About SAP GRC – Behind The Scenes


Important: this is a behind-the-scenes document about SAP GRC that is based mainly on experience and customer comments. Its purpose is to give a quick introduction to SAP GRC for Xpandion customers.


Introduction – Where did SAP GRC come from?

Like a couple of other products in the SAP world of applications, SAP GRC came to SAP through an acquisition: SAP bought a company named Virsa Systems back in 2006 (see here: SAP Launches Governance, Risk and Compliance Management Business Unit to Lead New, Emerging Market). In those days, the hype over financial regulations for Governance, Risk and Compliance (GRC) was just beginning. SAP identified this trend and couldn’t leave the scene without its own product, so it bought Virsa Systems. The name of the product was changed to “SAP GRC” to reflect its target market. The name change was also a really clever move from a marketing point of view, because from then on, when people search for a solution to comply with GRC regulations in the SAP world, they type “SAP GRC” in Google and are sent directly to SAP’s product page as the first result.


From its earliest days, SAP GRC was sold not as part of the standard ERP system but as an external product. It was priced very high based on the number of users, and then the price model changed to focus mainly on the client’s revenues. Today, SAP still prices SAP GRC very high compared to competing products, although we have witnessed cases where SAP has suggested that customers get SAP GRC licenses free of charge (but the implementation is still not free and in fact can become very expensive). The free offer depends on the customer’s size, location and the strength of competition in this area.

Interesting fact: Some clients still call their SAP GRC software “Virsa” although it changed names to “SAP GRC” eight (8) years ago!


Implementing SAP GRC

Implementing SAP GRC is said to be long and relatively complex, like other high-end enterprise software products. This is understandable, though, as SAP GRC mainly targets large enterprises with many different tailored business processes, and the product needs to be compatible with them all. From talking with SAP customers, we discovered that they find the implementation of SAP GRC as complex as that of any other SAP product, and 1-2 years of implementation doesn’t seem odd to most of them.

If you’re going to implement SAP GRC, our findings show that the best five pieces of advice for you are:

  1. Prepare your implementation well – Choose an external consulting firm to assist you in the implementation of SAP GRC, and focus on those that have already succeeded in such implementations. The first step in succeeding in SAP GRC is knowing that implementing SAP GRC is not a simple task.
  2. Get Management Support – SAP GRC is probably the most complex and thorough software in the GRC area within the SAP environment. Therefore, it is not surprising that some SAP GRC projects do not end successfully. We have witnessed that the more decisive the customer is, the more likely they are to achieve a successful implementation, and the better the chance of finishing the project.
  3. Define small goals – Most successful customers define small goals and a plan for achieving them. When organizations insist on going in the opposite direction, to define broad goals with a lot of sub-projects, their chance of having a successful project on time and on budget is significantly lower.
  4. Focus on compliance – Remember that SAP GRC is all about compliance, so don’t load other tasks onto it, such as maintaining authorizations. Most successful customers that run SAP GRC take an even narrower approach and implement only part of the full suite – access control. The more focused you are, the better your chances of success.
  5. Don’t forget Licensing – And we’re referring to SAP GRC licensing itself. Remember that SAP GRC licensing is based on named users, software engines and sometimes even more parameters. Be aware of this when closing the contract for SAP GRC, and don’t forget to also evaluate the required future maintenance fees at the closing stage.

SAP GRC is not the only way to maintain compliance. Contact us to find out about Xpandion’s unique tool that easily identifies and solves GRC violations.


Competition in the SAP GRC environment

Over the years, the need to comply with financial regulations and the need to prevent leakage of sensitive information that can lead to fraud and other risks have driven more companies to search for solutions in the GRC area. Some companies demand more cost-effective solutions than SAP GRC, and some require solutions with more features, such as multi-system monitoring and solving conflicts rather than just discovering them. In this ecosystem, SAP GRC faces competition from SAP-focused solution vendors such as SecurityWeaver, or Xpandion with its multi-platform GRC tool, ProfileTailor Dynamics GRC, which can advise about the best way to solve conflicts.

Do you want to hear more about Xpandion’s effective GRC tool? Contact us now!
