Implementation of SAP-GRC with the Pictet Group
Olivier VERDAN, Risk Manager, Group Risk, Pictet & Cie
11th December 2013, Zürich
Table of contents
1 Overview of the Pictet Group
2 Operational Risk Management at the Pictet Group
3 SAP-GRC Project
4 Main challenges of SAP-GRC implementation
5 Results of SAP-GRC implementation
1 Overview of the Pictet Group
Founded in Geneva in 1805, the Pictet Group is today one of Europe's leading independent wealth and asset managers.
Facts & Figures
- 1805: founded in Geneva
- 3300 employees
- 25 offices around the world
- 650 investment professionals
- $433bn in assets under management and custody at 30 September 2013
- 8 partners responsible for all of the Group's activities
- Independently owned Group, no external shareholder pressure
A unique positioning around three areas of business
Pictet Group
- Wealth management: wealth management solutions for private clients (Pictet Wealth Management; Services for independent asset managers)
- Asset management: solutions for institutional investors and distribution of investment funds (Pictet Asset Management; Pictet Alternative Investments)
- Asset services: custody bank, fund administration and trading services for institutional clients and banks (Pictet Asset Services; Trading)
2 Operational Risk Management at the Pictet Group
Pictet Organisation of Operational Risk Management
Philosophy = Decentralisation
[Organisation chart. Labels shown:]
- Monitoring at Group level: Pictet & Cie Partners Committee, Group Internal Audit, Group Risk, Group Compliance, Group Security, Legal Department
- Monitoring at business lines and Group legal entities level: Board of Directors of the Group legal entities, Senior Management of the business lines, Senior Management of the Group legal entities
- Roles shown twice at this level: CFO, COO, Compliance Officer, Risk Officer
Methodology for Operational Risk Mgmt (2007-2013)
Manual process using MS Office tools:
- Risk Register by Group Unit
- Sent to Group Risk by email
- Manual risks consolidation
- Discussion of risk map between Group Risk and Unit
- Group Risk Report released

[Screenshots labelled EXCEL, POWERPOINT and WORD: the Group Risk Register for Operational Risks, a severity / frequency risk map, and a report page with action plans, owners and comments. Sample entries are anonymised.]

Risk register column headings shown include: ID, Unit, Legal entity / site, Date of Entry, Last update, Identified Risks (Risk Description, Risk Category), Existing Controls / Mitigation Techniques, Effectiveness of Strategies, Analysis & Evaluation of Residual Risk (Financial Risk, Reputational Risk, Other Risks, each with Likelihood/Frequency, Impact/Severity and Level of Residual Risk; amount for financial impact in CHF), Key Risk Indicators, Action plan to reduce risk, Evaluation of Target Risk, Overall responsible, Deadline, Overall progress, Date of closing.

Likelihood - Frequency scale:
1 = Rare : 5 years
2 = Unlikely : 1-5 years
3 = Possible : < 1 year
4 = Likely : monthly
5 = Almost certain : weekly

Impact - Severity scale, Financial Risk (amount in CHF, Min. to Max.):
1 = 0 to 500'000
2 = 500'001 to 1'000'000
3 = 1'000'001 to 5'000'000
4 = 5'000'001 to 20'000'000
5 = Min. 20'000'001 (no maximum shown)

Impact - Severity scale, Reputational Risk:
1 = Insignificant : No media attention. Minor complaint.
2 = Minor : No media attention. Multiple minor complaints.
3 = Moderate : Local media reporting. Moderate complaints.
4 = Major : National & international media reporting. Major complaints.
5 = Extreme : Long term negative image. Substantial complaints with losses.

Impact - Severity scale, Other Risks:
1 = Insignificant : No regulatory consequence.
2 = Minor : No regulatory consequence. Minor reversible injury.
3 = Moderate : Limited regulatory consequence. Moderate reversible injury.
4 = Major : Significant regulatory consequence. Major injury.
5 = Extreme : Closure of major part of business. Irreversible injury.

