GRC Sales Playbook
Soumya Das
Senior Director, GRC Product Marketing
2
Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. The development, release, and timing of any features or functionality described for LogicalApps' products remains at the sole discretion of LogicalApps.
3
Agenda
• GRC Market Drivers
• Value Propositions
• Stakeholders
• GRC Solution Overview
• Competitive Overview
• Summary and Q&A
4
GRC Market Opportunity Today
Source: AMR 2007
Total GRC Spend
Technology: $9.8B
Services: $7.3B
Headcount: $12.6B
The combination of
• GRC Controls (LogicalApps)
• GRC Manager
• GRC Intelligence
rounds out Oracle’s ability to attack the $10B GRC technology market
By 2008, > 75% of large and midsize companies will purchase new compliance management, monitoring & automation solutions (0.8 probability).
- Gartner, 2006
5
GRC Applications Market Drivers
Continuing Rise in Complexity & Number of Regulations
• By 2012, the number of regulations that directly affect IT operations will double
• By 2012, 90% of public companies will face mandatory, audited public reporting requirements for financial controls, and 50% will face mandatory non-financial reporting
Source: Gartner, 2006
Continuing Failure in Financial Reporting and Business Process
• 1,876 earnings restatements were filed with the SEC in 2006, compared with 1,296 in 2005, and 650 in 2004.
• 4 out of 5 companies have been the victim of corporate fraud in the past 3 years. Average loss of $20M at companies with revenues of $5B and above.
Source: AuditAnalytics 2006, Kroll Global Fraud Report, 2007
Continuing Need for GRC Visibility by C-Suite and Board
• Boards of directors cite compliance and risk management as areas where better information is most needed from the audit committee
• A global survey of 741 CFOs blames increasing job turnover partially on the tedium of meeting regulatory demands.
Source: Mckinsey, 2006; Duke University, 2007
6
Heavy Burden of Compliance
Erosion of Public Trust, Call for Greater Transparency
Chart: public trust in 2006 vs. public trust in 2002 (peak of corporate scandal); values shown: 36% and 28%
Source: Mckinsey, 2007
Unabated Spending on Compliance
Source: AMR Research, Feb 2007
Technology: $9.8B
Services: $7.3B
Headcount: $12.6B
Increasing Number & Complexity of Regulations
Sarbanes-Oxley Act
Fair Credit Reporting Act
Family Education Rights
Privacy Protection Act
Federal Rules of Civil Procedure
Title 21 CFR Part 11
Computer Fraud & Abuse Act
Health Insurance Portability & Accountability Act
Children’s Online Privacy Protection Act
Gramm-Leach Bliley Act
Patriot Act
Domestic Security Enhancement Act
… and many more
High Stakes for Brand and Reputation
Source: BusinessWeek, 2007
$12B = Brand Value
7
Compounded by Risk and Uncertainty
FACT: Between 2004-2007, 62% of global companies experienced risk events*
• 87% of those risks were non-financial
• Almost half were not prepared
• Only half manage risk formally
*Source: IBM Global CFO Study, 2008
Chart: Risk Level by Risk Type (Market Risk, Compliance Risk, Strategic Risk, Credit Risk, Litigation Risk, Information Risk) plotted against an Acceptable Threshold
8
Greater Visibility into GRC is a Must Have
Continuing Need for GRC Information
Boards of directors cite compliance and risk management as areas where better information is most needed from the audit committee.
Mckinsey & Company
Communication Breakdown Jeopardizes the Board
Management regularly fails to communicate risks to directors on a timely basis, imperiling the value of a company’s securities and ensuring embarrassment (or worse) when inevitable crises occur for which the company is unprepared.
