But as in other areas in the business applications market where the two companies continually go head-to-head, Oracle is facing a stiff competitor: SAP.
Oracle announced March 5 the release of a new Governance, Risk and Compliance Application Suite that brings together functionality from Stellent, a company Oracle acquired WHEN, with compliance capabilities from the Oracle E-Business Suite and PeopleSoft Enterprise Suite.
What Stellent brings to the table is content management capabilities that help companies to manage compliance initiatives in heterogeneous environments.
The Stellent GRC framework manages risk and compliance across a company by creating a centralized hub of risk and compliance documentation, assessments, analyses and loss information from related parts of the business, according to Oracles Web site.
That capability is added to the compliance pieces already inherent in the Oracle EBS and PeopleSoft, which offer basic compliance applications.
The new GRC Application Suite from Oracle has three distinct components: infrastructure, a GRC process layer and a GRC intelligence layer.
The infrastructure layer includes security technologies that cover identity management, data encryption and label-based security.
It also manages enterprise change management, consolidated data audits and content and record management that categorizes and stores GRC information.
The process layer has been broadened to work across heterogeneous environments—meaning Oracle users can integrate controls for the E-Business Suite as well as the suites Oracle has acquired: PeopleSoft, JD Edwards and Siebel CRM.
This layer also tracks mandates across all geographies, particularly those vertical industries that are heavily regulated, including financial services, life sciences, manufacturing and the federal government, according to Folia Grace, Oracles vice president of application marketing.
"Each mandate is like meta data," said Grace, in Redwood Shores, Calif. "We have frameworks built in for financial and IT governance—basic covenants that underlie mandates that are coming up in different countries. Then you can define additional frameworks."
The GRC process layer also brings expanded policy, procedure and control functionality, tied to financial statements for example, through Stellents document management capability.
This application access control functionality provides capabilities like pre-defined segregation rules—the same person who writes a purchase order cannot also write the check to pay for the order—including the ability to detect and prevent access control violations.
A GRC Manager monitors business process risk and control performance, highlighting areas of control weakness and initiating corrective actions.
The intelligence component enables risk assessment and control monitoring and risk-intelligent reporting.
It provides a dashboard and reports to help users manage performance, react to risk events, monitor compliance mandates and deliver audit-ready reporting, according to Grace. It also tracks risk hotspots, according to Oracles Grace.
"To set a context, there is market risk, credit risk and operational risk," said Grace. "Market risk is, whats the risk of fluctuating prices and rates? Credit risk is someone defaulting on a loan and operational risk is problems in the supply chain, not passing a compliance audit or war in a country you do business in. Some require special systems for tracking the underlying data, and [our] dashboards take those and provide a snapshot of that information."
Grace said that Oracle offers a lot of specific products to track risk—clinical trials, network optimization, trade management and anti-money laundering—as well as generic workflows to track areas that Oracle doesnt cover.
Oracle, however, is not alone in its focus on the GRC market.
In April 2006 SAP acquired Virsa Systems, an enterprise risk management software developer that was also certified as both an SAP and Mia Microsoft Gold partner.
Prior to its acquisition Virsa also collaborated closely with SAP to certify its software on NetWeaver, SAPs integration platform.
The two companies also shared about 150 customers through Versas Compliance Calibrator and Access Enforcer suites.
The companys software includes its Continuous Compliance suite of automation applications that enable collaboration, workflow and built in rules for business intelligence.
The software takes the approach of "embedding" risk prevention capabilities into business processes that span applications from ERP vendors including Oracle, SAP, PeopleSoft, custom and legacy applications, according to Virsas Web site just prior to its acquisition.
"GRC is really a big issue, and no one tackles it quite the way SAP does," said Greenbaum. "SAP talks in terms of governance for risk. And theyre ahead. They made this investment in Versa a year ago, and have had a full year to really pull ahead, and they are sprinting with it, as opposed to Oracle who is just getting out of the blocks."