Risk Cloud (GRC) Product Strategy (gen7982) update# 1

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Oracle Risk Management (GRC) Product Strategy Update GEN7982

Sid Sinha Oracle Application Development Oct 27, 2015

Presented with


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

2


Agenda

Oracle GRC Product Strategy Update

Case Study: Skechers

Case Study: Harvard Pilgrim HealthCare

KPMG Best Practice Update

Wrap-up

1

2

3

4

5

3


Oracle Risk Management Product Strategy

Oracle Confidential – Internal/Restricted/Highly Restricted

Digitize Best Practices across the

Extended Enterprise and

Predict Risk using

Data Analysis

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. Oracle Confidential –

Challenges

6

Risk managers and auditors are unable to spend time on the most important business risks that destroy market value

01

Idea Watch: Harvard Business Review July–August 2015

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. Oracle Confidential – 7

Missed Opportunity

Strategic

Legal & Compliance

Operational Risks

Financial Reporting Risks

6% 13%

42%

39% 3%

86%

9% 2%

Time Spent $ Loss in Shareholder Value % of Risk Failure leading to a 40+%

drop in Market Capitalization CEB - Executive Guidance - Reducing Risk Management’s Organizational Drag - 2014

risk managers and auditors spend more than half their time on financial reporting, legal, and compliance risks, even though the vast majority of big losses in market value occur because of mismanaged strategic risks “

“


Challenges

8

Risk teams want to increase their use of data analytics to detect issues early and generate new value

CEB - State of the Internal Audit Function- 2014

CEB - State of the Internal Audit Function- 2014

02


Challenges

9

“91% plan to reorganize or reprioritize risk management in the next three years”

03

Idea Watch: Harvard Business Review July–August 2015


Strategic

Legal & Compliance

Operational Risks

Financial Reporting Risks

6%

13%

42%

39%

Time Spent

Reduce Time & Effort • More Process Automation • More Data Analytics • Better Communication

Eliminate Preventable Risks

Focus on Strategic Risks

Enable Business with Risk

Intelligence

Making Risk Management Mission Critical

10

Internal Audit, Compliance, Quality, IT Security & Safety


MANUAL 70% of Risk Professionals use out dated technology like spreadsheets, emails,

custom apps 1

SILOED Business partners are required to complete multiple, overlapping

assessments, questionnaires and

surveys2

NARROW Risk and Audit teams fail to measure and communicate

value creation KPI that engage LOB partners in a

dialog3

Manual data intensive and coordination tasks consume

valuable FTE capacity

Check the box mentality undermines risk management

Process improvements, finding and fixing high risk control

failures

1 OCEG SURVEY • 2014 GRC Technology Strategy Survey • www.OCEG.org HOW ORGANIZATIONS APPROACH AND ADAPT THEIR TECHNOLOGY STRATEGY FOR GRC 2 CEB - Executive Guidance - Reducing Risk Management’s Organizational Drag - 2014 3 CEB - State of the Internal Audit Function- 2014

Risk Execution Pain Points

11

Internal Audit, Compliance, Quality, IT Security & Safety

http://www.OCEG.org


1

2

3

Dashboards, Reports and Alerts

Notifications Worklists Email Perspectives Search

Risk, Controls & Compliance Management

Reviews Documentation Assessments Remediation Surveys

Continuous Controls & Risk Monitoring

Setups Access Master Data Audit Tests Transactions

Engage business partners with actionable risk intelligence that amplifies value creation KPIs

Streamline risk processes to promote collaboration, transparency and accountability

Early detection of potential issues through automated data collection and analysis

Oracle’s Product Strategy

12


Announcing New ERP Cloud Services

13

Risk Management

Advanced Financial Controls Cloud

(coming soon)

Financial Reporting Compliance Cloud

(R10)

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. Oracle Confidential

Oracle Risk Management Cloud

14

Data-driven, Integrated & Collaborative

Digitize Internal Processes to certify financial results 01

Streamline Collaboration with External Auditors 02

Automate Data Analysis to Prevent High-Risk Transactions 03

Rapid Deployment with Best Practice Controls 04

Integrated with Oracle Cloud for a Unified Experience 05

Highlights


Oracle Risk Management

Cloud

CFO (Houston)

VP Finance (Dallas)

VP Audit (Dallas)

AP Control Owner (Ireland)

AR Control Owner (Ireland)

IT Control Owner (Philipines)

01 Digitize Internal Processes

15

Review and Fix Issues

Complete Assessments

Certify Controls

Update Documentation

Risk Based Scoping of Controls

Enforce Manual Controls



Audit Partner (Austin)

Engagement Mgr. (Houston)

Senior Auditor (Seattle)

Senior Auditor (San Diego)

IT Analysts (Philippines)

SOD Analysts (Philippines)

