The modern enterprise landscape, complete with ever-increasing security threats, bad actors, and data complexities, requires advanced access control and risk management functionality.

One of our senior-level SAP Security consultants was on the design team that paved the way for today’s GRC framework by assessing critical risks, identifying areas of improvement, considering acquisitions, and creating a product that could handle everything in the same place.

This consultant was initially brought on as an auditor to ensure the new SAP GRC product met SOX audit requirements, offering critical insight for early adopters to understand the need for a standardized security product and collaborating with clients to establish core product usability.

This article sheds light on the role our consultant played in designing the SAP GRC product and what the journey to the advanced SAP Security landscape has looked like over the years.

The Initial Idea

When the Sarbanes-Oxley Act, or SOX, was passed in 2002, large enterprise organizations were on the hunt for better data security and stronger internal controls to provide assurance to key stakeholders and employees and reduce risks associated with unauthorized access.

At this time, each of the “Big Four” organizations had its own way of monitoring business processes and maintaining regulatory compliance, typically employing an intelligent tool called ACE to extract data from client applications, run business logic to evaluate related risks and protect existing systems from bad actors.

Organizations of all sizes and sectors had access to already developed databases and matrices to manage their data within their existing organizational systems. Still, they were looking for a standard solution that provided an easy, effective way to identify user access issues and manage risk across their systems. These organizations were essentially aiming to mimic what some of the larger organizations were doing on the identity and access management front by creating a new application that enabled users to monitor risks, create audit reports, and control change.

Once SAP got wind of smaller organizations and other SAP clients in need of an effective governance risk and compliance solution to mitigate risks and protect their SAP systems, they began the charge to a modern, secure user access management landscape.

The Development Process

In the early days of advanced security and risk management strategies, companies were reliant on two main solutions: ACE for larger enterprise organizations with access to a wealth of resources and Versa for other organizations looking to enhance their access control guidelines.

SAP was behind on key data protection and compliance management solutions and needed to make a change before key clients and stakeholders began to explore the greener grass on the other side of the enterprise environment.

At this point, SAP had the right resources and connections to employ best-in-class developers, engineers, designers, and product managers to initiate the beginning of a new era in security, risk, and compliance management. Their first step? Acquire and bundle two existing security products (Versa and BusinessObjects) to accelerate time to value and keep existing clients loyal to SAP solutions.

After assessing critical business risks and recruiting talent whose experience spans the complete risk, compliance, and access management lifecycle, SAP had all the tools to create a functional, reliable solution that clients could trust.

SAP’s initial GRC module offered a single solution that combined the following features and capabilities:

  • Application Release Automation (ARA)
  • Privilege management
  • Role management
  • User provisioning
  • Access request management
  • Centralization for user experience
  • Vendor access reports
  • Corporate governance and compliance requirements

The Key Features of the Initial GRC Framework

When it came to building a solution that clients could trust to protect their critical data in the face of rising user accessibility concerns, SAP needed to do it right the first time.

No backtracks, no redos, no lost time, effort, or money.

Through extensive research and a mindset of continuous change, SAP created a robust Governance Risk and Compliance suite of applications, each with their own role in the bigger production. SAP’s GRC strategy, complete with intelligent modules built for one role, empowered users to take control of their own SAP systems, outlining risk management activities and protecting sensitive data from internal and external threats.

Here’s a closer look at how the SAP GRC development team decided on and built each module:

ARA Module

As the first module created for SAP’s Governance Risk and Compliance suite, the Application Release Automation (ARA) module required precision, agility, and integration. The ARA module set the stage for what was to come in the future of software development, coding, testing, deployment, and security, offering a reliable foundation to manage user access and protect clients from potential risks.

Built-in ARA functionality allowed software development teams for existing SAP clients to leverage version control utilities to improve programming collaboration and connection across various workstations. With a new, fully integrated ARA solution, SAP clients could access intelligent tools for risk assessment and access governance, including:

  • Application release scheduling
  • Dashboard analytics and reporting
  • Version control for development strategy
  • Sandbox-based code testing
  • Versioning and artifact management
  • Automated code testing

Process Control Module

While the O.G. Application Release Automation module was a step in the right direction, there was still more work to be done across both the access control and audit management process. The SAP Process Control solution was created to further simplify the creation of new controls, execute each control, and maintain accountability for all critical controls.

With intelligent dashboard and workflow functionality in the Process Control module, clients could now outline controls for multiple processes and build different regulations into each process, allowing for further access segmentation based on user roles and permissions.

