Vision behind Software AG’s GRC Platform
In September, Gartner Inc. released the 2013 Gartner Enterprise Governance, Risk and Compliance (EGRC) Magic Quadrant* and positioned Software AG in the Leaders Quadrant for the second year in a row. Software AG is appreciated by customers for the holistic and process-driven approach. Software AG has also been positioned as Leader in the Magic Quadrants for Business Process Analysis and Application Integration among other platforms. We’re very thankful for the positive evaluations of our customers, especially since this year’s Gartner’s EGRC report put much more emphasis on reference customer feedback and market expectations.
Strengths of Software AG in enterprise GRC
What are the highlights of Software AG’s strengths?
Gartner recognized Software AG’s innovative approach to the market: its vision for increasing automation and integrating business processes with risk management. With a strong process focus, Software AG is able to deliver integrated performance and risk management capabilities such as risk-based strategic planning and monitoring the impact of risk on business performance. ARIS Connect, an enterprise social-media-based process improvement product, enables collaborative and team-based information sharing and risk assessments.
We do see Gartner's 'Strengths' as an enabler for success in the future. However, Software AG wants to remain a leader in many areas by continuing to anticipate trends in the market.
Trends in the market: shift of process control to customers
What trends did we observe which we need to anticipate?
Figure 1: Digitizing the Enterprise.
We noticed a trend at large enterprises starting Transformation programs in order to change their Business Model on the one hand, and to figure out how they can operationalize the changed Business Model faster on the other. In all industries there is a competition going on between leaders over who becomes the fittest. Companies are reinventing how to operate successfully in the market towards their clients, new channels and innovations. Process-driven companies are used to adapting their end-to-end processes to the demands of the Business Model. When it comes to processes, we need to differentiate between automating processes and digitizing them. Process automation is about running processes more efficiently, while digitization is about realizing a more effective outcome of processes by improving customer engagement. In the journey of digitization, process control is shifting towards customers, based on the convergence of four forces: social, mobile, big data and cloud, which will be explained later. The relation between the Business Model and the middle layer works well. The problem starts at the third, or IT, layer. IT landscapes of more than roughly 20 years old are not built for this agility. They worked well for harmonization and standardization, but not for adapting to the changing demands of the Business Model. Software AG came up with an Agility layer on top of the application layer, solving the problem of a non-functioning, silo-based application layer.
Vision Software AG
Let’s give some insight into the vision of Software AG and explain how it relates to the new trends in the market, in particular in the GRC area.
Figure 2: Convergence of four forces.
Software AG’s vision is to help our customers move into the new world of the Digital Enterprise. We help by addressing business agility through leveraging the convergence of the four forces: big data, mobile, social and cloud. Big data is the context for delivering enhanced social and mobile experiences. Mobile devices are a platform for effective social networking and new ways to work. Social links people to their work and to each other in new and unexpected ways. Cloud enables delivery of information and functionality to users and systems. The forces are interrelated and create a user-driven ecosystem. Software AG’s Digital Agility Platform contains several layers, on top of the customer-specific application layer, that support leveraging the four forces.
Figure 3: Software AG’s Agility Platform.
Agility Platform in the context of enterprise GRC
How can the vision be executed in the context of enterprise GRC? First of all, the Visualization solution makes it possible to monitor the status of all underlying layers. Specific views can be selected, such as a process-specific view (e.g. order-to-cash or purchase-to-pay) on:
- risk performance: KRIs or outcomes of qualitative risk assessments (assessing probability x impact, gross and net);
- compliance performance: control testing results aggregated per law, regulation or standard;
- policy management status, with some internal and international benchmarks;
- internal audit status, including related issues and their status;
- business performance: e.g. process cycle time and process costs (typical leading indicators).
The Business Processes solution enables ‘Social GRC’ with collaborative modeling and process assessments by a multi-disciplinary team of risk, compliance, legal, audit and business representatives. Design decisions can be made based on visibility into both business performance and risk & compliance performance. If certain processes outperform in being ‘in control’ but at the same time under-perform on process performance indicators, this might have been caused by implementing too many process controls. An improvement can be started from this analysis and redesign. The Integration/SOA solution makes it possible to monitor, for example, ERP and financial application transaction information to improve governance and automate the audit processes. The efficiency of automated internal control evaluation reduces costs tremendously. Besides, in contrast to controls embedded in an ERP system, with integration the internal controls can be run across the whole IT landscape. The end-to-end processes guide you through the detection of segregation of duties conflicts and inappropriate configurations in the multiple systems that make up the end-to-end process. The In-Memory Big Data solution of Software AG has proved its value in real-time risk analytics of high-volume, unstructured data, including immediate alerting of the risk and business owners. Different kinds of events trigger different kinds of actions. Let’s take four examples of events and the actions they trigger:
- a suspicious credit card transaction, detected by correlating distance and time between transactions, which triggers an incident in the core GRC system and alerts the owner;
- an exchange rate that reached a defined threshold, which triggers an ad hoc risk assessment in the core GRC system and assigns it to the risk owner;
- a defect rate in production that exceeded the critical mark, which triggers an issue and assigns it to the issue or process owner;
- an SoD (segregation of duties) violation: a user creates a new vendor in the system and also approves the payment to that vendor, which creates an ineffective test case with a short description of the event. A follow-up of the test case is created immediately as well, to prevent new violations.
For all types of events it is important that an immediate and appropriate action is initiated, supported by a workflow to track and trace the status. All status changes must be logged in the audit trail of the core GRC system.
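The four event-to-action rules above, written out as a small Python illustration. This is an added example, not Software AG code or a Software AG API: each monitored event is checked against a rule, a record (incident, risk assessment, issue, or ineffective test case with its follow-up) is created and assigned to an owner, and every status change is appended to an audit trail. All thresholds, owner names, coordinates and transaction data are constructed for the example.

```python
"""Event-to-action rules for the four GRC examples (added illustration, not Software AG code).

Assumptions (not from the original text): the plausible travel speed for the
distance/time correlation, the EUR/USD threshold, and the critical defect rate
are all constructed values chosen to make the example run.
"""
from dataclasses import dataclass, field
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0      # constructed: faster than this between two card uses is suspicious
FX_THRESHOLD = 1.40            # constructed: EUR/USD level that triggers an ad hoc risk assessment
DEFECT_RATE_CRITICAL = 0.05    # constructed: 5 % defects per batch is the critical mark


@dataclass
class GrcRecord:
    kind: str          # incident | risk_assessment | issue | test_case | follow_up
    owner: str         # the owner the record is assigned to
    description: str   # short description of the triggering event
    status: str = "open"
    audit_trail: list = field(default_factory=list)

    def set_status(self, new_status: str, actor: str, at: str) -> None:
        # Every status change is logged (timestamp, actor, old, new), as the audit trail requires
        self.audit_trail.append((at, actor, self.status, new_status))
        self.status = new_status


def _km_between(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km (haversine formula, earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def check_card_transactions(prev: dict, curr: dict):
    """Two uses of one card too far apart for the elapsed time -> incident for the card owner."""
    hours = (datetime.fromisoformat(curr["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
    km = _km_between(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
        return GrcRecord("incident", curr["owner"], f"card {curr['card']}: {km:.0f} km in {hours:.2f} h")
    return None


def check_fx_rate(rate: float, risk_owner: str):
    """Exchange rate at or above the defined threshold -> ad hoc risk assessment for the risk owner."""
    if rate >= FX_THRESHOLD:
        return GrcRecord("risk_assessment", risk_owner, f"EUR/USD reached {rate}")
    return None


def check_defect_rate(defects: int, produced: int, process_owner: str):
    """Defect rate above the critical mark -> issue for the process owner."""
    rate = defects / produced
    if rate > DEFECT_RATE_CRITICAL:
        return GrcRecord("issue", process_owner, f"defect rate {rate:.1%} exceeds critical mark")
    return None


def check_sod(actions: list, control_owner: str):
    """SoD rule: a user who created a vendor and approved a payment to it.

    actions are (user, action, vendor) tuples. Returns (ineffective test case, follow-up) or None.
    """
    created = {(u, v) for u, a, v in actions if a == "create_vendor"}
    violations = [(u, v) for u, a, v in actions if a == "approve_payment" and (u, v) in created]
    if not violations:
        return None
    desc = "; ".join(f"user {u} created and approved vendor {v}" for u, v in violations)
    test_case = GrcRecord("test_case", control_owner, "SoD violation: " + desc, status="ineffective")
    follow_up = GrcRecord("follow_up", control_owner, "prevent recurrence of: " + desc)
    return test_case, follow_up


if __name__ == "__main__":
    # Constructed sample events: one card used in Amsterdam and 30 minutes later in New York
    ams = {"card": "C1", "owner": "card-owner", "lat": 52.37, "lon": 4.90, "time": "2013-09-24T10:00:00"}
    nyc = dict(ams, lat=40.71, lon=-74.01, time="2013-09-24T10:30:00")
    print(check_card_transactions(ams, nyc))
    print(check_fx_rate(1.41, "fx-risk-owner"))
    print(check_defect_rate(6, 100, "plant-owner"))
    sod = check_sod([("alice", "create_vendor", "V-100"), ("alice", "approve_payment", "V-100")], "control-owner")
    if sod:
        sod[1].set_status("in_progress", "control-owner", "2013-09-24T11:00:00")
        print(sod[0], sod[1], sep="\n")
```

The point of the structure is that detection and response are separated: each check returns a record or nothing, so the same workflow can assign it, track it, and log status changes regardless of which layer produced the event.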
At the end, the four layers must be working in close cooperation with each other, preferably on one Agility platform.
Don’t think that you are the only one struggling with a gap between strategy and operations, or in other words between the (changing) Business Model and IT operations. In the area of GRC we faced many challenges which can be solved by the Agility layer. Think about how to organize continuously changing regulatory requirements that impact operational processes and IT. Or the new risks of social media (read my blog about social media risks), like employees blogging in the media about events and incidents in the company. Or questions about what the impact of cloud will be on our security policy: do we need to organize ourselves in a more detective rather than preventive way (read my blog about security trends)? These kinds of questions make the development of GRC use cases an interesting new challenge for companies and vendors. Sharing best practices is key. Don’t hesitate to contact us and our partners in the GRC eco-system to talk about lessons learned and success stories. Hope to meet you soon!
Complimentary copies of Gartner’s report are available at www.softwareag.com/recognition.
* Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms, published September 24th 2013, by French Caldwell and John A. Wheeler