
Why GRC is important to you and your customers/prospects

What do we mean by GRC?
How does it relate to Oracle?
Brian Gregory, ACA, EMEA GRC
Safe Harbor Statements
The following is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions.
The development, release, and timing of any features or
functionality described for Oracle’s products remains at the
sole discretion of Oracle.
Caution
The following presentation will challenge your current views. The presenter has no responsibility for any distress you may suffer from having your views changed and/or your sales horizons expanded. In the event of a panic attack take deep breaths and if necessary hold the hand of the person next to you!
2 Compelling Reasons
One Product alone could be worth £82m in UK
One sale this year was just short of $1 Million
Competition
3rd Reason
Confidence and Trust
But what is Governance, Risk and Compliance?
What does GRC Mean?
• Governance
  • Set and evaluate performance against objectives
  • Authorize business strategy & model to achieve objectives
• Risk
  • Identify, assess, and address potential obstacles to achieving objectives
  • Identify / address violation of mandated and voluntary boundaries
• Compliance
  • Encourage / require compliance with established policies and boundaries
  • Detect non-compliance and respond accordingly
Or put another way
• Governance
  • Managing the “business” efficiently and effectively
  • Ensuring “No Surprises”
• Risk
  • Identifying and seeking to mitigate risks that could lead to surprises
  • For example, compliance fails [SOX, Basel II] but also operational risks
    • Data Security [HMRC]
    • Ethics [Primark]
• Compliance
  • The obvious one – legal and regulatory failures
It is about trying to prevent “Surprises” from happening
GRC Terminology
Processes: Best Practices
• Financial Governance (COSO)
• Operational Risk Management (ISO, 6Sigma)
• IT Governance (COBIT, ITIL)
Risks: Risk Assurance Partners
• Specialists
• Audit Firms
Controls
• Automated Controls
• Detective & Preventative
• Reports/Documentation
• Attestation (“I confirm that...”)
Governance
Risk
Compliance
What is the Oracle GRC Strategy?
Oracle GRC Has Come A Long Way
July 2006: “SAP definitely in my mind has the lead on Oracle in developing a very comprehensive strategy for GRC.”
Michael Rasmussen, Forrester, July 5, 2006
May 2008: “SAP needs to put urgency into fleshing out its GRC management capabilities to match its vision…Until SAP does so, enterprise GRC platform buyers should look to Oracle and the many best-of-breed EGRC platform vendors.”*
French Caldwell, Gartner, May 22, 2008
Shift Happens!
* As quoted in article by Courtney Bjorlin, News Editor, 29 May 2008 | SearchSAP.com
Acquired Innovation Timeline:
Scale, technology and vertical specialization drive growth across all product lines
Oracle FY2005: 4 Acquisitions
Oracle Fiscal Year 2006: 15 Acquisitions*
Oracle Fiscal Year 2007: 12 Acquisitions**
Oracle FY 2008 YTD: 16 Acquisitions
* Excludes acquisitions of Covansys and Hexaware operations.
** Acquisition of Mantas through majority-owned i-flex solutions company.
Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms
• Committing adequate investment to an aggressive development road map with plans for many vertical-specific versions of GRC Manager
• A suite of controls products, such as Oracle Application Access Controls Governor and Oracle Transaction Controls Governor, that is integrated into the GRC Manager platform
Shift Has Happened
• New Products
  • Applications
    • GRC Controls [aka LogicalApps]
    • Automated Detection and Enforcement of key, foundational controls
    • Any ERP customer
  • Technology
    • Identity Management and Database Vault now certified for EBS
How Oracle GRC Solutions help
Challenge: Multiple Requirements, Fragmented Response
Solution: Consolidate
[Diagram: requirements R1, R2, R3 from each Regulation, Risk and Standard (A, B, C) are mapped onto one consolidated set of controls (C1 to C11) instead of separate per-requirement control sets (C1a, C1b, C1c, ...).]
Challenge: Insufficient Resources, Manual Efforts
Solution: Automate
[Diagram: Risk, Policy, Process, Assessment, Reporting & Diagnostics, Detective Control, Preventive Control, Remediation and Issues as one automated loop.]
Challenge: GRC as an Afterthought or Holding Up the Business
Solution: Embed GRC in Business Processes
Sources: Adapted from Deloitte Consulting, Open Compliance and Ethics Group, and IDC
Oracle Solutions for GRC
GRC Reporting & Analytics: Access KPIs | Policy KPIs | Risk & Control KPIs | Certification KPIs
  ✓ Purpose-built business solutions for key industries and GRC initiatives
GRC Process Management: Documentation & Reporting | Management Assessments | Issues & Remediation
GRC Application Controls: SOD & Access | Application Configuration | Transaction Monitoring
  ✓ Best-in-class GRC core solutions to support all mandates and regulations
GRC Infrastructure Controls: Identity Mgmt | Data Security | Systems Mgmt | Records & Content Mgmt | Digital Rights
  ✓ Pre-integrated with Oracle applications and technology, supports heterogeneous environments
Custom or Legacy Applications
Oracle GRC Product Set
[Diagram: the GRC solution stack: Reporting & Analytics (Dashboards, Reporting, KRI & Alerts); Process Management (Audit Management, Issue & Remediation, Event & Loss Mgmt); Application Controls (SOD & Access, Application Configuration, Transaction Monitoring); Infrastructure Controls (Identity Mgmt, Data Security, Systems Mgmt, Records & Content Mgmt, Digital Rights); Custom or Legacy Applications.]
GRC Reporting and Analytics
• Fusion GRC Intelligence
GRC Process Management
• GRC Manager
GRC Application Controls
• Application Access Controls Governor
• Configuration Controls Governor
• Transaction Controls Governor
• Preventive Controls Governor
GRC Infrastructure Controls
• Identity Manager
• Access Manager
• Role Manager
• Database Vault
• Audit Vault
• Advanced Security
• Secure Backup
• Enterprise Manager
• Universal Content Management
• Universal Records Management
• Information Rights Management
Policies and Procedures
Document, Evaluate, Verify and Conclude
Step 1 - Understand what your policies and procedures are and whether they are adequate. Where are the weaknesses and are there any mitigating controls?
Step 2 - Ensure that your staff have the necessary skills and experience to undertake their duties. Of course this is an on-going process.
Step 3 – Automate the flow of transactions and approvals as much as possible. Of course this requires a link to HR. Simplify the number of processes and ERP.
Step 4 – Plan your business and have Business Intelligence systems that monitor performance and alert to possible deviations. Of course you should understand the processes for creating the budgets and forecasts.
Step 5 – Secure the IT Infrastructure. User Identity Management across all systems, security of data, availability of systems etc are all important. Of course you also need to be able to show that the IT policies and procedures are adequate and functioning.
[Diagram: People (Align required skills and competencies with staff); Automate (Controls, Approvals and Business flows); Plan, Forecast and Monitor (Create, Manage, Update and Report); Secure IT Infrastructure (User Access and Provisioning, Data Security, Availability).]
Oracle GRC Reporting & Analytics
Run your Business Better and Prove It
[Diagram: the GRC solution stack with the GRC Reporting & Analytics layer (Dashboards, Reporting, KRI & Alerts) highlighted.]
✓ Pre-built dashboards aggregate information from all sources
✓ Combine performance & GRC information
✓ Respond to KRI and issues
✓ Produce attestations and disclosures
✓ Configure to meet your specific needs
Oracle GRC Intelligence
Better decisions, more timely access to information, balanced performance
• Pre-built dashboards aggregate information from all sources
• Combine performance & GRC information
• Respond to KRI and issues
• Role based
• Configure to meet your specific needs
[Screenshots: Consolidated view of financial balances and risk rating; GRC Intelligence for SOD]
Oracle GRC Process Management
Simplify GRC and Reduce Costs
[Diagram: the GRC solution stack with the GRC Process Management layer (Audit Management, Issue & Remediation, Event & Loss Mgmt) highlighted.]
✓ GRC system of record
✓ End-to-end GRC process management
✓ Platform independent
✓ Integrated control management
✓ Closed-loop issue remediation
[Screenshots: GRC Manager; Example of a process: basics; Example of a process: Risks; Example of a process: Controls]
Manage Compliance Processes
Automate Labor Intensive, Manual Processes
Is it time to do an assessment again?
Oracle GRC Applications Controls
Protect Brand and Reputation
[Diagram: the GRC solution stack with the GRC Application Controls layer (SOD & Access, Application Configuration, Transaction Monitoring) highlighted.]
✓ Preventive and detective controls
✓ What-if risk simulation
✓ Automated controls testing
Oracle GRC Controls
Detective Controls (Monitor Control Effectiveness):
• Access Controls: What users have done
• Configuration Controls: What’s changed in the environment
• Transaction Controls: What are the execution patterns
Preventive Controls (Enforce Policies in Context):
• Access Controls: What users can do
• Configuration Controls: How the environment is setup
• Transaction Controls: How users execute processes
Segregation of Duties
You mean I can’t approve my own expenses?
Integrity of Accounting
• Segregation of Duties [SOD]
  • Fraud
  • Accuracy
• Foundation to ANY accounting system
• Strong control is essential to ALL accounting operations – X-Industry - Private, Public, Public Sector, Not for Profit etc
• NOT DRIVEN BY ANY SPECIFIC LEGISLATION
Oracle Application Access Controls Governor
Enforce proper segregation of duties in applications
✓ Simplify segregation of duties enforcement with simulation and remediation
  • Conflict Paths
  • Policy Library
✓ Mitigate risk of privileged user access to enterprise applications with approval workflow and audit trails
✓ Accelerate deployment and time to value with pre-delivered controls library
Process flow: Define Access Controls → Conflict Analysis → Remediation (Clean-up) [Detection] → Preventive Provisioning → Compensating Controls [Prevention]
Conflict Analysis: View detailed conflict reports by various dimensions (e.g. by Application)
Compensating Controls: Implement compensating SOD control by removing the payment tab to enforce policy
Compensating Controls: Payment tab is removed
What should I be looking for?
4 Simple Questions
• Are you interested in understanding who has access to your systems?
• Are you interested to know what access they have?
• Are you interested in finding potential conflicts in access rights?
• Are you interested in enforcing access controls and preventing inappropriate access?
Configuration Management
As you can see there have been some changes to the computer systems
Integrity of Accounting
• Integrity of Financial System
• Changes
  • Monitor
  • Prevent
  • Track
  • Assess
• Strong control is essential to ALL accounting operations – X-Industry - Private, Public, Public Sector, Not for Profit etc
• NOT DRIVEN BY ANY SPECIFIC LEGISLATION
Oracle Configuration Controls Governor
Ensure integrity of critical application setups
✓ Achieve consistent application setup and operating standards across multiple instances
✓ Track complete audit trails for changes to key configurations
✓ Tightly control change management to accelerate development and test time
Process flow: Define Configuration Controls → Document or Compare Configurations → Monitor Configuration Changes [Detection] → Enforce Change Control → Manage Data Integrity [Prevention]
Data Privacy and Data Integrity
Mask sensitive data, disable buttons, validate data input, etc.
• Granular user interface restrictions
• Restrict access to data or actions
• Embedded control enforcement
[Screenshot: an Employee Update form (Name: John Doe; Address: 123 Main St, Center City, NY 12345; SSN: XXX-XX-XXXXX; Salary: $ 53,000.00; Supervisor: Mary Smith; OK / Cancel) beside an Employees list (John Jones, Phil Johnson, Sue Thompson, Sally Struthers, Bill Seibel), with callouts:]
• Conceal SSN number if user is NOT from HR dept
• Can only view the Salary field (can’t update)
• Disable Invoice action button for Invoices created by same user
What should I be looking for?
4 Simple Questions
• Are you interested in understanding what changes have been made to your configuration?
• Are you interested in knowing whether changes have been made to key data in your systems?
• Are you interested in being able to report on differences between configurations – both over time and between different instances?
• Are you interested in enforcing controls over changes?
Transaction Management
So isn’t it strange that this user is raising a number of POs just under their approval level?
Integrity of Accounting
• Detection and Prevention of “Unusual” transactions
• Continuous monitoring of
  • Transaction
  • Master data
• Strong control is essential to ALL accounting operations – X-Industry - Private, Public, Public Sector, Not for Profit etc
• NOT DRIVEN BY ANY SPECIFIC LEGISLATION
Oracle Transaction Controls Governor
Identify inaccurate or fraudulent transactions
✓ Continuously monitor accuracy of transactions and mitigate exposure to fraud
Pre-delivered Transaction Controls → Suspect Transactions
• Test against thresholds
• Search for anomalies
• Perform transaction sampling
Process flow: Define Transaction Controls → Perform Transaction Analysis → Review and Address Suspects [Detection] → Preventive Transaction Controls [Prevention]
What should I be looking for?
4 Simple Questions
• Are you interested in being able to identify unusual transactions in your systems?
• Are you interested in being able to identify users trying to circumvent authority limits by undertaking multiple transactions?
• Are you interested in being able to speed your period close process?
• Are you interested in being able to enforce controls over transactions?
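Two of the pre-delivered control types named on the Transaction Controls Governor slide (a threshold test and an anomaly search) applied to the scenario of a user raising several POs just under their approval level, as an added Python illustration that is not Oracle code. The PO records, the approval limits, the 5% "just under the limit" band and the 7-day split window are all constructed assumptions.

```python
"""Detective transaction controls over purchase orders (constructed sample data)."""
from collections import defaultdict
from datetime import date

# Constructed: each requester's single-transaction approval limit.
APPROVAL_LIMITS = {"u_adams": 5000.0, "u_baker": 10000.0}

# Constructed POs: (po_number, requester, supplier, amount, created)
PURCHASE_ORDERS = [
    ("PO-1001", "u_adams", "ACME Ltd", 4900.00, date(2008, 5, 1)),
    ("PO-1002", "u_adams", "ACME Ltd", 4950.00, date(2008, 5, 3)),
    ("PO-1003", "u_adams", "ACME Ltd", 4800.00, date(2008, 5, 6)),
    ("PO-1004", "u_baker", "Globex", 2500.00, date(2008, 5, 2)),
    ("PO-1005", "u_adams", "Initech", 1200.00, date(2008, 5, 4)),
]


def just_under_limit(pos, band=0.05, limits=APPROVAL_LIMITS):
    """Threshold test: POs whose amount sits within `band` (assumed 5%)
    below the requester's own approval limit, i.e. self-approvable but
    only just.  Returns the PO numbers in input order."""
    hits = []
    for po, user, _supplier, amount, _created in pos:
        limit = limits[user]
        if limit * (1 - band) <= amount <= limit:
            hits.append(po)
    return hits


def split_purchases(pos, window_days=7, limits=APPROVAL_LIMITS):
    """Anomaly search: for each requester/supplier pair, find a run of POs
    within `window_days` that are each under the requester's limit but
    together exceed it (a purchase split to stay under authority).
    Returns (requester, supplier, po_numbers, total) per suspect pair."""
    by_pair = defaultdict(list)
    for po in pos:
        by_pair[(po[1], po[2])].append(po)
    suspects = []
    for (user, supplier), group in by_pair.items():
        limit = limits[user]
        group.sort(key=lambda p: p[4])  # oldest first
        for i, first in enumerate(group):
            run = [p for p in group[i:] if (p[4] - first[4]).days <= window_days]
            total = sum(p[3] for p in run)
            if len(run) > 1 and all(p[3] <= limit for p in run) and total > limit:
                suspects.append((user, supplier, tuple(p[0] for p in run), round(total, 2)))
                break  # report the earliest qualifying window per pair
    return suspects


if __name__ == "__main__":
    print("Just under limit:", just_under_limit(PURCHASE_ORDERS))
    print("Split purchases:", split_purchases(PURCHASE_ORDERS))
```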
Oracle GRC Reporting & Analytics
Run your Business Better and Prove It
[Diagram: the GRC solution stack with the GRC Infrastructure Controls layer (Identity Mgmt, Data Security, Change Mgmt, Records Mgmt, Digital Rights) highlighted.]
✓ Secure the IT Infrastructure
✓ Extend user access and SOD to cover ALL systems
✓ Secure data inside and outside IT environment
✓ Protect sensitive data from unauthorized access
✓ Manage flow of data between systems
Oracle Identity & Access Management
End Users: Strong Authentication | Risk Based Authorization | Federation | Self-Service
Administrator: Identity Admin | Account Admin | Organization Admin | Role Management | Delegated Admin
Info. Sec, Auditor: Reporting & Analytics | Attestation | Segregation of Duties | Fraud Detection
Oracle Identity Management & Security Platform
• Provisioning, Reconciliation, Password Mgmt., WS Security
• LDAP Storage, LDAP Synchronization, LDAP Virtualization
• Java Platform Security, Authentication For Operating Systems, DB User Security
[Bottom row of the diagram: Business Apps, HR | Directories, DB | App Server, OS]
Compliant Access Provisioning
Segregation of Duties in User Provisioning
IDENTITY MANAGEMENT: New Hire, Change of Role → Set Up User Profile → Determine User Role
GRC CONTROLS: Validate with SOD Policies → Violations Found?
• No (✓) → Provision Application Access
• Yes (!) → Remediate:
  • Seek Approval
  • Apply Mitigating Control
  • Deny Access
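The decision point in this flow, as an added Python illustration that is not Oracle code: a role-to-entitlement map and an SOD policy library (both constructed) drive a conflict analysis that reports each conflict path, and the three remediation outcomes above are applied by an assumed rule (a high-risk conflict needs a mitigating control; a medium-risk one needs a mitigating control or a named approver; otherwise access is denied).

```python
"""SOD validation at access-provisioning time (constructed sample data)."""
from dataclasses import dataclass
from itertools import product

# Constructed: fine-grained entitlements granted by each application role.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"enter_invoice", "maintain_supplier"},
    "AP_MANAGER": {"approve_invoice", "approve_payment"},
    "PAYMENTS": {"run_payment_batch"},
    "READ_ONLY_GL": {"view_gl_balances"},
}

# Constructed SOD policy library: (policy id, entitlement A, entitlement B, risk).
# One person must not hold A and B together.
SOD_POLICIES = [
    ("SOD-001", "maintain_supplier", "approve_payment", "high"),
    ("SOD-002", "enter_invoice", "approve_invoice", "medium"),
    ("SOD-003", "approve_payment", "run_payment_batch", "high"),
]


@dataclass(frozen=True)
class Conflict:
    policy_id: str
    risk: str
    # Conflict path: (role granting A, A, role granting B, B)
    path: tuple


def find_sod_conflicts(roles):
    """Return every SOD conflict, with its conflict path, in a set of roles."""
    grants = [(role, ent) for role in roles for ent in ROLE_ENTITLEMENTS.get(role, ())]
    conflicts = []
    for pid, ent_a, ent_b, risk in SOD_POLICIES:
        for (role_a, ea), (role_b, eb) in product(grants, grants):
            if ea == ent_a and eb == ent_b:
                conflicts.append(Conflict(pid, risk, (role_a, ea, role_b, eb)))
    return conflicts


def provisioning_decision(requested_roles, mitigating_controls=frozenset(), approved_by=None):
    """Outcome of an access request: 'provision' when no policy is violated,
    'provision_with_exception' when every violation is covered by a mitigating
    control (keyed by policy id) or, for medium risk, by a named approver,
    otherwise 'deny'.  The second element is the conflict list for the audit trail."""
    conflicts = find_sod_conflicts(requested_roles)
    if not conflicts:
        return "provision", conflicts
    for c in conflicts:
        mitigated = c.policy_id in mitigating_controls
        if c.risk == "high" and not mitigated:
            return "deny", conflicts  # assumed rule: high risk needs a compensating control
        if not mitigated and approved_by is None:
            return "deny", conflicts  # assumed rule: medium risk needs approval or mitigation
    return "provision_with_exception", conflicts


if __name__ == "__main__":
    for c in find_sod_conflicts({"AP_CLERK", "AP_MANAGER"}):
        print(c.policy_id, c.risk, "via", c.path)
    print(provisioning_decision({"AP_CLERK", "AP_MANAGER"}, {"SOD-001"}, approved_by="cfo")[0])
```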
Oracle Database Security
Defense-in-Depth for Security and Compliance
[Diagram: Audit Vault, Configuration Management, Total Recall, Database Vault, Label Security, Advanced Security, Data Masking, Secure Backup]
Oracle Database Vault
• Controls on privileged users
  • Restrict highly privileged users from application data
  • Provide Separation of Duty
• Security for database and information consolidation
• Real time access controls
  • Control who, when, where and how data is accessed
  • Make decision based on IP address, time, auth…
[Diagram: Protection Realms, Reports, Multi-Factor Authorization, Command Rules, Separation of Duty]
Oracle Information Rights Management
• Patented “distributed” rights management
  • between centralized server and desktop
• Centralized revocation of rights and up-to-date audit trail
• Transparent mobile access to “sealed” information
• Classification-based rights management
• Enterprise-scalable
Summary
• GRC is a huge opportunity
• Oracle is unique in the depth and breadth of our offering
• For every EBS and P/Soft customer [new and existing] you should include:
  • GRC Controls
    • SOD is the lead
  • Extend GRC C with Technology for complete
• Every system we sell is in order to automate and improve business processes – so why not talk to them about
  • GRC Manager and GRC Intelligence to record the processes?
  • UPK and/or Tutor to enable staff effectiveness?
• Think beyond your comp plan
  • GRC is Never about 1 product
  • Our strength is the completeness of offering
  • Engage with Partners
Resources for Accelerating Growth
Partner Communities
• “Live” Partner Communities for BI, ECM, IDM, Persuasive, SOA
Material available from Partner Communities
• Technology: white papers, documentations, downloads
• Sales: sales kits, cheat sheets, references, ROI calculator
• Marketing: brochures, presentations, industry papers
• Education: Online Training & Assessments & Certification
Activities
• Regular updates available in OPN
• Monthly newsletters
• Monthly webcasts
• Quarterly Partner Community Forums
• Online Discussion Forums
Next step
• Sign up for the communities: http://www.oracle.com/partners/home/personalized/emea/english/technology/home.html