governance, risk, and compliance sales awareness level 1
TRANSCRIPT
Governance, Risk, and Compliance Sales Awareness Level 1
2
• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources
Agenda
3
Fraud on the Rise in 2008
Madoff made off with $50B of investors’ money
B. Ramalinga Raju admitted falsifying $1B in corporate accounts
Societe Generale lost €6.3B as Jerome Kerviel went rogue
Siemens agrees to pay $1.3B in bribery settlement
4
Corporate Governance in Asia
“Corporate governance can affect the share price, growth strategies and shareholder returns”
- Bill Sohn, UBS Managing Director of Investment Research
July 22, 2009
5
CONFIDENTIAL: All capabilities and dates are for planning purposes only and may not be used in any contract
… And Predicted to Spike in 2009
Increasing Fraud Risk
91% of public corporations expect fraud to increase or remain the same in 2009 [1]
Heightened by Cost Cutting Measures
• Layoffs and pay cuts result in disgruntled employees
• Restructuring throws segregation of duties controls into disarray
• Outsourcing and global expansion heightens risk of bribery & corruption
Lead to Heightened Regulatory Alert
The Public Company Accounting Oversight Board issued a 33-page alert to auditors, telling them to plan their audits with an eye towards the new risks that spring from management acting under economic pressure.
[1] Source: Compliance Week and Deloitte Financial Advisory Services Survey, 2009
6
Calls for Increased Regulatory Scrutiny
[Photos: Obama, Jintao, Sarkozy, Gordon]
AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)
EMEA
• EU Privacy Directives
• UK Companies Law
• Restriction of Hazardous Substances (RoHS/WEEE)
APAC
• J-SOX, C-SOX, K-SOX, C49
• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
• Stock Exchange of Thailand Code on Corporate Governance
GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance
7
While Cost of Compliance Continues to Rise
“Governance, risk management, and compliance (GRC) spending will exceed $32 billion for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.”
-- AMR Research, The Governance, Risk Management, and Compliance Spending Report, 2008–2009
[Chart: GRC spending, $29 billion (2007) to $32 billion (2008)]
8
Burden Stems from Core Challenges
Challenge: Multiple Requirements, Fragmented Response
Challenge: Largely Manual Efforts
Challenge: GRC Not Integrated into the Business
[Diagram: Finance SOX/JSOX groups, Business Assessment/Audit groups and IT Security/Risk Mgmt groups each keep their own risk and control matrix (R1–R3 against C1–C11), with GRC sitting outside the Business Processes]
9
Smart Strategies to Manage Risk and Compliance: Actions You Can Take Immediately
Strategy: Consolidate Multiple GRC Activities and Groups onto a Single Platform
Strategy: Automate Critical GRC Tasks
Strategy: Embed Controls into Standard Business Processes
[Diagram: Regulation A, Risk B and Standard C mapped onto a single set of risks (R1–R3) and controls (C1–C11) within GRC, embedded in the Business Process]
10
• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources
Agenda
11
Oracle GRC Applications
• Oracle GRC Controls
• Oracle GRC Manager
• Oracle GRC Intelligence
Smart Strategies to Manage Risk and Compliance: Actions You Can Take Immediately
Strategy: Consolidate Multiple GRC Activities and Groups onto a Single Platform
Strategy: Automate Critical GRC Tasks
Strategy: Embed Controls into Standard Business Processes
15
Oracle GRC Intelligence: Timely Access to GRC Information, Better Decisions
• 100+ pre-built KPIs for risk, certification, controls, and issues enable personalized reporting
• Self-service analysis and reporting with interactive dashboards and automated alerts
• Integrated financial statement and GRC information
[Diagram: GRC Reporting & Analysis cycle: Configure Risk & Control KPIs; Review GRC Dashboards; Investigate Troubling KPIs; Monitor All Open Issues]
16
Oracle GRC Manager: Manage Enterprise Risk & Compliance Activities
• Central repository for policy, risk and compliance documentation
• Automate certifications, audits, and management assessments
• Capture issues and manage remediation
[Diagram: Standards & Mandates, Controls and Risks feeding the Compliance Management Process: Assess Scope Based on Risk; Certify and Publish; Document Risk & Control Matrix; Test Controls and Analyze Exceptions; Remediate & Optimize]
17
Oracle GRC Controls Suite: Detect and Prevent Control Failure
Detective Controls
• What users have done
• What’s changed in the process
• What are the execution patterns
Preventive Controls
• What users can do
• How is the process set up
• How users execute processes
[Diagram: Access Controls, Configuration Controls and Transaction Controls, each with a detective and a preventive side]
Enforce Policies in Context
Monitor Control Effectiveness
18
Oracle Application Access Controls Governor: Enforce Proper Segregation of Duties in Applications
• Simplify segregation of duties enforcement with simulation and remediation
• Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
• Accelerate deployment and time to value with pre-delivered controls library
[Diagram (Detect / Prevent cycle): Access Analysis; Compensating Policies; Define Access Controls; Remediation (Clean-up); Preventive Provisioning]
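The slide names the five activities of an access-control cycle (define controls, analyse access, record compensating policies, remediate, and check provisioning before a grant) without showing what each does to the data. The following is an added example, not Oracle code and not how the Governor product is implemented: a small segregation-of-duties analyser over constructed users, responsibilities, conflict rules and compensating policies, written so the simulation step (what would this grant violate?) and the clean-up step (which responsibility to remove) can be run and inspected.

```python
"""Segregation-of-duties (SoD) analysis over application responsibilities.

Added illustration for the access-controls slide; not Oracle code. Users,
responsibilities, rules and compensating policies are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SodRule:
    """Access control: two responsibilities one person must not hold together."""
    name: str
    left: str
    right: str
    risk: str


@dataclass(frozen=True)
class Conflict:
    user: str
    rule: str
    responsibilities: Tuple[str, str]
    mitigated_by: Optional[str] = None  # compensating policy, if one applies


# Constructed access controls: classic procure-to-pay and hire-to-pay conflicts
RULES = [
    SodRule("P2P-01", "Create Supplier", "Enter AP Invoice", "fictitious vendor"),
    SodRule("P2P-02", "Enter AP Invoice", "Approve Payment", "unauthorised disbursement"),
    SodRule("H2P-01", "Maintain Employee", "Run Payroll", "ghost employee"),
]

# Constructed compensating policies: (user, rule) pairs accepted with a mitigating control
COMPENSATING = {
    ("carol", "P2P-02"): "CP-7: monthly payment-register review by the controller",
}

# Constructed current assignments: user -> responsibilities held today
ASSIGNMENTS = {
    "alice": ["Create Supplier", "Enter AP Invoice", "Approve Payment"],
    "bob": ["Run Payroll", "View Reports"],
    "carol": ["Enter AP Invoice", "Approve Payment"],
}


def find_conflicts(assignments, rules=RULES, compensating=COMPENSATING) -> List[Conflict]:
    """Access analysis: every rule violated by the responsibilities users hold."""
    found = []
    for user, resps in sorted(assignments.items()):
        held = set(resps)
        for rule in rules:
            if rule.left in held and rule.right in held:
                found.append(Conflict(user, rule.name, (rule.left, rule.right),
                                      compensating.get((user, rule.name))))
    return found


def unmitigated(conflicts) -> List[Conflict]:
    """Conflicts with no compensating policy: these need remediation."""
    return [c for c in conflicts if c.mitigated_by is None]


def simulate_grant(assignments, user, new_resp, rules=RULES) -> List[str]:
    """Preventive provisioning: rules a proposed grant would violate (empty means allow)."""
    held = set(assignments.get(user, ())) | {new_resp}
    return [r.name for r in rules
            if new_resp in (r.left, r.right) and r.left in held and r.right in held]


def remediation_plan(assignments, rules=RULES, compensating=COMPENSATING) -> Dict[str, List[str]]:
    """Clean-up: per user, remove the responsibility involved in the most open
    conflicts, repeating until no unmitigated conflict remains."""
    plan = {}
    for user, resps in assignments.items():
        remaining, removed = set(resps), []
        while True:
            open_conf = unmitigated(find_conflicts({user: remaining}, rules, compensating))
            if not open_conf:
                break
            counts = Counter(r for c in open_conf for r in c.responsibilities)
            victim = max(sorted(counts), key=counts.get)  # deterministic tie-break
            remaining.discard(victim)
            removed.append(victim)
        if removed:
            plan[user] = removed
    return plan


if __name__ == "__main__":
    for c in find_conflicts(ASSIGNMENTS):
        status = f"mitigated by {c.mitigated_by}" if c.mitigated_by else "OPEN"
        print(f"{c.user}: {c.rule} {c.responsibilities} -> {status}")
    print("grant bob 'Maintain Employee' ->", simulate_grant(ASSIGNMENTS, "bob", "Maintain Employee"))
    print("remediation plan:", remediation_plan(ASSIGNMENTS))
```

Run as-is, the analysis reports two open conflicts for alice and one mitigated conflict for carol, the simulated grant of "Maintain Employee" to bob is refused under H2P-01 because bob already runs payroll, and the clean-up removes only "Enter AP Invoice" from alice, since that single responsibility sits in both of her conflicts. The compensating-policy table is what keeps a known, accepted conflict out of the remediation queue; in practice each entry should name the mitigating control and its owner, as the sample does.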
19
Oracle Configuration Controls Governor: Ensure Integrity of Critical Application Setups
• Achieve consistent application setup and operating standards across multiple instances
• Track complete audit trails for changes to key configurations
• Tightly control change management to accelerate development and test time
[Diagram (Detect / Prevent cycle): Document or Compare Configurations; Manage Data Integrity; Define Configuration Controls; Monitor Configuration Changes; Enforce Change Control]
20
Oracle Transaction Controls Governor: Identify Inaccurate or Fraudulent Transactions
Continuously monitor accuracy of transactions and mitigate exposure to fraud
- Test against thresholds
- Search for anomalies
- Perform transaction sampling
[Diagram (Detect / Prevent cycle): Pre-delivered Transaction Controls; Suspect Transactions; Perform Transaction Analysis; Define Transaction Controls; Review and Address Suspects; Preventive Transaction Controls]
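The three detective techniques on this slide (threshold tests, anomaly search, sampling) are easier to reason about against a concrete feed. The following is an added example, not Oracle code and not the product's own control library: a small set of detective controls run over constructed AP invoice records, producing the "suspect transactions" queue the slide refers to. The approval limit, large-amount threshold and the five-percent band are constructed policy values.

```python
"""Detective transaction controls over an AP invoice feed.

Added illustration for the transaction-controls slide; not Oracle code.
Invoice records and policy thresholds are constructed sample data.
"""
import random
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed invoice feed; comments mark the patterns each record is meant to exercise
INVOICES = [
    {"id": "INV-1001", "supplier": "S-10", "amount": 4200.00, "approver": "dana", "entered_by": "erin"},
    {"id": "INV-1002", "supplier": "S-10", "amount": 4200.00, "approver": "dana", "entered_by": "erin"},   # duplicate of 1001
    {"id": "INV-1003", "supplier": "S-22", "amount": 9990.00, "approver": "dana", "entered_by": "frank"},  # just under limit
    {"id": "INV-1004", "supplier": "S-22", "amount": 9995.00, "approver": "dana", "entered_by": "frank"},  # split with 1003
    {"id": "INV-1005", "supplier": "S-31", "amount": 150000.00, "approver": "gus", "entered_by": "erin"},  # over threshold
    {"id": "INV-1006", "supplier": "S-31", "amount": 730.50, "approver": "erin", "entered_by": "erin"},    # self-approved
    {"id": "INV-1007", "supplier": "S-40", "amount": 1200.00, "approver": "gus", "entered_by": "frank"},   # clean
]

APPROVAL_LIMIT = 10000.00  # constructed: amount a single approver may release
LARGE_AMOUNT = 100000.00   # constructed: anything at or above this is always reviewed


def threshold_tests(invoices, large=LARGE_AMOUNT, limit=APPROVAL_LIMIT, band=0.05) -> List[Tuple[str, str]]:
    """Test against thresholds: very large amounts, and amounts sitting within
    `band` just below the approval limit (a common limit-avoidance pattern)."""
    suspects = []
    for inv in invoices:
        if inv["amount"] >= large:
            suspects.append((inv["id"], "over-large-amount-threshold"))
        elif limit * (1 - band) <= inv["amount"] < limit:
            suspects.append((inv["id"], "just-below-approval-limit"))
    return suspects


def anomaly_search(invoices, limit=APPROVAL_LIMIT) -> List[Tuple[str, str]]:
    """Search for anomalies: self-approval, duplicate supplier/amount pairs, and
    several sub-limit invoices from one supplier and clerk that together exceed the limit."""
    suspects = []
    same_pair = defaultdict(list)    # (supplier, amount) -> invoice ids
    sub_limit = defaultdict(list)    # (supplier, entered_by) -> sub-limit invoices
    for inv in invoices:
        if inv["approver"] == inv["entered_by"]:
            suspects.append((inv["id"], "self-approved"))
        same_pair[(inv["supplier"], inv["amount"])].append(inv["id"])
        if inv["amount"] < limit:
            sub_limit[(inv["supplier"], inv["entered_by"])].append(inv)
    for ids in same_pair.values():
        for dup in ids[1:]:
            suspects.append((dup, f"duplicate-of-{ids[0]}"))
    for group in sub_limit.values():
        if len(group) >= 2 and sum(i["amount"] for i in group) >= limit:
            for inv in group:
                suspects.append((inv["id"], "possible-split-payment"))
    return suspects


def transaction_sample(invoices, k, seed=0) -> List[str]:
    """Transaction sampling: a reproducible random draw of k invoice ids for manual
    review; the fixed seed lets an auditor re-derive exactly which items were pulled."""
    rng = random.Random(seed)
    return sorted(inv["id"] for inv in rng.sample(invoices, k))


def review_queue(invoices) -> Dict[str, List[str]]:
    """Suspect transactions: merge every control's findings per invoice id."""
    queue = defaultdict(list)
    for inv_id, reason in threshold_tests(invoices) + anomaly_search(invoices):
        queue[inv_id].append(reason)
    return dict(queue)


if __name__ == "__main__":
    for inv_id, reasons in sorted(review_queue(INVOICES).items()):
        print(inv_id, "->", ", ".join(reasons))
    print("random sample for review:", transaction_sample(INVOICES, 3))
```

On the constructed feed the queue holds five of the seven invoices, each with the reason that put it there, and INV-1007 stays out; the same functions run unchanged over a real extract as long as the records carry the same five fields.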
21
• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources
Agenda
22
Sample of GRC Customers
High Tech / Comms / Media
Public Sector
Financial Services
Consumer / Retail
Life Sciences
Manufacturing
23
COMPANY OVERVIEW
• Industry leading software and financial services company with products like Consumer Tax and QuickBooks
• Employees: 7,500
• Annual Revenue: 2.35 billion
CHALLENGES / OPPORTUNITIES
• Inappropriate responsibilities being granted to employees without review and approval
• Oracle configurations being modified without notification to the SOX Compliance Team
• Inefficient manual controls associated with SOX compliance
SOLUTIONS
• Oracle GRC Controls Suite
RESULTS
• 55% time savings among internal departments
• 65% reduction in controls testing
• 42% reduction in External auditor engagement
• Less than five months payback period for the current installation
CUSTOMER PERSPECTIVE
“We’ve been able to realize significant returns on our investment in the Oracle GRC Controls Suite to date. The 8.0 release of Oracle Application Access Controls Governor should help us continue our efforts to deliver well-controlled and efficient business processes, not only across the E-Business Suite, but also in our PeopleSoft and Siebel applications.”
– Rob Singleton, Manager, Controls Advisory Office
24
COMPANY OVERVIEW
• Established in 1817
• Total assets of $312 billion
• 35,000 employees
• Retail banking, wealth management and investment banking
CHALLENGES / OPPORTUNITIES
• User access was too broad; corporate assets not protected effectively
• No way to track changes to ERP application data, including who, what, when and why changes were made
• Segregation of Duties (SOD) analysis process was expensive and distracting from the core business
SOLUTIONS
• Oracle GRC Controls
RESULTS
• Cut SOD review time from 2 months to 2 days
• Eliminated all known SOD conflicts
• Created detailed access rules protecting corporate assets
• Created comprehensive audit trails
CUSTOMER PERSPECTIVE
“We’ve reduced the time it takes to complete routine audits from two months to two days.”
– Darlene Mac Cormac, VP, Procurement & Strategic Sourcing, Harris Bank
25
COMPANY OVERVIEW
• Technology leader in communications, electronics, life sciences and chemical analysis
• Revenue > $5 billion
• 20,000 employees
CHALLENGES / OPPORTUNITIES
• Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units
• World’s largest single Oracle EBS instance
• 20,000 Active users
• 50,000 Oracle responsibilities
SOLUTIONS
• Oracle GRC Controls Suite
• Oracle GRC Manager
RESULTS
• Implemented 200 automated controls in 8 weeks
• Avoided six-month customization effort, and estimated cost of $1 million
• Eliminated SOD conflicts to meet SOX compliance requirements on time
CUSTOMER PERSPECTIVE
“Oracle’s automated method quickly identifies SOD issues and resolves in a timely manner. In addition, the solution is easily adaptable as interpretations of SOX legislation changes or business conditions dictate.”
– Penny Kosley, Agilent Technologies
26
COMPANY OVERVIEW
• Insurance Industry
• Employees: 10,000+
• Revenue: Over US$ 10.5B
• Has subsidiaries in Canada and the UK
CHALLENGES / OPPORTUNITIES
• Lack of version control and security
• Redundancy in documentation
• Inadequate gap analysis
• Poor exception reporting
• Lack of visibility into the progress of compliance activities
SOLUTIONS
• Oracle GRC Manager
• Oracle Universal Content Management
RESULTS
• Reduced number of SOX-related docs stored by eliminating redundant data
• Better assignment of responsibilities & sharing of efficiencies for global roll out
• Single repository with linkage of common controls and processes
• Stronger focus on significant risks & true key controls
• Culture for compliance with senior buy in, training on the tool & greater control awareness
CUSTOMER PERSPECTIVE
“Using the Oracle system has helped us focus on significant risks and true key controls. This has improved our ability to resolve compliance issues in a timely fashion.”
– Danny Waxenberg, AVP Internal Controls
27
• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources
Agenda
28
Smart Strategies to Manage Risk and Compliance: Actions You Can Take Immediately
Strategy: Consolidate
Consolidate multiple GRC activities and groups onto a single platform
• GRC Manager
• GRC Intelligence
Strategy: Automate
Automate critical GRC tasks
• GRC Manager
• GRC Controls
Strategy: Embed
Embed controls into standard business processes
• GRC Controls
29
Oracle Governance, Risk, and Compliance
Reduce Compliance Costs & Control Risks
Enterprise GRC Platform Leader
• Address multiple regulations
• Works across any application
• Instant visibility to critical risks
In-Depth Controls Automation
• Automated controls for E-Business Suite, PeopleSoft, JD Edwards, & Siebel
• Top-to-bottom segregation of duties
• Compliant user-provisioning
30
Who’s Buying GRC? All Sizes, All Industries, All Business Types
PUBLIC
• Rev Range $50M - $200B
• Installed Base Accounts
• New Business/Greenfield
• Drivers:
  • Sarbanes-Oxley (SOX)
  • Segregation of Duties
  • Access Management
  • Change Management
  • Process Management
  • Internal Audit Ops
PRIVATE
• Rev Range $50M - $22B
• Installed Base Accounts
• New Business/Greenfield
• Drivers:
  • Segregation of Duties
  • Access Management
  • Change Management
  • Process Management
  • Internal Audit
  • IPO Readiness
GOVERNMENT
• Federal, State & Local
• Education
• Agencies
• Civil
• Dept. of Defence
• Aerospace & Defence
• Intelligence
• Drivers:
  • OMB A-123
  • Improper payments
  • Privacy act
  • FISMA
31
GRC Up-sell Scenarios
Primary Entry Point: EBS Suite
Customer GRC Needs: Customer on EBS needing GRC Product
GRC Products:
• Governance, Risk, and Compliance Manager
• Fusion Governance, Risk, and Compliance Intelligence
• Governance, Risk, and Compliance Controls
Primary Entry Point: EBS Suite
Customer GRC Needs: Customer on EBS and ICM needing complete analytics / GRC Content Management
GRC Products:
• Governance, Risk, and Compliance Manager Upgrade
• Fusion Governance, Risk, and Compliance Intelligence
• Configuration Control Governance
• Transaction Control Governance
Primary Entry Point: PeopleSoft Enterprise
Customer GRC Needs: Customer on PSFT needing GRC Product
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• Application Access Control Governance
Primary Entry Point: PeopleSoft Enterprise
Customer GRC Needs: Customer on PSFT with ICE needing Compliance Analytics/Reporting and Documentation Support
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• Oracle Identity Management Suite (Tech)
32
GRC Up-sell Scenarios
Primary Entry Point: Non-Oracle
Customer GRC Needs: Customer on SAP or other ERP needing best of breed GRC platform
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• Governance, Risk, and Compliance Controls
Primary Entry Point: SAP
Customer GRC Needs: Customer on SAP using Virsa for SOD within SAP and needing best of breed GRC documentation application
GRC Products:
• GRC Manager
• Fusion GRC Intelligence
• GRC Infrastructure (Tech)
Primary Entry Point: Mixed or Heterogeneous application infrastructure
Customer GRC Needs: Customer with heterogeneous environment needing GRC platform
GRC Products:
• Governance, Risk, and Compliance Manager
• Fusion GRC Intelligence
• Governance, Risk, and Compliance Controls
• GRC Infrastructure (Tech)
Primary Entry Point: ALL Environments
Customer GRC Needs: Customer on ICE, ICM or FCD (Stellent) and NOT happy with some aspect of the solution
GRC Products (after thorough Discovery with GRC Spec Team):
• GRC Manager
• Fusion GRC Intelligence
• Governance, Risk, and Compliance Controls
• GRC Infrastructure (Tech)
33
GRC ‘Greenfield’ Sales Scenarios: Look for Manual Processes in Finance and IT
Finance/Compliance
• Manual process documentation
• Manual controls reporting in Excel (pivot tables, etc.)
• Manually managing documentation on desktops and shared drives
• No chain of custody on testing or evidentiary documentation
• Manual checking of transactions
• Lack of unified risk management
IT Department
• Manually checking database logs
• Manually tracking system changes and configurations
• Manually provisioning users
• Manually archiving data
• Manually tracking super users and administrators
• Manually tracking segregation-of-duties
• Manually classifying electronic records
• Lack of enterprise-wide records retention policies
34
• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources
Agenda
35
Key Takeaways
• GRC is your ticket to speak strategically to the CFO, CEO, CIO and other senior executives
• GRC unifies stakeholder challenges, budgets, and increases the strategic & monetary value of every Financials deal
• Position GRC as the centerpiece in every financials deal, not just a product add-on
• Oracle GRC has never been stronger – Including GRC in your deals will make FY10 a banner year for you!
36
• Introduction to GRC
• Solution Overview
• Customer Reference and Case studies
• Target Audience
• Key Takeaways
• Key Contacts and Resources
Agenda
37
GRC Sales Resources
http://my.oracle.com/grc
Sales Tools
• Presentations
• Solution Briefs
• Cheat Sheets
• Data Sheets
Internal Sales Tools
• GRC Applications Cheat Sheets
• GRC Applications Sales FAQ
Customer Facing Collateral
• GRC Applications Level 1 Presentation
• Datasheets
• Brochure
• Solution Brief
• Whitepapers
• Analyst Reports
GRC Contact
• Patrick Lim – APAC GRC Product Director