GRC Sales Playbook Soumya Das Senior Director, GRC Product Marketing

GRC Sales Playbook

Soumya Das

Senior Director, GRC Product Marketing

2

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. The development, release, and timing of any features or functionality described for LogicalApps' products remains at the sole discretion of LogicalApps.

Disclaimer

3

Agenda

• GRC Market Drivers

• Value Propositions

• Stakeholders

• GRC Solution Overview

• Competitive Overview

• Summary and Q&A

4

GRC Market Opportunity Today

Source: AMR 2007

Total GRC Spend

Technology$9.8B

Services$7.3B

Headcount$12.6B

The combination of

• GRC Controls (LogicalApps)

• GRC Manager

• GRC Intelligence

rounds out Oracle’s ability to attack the $10B GRC technology market

By 2008, > 75% of large and midsize companies will purchase new compliance management, monitoring & automation solutions (0.8 probability).

- Gartner, 2006

5

GRC Applications Market Drivers

Continuing Rise in Complexity & Number of Regulations•By 2012, the number of regulations that directly affect IT operations will double •By 2012, 90% of public companies will face mandatory, audited public reporting requirements for financial controls, and 50% will face mandatory non-financial reporting

Source: Gartner, 2006

Continuing Failure in Financial Reporting and Business Process•1,876 earnings restatements were filed with the SEC in 2006, compared with 1,296 in 2005, and 650 in 2004. •4 out of 5 companies have been the victim of corporate fraud in the past 3 years. Average loss of $20M at companies with revenues of $5B and above.

Source: AuditAnalytics 2006, Kroll Global Fraud Report, 2007

Continuing Need for GRC Visibility by C-Suite and Board•Boards of directors cite compliance and risk management as areas where better information is most needed from the audit committee•A global survey of 741 CFOs blames increasing job turnover partially on the tedium of meeting regulatory demands.

Source: Mckinsey, 2006; Duke University, 2007

6

Heavy Burden of Compliance

36%

28%

Public trust in 2006Public trust in 2002, Peak of corporate scandal

Erosion of Public Trust,Call for Greater Transparency

Source: Mckinsey, 2007

Unabated Spending on Compliance

Source: AMR Research, Feb 2007

Technology$9.8B

Services$7.3B Headcount

$12.6B

Increasing Number & Complexity of Regulations

Sarbanes-Oxley Act

Fair Credit Reporting Act

Family Education Rights

Privacy Protection Act

Federal Rules of Civil Procedure

Title 21 CFR Part 11

Computer Fraud & Abuse Act

Health Insurance Portability & Accountability Act

Children’s Online Privacy Protection Act

Gramm-Leach Bliley Act

Patriot Act

Domestic Security Enhancement Act

… and many more

High Stakes for Brand and Reputation

Source: BusinessWeek, 2007

$12B$12B=Brand Value

7

Compounded by Risk and Uncertainty

FACT: Between 2004-2007, 62% of global companies experienced risk events* • 87% of those risks were non-financial• Almost half were not prepared• Only half manage risk formally

*Source: IBM Global CFO Study, 2008

RiskLevel

MarketRisk

ComplianceRisk

StrategicRisk

CreditRisk

LitigationRisk

InformationRisk

Risk Type

AcceptableThreshold

8

Greater Visibility into GRC is a Must Have

Lackof

high

Top 6 Problems with a Siloed Compliance Approach

Source: Lee Dittmar, Demystifying GRC, Q4 2007

Boards of directors cite compliance and risk management as areas where better information is most needed from the audit committee.

Continuing Need for GRC Information

Mckinsey & Company

Management regularly fails to communicate risks to directors on a timely basis, imperiling the value of a company’s securities and ensuring embarrassment (or worse) when inevitable crises occur for which the company is unprepared.

