Governance, Risk, and Compliance Sales Awareness Level 1

Upload: maria-wiggins

Post on 17-Jan-2016

TRANSCRIPT

Page 1: Governance, Risk, and Compliance Sales Awareness Level 1

Governance, Risk, and Compliance Sales Awareness Level 1

Page 2: Governance, Risk, and Compliance Sales Awareness Level 1

Agenda

• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources

Page 3: Governance, Risk, and Compliance Sales Awareness Level 1

Fraud on the Rise in 2008

Madoff made off with $50B of investors’ money

B. Ramalinga Raju admits falsifying $1B Corp. account

Societe Generale lost €6.3B as Jerome Kerviel went rogue

Siemens agrees to pay $1.3B in bribery settlement

Page 4: Governance, Risk, and Compliance Sales Awareness Level 1

Corporate Governance in Asia

“Corporate governance can affect the share price, growth strategies and shareholder returns”

- Bill Sohn, UBS Managing Director of Investment Research

July 22, 2009

Page 5: Governance, Risk, and Compliance Sales Awareness Level 1

CONFIDENTIAL: All capabilities and dates are for planning purposes only and may not be used in any contract

… And Predicted to Spike in 2009

Increasing Fraud Risk

91% of public corporations expect fraud to increase or remain the same in 2009¹

Heightened by Cost Cutting Measures

• Layoffs and pay cuts result in disgruntled employees
• Restructuring throws segregation of duties controls into disarray
• Outsourcing and global expansion heighten risk of bribery & corruption

Lead to Heightened Regulatory Alert

The Public Company Accounting Oversight Board issued a 33-page alert to auditors, telling them to plan their audits with an eye towards the new risks that spring from management acting under economic pressure.

¹ Source: Compliance Week and Deloitte Financial Advisory Services Survey, 2009

Page 6: Governance, Risk, and Compliance Sales Awareness Level 1

Calls for Increased Regulatory Scrutiny

[Photos: Obama, Jintao, Sarkozy, Gordon]

AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)

EMEA
• EU Privacy Directives
• UK Companies Law
• Restriction of Hazardous Substances (ROHS/WEE)

APAC
• J-SOX, C-SOX, K-SOX, C49
• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
• Stock Exchange of Thailand Code on Corporate Governance

GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance

Page 7: Governance, Risk, and Compliance Sales Awareness Level 1

While Cost of Compliance Continues to Rise

“Governance, risk management, and compliance (GRC) spending will exceed $32 billion for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.”

– The Governance, Risk Management, and Compliance Spending Report, 2008–2009, AMR Research

[Chart values: $29 Billion, $32 Billion]

Page 8: Governance, Risk, and Compliance Sales Awareness Level 1

Burden Stems from Core Challenges

Challenge: Multiple Requirements, Fragmented Response
Challenge: Largely Manual Efforts
Challenge: GRC Not Integrated into the Business

[Diagram labels: Finance SOX, JSOX Groups; Business Assessment / Audit Groups; IT Security / Risk Mgmt Groups; GRC; Business Processes; three separate grids of risks R1–R3 and controls C1–C11 (sets a, b and c)]

Page 9: Governance, Risk, and Compliance Sales Awareness Level 1

Smart Strategies to Manage Risk and Compliance
Actions You Can Take Immediately

Strategy: Consolidate Multiple GRC Activities and Groups onto a Single Platform
Strategy: Automate Critical GRC Tasks
Strategy: Embed Controls into Standard Business Processes

[Diagram labels: Regulation A, Risk B, Standard C; a single grid of risks R1–R3 and controls C1–C11; GRC; Business Process]

Page 10: Governance, Risk, and Compliance Sales Awareness Level 1

Agenda

• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources

Page 11: Governance, Risk, and Compliance Sales Awareness Level 1

Smart Strategies to Manage Risk and Compliance
Actions You Can Take Immediately

Strategy: Consolidate Multiple GRC Activities and Groups onto a Single Platform
Strategy: Automate Critical GRC Tasks
Strategy: Embed Controls into Standard Business Processes

Oracle GRC Applications
• Oracle GRC Controls
• Oracle GRC Manager
• Oracle GRC Intelligence

Page 15: Governance, Risk, and Compliance Sales Awareness Level 1

Oracle GRC Intelligence
Timely Access to GRC Information, Better Decisions

100+ pre-built KPIs for risk, certification, controls, and issues enable personalized reporting

