1. Governance, Risk & Compliance An Integrated Framework
People, Processes & Platform
Dr Neil Dodgson
Director Risk and Compliance Solutions
EMEA Financial Services

2. Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3. Why Bother?

4. Governance, Risk, and Compliance (GRC) At-a-Glance
Set and evaluate performance against objectives
Authorize business strategy & model to achieve objectives
Culture
Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability
Governance
Culture
Risk Management
Identify, assess, and address potential obstacles to achieving objectives
Identify / address violation of mandated and voluntary boundaries
Risk
Compliance
Compliance
Encourage / require compliance with established policies and boundaries
Detect non-compliance and respond accordingly
Key Message: Governance, risk and compliance management should be viewed as related functions, with common activities, that are best approached in a comprehensive and integrated fashion.
We can go through and define the individual components of GRC further. Governance authorizes the strategic directives for an organization to follow. Risk management assesses the areas of exposure and potential impacts. And Compliance is the tactical action to mitigate risk.
The essential takeaway though is that governance, risk and compliance management should be viewed as related functions, with common activities, that are best approached in a comprehensive and integrated fashion.
Common information, processes and systems can be leveraged to help address all three functions, so that they no longer lead separate “lives” within the company. At its essence, GRC can and should help to overcome the cost and risk of silos – whether these are organizational, functional, or process silos.
Source: Open Compliance and Ethics Group

5. Good GRC is Good Business: Reputational & Strategic Risk Executives Seek Returns from GRC Investment
Source: Lord & Benoit, 2006
Share-price performance of companies complying with SOX rules
28%
26%
6%
Control weakness in 2004, but none in 2005
No control weaknesses in
Reported control weakness
Price of control deficiency for
$1 billion company
Source: University of Wisconsin, 2006
$10 million in higher cost of equity capital
Savings on legal liability avoidance from GRC investment
Source: General Counsel Roundtable, 2006
Spending on Compliance
Savings on Lower Legal Liability $1 $5
# of GRC projects
Ad hoc Approach
Platform Approach
Resources for innovation
Opportunity cost of siloed GRC
Cost of GRC
Key Message: GRC Drives Principled Performance
There is no doubt that organizations are very concerned about the cost of compliance. Research from the industry analyst AMR estimates that spending on compliance will total $27 billion, and efforts by regulatory bodies to simplify and provide further guidance to organizations attests to the continuing outcry to contain costs.
In light of this focus on cost containment, is it even practical to talk about gaining returns from a GRC investment? The answer is yes. As the Open Compliance and Ethics Group elegantly states, the whole point of GRC is to drive “principled performance”. A recent study conducted by the consulting firm Lord & Benoit revealed that companies that reported a clean bill of health with respect to financial reporting saw their share-price performance increase by 28%. In contrast, those companies that had ongoing violations saw their share prices drop by 6%. Perhaps the most interesting finding however, is in the second column, that shows that companies can recover – if they fixed control violations in year 2, their performance also improved by 26%.
Another way to look at the benefits of overall good GRC is in the cost of borrowing. A recent study from the University of Wisconsin shows that companies reporting internal control deficiencies have an increased risk of misstating their financials, which causes the cost of equity to increase by about 1 percent. For a company with a market capitalization of $1 billion, a 1 percent increase in capital cost would be equivalent to a $10 million movement.
Looking from the perspective of legal liability, there are concrete returns to be had from compliance spending. Research from the General Counsel Roundtable finds that each additional dollar of compliance spending saves an organization, on average, $5.21 in improved avoidance of legal liabilities, harm to the organization’s reputation and lost productivity.
Finally, while an ad-hoc, or as some would call it “fig-leaf” approach to GRC, may initially cost less, over time as the number and complexity of GRC requirements increase, a project by project approach will invariably cost more than a platform approach which addresses multiple requirements simultaneously.
Lord & Benoit Study:
University of Wisconsin Study:
General Counsel Roundtable:

