Abiding by the Rules – Digitally

GRC was on the agenda at the 10th CIBI Innovation Day in Munich (photo: Christiane Stagge)

With the introduction of laws and conventions such as GoBS, BilMoG, and MaRisk, the regulatory requirements for companies in Germany are getting tighter. GRC software helps companies to stick to the rules.

Germany needs to catch up

The digitization of data, global markets, and strict regulatory requirements are forcing companies to rethink their processes and IT landscapes and to adopt an approach known as governance, risk, and compliance, or GRC for short. But GRC is by no means practiced by all German companies. In summer 2009, ibi Research, an institute based at the University of Regensburg in Germany, launched a survey to find out how far German companies had actually come with GRC.

Over a period of three months, it questioned 565 survey participants. The findings: some 17% of those surveyed use software for IT governance, 45% run IT risk programs, and 24% report having an IT compliance program in place. So German companies have some catching up to do in terms of GRC. The survey also revealed, however, that companies are keen to comply: although only a few are certified against standards such as ISO/IEC 27001, they nevertheless follow the provisions of these standards.

Implementing minimum standards for IT

The ibi study showed that the reasons for failing to implement GRC are usually linked to a lack of financial means and staff, as well as poor acceptance among employees.

At the 10th Innovation Day held on October 5 by CIBI (the Conference on Innovation in the Banking Industry) in Munich, visitors had the opportunity to find out what GRC looks like in practice. Michael Kunzewitsch, responsible for IT compliance and IT organization at Volkswagen Financial Services, described in his presentation how his company implemented minimum IT standards, and how the approach could be applied to other organizations.

He stressed the importance of taking into account independent units, subsidiaries, and minority investments, as well as international branches and varying cultures. Kunzewitsch suggested three different approaches to GRC: hierarchical, self-determined, and cooperative. In his opinion, the best approach is the cooperative one. Here, a groupwide standard is defined that can be applied to the smallest as well as the biggest unit within the whole organization. The advantage of this is that the system is standardized yet is still flexible.


Keeping tabs on all risks with SAP GRC Access Control (screenshot: SAP AG)

GRC solutions from SAP

SAP provides GRC solutions from the SAP BusinessObjects portfolio. The products are tailored to the automotive industry, the banking sector, the chemicals and consumer products industries, the healthcare sector, the high tech and electronics industry, and the public sector. The software supports the major regulatory frameworks currently in force, including Basel II, the Sarbanes-Oxley Act, and the International Financial Reporting Standards (IFRS).

SAP BusinessObjects Risk Management analyzes, monitors, and documents potential risks. Using the application, you can create standard risk profiles. Because SAP BusinessObjects Risk Management is a business intelligence (BI) solution, you can simulate what-if scenarios. These enable you to analyze risks with regard to their probability and play through new business scenarios. Role-based dashboards tailored to the company’s authorization concept are another interesting feature. When the dashboard is launched, key figures and warning notifications provide information about possible risks.

With the SAP BusinessObjects Process Control application, you can automatically monitor and control business processes such as procurement, order processing, and financial reporting. Where manual control tests are necessary, they are automatically forwarded to the employees responsible.

The SAP BusinessObjects Global Trade Services application helps you reduce the cost and risk of international trade. It supports companies in complying with import and export regulations and fulfilling local and regional requirements. The application also works with non-SAP systems. SAP BusinessObjects Global Trade Services maps global supply chains and supports electronic communication with authorities. Other functions include global import and export processing, trade preference management, and restitution management.

SAP’s portfolio also contains special products for environment, health, and safety management: The SAP Environment, Health, and Safety Management (SAP EHS Management) application helps companies implement environmental directives and supports regulations related to products and materials, while SAP Recycling Administration ensures compliance with worldwide legislation on packaging and batteries, and with the disposal of waste according to the European Union’s WEEE (Waste Electrical and Electronic Equipment) directive.


IT governance is the part of corporate governance that focuses on a company's information technology systems, their performance, and their risk management. It covers all applicable regulations (for example, the GoBS principles for proper computer-based accounting systems), processes, and IT resources such as technology, documentation, staff, and staff availability.

IT risk is any risk that arises from information technology and that materializes when requirements are not met, for example when data is lost. Companies therefore endeavor to keep IT risks as low as possible by means of risk management or security management. Specialized software enables organizations to identify, measure, and manage these risks.

IT compliance is the observance of regulations and legislation within a company's IT systems. Software for security and risk management helps companies abide by the rules. To prove that they meet IT compliance requirements, companies must regularly demonstrate that their risk management mechanisms are in place and working.

When talking about compliance, there’s a distinction between compliance of IT and compliance through IT. Compliance of IT means that all of a company’s IT systems comply with the applicable rules and laws. Compliance through IT means that these rules and laws are mapped in a company’s IT systems, for example, in payroll or the human resources department.
