Governance, Risk & Compliance
An Integrated Framework
People, Processes & Platform
Dr Neil Dodgson
Director Risk and Compliance Solutions
EMEA Financial Services
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Why Bother?
Governance, Risk, and Compliance (GRC) At-a-Glance
Culture
• Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability
Governance
• Set and evaluate performance against objectives
• Authorize business strategy & model to achieve objectives
Risk Management
• Identify, assess, and address potential obstacles to achieving objectives
Compliance
• Encourage / require compliance with established policies and boundaries
• Identify / address violation of mandated and voluntary boundaries
• Detect non-compliance and respond accordingly
Source: Open Compliance and Ethics Group
Good GRC is Good Business: Reputational & Strategic Risk
Executives Seek Returns from GRC Investment
[Chart: share-price performance of companies complying with SOX rules, comparing companies with no control weaknesses in 2004-05, companies with a control weakness in 2004 but none in 2005, and companies that reported a control weakness in 2004-05 (values shown: 28%, 26%, 6%). Source: Lord & Benoit, 2006]
[Chart: price of a control deficiency for a $1 billion company: $10 million in higher cost of equity capital. Source: University of Wisconsin, 2006]
[Chart: savings on legal liability avoidance from GRC investment: $1 of spending on compliance against $5 of savings on lower legal liability. Source: General Counsel Roundtable, 2006]
[Chart: opportunity cost of siloed GRC: cost of GRC and resources for innovation plotted against the number of GRC projects, comparing an ad hoc approach with a platform approach]
What Are the GRC Management Challenges?
Enterprise-Wide Responsibility (CEO)
CFO / VP of Finance
• Reducing the total cost of GRC
• Timely notification of control issues, material weaknesses and violations
• Accurate & comprehensive information on financial results, compliance and audit
Chief Compliance Officer (CCO)
• Increasing efficiency & consistency of compliance processes
• Reducing fees & regulatory actions by reducing compliance violations
• Planning and oversight of compliance management resources
• Identifying and implementing optimal detective & preventive controls
Chief Risk Officer (CRO)
• Balancing the range of enterprise risks
• Evaluating business requirements and technical risk capabilities
• Reducing organizational cost of risk exposure and cost of mitigation or acceptance
CIO
• Ensuring auditable, secure information management
• Automating GRC information management
• Eliminating multiple internal GRC solutions
• Implementing IT platform for GRC standardization, simplification & security
Risk & Compliance Officers
What Keeps You Awake at Night?
[Images: prison; data]
GRC Requirements and Complexity Increase Across the Map
[Diagram: regulations and mandates (SOX, JSOX, Basel II, IT Governance, GLBA, HIPAA, FDA, EU Directives, …) and jurisdictions (Canada, India, France, China, Japan, U.K., EU, U.S., Germany) mapped against business functions (Strategic Alignment, Credit Risk Mgmt, Financial Reporting Compliance, Manufacturing, Market Risk Mgmt, Workforce Governance, Data Privacy, Legal Discovery, Sales & Mktg, Purchasing, Audit Management, Records Retention, Engineering, Operational Risk Mgmt, Service Level Compliance, Supply Chain Traceability, Finance, Suppliers, Customers) and the technology estate (Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications)]
Traditional Approach????
Integrated Risk & Compliance Framework
Capital Management/Basel II/Solvency II/BI: Dashboards, RAPM, Economic Capital
Risk Management: Market, Credit, Operational, HR, ALM, Learning Management
Internal Controls & SOX: Loss, RCSA, Process Mapping, Actions, KRI / KCI, Documentation
Monitoring & Compliance: AML, Fraud, KYC/CDD, MiFID
Financial Control & Reporting: Core Financials, Budgeting & Planning, BI
Enterprise Content Management: Records Management, Legal Discovery, Change Management
COBIT (Security, Identity & Data Management): Encryption, Audit, Master Data, Segregation of Duties, Identity Mgmt, Data Warehousing
BPEL Workflow Management
Governance, Risk & Compliance
People
Know Your Employee
Foster a Culture of Ethics and Excellence with Workforce Governance
Self-Paced Employee Learning
• Ensure employees understand regulations and policies in the most time- and cost-effective manner
• Prove employee acknowledgment of accountability
• Trust a single source of authoritative information for policy and procedure reference
Central Policy & Procedure Portal
Governance, Risk & Compliance
Processes
A Holistic GRC framework for:
• SOX requires identification of risks and the management of controls through assessments
• RCSA - Operational Risk requires the identification of risks and the management of controls through self assessments
• MiFID and RegNMS require client suitability and transaction surveillance
• AML requires KYC and transaction surveillance
• Fraud detection requires both transaction monitoring and Risk & Control Self Assessment
A common process understanding for Compliance and Operational Risk would be a first step to GRC convergence
GRC framework: Converging Requirements
[Diagram: requirements (AML, MiFID, RegNMS, KYC, COBIT, Info Security, Audit, Internal Controls, Basel ORAMA) feeding a common GRC Framework: Analytics & Reporting, Capital Calculations, Attestations, Action Planning, Case Management, Behavior Detection, Controls Testing, RCSA, KRI, Events Management; Process Maps, Reference Data, Oversight Library; GRC Infrastructure]
Recent Incidents and possible lessons learned
• Identifies the need for an independent Compliance monitoring system that can detect suspicious or irregular activity among all trades and orders in the organization.
• Identifies the danger of using in-house systems for Compliance monitoring.
• Identifies a lack of adequate Surveillance and Behaviour Pattern Detection.
• Good Risk management DOES NOT equal Good COMPLIANCE.
• Identifies an ongoing need for Operational Risk to be more closely monitored and enforced within financial organizations.
• Near-real-time alert generation of potentially fraudulent behaviours, irregular behaviours, excessively large positions, and other suspicious patterns.
