GRC Sales Playbook Soumya Das Senior Director, GRC Product Marketing
Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. The development, release, and timing of any features or functionality described for LogicalApps' products remains at the sole discretion of LogicalApps.
Agenda • GRC Market Drivers • Value Propositions • Stakeholders • GRC Solution Overview • Competitive Overview • Summary and Q&A
GRC Market Opportunity Today
Total GRC spend (source: AMR 2007): Technology $9.8B; Headcount $12.6B; Services $7.3B
• The combination of GRC Controls (LogicalApps), GRC Manager and GRC Intelligence rounds out Oracle's ability to attack the $10B GRC technology market
"By 2008, > 75% of large and midsize companies will purchase new compliance management, monitoring & automation solutions (0.8 probability)." - Gartner, 2006
GRC Applications Market Drivers
Continuing Failure in Financial Reporting and Business Process
• 1,876 earnings restatements were filed with the SEC in 2006, compared with 1,296 in 2005 and 650 in 2004.
• 4 out of 5 companies have been the victim of corporate fraud in the past 3 years; average loss of $20M at companies with revenues of $5B and above.
• Source: AuditAnalytics 2006; Kroll Global Fraud Report, 2007
Continuing Rise in Complexity & Number of Regulations
• By 2012, the number of regulations that directly affect IT operations will double
• By 2012, 90% of public companies will face mandatory, audited public reporting requirements for financial controls, and 50% will face mandatory non-financial reporting
• Source: Gartner, 2006
Continuing Need for GRC Visibility by C-Suite and Board
• Boards of directors cite compliance and risk management as the areas where better information is most needed from the audit committee
• A global survey of 741 CFOs blames increasing job turnover partly on the tedium of meeting regulatory demands.
• Source: McKinsey, 2006; Duke University, 2007
Erosion of Public Trust, Call for Greater Transparency
• Public trust: 36% in 2002 (peak of corporate scandal) vs. 28% in 2006 (source: McKinsey, 2007)
High Stakes for Brand and Reputation
• Chart: $12B brand value at stake (source: BusinessWeek, 2007)
Unabated Spending on Compliance
• Services $7.3B; Headcount $12.6B; Technology $9.8B (source: AMR Research, Feb 2007)
Heavy Burden of Compliance: Increasing Number & Complexity of Regulations
• Sarbanes-Oxley Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, Federal Rules of Civil Procedure, Title 21 CFR Part 11, Computer Fraud & Abuse Act, Health Insurance Portability & Accountability Act, Children's Online Privacy Protection Act, Gramm-Leach-Bliley Act, Patriot Act, Domestic Security Enhancement Act ... and many more
Compounded by Risk and Uncertainty
FACT: Between 2004 and 2007, 62% of global companies experienced risk events*
• 87% of those risks were non-financial
• Almost half were not prepared
• Only half manage risk formally
(Chart: risk level against an acceptable threshold, by risk type: credit, market, litigation, compliance, information, strategic)
*Source: IBM Global CFO Study, 2008
Communication Breakdown Jeopardizes the Board
"Management regularly fails to communicate risks to directors on a timely basis, imperiling the value of a company's securities and ensuring embarrassment (or worse) when inevitable crises occur for which the company is unprepared." - Steve Mitchell, OCEG, Compliance Week, Dec 2007
Continuing Need for GRC Information
"Boards of directors cite compliance and risk management as areas where better information is most needed from the audit committee." - McKinsey & Company
Greater Visibility into GRC is a Must Have
Top 6 problems with a siloed compliance approach, and their consequences at a board and C-suite level:
• Leaders lack an enterprise view of risks
• Compliance & risk aren't considered in core processes and decision-making
• IT assets aren't aligned with risk or compliance management needs
• Governance processes aren't consistently defined and communicated
• Businesses do not have the high quality information they need
• Organizations lack a common language around risk
Source: Lee Dittmar, Demystifying GRC, Q4 2007
Burden Stems from Core Challenges
• Challenge: Multiple Requirements, Fragmented Response. (Diagram: Regulation A, Risk B and Standard C each carry requirements R1-R3, and each requirement is answered by its own set of controls, C1a/C1b/C1c through C11a/C11b/C11c, so the same control work is repeated per mandate.)
