Michael Rasmussen, a risk management and compliance analyst with Cambridge, Mass.-based Forrester Research, says that Oracle still needs to articulate its overall compliance message to customers. Meanwhile, he says, SAP is showing a definite commitment to doing just that with its recent acquisition of Virsa Systems.
In this SearchOracle.com interview, Rasmussen explains where he thinks SAP and Oracle are succeeding -- and failing -- in the area of compliance.
What do you think of Oracle's overall compliance strategy?
Michael Rasmussen: Oracle in my mind doesn't have a great compliance strategy. They've got some pieces of the puzzle but they really haven't knitted it together into an overall compliance architecture very well. I think they've started to go down that road but they haven't [completed the task] yet.
Which "pieces of the puzzle" are missing from Oracle's strategy?
Rasmussen: Oracle has got a lot of building components for compliance. [With compliance] there's a median requirement. There are pieces to the puzzle that you need to implement from a technology infrastructure point of view to be compliant with the law. But then there are also solutions to help you document and manage compliance. Oracle has got pieces of both. They've got encryption features of their databases to meet certain privacy and mandatory disclosure laws. They have identity solutions to meet identity and access management requirements. But they don't have much on the compliance management side to help you document and manage compliance. They've got components in some of their content and workflow-type cases, but they don't have an overall software platform for documenting and managing compliance.
What does Oracle need to do to be more effective in regards to compliance?
Rasmussen: They need to finish their messaging and really be able to promote with some white papers the different solutions that they're selling to different types of [industry] verticals. [The messaging should] address compliance across the Oracle solution set. More specifically, they need to go beyond just having some technology that is appropriate and applicable to compliance to building compliance-specific applications. The competitors are starting to go that way. SAP is quickly trying to build what I call a GRC (governance, risk and compliance) message with their acquisition of Virsa recently. SAP is quickly trying to build out a broader compliance application -- something that Oracle doesn't have today.
Is SAP ahead of Oracle with regard to compliance initiatives, and what else is SAP doing right or wrong in this arena?
Rasmussen: Yes. [SAP is ahead of Oracle, but] SAP has things that they need to work on too. Their MIC [SAP Management of Internal Controls] platform has been very weak. It hasn't been able to get a lot of market share. So they need to really expand their documentation-type controls. SAP's acquisition of Virsa shows a definite commitment to the GRC space, specifically around the automated controls and business rules pieces too, which enforce compliance rules within SAP applications.
What other trends do you see taking shape in the compliance market today?
Rasmussen: All of the ERP vendors are really starting to take a look at this [GRC] space as well as business process management (BPM). Historically, a lot of the compliance management space has been very focused on content management. It's now moving to BPM in ERP areas. There is starting to be more growth among the ERP vendors. And SAP definitely in my mind has the lead on Oracle in developing a very comprehensive strategy for GRC.