Self-service analysis and reporting with interactive dashboards and automated alerts

Integrated financial statement and GRC information

GRC Reporting & Analysis
• Configure Risk & Control KPIs
• Review GRC Dashboards
• Investigate Troubling KPIs
• Monitor All Open Issues

Page 16: Governance, Risk, and Compliance Sales Awareness Level 1

Oracle GRC Manager
Manage Enterprise Risk & Compliance Activities

Central repository for policy, risk and compliance documentation

Automate certifications, audits, and management assessments

Capture issues and manage remediation

Standards & Mandates
Controls
Risks

Compliance Management Process
• Assess Scope Based on Risk
• Certify and Publish
• Document Risk & Control Matrix
• Test Controls and Analyze Exceptions
• Remediate & Optimize

Page 17: Governance, Risk, and Compliance Sales Awareness Level 1

Oracle GRC Controls Suite
Detect and Prevent Control Failure

Detective Controls
• What users have done
• What’s changed in the process
• What are the execution patterns

Preventive Controls
• What users can do
• How is the process setup
• How users execute processes

ACCESS Controls
CONFIGURATION Controls
TRANSACTION Controls

Enforce Policies in Context

Monitor Control Effectiveness

Page 18: Governance, Risk, and Compliance Sales Awareness Level 1

Oracle Application Access Controls Governor
Enforce Proper Segregation of Duties in Applications

Simplify segregation of duties enforcement with simulation and remediation

Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails

Accelerate deployment and time to value with pre-delivered controls library

• Access Analysis
• Compensating Policies
• Define Access Controls
• Remediation (Clean-up)
• Preventive Provisioning

Detect / Prevent

Page 19: Governance, Risk, and Compliance Sales Awareness Level 1

Oracle Configuration Controls Governor
Ensure Integrity of Critical Application Setups

Achieve consistent application setup and operating standards across multiple instances

Track complete audit trails for changes to key configurations

Tightly control change management to accelerate development and test time

• Document or Compare Configurations
• Manage Data Integrity
• Define Configuration Controls
• Monitor Configuration Changes
• Enforce Change Control

Detect / Prevent

Page 20: Governance, Risk, and Compliance Sales Awareness Level 1

Oracle Transaction Controls Governor
Identify Inaccurate or Fraudulent Transactions

Continuously monitor accuracy of transactions and mitigate exposure to fraud
- Test against thresholds
- Search for anomalies
- Perform transaction sampling

• Pre-delivered Transaction Controls
• Suspect Transactions
• Perform Transaction Analysis
• Define Transaction Controls
• Review and Address Suspects
• Preventive Transaction Controls

Detect / Prevent

Page 21: Governance, Risk, and Compliance Sales Awareness Level 1

Agenda

• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources

Page 22: Governance, Risk, and Compliance Sales Awareness Level 1

Sample of GRC Customers

High Tech / Comms / Media

Public Sector

Financial Services

Consumer / Retail

Life Sciences

Manufacturing

Page 23: Governance, Risk, and Compliance Sales Awareness Level 1

COMPANY OVERVIEW

• Industry leading software and financial services company with products like Consumer Tax and QuickBooks

• Employees: 7,500

• Annual Revenue: 2.35 billion

CHALLENGES / OPPORTUNITIES

• Inappropriate responsibilities being granted to employees without review and approval

• Oracle configurations being modified without notification to the SOX Compliance Team

• Inefficient manual controls associated with SOX compliance

SOLUTIONS

• Oracle GRC Controls Suite

RESULTS

• 55% time savings among internal departments

• 65% reduction in controls testing

• 42% reduction in External auditor engagement

• Less than five months payback period for the current installation

CUSTOMER PERSPECTIVE

“We’ve been able to realize significant returns on our investment in the Oracle GRC Controls Suite to date. The 8.0 release of Oracle Application Access Controls Governor should help us continue our efforts to deliver well-controlled and efficient business processes, not only across the E-Business Suite, but also in our PeopleSoft and Siebel applications.”

