On March 6th and 7th, TAC Insights and SAP brought together the SAP for Internal Controls, Compliance and Risk Management and the SAP for Cyber Security and Data Protection events under one roof in Brussels and into one single event under the theme RISE with SAP GRC.

We were very fortunate to have many customers join us to share their stories on enterprise risk management, control automation, cross-application segregation of duty risk management, security monitoring, and much more.

In today’s blog, I wanted to get exclusive insights from the keynote speakers and the conference chairs on what they heard during this conference and their perspective.

I thought I would start with Marie-Luise Wagener-Kirchner and Vishal Verma – who delivered the opening keynote. Marie-Luise was also co-chair on the internal control, compliance, and risk management track.

Thomas: During your keynote, you shared SAP’s key focus areas for the next 18-24 months. What would you say were the roadmap items that resonated the most with the audience?

Marie-Luise: I believe the fact that we are here to stay and continuously invest into our solutions. Highlighting recent innovations as well as outlining the exciting use cases we are planning to deliver together with an outlook on our GRC 2026 release where we plan to further harmonize our GRC solution portfolio.

Vishal:  Clarity on “RISE with SAP” program that takes enterprises on a transformation journey that’s tailored exactly to their needs, and how SAP Solutions for GRC fits well with it. Audience also liked the way forward for SAP Identity Services and planned collaboration with Microsoft Entra.

Since we finished the first day with a live demo illustrating how SAP systems are targeted by passionate hackers (with the help of Google!), I thought I would ask Vincent Doux, chair of the cyber security and data protection track about what concerns companies the most and what they are doing to protect their landscape.

Thomas: Presenters all highlighted the increasing number of attacks they are experiencing on all IT systems. But from what you have heard during the event, would you say that the level of attack sophistication has increased or is it relatively similar vectors and patterns year over year?

 Vincent: Right from the live demonstration on how SAP systems can be targeted by hackers with relative ease, it has been a real eye-opener about the level of sophistication in cyberattacks today. Existing SAP security measures play a crucial role in defending against common vulnerabilities and exposure patterns. However, the complexity and expertise in these attacks, unfortunately, are seeing a significant increase. Our customers' testimonials, be it BP, SANOFI, or GSK, strongly seconded this sentiment. They brought diverse perspectives on the challenges they've faced and how SAP's GRC & Security solutions have been instrumental in their defense strategy. One major observation across all testimonies was the need for a robust customized security strategy. Leveraging SAP's security solutions, they could maintain their competitive edge by preventing security incidents, ensuring data protection, and system integrity. The goal has always been to make sure that we're not just reactive but proactive. As our event theme suggests – RISE with SAP GRC, the emphasis is on staying ahead, innovatively addressing evolving threat vectors, and continuously improving the robustness of the security processes. Our job is to anticipate, adapt, and ensure that SAP security framework evolves faster than the threat landscape.

Thomas: From what organizations have shared on stage and your breakout discussion, what are companies concentrating on to protect against these threats?

Vincent: From the discussions, it is clear that our client organizations are focusing on three crucial areas.  First is strengthening their internal controls and compliance through tools like SAP's GRC 3 Lines of Defense platform. Second, they are actively identifying and addressing vulnerabilities for proactive threat management in the SAP application layer and not only in the IT infrastructure. And lastly, they are creating a security-aware culture through regular trainings and simulations to involve not only IT population but also the business users. These concerted efforts ensure that they are well-prepared to combat any cybersecurity threats.

Michael Rasmussen shared an insightful session on the future of GRC with Business-Integrated GRC, “the next generation of GRC technology with a view focused on performance” and where “GRC becomes an integrated part of the business management platform”. In my opinion, a perfect topic to discuss with the 2 co-chairs of the internal controls, compliance, and risk management track – Marie-Luise Wagener-Kirchner and Michael Heckner!

Thomas: Within Business-Integrated GRC, Michael Rasmussen – GRC Analyst & Pundit at GRC 20/20 Research, mentioned Artificial Intelligence to enhance GRC capabilities but also cited the rising importance of environmental, social and governance (ESG) as key considerations. From what you have heard from customers, is work already ongoing to address these matters or are we still at the investigation and discovery phase?

Marie-Luise: While our customers heavily invest in smartness and automation, ESG is still closely monitored also with regards to upcoming requirements. Our customers have shared interesting use cases for Robotic Process Automation (RPA) and how they have built in internal controls to ensure stabilized business processes, they also shared insights in their reporting dashboards to foster clever decision making as well as their continued investments into smart automated controls.

Michael: I do see an interest in both, AI and ESG. Most of our customers, and at all levels, are currently enquiring about getting help from AI for various risk and compliance tasks. AI clearly is currently at the top of its hype cycle. What is often overlooked is that the repetitive, mundane, manual GRC tasks can already today be automated with advanced GRC platforms like SAP GRC towards continuous monitoring. Taking the human labour – and human error – out of the equation. AI will certainly add another level to it, but the available capabilities are not yet fully utilized.
ESG is a different story. Here the ESG-focused specialists of course see the common requirements between traditional GRC processes and ESG processes. Both ESG and GRC processes aim to ensure that organizations operate in a responsible and sustainable manner. They both involve assessing and managing risks, complying with regulations and standards, and monitoring performance. Additionally, both ESG and GRC processes require organizations to establish robust governance structures and frameworks to effectively manage and report on their activities. By integrating ESG and GRC processes, organizations can enhance their overall sustainability, risk management, and compliance efforts, leading to improved long-term performance and stakeholder trust.

Finally, in his closing keynote “A Future Beyond Comprehension”, Chris Johnston - Head of Finance and Risk Customer Solution Advisory EMEA-North at SAP, gave us a lot of reasons to hope for a very exciting future powered by AI. I therefore wanted to finish this blog on a similar positive mindset and asked the colleagues for a few words on their expectations for top GRC advances in the years to come.

Thomas: What technological progress do you think we can expect for GRC in the years to come?

Marie-Luise: Integration, smartness, and automation. Customer landscapes will remain and even become more heterogenous and technically challenging, thus requiring integration to achieve and sustain a holistic overview of business risks and their mitigations. Smartness with the different flavours of AI will be accompanied by automation to reduce complex manual tasks and to support the end-users in their daily work.

Vincent: In the future, we can expect generative AI and machine learning to revolutionize the GRC landscape with advancements in risk detection and automated compliance. Additionally, we’ll see more integration between GRC solutions and business processes for a unified view. Plus, as ESG considerations become prioritized, companies will leverage technology to effectively manage these. Overall, GRC is poised to become more efficient, integrated, and responsive to social responsibility.

Michael: I do see an increasing adoption of emerging technologies ranging from robotic process automation and continuous monitoring all the way to applying artificial intelligence. These technologies will enable more efficient and effective risk assessment, compliance monitoring, and governance processes.
While this will provide enhanced risk intelligence, we will also need to keep a close watch on emerging risks, esp. with new technologies like AI.
Overall, new technologies like AI will help to identify patterns, detect anomalies, and provide real-time insights in an unprecedented way.

If you attended the conference, I would be very interested in reading your comments either in this blog or on Twitter @TFrenehard

And it you couldn’t attend in 2024, I hope that you will consider joining us next year!

If you are interested in learning more about SAP solutions for Governance, Risk, and Compliance, feel free to fill-in the demo request form!