• Challenge: Insufficient Resources, Manual Efforts
• Challenge: GRC as an Afterthought, Holding Up the Business (GRC sits beside the business processes rather than inside them)
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
How Oracle GRC Solutions Help
• Solution: Consolidate. (Diagram: a single control set C1-C3, C5-C7, C9-C11 mapped once to the requirements R1-R3 of Regulation A, Risk B and Standard C.)
• Solution: Automate. Policy, process, assessment, reporting & diagnostics, detective controls, preventive controls, remediation and issue tracking, all driven from the risk.
• Solution: Embed GRC into the business process
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
The Oracle Difference
1. Best in Class, Engineered to Work Together
2. Policy Tied to Active Enforcement
3. Open Platform, Industry Depth: Financial Services, Public Sector, Life Sciences, High Tech, Retail, Utilities
Oracle GRC Applications Value Proposition: Only Oracle lets you...
Simplify GRC and Reduce Costs
• Reduce cost and complexity by managing global mandates with one system
• Align policy documentation with best-practice frameworks and automated controls
• Rely on a tamper-proof chain of evidence for all compliance activities
Safeguard Brand and Reputation
• Control user access & enforce segregation of duties with business-driven rules
• Reduce risk of fraud with continuous monitoring of master data, setup, and transactions
• Enforce effective preventive and detective controls across heterogeneous applications
Run Your Business Better and Prove It
• Leverage a single source of GRC information across departments and locations
• Tailor role-based GRC dashboards to the needs of specific organizations and functions
• Analyze risk and control status with rapid report creation using pre-delivered metrics
Who We Sell To
• Finance (themes: Control, Performance): CFO, Controller, Accounting Director, Accounting Manager
• IT (themes: Consolidation, Innovation): CIO, IT Director, Apps Manager, DBA / Business Analyst
• Internal Audit (themes: Compliance, Assurance): Chief Audit Executive, VP Audit, Audit Manager, Internal Auditors
Control, Performance: Challenges / Capabilities / Value for the CFO, Controller...
CHALLENGES
• We need to lower spending and resources devoted to compliance
• The organization needs to move from manual to automated controls
• Policy and process documentation is a challenge
• We need visibility into our high risk areas
CAPABILITIES
• Comprehensive GRC platform for recording, enforcing and reporting internal controls
• Automation of control testing and audit trails; simplified report generation with more accurate results
• Controls embedded seamlessly into daily business operations
• Role-based dashboards for risk and control intelligence
VALUE
• Reduced audit time and costs; faster, easier validation of compliance
• Reduced risk and increased confidence in financial integrity
• Better decision-making armed with real-time diagnostics
• Enhanced morale of finance staff and freed resources for value-added activities
SAMPLE QUESTIONS
• Where are your greatest costs associated with Sarbanes-Oxley or other regulatory compliance issues? Would it help if you could automate the entire process, from documentation to controls testing & reporting?
• What percentage of your key controls are manual? Are you interested in automating more of your controls?
• Can you measure the effectiveness of your compliance programs? Do you have a single view for this?
Legend: Oracle Differentiator
Consolidation, Innovation: Challenges / Capabilities / Value for the CIO, IT Director...