– Rob Singleton, Manager, Controls Advisory Office

Page 24: Governance, Risk, and Compliance Sales Awareness Level 1

COMPANY OVERVIEW

• Established in 1817

• Total assets of $312 billion

• 35,000 employees

• Retail banking, wealth management and investment banking

CHALLENGES / OPPORTUNITIES

• User access was too broad; corporate assets not protected effectively

• No way to track changes to ERP application data, including who, what, when and why changes were made

• Segregation of Duties (SOD) analysis process was expensive and distracting from the core business

SOLUTIONS

• Oracle GRC Controls

RESULTS

• Cut SOD review time from 2 months to 2 days

• Eliminated all known SOD conflicts

• Created detailed access rules protecting corporate assets

• Created comprehensive audit trails

CUSTOMER PERSPECTIVE

“We’ve reduced the time it takes to complete routine audits from two months to two days.”

– Darlene Mac Cormac, VP, Procurement & Strategic Sourcing, Harris Bank

Page 25: Governance, Risk, and Compliance Sales Awareness Level 1

COMPANY OVERVIEW

• Technology leader in communications, electronics, life sciences and chemical analysis

• Revenue > $5 billion

• 20,000 employees

CHALLENGES / OPPORTUNITIES

• Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units

• World’s largest single Oracle EBS instance

• 20,000 Active users

• 50,000 Oracle responsibilities

SOLUTIONS

• Oracle GRC Controls Suite

• Oracle GRC Manager

RESULTS

• Implemented 200 automated controls in 8 weeks

• Avoided six-month customization effort, and estimated cost of $1 million

• Eliminated SOD conflicts to meet SOX compliance requirements on time

CUSTOMER PERSPECTIVE

“Oracle’s automated method quickly identifies SOD issues and resolves in a timely manner. In addition, the solution is easily adaptable as interpretations of SOX legislation changes or business conditions dictate.”

– Penny Kosley, Agilent Technologies

Page 26: Governance, Risk, and Compliance Sales Awareness Level 1

COMPANY OVERVIEW

• Insurance Industry

• Employees: 10,000+

• Revenue: Over US$ 10.5B

• Has subsidiaries in Canada and the UK

CHALLENGES / OPPORTUNITIES

• Lack of version control and security

• Redundancy in documentation

• Inadequate gap analysis

• Poor exception reporting

• Lack of visibility into the progress of compliance activities

SOLUTIONS

• Oracle GRC Manager

• Oracle Universal Content Management

RESULTS

• Reduced number of SOX-related docs stored by eliminating redundant data

• Better assignment of responsibilities & sharing of efficiencies for global roll out

• Single repository with linkage of common controls and processes

• Stronger focus on significant risks & true key controls

• Culture for compliance with senior buy in, training on the tool & greater control awareness

CUSTOMER PERSPECTIVE

“Using the Oracle system has helped us focus on significant risks and true key controls. This has improved our ability to resolve compliance issues in a timely fashion.”

– Danny Waxenberg, AVP Internal Controls

Page 27: Governance, Risk, and Compliance Sales Awareness Level 1

Agenda

• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources

Page 28: Governance, Risk, and Compliance Sales Awareness Level 1

Smart Strategies to Manage Risk and Compliance
Actions You Can Take Immediately

Strategy: Consolidate
Consolidate multiple GRC activities and groups onto a single platform
• GRC Manager
• GRC Intelligence

Strategy: Automate
Automate critical GRC tasks
• GRC Manager
• GRC Controls

Strategy: Embed
Embed controls into standard business processes
• GRC Controls

Page 29: Governance, Risk, and Compliance Sales Awareness Level 1

Oracle Governance, Risk, and Compliance
Reduce Compliance Costs & Control Risks

• Address multiple regulations
• Works across any application
• Instant visibility to critical risks
• Automated controls for E-Business Suite, PeopleSoft, JD Edwards, & Siebel
• Top-to-bottom segregation of duties
• Compliant user-provisioning

Enterprise GRC Platform Leader

In-Depth Controls Automation

Page 30: Governance, Risk, and Compliance Sales Awareness Level 1

Who’s Buying GRC?
All Sizes, All Industries, All Business Types

PUBLIC
• Rev Range $50M - $200B
• Installed Base Accounts
• New Business/Greenfield
• Drivers:
- Sarbanes-Oxley (SOX)
- Segregation of Duties
- Access Management
- Change Management
- Process Management
- Internal Audit Ops

PRIVATE
• Rev Range $50M - $22B
• Installed Base Accounts
• New Business/Greenfield
• Drivers:
- Segregation of Duties
- Access Management
- Change Management
- Process Management
- Internal Audit
- IPO Readiness

