1. 6 Concrete Benefits of anIntegrated GRC Initiative A MEGA eBook Nicolas Betbeder-Matibet, Managing Director, MEGA Asia - MEGA September 2012

2. The Case for Integrated GRCIndependent Each function These functions They interactassurance functions risk management, have deployed together, butstrive to improve internal audit, comprehensive with limitedprocess efficiency, compliance, and frameworks based coordination andincrease business even business on best practices few synchronizedperformance, and continuity in order to meet their initiatives,reduce risk for the management goals typically remainingorganization delivers a certain independent value to the organization MEGA September 2012

3. Integrated GRC Increases Value Enhance process Increase the efficiency and contribution ofOrganizations effectiveness of the assurance functions toshould begin assurance functions business performanceby establishing Reduce information Expand collaborationthese basic duplication, improve between assurance transparency, and functions and businessobjectives for an increase control over groupsintegrated GRC data Reduce risk throughinitiative Provide more centralized and cross- comprehensive referenced information information and data across the organization MEGA September 2012 and a shared single truth to support business decisions

4. Integrated GRC INTEGRATED GRC Analysis & Reporting When individual assurance functions are Risk Compliance Audit BCPM integrated, they:Reporting Management Risk & Control Centralized Data coordinate with business lines through business architectureMapping Risk & Control Common Framework Risk Process Compliance Process Audit Process BCPM Process are based on a & Best Practices & Best Practices & Best Practices & Best Practices common risk &Assessment control framework Business Lines Interactions and Engagement and data Integrated GRC Processes & Best Practices provide cross- MEGA September 2012Action Plan ISO, COSO ISO, COSO The Institute Business Continuity functional analysis of Internal Audit Institute and consolidated reporting BUSINESS ARCHITECTURE

5. 6 Concrete Benefits of Integrated GRC INTEGRATED GRC Analysis & Reporting Risk Compliance Audit BCPM BenefitsReporting Management Risk & Control Centralized Data Consistent risk data & improved transparencyMapping Risk & Control Common Framework Risk Process Compliance Process Audit Process BCPM Process Best practices adopted & Best Practices & Best Practices & Best Practices & Best Practices Improved efficiency of assurance functionsAssessment Business Lines Interactions and Engagement Smooth interaction with business lines Integrated GRC Processes & Best Practices Collaboration between control functions MEGA September 2012Action Plan ISO, COSO ISO, COSO The Institute Business Continuity of Internal Audit Institute BUSINESS ARCHITECTURE Engaged business lines/more risk awareness

6. Benefit Consistent Risk Data & 1 Improved Transparency Integrated The framework Centralization and GRC offers a is shared by the standardization of centralized and assurance functions risk data creates standardized data to empower transparency repository based collaboration for executives, on a common GRC through re-use, giving access to framework reduce costs consolidated through sharing, reporting and guarantee consistency and completeness MEGA September 2012

7. Benefit Consistent Risk Data & 1 Improved Transparency Challenges Achievements Risk and control data Moved from five Leading was fragmented and incomplete repositories Healthcare duplicated: to two standardizes Organization in ones Central/South Three risk repositories Maintenance costs for America Two control repositories information reduced by more than 50%, Non-consistent while data consistency framework improved Partial analysis Risk overview reports MEGA September 2012 for executives were created on top of consolidated repositories

8. Benefit Consistent Risk Data & 1 Improved Transparency Challenges Achievements Control functions Using advanced reporting One of struggled to provide capabilities, banks can: risk analysis to support Southeast business decisions: Drill down to see risk Asias Top exposure in multiple Banks Risk data not current ways Could not do analysis in Can evaluate by different dimensions product, legal entity, business line, process, risk type, and more MEGA September 2012 Take into account ongoing mitigation action plan and control assessment

9. Benefit Best Practices Adopted 2 Integrated GRC provides the The initiative may mechanism to revisit current processes and identify potential increase value by improvements by exploring the implementing best successes of others in the practices that are industry integrated with the GRC Creates momentum favorable to solution as a starting effective change management and implementation of new point, or as a target practices that improve business for process/practice performance redesign MEGA September 2012

10. Benefit Best Practices Adopted 2 Challenges Achievements Sought world-class Adopted world-class best practices in every integrated GRC solution High Growth domain, but lacked to meet goals Bank in capability to implement Moved quickly from no Africa Goal was developing frameworks for change efficiency focus to success in change culture to create management competitive edge Improved operational Executives determined risk management to create and sustain demonstrated value of MEGA September 2012 strong growth adopting best practices Operational risk management identified as top priority