CHALLENGES
• High percentage of IT budget devoted to compliance, and away from innovation
• Disparate silos of information; difficult to create reports to satisfy the business
• Unsatisfied with current state of application data access and security
• Unable to enforce best practices for configuration and change management
CAPABILITIES
• Automated controls monitoring and segregation of duties enforcement
• Unified GRC reporting, alerts and tracker for business users
• Preventive and mitigating controls to ensure data quality and process integrity
• Form and workflow configuration through a GUI-based system
VALUE
• Manage by exception; reduce time and cost spent on compliance
• Improved support of Internal Audit and LOB compliance needs with less effort
• Accelerated response to user provisioning requests; data security assured
• Consistent environments, full audit trail of changes, easier migration/upgrade
SAMPLE QUESTIONS
• Are you looking for opportunities to reduce the time and money you spend on compliance, so you can focus on projects that grow the business?
• Would it help if Finance and Audit had self-service dashboards and could create their own reports?
• How often do you receive application customization requests, and how much effort does it take to make the change every time?
Legend: Oracle Differentiator
Compliance, Assurance: Challenges / Capabilities / Value for the Chief Compliance Officer, VP Audit...
CHALLENGES
• Audit data and reports are difficult to generate and require significant IT and LOB support
• We need efficient reporting and a comprehensive audit trail
• We need a consistent and cost-effective way to manage business processes, risks, controls and visibility
• We need to document corporate policies and collaborate with line-of-business owners
CAPABILITIES
• Automated control testing, assessments, and evidence through a self-service interface
• Centralized risk/control library; links to automated controls and control tests
• Pre-built, web-based reports (SoD conflicts, configuration changes, data changes, etc.)
• Integrated audit operations and compliance management solutions
VALUE
• Faster information flow and better visibility for quicker identification of potential issues
• Reduced audit time and effort through self-service reporting and online, centralized evidence
• Better utilization of audit resources and coordinated efforts
• Timely and accurate information
• Closed-loop remediation and better risk management
SAMPLE QUESTIONS
• Would it help if you didn't have to rely on IT to see the data that supports your test scripts?
• Would it reduce your audit fees if you could show increasing levels of controls automation to your external auditors?
• Are you interested in promoting accountability for compliance to the LOB experts, so that you could focus on overall business assurance?
Legend: Oracle Differentiator
Oracle Governance, Risk, and Compliance Simplify GRC and Reduce Costs Safeguard Brand and Reputation Run Your Business Better and Prove It
Agenda • GRC Market Update • Customer Pitch • Top Opportunities • GRC Solution Overview • Competitive Overview • Summary and Q&A
Who's Buying GRC?
Government (5% of LogicalApps customer base)
• Federal, State & Local; Education; Agencies; Civil; Dept. of Defense; Aerospace & Defense; Intelligence
• Drivers: OMB A-123; improper payments; Privacy Act; FISMA
Public companies (64% of LogicalApps customer base)
• $250M revenue & higher; cross industry: Financial Services, Telecom, Pharmaceuticals, Manufacturing, High-tech
• Drivers: Sarbanes-Oxley (SOX); Segregation of Duties; Change Management
Private companies (31% of LogicalApps customer base)
• $1B revenue & higher; cross industry: Financial Services, Media, Retail, Distribution, Manufacturing
• Drivers: Segregation of Duties; Change Management; Internal Audit
What to Look For
1. Pain
• Reported material weaknesses, financial restatements
• SEC investigations, CFO or Controller turnover
• Changed auditors, increases in audit fees
2. Maturity Level
• Heavily regulated industries
• Heavy investment in internal audit teams, separate audit officer
• Have already bought a documentation point solution
3. ERP Upgrades
• Look for companies implementing upgrades to their Oracle or PeopleSoft ERP systems, including instance consolidation & standardization
GRC Customers: Over 300 Customers Across Multiple Industries
