
Implementation of SAP-GRC with the Pictet Group

Pictet & Cie | Implementation of SAP-GRC with the Pictet Group

Olivier VERDAN, Risk Manager, Group Risk, Pictet & Cie

11th December 2013

Zürich

Table of contents

1 Overview of the Pictet Group

2 Operational Risk Management at the Pictet Group

3 SAP-GRC Project

4 Main challenges of SAP-GRC implementation

5 Results of SAP-GRC implementation

1 Overview of the Pictet Group

Founded in Geneva in 1805, the Pictet Group is today one of Europe's leading independent wealth and asset managers.

Facts & Figures

1805: founded in Geneva

3300 employees

25 offices around the world

8 partners responsible for all of the Group's activities

$433bn in assets under management and custody at 30 September 2013

650 investment professionals

Independently owned Group, no external shareholder pressure

A unique positioning around three areas of business

Pictet Group

Wealth management: wealth management solutions for private clients
- Pictet Wealth Management
- Services for independent asset managers

Asset management: solutions for institutional investors and distribution of investment funds
- Pictet Asset Management
- Pictet Alternative Investments

Asset services: custody bank, fund administration and trading services for institutional clients and banks
- Pictet Asset Services
- Trading

2 Operational Risk Management at the Pictet Group

Pictet Organisation of Operational Risk Management

Pictet & Cie Partners' Committee

Monitoring at Group level: Group Internal Audit, Group Risk, Group Compliance, Group Security, Legal Department

Monitoring at business lines and Group legal entities level:
- Board of Directors of the Group legal entities
- Senior Management of the Group legal entities: CFO, COO, Compliance Officer, Risk Officer
- Senior Management of the business lines: CFO, COO, Compliance Officer, Risk Officer

Philosophy = Decentralisation

Methodology for Operational Risk Mgmt (2007 - 2013)

Manual process using MS Office tools (Excel, Word, PowerPoint):

1. Risk Register by Group Unit
2. Sent to Group-Risk by email
3. Manual risks consolidation
4. Discussion of risk map between G-R and Unit
5. Group Risk Report released

Sample commentary (anonymised):

PCS: During the reassessment at 30 June, a new high risk was identified concerning xxxxxxx xxx. Although the risk of errors in the execution of a xxxxx order is still assessed overall as high, PCS considers its current trend to be improving. Indeed, the number of errors and the financial impact of incidents are lower than in previous half-years.

Sample risk table (anonymised)

Columns: Unit; Description; Risk category; 06/09; 12/09; 06/10; Trend; Action plan & responsible persons / Comments; Progress; Planned deadline; Risk target

- PCS; Xxxxx; Xxxx xxx xx xxx xxxx. Responsible: M. Xyv; End 2011
- PCS; Execution errors xxxx; 1) xxxxx x xxx xxxx. 2) xxxx xxxx xxx x xxx. Responsible: A. Ghj; 2011
- PCS; Occurrence of a problem xxxxx; Xxxxx xx xx xx xx x xx xx. Xxx xx xxx xxxx. Responsible: R. Hgk; 2011

[Figure: two risk maps plotting Severity (0 to 5) against Frequency (0 to 5), with the number of risks in each cell; zone of moderate and low risks not detailed]

Group Risk Register for Operational Risks, Unit / Date

Columns:
- Legal entity / site; ID; Date of Entry; Last update; Unit
- Identified Risks: Risk Description; Risk Category
- Existing Controls / Mitigation Techniques: Description by Unit; Effectiveness of Strategies
- Analysis & Evaluation of Residual Risk: Financial Risk (Likelihood/Frequency, Impact/Severity, Amount for Financial impact in CHF, Level of Residual Risk); Reputational Risk (Likelihood/Frequency, Impact/Severity, Level of Residual Risk); Other Risks (Likelihood/Frequency, Impact/Severity, Level of Residual Risk)
- Key Risk Indicators: Description by Unit
- Action plan to reduce risk: Description by Unit (short description of key elements)
- Evaluation of Target Risk: Financial Risk (Likelihood/Frequency, Impact/Severity, Amount for Financial impact in CHF, Level of Residual Risk); Reputational Risk (Likelihood/Frequency, Impact/Severity, Level of Residual Risk); Other Risks (Likelihood/Frequency, Impact/Severity, Level of Residual Risk)
- Overall responsible; Deadline; Overall progress; Date of closing

