XeroRisk Corporate Risk Governance Enterprising risk management

Xero Risk Product Presentation V3.2

1. XeroRisk Corporate Risk Governance: Enterprising risk management

2. Contents
   • Risk Governance Overview
   • Why manage risks?
   • Risk Maturity
   • Integrated Risk Management
   • Line Xero
   • Background
   • Services
   • XeroRisk
   • XeroRisk: A flexible deployment solution
   • Roadmap

3. Why manage risks?
   "A company's objectives, its internal organisation and the environment in which it operates are continually evolving and as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. Since profits are, in part, the reward for successful risk-taking in business, the purpose of internal control is to help manage and control risk appropriately rather than to eliminate it."
   "The guidance is based on the adoption by a company's board of a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness. This should be incorporated by the company within its normal management and governance processes. It should not be treated as a separate exercise undertaken to meet regulatory requirements."
   Turnbull Report, September 1999

4. The Evolution of Risk Management
   Previously:
   • Historical risks only
   • Expert management
   • Statistical analysis
   Now:
   • Non-traditional risks
   • Causes of risk
   • Organisation-wide involvement
   • Senior management buy-in
   • Risk indicators

5. Risk Governance Maturity
   Immature:
   • Risk management is ad-hoc
   • Individuals or small teams
   • No corporate visibility
   • Appetite & exposure unknown
   • Risk data not used to drive strategy
   Maturing:
   • Simplistic framework
   • Departmental
   • Limited corporate visibility
   • Risk exposure may be inaccurate
   • Mitigation plans may be used to identify priorities
   Mature:
   • Flexible governance framework
   • Whole of company
   • Corporate visibility & control
   • Risk appetite known & monitored
   • Use of risk data to drive investments & priorities

6. Integrated risk management
   • Risk management must be a whole of company process
   • Requires board level buy-in to objectives and methods of risk management
   • Risks are controlled at the appropriate level within the business, by the most appropriate people
   • Control & management of risks must be part of the normal business process, not an add-on or afterthought
   • Risks must be balanced at the corporate level
   • Without risk co-ordination, perceived risks may be blown out of proportion
   • There must be mechanisms to escalate risks to the appropriate level
   • The risk management system needs to support the risk process without being intrusive
   • Intrusion usually results in non-use
   • Risk co-ordination & challenge processes become "big stick" exercises

7. Integrating RM & strategic processes
   [Diagram: process flow. Recoverable box labels: Agree strategic goals; Identify risks & understand origins; Quantify risk; Agree acceptable risk levels; Identify actions required & likely effects; Monitor implementation of actions; Monitor external & internal changes; Update assumptions & goals. Further labels on the diagram: Impact; Related actions required; Mitigation; Cost/benefit.]

8. Line Xero: Company Overview
   • Formed in 1990 as an IT strategy consultancy
   • Provides IT Design Authority services to a number of FTSE-100 companies
   • Created XeroRisk as a product in 2004
   • Originally built for United Utilities
   • Strong take up in asset intensive & regulated businesses
   • Operates e-commerce web application facilities on behalf of several Internet based businesses

9. Line Xero: XeroRisk Overview
   • Simplicity
   • Licensing: Easy & flexible licensing schemes; Trust based; Clear commercials
   • Support: Dedicated support team; Dedicated support telephone number & self-service portal
   • Development: Clear roadmap; Zero cost upgrades & functional improvements

10. Line Xero: Hosting Services
   • Operate two datacentres
   • Melton Mowbray: Production
   • Maidenhead: Disaster Recovery
   • 1 DR failover in 2006 (for 3 hours): network outage
   • Mirrored database services
   • 15min recovery
   • Clustered in-centre d/b services
   • Tape backups & tape shipping

11. XeroRisk: A risk management solution
   • Fully web based application
   • Integrates with existing business processes
   • Simple to deploy
   • Very intuitive to use
   • Risks identified, managed & controlled on the ground
   • Corporate exposure valued & monitored through escalation and aggregation
   [Diagram labels: Risk Assessment; Application of Actions & Controls; Assignment of ownership & monitoring]

12. XeroRisk: Functional Coverage

13. Standards Based Compliance
   • Supports the core requirements of AS/NZS 4360:1999
   • The only recognised risk management standard approved by ISO
   • Ensures the full traceability of risk management and mitigation actions
   • Supports elements of Basel II
   • A risk management process for banking & financial environments
   • Requires the risk process and associated systems to support both Board & Senior Management oversight of risk exposure

14. XeroRisk Features
   • Full organisation model support
   • Role based security
   • Fully configurable risk assessment categories & levels
   • Email escalation & notification
   • Full audit trail of all user risk management activities
   • Built in reporting functions include Excel export, graphs etc.
   • Support for unlimited users, risks, organisation units, hierarchy levels