High Tech / Communications; Consumer / Retail; Financial Services; Manufacturing; Public Sector; Life Sciences / Pharmaceuticals
Agilent
COMPANY OVERVIEW
• Technology leader in communications, electronics, life sciences and chemical analysis
• Revenue > $5 Billion
• 20,000 employees
CUSTOMER PERSPECTIVE
"It would have taken more than 6 months of application customization and easily cost a couple of million dollars to create the 200 controls we implemented in only 8 weeks." - Ravi Mahajani, ERP Solution Expert, Agilent
CHALLENGES / OPPORTUNITIES
• Identify and eliminate Segregation of Duties (SOD) conflicts for 90 operating units
• World's largest single Oracle EBS instance
• 20,000 active users
• 50,000 Oracle responsibilities
RESULTS
• Implemented 200 controls in 8 weeks
• Eliminated SOD conflicts to meet SOX compliance requirements on time
• Avoided a 6-month customization effort and millions of dollars
SOLUTIONS
• Oracle GRC Manager
• GRC Control Suite
Harris Bank
COMPANY OVERVIEW
• Established in 1817
• Total assets of $312 Billion
• 35,000 employees
• Retail banking, wealth management, and investment banking
CUSTOMER PERSPECTIVE
"We've reduced the time it takes to complete routine audits from two months to two days." - Darlene Mac Cormac, VP of Procurement & Strategic Sourcing, Harris Bank
CHALLENGES / OPPORTUNITIES
• User access was too broad; corporate assets not protected effectively
• No way to track changes to ERP application data, including who, what, when and why changes were made
• Segregation of Duties (SOD) analysis process was expensive and distracting from the core business
RESULTS
• Cut SOD review time from 2 months to 2 days
• Eliminated all known SOD conflicts
• Created detailed access rules protecting corporate assets
• Created comprehensive audit trails
SOLUTIONS
• GRC Control Suite
Federal Aviation Administration
ORGANIZATION OVERVIEW
• Revenues > $250B
• 52,160 employees
• 1 of 4 Federal Centers of Excellence (COE)
CUSTOMER PERSPECTIVE
"After searching for two years for a solution that would allow us to hide social security numbers from unauthorized users, LogicalApps showed us that they could selectively hide critical fields within minutes." - Michelle Overstreet, Program Manager, FAA
CHALLENGES / OPPORTUNITIES
• Mask sensitive data to comply with the Privacy Act
• Lack of tools to identify & remediate control violations and establish an effective monitoring process
• Difficulty satisfying management and audit requirements
RESULTS
• Eliminated programming time for application customization
• Reduced detection and remediation time for control violations
• Developed a sustainable model to manage regulatory compliance
SOLUTIONS
• GRC Control Suite: Access & Configuration Controls
Department of Health & Human Services
ORGANIZATION OVERVIEW
• Total assets of $658 Billion
• World's largest implementation of Oracle E-Business Financials
CHALLENGES / OPPORTUNITIES
• User access was too broad
• Privacy Act violations
• No way to track changes to data, including who, what, when and why changes were made
• SOD analysis process was expensive and ineffective
RESULTS
• Resolved 85% of SOD conflicts across the ERP system; implemented mitigating controls for the remainder
• Resolved privacy issues with access to SSN information
• Created detailed access rules and comprehensive audit trails to ensure A-123 compliance
SOLUTIONS
• GRC Control Suite
Oracle Solutions for GRC (solution stack, top to bottom)
• GRC Reporting & Analytics: KRI & Alerts; Dashboards; Reporting
• GRC Process Management: Management Assessment; Event & Loss Mgmt; Issue & Remediation; Audit
• GRC Application Controls: Transaction Monitoring; SOD & Access; Application Configuration
• GRC Infrastructure Controls: Data Security; Change Mgmt; Identity Mgmt; Digital Rights; Records Mgmt
• Custom or Legacy Applications
Captions: purpose-built business solutions for key industries and GRC initiatives; best-in-class GRC core solutions to support all mandates and regulations; pre-integrated with Oracle applications and technology, supports heterogeneous environments
Oracle GRC Reporting & Analytics (top layer of the stack)
• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRIs and issues
• Produce attestations and disclosures
• Configure to meet your specific needs
Oracle GRC Intelligence: Better decisions, more timely access to information, balanced performance
• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRIs and issues
• Produce attestations and disclosures
• Configure to meet your specific needs
Oracle GRC Process Management (second layer of the stack)
• GRC system of record
• End-to-end GRC process management
• Platform independent
• Integrated control management
• Closed-loop issue remediation
Oracle GRC Manager: Unify risk and compliance documentation and orchestrate processes
• GRC system of record
• End-to-end GRC process management
• Platform independent
• Integrated control management
• Closed-loop issue remediation
Process cycle:
1. Document: Risk-Control Matrix; COSO/COBIT frameworks; policies and procedures; evidence & records retention
2. Assess: scope audits; perform self assessment; test manual controls; monitor automated controls
3. Analyze: review reports; receive alerts; investigate exceptions
4. Respond: remediate; retest; optimize
5. Certify: sign-off and publish
Oracle GRC Application Controls (third layer of the stack)
• Continuous controls monitoring and enforcement
• Preventive and detective controls
• Automated controls testing
• Best-practice controls across key process flows
Oracle GRC Controls Suite
Preventive controls (enforce policies in context):
• Access controls: what users can do
• Configuration controls: how the environment is set up
• Transaction controls: how users execute processes
Detective controls (monitor control effectiveness):
• Access controls: what users have done
• Configuration controls: what's changed in the environment
• Transaction controls: what the execution patterns are
Services, Support & Partnerships
• Comprehensive results-based offerings: Rapid Deployment; Full Lifecycle Project Management; Subject Matter Experts; Risk Assessment; Prompt Remediation; Best-Practice Controls; Business Process Optimization
• Partnership with Accounting & Risk Advisory Firms
GRC Applications Suite Comparison (comparison matrix; legend: Full / Somewhat / Minimal / None; the matrix contents did not survive extraction)
Gartner’s Magic Quadrant for Enterprise GRC Platforms Source: Gartner (June 2008)
Competitor: Approva
Background
• Based in Reston, Virginia
• Privately held, 100+ employees
• Approx. $10M revenue in 2006
Strengths
• Cross-platform controls monitoring
• Supports SAP, Oracle, PeopleSoft, JDE and custom legacy apps
Weaknesses
• Majority of customers are on the SAP platform
• Only a handful of customers on Oracle EBS
• No embedded preventive controls
What they will say
• "No cross-platform capability; only operable on Oracle EBS"
• "They are the only true agnostic, as they have no ERP offering"
How we respond
• GRC Manager and GRC Intelligence support ALL application platforms today
• GRC Controls Suite is the #1 solution for the Oracle E-Business Suite and PeopleSoft Enterprise
• Our new release 8.0 extends cross-platform capabilities to PeopleSoft, JDE, SAP, Hyperion, and our clients' other business applications
Competitor: SAP
Background
• Dedicated GRC business unit
• Growing overlay sales org
• Recognized market visionary
Strengths
• Segregation of Duties controls
• Cross-platform support
• Global Trade Management
Weaknesses
• No play in GRC infrastructure (content & records mgmt, identity mgmt, and database security)
• No preventive control capabilities for any customer, SAP or Oracle
What they will say
• "Follower in the GRC space"
• "Not a true GRC application provider"
• "Limited cross-platform capability"
How we respond
• In the last Finance GRC Magic Quadrant, Gartner rated Oracle superior to SAP in ability to execute
• To truly address GRC needs such as financial compliance, IT governance, and information security, customers need core infrastructure in addition to purpose-built applications
• GRC Manager and GRC Intelligence support ALL application platforms today; GRC Controls Suite is the #1 solution for the Oracle E-Business Suite and PeopleSoft Enterprise; our next release will extend cross-platform capabilities to JDE, SAP, Hyperion, and legacy applications
Recommended Next Steps
• Assess your current organizational needs: immediate requirements of high-priority projects; mid- and long-term objectives; cost/benefit considerations
• Evaluate Oracle's combined solution offering: functional product demonstration; combination of the new solution with existing infrastructure; enabling services and support
Q & A