Steve Mitchell, OCEG, Compliance Week, Dec 2007
Consequences at a Board and C-Suite Level
Top 6 Problems with a Siloed Compliance Approach
Source: Lee Dittmar, Demystifying GRC, Q4 2007
• Organizations lack a common language around risk
• Leaders lack an enterprise view of risks
• Governance processes aren’t consistently defined and communicated
• Businesses do not have the high quality information they need
• Compliance & risk aren’t considered in core processes and decision-making
• IT assets aren’t aligned with risk or compliance management needs
9
Burden Stems from Core Challenges
Diagram: Regulation A, Risk B and Standard C each carry their own requirements (R1, R2, R3) and their own separate control set (C1a…C11a, C1b…C11b, C1c…C11c), with GRC sitting apart from the Business Processes
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
Challenge: Multiple Requirements, Fragmented Response
Challenge: Insufficient Resources, Manual Efforts
Challenge: GRC as an Afterthought, Holding Up the Business
10
How Oracle GRC Solutions Help
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
Solution: Consolidate
Solution: Automate
Solution: Embed
Diagram: Regulation A, Risk B and Standard C mapped to one shared set of requirements (R1, R2, R3) and one shared set of controls (C1…C11); the GRC Process (Policy, Risk Assessment, Detective Control, Preventive Control, Issues, Remediation, Reporting & Diagnostics) embedded in the Business Process
11
The Oracle Difference
1. Best in Class, Engineered to Work Together
2. Policy Tied to Active Enforcement
3. Open Platform, Industry Depth: Financial Services, Public Sector, Life Sciences, High Tech, Retail, Utilities
12
Agenda
• GRC Market Drivers
• Value Propositions
• Stakeholders
• GRC Solution Overview
• Competitive Overview
• Summary and Q&A
13
Oracle GRC Applications Value Proposition
Only Oracle lets you…
Run Your Business Better and Prove It
• Leverage a single source of GRC information across departments and locations
• Tailor role-based GRC dashboards to the needs of specific organizations and functions
• Analyze risk and control status with rapid report creation using pre-delivered metrics
Safeguard Brand and Reputation
• Control user access & enforce segregation of duties with business-driven rules
• Reduce risk of fraud with continuous monitoring of master data, setup, and transactions
• Enforce effective preventive and detective controls across heterogeneous applications
Simplify GRC and Reduce Costs
• Reduce cost and complexity by managing global mandates with one system
• Align policy documentation with best-practice frameworks and automated controls
• Rely on tamper-proof chain of evidence for all compliance activities
14
Who We Sell to
Finance: CONTROL PERFORMANCE
• Accounting Manager
• Accounting Director
• Controller
• CFO
IT: CONSOLIDATION INNOVATION
• DBA/Bus. Analyst
• IT Director
• CIO
• Apps Manager
Internal Audit: COMPLIANCE ASSURANCE
• Internal Auditors
• Audit Manager
• VP Audit
• Chief Audit Executive
15
Challenges/Capabilities/Value: CFO, Controller…
CONTROL PERFORMANCE
CHALLENGES
• We need to lower spending and resources devoted to compliance
• The organization needs to move from manual to automated controls
• Policy and process documentation is a challenge
• We need visibility into our high risk areas
CAPABILITIES
• Comprehensive GRC platform for recording, enforcing and reporting internal controls
• Automation of control testing and audit trails; simplified report generation with more accurate results
• Controls embedded seamlessly into daily business operations
• Role-based dashboards for risk and control intelligence
VALUE
• Reduced audit time and costs; faster, easier validation of compliance
• Reduced risk and increased confidence in financial integrity
• Better decision-making armed with real-time diagnostics
• Enhanced morale of finance staff and free resources for value-added activities
Oracle Differentiator
SAMPLE QUESTIONS
• Where are your greatest costs associated with Sarbanes-Oxley or other regulatory compliance issues? Would it help if you could automate the entire process, from documentation to controls testing & reporting?
• What percentage of your key controls are manual? Are you interested in automating more of your controls?
• Can you measure the effectiveness of your compliance programs? Do you have a single view for this?
16
Challenges/Capabilities/Value: CIO, IT Director…
CONSOLIDATION INNOVATION
CHALLENGES
• High percentage of IT budget devoted to compliance, and away from innovation
• Disparate silos of information; difficult to create reports to satisfy the business
• Unsatisfied with current state of application data access and security
• Unable to enforce best-practices for configuration and change management
CAPABILITIES
• Automated controls monitoring and segregation of duties enforcement
• Unified GRC reporting, alerts and tracker for business user
• Preventive and mitigating controls to ensure data quality and process integrity
• Form and workflow configuration through GUI based system
VALUE
• Manage by exception; reduce time and cost spent on compliance
• Improved support of Internal Audit and LOB compliance needs with less effort
• Accelerate response to user provisioning requests; ensure data security
• Consistent environments, full audit trail of changes, easier migration/upgrade
Oracle Differentiator
SAMPLE QUESTIONS
• Are you looking for opportunities to reduce the time and money you spend on compliance, so you can focus on projects that grow the business?
