compliance (SAP GRC Access Control; SAP GRC Process Control; SAP GRC
Global Trade Services; and SAP applications for environment, health, and
safety compliance management).
Further, harkening back to the beginning of this chapter, as governance seeks
to break down barriers between risk and compliance activities, each of the
SAP GRC applications is designed to support the overall goals of the company's
governance framework. For example, SAP GRC Risk Management provides
support for best practices such as collaborative risk analysis, predefined risk
responses, and continuous monitoring and reporting. The SAP GRC Global
Trade Services application embeds regulatory and corporate compliance into
core logistical processes. And the applications for environment, health, and
safety align business processes with environmental, occupational safety,
and product safety regulations, as well as internal policies, to make management
of all three sharper and more efficient.
From a governance perspective, these applications feed into the SAP GRC
Repository — the central IT tool for governance — in order to centralize
management in terms of documentation, testing, remediation, and control
monitoring. As such, the SAP GRC Repository centrally documents and stores
all governance, risk, and compliance information for enterprise-wide and
industry-specific needs, and provides the means to centrally manage compliance
structures, policies, processes, risk and control libraries, test plans,
remediation cases, and evidence.
In addition, the application links risks and controls to multiple external
security and control modalities — such as the Committee of Sponsoring
Organizations (COSO) and Control Objectives for Information and Related
Technologies (COBIT) — as well as to financial reporting requirements and
environment, health, and safety regulations.
[Figure 3-1: The SAP GRC Repository centralizes all relevant policies and
information for a unified approach to governance.]

Figure title: GRC Repository - Central System of Record Drives Governance,
Increases Transparency
- Correlates regulations with internal compliance policies and procedures
as evidence of compliance
- Centralizes knowledge base of content contributed from GRC Ecosystem
- Rationalizes controls against multiple frameworks

Inputs shown feeding the central GRC Repository: Regulations & Industry
Mandates; Corporate Policies & Procedures; BOD & Committee Minutes; Control
Frameworks; Best Practices (COSO, COBIT); Performance Measures & Benchmarks;
Risk & Control Libraries; Influence Councils (Auditors, Advisors, Attorneys);
Internal Policies; Governmental Agencies.
84 Part I: Governance, Risk, and Compliance Demystified