How To Manage Risk

Transcription

1 Oracle Applications Day Zürich, 1. Juli 2009 Risk und Performance Management in Stürmischen Zeiten mit Oracle GRC Steven Hagner EMEA GRC Sales Organization 1

2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 2

3 Agenda Business Challenges Solution Overview Customer Success 3

4 Fraud on the Rise Societe Generale lost 6.3B as Jerome Kerviel went rogue B. Ramalinga Raju reveals falsifying $1B Corp. account Siemens agrees to pay $1.3B in bribery settlement Fannie Mae IT contractor indicted for planting malware 4

5 Call for Increased Regulatory Scrutiny Obama Gordon Sarkozy Jintao AMERICAS HIPAA FDA CFR 21 Part 11 OMB Circular A-123 SEC and DoD Records Retention USA PATRIOT Act Gramm-Leach-Bliley Act Federal Sentencing Guidelines Foreign Corrupt Practices Act Market Instruments 52 (Canada) EMEA EU Privacy Directives UK Companies Law Restriction of Hazardous Substances (ROHS/WEE) GLOBAL International Accounting Standards Basel II (Global Banking) OECD Guidelines on Corporate Governance APAC J-SOX, C-SOX, K-S0X, C49 CLERP 9: Audit Reform and Corporate Disclosure Act (Australia) Stock Exchange of Thailand Code on Corporate Governance 5

6 The Big Picture What is Governance, Risk, and Compliance Voluntary Boundary Boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies Business Model Strategy, people, process, technology and infrastructure in place to drive toward objectives Obstacles impede progress toward achieving objectives Obstacles Objectives Strategic, operational, customer, compliance and reporting objectives cascaded throughout the organization Mandated Boundary Boundary established by external forces including laws, government regulation and other mandates. OCEG 6

7 Governance, Risk & Compliance Governance is the process of deciding and documenting how the organization operates. Risk Management is the process of ensuring that the right levels of risk are taken. Compliance is the process of ensuring and proving that policies (internal and external) are being followed. 7

8 While Cost of Compliance Continues to Rise $29Billion $32Billion Governance, risk management, and compliance (GRC) spending will exceed $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas. The Governance, Risk Management, and Compliance Spending Report, , -- AMR Research 8

9 Burden Stems from Core Challenges Challenge: Multiple Requirements, Fragmented Response Finance SOX, JSOX Groups IT Security / Risk Mgmt Groups C1b C2b C3b Business Assessment / Audit Groups R1 R2 R3 R1 R2 R3 R1 R2 R3 C1a C2a C3a C1c C2c C3c C5a C6a C7a C9a C10a C11a C5b C6b C7b C9b C10b C11b C5c C6c C7c C9c C10c C11c Challenge: No Proactive Risk Management Risk React Challenge: Ad-hoc Approach with Manual Controls GRC Business Processes 9

10 How Oracle GRC Applications Help Solution: Consolidate multiple standards and regulations onto a single platform GRC Intelligence GRC Manager Regulation A Risk B R1 R2 R3 C1 C2 C3 C5 C6 C7 C9 C10 C11 Standard C Solution: Manage risk in a disciplined & consistent fashion GRC Intelligence GRC Manager Solution: Embed automated controls into standard business processes GRC Controls GRC Business Process 10

12 A Proactive and Integrated Approach Rationalizes Common Processes and Components Finance SOX, JSOX Groups R1 R2 R3 C1a C2a C3a C5a C9a C6a C7a C10a C11a IT Security / Risk Mgmt Groups R1 R2 R3 C1b C2b C3b C5b C6b C7b Business Assessment / Audit Groups R1 R2 R3 C1c C2c C3c C5c C6c C7c C9c C10c C11c Enterprise GRC Platform Common Processes: Identify Requirements Establish Objectives Assess Risk Evaluate Controls Remediate Issues Report and Respond Common Components: Regulations Mandates Frameworks Process Risks Controls Systems C9b C10b C11b 12

13 Consolidate Compliance Activities Oracle GRC Manager Why? Mandates PCI What? Risk Impact Likelihood How? Process Review & Improve SOX 404 Business Process Report & Respond Identify Requirements FFIEC CASB 1386 EU Privacy Directive Framework ISO COSO COBIT ITIL Remediate Issues Establish Objectives HIPAA FDA System Evaluate Controls Assess Risk 13

14 Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms Committing investment to an aggressive development road map with plans for many vertical-specific versions of GRC Manager A suite of controls products, such as Oracle Application Access Controls Governor and Oracle Transaction Controls Governor, that is integrated into the GRC Manager platform 14

15 Enterprise Risk Management Audit Projects Financial Compliance IT Risk & Compliance Environment, Health & Safety Green Compliance & Sustainability Legal & Regulatory Compliance Product Quality & Safety Supply Chain Risk Service Provider Risk Management Multiple GRC Solutions from a Single Platform Real-Time Insight 15

16 The Oracle Difference Enterprise GRC Platform Leader* 1 One Platform Satisfies Multiple Regulations 2 GRC Controls Integration Enforces Policy 3 Role-Based Dashboards Provide Real Time Insight Financial Reporting Data Privacy Green Compliance Policy R1 R2 R3 C1c C2c C3c Controls C5c C6c C7c C9c C10c C11c *Source: Gartner Magic Quadrant for Enterprise GRC Platforms,

18 18

19 The Convergence of EPM and GRC 19

20 Management Excellence: Risk Management Competitive Advantage MANAGEMENT EXCELLENCE Risk Risk Management- Enabling Risk-Based Decisions OPERATIONAL EXCELLENCE Time Copyright 2008, Oracle and / or its affiliates. All rights reserved. 20

