You may have seen an important announcement from CA Technologies and SAP today, which can be found here.

An analyst reaction to this announcement from Michael Rasmussen of Corporate Integrity can be found here.   

Michael is one of the most respected analysts in GRC, so his opinion often carries a significant amount of weight among organizations that are considering or deploying GRC solutions.

This is an interesting and important announcement, so I thought it might be useful to provide some context around this news.

The GRC market has been evolving for several years now. Despite some initial over-hype of the market, it has continued to grow and GRC solutions (of different types) have proven to provide significant value to enterprises who have adopted them.  But, as the market has matured, there has remained a separation of capabilities of products that focus on business GRC, and those that are targeted at IT GRC.  For example, organizations have formal business processes around Procure-to-Pay or Order-to-Cash that are used to run their business. But, in many cases, the IT processes that support these business processes are separate and there is relatively little centralization of information or commonality of activities.  As a result, there is often duplicated effort and increased inefficiencies because the GRC efforts underlying both the IT and business processes are not synchronized.  But, possibly even worse, the lack of a unified view across both business and IT processes makes it hard to get timely and accurate risk and compliance information, often resulting in sub-optimal decision-making.

Another factor playing into this announcement was our belief that the area of business GRC was going to be gradually absorbed and dominated by the large business application vendors, such as SAP.  Given that the expertise, experience, and product suites from CA Technologies are focused on IT management and security, we determined a focused IT GRC effort was the best alignment to our overall corporate strategy. These factors led us to the obvious conclusion that the best approach for our customers would be to work with a leader in the area of business application software, with particular strength in business GRC.  The obvious and best candidate for this is SAP, which is why we are making this announcement today.

The reasoning and benefits behind this announcement are compelling.  CA Technologies is a leader in the area of security and IT management.  Our expertise is in managing IT and automating security controls, and helping our customers reduce risk and simplify compliance.  SAP is the world leader in business applications that enable the key business processes of many of the largest companies in the world.  Our announced plans are to integrate some of the security controls from CA Technologies with the SAP GRC solution to help bridge the "silos" that exist between business and IT GRC processes and information.  Our belief is that this will help improve the quality of GRC information, and enable resources to be used more effectively.  And, in the end, it will allow for faster response to changing business conditions, which is a critical need for virtually all organizations.