Today is the last day for the exhibition hall and after a slow start the pace picked up well.

We’ve had a lot of interest in our new branding and we’re very pleased with the profile we now present. Narina Sippy (VP SAP GRC) collared Gavin, and Gary Dickhart has caught up with us probably half a dozen times – and it absolutely feels like we’re “in the global GRC club”, even though our focus is Europe.

We had an interesting talk with Philip Morin, Senior Director Risk Management in SAP’s Global Customer Advisory Office. What is absolutely apparent from talking to him is that the whole perspective and response to the market is changing from technology and IT led risk management initiatives to business and Board level strategy led enterprise risk management. That brings a whole mass of challenges and issues around culture and ownership of risk, and requires of every business an opinion as to whether risk management is simply a cost – in which case SoD management and automated provisioning is the sort of goal – or an important element in balancing risk & reward as you drive competitive advantage. Our goal is to help our clients surge forward by considering the latter – and positioning access controls, and process controls, as automated feed aspects of the wider picture.

Today we spent time evaluating Greenlight’s new RTA functionality for connecting GRC to non-SAP systems. It's a big step forward, with a look and feel almost identical to Access Control 5.3. It empowers system integrators to build their own RTA's which means we will now be better able to look at cross application access based risk. We'll be re-visiting our succeed GRC methodology to assess how this may change our approach. We’re very keen to implement Access Control on non-SAP systems and will co-innovate with any interested customers. Greenlight are on-board with this approach and will support us in this.

At the “Ask the Experts” section at the GRC Labs, Gavin had a very detailed discussion with Susan Stapleton on SPM strategy, functionality and future product development. The CAG are doing some significant research currently to identify what SPM does and doesn't log as standard and su53 will be sharing our 4 value scenarios with SAP, and we'll update you further on this as we go. We were excited to hear that our suggestion for using CUP workflow to manage SPM logs will likely be included in the next release: perhaps we’ll get royalties? Hmmm. Let’s plan to settle for the feel-good factor instead.

We also discussed the BI 7 integration with Access Control and its take-up by SAP customers. It seems that not many are leveraging this yet, and that the scope is limited to RAR and CUP. We need to assess this further as the potential for risk cockpit style reporting would be significant.

It was interesting to discuss the relative maturity of the GRC market with some of our Danish counterparts (Denmark, with over 90 delegates here, seems the best represented European country this year) and share our vision on Process Control and how it can be used to address some pain points.  We also spent some time in the bar the other night focused on a very imaginative envisioning session (don’t ask too much more...) with a very capable bunch of guys from Atlanta called S3 (pictured are Paul Kohler, Ana Bond and Johanna Thomas). They had seen we were attending and had contacted us ahead of the event to see if we would meet up, and I can see we will collaborate with them to drive our collective thinking.

Pete spent today focused on IDM and what some of the other vendors such as Novell are up to in this space and we will be developing our maturity model recommendations on the whole identity management/provisioning area in the coming weeks.

It has been good to meet so many people and noticeable that other vendors as well as SAP and clients are pointing new prospective clients towards us. Sadly they tend to turn up with really difficult challenges, but we’re doing well so far and have helped many people in their thinking and strategy, and we will be closing the stand down with a sizeable list of follow up actions and people to get back to!

More sessions tomorrow, but after three long days standing, we and our aching feet may take tonight off and try to sneak in a drink or two and – who knows – we may even try this blackjack lark....