Steve Mitchell, OCEG, Compliance Week, Dec 2007

Communication Breakdown Jeopardizes the Board

Consequences at a Board and C-Suite Level

Organizations lack a

common language

around risk

Leaders lack an

enterprise view of risks

Governance processes

aren’t consistently defined and

communicated

Businesses do not have

the high quality

information they need

Compliance & risk aren’t

considered in core processes and decision-

making

IT assets aren’t aligned

with risk or compliance

management needs

9

Burden Stems from Core Challenges

Regulation A

Standard C

Risk B

C1b C2b C3b

C5b C6b C7b

C9b C10b C11b

R1 R2 R3 R1 R2 R3 R1 R2 R3

C1c C2c C3c

C5c C6c C7c

C9c C10c C11c

C1a C2a C3a

C5a C6a C7a

C9a C10a C11a

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

Challenge:

Multiple Requirements, Fragmented Response

Challenge:

Insufficient Resources, Manual Efforts

Challenge:

GRC as an Afterthought, Holding Up the Business Business Processes

GRC

10

How Oracle GRC Solutions Help

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC

Solution:

Consolidate

Solution:

Automate

Solution:

Embed

Regulation A

Standard C

Risk B

R1 R2 R3

C1 C2 C3

C5 C6 C7

C9 C10 C11

Business Process

GRC

Process

PolicyRisk

Assessment

Detective Control

PreventiveControl

Issues

Remediation

Reporting &Diagnostics

11

The Oracle Difference

3Open Platform, Industry Depth

2Policy Tied to Active

Enforcement

1Best in Class, Engineered

to Work Together

Policy Financial Services

Public Sector

Life Sciences

HighTech Retail Utilities

12

Agenda

• GRC Market Drivers

• Value Propositions

• Stakeholders



• Summary and Q&A

13

Run Your Business Better and Prove It • Leverage a single source of GRC information across departments and locations • Tailor role-based GRC dashboards to the needs of specific organizations and

functions• Analyze risk and control status with rapid report creation using pre-delivered metrics

Safeguard Brand and Reputation • Control user access & enforce segregation of duties with business-driven rules• Reduce risk of fraud with continuous monitoring of master data, setup, and transactions• Enforce effective preventive and detective controls across heterogeneous applications

Simplify GRC and Reduce Costs• Reduce cost and complexity by managing global mandates with one system• Align policy documentation with best-practice frameworks and automated controls• Rely on tamper-proof chain of evidence for all compliance activities

Only Oracle lets you…

!!

Oracle GRC Applications Value Proposition

14

Finance

CONTROL PERFORMANCE

IT

CONSOLIDATION INNOVATION

Internal Audit

COMPLIANCE ASSURANCE

Accounting Manager

Accounting Director

Controller

CFO

DBA/Bus. Analyst

IT Director

CIO

Apps Manager

Internal Auditors

Audit Manager

VP Audit

Chief Audit Executive

Who We Sell to

15

• We need to lower spending and resources devoted to compliance

• The organization needs to move from manual to automated controls

• Policy and process documentation is a challenge

• We need visibility into our high risk areas

CHALLENGES

• Comprehensive GRC platform for recording, enforcing and reporting internal controls

• Automation of control testing and audit trails; simplified report generation with more accurate results

• Controls embedded seamlessly into daily business operations

• Role-based dashboards for risk and control intelligence

• Reduced audit time and costs; faster, easier validation of compliance

• Reduced risk and increased confidence in financial integrity

• Better decision-making armed with real-time diagnostics

• Enhanced morale of finance staff and free resources for value-added activities

Oracle Differentiator

CAPABILITIES VALUE

Challenges/Capabilities/Value:CFO, Controller…

CONTROL PERFORMANCE

SAMPLE

QUESTIONS

• Where are your greatest costs associated with Sarbanes-Oxley or other regulatory compliance issues? Would it help if you could automate the entire process, from documentation to controls testing & reporting?

• What percentage of your key controls are manual? Are you interested in automating more of your controls?

• Can you measure the effectiveness of your compliance programs? Do you have a single view for this?

16

• High percentage of IT budget devoted to compliance, and away from innovation

• Disparate silos of information; difficult to create reports to satisfy the business

• Unsatisfied with current state of application data access and security

• Unable to enforce best-practices for configuration and change management

CHALLENGES

• Automated controls monitoring and segregation of duties enforcement

• Unified GRC reporting, alerts and tracker for business user

• Preventive and mitigating controls to ensure data quality and process integrity

• Form and workflow configuration through GUI based system

• Manage by exception; reduce time and cost spent on compliance

• Improved support of Internal Audit and LOB compliance needs with less effort

• Accelerate response to user provisioning requests; ensure data security

• Consistent environments, full audit trail of changes, easier migration/upgrade

CAPABILITIES VALUE

Challenges/Capabilities/Value:CIO, IT Director…

CONSOLIDATION INNOVATION


SAMPLE

QUESTIONS

• Are you looking for opportunities to reduce the time and money you spend on compliance, so you can focus on projects that grow the business?

