Evolving from Financial Compliance to Next Generation GRC

Gary Prince, Principal Solution Specialist - GRC

28 pages

Uploaded by buikhue, posted on 28-Mar-2018

TRANSCRIPT

Page 1

Evolving from Financial Compliance to Next Generation GRC

Gary Prince, Principal Solution Specialist - GRC

Page 2

Agenda

• Business Challenges

• Oracle’s Leadership in Governance, Risk and Compliance

• Solution Overview

• Solution Demo

Page 3

Financial Compliance is Only the First Step: Pressure mounts to fortify the financial compliance foundation

1. Regulations Go Beyond Financial Reporting: an increasing number of regulations pose a challenge to sustainable GRC

2. Vulnerability to Information Breaches: growing recognition that information breaches stem from inside the organization

3. Real-Time Public Exposure of Misdeeds: instantaneous media communication increases the risk of reputational damage

Mandates shown: IT Governance, Patriot Act, E-Discovery, HIPAA, AML, ERM, Records Retention, PCI, Basel II, NERC/FERC, OFAC, CFR

Page 4

GRC is the “New Normal”: Requirements Increase in Number and Complexity

Compliance areas: IT Governance, Supply Chain Traceability, Service Level Compliance, Financial Reporting Compliance, Compliance & Ethics Programs, Audit Management, Data Privacy, Records Retention, Legal Discovery, Anti-Money Laundering

Technology: Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications

Dimensions of growth: Mandates, Regions, Technology, People

People and functions: Legal, Finance, HR, Sales, Suppliers, Customers, R&D, Mfg

Mandates: SOX, JSOX, HIPAA, Basel II, EU Directives, GLBA, PCI, …, Patriot Act, SB1386

Source: Open Compliance and Ethics Group

Page 5

New Risks to Your Business: Credit Card / Identity Theft

• TJ Maxx

8 class-action lawsuits filed as of March 23; a Massachusetts-led investigation by attorneys general from 30 states; a pretax charge of $25 million spent to date.

Source: 2006 Annual Report, March 2007

• Chipotle: Fast food chain stored full range of customer data from credit card accounts. Roughly 2,000 fraudulent charges against Chipotle customers totalled $1.3M, additional fines from Visa and Mastercard amounted to $1.7M, and legal fees racked up another $1.3M.

Source: Computerworld, December 2005

• Dollar Tree: Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Cyber-thieves have stolen as much as $700,000 from personal accounts during the last two months.

Source: Eweek, August 2006

• Life is Good: Boston-based retailer today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers.

Source: Boston.com, Sept. 2006

Page 6

Security Breaches are increasingly Expensive

Costs are increasing

• Breaches cost companies an average of $182 per compromised record

• This was a 31% increase over 2005

• In 2006, 31 companies experienced a data breach.

• The total costs for each loss ranged from $1 Million to over $22 Million

Source: The Ponemon Institute, October 2006

Penalties are Severe

• Companies can be barred from processing credit card transactions, higher processing fees can be applied; and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance.

Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html

Page 7

Proactive Security Is Cheaper

The cost of a breach can reach at least $90 per customer, for companies with at least 100,000 accounts, versus $6 to $16 per account per year to strongly protect that data.

Source: Gartner study, 16 September 2005, “Data Protection is less costly than breaches”

Page 8

Complementary Compliance Efforts

Sarbanes-Oxley

• Requires that public companies have effective internal controls on financial information with independent auditor attestation.

• Prudent private companies comply as well.

• It comes down to this:

  • Access control: Who has access to what information?

  • Auditability: Can you monitor and track access to information?

Gramm-Leach-Bliley Act

• Requires that financial institutions safeguard “Personally Identifiable Information” (PII)

• Prudent retailers consider GLBA compliance a “best practice”

• Personal service depends on secure access to PII.

• Data Privacy: Do your best customers trust you?

Page 9

Practical Lessons from Sarbanes-Oxley: Most organizations progress through a maturity curve

Chart (Number of Controls and Cost over Year 1 & 2, Year 3, Year 4+), phases in order: DEFINE → RATIONALIZE → AUTOMATE, MONITOR & VERIFY

Effort levels in order: MANUAL, REDUNDANT EFFORTS → REMEDIATION & STANDARDIZATION → EMBEDDED GRC & OPERATIONAL EXCELLENCE

New AS5 Guidance:

• Top-down risk-based approach

• Tailor audit to specific company profile

• External auditors can use work of others as evidence

Page 10

Agenda

• Business Challenges

• Oracle’s Leadership in Governance, Risk and Compliance

• Solution Overview

• Customer Success

Page 11

Oracle’s Compliance Solution

Solution layers: Cross-Enterprise Infrastructure; Policy and Process Management; Enterprise Control Management; Analytics & Performance Management

• End-to-End Policy & Process Management Governs Risk and Compliance Activities

• Enterprise Control Management Detects and Prevents Control Failures

• Integrated Analytics Deliver Actionable Insight

Page 12

Oracle Compliance Solution (solution architecture diagram, repeated): Cross-Enterprise Infrastructure; Policy and Process Management governs risk and compliance activities; Enterprise Control Management detects and prevents control failures; Analytics & Performance Management delivers actionable insight

Page 13

A World of Paper and Manual Hand Offs: Current state of risk and compliance management

Diagram: Business Process Owners, Executives, Auditors and Testers, each left with open questions. A Fragmented Approach?

Page 14

Content Management is the Cornerstone: Single system of record for compliance information

Single Source of Information: Date Effective, Chain of Custody, All Content Types, Secure Enterprise Search, Search, Central Repository

• Link policies and procedures to laws, regulations, and standards as evidence of compliance

• Apply and track permission-based access to policy and procedure documents

• Leverage advanced search function with familiar look and feel

Page 15

Manage Policies and Procedures: Align policies to best-practice frameworks

Embedded Frameworks (COSO, COBIT, ITIL); Master Libraries of Policies & Controls

• Frameworks align corporate policies and associated controls to standards

• Link shared policies and controls in master libraries for easy maintenance

Page 16

Manage Financial Compliance Process: Automate and streamline compliance process

Workflow: Assess/Audit → Analyze → Document → Respond → Certify, with an inbox notifying participants of tasks

65% of companies say they have been adversely impacted by redundant or inconsistent GRC processes. What are the resulting effects? (chart values in the order shown)

• Increased general operating expenses: 71%

• Increased cost of reconciling information: 69%

• Reduced margins: 32%

• Higher cost from suppliers: 15%

• Higher cost of capital: 10%

Source: 2007 OCEG Benchmark Series

Page 17

Oracle Financial Compliance Solution (solution architecture diagram, repeated): Cross-Enterprise Infrastructure; Policy & Process Management governs risk and compliance activities; Enterprise Control Management detects and prevents control failures; Analytics & Performance Management delivers actionable insight

Page 18

Segregation of Duties for Applications: Detect access violations

Diagram: Employee → Check for Violations against the Library of SOD Constraints (pre-delivered content) → Violation Detection → Corrective Measures → Violation Cleared → Authorized Access; Evidence of Due Diligence is retained as process evidence

• User access deviations detected across instances

• Continuous monitoring through reporting

Page 19

Role-Based Access to Applications: Prevent access violations

Diagram: Employee → Set Up of User Profile → Assignment of Roles, checked against the SOD Policy → Violation Prevention → Denied Grant of Role; Certification of Who Has Access to What

• Integrated framework for user provisioning

• Set up of user profiles with library of constraints

• Segregation of duties prevention and certification across heterogeneous systems
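The detective check of Page 18 and the preventive check of Page 19, written out as one added example (not code from the deck or from Oracle's products). The constraint library, role definitions and access records are constructed sample values; a user's capabilities are unioned across instances, since a conflict split between two systems is still a conflict for the same person.

```python
"""Segregation-of-duties (SoD) checks: detect existing conflicts across
application instances, and block a role grant that would create a new one.
Added illustration; constraints, roles and users below are constructed."""
from collections import defaultdict

# Constructed SoD constraint library: two capabilities one person must not
# hold together, and the risk the constraint guards against.
SOD_CONSTRAINTS = [
    ("create_vendor", "approve_payment", "fictitious vendor paid"),
    ("enter_invoice", "approve_payment", "self-approved invoice"),
    ("maintain_price_tolerance", "receive_goods", "tolerance tampering"),
]

# Constructed role-to-capability mapping (what each application role grants).
ROLE_CAPABILITIES = {
    "AP_CLERK": {"enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "VENDOR_ADMIN": {"create_vendor"},
    "WAREHOUSE": {"receive_goods"},
    "CONFIG_ADMIN": {"maintain_price_tolerance"},
}

# Constructed access records: (user, instance, role) across two ERP instances.
ACCESS_RECORDS = [
    ("alice", "ERP-PROD", "AP_CLERK"),
    ("alice", "ERP-EMEA", "AP_MANAGER"),
    ("bob", "ERP-PROD", "VENDOR_ADMIN"),
    ("carol", "ERP-PROD", "WAREHOUSE"),
]

def capabilities_by_user(records):
    """Union each user's capabilities over every instance they appear in."""
    caps = defaultdict(set)
    for user, _instance, role in records:
        caps[user] |= ROLE_CAPABILITIES.get(role, set())
    return caps

def violations_for(caps):
    """Return the constraints a capability set breaks."""
    return [c for c in SOD_CONSTRAINTS if c[0] in caps and c[1] in caps]

def detect_violations(records=ACCESS_RECORDS):
    """Detective control: map each offending user to the constraints broken."""
    found = {}
    for user, caps in capabilities_by_user(records).items():
        broken = violations_for(caps)
        if broken:
            found[user] = broken
    return found

def grant_role(user, role, records=ACCESS_RECORDS):
    """Preventive control: deny a grant that would introduce a new conflict.
    Returns (granted, new_conflicts)."""
    current = capabilities_by_user(records).get(user, set())
    proposed = current | ROLE_CAPABILITIES.get(role, set())
    new = [c for c in violations_for(proposed) if c not in violations_for(current)]
    return (not new), new
```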

Page 20

Control Privileged User Access: Take away the keys of the kingdom

Diagram: a super DBA tries to access financial tables during a quiet period → ACCESS DENIED; DBA access is scoped by realm (HR Realm, FIN Realm)

• Protect from insider threats by ensuring powerful users have access to only what they need to do their job

• Restrict access to sensitive data and ascertain that users are who they state themselves to be

Page 21

Control Privileged User Access: Take away the keys of the kingdom

Critical data: National ID/SSN, Salary $, Customer Records (sample value shown: 782-03-0275)

Super user access controls: Realms (HR Realm, FIN Realm, with the FIN DBA and HR DBA each confined to their own realm), Time of Day (3pm Monday), DBA IP Address

• Protect from insider threats by ensuring powerful users have access to only what they need to do their job

• Restrict access to sensitive data and ascertain that users are who they state themselves to be
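The realm-and-factor decision of Pages 20 and 21 as an added example (not Oracle Database Vault or any code from the deck): a superuser flag is deliberately never consulted, so system-wide privilege does not reach into a protected realm, and access is granted only when realm membership, quiet period, source address and time of day all agree. Realms, tables, network, schedule and quiet period are constructed sample values.

```python
"""Realm-based control of privileged (DBA) access with request factors.
Added illustration; every realm, object, address and schedule is constructed."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Constructed realms: protected objects and the administrators allowed in.
REALMS = {
    "HR": {"objects": {"HR.EMPLOYEES", "HR.SALARIES"}, "admins": {"hr_dba"}},
    "FIN": {"objects": {"FIN.GL_BALANCES", "FIN.PAYMENTS"}, "admins": {"fin_dba"}},
}
# Constructed factors: the DBA team's network, business hours, and a
# financial quiet period during which nobody may touch FIN data.
DBA_NETWORK = ipaddress.ip_network("10.20.0.0/24")
BUSINESS_HOURS = range(8, 18)                      # 08:00 to 17:59, Mon-Fri
QUIET_PERIODS = {"FIN": [(datetime(2024, 3, 28), datetime(2024, 4, 2))]}

@dataclass
class Request:
    user: str
    is_superuser: bool      # carried for the audit record, never used to decide
    obj: str
    when: datetime
    source_ip: str

def realm_of(obj):
    for name, realm in REALMS.items():
        if obj in realm["objects"]:
            return name
    return None

def authorize(req):
    """Return (allowed, reason). Access is granted only when realm
    membership and every factor agree; a superuser gets no bypass."""
    realm = realm_of(req.obj)
    if realm is None:
        return True, "unprotected object"
    for start, end in QUIET_PERIODS.get(realm, []):
        if start <= req.when < end:
            return False, f"{realm} realm is closed during the quiet period"
    if req.user not in REALMS[realm]["admins"]:
        return False, f"{req.user} is not an administrator of the {realm} realm"
    if ipaddress.ip_address(req.source_ip) not in DBA_NETWORK:
        return False, "source address is outside the DBA network"
    if req.when.weekday() > 4 or req.when.hour not in BUSINESS_HOURS:
        return False, "outside business hours"
    return True, "realm administrator within allowed factors"

def decide(user, obj, when_iso, source_ip, is_superuser=False):
    """Convenience wrapper taking the timestamp as an ISO 8601 string."""
    return authorize(Request(user, is_superuser, obj,
                             datetime.fromisoformat(when_iso), source_ip))
```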

Page 22

Verify System Configurations: Automate and monitor application controls

Procure-to-Pay process (SAP): Requisition → Purchase Goods / Services → Receive Goods / Services → Invoice → Issue Payments (Procurement, Inventory, Accounts Payable)

Controls monitored along the process: ensure internal requisition source; monitoring of changes to expensing rules; monitoring of changes to price tolerance percentage; monitoring of changes to document numbering; monitoring of discounting rules

• Monitors over 500 key configuration settings across instances

• Before and after snapshot of changes to settings with ability to revert back

• Automatic alerts notify managers as exceptions occur
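The snapshot, alert and revert cycle described on Page 22, as an added example (not the deck's or Oracle's code): a baseline snapshot of monitored settings, a diff of the live values against it, one alert per changed control routed to the owning manager, and a revert back to the baseline. The setting names, owners and values are constructed.

```python
"""Configuration-control monitoring for a procure-to-pay system: baseline
snapshot, diff of live values against it, alerts for changed controls, and
revert. Added illustration, not Oracle's product; settings are constructed."""
import copy

# Constructed monitored settings, each with the manager to alert on change.
MONITORED = {
    "ap.invoice.price_tolerance_pct": "ap_manager",
    "mm.document_numbering.external_allowed": "procurement_lead",
    "fi.expensing.auto_capitalize_threshold": "controller",
    "sd.discount.max_pct_without_approval": "sales_controller",
}

def take_snapshot(settings, taken_at):
    # Deep copy so later edits to the live system cannot rewrite the baseline.
    return {"taken_at": taken_at, "values": copy.deepcopy(settings)}

def diff_settings(baseline, live):
    """Changed monitored settings as {key: (before, after)}; unmonitored
    keys never produce an exception."""
    changes = {}
    for key in MONITORED:
        before, after = baseline["values"].get(key), live.get(key)
        if before != after:
            changes[key] = (before, after)
    return changes

def build_alerts(changes, detected_at):
    """One alert per exception, routed to the owning manager."""
    return [{"to": MONITORED[k], "setting": k, "before": b, "after": a,
             "detected_at": detected_at} for k, (b, a) in changes.items()]

def revert(live, baseline, keys):
    """Restore the listed settings from the baseline; returns reverted keys."""
    reverted = []
    for key in keys:
        if key in baseline["values"]:
            live[key] = copy.deepcopy(baseline["values"][key])
            reverted.append(key)
    return reverted

# Constructed sample: baseline at go-live, then drift in the live system.
LIVE = {
    "ap.invoice.price_tolerance_pct": 5,
    "mm.document_numbering.external_allowed": False,
    "fi.expensing.auto_capitalize_threshold": 2500,
    "sd.discount.max_pct_without_approval": 10,
    "ui.theme": "classic",
}
BASELINE = take_snapshot(LIVE, "2024-04-01T09:00")
LIVE["ap.invoice.price_tolerance_pct"] = 25      # tolerance loosened
LIVE["mm.document_numbering.external_allowed"] = True
LIVE["ui.theme"] = "modern"                       # not a control, no alert

def run_check(live=LIVE, baseline=BASELINE, now="2024-04-02T09:00"):
    return build_alerts(diff_settings(baseline, live), now)
```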

Page 23

Anticipate Auditor Requirements with Evidence of Enforcement

• Prevent unauthorized system configuration changes with diagnostics

• Deliver auditor-ready reports for process certification and remediation analysis

• Identify top audit alerts by application, system, and audit event

• Provide evidence of best-practice periodic attestation

• Identify trends in control performance with snapshot comparisons

• Review complete audit trail for any changes to control elements

Serves both IT Audit and Financial Audit

Page 24

Oracle Financial Compliance Solution (solution architecture diagram, repeated): Cross-Enterprise Infrastructure; Policy and Process Management governs risk and compliance activities; Enterprise Control Management detects and prevents control failures; Analytics & Performance Management delivers actionable insight

Page 25

Oracle Financial Compliance Solution Summary

Integrated financial compliance analytics deliver actionable insight; enterprise control management detects and prevents control failure; policy and process management govern risk and compliance activities.

• Control user access & enforce segregation of duties with business-driven rules

• Reduce risk of fraud with continuous monitoring of automated controls

• Enforce effective preventive and detective controls across all systems

• Leverage a single source of GRC information across departments, units and locations

• Improve risk responsiveness with timely control and performance analytics

• Tailor GRC intelligence to the needs of your specific organization and function

• Reduce cost and complexity by managing multiple global financial mandates with one system

• Rely on tamper-proof chain of evidence for all financial compliance processes

• Align policies and processes with best practice risk and control frameworks

Page 26

Why Choose Oracle GRC?

Only Oracle…

Governs Risk and Compliance Activities with Policy & Process Mgmt

• Reduce cost and complexity by managing global financial mandates with one system

• Rely on tamper-proof chain of evidence for all compliance processes

• Align policies and processes with best-practice risk and control frameworks

Detects and Prevents Control Failures with Enterprise Control Mgmt

• Control user access & enforce segregation of duties with business-driven rules

• Reduce risk of fraud with continuous monitoring of automated controls

• Enforce effective preventive and detective controls across all systems

Delivers GRC Insight for Better Business Performance

• Leverage a single source of GRC information across departments and locations

• Improve risk responsiveness with timely control and performance analytics

• Tailor GRC intelligence to the needs of your specific organization and function

Page 27

Oracle Governance, Risk, and Compliance

Simplify GRC and Reduce Costs

Safeguard Brand and Reputation

Run Your Business Better and Prove It

Page 28