GOVERNMENT
• Federal, State & Local
• Education
• Agencies
• Civil
• Dept. of Defence
• Aerospace & Defence
• Intelligence
• Drivers:
- OMB A-123
- Improper payments
- Privacy act
- FISMA

Page 31: Governance, Risk, and Compliance Sales Awareness Level 1

GRC Up-sell Scenarios

Primary Entry Point: EBS Suite
Customer GRC Needs: Customer on EBS needing GRC Product
GRC Products:
• Governance, Risk, and Compliance Manager
• Fusion Governance, Risk, and Compliance Intelligence
• Governance, Risk, and Compliance Controls

Primary Entry Point: EBS Suite
Customer GRC Needs: Customer on EBS and ICM needing complete analytics / GRC Content Management
GRC Products:
• Governance, Risk, and Compliance Manager Upgrade
• Fusion Governance, Risk, and Compliance Intelligence
• Configuration Control Governance
• Transaction Control Governance

Primary Entry Point: PeopleSoft Enterprise
Customer GRC Needs: Customer on PSFT needing GRC Product
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• Application Access Control Governance

Primary Entry Point: PeopleSoft Enterprise
Customer GRC Needs: Customer on PSFT with ICE needing Compliance Analytics/Reporting and Documentation Support
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• Oracle Identity Management Suite (Tech)

Page 32: Governance, Risk, and Compliance Sales Awareness Level 1

GRC Up-sell Scenarios

Primary Entry Point: Non-Oracle
Customer GRC Needs: Customer on SAP or other ERP needing best of breed GRC platform
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• Governance, Risk, and Compliance Controls

Primary Entry Point: SAP
Customer GRC Needs: Customer on SAP using Virsa for SOD within SAP and needing best of breed GRC documentation application
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• GRC Infrastructure (Tech)

Primary Entry Point: Mixed or Heterogeneous application infrastructure
Customer GRC Needs: Customer with heterogeneous environment needing GRC platform
GRC Products:
• Governance, Risk, and Compliance Manager
• Fusion GRC Intelligence
• Governance, Risk, and Compliance Controls
• GRC Infrastructure (Tech)

Primary Entry Point: ALL Environments
Customer GRC Needs: Customer on ICE, ICM or FCD (Stellent) and NOT happy with some aspect of the solution
GRC Products:
• After thorough Discovery with GRC Spec Team
• GRC Manager
• Fusion GRC Intelligence
• Governance, Risk, and Compliance Controls
• GRC Infrastructure (Tech)

Page 33: Governance, Risk, and Compliance Sales Awareness Level 1

GRC ‘Greenfield’ Sales Scenarios
Look for Manual Processes in Finance and IT

• Finance/Compliance
- Manual process documentation
- Manual controls reporting in Excel (pivot tables, etc.)
- Manually managing documentation on desktops and shared drives
- No chain of custody on testing or evidentiary documentation
- Manual checking of transactions
- Lack of unified risk management

• IT Department
- Manually checking database logs
- Manually tracking system changes and configurations
- Manually provisioning users
- Manually archiving data
- Manually tracking super users and administrators
- Manually tracking segregation-of-duties
- Manually classifying electronic records
- Lack of enterprise-wide records retention policies

Page 34: Governance, Risk, and Compliance Sales Awareness Level 1

Agenda

• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources

Page 35: Governance, Risk, and Compliance Sales Awareness Level 1

Key Takeaways

• GRC is your ticket to speak strategically to the CFO, CEO, CIO and other senior executives

• GRC unifies stakeholder challenges, budgets, and increases the strategic & monetary value of every Financials deal

• Position GRC as the centerpiece in every financials deal, not just a product add-on

• Oracle GRC has never been stronger – Including GRC in your deals will make FY10 a banner year for you!

Page 36: Governance, Risk, and Compliance Sales Awareness Level 1

Agenda

• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources

Page 37: Governance, Risk, and Compliance Sales Awareness Level 1

GRC Sales Resources

http://my.oracle.com/grc

Sales Tools
• Presentations
• Solution Briefs
• Cheat Sheets
• Data Sheets

Internal Sales Tools
• GRC Applications Cheat Sheets
• GRC Applications Sales FAQ

Customer Facing Collateral
• GRC Applications Level 1 Presentation
• Datasheets
• Brochure
• Solution Brief
• Whitepapers
• Analyst Reports

GRC Contact
• Patrick Lim – APAC GRC Product Director