6. What Are the GRC Management Challenges? Enterprise-Wide Responsibility
CFO / VP of
Finance
Chief Compliance Officer (CCO)
Chief Risk Officer (CRO)
CIO
CEO
Increasing efficiency & consistency of compliance processes
Reducing fees & regulatory actions by reducing compliance violations
Planning and oversight of compliance management resources
Identifying and implementing optimal detective & preventive controls
Reducing the total cost of GRC
Timely notification of control issues, material weaknesses and violations
Accurate & comprehensive information on financial results, compliance and audit
Balancing the range of enterprise risks
Evaluating business requirements and technical risk capabilities
Reducing organizational cost of risk exposure and cost of mitigation or acceptance
Ensuring Auditable, secure information
Automating GRC information management
Eliminating multiple internal GRC solutions
Implementing IT platform for GRC standardization, simplification & security
Creating transparency in risk management processes is essential to helping organizations build trust and control performance volatility. Yet delivering this transparency requires more than a framework. Companies need leadership that can manage risk across business units and integrate financial techniques with organizational best practices. Many enterprises have established an executive position to handle this challenge: the Chief Risk Officer (CRO). In this emerging role, the CRO must weigh business requirements against technical capabilities, balance a range of risk portfolios, and compare the cost of risk exposure against the cost of mitigation or acceptance.
Responsibilities of the compliance Program Management Office and chief compliance and governance officers are expanding to oversight of the processes developed in enterprise risk management. Compliance and corporate governance needs are driving organizational changes and reskilling. Board members and senior executives are demanding better “control” over more timely corporate information throughout their organization.

7. Risk & Compliance Officers
What Keeps You Awake at Night?
DATA
Prison

8. GRC Requirements and Complexity Increase Across the Map
Records Retention
IT Governance
Financial Reporting Compliance
Workforce Governance
Data Privacy
Audit Management
Credit Risk Mgmt
Market Risk Mgmt
Operational Risk Mgmt
Strategic Alignment
Legal Discovery
Supply Chain Traceability
Service Level Compliance
Service
Finance
Sales & Mktg
Purchasing
Suppliers
Customers
Engineering
SOX
JSOX
FDA
Basel II
EU Directives
HIPAA
GLBA …
U.S.
Germany
Japan
U.K.
France
China
Canada
India
Manufacturing
Apps Server
Data Warehouse
Database
Mainframes
Enterprise Applications
Mobile Devices

9. Traditional Approach????

10. Integrated Risk & Compliance Framework
Capital Management/Basel II/Solvency II/BI
Dashboards
RAPM
Economic Capital
Risk Management HR
Market
Credit
Operational
ALM
Learning Management
Loss
Internal Controls & SOX
Actions
Process Mapping
RCSA
KRI / KCI
Documentation
Monitoring & Compliance
AML
Fraud
KYC/CDD
MiFID
Financial Control & Reporting
Core Financials
Budgeting & Planning BI
Enterprise Content Management
Records Management
Legal Discovery
Change Management
COBIT:Security, Identity & Data Management
Encryption
Audit
Segregation of Duties
Identity Mgmt
Master Data
Data Warehousing
BPEL Workflow Management

11. Governance, Risk & Compliance
People
Know Your Employee

12. Foster a Culture of Ethics and Excellence with Workforce Governance
Self-Paced Employee Learning
Ensure employees understand regulations and policies in most time- and cost-effective manner
Prove employee acknowledgment of accountability
Trust single source of authoritative information for policy and procedure reference
<Business Driver> Federal sentencing guidelines in the U.S. and corporate governance practices in the EU outline the importance of training all company employees on critical compliance and ethics standards. If we think back to the OCEG diagram for GRC, that essential concept of a culture for compliance is the essence of workforce governance.
<Need> Global organizations need to deliver standardized and up-to-date training on a variety of concerns where a heightened risk of improper conduct exist. These areas include for example, vendor relations, intellectual property, revenue recognition, sexual harassment, and so on. Companies must prove that employees have undertaken the training and demonstrate adequate understanding.
<Oracle’s Solution> Oracle’s enterprise-wide learning management system delivers targeted seminars, courses, and tests to employees online and on-demand. In this way, companies can significantly reduce training costs, ensure that staff are adequately and consistently trained in the latest GRC requirements, and monitor the results of the training. For example, if there is an area where employees consistently score low in terms of understanding, perhaps the policy needs to be simplified or the training material needs to be improved. With Oracle’s learning management system and policy and procedure portal, this insight can be fed back into the Compliance and Ethics Program Group for further optimization. Moreover, records showing employee sign-off on training programs provide evidence of employee acknowledgment and accountability.
Central Policy & Procedure Portal

