slide1

Governance, Risk & Compliance

Information Risk Management

11th September 2007

Dr Neil Dodgson

Director Risk and Compliance Solutions

EMEA Financial Services

safe harbor statement
Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decision. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

what are the grc management challenges enterprise wide responsibility
What Are the GRC Management Challenges? Enterprise-Wide Responsibility

Roles shown on the slide: CIO, Chief Compliance Officer (CCO), Chief Risk Officer (CRO), CFO / VP of Finance, CEO

  • Increasing efficiency & consistency of compliance processes
  • Reducing fees & regulatory actions by reducing compliance violations
  • Planning and oversight of compliance management resources
  • Identifying and implementing optimal detective & preventive controls
  • Reducing the total cost of GRC
  • Timely notification of control issues, material weaknesses and violations
  • Accurate & comprehensive information on financial results, compliance and audit
  • Balancing the range of enterprise risks
  • Evaluating business requirements and technical risk capabilities
  • Reducing organizational cost of risk exposure and cost of mitigation or acceptance
  • Ensuring Auditable, secure information
  • Automating GRC information management
  • Eliminating multiple internal GRC solutions
  • Implementing IT platform for GRC standardization, simplification & security
good grc is good business executives seek returns from grc investment
Good GRC is Good Business: Executives Seek Returns from GRC Investment

Charts on the slide (only the labels survive extraction):

  • Share-price performance of companies complying with SOX rules, comparing three groups: reported control weakness 2004-05; no control weaknesses in 2004-05; control weakness in 2004 but none in 2005. Values shown: 28%, 26%, 6%. Source: Lord & Benoit, 2006.
  • Price of a control deficiency for a $1 billion company: $10 million in higher cost of equity capital. Source: University of Wisconsin, 2006.
  • Savings on legal liability avoidance from GRC investment: cost of GRC $1 against savings on lower legal liability $5. Source: General Counsel Roundtable, 2006.
  • Opportunity cost of siloed GRC: spending on compliance versus resources for innovation, plotted against the number of GRC projects, for an ad hoc approach versus a platform approach.

process technology complexity drives costs
Process & Technology Complexity Drives Costs

Chart (only the labels survive): compliance costs plotted against complexity. Ad hoc approach: duplicate processes, controls, and systems; information silos. Strategic approach: standardized processes, controls, and systems; consolidated information.

slide8

Risk & Compliance Officers: What Keeps You Awake at Night? (image slide; the visible labels are DATA and Prison)

grc requirements and complexity increase across the map
GRC Requirements and Complexity Increase Across the Map

World-map slide (only the labels survive):

  • Countries: U.S., Germany, Japan, U.K., France, China, Canada, India
  • Regulations and requirements: EU Directives, HIPAA, SOX, JSOX, FDA, Basel II, GLBA, MiFID, Records Retention, Data Privacy, Legal Discovery, Financial Reporting Compliance, Audit Management, Service Level Compliance, Supply Chain Traceability
  • Risk and governance disciplines: Credit Risk Mgmt, Operational Risk Mgmt, Market Risk Mgmt, Workforce Governance, IT Governance, Strategic Alignment
  • Business functions: Engineering, Sales & Mktg, Purchasing, Service, Finance, Manufacturing, Suppliers, Customers
  • Technology layers: Apps Server, Data Warehouse, Enterprise Applications, Database, Mainframes, Mobile Devices


integrated risk compliance framework
Integrated Risk & Compliance Framework

Blocks shown on the framework diagram:

  • Capital Management & Basel II: Dashboards, Economic Capital, RAPM
  • Risk Management: Market, Credit, Operational, ALM, Loss
  • HR: Learning Management
  • Internal Controls & SOX: Actions, RCSA, Process Mapping, KRI / KCI, Documentation
  • Monitoring & Compliance: KYC/CDD, AML, Fraud, MiFID
  • Financial Control & Reporting: Core Financials, Budgeting & Planning, BI
  • Enterprise Content Management: Records Management, Legal Discovery, Change Management
  • COBIT: Security, Identity & Data Management: Encryption, Audit, Segregation of Duties, Identity Mgmt, Data Warehousing, Master Data
  • BPEL Workflow Management (underpinning layer)


grc solution the vision
GRC Solution: The Vision

Architecture diagram (only the labels survive):

  • Actors: Clients / Counterparties; Employees
  • Upstream business process: Onboarding, Account Provisioning, Business Approval, Compliance KYC / AML, Credit, Account Management
  • Platform services: Identity Management; Business Process Management & Workflow; Business Rules Management; Data Acquisition & Distribution (Transform & Load, Batch Load, Real-time Sync. & Query); Data Quality Management; Data Management for Clients / Counterparties / Accounts; Application Integration; External Connectivity; Data Librarian Management; Reporting; Business Intelligence
  • Portal: Client / Counterparty / Account & Transaction Viewer
  • Downstream Business Process Domains (Order Mgmt, Trading, Risk Mgmt, Accnts etc.)
integrated risk compliance framework1
Integrated Risk & Compliance Framework (section divider; the same framework diagram as the first Integrated Risk & Compliance Framework slide)


ultimate goal of grc
Ultimate Goal of GRC
  • Regulatory Reporting
  • Economic Capital v Regulatory Capital
  • Basel II
  • Solvency II
  • RAPM
  • RAROC
  • Risk Based Pricing
  • Profitability
  • MIS
  • Dashboards
  • Monitoring
enterprise risk compliance performance management
Enterprise Risk, Compliance & Performance Management

Managing Risk, Performance & Profitability Across the Enterprise

Architecture shown: Databases and a Data Warehouse feed an Analytics Server (Profitability / Risk Engine) that drives BI Dashboards across four areas: Compliance, Performance, Risk Management, Profitability.

  • Multi Dimensional Profitability
  • Customer Profitability Available to Front Office
  • Product and Branch Profitability
  • Activity Based Costing
  • Transfer Pricing
  • Planning & Budgeting
  • Performance Scorecards
  • Operational Cost Analysis
  • Risk Adjusted Performance Mgmt
  • Risk Assessment/Quantification
  • Credit, Market & Operational Risk
  • Complete & Transparent Audit Trail
  • Asset/Liability Mgmt
  • Regulatory Compliance
  • Basel II
  • SOX
  • Anti-Money Laundering
  • Regulatory Reporting
  • Internal Controls Manager
slide15

COMPANY OVERVIEW

  • Fifth largest bank holding company in the US, based on assets under mgmt
  • Third-largest U.S. full-service brokerage firm, based on client assets under mgmt
  • $700 million in managed assets
  • 110,000 employees

CUSTOMER PERSPECTIVE

"We have been extremely impressed with the ability to bring data together from disparate sources and make it easy to access and leverage across the organization."

Brian Collins, Technical Sponsor

CHALLENGES / OPPORTUNITIES

  • Lack of a centralized view of Investment Bank Deposit, Loans, Product Fees, and Sales
  • GRC-related data from multiple, non-integrated data sources & applications
  • Time-consuming and labor-intensive core data management
  • Poor data quality and inadequate user satisfaction

RESULTS

  • Delivered role-based access to multiple data sources for Fixed Income, Treasury, and Investment Banking in 100 days
  • Provided over 300 key performance, risk and compliance metrics on a consolidated, real-time dashboard
  • Saved up to 80 hours each month with Automated Variance Analysis
  • Expects to increase cross sell and up sell revenue by 75%

SOLUTIONS

  • Business Intelligence (Analytics)
  • Reveleus Basel II
slide17

Customer Example: Tier 2 Regional Bank, within US Top 25, 321 branches

Dashboard screenshots (only the labels survive): Reporting, Executive Dashboard, Top/Bottom Products, RAROC, Scorecard, Profitability, Transactions.

Role-based dashboards driving insight from robust detail account-level data containing statistical information, revenue, expense and derived calculations from a single source.

integrated risk compliance framework2
Integrated Risk & Compliance Framework (section divider; the same framework diagram as the first Integrated Risk & Compliance Framework slide)


fsi s compliance is converging with operational risk
FSIs: Compliance is Converging With Operational Risk
  • Operational Risk is emerging as the top risk management requirement in many FSIs
  • Credit and Market Risk functions are well seasoned in most FSIs, but Operational Risk is still at early stage of emergence
  • Increasingly, Financial Services Institutions are articulating that an isolated view of compliance initiatives won’t pass muster
  • Financial Services Institutions are driving a rapid convergence of compliance with operational risk requirements
  • Clients increasingly seeking a single solution spanning Operational Risk, Controls Management, General Compliance
  • Analysts are validating this trend
  • Vendors migrating from silo “point” solutions to broader applications
slide22

What are the analysts saying?

Chartis Research May 2007

Chartis forecast that the worldwide Operational Risk Management (ORM) market will grow fuelled by replacement of first generation ORM systems, new markets for ORM systems and increased focus on ORM as an initiative with strategic business benefits

citigroup case study
Citigroup case study
  • Completeness of Solution Framework
    • All RCSA approaches supported
    • Full support for Multiple Regulations, Internal Controls, General compliance
  • Flexibility of the Solution Framework
    • Multiple Organizational arrangements supported concurrently
    • Multiple Process Maps supported concurrently
  • Track record of performance
    • Prior successes with BASEL Credit Risk regulatory capital
    • Scalability proof points
  • Solution designed for use by the end-user
    • Metadata based solution architecture
    • Highly configurable solution reduces IT burden
  • Open, flexible and scalable
    • Open APIs (for data and metadata)
    • Industrial strength technology with flexible deployment capability
integrated risk compliance framework3
Integrated Risk & Compliance Framework (section divider; the same framework diagram as the first Integrated Risk & Compliance Framework slide)


slide25

Is The GRC Landscape Interlinked?

2. COSO Internal Controls (1992) & ERM (2004) Integrated Frameworks

COSO ERM cube as shown on the slide (only the labels survive):

  • Objectives (top face): Strategic, Operations, Reporting, Compliance
  • Components (front face): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring
  • Organisational levels (side face): Entity-Level, Division, Business Unit, Subsidiary


cobit
COBIT

PO1 Define a Strategic IT Plan

PO2 Define the Information Architecture - Data Dictionary, Data Classification, Data Integrity

PO3 Determine Technological Direction

PO4 Define the IT Processes, Organisation and Relationships – Risk, Security & Compliance

PO5 Manage the IT Investment

PO6 Communicate Management Aims and Direction

PO7 Manage IT Human Resources

PO8 Manage Quality

PO9 Assess and Manage IT Risks – Governance, Assessment, Events, Controls, Action Planning

PO10 Manage Projects

integrated kyc aml continuous feedback loop
Integrated KYC & AML: Continuous Feedback Loop

Integrated Comprehensive Customer Monitoring:

  • Alerts displayed to KYC analyst to assist in risk assessment and consideration of past behavior
  • KYC Risk ratings used in AML monitoring to apply risk-appropriate thresholds
  • AML monitors transactions for the appearance of customers names that have been rejected or for whom accounts have been closed as a result of KYC reviews
  • Alerts generated by scenarios can be used to force more frequent or immediate customer reviews based on variations from expected behavior or suspicious behavior
  • Significant changes to Customer or Account information trigger KYC reviews

Label on the cycle diagram: Continuous, Comprehensive Monitoring
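The feedback loop in the bullets above, written out as a small in-memory model. This is an added example, not Oracle's or Mantas' code; the risk-rating thresholds, the list of "significant" customer fields, the scenario names and the customers and transactions are all constructed for illustration. It shows the four couplings the slide names: the KYC rating selects the AML threshold, AML alerts force an earlier KYC review, names rejected or closed by KYC go onto the AML watch list, and a significant change to customer data triggers a review.

```python
"""Added example (not Oracle's or Mantas' code): KYC/AML feedback loop as an in-memory model.
All thresholds, field names, customers and transactions below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Transaction alert thresholds by KYC risk rating (constructed values, an assumption):
# the higher the rating, the lower the amount that raises an alert.
THRESHOLDS = {"low": 50_000, "medium": 20_000, "high": 5_000}

# Customer attributes whose change is significant enough to force a KYC review (assumption).
SIGNIFICANT_FIELDS = {"name", "country", "beneficial_owner"}

Alert = Tuple[str, str]  # (scenario name, human-readable detail)


@dataclass
class Customer:
    cid: str
    name: str
    country: str
    kyc_rating: str                  # "low" | "medium" | "high"
    beneficial_owner: str = ""
    status: str = "active"           # "active" | "rejected" | "closed"
    review_due: bool = False         # set by AML alerts and by significant data changes
    alerts: List[Alert] = field(default_factory=list)


Book = Dict[str, Customer]


def blocked_names(book: Book) -> set:
    """Names of customers rejected or closed by KYC review; AML watches transactions for them."""
    return {c.name.casefold() for c in book.values() if c.status in ("rejected", "closed")}


def screen_transaction(book: Book, cid: str, amount: float, counterparty: str) -> List[Alert]:
    """AML side: apply the risk-appropriate threshold and the rejected/closed-name check.
    Any alert is attached to the customer and forces an earlier KYC review."""
    cust = book[cid]
    limit = THRESHOLDS[cust.kyc_rating]
    alerts: List[Alert] = []
    if amount > limit:
        alerts.append(("over_threshold",
                       f"{amount:.2f} exceeds {limit} for a {cust.kyc_rating}-risk customer"))
    if counterparty.casefold() in blocked_names(book):
        alerts.append(("blocked_counterparty",
                       f"counterparty {counterparty!r} was rejected or closed by KYC"))
    if alerts:
        cust.alerts.extend(alerts)
        cust.review_due = True
    return alerts


def update_customer(book: Book, cid: str, **changes) -> bool:
    """KYC side: a significant change to customer data triggers a review. Returns review_due."""
    cust = book[cid]
    for name, value in changes.items():
        setattr(cust, name, value)
    if SIGNIFICANT_FIELDS & set(changes):
        cust.review_due = True
    return cust.review_due


def kyc_review(book: Book, cid: str, new_rating: str, close_account: bool = False) -> List[Alert]:
    """KYC analyst reviews the customer with past AML alerts in view, sets the new rating
    (which changes the AML threshold from now on) and may close the account (which puts
    the name on the AML watch list). Returns the alert history shown to the analyst."""
    cust = book[cid]
    history = list(cust.alerts)
    cust.kyc_rating = new_rating
    if close_account:
        cust.status = "closed"
    cust.review_due = False
    return history


def demo() -> Dict:
    """Walk the loop once with constructed customers and transactions."""
    book: Book = {
        "C1": Customer("C1", "Alice Example", "GB", "low"),
        "C2": Customer("C2", "Bob Example", "GB", "medium"),
        "C3": Customer("C3", "Shell Co Example", "XX", "high", status="rejected"),
    }
    a1 = screen_transaction(book, "C1", 30_000, "Some Supplier")    # low risk, under 50k: clean
    a2 = screen_transaction(book, "C2", 30_000, "Some Supplier")    # medium risk, over 20k: alert
    a3 = screen_transaction(book, "C1", 1_000, "Shell Co Example")  # pays a KYC-rejected name: alert
    history = kyc_review(book, "C1", "high")                         # analyst sees a3, raises rating
    a4 = screen_transaction(book, "C1", 6_000, "Some Supplier")     # now over the 5k high-risk limit
    c2_due = update_customer(book, "C2", country="XX")               # significant change: review due
    return {"a1": a1, "a2": a2, "a3": a3, "history": history, "a4": a4,
            "c2_review_due": c2_due, "book": book}


if __name__ == "__main__":
    for key, value in demo().items():
        if key != "book":
            print(key, value)
```

The point to notice in demo() is the second screening of C1: the same customer that passed at 30,000 is alerted at 6,000 once the KYC review has raised the rating, which is the "risk-appropriate thresholds" coupling; and the review itself was forced by an AML alert, not by a calendar.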

basel ii sox cobit best practices general compliance
Basel II, SOX, COBIT, Best Practices & General Compliance

Layered diagram (only the labels survive), with three columns: BASEL II AMA; SOX - COBIT; Best Practices & Frameworks, General Compliance.

  • Regulations, Drivers: Transparency, Oversight & Capital Calculations (Basel II AMA column); Internal Controls & Financial Reporting (SOX - COBIT column)
  • Management & Regulatory Reporting, and Economic Capital Calculations & Reporting (each shown under two of the columns)
  • Risk Mitigation & Independent Validation: Action Planning, Risk Transfer Mechanisms; Testing and Audit (shown under all three columns)
  • Functional Components: Risk & Control libraries, Risk & Control Self Assessment, KRI, Loss Collection, Scenarios
  • Common Operational Risk Infrastructure & Definitions
  • Administration, Security, Workflow, Notifications
  • Existing Bank Data Assets/Sources
integrated risk compliance framework4
Integrated Risk & Compliance Framework (section divider; the same framework diagram as the first Integrated Risk & Compliance Framework slide)


the police behaviour detection platform overview
The Police: Behaviour Detection Platform Overview

Platform layers as listed on the slide: Reports & Analytical Tools; Compliance Monitoring (Conflicts of Interest, Best Execution, Trade Transparency); Case Mgmt; Alert Management; Data Model & Behavior Detection; Data Ingestion.


mantas developers toolkit
Mantas’ Developers Toolkit

Enables firms to modify or develop scenarios on their own to meet dynamic business requirements

integrated risk compliance framework5
Integrated Risk & Compliance Framework (section divider; the same framework diagram as the first Integrated Risk & Compliance Framework slide)


slide35

Richard Thomas, Information Commissioner, Information Commissioner's Office:

"Business and public sector leaders must take their data protection obligations more seriously… privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers."

How can laptops holding details of customer accounts be used away from the office without strong encryption? How can millions of store cards fall into the wrong hands? How can online recruitment allow applicants to see each others’ forms? How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured in non-confidential waste bags?

information risk continues unabated information security becomes part of overarching grc strategy
Information Risk Continues Unabated: Information Security Becomes Part of Overarching GRC Strategy

50% of 1,000 executives polled said information technology is the most challenging area in achieving Sarbanes-Oxley 404 compliance
it governance risk and compliance
IT Governance, Risk, and Compliance

Stack shown on the slide:

  • Insight: Risk & Control Intelligence; Operational Intelligence
  • Processes: Risk & Compliance Mgmt; Controls Management; Policy Mgmt; Industry Specific
  • Applications: Oracle, SAP, Custom, Legacy, Other
  • Infrastructure Services: Content Mgmt; Identity Mgmt; Change Mgmt; Data Security; Data Audit; Performance Management; Repository

  • Ensure information reliability with content security, records retention, and identity management
  • Protect information assets across the entire technology stack
  • Enforce best-practice segregation of duties, configuration and change management procedures


enterprise identity management
Enterprise Identity Management

Identity Management Service, serving external users (Customers, Partners), internal users (IT Staff, Employees, with Delegated Admin) and SOA Applications:

  • Access Management: Authentication & SSO; Authorization & RBAC; Identity Federation
  • Identity Administration: Delegated Administration; Self-Registration & Self-Service; User & Group Management
  • Directory Services: LDAP Directory; Meta-Directory; Virtual Directory
  • Identity Provisioning: Agent-based; Agentless; Password Synchronization
  • Cross-cutting: Auditing and Reporting; Monitoring and Management; Policy and Workflow

Target applications, systems & repositories: ERP, CRM, OS (Unix), HR, Mainframe, NOS/Directories
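The deck names Authorization & RBAC and Identity Provisioning here, and segregation of duties as a control elsewhere (COBIT block, IT GRC slide, closing slide). The following added example, which is not Oracle's code, shows how the two meet: a provisioning request is checked against a segregation-of-duties matrix before the role is granted, and the same check is run as a detective control over everyone already provisioned across systems. The role catalogue, entitlement names and toxic combinations are constructed for illustration; the "ERP:" and "CRM:" prefixes stand for the systems a role lives in.

```python
"""Added example (not Oracle's code): segregation-of-duties check on role provisioning.
The role catalogue, entitlement names and SoD matrix are constructed for illustration."""
from typing import Dict, List, Set, Tuple

# Role catalogue across two systems (constructed): "SYSTEM:ROLE" -> entitlements granted.
ROLE_CATALOGUE: Dict[str, Set[str]] = {
    "ERP:AP_CLERK":    {"vendor.create", "invoice.enter"},
    "ERP:AP_APPROVER": {"invoice.approve"},
    "ERP:TREASURY":    {"payment.release"},
    "ERP:AUDITOR":     {"ledger.read"},
    "CRM:SALES":       {"customer.read", "customer.update"},
}

# SoD matrix (constructed): entitlement sets no single person may hold, with the reason.
SOD_RULES: List[Tuple[Set[str], str]] = [
    ({"vendor.create", "payment.release"}, "create a vendor and release payment to it"),
    ({"invoice.enter", "invoice.approve"}, "enter and approve the same invoice"),
    ({"invoice.approve", "payment.release"}, "approve an invoice and release its payment"),
]


def entitlements(roles: List[str]) -> Set[str]:
    """Union of entitlements over roles from every system; unknown roles are an error,
    not silently ignored, because an unresolvable role would hide a conflict."""
    ents: Set[str] = set()
    for role in roles:
        if role not in ROLE_CATALOGUE:
            raise KeyError(f"unknown role {role!r}")
        ents |= ROLE_CATALOGUE[role]
    return ents


def sod_conflicts(roles: List[str]) -> List[str]:
    """Reasons for every toxic combination fully contained in the user's entitlements."""
    ents = entitlements(roles)
    return [reason for toxic, reason in SOD_RULES if toxic <= ents]


def evaluate_request(current_roles: List[str], requested_role: str) -> Dict:
    """Preventive control at provisioning time: approve only if the new role introduces
    no conflict. Pre-existing conflicts are reported but do not block unrelated requests."""
    before = sod_conflicts(current_roles)
    after = sod_conflicts(list(current_roles) + [requested_role])
    new = [reason for reason in after if reason not in before]
    return {"role": requested_role, "approved": not new,
            "new_conflicts": new, "existing_conflicts": before}


def audit_assignments(assignments: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Detective control: re-check everyone already provisioned, across all systems,
    and return only the users who hold a toxic combination."""
    findings: Dict[str, List[str]] = {}
    for user, roles in assignments.items():
        conflicts = sod_conflicts(roles)
        if conflicts:
            findings[user] = conflicts
    return findings


if __name__ == "__main__":
    print(evaluate_request(["ERP:AP_CLERK"], "ERP:TREASURY"))
    print(audit_assignments({"u1": ["ERP:AP_CLERK", "ERP:AP_APPROVER"], "u2": ["CRM:SALES"]}))
```

Because the check is on entitlements rather than role names, a conflict is still caught when the two halves of a toxic pair come from roles in different systems, which is the "across systems" point the closing slide makes; a check keyed on role names within one application would miss it.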

database vault security
Database Vault Security

Components shown: Realms; Multi-Factor Authorization; Reports; Separation of Duty; Audit; Command Rules.


authentication
Authentication

Mutual authentication via personalized images: the user checks for a pre-chosen image before entering credentials, so a site that cannot show it is exposed as a look-alike

Virtual authenticator devices (on-screen keypads) protect passwords, PINs, and challenge questions against key loggers and screen-scraping OCR programs; combined with the personalized image they are aimed at man-in-the-middle phishing sites

Control & randomize placement of authenticators in the browser, so that a recorded click position does not reveal the key entered

governance risk compliance
Governance, Risk & Compliance
  • Comprehensive GRC process management controls costs and risks
      • Reduce costs and complexity by managing multiple compliance requirements with one platform
      • Leverage a single source of information across all departments and locations
      • Automate testing, auditing and reporting in an integrated environment
  • Secure GRC infrastructure protects your resources
      • Mitigate and manage risk with integrated information access, monitoring, and control capabilities
      • Protect your enterprise with secure information across applications
      • Centrally manage segregation of duties and role-based changes across systems
  • Integrated business insight enforces accountability
      • Improve governance with timely compliance, risk and performance management information & applications
      • Increase performance with real-time communication and collaboration
      • Streamline visibility across workflows and user responsibilities with integrated business process and access management