• Would it help if Finance and Audit had self-service dashboards and could create their own reports?
• How often do you receive application customization requests, and how much effort does it take to make the change every time?
17
Challenges/Capabilities/Value: Chief Compliance Officer, VP Audit…
COMPLIANCE ASSURANCE
CHALLENGES
• Audit data and reports difficult to generate – require significant IT and LOB support
• We need efficient reporting and comprehensive audit trail
• We need a consistent and cost-effective way to manage business processes, risk, controls visibility
• We need to document corporate policies and collaborate with line of business owners
CAPABILITIES
• Automated control testing, assessments, and evidence through self-service interface
• Centralized risk/control library; links to automated controls and control tests
• Pre-built, web-based reports (SoD conflicts, config changes, data changes, etc.)
• Integrated audit operations and compliance management solutions
VALUE
• Faster information flow and better visibility for quicker identification of potential issues
• Reduced audit time and efforts through self-service reporting and online, centralized evidence
• Better utilization of audit resources and coordinated efforts
• Timely and accurate information
• Closed-loop remediation and better risk management
SAMPLE QUESTIONS
• Would it help if you didn’t have to rely on IT to see the data to support your test scripts?
• Would it reduce your audit fees if you could show increasing levels of controls automation to your external auditors?
• Are you interested in promoting accountability for compliance to the LOB experts, so that you could focus on overall business assurance?
Oracle Differentiator
18
Simplify GRC and Reduce Costs
Safeguard Brand and Reputation
Run Your Business Better and Prove It
Oracle Governance, Risk, and Compliance
19
Agenda
• GRC Market Update
• Customer Pitch
• Top Opportunities
• GRC Solution Overview
• Competitive Overview
• Summary and Q&A
20
Who’s Buying GRC?
• $250M & higher
• Cross Industry
• Financial Services
• Telecomm
• Pharmaceuticals
• Manufacturing
• High-tech
• 64% of LogicalApps customer base
• Drivers:
• Sarbanes-Oxley (SOX)
• Segregation of Duties
• Change Management
PUBLIC
• $1B & higher
• Cross Industry
• Financial Services
• Media
• Retail
• Distribution
• Manufacturing
• 31% of LogicalApps customer base
• Drivers:
• Segregation of Duties
• Change Management
• Internal Audit
• Federal, State & Local
• Education
• Agencies
• Civil
• Dept. of Defence
• Aerospace & Defence
• Intelligence
• 5% of LogicalApps customer base
• Drivers:
• OMB A-123
• Improper payments
• Privacy act
• FISMA
PRIVATE GOVERMENT
21
What to Look For
Three opportunity indicators: Pain, Maturity Level, ERP Upgrades
• Reported material weaknesses, financial restatements
• SEC investigations, CFO or Controller turnover
• Changed auditors, increases in audit fees
• Heavily regulated industries
• Heavy investment in internal audit teams, separate audit officer
• Have already bought a documentation point solution
• Look for companies implementing upgrades to their Oracle or PeopleSoft ERP systems, including instance consolidation & standardization
22
GRC Customers
Over 300 Customers Across Multiple Industries
• Public Sector
• High Tech / Communications
• Financial Services
• Manufacturing
• Consumer / Retail
• Life Sciences/Pharmaceuticals
23
CHALLENGES / OPPORTUNITIES
• Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units
• World’s largest single Oracle EBS instance
• 20,000 Active users
• 50,000 Oracle responsibilities
SOLUTIONS
• Oracle GRC Manager
• GRC Control Suite
CUSTOMER PERSPECTIVE
“It would have taken more than 6 months of application customization and easily cost a couple of million dollars to create the 200 controls we implemented in only 8 weeks.”
Ravi Mahajani, ERP Solution Expert, Agilent
RESULTS
• Implemented 200 controls in 8 weeks
• Eliminated SOD conflicts to meet SOX compliance requirements on time
• Avoided 6-month customization effort, millions of dollars
COMPANY OVERVIEW
• Technology leader in communications, electronics, life sciences and chemical analysis
• Revenue > $5 Billion
• 20,000 employees
24
CHALLENGES / OPPORTUNITIES
• User access was too broad; corporate assets not protected effectively
• No way to track changes to ERP application data, including who, what, when and why changes were made
• Segregation of Duties (SOD) analysis process was expensive and distracting from the core business.