13. Governance, Risk & Compliance
Processes

14. A Holistic GRC framework for:
SOX requires Identification of Risks and the management of Controls thru Assessments
RCSA - Operational Risk requires the Identification of Risks and the management of Controls thru Self Assessments
MiFID and RegNMS require Client Suitability and Transaction Surveillance
AML requires KYC and Transaction Surveillance
Fraud Detection Requires both Transaction Monitoring and Risk & Control Self Assessment
A Common Process understanding for Compliance and Operational Risk would be a first step to GRC convergence 14

15. GRC framework: Converging Requirements
AML
MiFiD
RegNMS
KYC
COBIT
Info Security
Audit
Internal Controls
Basel OR- AMA
Analytics & Reporting 
Capital Calculations
Attestations
Action Planning
Case Management
Behavior Detection
Controls Testing
RCSA
KRI
Events Management
Process Maps, Reference Data, Oversight Library
GRC Infrastructure
GRC Framework

16. Recent Incidents and possible lessons learned
Identifies the need for an independent Compliance monitoring system that can detect suspicious or irregular activity among all trades and orders in the organization.
Identifies danger of using in-house systems for Compliance monitoring
Identifies lack of adequate Surveillance and Behaviour Pattern Detection.
Good Risk management DOES NOT Equal Good COMPLIANCE
Identifies an ongoing need for Operational Risk to be more closely monitored and enforced within the financial organizations.
Near-Real-Time alert generation of potentially fraudulent behaviours, irregular behaviours, excessively large positions, and other suspicious patterns
An holistic view across all areas is required to provide transparency across multiple-asset classes and jurisdictions to avoid hidden P&L
Integrated GRC systems 16

17. The Police : Behaviour Detection Platform Overview
Reports & Analytical Tools
Compliance Monitoring
CONFLICTS OF INTEREST
BEST EXECUTION
TRADE TRANSPARENCY
Case Mgmt
Alert Management
Data Model & Behavior Detection
Data Ingestion

18. One Implementation Solves Many Problems
Change In Behaviour
High Risk Instructions
Wash Trades
Improvement
Price
Possible CTR
Hidden Networks
Rapid Mvt
Structuring
Network of Acco
High Risk Geo
Sanctions List
Insider Trading
Painting the Tape
Parking
ATM Fraud
Abusive
Squeezes
Trading Ahead
Jrnls Btwn Unrel.
300+ n
ENTERPRISE SURVEILLANCE
Fraud and Identity Theft
Trading Compl.
AML
OpRisk Key Indicators
Broker
Surveillance
Customer Cross Sales
Investment Manager
Surveillance
Best Ex
Cust
Suitabi.
BEHAVIOR DETECTION
PLATFORM
Behavior Detection Engines
Financial Services Data Model
(FSDM)
Workflow Manager
Scenario Development Toolkit
Data Ingestion
Global Retail Banking
Corresp. Banking
Global Private Banking
Global Fixed Income
Global Capital Markets
MBS
Retail Brokerage
Asset
Mgmt
Global Instl Brokerage
Global Liquidity
Global Wholesale
Integrated behavior detection solution

19. Enterprise Risk,Compliance & Performance Management
Databases
BI Dashboards
Analytics Server
Profitability /
Risk Engine
Data Warehouse
Managing Risk, Performance & Profitability Across the Enterprise
Profitability
Performance
Risk Management
Compliance
Example: SBA integration into OFSA to enable end to end customer profitability
Multi Dimensional Profitability
Customer Profitability Available to Front Office
Product and Branch Profitability
Activity Based Costing
Transfer Pricing
Planning & Budgeting
Performance Scorecards
Operational Cost Analysis
Risk Adjusted Performance Mgmt
Risk Assessment/ Quantification
Credit, Market & Operational Risk
Complete & Transparent Audit Trail
Asset/Liability Mgmt
Regulatory Compliance
Basel II
SOX
Anti-Money Laundering
Regulatory Reporting
Internal Controls Manager

