All the challenges of risk management, compliance and governance in business. This article presents the tools and best practices for implementing an effective GRC strategy. Optimize your business management and strengthen regulatory compliance with our practical guide.

28/03/2022

What is GRC (Governance, Risk Management and Compliance)?

10 minute read


Governance Risk Compliance

It may not ring a bell, but the term was coined in the early 2000s and is now unavoidable in the business world, particularly in the SAP ecosystem.

Think of Enron, the American energy company that went bankrupt in 2001 after speculative operations and a massive distortion of its accounts.

Would it have ended that way if the company had had a complete GRC approach? No one can know. Nevertheless, it would have changed the destiny of this large company.

Today, in a changing environment shaped by the boom in modern technologies and innovations, companies must reorganize, anticipate possible risks, and comply with current regulations.

The GRC application within your SAP ERP is the ideal management solution to help you face these challenges.

What is Behind the Acronym GRC?

GRC is part of business management. It refers to three specific ideas:

G as Governance

Governance is the set of tools implemented to lead and control your organization and its infrastructure, such as an ERP like SAP. Efficient governance involves controlling and coordinating resources and empowering employees.

R as Risk

There are always unpredictable actions or events that might delay or prevent you from reaching your goals. For a long time, the most important risks were financial ones (e.g. fraud or misappropriation of funds).

Nowadays we must add all the risks linked to cybersecurity and malicious attacks over the internet. It is therefore very important to have a complete and efficient risk management program.

C as Compliance

Are you currently working in a start-up? An SME? A large company? It doesn't matter: you have to be aware of the regulations in place.

Moreover, in recent years investors have put a lot of pressure on companies to make internal controls more regular and efficient, in order to improve stakeholder confidence. Otherwise, you could be exposed to sanctions such as substantial fines.

Thus, GRC is the general term for all the measures and processes that help companies meet their control objectives, identify possible risks and correct them, while respecting applicable laws and rules.

How Does GRC Work?

GRC is based on controls and audit logic. It can take various forms, such as supervision of daily operations, processes, or complete dashboards. Software can provide a complete GRC Access Control solution.

In theory, every solution should supply a detailed report on the compliance process, thanks to a real-time risk map. Analyzing this map gives decision-makers many options and ensures better productivity for the company.

How can you Implement a GRC Solution in Three Steps?

STEP 1

Even if you don't know it yet, your company is already aligned with some GRC framework. However, that framework may operate haphazardly across many software tools, with dashboards that don't even integrate. The first step is to get a clear picture of what you have.

Then, think about your targets and requirements to bring to light the business processes most exposed to risks and compliance issues. The only way for your decision makers to choose the appropriate GRC approach in the SAP ERP for your company is an evaluation of deficiencies and security gaps.


STEP 2

The process can take a long time and can be expensive. Despite that, it is a long-term investment. An efficient GRC solution adapted to your company will help your employees and managers focus more on the development and productivity of the company.

VASPP offers certified solutions that improve the use of your current SAP GRC Access Control tool.

STEP 3

Once you have selected your GRC solution and identified your security roadmap (e.g. SAP GRC Access Control, one of the most popular tools today), all that remains is to implement it within your company. This involves:

  • Integration with your existing workflow and tools, your various SAP applications as well as your non-SAP solutions, whether on-premise or cloud applications.
  • Integration and adaptation of an SAP risk model according to the global organization, business units, and business processes rolled out across your business model, including the roles and responsibilities needed to build your risk map and classification.
  • Monitoring and evaluation of performance. It has to be effective whatever the conditions.

What is the Secret to Success for a GRC Approach?

To prioritize the risks

Risk management and evaluation are mandatory. You will always have some potential threats; a company can't eliminate them all. Good prioritization allows you to understand better what you have to do (separation of duties, sensitive access tracking, workflow activation) and also to demonstrate the impact of every risk on the organization.

Confidence in the executive

This ranking should be shared with decision-makers to ensure optimal investment from all stakeholders. It triggers the decision process to identify what you have to protect and where to free up resources.

Thus, the relationship between decision-makers and the other members of the organization must be lasting and based on trust. Leadership is one of the keys to successful change. It includes the following actions:

  • Design: a risk identification roadmap covering each business unit and business process
  • Implementation: risk management and an aligned SoD matrix
  • Exceptions: a GRC framework for privileged access rights and authorizations
  • Action plan: a remediation process for each identified risk
  • Onboarding: identity management via a hierarchical validation flow

Implementing a tailored GRC
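As an added example (not VASPP's or SAP's code), here is the SoD matrix logic behind the risk prioritization described above: a constructed rule set of conflicting business functions and critical actions is applied to invented users and roles, and the result is a list of access risks ranked by severity, plus a count of affected users per risk.

```python
"""Added example (not VASPP's or SAP's code): minimal SoD risk analysis over a
constructed, SAP-style authorization model (users -> roles -> functions)."""
from collections import defaultdict

# Constructed sample data. Role names and function IDs are invented.
USER_ROLES = {
    "jdoe": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],
    "asmith": ["Z_AP_CLERK"],
    "emergency01": ["Z_FIREFIGHTER"],
}
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"AP01"},        # post vendor invoices and payments
    "Z_VENDOR_MASTER": {"VM01"},   # create or change vendor master data
    "Z_FIREFIGHTER": {"BS01"},     # broad basis access (sensitive action)
}
# Rule set: an SoD risk is a pair of functions one person must not hold together;
# a critical-action risk is a single sensitive function. Each has a risk level.
SOD_RULES = [("P001", "VM01", "AP01", "High", "Maintain vendor and pay vendor")]
CRITICAL_ACTION_RULES = [("B001", "BS01", "Critical", "Broad basis access")]
LEVEL_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def user_functions(user):
    """Union of all functions reachable through the user's assigned roles."""
    funcs = set()
    for role in USER_ROLES.get(user, []):
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def analyze(users=USER_ROLES):
    """Return findings as (user, risk_id, level, description), most severe first."""
    findings = []
    for user in users:
        funcs = user_functions(user)
        for risk_id, f1, f2, level, desc in SOD_RULES:
            if f1 in funcs and f2 in funcs:
                findings.append((user, risk_id, level, desc))
        for risk_id, func, level, desc in CRITICAL_ACTION_RULES:
            if func in funcs:
                findings.append((user, risk_id, level, desc))
    return sorted(findings, key=lambda f: (LEVEL_ORDER[f[2]], f[0]))


def impact_by_risk(findings):
    """Number of affected users per risk, to show which rule hits the organization hardest."""
    counts = defaultdict(int)
    for _, risk_id, _, _ in findings:
        counts[risk_id] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, risk_id, level, desc in analyze():
        print(f"{level:9} {risk_id} {user:12} {desc}")
```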

Who is Concerned by GRC?

The answer is simple: everybody can take part in a successful adoption of GRC. Governance, risk and compliance elements spread from the top level of the organization down to departments and work teams.

Board members are not responsible for addressing every detail of risk management; however, high-level tracking of risk management must be a critical part of their key indicators. SoD monitoring should be part of it, as well as control of global risks and process compliance.

We could classify companies according to three levels of maturity:

  • Reactive: standard processes are non-existent, and issues are poorly managed when they happen. Operational risks are not correctly addressed, and responses are neither documented nor acted upon.
  • Controlled: data and risk analysis and treatment are carried out, and some SAP GRC tools are implemented to manage possible issues.
  • Preventive: the evaluation is complete, eases risk identification, and anticipates security breaches because automated business rules are implemented.

Nowadays, most companies fall into the first two maturity levels: either they work only with manual processes and correct issues when they appear, or they rely on the assistance of tools like SAP GRC Access Control.

Only a few companies have rolled out a preventive approach with deep, complete automated rules using GRC Process Control and Risk Management tools.

In terms of SAP access control and cybersecurity management for cloud access (SaaS), several gaps remain to be filled to cover this type of access right and authorization.

Regardless of the size of your company, active GRC practice is compulsory. Obviously, it won't look the same in a small company and in a very large enterprise.

Thus, according to a 2009 study published by the French anti-corruption agency (in La fonction conformité anticorruption dans l'entreprise), 72% of CAC 40 companies had created a compliance function within their organization.

Some are totally independent, whereas others are attached to the risk department and internal control. This trend highlights an evolution toward greater maturity in the company.

In smaller companies, it is most often the legal department that is in charge of compliance, and sometimes even the financial department. But this can have drawbacks, as these people are not used to interacting with other departments (internal control, human resources, IT, ...).

VASPP GRC analysis and dashboards

What are the Main GRC Certifications and Regulations?

Considered the central element of a company today, GRC takes different forms. Nevertheless, it needs to respect certain rules, and it can be optimized.

To understand the process better, we advise obtaining one of the various certifications. We are going to help you get a clearer picture of the existing options.

What are the Best Certifications and Who Can Pass Them?

There are all kinds of certifications on the market. Each has its own characteristics. Here is our list of five certifications:

CRISC: Certified in Risk and Information Systems Control. You will improve your GRC skills with a specialization in cyber risks. It is a 3-hour exam with 150 questions in 4 areas: risk identification, risk evaluation, risk mitigation, and reporting.

ITIL: IT Infrastructure Library. It helps develop all the concepts around IT service management, major process identification, and new technology management. To obtain it, you will have to pass all levels (ITIL Foundation, ITIL Expert, ITIL Master...).

CGEIT: Certified in the Governance of Enterprise IT. Mainly aimed at new technology managers, it deals with the governance of a company's new technologies and their alignment with the company's needs and goals. It covers 4 main areas: IT service governance, IT resources, benefit realization, and risk optimization.

GRCP: GRC Professional. It is offered by the non-profit organization OCEG to help you understand the basics of the GRC process and acquire the skills you need to integrate governance, internal control, and performance evaluation.

CRMA: Certification in Risk Management Assurance. It recognizes those involved in risk management and assurance, governance and control self-assessment, and thus positions them as trusted advisors to senior management. This is a two-part exam: 125 questions on the basics of internal auditing (2.5 hours), and 100 questions on auditing practices.

These certifications are aimed at all IT professionals, security specialists, business analysts and, of course, compliance officers. Some may only interest one specific position, such as the CRMA for risk managers.

The GRC Regulations

Until the beginning of the 1990s, GRC wasn't really recognized in law. The first two internal control reference frameworks came from the United States. Thus, COSO (Committee Of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technology), created in 1992 and 1993 respectively, were the first true frameworks for internal control and its audit evaluation.

Finally, in France, major financial scandals in the 2000s led to the creation of one institution and the passing of two laws that still govern GRC today:

  • The French financial security law (LSF), published in the official journal nᵒ 177 (August 2, 2003). It brought a real national legal policy on the control and monitoring of financial flow processes. It emphasizes the involvement and responsibilities of those concerned, with significant financial penalties in case of serious infringement.
  • The French financial market regulator (Autorité des marchés financiers) governs all financial products and players to ensure the proper operation of the market. It also handles penalties when regulations and laws are broken.
  • The "Sapin 2" law: the 2017 French law on transparency, the fight against corruption and bribery, and the modernization of economic life. Companies must create a corruption risk map and set up a whistleblowing channel for employees, without forgetting transparency in business decisions.

Our VASPP Experts Help You Implement a Tailored SAP GRC Solution

At VASPP, we do everything we can to assist and support your company in implementing GRC solutions aligned with your risk and control needs.

Accelerate Employee Onboarding and Risk Management with GRC Access Enforced

Our GRC add-ons for SAP GRC Access Control offer practical, efficient, and optimized solutions for access management and risk analysis, making work easier for end users and GRC managers while improving the security and governance of your company.

These add-ons include features such as access request management, SoD risk analysis, detailed documentation for each risk with fraud scenario and control objective, validation of privileged access, and more.

To learn more, visit our dedicated page for GRC Access Enforced.

GRC Smart Analytics, the Ideal Solution for a Detailed View of All Your Risks

Our solution provides a comprehensive and detailed view of the risks and best security practices within the company. It provides dashboards and audit reports to help companies better understand and analyze risks. It also allows for accurate monitoring of SoD risks and efficient management of permissions granted to users.

In addition, it provides clear and transparent tracking of access requests as well as emergency activities carried out via FireFighter.

Find out more about our GRC Smart Analytics solution.