SOLUTIONS
• GRC Control Suite
CUSTOMER PERSPECTIVE
“We’ve reduced the time it takes to complete routine audits from two months to two days.”
Darlene Mac Cormac, VP of Procurement & Strategic Sourcing, Harris Bank
RESULTS
• Cut SOD review time from 2 months to 2 days
• Eliminated all known SOD conflicts
• Created detailed access rules protecting corporate assets
• Created comprehensive audit trails
COMPANY OVERVIEW
• Established in 1817
• Total assets of $312 Billion
• 35,000 employees
• Retail banking, wealth management, and investment banking
25
CHALLENGES / OPPORTUNITIES
• Mask sensitive data to comply with Privacy Act
• Lack of tools to identify & remediate control violations and establish effective monitoring process
• Difficulty satisfying management and audit requirements
SOLUTIONS
• GRC Control Suite – Access & Configuration Controls
CUSTOMER PERSPECTIVE
“After searching for two years for a solution that would allow us to hide social security numbers from unauthorized users, LogicalApps showed us that they could selectively hide critical fields within minutes.”
Michelle Overstreet, Program Manager, FAA
RESULTS
• Eliminated programming time for application customization
• Reduced detection and remediation time for control violations
• Developed a sustainable model to manage regulatory compliance
COMPANY OVERVIEW: Federal Aviation Administration
• Revenues > $250B
• 52,160 employees
• 1 of 4 Federal Centers of Excellence (COE)
26
CHALLENGES / OPPORTUNITIES
• User access was too broad
• Privacy Act violations
• No way to track changes to data, including who, what, when and why changes were made
• SOD analysis process was expensive and ineffective
SOLUTIONS
• GRC Control Suite
RESULTS
• Resolved 85% of SOD conflicts across ERP system; implemented mitigating controls for remainder
• Resolved privacy issues with access to SSN information
• Created detailed access rules and comprehensive audit trails to ensure A-123 compliance
ORGANIZATION OVERVIEW: Department of Health & Human Services
• Established in 1817
• Total assets of $658 Billion
• 35,000 employees
• World’s largest implementation of Oracle E-Business Financials
27
Agenda
• GRC Market Update
• Customer Pitch
• Top Opportunities
• GRC Solution Overview
• Competitive Overview
• Summary and Q&A
28
Oracle Solutions for GRC
Diagram: GRC solution stack
• GRC Reporting & Analytics: Reporting, KRI & Alerts, Dashboards
• GRC Process Management: Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt
• GRC Application Controls: Transaction Monitoring, SOD & Access, Application Configuration; Custom or Legacy Applications
• GRC Infrastructure Controls: Change Mgmt, Digital Rights, Data Security, Identity Mgmt, Records Mgmt
Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Purpose-built business solutions for key industries and GRC initiatives
Best-in-class GRC core solutions to support all mandates and regulations
29
Oracle GRC Reporting & Analytics
Diagram: GRC solution stack (as on the Oracle Solutions for GRC slide), highlighting GRC Reporting & Analytics
• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRI and issues
• Produce attestations and disclosures
• Configure to meet your specific needs
30
Oracle GRC Intelligence
Better decisions, more timely access to information, balanced performance
• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRI and issues
• Produce attestations and disclosures
• Configure to meet your specific needs
31
Oracle GRC Process Management
Diagram: GRC solution stack (as on the Oracle Solutions for GRC slide), highlighting GRC Process Management
• GRC system of record
• End-to-end GRC process management
• Platform independent
• Integrated control management
• Closed-loop issue remediation
32
Oracle GRC Manager
Unify risk and compliance documentation and orchestrate processes
• GRC System of Record
• End-to-End GRC Process Management
• Platform Independent
• Integrated Control Management
• Closed-loop Issue Remediation
Process flow:
• Document: Risk-Control Matrix; COSO/COBIT Frameworks; Policies and Procedures; Evidence & Records Retention
• Assess: Perform Self Assessment; Test Manual Controls; Scope Audits; Monitor Automated Controls
• Analyze: Receive Alerts; Review Reports; Investigate Exceptions
• Respond: Remediate; Retest; Optimize
• Certify: Sign-off and Publish