20. COMPANY OVERVIEW
Fifth largest bank holding company in the US, based on assets under mgmt
Third-largest U.S. full-service brokerage firm, based on client assets under mgmt
$700 million in managed assets
110,000 employees
CUSTOMER PERSPECTIVE
"We have been extremely impressed with the ability to bring data together from disparate sources and make it easy to access and leverage across the organization.”
Brian Collins, Technical Sponsor
CHALLENGES / OPPORTUNITIES
Lack of a centralized view of Investment Bank Deposit, Loans, Product Fees, and Sales
GRC-related data from multiple, non-integrated data sources & applications
Time-consuming and labor-intensive core data management
Poor data quality and inadequate user satisfaction
RESULTS
Delivered role-based access to multiple data sources for Fixed Income, Treasury, and Investment Banking in 100 days
Provided over 300 key performance, risk and compliance metrics on a consolidated, real-time dashboard
Saved up to 80 hours each month with Automated Variance Analysis
Expects to increase cross sell and up sell revenue by 75%
SOLUTIONS
Business Intelligence (Analytics)
Reveleus Basel II

21. Customer Example Tier 2 Regional Bank, within US Top 25, 321 branches
Executive Dashboard
Products
Top Bottom
Reporting
Scorecard
RAROC
Profitability
Transactions
Role based dashboards driving insight from robust detail account level data containing statistical information, revenue, expense and derived calculations from a single source

23. Liquidity Risk Analytics

24. Compliance Alerts: Fraud, Rogue Trader, Market Abuse, AML24

25. Governance, Risk & Compliance
Platform

26. <Insert Picture Here>
Richard Thomas Information Commissioner Information Commissioners Office
"Business and public sector leaders must take their data protection obligations more seriously… privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers."
How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?

27. Information Risk Continues Unabated Information Security Becomes Part of Overarching GRC Strategy
50% of 1,000 executives polled said information technology is the most challenging area in achieving Sarbanes-Oxley 404 compliance
Source: KPMG 404 Institute, 2006
Key Message: There can be no accountability and integrity without information security
The second key driver that we’ve heard from customers with regards to GRC is in the area of information security. It’s probably safe to say that you or one of your friends and family has been a victim of a breach in information security. In my case for example, a laptop was stolen from the program office of my graduate school. That laptop contained unencrypted and sensitive information for all the students, including social security numbers, and as a consequence, I had to call all of my credit card companies and place a security alert for potential identity theft which lasted several months.
As one can imagine, the damage to the brand and reputation of an organization that suffers such a control failure, can be irreparable in terms of irate customers, patients, and constituents. Because of this, CIOs and CISOs (Chief Information Security Officers) now consider that the governance of security is part and parcel of a coherent risk management strategy. After all, how can you have accountability and integrity without information security?

28. Key GRC Foundation Components
Data Classification, Categorisation & Security
How customers’ use Oracle Label Security assign and protect sensitive or high risk data categories
How this can be extended to cater for non-oracle structured data
Identity & Access Management
How customers use Oracle Identity Manager, Oracle Access Manager, Oracle Risk Based Authentication and Oracle Role Manager, to attest, manage, control, provision and de-provision access to systems and data
Segregation of Duties Controls
How customers use Oracle database Vault to protect high risk data from the insider threat
Audit Controls
How customer use Oracle Audit Vault to ‘trust but verify’ access and changes to key data items

29. Integrated Risk & Compliance Framework
Capital Management/Basel II/Solvency II/BI
Dashboards
RAPM
Economic Capital
Risk Management HR
Market
Credit
Operational
ALM
Learning Management
Loss
Internal Controls & SOX
Actions
Process Mapping
RCSA
KRI / KCI
Documentation
Monitoring & Compliance
AML
Fraud
KYC/CDD
Trading
Financial Control & Reporting
Core Financials
Budgeting & Planning BI
Enterprise Content Management
Records Management
Legal Discovery
Change Management
COBIT:Security, Identity & Data Management
Encryption
Audit
Segregation of Duties
Identity Mgmt
Master Data
Data Vault
BPEL Workflow Management

30. C Level Objective