex Reveleus products aimed at helping financial services manage credit, market, and operational risk. The most significant GRC spending is coming from the financial services industry. Risk and compliance drivers such as Basel II, Solvency II, MiFID, Know Your Customer, anti-money laundering, and SEC/NASD laws and regulations are driving GRC adoption. Other industries are starting to pick up steam – particularly across the Global 100 – but Oracle has a solid foothold where spending is strongest today.



Both Oracle and SAP face hefty competition from specialty vendors

Interestingly, the Oracle–SAP rivalry is somewhat misplaced within the GRC market – a market that is filled with more than 400 vendors, more than 100 of which are aspiring to be an organisation’s core GRC software platform. Oracle’s and SAP’s GRC opportunities are mostly within their respective existing customer bases, which means that they will spend more time competing against specialty vendors rather than each other. While both Oracle and SAP have big brands and resources, the specialty GRC vendors have three key weapons that will give these software giants a run for their money:

GRC market penetration and experience. Most of the requests for proposals in the GRC space are going to the likes of Axentis, CuraRisk, OpenPages, Paisley, and QUMAS – the smaller and more nimble players that have made this space what it is. The result: specialty vendors offer more GRC experience and the ability to add new functionality quickly to stay ahead of the curve.

Vertical focus. Financial services has established GRC solution vendors such as Algorithmics and SAS. The pharmaceuticals industry has a wide range of smaller players offering risk and compliance solutions. These represent entrenched vendors offering a range of GRC industry-focused solutions with significant revenue. The battle will be difficult for Oracle and SAP within these industry segments, although Oracle has a significant upper hand with its stake in i-flex for financial services, while SAP does have a strong business application foothold in pharmaceuticals.

Software-as-a-service platforms. Forrester estimates that one-third of GRC deals are going to software-as-a-service (SaaS) vendors, and we expect this to increase to as much as 50 per cent. The business roles buying this software – namely a chief risk or compliance officer – often see IT as a roadblock to getting things done and see SaaS as a way to get things started quickly. SaaS is also winning a lot of GRC deals when the organisation is under the requirements of a consent decree, corporate integrity agreement, or other legal mandate to implement GRC within 30–60 days.



Recommendations: GRC buyers, understand your GRC vision and what you need

What Oracle and SAP deliver today are two very different things – particularly outside the world of SOX. This will change over the next few years as both vendors broaden their GRC portfolios and deliver on their communicated visions. Risk and compliance officers should consider:

SAP when automated access and process controls are a primary concern. Organisations looking to automate control detection and prevention within SAP business applications will find that SAP has a stronger and more versatile cross-business application than Oracle. SAP becomes the leading contender if you are a chief financial officer looking for automated control management for SOX compliance in an SAP application environment. Further, SAP has the lead in an integrated risk dashboard that monitors key risk indicators within business applications and performance.

Oracle when content and process management is critical to GRC strategies. When looking for an application to document and manage GRC information and processes in a heterogeneous environment, Oracle has a competitive offering. This is a particular strength if you are a chief compliance officer and have detailed content controls and oversight requirements for compliance. Additionally, Oracle is the right choice if you are a financial services firm and need a complete GRC solution that extends into banking and risk applications as well as IT security and identity management. Oracle is also well-positioned to be the core of GRC in a heterogeneous business application and technology environment.

The small specialty GRC firm when experience and flexibility are key. While both SAP and Oracle offer important components of GRC today, they are both still executing on their strategies and coming to a full understanding of what GRC means. The vendors winning the day are the small firms that are quick to react and meet client needs. However, these small vendors are risky as there are many of them in a market that is ripe for consolidation.



Oracle and SAP hold the future of GRC

Yes, the small and nimble GRC vendors may be winning the day today – but the commitment of Oracle and SAP to this space is important as they will dominate it in the next three years. What differentiates Oracle and SAP is their ability to integrate GRC into the business application suite – where GRC becomes a component of business and not just a siloed application. As Oracle and SAP look beyond SOX, a whole world of business GRC opportunities is opening up, as with current demands around employment/labour compliance solutions. To do this, both will need to aggressively work on their GRC delivery capabilities as well as acquire more vendors in this space. Both vendors must build up experience and reference architectures for delivering on critical and integrated GRC solutions. Potential vendor acquisition targets include specialty GRC vendors with strong content and process management capabilities like BWise or QUMAS, SaaS vendors focused on GRC like Axentis, risk analytics vendors with strong visualisation capabilities like Certus/Securac, and automated control vendors like Approva that can link into the SAP and Oracle business environment. Both Oracle and SAP will also need to focus on developing their GRC solutions to fit into a heterogeneous business environment.

Michael Rasmussen is vice-president, risk and compliance research, at Forrester Research

16 August 2007


Copyright © Reed Business Information. All material on this site is subject to copyright. All rights reserved. No part of this material may be reproduced, translated, transmitted, framed or stored in a retrieval system for public or private use without the written permission of the publisher.
