Evolving from Financial Compliance to Next Generation GRC
Gary Prince, Principal Solution Specialist - GRC
Agenda
• Business Challenges
• Oracle’s Leadership in Governance, Risk and Compliance
• Solution Overview
• Solution Demo
Financial Compliance is Only the First Step
Pressure mounts to fortify financial compliance foundation
1. Regulations Go Beyond Financial Reporting: an increasing number of regulations poses a challenge to sustainable GRC
2. Vulnerability to Information Breaches: growing recognition that information breaches stem from inside the organization
3. Real-Time Public Exposure of Misdeeds: instantaneous media communication increases the risk of reputational damage
Regulations and programs shown: IT Governance, Patriot Act, E-Discovery, HIPAA, AML, ERM, Records Retention, PCI, Basel II, NERC/FERC, OFAC, CFR
GRC is the “New Normal”
Requirements Increase in Number and Complexity
• Mandates: SOX, JSOX, HIPAA, Basel II, EU Directives, GLBA, PCI, Patriot Act, SB1386, …
• Regions
• Technology: Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications
• People: Legal, Finance, HR, Sales, Suppliers, Customers, R&D, Mfg
• Compliance domains: IT Governance, Supply Chain Traceability, Service Level Compliance, Financial Reporting Compliance, Compliance & Ethics Programs, Audit Management, Data Privacy, Records Retention, Legal Discovery, Anti-Money Laundering
Source: Open Compliance and Ethics Group
New Risks to Your Business: Credit Card / Identity Theft
• TJ Maxx: 8 class-action lawsuits filed as of March 23; a Massachusetts-led investigation by attorneys general from 30 states; a pretax charge of $25 million spent to date.
Source: 2006 Annual Report, March 2007
• Chipotle: Fast food chain stored full range of customer data from credit card accounts. Roughly 2,000 fraudulent charges against Chipotle customers totalled $1.3M, additional fines from Visa and Mastercard amounted to $1.7M, and legal fees racked up another $1.3M.
Source: Computerworld, December 2005
• Dollar Tree: Customers of the discount store have reported money stolen from their bank accounts due to unauthorized ATM withdrawals. Cyber-thieves have stolen as much as $700,000 from personal accounts during the last two months.
Source: Eweek, August 2006
• Life is Good: Boston-based retailer today disclosed a security breach in which hackers accessed a database containing 9,250 customers' credit card numbers.
Source: Boston.com, Sept. 2006
Security Breaches Are Increasingly Expensive
Costs are increasing
• Breaches cost companies an average of $182 per compromised record
• This was a 31% increase over 2005
• In 2006, 31 companies experienced a data breach.
• The total costs for each loss ranged from $1 Million to over $22 Million
Source: The Ponemon Institute, October 2006
Penalties are Severe
• Companies can be barred from processing credit card transactions, higher processing fees can be applied; and in the event of a serious security breach, fines of up to $500,000 can be levied for each instance of non-compliance.
Source: http://www.internetretailer.com/internet/marketing-conference/80146-compliance-dilemma.html
Proactive Security Is Cheaper
The cost of a breach can reach at least $90 per customer, for companies with at least 100,000 accounts, versus $6 to $16 per account per year to strongly protect that data.
Source: Gartner Study, 16 September 2005, “Data Protection is less costly than breaches”
Complementary Compliance Efforts
Sarbanes-Oxley
• Requires that public companies have effective internal controls on financial information with independent auditor attestation.
• Prudent private companies comply as well.
• It comes down to this:
  • Access control: Who has access to what information?
  • Auditability: Can you monitor and track access to information?
Gramm-Leach-Bliley Act
• Requires that financial institutions safeguard “Personally Identifiable Information” (PII)
• Prudent retailers consider GLBA compliance a “best practice”
• Personal service depends on secure access to PII.
• Data Privacy: Do your best customers trust you?
Practical Lessons from Sarbanes-Oxley
Most organizations progress through a maturity curve
[Figure: maturity curve plotting number of controls and cost over time]
• Year 1 & 2 (DEFINE): manual, redundant efforts
• Year 3 (RATIONALIZE): remediation & standardization
• Year 4+ (AUTOMATE, MONITOR & VERIFY): embedded GRC & operational excellence
New AS5 Guidance:
• Top-down risk-based approach
• Tailor audit to specific company profile
• External auditors can use work of others as evidence
Agenda
• Business Challenges
• Oracle’s Leadership in Governance, Risk and Compliance
• Solution Overview
• Customer Success
Oracle’s Compliance Solution
• Policy and Process Management: end-to-end policy & process management governs risk and compliance activities
• Enterprise Control Management: detects and prevents control failures
• Analytics & Performance Management: integrated analytics deliver actionable insight
• Cross-Enterprise Infrastructure
A World of Paper and Manual Hand Offs
Current state of risk and compliance management
A Fragmented Approach: Business Process Owners, Executives, Auditors and Testers each hand off paper to the next with no shared record
Content Management is the Cornerstone
Single system of record for compliance information
Central repository and single source of information: date effective, chain of custody, all content types, secure enterprise search
• Link policies and procedures to laws, regulations, and standards as evidence of compliance
• Apply and track permission-based access to policy and procedure documents
• Leverage advanced search function with familiar look and feel
Manage Policies and Procedures
Align policies to best-practice frameworks
• Embedded frameworks (COSO, COBIT, ITIL)
• Master libraries of policies & controls
• Frameworks align corporate policies and associated controls to standards
• Link shared policies and controls in master libraries for easy maintenance
Manage Financial Compliance Process
Automate and streamline compliance process
[Figure: workflow-driven compliance cycle with the steps Assess/Audit, Analyze, Document, Respond and Certify, each connected by workflow, and an inbox notifying users of their tasks]
65% of companies say they have been adversely impacted by redundant or inconsistent GRC processes. What are the resulting effects?
• Increased general operating expenses: 71%
• Increased cost of reconciling information: 69%
• Reduced margins: 32%
• Higher cost from suppliers: 15%
• Higher cost of capital: 10%
Source: 2007 OCEG Benchmark Series
Oracle Financial Compliance Solution: Enterprise Control Management
Segregation of Duties for Applications
Detect access violations
[Figure: an employee's access is checked for violations against a library of SOD constraints (pre-delivered content); a detected violation triggers corrective measures, after which the violation is cleared and access is authorized, with evidence of due diligence kept as process evidence]
• User access deviations detected across instances
• Continuous monitoring through reporting
Role-Based Access to Applications
Prevent access violations
[Figure: during set-up of a user profile and assignment of roles, the SOD policy is evaluated; a conflicting role grant is denied (violation prevention), and certification records who has access to what]
• Integrated framework for user provisioning
• Set-up of user profiles with library of constraints
• Segregation of duties prevention and certification across heterogeneous systems
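The detective check (scanning existing access against a constraint library) and the preventive check (denying a role grant that would create a conflict) from the two slides above, as an added example that is not Oracle's code. The constraint library, roles and duties are constructed for illustration.

```python
"""Segregation-of-duties (SoD) checks for application roles.
Added example, not Oracle's code: the constraint library, roles and duties
below are constructed to illustrate the detective and preventive checks."""
from dataclasses import dataclass

# Constructed SoD constraint library: pairs of duties one person must not hold.
SOD_CONSTRAINTS = [
    ("create_vendor", "approve_payment", "vendor setup vs. payment approval"),
    ("enter_journal", "post_journal", "journal entry vs. journal posting"),
    ("create_po", "receive_goods", "purchasing vs. goods receipt"),
]

# Constructed role-to-duty mapping: what each application role lets a user do.
ROLE_DUTIES = {
    "AP_CLERK": {"enter_invoice", "create_vendor"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"post_journal"},
    "BUYER": {"create_po"},
    "WAREHOUSE": {"receive_goods"},
}


@dataclass(frozen=True)
class Violation:
    user: str
    duty_a: str
    duty_b: str
    reason: str
    via_roles: tuple  # roles that together grant the conflicting duties


def detect_violations(user, roles):
    """Detective control: every SoD conflict present in a user's current roles."""
    roles = set(roles)
    found = []
    for a, b, reason in SOD_CONSTRAINTS:
        grants_a = {r for r in roles if a in ROLE_DUTIES.get(r, ())}
        grants_b = {r for r in roles if b in ROLE_DUTIES.get(r, ())}
        if grants_a and grants_b:  # both duties reachable -> conflict
            found.append(Violation(user, a, b, reason, tuple(sorted(grants_a | grants_b))))
    return found


def can_grant(user, current_roles, new_role):
    """Preventive control: deny a role grant that would introduce a new conflict.
    Returns (allowed, list of the conflicts the grant would create)."""
    before = {(v.duty_a, v.duty_b) for v in detect_violations(user, current_roles)}
    after = detect_violations(user, set(current_roles) | {new_role})
    new = [v for v in after if (v.duty_a, v.duty_b) not in before]
    return not new, new
```

Running `detect_violations` over every user's roles pulled from each instance gives the detective sweep; calling `can_grant` in the provisioning path gives the preventive check, and the returned `Violation` records are the evidence of due diligence.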
Control Privileged User Access
Take away the keys of the kingdom
[Figure: a super DBA tries to access financial tables during a quiet period and is denied; the HR realm and the FIN realm are protected separately from generic DBA access]
[Figure: critical data (National ID/SSN, salary in $, ₤ and €, customer records) is guarded by super user access controls that take into account the realm (HR realm, FIN realm), the realm-specific DBA (FIN DBA, HR DBA), the time of day (e.g. 3pm Monday) and the DBA's IP address]
Protect from insider threats by ensuring powerful users have access to only what they need to do their job. Restrict access to sensitive data and ascertain that users are who they state themselves to be.
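The realm-and-factor decision shown above (realm membership, realm-specific DBA, time of day, quiet period, source IP), as an added example that is not Oracle Database Vault code. Every realm, object, address, hour range and date below is constructed for illustration.

```python
"""Realm-style control of privileged (DBA) access, modelled on the factors the
slides name: the realm an object belongs to, the realm's own DBA, time of day,
quiet periods and the DBA's IP address. Added example, not Oracle Database
Vault code; every realm, object, address and date below is constructed."""
from datetime import datetime
import ipaddress

# Constructed realms: sensitive objects grouped so generic DBA power stops here.
REALMS = {
    "FIN": {"FIN.GL_BALANCES", "FIN.PAYMENTS", "FIN.SALARY"},
    "HR": {"HR.EMPLOYEES", "HR.NATIONAL_ID"},
}
# Only the realm's designated DBA may reach its objects; a super DBA is not enough.
REALM_DBAS = {"FIN": {"FIN_DBA"}, "HR": {"HR_DBA"}}
BUSINESS_HOURS = range(8, 18)                     # 08:00-17:59 local time
ADMIN_NET = ipaddress.ip_network("10.20.0.0/24")  # where DBAs must connect from
# Constructed quiet period for the FIN realm (e.g. the financial close window).
QUIET_PERIODS = {"FIN": [("2024-03-25T00:00", "2024-04-05T23:59")]}


def realm_of(obj):
    """Name of the realm protecting obj, or None if it is unprotected."""
    return next((name for name, objs in REALMS.items() if obj in objs), None)


def authorize(role, obj, when_iso, src_ip):
    """Decide a privileged access request; returns (allowed, reason).
    Every factor must pass; the first failing factor is reported."""
    realm = realm_of(obj)
    if realm is None:
        return True, "object not in a protected realm"
    if role not in REALM_DBAS[realm]:
        return False, f"{role} is not a DBA of the {realm} realm"
    when = datetime.fromisoformat(when_iso)
    if when.hour not in BUSINESS_HOURS:
        return False, "outside business hours"
    if ipaddress.ip_address(src_ip) not in ADMIN_NET:
        return False, "source address outside the admin network"
    for start, end in QUIET_PERIODS.get(realm, []):
        if datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end):
            return False, f"{realm} realm is in a quiet period"
    return True, "all factors satisfied"
```

The denial reason is what a monitoring report would record; the object lookup deliberately runs before any privilege check so that a super DBA's generic rights never bypass a realm.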
Verify System Configurations
Automate and monitor application controls
[Figure: procure-to-pay process in SAP (Requisition → Purchase Goods/Services → Receive Goods/Services → Invoice → Issue Payments) spanning Procurement, Inventory and Accounts Payable, with monitoring of changes to expensing rules, price tolerance percentage, document numbering and discounting rules, and a check to ensure an internal requisition source]
• Monitors over 500 key configuration settings across instances
• Before-and-after snapshot of changes to settings with ability to revert back
• Automatic alerts notify managers as exceptions occur
Anticipate Auditor Requirements with Evidence of Enforcement (IT Audit, Financial Audit)
• Prevent unauthorized system configuration changes with diagnostics
• Deliver auditor-ready reports for process certification and remediation analysis
• Identify top audit alerts by application, system, and audit event
• Provide evidence of best-practice periodic attestation
• Identify trends in control performance with snapshot comparisons
• Review complete audit trail for any changes to control elements
Oracle Financial Compliance Solution: Analytics & Performance Management
Oracle Financial Compliance Solution Summary
Policy and process management governs risk and compliance activities
• Reduce cost and complexity by managing multiple global financial mandates with one system
• Rely on tamper-proof chain of evidence for all financial compliance processes
• Align policies and processes with best practice risk and control frameworks
Enterprise control management detects and prevents control failure
• Control user access & enforce segregation of duties with business-driven rules
• Reduce risk of fraud with continuous monitoring of automated controls
• Enforce effective preventive and detective controls across all systems
Integrated financial compliance analytics deliver actionable insight
• Leverage a single source of GRC information across departments, units and locations
• Improve risk responsiveness with timely control and performance analytics
• Tailor GRC intelligence to the needs of your specific organization and function
Why Choose Oracle GRC?
Only Oracle…
Governs Risk and Compliance Activities with Policy & Process Mgmt
• Reduce cost and complexity by managing global financial mandates with one system
• Rely on tamper-proof chain of evidence for all compliance processes
• Align policies and processes with best-practice risk and control frameworks
Detects and Prevents Control Failures with Enterprise Control Mgmt
• Control user access & enforce segregation of duties with business-driven rules
• Reduce risk of fraud with continuous monitoring of automated controls
• Enforce effective preventive and detective controls across all systems
Delivers GRC Insight for Better Business Performance
• Leverage a single source of GRC information across departments and locations
• Improve risk responsiveness with timely control and performance analytics
• Tailor GRC intelligence to the needs of your specific organization and function
Oracle Governance, Risk, and Compliance
Simplify GRC and Reduce Costs
Safeguard Brand and Reputation
Run Your Business Better and Prove It