GRC Confusion | Norman Marks on Governance, Risk Management, and Audit

In 2008, SAP asked me to take a leadership position in talking about GRC. I was ready for a change, as my company (Business Objects, where I had led both internal audit and risk management as a vice president) had been acquired by SAP. While I had been offered an interesting opportunity in a risk management role with the company, I was less than enthusiastic about it.

I had enjoyed speaking at IIA and other conferences and seminars over the years, and the idea of making that a full-time job was appealing.

First, I had to find out what they meant by GRC!

In all my years as a risk and audit executive, I had never heard about it.

I knew what governance, risk, and compliance were individually, but I was not familiar with this acronym and why people wanted to combine three separate activities into a single expression.

SAP had a suite of programs they called GRC. But they were limited to tools to help manage user access to its ERP, maintain trade compliance (I make no comment on their own recent trade compliance problems), perform risk management, and comply with SOX. They also had a strategy management solution, but it was managed separately without integration with the solutions in “GRC”.

SAP also had a GRC department that focused on risk management, SOX compliance testing, and high-level information security…