GRC Governance Risk and Compliance in Oracle - Overview


Governance, Risk, and Compliance Application Suite

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Oracle At-a-Glance

Founded in 1977. Headquarters in Redwood Shores, CA with operations in 145 countries.

• 275,000 total customers
• 220,000 database customers
• 30,000 applications customers
• 19,000 SMB apps customers
• 30,000 middleware customers
• 17,700 partners
• 60,000 employees
• 14,000 developers
• 7,000 support staff

Globally…
• #1 in Database
• #1 in Supply Chain Mgmt
• #1 in Customer Relationship Mgmt
• #1 in Human Capital Mgmt
• #1 in Industries
  - Retail
  - Communications
  - Public Sector
  - Professional Services
  - Financial Services

Agenda

• Business Challenges
• Oracle’s Leadership in GRC
• Solution Overview
• Customer Success
• Recommended Next Steps

Heavy Burden of Compliance

Increasing Number & Complexity of Regulations
• Sarbanes-Oxley Act
• Health Insurance Portability & Accountability Act
• Fair Credit Reporting Act
• Family Education Rights
• Children’s Online Privacy Protection Act
• Privacy Protection Act
• Gramm-Leach Bliley Act
• Federal Rules of Civil Procedure
• Patriot Act
• Domestic Security Enhancement Act
• Title 21 CFR Part 11
• Computer Fraud & Abuse Act
• … and many more

Erosion of Public Trust, Call for Greater Transparency
[Chart: public trust in 2002 (peak of corporate scandal) and public trust in 2006; values shown: 36% and 28%]
Source: McKinsey, 2007

High Stakes for Brand and Reputation
Brand Value = $12.6B
Source: BusinessWeek, 2007

Unabated Spending on Compliance
[Chart: Services, Headcount, Technology; values shown: $12B, $7.3B, $9.8B]
Source: AMR Research, Feb 2007

Compounded by Risk and Uncertainty

[Chart: risk level by risk type (Credit Risk, Market Risk, Litigation Risk, Compliance Risk, Information Risk, Strategic Risk) against an acceptable threshold]

FACT: Between 2004-2007, 62% of global companies experienced risk events*


• 87% of those risks were non-financial
• Almost half were not prepared
• Only half manage risk formally

*Source: IBM Global CFO Study, 2008


Greater Visibility into GRC is a Must Have
Top 6 Problems with a Siloed Compliance Approach
• Leaders lack an enterprise view of risks
• Compliance & risk aren’t considered in core processes and decision-making
• IT assets aren’t aligned with risk or compliance management needs
• Governance processes aren’t consistently defined and communicated
• Businesses do not have the high quality information they need
• Organizations lack a common language around risk
Source: Lee Dittmar, Demystifying GRC, Q4 2007

Consequences at a Board and C-Suite Level

Visibility & Communication Breakdown is a Threat
Management regularly fails to communicate risks to directors on a timely basis, imperiling the value of a company’s securities and ensuring embarrassment (or worse) when inevitable crises occur for which the company is unprepared.
Steve Mitchell, OCEG, Compliance Week, Dec 2007

Continuing Need for GRC Information
Boards of directors cite compliance and risk management as areas where better information is most needed from the audit committee.
McKinsey & Company

Burden Stems from Core Challenges
Challenge: Multiple Requirements, Fragmented Response
[Diagram: Regulation A, Risk B and Standard C each carry their own requirements (R1 R2 R3) and their own set of controls]
• Regulation A: C1a C2a C3a, C5a C6a C7a, C9a C10a C11a
• Risk B: C1b C2b C3b, C5b C6b C7b, C9b C10b C11b
• Standard C: C1c C2c C3c, C5c C6c C7c, C9c C10c C11c

Challenge: Insufficient Resources, Manual Efforts

Challenge: GRC as an Afterthought, Holding Up the Business
[Diagram: GRC, Business Processes]

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
How Oracle GRC Solutions Help
Solution: Consolidate
[Diagram: Regulation A, Risk B and Standard C share one set of requirements (R1 R2 R3) and one set of controls (C1 C2 C3, C5 C6 C7, C9 C10 C11)]

Solution: Automate
[Diagram labels: Risk, Policy, Process, Assessment, Reporting & Diagnostics, Detective Control, Preventive Control, Remediation, Issues]

Solution: Embed
[Diagram: GRC, Business Process]

Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
GRC Stakeholder Challenges & Value Props