Sample entries (anonymised; risk values are listed in column order):

- GE; ID 8051; entry 31.12.08; last update 30.06.10; unit PF; xxx; category Organisation. Controls: daily controls / reconciliation of positions... (effectiveness H). Residual risk: 2 / 1 / 100'000 / L; 2 / 2 / M. Key risk indicator: number of incidents. Action plan: -. Target risk: 2 / 1 / 100'000 / L; 2 / 2 / M.
- GE; ID 8052; entry 31.12.08; last update 30.06.10; unit PF; xxx; category Technical. Controls: incident reporting, four-eyes check for each transaction (effectiveness L). Residual risk: 3 / 2 / 1'000'000 / M; 3 / 3 / H; 3 / 1 / L. Key risk indicator: error report. Action plan: automation of controls, lowering of alert levels. Target risk: 3 / 2 / 1'000'000 / M; 3 / 2 / M; 3 / 1 / L. Responsible: B. Mnp; deadline 31.03.11; progress 25%.
- GE / LUX; ID 8053; entry 30.06.09; last update 30.06.10; unit PF; xxx; category Human. Controls: xxx (effectiveness M). Residual risk: 2 / 4 / 10'000'000 / H; 2 / 2 / M. Key risk indicator: number of incidents. Action plan: data security project, MIS evolution projects. Target risk: 2 / 3 / 5'000'000 / M; 2 / 2 / M; 2 / 1 / L. Responsible: A. Xyz; deadline 31.12.10; progress 85%.
- GE; ID 8054; entry 31.12.09; last update 30.06.10; unit PF; xxx; category External. Controls: xxx (effectiveness H). Residual risk: 4 / 1 / 200'000 / M; 4 / 3 / H; 4 / 3 / H. Key risk indicator: number of outages. Action plan: xxx. Target risk: 3 / 1 / 200'000 / L; 3 / 3 / H; 3 / 1 / L. Responsible: G. Fgh; deadline 31.12.10; progress 90%.

Likelihood - Frequency

1 = Rare: ≥ 5 years

2 = Unlikely: 1 - 5 years

3 = Possible: < 1 year

4 = Likely: monthly

5 = Almost certain: weekly

Risk ranking

1 - 3 Low Risk

4 - 6 Moderate Risk

8 - 12 High Risk

15 - 25 Extremely High Risk

Financial impact (BL / Entity scale)

1 = Min. 0, Max. 500'000

2 = Min. 500'001, Max. 1'000'000

3 = Min. 1'000'001, Max. 5'000'000

4 = Min. 5'000'001, Max. 20'000'000

5 = Min. 20'000'001

Reputational damage

1 = Insignificant: No media attention. Minor complaint.

2 = Minor: No media attention. Multiple minor complaints.

3 = Moderate: Local media reporting. Moderate complaints.

4 = Major: National & international media reporting. Major complaints.

5 = Extreme: Long term negative image. Substantial complaints with losses.

Other impact or damage

1 = Insignificant: No regulatory consequence.

2 = Minor: No regulatory consequence. Minor reversible injury.

3 = Moderate: Limited regulatory consequence. Moderate reversible injury.

4 = Major: Significant regulatory consequence. Major injury.

5 = Extreme: Closure of major part of business. Irreversible injury.

