
11th September 2007, Dr Neil Dodgson, Director Risk and Compliance Solutions EMEA Financial Services


Presentation Transcript


  1. Governance, Risk & Compliance: Information Risk Management. 11th September 2007. Dr Neil Dodgson, Director Risk and Compliance Solutions EMEA Financial Services

  2. Safe Harbor Statement. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

  3. What Are the GRC Management Challenges? Enterprise-Wide Responsibility
  Stakeholders: CIO, Chief Compliance Officer (CCO), Chief Risk Officer (CRO), CFO / VP of Finance, CEO
  • Increasing efficiency & consistency of compliance processes
  • Reducing fees & regulatory actions by reducing compliance violations
  • Planning and oversight of compliance management resources
  • Identifying and implementing optimal detective & preventive controls
  • Reducing the total cost of GRC
  • Timely notification of control issues, material weaknesses and violations
  • Accurate & comprehensive information on financial results, compliance and audit
  • Balancing the range of enterprise risks
  • Evaluating business requirements and technical risk capabilities
  • Reducing organizational cost of risk exposure and cost of mitigation or acceptance
  • Ensuring auditable, secure information
  • Automating GRC information management
  • Eliminating multiple internal GRC solutions
  • Implementing an IT platform for GRC standardization, simplification & security

  4. Good GRC is Good Business: Executives Seek Returns from GRC Investment
  (Four charts; only their labels, figures and sources survive extraction.)
  Chart: Share-price performance of companies complying with SOX rules. Categories: reported control weakness 2004-05; no control weaknesses in 2004-05; control weakness in 2004 but none in 2005. Values shown: 28%, 26%, 6%. Source: Lord & Benoit, 2006.
  Chart: Price of a control deficiency for a $1 billion company: $10 million in higher cost of equity capital. Source: University of Wisconsin, 2006.
  Chart: Savings on legal liability avoidance from GRC investment: $1 of GRC cost against $5 of savings on lower legal liability. Source: General Counsel Roundtable, 2006.
  Chart: Opportunity cost of siloed GRC: spending on compliance versus resources for innovation as the number of GRC projects grows, ad hoc approach versus platform approach.

  5. Why Bother?

  6. Process & Technology Complexity Drives Costs
  (Chart: compliance costs rise with complexity.) Ad hoc approach: duplicate processes, controls, and systems; information silos. Strategic approach: standardized processes, controls, and systems; consolidated information.

  7. GRC: Under Pressure

  8. Risk & Compliance Officers: What Keeps You Awake at Night? (slide image: data, prison)

  9. Engineering IT Governance: GRC Requirements and Complexity Increase Across the Map
  Strategic alignment across jurisdictions: U.S., Germany, Japan, U.K., France, China, Canada, India
  Regulations and requirements: Records Retention, EU Directives, HIPAA, SOX, JSOX, FDA, Basel II, GLBA, MiFID, Data Privacy, Legal Discovery, Supply Chain Traceability, Service Level Compliance
  Functions and risk domains: Credit Risk Mgmt, Market Risk Mgmt, Operational Risk Mgmt, Sales & Mktg, Workforce Governance, Purchasing, Financial Reporting Compliance, Audit Management, Service, Finance, Manufacturing, Suppliers, Customers
  Technology stack: Apps Server, Data Warehouse, Enterprise Applications, Database, Mainframes, Mobile Devices

  10. Integrated Risk & Compliance Framework
  • Capital Management & Basel II: Dashboards, Economic Capital, RAPM
  • Risk Management: HR, Market, Credit, Operational, ALM, Learning Management, Loss
  • Internal Controls & SOX: Actions, RCSA, Process Mapping, KRI / KCI, Documentation
  • Monitoring & Compliance: KYC/CDD, AML, Fraud, MiFID
  • Financial Control & Reporting: Core Financials, Budgeting & Planning, BI
  • Enterprise Content Management: Records Management, Legal Discovery, Change Management
  • COBIT: Security, Identity & Data Management: Encryption, Audit, Segregation of Duties, Identity Mgmt
  • Data Warehousing, Master Data, BPEL Workflow Management

  11. GRC Solution: The Vision
  Cross-cutting services: Identity Management; Business Process Management & Workflow; Business Rules Management
  Upstream business process: Clients / Counterparties; Onboarding; Account Provisioning; Business Approval; Transform & Load
  Compliance: KYC / AML; Credit
  Data acquisition & distribution: Batch Load; Real-time Sync. & Query; Data Quality Management; Data Librarian
  Account Management Portal: Client / Counterparty / Account & Transaction Viewer
  Data management: Clients / Counterparties / Accounts; Application Integration; External Connectivity; Management Reporting
  Downstream business process domains (Order Mgmt, Trading, Risk Mgmt, Accnts etc.); Employees; Business Intelligence

  12. Integrated Risk & Compliance Framework (framework map from slide 10 repeated as a section divider)

  13. Ultimate Goal of GRC
  • Regulatory Reporting
  • Economic Capital v Regulatory Capital
  • Basel II
  • Solvency II
  • RAPM
  • RAROC
  • Risk Based Pricing
  • Profitability
  • MIS
  • Dashboards
  • Monitoring

  14. Enterprise Risk, Compliance & Performance Management: Managing Risk, Performance & Profitability Across the Enterprise
  Architecture: Databases; Data Warehouse; Analytics Server; Profitability / Risk Engine; BI Dashboards
  Profitability: • Multi Dimensional Profitability • Customer Profitability Available to Front Office • Product and Branch Profitability • Activity Based Costing • Transfer Pricing
  Performance: • Planning & Budgeting • Performance Scorecards • Operational Cost Analysis • Risk Adjusted Performance Mgmt
  Risk Management: • Risk Assessment/Quantification • Credit, Market & Operational Risk • Complete & Transparent Audit Trail • Asset/Liability Mgmt
  Compliance: • Regulatory Compliance • Basel II • SOX • Anti-Money Laundering • Regulatory Reporting • Internal Controls Manager

  15. Customer case study
  COMPANY OVERVIEW • Fifth largest bank holding company in the US, based on assets under mgmt • Third-largest U.S. full-service brokerage firm, based on client assets under mgmt • $700 million in managed assets • 110,000 employees
  CUSTOMER PERSPECTIVE: "We have been extremely impressed with the ability to bring data together from disparate sources and make it easy to access and leverage across the organization." Brian Collins, Technical Sponsor
  CHALLENGES / OPPORTUNITIES • Lack of a centralized view of Investment Bank Deposits, Loans, Product Fees, and Sales • GRC-related data from multiple, non-integrated data sources & applications • Time-consuming and labor-intensive core data management • Poor data quality and inadequate user satisfaction
  RESULTS • Delivered role-based access to multiple data sources for Fixed Income, Treasury, and Investment Banking in 100 days • Provided over 300 key performance, risk and compliance metrics on a consolidated, real-time dashboard • Saved up to 80 hours each month with Automated Variance Analysis • Expects to increase cross-sell and up-sell revenue by 75%
  SOLUTIONS • Business Intelligence (Analytics) • Reveleus Basel II

  16. Customer Example: Tier 2 Regional Bank, within US Top 25, 321 branches
  Reporting: Executive Dashboard; Top / Bottom Products; RAROC Scorecard; Profitability; Transactions
  Role-based dashboards driving insight from robust, detailed account-level data containing statistical information, revenue, expense and derived calculations from a single source

  17. Integrated Risk & Compliance Framework (framework map from slide 10 repeated as a section divider)

  18. The Credit Crunch

  19. FSIs: Compliance is Converging With Operational Risk
  • Operational Risk is emerging as the top risk management requirement in many FSIs
  • Credit and Market Risk functions are well seasoned in most FSIs, but Operational Risk is still at an early stage of emergence
  • Increasingly, Financial Services Institutions are articulating that an isolated view of compliance initiatives won’t pass muster
  • Financial Services Institutions are driving a rapid convergence of compliance with operational risk requirements
  • Clients are increasingly seeking a single solution spanning Operational Risk, Controls Management and General Compliance
  • Analysts are validating this trend
  • Vendors are migrating from silo “point” solutions to broader applications

  20. What are the analysts saying? Chartis Research, May 2007: Chartis forecasts that the worldwide Operational Risk Management (ORM) market will grow, fuelled by replacement of first-generation ORM systems, new markets for ORM systems and an increased focus on ORM as an initiative with strategic business benefits.

  21. Citigroup case study
  • Completeness of the solution framework: all RCSA approaches supported; full support for multiple regulations, internal controls and general compliance
  • Flexibility of the solution framework: multiple organizational arrangements supported concurrently; multiple process maps supported concurrently
  • Track record of performance: prior successes with Basel credit risk regulatory capital; scalability proof points
  • Solution designed for use by the end user: metadata-based solution architecture; highly configurable solution reduces IT burden
  • Open, flexible and scalable: open APIs (for data and metadata); industrial-strength technology with flexible deployment capability

  22. Integrated Risk & Compliance Framework (framework map from slide 10 repeated as a section divider)

  23. Is The GRC Landscape Interlinked? 2. COSO Internal Controls (1992) & ERM (2004) Integrated Frameworks
  (COSO ERM cube.) Objectives: Strategic, Operations, Reporting, Compliance. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Organisational levels: Entity-level, Division, Business Unit, Subsidiary.

  24. GRC framework: Overlapping Requirements GRC Framework

  25. COBIT (Plan and Organise domain)
  PO1 Define a Strategic IT Plan
  PO2 Define the Information Architecture: Data Dictionary, Data Classification, Data Integrity
  PO3 Determine Technological Direction
  PO4 Define the IT Processes, Organisation and Relationships: Risk, Security & Compliance
  PO5 Manage the IT Investment
  PO6 Communicate Management Aims and Direction
  PO7 Manage IT Human Resources
  PO8 Manage Quality
  PO9 Assess and Manage IT Risks: Governance, Assessment, Events, Controls, Action Planning
  PO10 Manage Projects

  26. Integrated KYC & AML: Continuous Feedback Loop. Integrated, Comprehensive Customer Monitoring:
  • Alerts are displayed to the KYC analyst to assist in risk assessment and consideration of past behavior
  • KYC risk ratings are used in AML monitoring to apply risk-appropriate thresholds
  • AML monitors transactions for the appearance of customer names that have been rejected, or for whom accounts have been closed, as a result of KYC reviews
  • Alerts generated by scenarios can be used to force more frequent or immediate customer reviews based on variations from expected behavior or suspicious behavior
  • Significant changes to customer or account information trigger KYC reviews
  Continuous, comprehensive monitoring
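The slide above describes the loop as a process, but the couplings it lists are precise enough to write down: the KYC rating selects the AML threshold, AML alerts and significant data changes pull the next KYC review forward, and accounts closed after a KYC review are watched for residual activity. The following Python is an added illustration written for this page, not Oracle's or Mantas's code; the thresholds, review intervals, scenario names and the sample customers and transactions are constructed assumptions, not regulatory figures.

```python
"""Risk-tiered transaction monitoring with a KYC feedback loop (illustrative, assumed values)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

# KYC rating -> single-cash-deposit threshold; higher risk means a tighter limit (assumed values).
CASH_THRESHOLD = {"low": 10_000, "medium": 5_000, "high": 2_500}
# KYC rating -> periodic review interval in days (assumed values).
REVIEW_INTERVAL_DAYS = {"low": 1095, "medium": 365, "high": 90}
# Customer attributes whose change is "significant" enough to trigger a review (assumed).
SIGNIFICANT_FIELDS = {"address", "beneficial_owner", "nationality", "source_of_funds"}


@dataclass
class Customer:
    cid: str
    kyc_rating: str                 # "low" | "medium" | "high"
    next_review: date
    status: str = "active"          # "rejected" = account closed after a KYC review
    alerts: list = field(default_factory=list)


@dataclass
class Txn:
    cid: str
    day: date
    amount: int
    kind: str                       # "cash_deposit" | "wire"


def cash_over_threshold(cust, txns):
    """Scenario 1: a single cash deposit at or above the customer's tier threshold."""
    thr = CASH_THRESHOLD[cust.kyc_rating]
    return [f"CASH_OVER_THRESHOLD:{t.amount}" for t in txns
            if t.kind == "cash_deposit" and t.amount >= thr]


def structuring(cust, txns, window_days=7, min_count=3):
    """Scenario 2: several deposits each just under the tier threshold inside a short window."""
    thr = CASH_THRESHOLD[cust.kyc_rating]
    near = sorted((t for t in txns
                   if t.kind == "cash_deposit" and 0.7 * thr <= t.amount < thr),
                  key=lambda t: t.day)
    for i, first in enumerate(near):
        in_window = [t for t in near[i:] if (t.day - first.day).days <= window_days]
        if len(in_window) >= min_count:
            return [f"STRUCTURING:{len(in_window)}x_under_{thr}"]
    return []


def activity_on_rejected(cust, txns):
    """Scenario 3: any activity for a customer whose account was closed after a KYC review."""
    return ["ACTIVITY_ON_REJECTED_CUSTOMER"] if cust.status == "rejected" and txns else []


SCENARIOS = (cash_over_threshold, structuring, activity_on_rejected)


def monitor(customers, txns, today):
    """Run every scenario per customer; a new alert pulls the next KYC review forward to today."""
    by_cust = defaultdict(list)
    for t in txns:
        by_cust[t.cid].append(t)
    for cust in customers.values():
        new = [a for scenario in SCENARIOS for a in scenario(cust, by_cust[cust.cid])]
        cust.alerts.extend(new)
        if new:
            cust.next_review = min(cust.next_review, today)
    return {c.cid: list(c.alerts) for c in customers.values()}


def record_kyc_review(cust, new_rating, today):
    """Analyst closes a review: the new rating re-tiers the AML thresholds and schedules the next review."""
    cust.kyc_rating = new_rating
    cust.next_review = today + timedelta(days=REVIEW_INTERVAL_DAYS[new_rating])


def customer_data_changed(cust, field_name, today):
    """A significant change to customer data triggers an immediate KYC review."""
    if field_name in SIGNIFICANT_FIELDS:
        cust.next_review = today


def run_demo():
    today = date(2007, 9, 11)
    customers = {
        "A": Customer("A", "low", date(2008, 1, 1)),
        "B": Customer("B", "high", date(2008, 1, 1)),
        "C": Customer("C", "medium", date(2008, 1, 1), status="rejected"),
    }
    # Constructed sample activity: A and B show the identical pattern; only their KYC tier differs.
    pattern = [(date(2007, 9, 1), 2300), (date(2007, 9, 3), 2200),
               (date(2007, 9, 5), 2400), (date(2007, 9, 8), 9500)]
    txns = [Txn(cid, d, amt, "cash_deposit") for cid in ("A", "B") for d, amt in pattern]
    txns.append(Txn("C", date(2007, 9, 6), 100, "wire"))
    alerts = monitor(customers, txns, today)
    record_kyc_review(customers["B"], "high", today)           # analyst confirms the high rating
    customer_data_changed(customers["A"], "beneficial_owner", today)
    return alerts, customers


if __name__ == "__main__":
    for cid, found in run_demo()[0].items():
        print(cid, found)
```

Running it shows the point of tiering: the same four deposits raise nothing for the low-risk customer A but both a threshold breach and a structuring alert for high-risk customer B, whose review is pulled forward to the current day; the rejected customer C is flagged on a single small wire. Note that `monitor` evaluates the full access picture per customer rather than each transaction in isolation, which is what lets the structuring scenario work at all.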

  27. Regulations, Drivers, Best Practices & Frameworks, General Compliance
  (Matrix slide: three driver columns share the same functional rows.) Drivers: Basel II AMA; SOX - COBIT; Best Practices & General Compliance.
  Rows: Transparency, Oversight & Capital Calculations (Basel II AMA) / Internal Controls & Financial Reporting (SOX - COBIT); Management & Regulatory Reporting; Economic Capital Calculations & Reporting; Risk Mitigation & Independent Validation; Action Planning, Risk Transfer Mechanisms; Testing and Audit.
  Functional components: Risk & Control libraries; Risk & Control Self Assessment; KRI; Loss Collection; Scenarios.
  Common Operational Risk Infrastructure & Definitions: Administration, Security, Workflow, Notifications.
  Existing bank data assets/sources serving Basel II, SOX, COBIT, Best Practices & General Compliance.

  28. Integrated Risk & Compliance Framework (framework map from slide 10 repeated as a section divider)

  29. The Police: Behaviour Detection Platform Overview
  Layers, as listed on the slide: Reports & Analytical Tools; Compliance Monitoring (Conflicts of Interest, Best Execution, Trade Transparency); Case Mgmt; Alert Management; Data Model & Behavior Detection; Data Ingestion

  30. Mantas’ Developers Toolkit enables firms to modify or develop detection scenarios on their own to meet changing business requirements.

  31. Monitoring Workspace (screenshot)

  32. Integrated Risk & Compliance Framework (framework map from slide 10 repeated as a section divider)

  33. Richard Thomas, Information Commissioner, Information Commissioner's Office: "Business and public sector leaders must take their data protection obligations more seriously… privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers." How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each other's forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured, in non-confidential waste bags?

  34. Information Risk Continues Unabated: Information Security Becomes Part of the Overarching GRC Strategy. 50% of 1,000 executives polled said information technology is the most challenging area in achieving Sarbanes-Oxley 404 compliance.

  35. IT Governance, Risk, and Compliance Insight
  • Ensure information reliability with content security, records retention, and identity management
  • Protect information assets across the entire technology stack
  • Enforce best-practice segregation of duties, configuration and change management procedures
  Processes: Risk & Compliance Mgmt; Controls Management; Policy Mgmt; Industry Specific Risk & Control Intelligence
  Applications: Oracle, SAP, Custom, Legacy, Other
  Operational Intelligence and Infrastructure Services: Content Mgmt; Identity Mgmt; Change Mgmt; Data Security; Data Audit; Performance Management Repository

  36. Enterprise Identity Management
  Users: External (Customers, Partners) and Internal (IT Staff, Employees), reaching the service through SOA applications and delegated admin
  Identity Management Service:
  • Access Management: Authentication & SSO; Authorization & RBAC; Identity Federation
  • Identity Administration: Delegated Administration; Self-Registration & Self-Service; User & Group Management
  • Directory Services: LDAP Directory; Meta-Directory; Virtual Directory
  • Identity Provisioning: Agent-based; Agentless; Password Synchronization
  • Cross-cutting: Auditing and Reporting; Monitoring and Management; Policy and Workflow
  Applications, Systems & Repositories provisioned: ERP, CRM, OS (Unix), HR, Mainframe, NOS/Directories
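Slides 35 and 36 put segregation of duties (SoD) next to identity provisioning and RBAC, but neither says what the control actually evaluates. The practical point is that an SoD check must run over the identity's entitlements after the grant, with nested roles expanded, not over the requested role by itself; otherwise a role that is toxic only in combination with what the user already holds, or a composite role that is toxic on its own, slips through. The Python below is an added example written for this page, not Oracle Identity Management's engine or rule set; the role model, the entitlement names and the three SoD rules are constructed assumptions.

```python
"""Segregation-of-duties check at provisioning time (illustrative, assumed role model)."""

# Role -> entitlements it carries directly, plus roles it includes (assumed model).
ROLE_DEFS = {
    "ap_clerk":     {"entitlements": {"vendor.create", "invoice.enter"}, "includes": set()},
    "ap_approver":  {"entitlements": {"invoice.approve"},                "includes": set()},
    "treasury_ops": {"entitlements": {"payment.release"},                "includes": set()},
    "ap_manager":   {"entitlements": {"vendor.edit"}, "includes": {"ap_clerk", "ap_approver"}},
    "dba":          {"entitlements": {"db.admin"},                       "includes": set()},
    "hr_viewer":    {"entitlements": {"hr.read"},                        "includes": set()},
}

# Toxic combinations (assumed): no single identity may hold both entitlements.
SOD_RULES = [
    ("SOD-01", "vendor.create", "payment.release", "create a vendor and pay it"),
    ("SOD-02", "invoice.enter", "invoice.approve", "enter and approve the same invoice"),
    ("SOD-03", "db.admin", "hr.read", "administer the database and read HR data"),
]


def expand(roles, defs=ROLE_DEFS):
    """Flatten nested roles into the full entitlement set (cycle-safe)."""
    seen, ents, stack = set(), set(), list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        ents |= defs[role]["entitlements"]
        stack.extend(defs[role]["includes"])
    return ents


def violations(entitlements, rules=SOD_RULES):
    """Every rule whose two sides are both present in the entitlement set."""
    return [(rid, a, b, why) for rid, a, b, why in rules
            if a in entitlements and b in entitlements]


def check_request(current_roles, requested_role, mitigations=()):
    """Preventive control: evaluate the identity's access *after* the grant.

    Returns (decision, new_violations). A violation whose rule id is in `mitigations`
    (an approved compensating control, e.g. independent review of that user's invoices)
    is still reported, but downgrades the decision to "approve_with_mitigation".
    """
    before = violations(expand(current_roles))
    after = violations(expand(set(current_roles) | {requested_role}))
    new = [v for v in after if v not in before]
    if not new:
        return "approve", []
    unmitigated = [v for v in new if v[0] not in mitigations]
    return ("reject" if unmitigated else "approve_with_mitigation"), new


def detective_scan(assignments):
    """Detective control: re-run the rules over all existing assignments to find latent conflicts
    (e.g. a composite role that became toxic when someone edited its membership)."""
    found = {user: violations(expand(roles)) for user, roles in assignments.items()}
    return {user: v for user, v in found.items() if v}


if __name__ == "__main__":
    print(check_request({"ap_clerk"}, "treasury_ops"))                      # reject, SOD-01
    print(check_request({"ap_clerk"}, "ap_approver", mitigations={"SOD-02"}))
    print(check_request({"ap_clerk"}, "hr_viewer"))                         # approve
    print(detective_scan({"carol": {"ap_manager"}, "dave": {"hr_viewer"}}))  # carol: SOD-02
```

The `ap_manager` case is the one to watch: it carries no conflicting entitlement directly, yet expanding its included roles shows it grants both sides of SOD-02, so the detective scan flags anyone holding it even though no provisioning request ever paired `ap_clerk` with `ap_approver` explicitly.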

  37. Database Vault: Security Realms; Multi-Factor Authorization; Reports; Separation of Duty; Audit; Command Rules

  38. Authentication. Mutual authentication via personalized images. Virtual Authenticator devices protect passwords, PINs, and challenge questions against key loggers, man-in-the-middle attacks and OCR programs; the placement of the authenticators in the browser is controlled and randomized. One caveat a practitioner should keep in mind: a personalized image shown before the password is entered proves only that the site can look up the user's chosen image, and an active phishing proxy that relays the user's first step to the real site can fetch and display that same image, so the scheme on its own does not defeat a man-in-the-middle.

  39. Governance, Risk & Compliance
  • Comprehensive GRC process management controls costs and risks
    • Reduce costs and complexity by managing multiple compliance requirements with one platform
    • Leverage a single source of information across all departments and locations
    • Automate testing, auditing and reporting in an integrated environment
  • Secure GRC infrastructure protects your resources
    • Mitigate and manage risk with integrated information access, monitoring, and control capabilities
    • Protect your enterprise with secure information across applications
    • Centrally manage segregation of duties and role-based changes across systems
  • Integrated business insight enforces accountability
    • Improve governance with timely compliance, risk and performance management information & applications
    • Increase performance with real-time communication and collaboration
    • Streamline visibility across workflows and user responsibilities with integrated business process and access management
