Evolving from Financial Compliance to Next Generation GRC
Gary Prince, Principal Solution Specialist - GRC
Agenda
- Business Challenges
- Oracle's Leadership in Governance, Risk and Compliance
- Solution Overview
- Solution Demo
Financial Compliance is Only the First Step
Pressure mounts to fortify the financial compliance foundation
1. Regulations Go Beyond Financial Reporting: an increasing number of regulations pose a challenge to sustainable GRC (CFR, OFAC, AML, IT Governance, Records Retention, Patriot Act, ERM, Basel II, HIPAA, E-Discovery, PCI, NERC/FERC)
2. Vulnerability to Information Breaches: growing recognition that information breaches stem from inside the organization
3. Real-Time Public Exposure of Misdeeds: instantaneous media communication increases the risk of reputational damage
GRC is the New Normal
Requirements increase in number and complexity
- Requirements: Service Level Compliance, Compliance & Ethics Programs, IT Governance, Records Retention, Anti-Money Laundering, Financial Reporting Compliance, Audit Management, Supply Chain Traceability, Legal Discovery, Data Privacy
- People: Finance, Suppliers, R&D, Mfg, Sales, HR, Legal, Customers
- Technology: Enterprise Applications, Data Warehouse, Database, Mainframes, Mobile Devices, Apps Server, Regions
- Mandates: SOX, JSOX, EU Directives, HIPAA, Basel II, GLBA, PCI, Patriot Act, SB1386
Source: Open Compliance and Ethics Group
New Risks to Your Business: Credit Card / Identity Theft
- TJ Maxx: 8 class-action lawsuits filed as of March 23; a Massachusetts-led investigation by attorneys general from 30 states; a pretax charge of $25 million spent to date. (Source: 2006 Annual Report, March 2007)
- Chipotle: The fast food chain stored the full range of customer data from credit card accounts. Roughly 2,000 fraudulent charges against Chipotle customers totalled $1.3M, additional fines from Visa and Mastercard amounted to $1.7M, and legal fees racked up another $1.3M. (Source: Computerworld, December 2005)
- Dollar Tree: Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Cyber-thieves have stolen as much as $700,000 from personal accounts during the last two months. (Source: eWeek, August 2006)
- Life is Good: The Boston-based retailer today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers. (Source: Boston.com, Sept. 2006)
Security Breaches are Increasingly Expensive
Costs are increasing
- Breaches cost companies an average of $182 per compromised record, a 31% increase over 2005
- In 2006, 31 companies experienced a data breach; the total cost for each loss ranged from $1 million to over $22 million
Source: The Ponemon Institute, October 2006
Penalties are severe
- Companies can be barred from processing credit card transactions, higher processing fees can be applied, and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance
Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html
Proactive Security Is Cheaper
Data protection is less costly than breaches
- The cost of a breach can reach at least $90 per customer for companies with at least 100,000 accounts, versus $6 to $16 per account per year to strongly protect that data
Source: Gartner Study, 16 September 2005
Complementary Compliance Efforts
Sarbanes-Oxley
- Requires that public companies have effective internal controls on financial information, with independent auditor attestation. Prudent private companies comply as well.
- It comes down to this:
  - Access control: Who has access to what information?
  - Auditability: Can you monitor and track access to information?
Gramm-Leach-Bliley Act
- Requires that financial institutions safeguard Personally Identifiable Information (PII)
- Prudent retailers consider GLBA compliance a best practice
- Personal service depends on secure access to PII
- Data Privacy: Do your best customers trust you?
Practical Lessons from Sarbanes-Oxley
Most organizations progress through a maturity curve (diagram: cost against number of controls over time)
- Year 1 & 2: Manual, redundant efforts (Define)
- Year 3: Remediation & standardization (Rationalize)
- Year 4+: Embedded GRC & operational excellence (Automate, Monitor & Verify)
New AS5 guidance:
- Top-down, risk-based approach
- Tailor the audit to the specific company profile
- External auditors can use the work of others as evidence
Agenda
- Business Challenges
- Oracle's Leadership in Governance, Risk and Compliance
- Solution Overview
- Customer Success
Oracle's Compliance Solution
Layers: Cross-Enterprise Policy and Process Management; Enterprise Control Management; Analytics & Performance Management; Infrastructure
- End-to-End Policy & Process Management governs risk and compliance activities
- Enterprise Control Management detects and prevents control failures
- Integrated Analytics deliver actionable insight
A World of Paper and Manual Handoffs
Current state of risk and compliance management: a fragmented approach (diagram: Auditors, Business Process Owners, Executives, Testers)
Content Management is the Cornerstone
Single system of record for compliance information (diagram: Secure Enterprise Search; single source of information; all content types; date-effective chain of custody; central repository)
- Link policies and procedures to laws, regulations, and standards as evidence of compliance
- Apply and track permission-based access to policy and procedure documents
- Leverage advanced search functions with a familiar look and feel
Manage Policies and Procedures
Align policies to best-practice frameworks (diagram: master libraries of policies & controls; embedded frameworks: COSO, COBIT, ITIL)
- Frameworks align corporate policies and associated controls to standards
- Link shared policies and controls in master libraries for easy maintenance
Manage Financial Compliance Process
Automate and streamline compliance process workflow (diagram: inbox notifying of tasks; workflow steps Document, Assess/Audit, Analyze, Respond, Certify)
65% of companies say they have been adversely impacted by redundant or inconsistent GRC processes. What are the resulting effects?
Chart values, in the order shown: 71%, 69%, 32%, 15%, 10%
- Increased general operating expenses
- Increased cost of reconciling information
- Reduced margins
- Higher cost from suppliers
- Higher cost of capital
Source: 2007 OCEG Benchmark Series
Oracle Financial Compliance Solution
Layers: Cross-Enterprise Policy & Process Management; Enterprise Control Management; Analytics & Performance Management; Infrastructure
- End-to-End Policy & Process Management governs risk and compliance activities
- Enterprise Control Management detects and prevents control failures
- Integrated Analytics deliver actionable insight
Segregation of Duties for Applications
Detect access violations (diagram: pre-delivered content, process, evidence; a library of SOD constraints is checked against each employee's access; a detected violation triggers corrective measures until it is cleared, leaving authorized access and evidence of due diligence)
- User access deviations detected across instances
- Continuous monitoring through reporting
Role-Based Access to Applications
Prevent access violations (diagram: employee; assignment of roles checked against the SOD policy at user profile set-up; a violation is prevented and the grant of the role denied; certification of who has access to what)
- Integrated framework for user provisioning
- Set-up of user profiles with a library of constraints
- Segregation of duties prevention and certification across heterogeneous systems
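The detective and preventive SoD checks on these two slides, as an added example that is not Oracle's product code: a library of conflicting entitlements, a scan of existing assignments that produces the evidence report, and a role grant that is refused when it would create a conflict. All roles, entitlements, users and constraint ids are constructed.

```python
# Added example, not Oracle's code: a minimal segregation-of-duties (SoD) engine
# for the two controls above: detective (scan existing access and report violations
# as audit evidence) and preventive (refuse a role grant that would create a
# conflict). Roles, entitlements, users and constraint ids are constructed.

# Constructed role library: application role -> entitlements it confers.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"enter_invoice", "maintain_supplier"},
    "AP_MANAGER": {"approve_payment", "release_payment_run"},
    "PURCHASING": {"create_purchase_order"},
    "AUDITOR": {"view_ledger"},
}

# Constructed SoD constraint library: entitlement pairs one person must never hold together.
SOD_CONSTRAINTS = {
    "SOD-01": ("maintain_supplier", "approve_payment"),
    "SOD-02": ("enter_invoice", "release_payment_run"),
    "SOD-03": ("create_purchase_order", "approve_payment"),
}

# Constructed current access picture (user -> roles), as an access review would export it.
SAMPLE_ASSIGNMENTS = {"alice": {"AP_CLERK", "AP_MANAGER"}, "bob": {"PURCHASING"}}

def entitlements_for(roles):
    """Flatten a user's roles into the entitlements they actually confer."""
    return set().union(*(ROLE_ENTITLEMENTS.get(role, set()) for role in roles))

def violations_for(roles):
    """Return the constraint ids breached by this combination of roles."""
    ents = entitlements_for(roles)
    return sorted(cid for cid, (a, b) in SOD_CONSTRAINTS.items() if a in ents and b in ents)

def detect_violations(assignments):
    """Detective control: scan every user's current roles; the result is the evidence report."""
    report = {}
    for user, roles in assignments.items():
        found = violations_for(roles)
        if found:
            report[user] = found
    return report

def grant_role(assignments, user, role):
    """Preventive control: simulate the grant and deny it if it would introduce a new conflict."""
    current = set(assignments.get(user, set()))
    introduced = set(violations_for(current | {role})) - set(violations_for(current))
    if introduced:
        return "DENIED", sorted(introduced)
    assignments.setdefault(user, set()).add(role)
    return "GRANTED", []
```

Running `detect_violations(SAMPLE_ASSIGNMENTS)` reports alice for SOD-01 and SOD-02, while `grant_role` refuses to give bob AP_MANAGER because the pair would breach SOD-03.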
Control Privileged User Access
Take away the keys of the kingdom (diagram: a super DBA tries to access financial tables during a quiet period and is denied; DBA access is confined by realm, with an HR realm and a FIN realm)
- Protect from insider threats by ensuring powerful users have access to only what they need to do their job
- Restrict access to sensitive data and ascertain that users are who they state themselves to be
Control Privileged User Access
Take away the keys of the kingdom (diagram: critical data such as National ID/SSN, salary and customer records sit in the HR and FIN realms; super-user access controls use factors such as time of day, e.g. 3pm Monday, and IP address; the HR DBA is confined to the HR realm and the FIN DBA to the FIN realm)
- Protect from insider threats by ensuring powerful users have access to only what they need to do their job
- Restrict access to sensitive data and ascertain that users are who they state themselves to be
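The realm-based privileged-user controls on these two slides, as an added example that is not Oracle's product code: each sensitive table belongs to a realm with a short list of authorized DBAs, and every access is also checked against context factors (time of day, source IP, a quiet period) before a decision and its reason are returned for the audit trail. Realm names, users, networks, tables and dates are constructed.

```python
# Added example, not Oracle's product code: a realm-style policy evaluator for
# privileged database users. Each sensitive table belongs to a realm with a short
# list of authorized DBAs, and every access is also checked against context
# factors (time of day, source IP, a quiet period). Realms, users, networks and
# dates are constructed sample data; DENY always wins over held privileges.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class Realm:
    name: str
    objects: set        # protected SCHEMA.TABLE names
    authorized: set     # users allowed to touch them, whatever system privileges others hold
    business_hours: tuple = (time(8, 0), time(18, 0))
    allowed_nets: tuple = ("10.20.0.0/16",)   # constructed DBA management network

# Constructed realms: a "super DBA" holding SELECT ANY TABLE is deliberately in neither list.
REALMS = [
    Realm("HR", {"HR.EMPLOYEES", "HR.SALARY"}, {"hr_dba"}),
    Realm("FIN", {"FIN.GL_BALANCES", "FIN.CUSTOMERS"}, {"fin_dba"}),
]
# Constructed quiet period (period-end close) during which FIN data may be read but not changed.
QUIET_PERIOD = (datetime(2007, 3, 30), datetime(2007, 4, 3))

def realm_for(obj):
    """Look up the realm protecting an object; None means the object is unprotected."""
    return next((r for r in REALMS if obj in r.objects), None)

def evaluate(user, obj, action, when_iso, src_ip):
    """Return (decision, reason); the reason is what gets written to the audit trail."""
    when = datetime.fromisoformat(when_iso)   # e.g. "2007-03-05T15:00"
    realm = realm_for(obj)
    if realm is None:
        return "ALLOW", "object not in any realm"
    if user not in realm.authorized:
        return "DENY", f"{user} is not authorized for realm {realm.name}"
    start, end = realm.business_hours
    if not start <= when.time() <= end:
        return "DENY", f"outside business hours for realm {realm.name}"
    if not any(ip_address(src_ip) in ip_network(net) for net in realm.allowed_nets):
        return "DENY", f"source {src_ip} is not an approved DBA network"
    if realm.name == "FIN" and action != "SELECT" and QUIET_PERIOD[0] <= when < QUIET_PERIOD[1]:
        return "DENY", "changes to FIN data are blocked during the quiet period"
    return "ALLOW", "realm, time, network and quiet-period checks passed"
```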
Verify System Configurations
Automate and monitor application controls (diagram: Procure-to-Pay flow across Procurement, Inventory and Accounts Payable: Requisition, Purchase Goods / Services, Receive Goods / Services, Invoice, Issue Payments; example controls: ensure internal requisition source, monitor changes to expensing rules, document numbering, price tolerance percentage and discounting rules; SAP shown as a monitored instance)
- Monitors over 500 key configuration settings across instances
- Before-and-after snapshot of changes to settings, with the ability to revert back
- Automatic alerts notify managers as exceptions occur
Anticipate Auditor Requirements with Evidence of Enforcement
IT Audit
- Prevent unauthorized system configuration changes with diagnostics
- Identify top audit alerts by application, system, and audit event
- Identify trends in control performance with snapshot comparisons
Financial Audit
- Deliver auditor-ready reports for process certification and remediation analysis
- Provide evidence of best-practice periodic attestation
- Review the complete audit trail for any changes to control elements
Oracle Financial Compliance Solution Summary
Policy and process management govern risk and compliance activities
- Reduce cost and complexity by managing multiple global financial mandates with one system
- Rely on a tamper-proof chain of evidence for all financial compliance processes
- Align policies and processes with best-practice risk and control frameworks
Enterprise control management detects and prevents control failure
- Control user access & enforce segregation of duties with business-driven rules
- Reduce risk of fraud with continuous monitoring of automated controls
- Enforce effective preventive and detective controls across all systems
Integrated financial compliance analytics deliver actionable insight
- Leverage a single source of GRC information across departments, units and locations
- Improve risk responsiveness with timely control and performance analytics
- Tailor GRC intelligence to the needs of your specific organization and function
Why Choose Oracle GRC? Only Oracle:
Governs risk and compliance activities with Policy & Process Management
- Reduce cost and complexity by managing global financial mandates with one system
- Rely on a tamper-proof chain of evidence for all compliance processes
- Align policies and processes with best-practice risk and control frameworks
Detects and prevents control failures with Enterprise Control Management
- Control user access & enforce segregation of duties with business-driven rules
- Reduce risk of fraud with continuous monitoring of automated controls
- Enforce effective preventive and detective controls across all systems
Delivers GRC insight for better business performance
- Leverage a single source of GRC information across departments and locations
- Improve risk responsiveness with timely control and performance analytics
- Tailor GRC intelligence to the needs of your specific organization and function
Oracle Governance, Risk, and Compliance
- Simplify GRC and Reduce Costs
- Safeguard Brand and Reputation
- Run Your Business Better and Prove It