CONTROL | PERFORMANCE | CONSOLIDATION | INNOVATION | COMPLIANCE | ASSURANCE

FINANCE CHALLENGES
• We need visibility into our high risk areas
• We need to lower spending and resources devoted to compliance
• The organization needs to move from manual validation of compliance to automated controls
• Policy and process management documentation is a challenge

FINANCE VALUE PROPOSITIONS
• Reduced risk and increased confidence in financial integrity
• Better decision-making armed with visibility real-time diagnostics
• Reduced audit time and costs; faster, easier
• Free up resources and time for core value-add activities; Enhanced morale of finance staff
• Better utilization of audit resources and coordinated efforts

IT CHALLENGES
• High percentage of IT budget devoted to compliance, and away from innovation
• Unsatisfied with current state of application data access and security
• Unable to enforce best-practices for configuration and change policies
• Disparate silos of information; difficult to create reports to satisfy the business

IT VALUE PROPOSITIONS
• Manage by exception; reduce time and cost of compliance
• Accelerate response to user provisioning requests; ensure data security & confidentiality
• Consistent environments, full audit trail of changes, easier migration/upgrade
• Improved support of Internal Audit compliance and LOB needs with less effort

AUDIT CHALLENGES
• We need a consistent and cost-effective way to manage business processes, risk, controls
• We need efficient reporting and comprehensive audit trail
• We need to document corporate policies online, and collaborate with line of business owners
• Audit data and reports difficult to generate – require significant IT and LOB support

AUDIT VALUE PROPOSITIONS
• Closed-loop remediation and better risk management
• Faster information flow and better visibility for quicker identification of potential issues
• Reduced audit time and efforts through self-service reporting and centralized evidence
• Timely and accurate information

Progress in GRC Maturity with Oracle
[Chart: maturity stages plotted as Maturity against Time]

Informal
• Compliant but at a high cost to business
• Adhoc approach
• No best practices

Reactive
• Risks are documented
• Manual risk assessment and reporting
• Manual control
• Tactical approach
• After the fact reporting

Proactive
• Policies are enforced
• Automated Process
• Unified, standardized & strategic approach
• Prevent policy violation

Optimized
• Analyze and trend
• Automated risk mitigation / Predictive risk assessments
• GRC objectives embedded throughout the organization

Oracle GRC Applications provide solutions for each maturity stage based upon your present stage and objectives, and help you mature to the next

Oracle Solutions for GRC

[Diagram: solution stack, top to bottom]
• GRC Reporting & Analytics: Dashboards, Reporting, KRI & Alerts
• GRC Process Management: Audit, Management Assessment, Issue & Remediation, Event & Loss Mgmt
• GRC Application Controls: SOD & Access, Application Configuration, Transaction Monitoring
• GRC Infrastructure Controls: Identity Mgmt, Data Security, Systems Mgmt, Records & Content Mgmt, Digital Rights
• Custom or Legacy Applications

• Purpose-built business solutions for key industries and GRC initiatives
• Best-in-class GRC core solutions to support all mandates and regulations
• Pre-integrated with Oracle applications and technology, supports heterogeneous environments

Oracle GRC Reporting & Analytics

• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRI and issues
• Produce attestations and disclosures
• Configure to meet your specific needs

Oracle GRC Process Management

• GRC system of record
• End-to-end GRC process management
• Platform independent
• Integrated control management
• Closed-loop issue remediation

Oracle GRC Application Controls

• Preventive and detective controls
• What-if risk simulation
• Automated controls testing

Oracle GRC Infrastructure Controls

• Protect sensitive data
• Enforce configurations and change management
• Reduce risk of legal liability

Services, Support & Partnerships

• Comprehensive results-based service offerings:

• Rapid Deployment
• Full Lifecycle Project Management
• Subject Matter Experts
• Risk Assessment
• Prompt Remediation
• Best-practices & Controls
• Business Processes Optimization
• Partnerships with Key Accounting & Risk Advisory Firms

Sample of GRC Customers
• High Tech / Communications / Media
• Consumer / Retail
• Financial Services
• Manufacturing
• Public Sector
• Life Sciences / Pharmaceuticals

Recommended Next Steps

• Assess your current organizational needs
  • Immediate requirements of high priority projects & risks
  • Immediate, Mid and long term objectives
  • Cost benefit consideration

• Evaluate Oracle’s updated GRC solution offering
  • Functional product demonstration
  • Technology & Architecture session
  • GRC solution combined with existing Oracle infrastructure
  • Enabling services and support session