21 Risk Management is proactive Performance Management One unique EPM and GRC solution for Good Governance= No Surprise Better Risk Management = No Surprise Transactions Reporting CFO Dashboard Enterprise Risk Management CFO Automated Risk Control Enforcement ERP: Oracle, SAP, Legacy, Other Hyperion Financial Management And Data Quality Management Strategic Planning Financial Planning Cost & Profitability Management Financial Reporting and Compliance Infrastructure Services CIO 21

22 Establish Risk Lifecycle Processes Oracle GRC Manager Establish a single unified approach to managing risk across the enterprise Support an iterative top down or bottom up approach to managing risk Define and analyze risks in terms that match your business model 22

23 Apply at Every Level of Enterprise Oracle GRC Manager Levels Executive Departments Regions Projects Stakeholders Board of Directors C-Level Executives Senior Management Legal, HR Finance Production Americas Europe Asia Africa Cross-functional Global 23

24 Gain 360 Visibility into Enterprise Risk Oracle GRC Intelligence and GRC Manager Financial Reporting Integrity Health & Safety Supply Chain RISK EXPOSURE RISK MODELLING RISK TREATMENT Information Security Environmental Sustainability 24

25 Risk Analysis Visualization Guided Risk Management Steps 25

26 Oracle Risk Management Solutions Oracle GRC Manager Web-based, Enterprise Risk Management solution. Establish a systematic process for Risk Management Assess multiple risk classes and monitor overall risk health Oracle Crystal Ball Predictive modeling, forecasting, simulation and optimization. Enable accurate Risk Probabilities and Monte Carlo Simulation Financial Services Deep Industry-specific solutions covering Financial Services Compliance and Risk 26

27 Oracle Analytic Applications for Financial Services Performance Management Profitability Funds Transfer Pricing Consolidation Accounting Hub Activity-Based Costing Balance Sheet Planning Budgeting and Forecasting Credit Risk Analytical CRM Retail Credit Risk Portfolio Analytics Corporate Credit Risk Marketing Analytics Treasury Risk Service Analytics Market Risk Asset Liability Management Regulatory Capital Basel II: Credit Risk Channel Insight Channel Usage Basel II: Market Risk Channel Performance Basel II: Operational Risk Capital Adequacy/ICAAP Economic Capital EC: Credit Risk EC: Market Risk Customer Profitability Customer Profitability Product Profitability EC: Operational Risk Regulatory Compliance (Financial Crime) Anti-Money Laundering Fraud Detection Governance and Compliance Governance Compliance Risk Broker Compliance Trading Compliance Operational Risk 27

28 The Oracle Difference Transform Uncertainty into Opportunity 1 Manage All Categories of Risk Throughout the Enterprise 2 Foresee Unacceptable Levels of Risk 3 Embed Risk Management into Strategic and Operational Planning Strategic Risk Context Financial Risk Adjusted Performance Operational Risk Criteria Compliance Oracle GRC Oracle EPM 28

30 85% of internal controls at an average firm are manual. - Financial Executives Research Foundation 30

31 Automate Internal Controls Oracle GRC Controls Monitor Control Effectiveness What users have done Detective Controls What s changed in the process What are the execution patterns ACCESS Controls CONFIGURATION Controls TRANSACTION Controls What users can do How is the process setup Preventive Controls How users execute processes Enforce Policies in Context 31

32 Focus on High Risk Areas High RISK RATING OF BUSINESS PROCESSES Importance to business strategy Sales Mgmt Order to Cash Procure to Pay Hire to Retire Produce to Deliver Close to Report Capitalize to DDepreciate Revenue Recognition Bad Debt Mgmt Accounting Security Mgmt Quote to Order IT Change Mgmt Expense to Pay Vendor Mgmt Low Likelihood of control issues High 32

33 Policy Library Conflict Paths Conflict Paths Policy Library Lawson-1275 Lawson 33

34 The Oracle Difference Controls for the Business by the Business 1 Embedded Preventative and Detective Controls are Transparent to Users 2 Pre-delivered Policy Library for Controls 3 Integrated Identity Management and GRC Controls GRC Business Process Policy Library Compliant User Provisioning Oracle GRC Oracle IDM 34

37 Oracle Helps Reduce Compliance Costs and Control Risk Saves $1 million by avoiding customizations Access Controls pass rate improved by 27% Reduces controls testing by 65% Global deployment of centralized controls across 14 locations Reduces audit preparation time by 25% Reporting time reduced from 4 days to minutes Cuts Segregation of Duties audit from 2 months to 2 days User role violations reduced by 90% 37

38 38

39 39

40 GRC Value to Executive Management Integrating risk mgmt into strategic planning increases stakeholder value Managing business risk enhances operational planning & financial performance CEO & BOD Can prove risks are controlled Oversee the business with more certainty Obtain and safeguard confidence of investor and regulatory bodies CFO Has visibility into high risks and greater assurance in financial integrity Achieves better operational decision-making Lowers compliance spend and frees up resources Controlling the risk of fraud reduces disruption to information flow & systems Implementing controls addresses evolving compliance requirements & emerging risks Manages by exception and limits compliance cost Promptly identifies issues and violations for remediation CIO Accelerates response to provisioning requests and supports Audit and LOB Ensures environments stay consistent and data secure CAO Easily validates compliance and reduces audit cost Better utilizes audit resources and coordinates efforts 40

41 GRC Value to the Executive Office & Board Integrating risk mgmt into strategic planning increases stakeholder value Can prove risks are controlled Oversee the business with more certainty CEO & BOD Obtain and safeguard confidence of investor and regulatory bodies 41

42 GRC Value to the Finance Office Managing business risk enhances operational planning and financial performance CFO Has visibility into high risks and greater assurance in financial integrity Achieves better operational decisionmaking Lowers compliance spend and frees up resources 42