33
Oracle GRC Application Controls
Diagram: GRC solution stack, highlighting GRC Application Controls
• GRC Intelligence: Reporting, KRI & Alerts, Dashboards
• GRC Manager: Audit Management, Assessment, Issue & Remediation, Event & Loss Mgmt
• GRC Application Controls: Transaction Monitoring, SOD & Access, Application Configuration; Custom or Legacy Applications
• GRC Infrastructure Controls: Systems Mgmt, Digital Rights, Data Security, Identity Mgmt, Records Mgmt
Key points:
• Continuous controls monitoring and enforcement
• Preventive and detective controls
• Automated controls testing
• Best practice controls across key process flows
34
Oracle GRC Controls Suite
Preventive Controls (Enforce Policies in Context):
• Access Controls: what users can do
• Configuration Controls: how the environment is set up
• Transaction Controls: how users execute processes
Detective Controls (Monitor Control Effectiveness):
• Access Controls: what users have done
• Configuration Controls: what’s changed in the environment
• Transaction Controls: what are the execution patterns
35
Services, Support & Partnerships
• Comprehensive results-based offerings:
  • Rapid Deployment
  • Full Lifecycle Project Management
  • Subject Matter Experts
  • Risk Assessment
  • Prompt Remediation
  • Best-Practice Controls
  • Business Processes Optimization
  • Partnership with Accounting & Risk Advisory Firms
36
Agenda
• GRC Market Update
• Customer Pitch
• Top Opportunities
• GRC Solution Overview
• Competitive Overview
• Summary and Q&A
37
GRC Applications Suite Comparison
Comparison criteria (rating scale: Full / Somewhat / Minimal / None):
• Heterogeneous Platform support for SOD
• Contextual SOD Conflict Analysis
• Embedded SOD Prevention
• Cross-Platform Policy Definition
• Emergency Provisioning
• Access Simulation on Cross-Platform
• Field-Level Access & Change Control
• Pre-built Controls – Oracle & PeopleSoft
• Continuous Monitoring
• Risk Management Framework
38
Gartner’s Magic Quadrant for Enterprise GRC Platforms
Source: Gartner (June 2008)
39
Approva
Background
• Based out of Reston, Virginia
• Privately held, 100+ employees
• $10M approx. revenue in 2006
Strength
• Cross-platform controls monitoring
• Supports SAP, Oracle, PeopleSoft, JDE and custom legacy apps
Weakness
• Majority of customers are on SAP platform
• Only a handful of customers on Oracle EBS
• No embedded preventive controls
What they will say
• No cross-platform capability - only operable on Oracle EBS
• They are the only true agnostic, as they have no ERP offering
How we respond
• GRC Manager and GRC Intelligence support ALL application platforms today
• GRC Controls Suite is the #1 solution for the Oracle E-Business Suite and PeopleSoft Enterprise
• Our new release 8.0 extends cross-platform capabilities for PeopleSoft, JDE, SAP, Hyperion, and our clients’ other business applications
40
SAP
Background
• Dedicated GRC business unit
• Growing overlay sales org
• Recognized market visionary
Strength
• Segregation of Duties controls
• Cross-platform support
• Global Trade Management
Weakness
• No play in GRC infrastructure (content & records mgmt, identity mgmt, and database security)
• No preventive control capabilities for any customer, SAP or Oracle
What they will say:
• Follower in the GRC space
• Not a true GRC application provider
• Limited cross-platform capability
How we respond:
• In the last Finance GRC MQ, Gartner rated Oracle superior to SAP in ability to execute
• To truly address GRC needs such as financial compliance, IT governance, and information security, customers need core infrastructure in addition to purpose-built applications
• GRC Manager and GRC Intelligence support ALL application platforms today. GRC Controls Suite is the #1 solution for the Oracle E-Business Suite and PeopleSoft Enterprise. Our next release will extend cross-platform capabilities for JDE, SAP, Hyperion, and legacy applications
41
Recommended Next Steps
• Assess your current organizational needs
  • Immediate requirements of high priority projects
  • Mid and long term objectives
  • Cost benefit consideration
• Evaluate Oracle’s combined solution offering
  • Functional product demonstration
  • Combination of new solution with existing infrastructure
  • Enabling services and support
42
Q&A