• Would it help if Finance and Audit had self-service dashboards and could create their own reports?

• How often do you receive application customization requests and much effort does it take to make the change every time?

17

• Audit data and reports difficult to generate – require significant IT and LOB support

• We need efficient reporting and comprehensive audit trail

• We need a consistent and cost-effective way to manage business processes, risk, controls visibility

• We need to document corporate policies and collaborate with line of business owners

CHALLENGES

• Automated control testing, assessments, and evidence through self-service interface

• Centralized risk/control library; Links to automated controls and control tests.

• Pre-built, web-based reports (SoD conflicts, config changes, data changes, etc.)

• Integrated audit operations and compliance management solutions

• Faster information flow and better visibility for quicker identification of potential issues

• Reduced audit time and efforts through self-service reporting and online, centralized evidence

• Better utilization of audit resources and coordinated efforts

• Timely and accurate information

• Closed-loop remediation and better risk management

CAPABILITIES VALUE

Challenges/Capabilities/Value:Chief Compliance Officer, VP Audit…

COMPLIANCE ASSURANCE

SAMPLE

QUESTIONS

• Would it help if you didn’t have to rely on IT to see the data to support your test scripts?

• Would it reduce your audit fees if you could show increasing levels of controls automation to your external auditors?

• Are you interested in promoting accountability for compliance to the LOB experts, so that you could focus on overall business assurance?


18

Simplify GRC and Reduce Costs

Safeguard Brand and Reputation

Run Your Business Better and Prove It

Oracle Governance, Risk, and Compliance

19

Agenda

• GRC Market Update

• Customer Pitch

• Top Opportunities



• Summary and Q&A

20

Who’s Buying GRC?

• $250M & higher

• Cross Industry

• Financial Services

• Telecomm

• Pharmaceuticals

• Manufacturing

• High-tech

• 64% of LogicalApps customer base

• Drivers:

• Sarbanes-Oxley (SOX)

• Segregation of Duties

• Change Management

PUBLIC

• $1B & higher

• Cross Industry

• Financial Services

• Media

• Retail

• Distribution

• Manufacturing


• Drivers:

• Segregation of Duties

• Change Management

• Internal Audit

• Federal, State & Local

• Education

• Agencies

• Civil

• Dept. of Defence

• Aerospace & Defence

• Intelligence


• Drivers:

• OMB A-123

• Improper payments

• Privacy act

• FISMA

PRIVATE GOVERMENT

21

1

2

3

Maturity Level

ERP Upgrades

Pain

What to Look For

•Reported material weaknesses, financial restatements

•SEC investigations, CFO or Controller turnover

•Changed auditors, increases in audit fees

•Heavily regulated industries,

•Heavy investment in internal audit teams, separate audit officer

•Have already bought a documentation point solution

•Look for companies implementing upgrades to their Oracle or PeopleSoft ERP systems, including instance consolidation & standardization

22

GRC CustomersOver 300 Customers Across Multiple Industries

Public Sector

High Tech / Communications

Financial Services Manufacturing

Consumer / Retail

Life Sciences/Pharmaceuticals

23

CHALLENGES / OPPORTUNITIES

• Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units

• World’s largest single Oracle EBS instance

• 20,000 Active users

• 50,000 Oracle responsibilities

SOLUTIONS

• Oracle GRC Manager

• GRC Control Suite

CUSTOMER PERSPECTIVE“It would have taken more than 6 months of application customization and easily cost a couple of million dollars to create the 200 controls we implemented in only 8 weeks.”