02 Collaborate with External Auditors

16

Issues, Comment and Requests

Review Internal Audit Work

Partner Sign-offs

Review Controls Matrix, Select Key Controls

Complete Design Assessments

Operating Effectiveness Assessment



17

Oracle Risk Management Cloud Outside Legal Counsel

Review Documentation and Filings

LOB Executives KPIs and Issues

Risk Managers Access to Internal Audit Consultants

Manage Overall Process

Control Owners Assessments

Vendors Statement Audits Compliance Surveys

External Audit Review Work Competed Complete Assessments

Internal Users External Users


Millions of Transactions

Enterprise Data Graph

GR

C O

nto

logy B

ased Po

licy Engin

e

Seman

tic Reaso

nin

g Pattern

Reaso

nin

g

Engine

Transitive

Reflexive

Range

Set Ops

Benford

X-Correlation

Grap

hical A

uth

orin

g Wo

rkben

ch

Library o

f User D

efined

Co

ntro

ls

Incidents

SELF-LEARNING FEEDBACK LOOP

03 Automate Analysis to Prevent High-Risk Transactions


Payables Invoice Details Supplier Site Location Payables Invoice Batches AP Payment Payables Payment Schedule Payables Payment Term Supplier Payables Standard Invoice External Bank Account Payment Instruments Purchase Order Operating Unit Expense Items Expense Mileage Policy Expense Report Attendees Expense Report Information Expense Entertainment Policy Expense Miscellaneous Policy

Pareto Pattern (80-20 Rule) Identify top 20% of Suppliers that send 80% of duplicate invoices by amount value

Absolute Deviation Pattern Identify Invoices that are in the top 10% in price deviation from the average price

Anomaly Detection Pattern Identify T&E reports where the hotel per day charges are much higher (normal distribution) than all the other T&E reports

Clustering Pattern Identify the groups of vendors based on uncollected vendor balances

Business Objects Algorithms

Identify purchase orders that have been back-dated

Identify unusual invoices based on amount and supplier

Identify multiple invoices with 'one-time use' suppliers

Identify invoices from new or inactive suppliers

Identify Invoices from suppliers that are on watchlist

Identify active Employees who submit Expense Report Lines that appear to be duplicate reimbursements

Examples - Ready-made Controls • Identify and track the following exceptions to closure

• Provide audit assurance

Identify Employees who have personal credit card transactions claimed as cash on their expense report.

Identify duplicate Meal expenses submitted by different employees using a similar attendee list.

Identify Employees who submit split expenses for a large event on their expense report.

1,383 Data Elements available for Control Analysis

04 Rapid Deployment with Ready-Made Controls

SCM Cloud Planning & Collaboration* Manufacturing* Order

Management Inventory & Logistics

Marketing Configure, Price & Quote

Commerce Sales Service Social CX Cloud

Financial Consolidation & Close*

Account Reconciliation*

ERP Cloud

Work Life

Global HR

Talent Management

Workforce Rewards

Workforce Management HCM Cloud

Data Cloud

Apps Marketplace

PLM Procurement

DaaS for Marketing DaaS for Sales DaaS for Customer

Intelligence

* Coming Soon

EPM Cloud Enterprise Planning

Financial Reporting

Risk Management

Financials Project Portfolio Management Procurement

05 Core Part of Oracle Cloud

Procurement

Risk Management

Financials

Project Portfolio Management

• Core Part of SaaS Platform • Common Service Provisioning • Common User Experience

• Common Role, User and Security • Common Business Intelligence • Common Extensibility framework

05 Core Part of Oracle ERP Cloud


Update Documentation Import Spreadsheets Update Process, Control & Risks Test Plans, Review, Approvals

Automate Assessments Select Controls based on Risk Conduct Surveys Design, Operating & Audit

Resolve Issues Set Priority and Due Dates Remediation Plans Notifications

Manage Incidents Assign Owners, Attach evidence

Remembers decisions for next control run (self-learning)

Graphical Authoring User Defined Controls

Eliminate False Positives Uncover Data Patterns

Detect Suspicious Transactions Pre-built Library of Controls

1350 Data Elements P2P & Expense Controls

22

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. Oracle Confidential

Elite panel of judges (NASA CIO, FCC CIO, Army CIO and others) have selected PA Treasury IT project as one of

the top 10 public sector projects of the nation

Pennsylvania Treasury GRC Project Wins Multiple Awards

23


Oracle GRC Wins Ventana Technology Innovation Award!

24

“Oracle’s GRC solution provides a unique approach to the problem of risk management by automating risk controls which are embedded into critical business

processes; applying leading edge technologies to solve complex risk challenges.”

- Mark Smith, CEO of Ventana Research


Case Studies and Speakers at OpenWorld 2015

Oracle Confidential – Internal/Restricted/Highly Restricted 25

_________________

Source-to-Settle

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. | 26

Follow Us & join the conversation .

Oracle GRC Advanced Controls Group _______________________________________________________________

OracleAdvControls @OracleAdvCntrls

https://www.linkedin.com/groups/Oracle-GRC-Advanced-Controls-5185359

https://www.linkedin.com/groups/Oracle-GRC-Advanced-Controls-5185359

https://twitter.com/OracleAdvCntrls


Risk Management Cloud Resources

27

cloud.oracle.com

Release 10 Readiness

Documentation

Customer Connect


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

28