3 SAP-GRC Project

Main objectives of the SAP-GRC Project

Reduce the risk of not detecting operational risks by interlinking information

Reduce the administrative workload to concentrate on tasks with high added value

A unique tool in the Group for the management of all types of operational risks

Provide a complete functional coverage in a structured and standardized framework

Improve compliance with Finma Circ. 08/24 "Supervision and internal control – banks" and Finma Circ. 08/21 "Operational risks at banks"

Preliminary phases

2011

Study of market risk management tools

Contacts with various banks that have deployed integrated tools for operational risk management

Choice of the tool ORC (Interexa), used by

2012

Workshops with Interexa : March - April

Workshops with Unit Risk Managers : June

Decision to stop ORC and start SAP : August

• Final estimated cost too high

• ORC doesn’t provide an internal control module

• Presentation by SAP of GRC (including internal control module)

• Strong sponsorship by Pictet IT as SAP already used for Finances and HR

SAPPORO Project – Risk Management module

Selection of SAP-GRC : August 2012

Proof of Concept : November 2012

Start of SAPPORO Project :

Preliminary phase with Riscomp : February-March 2013

Business Blueprint : April 2013

Implementation and UAT with Riscomp : May-July 2013

Training and UAT with Unit Risk Managers : May-June 2013

Go-Live : 29th July 2013

The 3 phases of the SAPPORO Project

Phase 1: Risk Management (Study - Implementation)

Phase 2: Internal Control Syst. (Study - Implementation)

Phase 3: Incidents (Study - Implementation)

Timeline markers: 08.2013, 06.2014

4 Main challenges of SAP-GRC implementation

Main challenges

1. Decentralised operational risk management

Challenges were:

- Collecting Unit Risk Managers' needs, with very different maturity on the operational risk management process

- Various approaches (bottom up, top down, mixed)

- Implementing a solution that suits all, within a reasonable budget

Integration of decentralised Unit Risk Managers throughout the project

Pictet Methodology

Pictet Group Policy for Operational Risks

Matrix Organisation

Multiple business lines, crossed with multiple legal entities, in 25 sites in the world. Reporting needs:

- By business line (for the Management)

- By legal entity (for Supervision Authority)

- By site (for local Management)

Example of business lines:

- Pictet Wealth Management

- Pictet Asset Management Distribution

- Pictet Asset Services

- Pictet Asset Management Investment

- Trading

- Etc…

Example of legal entities:

- Pictet & Cie (Europe) SA: Paris Branch, Italian Branch, Hong Kong Branch, Etc…

- Pictet Funds SA

- Bank Pictet (Asia) Ltd, Singapore

- Pictet Asset Management Ltd

- Pictet Investment Co. Ltd, London

- Etc…

Matrix Organisation

Solution = 3 custom-defined fields within the Organisational Unit:

• Team name

• Company name

• Site name

[Figure: SAP-GRC screen; visible labels: Company Name, Risk Response, Site, Org. Unit]

Main challenges

1. Decentralised operational risk management

2. Matrix organisation

Pictet Methodology

Pictet Group Policy for Operational Risks

Because the full organisation requires downloading 1544 organisational units, other challenges were:

- Response time was too long for users with limited access (Unit Risk Managers)

- Temporary solution: partial organisation loaded into SAP-GRC only (567 org units)

- SAP has improved response time

- Automatic update of the organisation

5 Results of SAP-GRC implementation

Outcomes of the project

Positive:

- Pictet Methodology fits in SAP-GRC (risk valuation, risk categories)

- Ops Risk Mgmt Framework more robust

- Time saving: fewer administrative tasks, more added-value work

- Heatmap: immediate reporting tool, with extended drill-down / selection capabilities

- Unique Ops Risks Register

Negative:

SAP-GRC did not seem mature enough: we encountered a lot of bugs, which tends to demonstrate the tool was not tested extensively. Examples:

- Impossible to remove a Response from a Risk

- Risk Aspect worked on Org. Name, not Org. ID

- Ergonomics not user friendly

- Graphical view incomplete

- Response can be saved without compulsory info (name)

But good reactivity of SAP to correct bugs


Most desired improvements

Response time

Automatic update of Organisation / Risk Thresholds

Underlying Risks: possibility to include or exclude them in the Heatmap

Validity extension of a Risk



Questions ?

Thank you for your attention