15. A flexible deployment solution
   Quick Implementation:
   • XeroRisk doesn't require installation on each client
   • Generic branded product available off the shelf
   • Branding to follow corporate styles can be quickly developed
   Reduced support costs:
   • New releases & updates are installed on central servers
   • Does not impact corporate desktop builds or current security policies
   True Thin-Client:
   • There are no ActiveX or Java components downloaded to the client
   • Partners or contractors can be quickly added without IS intervention
   Low client hardware demands:
   • Only a standard web browser is required for access
   • Integrates with standard or thin client desktops (e.g. Citrix)
   Industry leading components:
   • Windows 2003 Server or higher (Windows 2003 server recommended)
   • Microsoft SQL Server 2000 (Microsoft SQL Server 2005 SP2 recommended)

16. Deployment: Delivery mechanisms
   Intranet:
   • Installed on your hardware
   • Managed by in-house team
   Internet:
   • Installed on your hardware
   • Managed by your existing service provider
   Hosted (ASP) Dedicated Solution:
   • Installed on dedicated Line Xero hardware
   • All system resources dedicated to you, with bespoke control over security, DR, backup regimes etc.
   • Managed by Line Xero support personnel
   Hosted (ASP) Shared Solution:
   • Installed on Line Xero hardware
   • You share the application server & database resources with other clients
   • Managed by Line Xero support personnel

17. Deployment: Choosing the model
   [Table: deployment models (Intranet, Internet, Hosted Shared, Hosted Dedicated) against the questions below. The per-model marks are not present in the text; two cells following the first question read "using 128-bit SSL or VPN".]
   • Do you need absolute control of your data?
   • Will you allow contractors or partners access?
   • Do you need XeroRisk to follow your corporate style?
   • Will you need bespoke functionality developing to meet your risk management process?
   • Do you require a system availability of 24 x 7?
   • Can your in-house IS support team manage the technical environment used by XeroRisk?
   • Do you need to integrate XeroRisk data with other business systems?

18. Deployment: Professional Services
   Implementation management & consultancy:
   • Project management of end-to-end solution
   • Customisation of base product to support client requirements
   • Definition of process and training needs
   • Product branding (skinning) to follow corporate styles
   Technical Support:
   • Definition of deployment architecture
   • Hardware & infrastructure definition
   • Capacity planning and hardware sizing
   CD Backups:
   • Applicable for hosted deployments
   • Includes production & delivery of regular database archives
   Training:
   • Training solutions including train-the-trainer, group training etc.

19. Deployment: Security Architecture
   [Diagram labels: External Users (Web Browser); Internal Users (Web Browser); Optional 128-bit SSL; Firewall; Login and Authentication; Access control & permissions; Role based permissions to functional areas; Administrator functions for account/system maintenance; Security applied on per-object basis; Demilitarised Zone; Primary Database; Secondary Database; DR Database; Mirroring; Log shipping]

20. Deployment: Technical Architecture
   [Diagram labels: Web Browser (JavaScript); LAN/WAN; Internet; IIS (.Net); Web Components; COM+; Stored Procedures; "SQL Server 2005 or"; SMTP; Microsoft Windows 2003 Server (shown twice)]

21. Integration with Collaborative Products
   Business Process Management:
   • Integration with Business Objects Management suite
   • Currently integrated at the portal level
   Reporting & Analytical tools:
   • Published database schema
   • Accessible with most reporting toolkits, e.g. Business Objects, Forest & Trees

22. Industry Positioning
   UK markets (labels as extracted, including "Example Clients"): Water; Utilities; Gas; Communications; Postal Services; Water; Electricity; Public Services; Transport; Police; Local Authorities; Rail Operators; Rail Maintenance; Airlines
   International markets: Utilities; Water; Electricity

23. Development Roadmap
   [Timeline: October 2007, January 2008, April 2008, July 2008; Development and Production tracks for Release 5.3 and Release 6.0]
   Promotion of client installations from R5.2.1 to R5.3 will be agreed through normal change control processes.
   Promotion to R6.0 will be a longer process due to extensive re-engineering of the underlying presentation technology. Hub installations will require additional cross-business testing.

24. Release Features
   • Release 6.0
   • Hierarchical configuration
   • Pie & 3D Charting
   • Specific ordering (Organisation units)
   • ASP.Net Re-code
   • On-screen calendaring
   • Opportunities
   • Active indicator for picklist items
   • Web Services/The Hub
   • User groups & Teams improvements
   • Action list tick boxes
   • Straight to Action Plan tab
   • Scheduled reporting improvements
   • Flag high impact/low likelihood risks
   • Integrated SMS notification
   • Mobile XeroRisk
   • Running commentary
   • My Home page
   • XeroRisk Dashboard

25. Web Services
   [Diagram labels: Business Application; Web Service; XeroRisk v6.0]
   1. User logs onto the business application
   2. The user is authenticated by the security services
   3. A request is made to access risk data
   4. The security object provided by the business application is checked
   5. If the user has appropriate privileges, the risk data is retrieved
   6. The data is transferred through an XML schema

26. The Hub
   [Diagram labels: The Hub; Object permissions; Security objects; Authority to link; Link requests; Object views; Message updates; Company A; Company B; External services; Finance; Asset Mgmt; HR; Finance; Link data; Risk updates; Internal risks]

27. Any Questions?

28. Demonstration

29. Thank you