The event this year has a feeling of maturity rather than the frantic excitement of previous years. SAP’s message has a consistency and the development of this message is subtle not radical. Growing use of the term “Policy” suggests a new vision of process governance emerging, covering internal discretionary rules that organisations use to manage their business, and this sits alongside the stalwarts of Risk and Compliance.
In general attendees seem familiar with SAP GRC Access Controls and take-up seems huge – most people we spoke to seem to either have it fully implemented, or are somewhere along the path. However, the take-up of SAP GRC Process Controls feels low, and SAP GRC Risk Management even lower: enthusiasm for it is good though, which suggests a mismatch somewhere. Our take is that AC is a clear solution (for SoD, provisioning, superuser and role management), and as a generalisation, tends to be bought by IT management facing audit pressures. PC however is more of a toolset – like workflow say – that itself is a technology and needs to be applied to business issues – duplicate vendors for example. As a consequence, the “need” tends to be more business or finance driven, so SAP is facing a different community of buyers to those who bought AC. RM, whilst closely aligned with PC, is again different, appealing to Risk Managers and Boards wanting control of the business.
Our view is that SAP and its community will get there and this will be a market leader, but that it will be slower to get taken up than needs be until the message gets clearer. su53 spends a lot of time looking at these things and we feel we “get it” and it looks like a good solution – we’re certainly investing hard in skilling up in how to apply the full AC/PC/RM suite to issues in our clients.
Another marked area of progress looks like the adoption of technology partners for GRC. The ones that jump out at us are:
Greenlight (www.greenlightcorp.net)
- Extending the use of SAP GRC across non-SAP applications to give an holistic view of risk
SenSage (www.sensage.com)
- Providing high performance event management logging and analysis from almost any data source (SAP, Windows, devices) against which risk events can be identified
Crowdcast (www.crowdcast.com)
- A very innovative risk prediction tool that uses the intelligence of the community – usually your employees – to assess the likelihood of risk events
RunBook (www.runbook.com)
- Fast close across the enterprise leveraging an intelligent scheduler. Solution has been extended to embed compliance measures and automatic controls.
Attendees this year appeared to reflect the profile last year – generally more senior or expert people with a clear agenda, rather than people just using this to get up to speed (which it is a great event for in our view, if Finance/GRC/HR is your scope). The organisers tell us that some 2,500 people attended, of which between 15% and 20% were from Europe. The growing scale of the GRC event in autumn in Europe (scheduled in November in Barcelona) suggests this proportion may reduce in years to come.
We had a strong team here – 5 of us – and I think we have all been flat out for most of the time talking, listening, learning and absorbing, or contributing through expert sessions and presentations. The event winds down today leaving us to wade through our notes, business cards, mindmaps, and thoughts, looking to align the week’s activity to enhanced strategy and then back home at the weekend to share the knowledge with the whole company: execution starts Monday!