Ravi Mahajani, ERP Solution Expert, Agilent

RESULTS

• Implemented 200 controls in 8 weeks

• Eliminated SOD conflicts to meet SOX compliance requirements on time

• Avoided 6-month customization effort, millions of dollars

COMPANY OVERVIEW

• Technology leader in communications, electronics, life sciences and chemical analysis

• Revenue > $5 Billion

• 20,000 employees

24


• User access was too broad; corporate assets not protected effectively

• No way to track changes to ERP application data, including who, what, when and why changes were made

• Segregation of Duties (SOD) analysis process was expensive and distracting from the core business.

SOLUTIONS


CUSTOMER PERSPECTIVE“We’ve reduced the time it takes to complete routine audits from two months to two days.”

Darlene Mac Cormac, VP of Procurement &Strategic Sourcing, Harris Bank

RESULTS

• Cut SOD review time from 2 months to 2 days

• Eliminated all known SOD conflicts

• Created detailed access rules protecting corporate assets

• Created comprehensive audit trails

COMPANY OVERVIEW

• Established in 1817

• Total assets of $312 Billion


• Retail banking, wealth management, and investment banking

25


• Mask sensitive data to comply with Privacy Act

• Lack of tools to identify & remediate control violations and establish effective monitoring process

• Difficulty satisfying management and audit requirements

SOLUTIONS

• GRC Control Suite – Access & Configuration Controls

CUSTOMER PERSPECTIVE“After searching for two years for a solution that would allow us to hide social security numbers from unauthorized users, LogicalApps showed us that they could selectively hide critical fields within minutes.”

Michelle Overstreet, Program Manager, FAA

RESULTS

• Eliminated programming time for application customization

• Reduced detection and remediation time for control violations

• Developed a sustainable model to manage regulatory compliance

COMPANY OVERVIEW

• Revenues > $250B


• 1 of 4 Federal Centers of Excellence (COE)

Federal Aviation Administration

26


• User access was too broad

• Privacy Act violations

• No way to track changes to data, including who, what, when and why changes were made

• SOD analysis process was expensive and ineffective

SOLUTIONS


RESULTS

• Resolved 85% of SOD conflicts across ERP system; implemented mitigating controls for remainder

• Resolved privacy issues with access to SSN information

• Created detailed access rules and comprehensive audit trails to ensure A-123 compliance

ORGANIZATION OVERVIEW

• Established in 1817

• Total assets of $658 Billion


• World’s largest implementation of Oracle E-Business Financials

Department of Health & Human Services

27

Agenda


• Customer Pitch




• Summary and Q&A

28

Oracle Solutions for GRC

GRC Application Controls

TransactionMonitoring

SOD & Access

Application Configuration

Reporting KRI & AlertsDashboards

GRC Reporting & Analytics

GRC Process Management

AuditManagement Assessment

Custom or Legacy Applications

GRC Infrastructure Controls

ChangeMgmt

Digital Rights

Data Security

Identity Mgmt

Records Mgmt

Pre-integrated with Oracle applications and technology, supports heterogeneous environments

Purpose-built business solutions for key industries and GRC initiatives

Best-in-class GRC core solutions to support all mandates and regulations

Issue & Remediation

Event & Loss Mgmt

29

Oracle GRC Reporting & Analytics



SOD & Access







ChangeMgmt

Digital Rights

Data Security

Identity Mgmt

Records Mgmt

Pre-built dashboards aggregate information from all sources

Combine performance & GRC information

Respond to KRI and issues

Produce attestations and disclosures

Configure to meet your specific needs


Issue & Remediation

Event & Loss Mgmt

30

Oracle GRC IntelligenceBetter decisions, more timely access to information, balanced performance

• Pre-built dashboards aggregate information from all sources

• Combine performance & GRC information

• Respond to KRI and issues

• Produce attestations and disclosures

• Configure to meet your specific needs

31

Oracle GRC Process Management



SOD & Access






ChangeMgmt

Digital Rights

Data Security

Identity Mgmt

Records Mgmt

GRC system of record

End-to-end GRC process management

Platform independent

Integrated control management

Closed-loop issue remediation


Issue & Remediation

Event & Loss Mgmt


32

• GRC System of Record

• End-to-End GRC Process Management

• Platform Independent

• Integrated Control Management

• Closed-loop Issue Remediation

Oracle GRC Manager Unify risk and compliance documentation and orchestrate processes