By offering greater visibility into key considerations like how to mask data or who can review certain sources, the Process Control product enables better connection across all business operations related to security and compliance and improves accountability for each designated control.

Audit Module

Once a solid foundation was built for the SAP GRC landscape, developers could dig a little deeper into process controls, financial reporting strategies, and the overall audit process. The SAP Audit Management module was created to automate various components of the audit process, allowing organizations to accelerate auditing and ensure regulatory compliance requirements are met.

With a comprehensive solution for audit management and control processes, companies can ensure even their most novice employees will only have access to appropriate data. The solution provides intuitive auditing and records management features that enable users to access information, generate audits, collect evidence, and manage risk — all from one location.

Fraud Detection and Management Module

In its effort to continue improving internal controls and driving more effective risk management, SAP trudged along the GRC pipeline, eventually creating intelligent fraud detection and management software housed in the existing landscape.

By creating SAP Fraud Management software, SAP marked its territory in the enterprise security realm, enabling users to identify risks, analyze heat maps for at-risk areas, and utilize industry benchmarks to compare risk with other companies and vendors.

The new Fraud Management solution enabled SAP clients to:

  • Develop and analyze heat maps for elevated risk areas
  • Identify vendors on the blacklist for fraud risk
  • Analyze and monitor risks in certain process areas
  • Manage processes across at-risk levels (i.e., warehouse, supplier, etc.)
  • Leverage industry benchmarks to compare risk with other vendors and clients

The Role of Integrations and Acquisitions in a Strong Foundation

Throughout the SAP GRC lifecycle, members of the design team had to make decisions on their feet, choosing which modules, integrations, and acquisitions made the most sense for the future of the application.

Here’s a look into how connections with two enterprise solutions helped extend security, compliance, and risk management initiatives for critical SAP solutions:


Versa was initially created by two developers working as independent contractors for larger enterprise organizations, providing the intuitive functionality needed to evaluate access risks and monitor internal controls in-house.

Before SAP created its own Governance Risk and Compliance management solution, key stakeholders discovered that existing SAP clients were buying the Versa application to handle their compliance and policy management needs.

To keep clients dedicated to the SAP brand, they decided to combine the power of existing Versa and BusinessObjects solutions in a single competency center and build a next-generation access control application that would be too good to pass up.

Once SAP acquired both Versa and BusinessObject, developers built functional SAP Risk Management, SAP Audit Management, and SAP Access Control modules based on a pre-defined security foundation to establish themselves as a leading provider of enterprise security software.


Later in the SAP GRC development process, SAP realized users were missing out on enterprise connectivity opportunities by not offering solutions that integrated with both SAP and non-SAP systems.

Greenlight, an existing enterprise security solution that enables organizations to transcend integrations with only SAP applications, promoted enterprise connection and allowed for the branching of SAP Security products to non-SAP systems in a big way.

SAP bought Greenlight software in an attempt to further expand its reach into the enterprise landscape, offering a complete solution that allows clients to build stronger enterprise connections, create APIs on the fly, expand footprints beyond the GRC application, and enhance security for core business processes across systems.

The Future of SAP GRC

It’s no secret that SAP GRC applications have proven their worth in the enterprise landscape for many years now, and there’s no sign of that impact losing its fire anytime soon.

The comprehensive suite of SAP Audit Management, SAP Process Control, SAP Identity and Access Management, SAP Enterprise Threat Detection, and other critical data security modules has paved the way for enterprise security well into the next fifty years. These solutions are designed to collect information from clients, present it in a way that makes sense to human users, allow clients to understand the roles and responsibilities of each user, and maintain SoD balance across internal teams.

And while the GRC landscape has come a long way since its inception in 2002, cybersecurity threats are consistently on the rise, and enterprise responsibilities are ever-changing, requiring an intelligent, agile solution to keep up and ensure critical data remains protected, no matter what.

The Power of Connection

Whether you’re brand new to the SAP landscape or you’ve been involved in the continuous evolution of SAP’s innovative frontier for quite a while now, additional support from subject matter experts can never hurt, right?

Our team of senior-level SAP consultants (like the one involved in designing GRC) has the extensive knowledge, skills, and real-world experience to understand your critical project needs, outline effective action plans, and prepare your organization for long-term success.

Contact Us

Contact us today for more information about the SAP GRC suite of applications or our SAP consulting services.