• A holistic view across all areas is required to provide transparency across multiple asset classes and jurisdictions to avoid hidden P&L.
• Integrated GRC systems.
The Police: Behaviour Detection Platform Overview
[Diagram components: Data Ingestion; Data Model & Behavior Detection; Alert Management; Case Mgmt; Compliance Monitoring; Reports & Analytical Tools]
Behavior Detection Platform: Enterprise Surveillance
One Implementation Solves Many Problems
[Diagram: Behavior Detection Engines for Fraud and Identity Theft, Trading Compl., OpRisk Key Indicators, AML, Broker Surveillance, Investment Manager Surveillance, Customer Cross Sales, Best Ex and Cust Suitabi.; 300+ scenarios, including High Risk Instructions, Jrnls Btwn Unrel., Trading Ahead, Abusive Squeezes, ATM Fraud, Parking, Painting the Tape, Insider Trading, Sanctions List, High Risk Geo, Network of Acco, Structuring, Rapid Mvt, Hidden Networks, Possible CTR, Change In Behaviour, Price Improvement, Wash Trades; supporting components: Financial Services Data Model (FSDM), Workflow Manager, Scenario Development Toolkit, Data Ingestion; lines of business served: Global Corresp. Banking, Global Retail Banking, Global Private Banking, Global Fixed Income, Global Capital Markets, MBS, Asset Mgmt, Retail Brokerage, Global Instl. Liquidity, Global Wholesale Brokerage]
Integrated behavior detection solution
Enterprise Risk, Compliance & Performance Management
[Diagram: Databases, BI Dashboards, Analytics Server, Profitability / Risk Engine, Data Warehouse]
Managing Risk, Performance & Profitability Across the Enterprise
Profitability
• Multi Dimensional Profitability
• Customer Profitability Available to Front Office
• Product and Branch Profitability
• Activity Based Costing
• Transfer Pricing
Performance
• Planning & Budgeting
• Performance Scorecards
• Operational Cost Analysis
• Risk Adjusted Performance Mgmt
Risk Management
• Risk Assessment/Quantification
• Credit, Market & Operational Risk
• Complete & Transparent Audit Trail
• Asset/Liability Mgmt
Compliance
• Regulatory Compliance
• Basel II
• SOX
• Anti-Money Laundering
• Regulatory Reporting
• Internal Controls Manager
COMPANY OVERVIEW
• Fifth largest bank holding company in the US, based on assets under mgmt
• Third-largest U.S. full-service brokerage firm, based on client assets under mgmt
• $700 million in managed assets
• 110,000 employees
CHALLENGES / OPPORTUNITIES
• Lack of a centralized view of Investment Bank Deposit, Loans, Product Fees, and Sales
• GRC-related data from multiple, non-integrated data sources & applications
• Time-consuming and labor-intensive core data management
• Poor data quality and inadequate user satisfaction
SOLUTIONS
• Business Intelligence (Analytics)
• Reveleus Basel II
CUSTOMER PERSPECTIVE
"We have been extremely impressed with the ability to bring data together from disparate sources and make it easy to access and leverage across the organization."
Brian Collins, Technical Sponsor
RESULTS
• Delivered role-based access to multiple data sources for Fixed Income, Treasury, and Investment Banking in 100 days
• Provided over 300 key performance, risk and compliance metrics on a consolidated, real-time dashboard
• Saved up to 80 hours each month with Automated Variance Analysis
• Expects to increase cross-sell and up-sell revenue by 75%
Customer Example
Tier 2 Regional Bank, within US Top 25, 321 branches
[Screenshots: Executive Dashboard, Scorecard, Products, RAROC, Top Bottom Profitability, Reporting, Transactions]
Role-based dashboards driving insight from robust detail account-level data containing statistical information, revenue, expense and derived calculations from a single source
Liquidity Risk Analytics
Compliance Alerts: Fraud, Rogue Trader, Market Abuse, AML
Governance, Risk & Compliance
Platform
Richard Thomas
Information Commissioner
Information Commissioner's Office
"Business and public sector leaders must take their data protection obligations more seriously… privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers."
How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other's forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured, in non-confidential waste bags?
Information Risk Continues Unabated
Information Security Becomes Part of Overarching GRC Strategy
50% of 1,000 executives polled said information technology is the most challenging area in achieving Sarbanes-Oxley 404 compliance
Source: KPMG 404 Institute, 2006
Key GRC Foundation Components
• Data Classification, Categorisation & Security
– How customers use Oracle Label Security to assign and protect sensitive or high-risk data categories
– How this can be extended to cater for non-Oracle structured data
• Identity & Access Management
– How customers use Oracle Identity Manager, Oracle Access Manager, Oracle Risk Based Authentication and Oracle Role Manager to attest, manage, control, provision and de-provision access to systems and data
• Segregation of Duties Controls
– How customers use Oracle Database Vault to protect high-risk data from the insider threat
• Audit Controls
– How customers use Oracle Audit Vault to 'trust but verify' access and changes to key data items
Integrated Risk & Compliance Framework
Capital Management/Basel II/Solvency II/BI: Dashboards, RAPM, Economic Capital
Risk Management: Market, Credit, Operational, HR, ALM, Learning Management
Internal Controls & SOX: Loss, RCSA, Process Mapping, Actions, KRI / KCI, Documentation
Monitoring & Compliance: AML, Fraud, KYC/CDD, Trading
Financial Control & Reporting: Core Financials, Budgeting & Planning, BI
Enterprise Content Management: Records Management, Legal Discovery, Change Management
COBIT (Security, Identity & Data Management): Encryption, Audit, Master Data, Segregation of Duties, Identity Mgmt, Data Vault
BPEL Workflow Management
C Level Objective