Document

- Risk-Control Matrix- COSO/COBIT Frameworks- Policies and Procedures- Evidence & Records Retention

Assess

PerformSelf

Assessment

TestManualControls

Scope Audits

MonitorAutomated

Controls

AnalyzeReceive Alerts Review Reports Investigate

Exceptions

Respond

Remediate Retest Optimize

Certify

Sign-off and Publish

33

Oracle GRC Application Controls



SOD & Access



GRC Intelligence



SystemsMgmt

Digital Rights

Data Security

Identity Mgmt

Records Mgmt


Issue & Remediation

Event & Loss Mgmt

GRC Manager

Continuous controls monitoring and enforcement

Preventive and detective controls

Automated controls testing

Best practice controls across key process flows

34

What usershave done

What’s changed in theenvironment

What are the execution patterns

Detective Controls

What userscan do

Howthe environment

is setup

How users execute

processes

Preventive Controls

ACCESSControlsACCESSControls

CONFIGURATIONControls

CONFIGURATIONControls

TRANSACTIONControls

TRANSACTIONControls

Enforce Policies in Context

Monitor Control Effectiveness

Oracle GRC Controls Suite

35

Services, Support & Partnerships

• Comprehensive results-based offerings:• Rapid Deployment• Full Lifecycle Project Management• Subject Matter Experts• Risk Assessment• Prompt Remediation • Best-Practice Controls• Business Processes Optimization• Partnership with Accounting & Risk Advisory Firms

36

Agenda


• Customer Pitch




• Summary and Q&A

37

GRC Applications Suite Comparison

Heterogeneous Platform support for SOD

Contextual SOD Conflict Analysis

Embedded SOD Prevention

Cross-Platform Policy Definition

Emergency Provisioning

Access Simulation on Cross-Platform

Field-Level Access & Change Control

Pre-built Controls – Oracle & PeopleSoft

Continuous Monitoring

Risk Management Framework

Full Somewhat Minimal None

38

Gartner’s Magic Quadrant for Enterprise GRC Platforms

Source: Gartner (June 2008)

39

Approva

Strength• Cross-platform controls monitoring• Supports SAP, Oracle, PeopleSoft,

JDE and custom legacy apps

Weakness• Majority customers are on SAP

platform• Only handful of customers on Oracle

EBS• No embedded preventive controls

Background

• Based out of Reston, Virginia

• Privately held, 100+ employees

• $10M approx. Revenue in 2006

How we respond• GRC Manager and GRC Intelligence

support ALL application platforms today• GRC Controls Suite is the #1 solution for

the Oracle E-Business Suite and PeopleSoft Enterprise.

• Our new release 8.0 extends cross-platform capabilities for PeopleSoft, JDE, SAP, Hyperion, and our clients’ other business applications

What they will say• No cross-platform capability - only

operable on Oracle EBS• They are the only true agnostic, as

they have no ERP offering

40

SAP

Strength• Segregation of Duties controls• Cross-platform support• Global Trade Management

Weakness• No play in GRC infrastructure (content

& records mgmt, identity mgmt, and database security)

• No preventive control capabilities for any customer, SAP or Oracle

Background

• Dedicated GRC business unit

• Growing overlay sales org

• Recognized market visionaryHow we respond: • In the last Finance GRC MQ, Gartner rated

Oracle superior to SAP in ability to execute• To truly address GRC needs such as financial

compliance, IT governance, and information security, customers need core infrastructure in addition to purpose-built applications

• GRC Manager and GRC Intelligence support ALL application platforms today. GRC Controls Suite is the #1 solution for the Oracle E-Business Suite and PeopleSoft Enterprise. Our next release will extend cross-platform capabilities for JDE, SAP, Hyperion, and legacy applications

What they will say:• Follower in the GRC space• Not a true GRC application provider• Limited cross-platform capability

41

Recommended Next Steps

• Assess your current organizational needs• Immediate requirements of high priority projects• Mid and long term objectives• Cost benefit consideration

• Evaluate Oracle’s combined solution offering• Functional product demonstration• Combination of new solution with existing infrastructure• Enabling services and support

42

AQ&

Documents

GRC Sales Playbook Soumya Das Senior Director, GRC Product Marketing