Risk ranking:
1-3 Low Risk
4-6 Moderate Risk
8-12 High Risk
15-25 Extremely High Risk

Sample register content (anonymised):
- Risk categories: Organisation, Technical, Human, External
- Existing controls: daily controls / reconciliation of positions..., incident reporting, four-eyes control for each operation
- Key Risk Indicators: number of incidents, error report, number of outages
- Action plan: automation of controls, lowering of alert thresholds, data security project, MIS evolution projects

Sample report commentary (anonymised): At the 30 June reassessment, a new high risk was identified concerning xxxxxxx. Although the risk of errors in the execution of a xxxxx order is still assessed overall as high, its current trend is considered by PCS to be improving. Indeed, the number of errors and the financial impact of incidents are lower than in previous half-years.
3 SAP-GRC Project
Main objectives of the SAP-GRC Project
- Reduce the risk of operational risks going undetected by interlinking information
- Reduce the administrative workload to concentrate on tasks with high added value
- A unique tool in the Group for the management of all types of operational risks
- Provide a complete functional coverage in a structured and standardized framework
- Improve compliance with Finma-Circ. 08/24 "Supervision and internal control banks" and Finma Circ. 08/21 "Operational risks at banks"
Preliminary phases, 2011 - 2012
- Study of market risk management tools
- Contacts with various banks that have deployed integrated tools for operational risk management
- Choice of the tool ORC (Interexa), used by
- Workshops with Interexa : March - April
- Workshops with Unit Risk Managers : June
- Decision to stop ORC and start SAP : August
  - Final estimated cost too high
  - ORC doesn't provide an internal control module
- Presentation by SAP of GRC (including internal control module)
- Strong sponsorship by Pictet IT as SAP already used for Finances and HR
SAPPORO Project: Risk Management module
- Selection of SAP-GRC : August 2012
- Proof of Concept : November 2012
- Start of SAPPORO Project : Preliminary phase with Riscomp : February-March 2013
- Business Blueprint : April 2013
- Implementation and UAT with Riscomp : May-July 2013
- Training and UAT with Unit Risk Managers : May-June 2013
- Go-Live : 29th July 2013
The 3 phases of the SAPPORO Project
- Phase 1 Risk Management: Study - Implementation
- Phase 2 Internal Control Syst.: Study - Implementation
- Phase 3 Incidents: Study - Implementation
[Timeline chart; dates shown on the axis: 08.2013, 06.2014]
4 Main challenges of SAP-GRC implementation
Main challenges
Pictet Methodology / Pictet Group Policy for Operational Risks
1. Decentralised operational risk management
Challenges were:
- Collecting the needs of Unit Risk Managers, who have very different levels of maturity in the operational risk management process
- Various approaches (bottom up, top down, mixed)
- Implementing a solution that suits all, within a reasonable budget
Integration of decentralised Unit Risk Managers throughout the project
Main challenges
Pictet Methodology / Pictet Group Policy for Operational Risks
1. Decentralised operational risk management
2. Matrix organisation
Matrix Organisation
Multiple business lines, crossed with multiple legal entities, in 25 sites in the world.
Reporting needs:
- By business line (for the Management)
- By legal entity (for Supervision Authority)
- By site (for local Management)
Example of business lines:
- Pictet Wealth Management
- Pictet Asset Management Distribution
- Pictet Asset Services
- Pictet Asset Management Investment
- Trading
- Etc.
Example of legal entities:
- Pictet & Cie (Europe) SA
- Pictet Investment Co. Ltd, London
- Pictet Funds SA
- Paris Branch
- Italian Branch
- Hong Kong Branch
- Bank Pictet (Asia) Ltd, Singapore
- Pictet Asset Management Ltd
- Etc.
Matrix Organisation
Solution = 3 custom-defined fields within the Organisational Unit:
- Team name
- Company name
- Site name
[Screenshot; labels shown: Risk Response Org. Unit Name Company Site]
Main challenges
Pictet Methodology / Pictet Group Policy for Operational Risks
1. Decentralised operational risk management
2. Matrix organisation
Because the full organisation requires downloading 1544 organisational units, other challenges were:
- Response time was too long for users with limited access (Unit Risk Managers)
- Temporary solution : only a partial organisation loaded into SAP-GRC (567 org units)
- SAP has improved response time
- Automatic update of the organisation
5 Results of SAP-GRC implementation
Outcomes of the project
Positive:
- Pictet Methodology fits in SAP-GRC (risk valuation, risk categories)
- Ops Risk Mgmt Framework more robust
- Time saving: fewer administrative tasks, more value-added work
- Heatmap: immediate reporting tool, with extended drill-down / selection capabilities
- Unique Ops Risks Register
Negative:
- SAP-GRC did not seem mature enough: we encountered a lot of bugs, which tends to demonstrate that the tool was not tested extensively. Examples:
- Impossible to remove a Response from a Risk
- Risk Aspect worked on Org. Name, not Org. ID
- Ergonomics not user friendly
- Graphical view incomplete
- Response can be saved without compulsory info (name)
- But good reactivity of SAP to correct bugs
Most desired improvements
- Response time
- Automatic update of Organisation / Risk Thresholds
- Underlying Risks: possibility to include or exclude them in the Heatmap
- Validity extension of a Risk
Questions?
Thank you for your attention