11. Benefit Improved Efficiency of 3 Assurance Functions An integrated GRC initiative When supported by an will automate low value- added activities and increase integrated GRC solution, productivity each assurance function Individually, each assurance benefits from its own function will use specific set of automation business capabilities to support capabilities to improve and improve the efficiency and effectiveness of its processes the management of its own processes MEGA September 2012

12. Benefit Improved Efficiency of 3 Assurance Functions Challenges Achievements Audit team had 45 Improved file Leading auditors in 40 countries management Managing audit through Optimal management Worldwide email and office tools of 1000+ audit Energy was inefficient and recommendations Provider costly Consistent traceability Governance goals and follow-up for 3300+ could not be met actions Gained ability to plan and manage 50 annual audit missions Developed more MEGA September 2012 efficient resource management Centralized all audit documentation Saved the cost of 2.5 FTEs

13. Benefit Improved Efficiency of 3 Assurance Functions Challenges Achievements Operational Risk Report produced Management group automatically and required to prepare instantly, saving 8 days Top Asian quarterly report for of effort Bank regulators Decentralized data Team spent 3 days gathering supported consolidating and 5 with validation ensured days validating data for by business rules and report workflows in GRC solution MEGA September 2012

14. Benefit Smooth Interaction with 4 Business Lines Business lines demand An integrated GRC will efficiency through a streamlined and non-disruptive collaborative reduce the idea that process assurance functions One of the biggest threats to encumber business success for assurance functions groups through a is to be perceived by business coordinated approach to lines as a burden assessment campaigns MEGA September 2012

15. Benefit Smooth Interaction with 4 Business Lines Challenges Achievements Non-synchronized GRC Reduced workload Leading processes created for business groups excessive information with new common Financial demands for business assessment method Institution departments that coordinates in Asia analysis campaigns Business groups reluctant to cooperate New methods help in providing information business lines provide because of excessive needed information staff time and cost quickly and easily MEGA September 2012 Better information available to business groups through improved analysis

16. Benefit Collaboration between 5 Assurance Functions With all assurance functions When supported by an involved in the integrated GRC initiative, the program is a strong integrated GRC solution, collaboration enabler the collaborative, Assurance functions typically integrated environment identify and develop even more supports and empowers interactions, creating significant interactions between the advantages for the organization different processes The value created through integrated GRC is greater than the sum of the independent assurance functions MEGA September 2012

17. Benefit Collaboration between 5 Assurance Functions Challenges Achievements Control functions Risk and compliance were siloed with little groups initiated Large Middle coordination/interaction interactions to prevent Eastern silo effects Inconsistent and Conglomerate unsynchronized Modifications of risk activities assessments triggers notifications for review Unable to achieve enterprise view of risk Logging incidents and compliance in one area sets off automated copying to MEGA September 2012 other areas

18. Benefit Engaged Business Lines/More 6 Risk Awareness By integrating the risk & When supported by control layer within business architecture, the integrated GRC a common solution, solution positions risk exposure business lines and as part of the criteria for assurance functions business performance share a common This integrated approach business & GRC supports the development of risk awareness within framework to align business lines and facilitates business performance collaboration with assurance objectives with GRC functions objectives MEGA September 2012

19. Benefit Engaged Business Lines/More 6 Risk Awareness Challenges Achievements Fast growth and rapid Comprehensive diversification required understanding of European process review for overall business processes organization lets control functions Financial and business process Conglomerate Company growth through departments work jointly acquisition created to identify relevant risks higher risk exposure and effective controls Business process approach facilitated collection, analysis and review of consolidated MEGA September 2012 information Reporting capabilities allow board members and internal control committee to make informed decisions

20. Goals and Benefits of Integrated GRC Objectives Benefits Enhance process Consistent risk data & improved efficiency and transparency effectiveness of the Best practices adopted assurance functions Improved efficiency of assurance functions Increase the Smooth interaction with business contribution of lines assurance functions Collaboration between assurance to business functions performance MEGA September 2012 Engaged business lines/more risk awareness

21. In summary Objectives Principles Concrete Benefits Enhance process Standardize & Common vocabulary and approach Consistent risk data & efficiency and harmonize to key GRC activities improved transparency effectiveness of the Best practices adopted assurance Improved efficiency of functions Coordinate risk Risk areas coordinate with one assurance functions another to afford reuse and a areas portfolio view of risk Increase the Synchronize GRC activities synchronize with Smooth interaction with contribution of with business mainline processes to reduce business lines burden on the business assurance Collaboration between functions to control functions business Engaged business lines/ MEGA September 2012 Embed in GRC activities are embedded in performance mainline processes and become part more risk awareness process of the fabric of the business itself Integrated GRC

22. For more information, please contact us at info@mega.comvisit www.mega.com - @mega_int Optimize Transform Govern Design Manage optimized Govern transformations organizations execution and growth and systems MEGA September 2012