Day 1: Jumpstart day
Tuesday, 17 March 2009 12:09

MGM Grand, Las Vegas – crazy place. The formality of SAP® software in a world of casinos, dancing girls, bright lights and total excess seems incongruous, but the venue (MGM Grand) is spacious and “facility-rich”... and sadly smoky, as all routes seem to go via the casino. The organisers tell me that they have been pleased with attendance, with some 2,800 attendees booked (though this is some 30% down on last year); however, the level of attendees is higher – perhaps reflecting the greater focus everyone has at present on spending only where it is careful and justifiable.

The morning session by Jim Dunham and Gary Dickhart from SAP BusinessObjects (still can’t get used to the name) was good and set the scene for SAP’s strategy and positioning in this area. Some of the key messages were:

  • Continued positioning of GRC and EPM (and BI) together as part of a holistic business strategy & execution model
  • Wider holistic view of risk
    • More than finance – SAP is increasingly positioning for supply chain and IT risk
    • Transition from SOX tactical response era to maturing strategic view of GRC as a controls strategy
    • Acceptance that IT is perhaps the integrator of risk management and controls elements and the place to drive executing better risk strategy
  • SAP strategic focus
    • Extend GRC coverage beyond finance
    • Enhance user content (i.e. make it easier for us all to add content and tailor to our specific risks)
    • Accelerate deployment (i.e. easier to use and adopt)
  • Other themes
    • Increasingly looking to embed controls into processes rather than position them as add-ons
    • Adaptation and alignment with vertical sectors
    • GRC now widely accepted as applicable to more than SAP (fascinating example of Johnson Controls, who ran successful pilots of both Process Control and Access Control on non-SAP systems to validate GRC against other products)
  • Product news
    • Process Controls 3.0 and Risk Management 3.0 scheduled to enter Ramp-Up 12th May 2009

Gary Dickhart referred to recent PwC research showing that 40% of respondents stated that their Chief Risk Officer role was held by the Chief Internal Auditor – which in his view is a “sad state of affairs” and confuses the segregation between audit and response that is so important and key in effective risk management.

It was encouraging to hear SAP confirm a view we hold, that cultural change management is the first hurdle to introducing effective risk management. Getting business users to buy into controls is without doubt critical to the success of GRC projects. Gary also went on to express the view that often the biggest challenge in GRC projects is getting the business to define its risk tolerances – as without that, how can anyone determine whether risk-related issues matter, i.e. at what level does a risk management failure matter? That is more likely to be known if you’re running payrolls or flying planes, less so if you’re manufacturing products.

Another pleasing observation was that GRC does not add controls or complexity – it simply gives evidence of controls that probably exist manually to some extent today, and helps confirm to the Board that the business is safe rather than carrying unknown and unmeasured risk. Gary went on to point out the variance in views that arises and why businesses need an agreed risk strategy. Risk Managers resist risk whilst business leaders tend to look at the upside in the risk-reward balance – but unless the different parties can communicate objectively, risk management is a bit haphazard and can be overly constraining.

SAP have a sound maturity curve for GRC use – and it’s interesting that across many hundreds of clients across the globe, the view is that most are still in the tactical response phase or starting to create inventories of their GRC initiatives, and few are into unified GRC or operational excellence through continuous improvement.

In answer to who except SAP could help implement GRC, Gary avoided my eye (and furiously waved su53 flag) and said that in his view he would choose the smaller, lower-cost partner in situations where the business had a clear view that GRC mattered, but that if you need to change the mindset and culture of the Board and business users, then you need the more costly larger players. I can live with that!

So what was missing?

  • It still feels like early days for Process Controls and Risk Management, but the strategy sounds good, and the early adopters are there. Our thinking is that 3.0 will bring more clients on board through 2009, and that the RoI of Process Controls in particular looks clear and substantial. I would have expected a bit more bragging about this though
  • Data privacy through the Cisco alliance with Process Control didn’t get much coverage, though I would have thought it is a solution that would be much in demand – one to investigate further through the week
  • Identity Management is positioned as related to Access Control but was explained clearly by Jim as being about creating and managing the user – not the access rights at transaction and object level. Still feels a bit like two camps needing to join up to me

In the afternoon session the su53 team split up to get maximum coverage. The topics which interested us most were Frank Rambo’s view on the GRC technology and an overview of the various approaches to SoD management.

Frank’s session covered Access Control, Process Control and Risk Management and discussed everything from sizing to landscape and configuration management. Our recent experiences on multiple GRC projects prepared us well for this session. It seems that the customer base is always interested in these technical sessions. It’s always good to hear from the RIG directly. We’re hoping to have a session with Frank later this week and take the opportunity to thank him for the recent performance tuning guide for Access Control 5.3.

We won’t overload you with technical details, but suffice to say we’ve covered multiple Java nodes on multi-core Intel-based platforms, discussed the merits of a QA instance, discussed load balancing on the Web Dynpro and evaluated server sizings based on expert mode and “SAPS”.

The session on SoD management also touched on role content. It addressed the age-old debate of derived versus organisationally limited roles. One interesting point was made regarding the amount of effort that companies invest in designing their SoDs. A comparison was made between the amount of effort customers invest in designing and implementing R/3 and the effort they dedicate to the definition of SoDs. It certainly put things in perspective.

I’m sure there will be plenty of stimulating updates tomorrow, but for now we’re off to sort out the stand and get some well-earned rest.

Last Updated on Tuesday, 17 March 2009 12:40
 
GRC2009 News
Friday, 13 March 2009 10:32

Following on from the success of last year's GRC event in Orlando, su53 Solutions will be exhibiting and holding consulting discussion sessions at GRC2009 in Las Vegas, to be held between March 17th and 20th. The event, co-located with HR 2009 and Financials 2009 at the MGM Grand, is expected to attract over 5,000 delegates from across the globe, and will be the 2009 centre of discussion for activity around SAP® Security and GRC issues, strategy, solutions and innovation.

su53's team at the event will be covering new service offerings and sharing experiences and ideas with clients, prospective new clients, partners, industry analysts, consultants and SAP's key GRC experts through the week. Please check back here during the event for the latest news from GRC2009 in Las Vegas.

Last Updated on Friday, 13 March 2009 11:49
 