Dr. Frank Schoenthaler, PROMATIS software GmbH
Vienna, September 27th, 2010

Enabling Agile Businesses

… with Oracle Governance, Risk, and Compliance Management (GRC) Solutions

Enabling Agile Businesses: Contents

• About the Nature of Agile Businesses

• Governance, Risk and Compliance
  − Core Competence of Agile Businesses
  − Influencing Factors and GRC Mechanisms
  − GRC Covers all Spheres of Business Activity

• Avoidance of Information Islands
  − Business Modeling Drives Complexity out of GRC
  − Example Model: Excerpt from Finance- & Audit GRC

• Oracle GRC Solutions
  − Initial Orientation: Solution Landscape
  − Dedicated Oracle GRC Products

• Conclusion

© 2010 PROMATIS software GmbH, September 27, 2010

About the Nature of Agile Businesses: Long-Term Planning in "Traditional" Businesses

[Diagram: the Business Organization (Mission, Goals, Strategies, Business Processes, Organization & IT-Systems) at the center, exchanging with Investors (Capital), the Labor Market (Labor), Suppliers (Pre-Products, Trade Goods), Raw Material Suppliers (Raw Material), the Environment (Natural Resources), Markets (Products) and Society (Values, Rules).]

About the Nature of Agile Businesses: Continuous Change in Today's Business Environments

[Diagram: Mission, Goals, Strategies, Business Processes, Organization & IT-Systems under continuous change.]

• Continuous monitoring and improvement of business processes and information systems.

• Monitoring and benchmarking of the effectiveness and sustainability of business models and strategies.

About the Nature of Agile Businesses: Demands on Agile Businesses

• Agile Businesses are prepared and enabled for continuous change.

• Scenario-based strategic and tactical planning.

[Diagram: Agile Businesses and Governance-, Risk- & Compliance Management in strong interaction; agile businesses pose severe challenges to GRC, and GRC in turn enables agile businesses.]

• Effective, forward-looking and secure piloting and management becomes the most critical success factor of agile businesses!

Governance, Risk and Compliance: Core Competence of Agile Businesses

• Governance is the management of a company based on clearly and understandably formulated business goals and codes of conduct. Important conditions come from conformity with legal guidelines and completeness. Governance spans all business areas and levels.

• Risk Management describes the entirety of all measures to handle known and unknown internal and external business risks. This includes the establishment of early warning systems to recognize risks, as well as measures to eliminate risk potentials and to treat risks that have occurred.

• Compliance describes the fulfillment of, accordance and/or conformity with governmental laws, with rules and specifications, with (ethical and moral) principles and procedures, as well as with clearly defined standards (e.g. ISO) and conventions. Compliance can be either mandatory (e.g. required by law) or voluntary (e.g. abiding by standards).

Governance, Risk and Compliance: Influencing Factors and GRC Mechanisms

[Diagram: influencing factors (Laws, Regulations, Norms and Standards, Values and Ethical Fundamentals, Business Goals, Business Model, Risks) feed the three GRC mechanisms: Governance (Codes of Conduct, Monitoring, and Controlling), Risk Management (Risk Directives) and Compliance Management; the mechanisms act in the phases Prevention, Execution and Reaction.]

Governance, Risk and Compliance: GRC Covers all Spheres of Business Activity

[Diagram: the four business levels Strategies, Business Processes, Business Software and IT Platform, overlaid by the GRC spheres Finance- & Audit GRC, Legal- & Process GRC and IT GRC.]

Avoidance of Information Islands: Business Modeling Drives Complexity out of GRC

[Diagram: interlinked business model types and their relationships: Object Model (Typification of Object Stores), Organization Model (Roles, Employees), Resource Model, Procedure Model (Activity, Refinement, Object Stores), Rule Model, Risk Model and Key Figure Model; relationships include Execution, Responsibility, Affiliation, Ownership, Compliance, Risk Context, Risk Precaution and Key Figure Context.]

[Source: Horus GRC Manager™]

Avoidance of Information Islands: Example Model: Excerpt from Finance- & Audit GRC

[Figure: example model, excerpt from Finance- & Audit GRC.]

Oracle GRC Solutions: Initial Orientation: Solution Landscape

[Diagram: Oracle GRC products mapped onto the levels Strategies, Business Processes, Business Software and IT Platform: Fusion GRC Intelligence, Enterprise Manager, Enterprise GRC Manager, GRC Controls (Application Access, Transactions, Configuration, Preventive Controls, SOA Governance) and Horus GRC Manager. Infrastructure Controls are based on Oracle infrastructure products (Fusion Middleware, Database, Enterprise Manager).]

Oracle GRC Solutions: Dedicated Oracle GRC Products

• Enterprise GRC Manager: Transparency and efficient GRC processes through automated compliance management across application borders and different sets of rules.
  − The product is based on comprehensive documentation of critical business regulations, processes and leadership instruments, risks and problem fields.
  − By defining and maintaining controls, it can be specified whether and how business processes and their associated risks have to be monitored.
  − Test plans, reviews and certifications can be generated across the entire organization.
  − Audit trails allow authorized users to trace all GRC-relevant processes completely.

• Fusion GRC Intelligence: BI solution that delivers role-tailored out-of-the-box dashboards as well as hundreds of pre-delivered metrics.
  − Seamless interaction with financial management systems.
  − Shows the progress of risk and control activities and the coverage of access policies, and highlights specific areas of concern such as unmitigated risks, SoD conflicts and ineffective controls.

• GRC Controls: Automated GRC Controls provide for secure handling of information resources at all levels (application, middleware, database) of the IT infrastructure.
  − Application Access Controls Governor: AACG is used to monitor conflicts that can arise between roles and responsibilities with regard to SoD (Segregation of Duties). This makes it possible to prevent violations of segregation of duties in advance.
  − Configuration Controls Governor: CCG controls and tracks changes to key application setup data. With CCG, you can ensure application integrity, audit changes, and continuously monitor setups.
  − Enterprise Transaction Controls Governor: TCG detects technical anomalies and violations in transactions. TCG helps to avoid risks at an early stage by tracking events that indicate a potential violation of internal controls, heightened levels of risk, or reportable events.
  − Preventive Controls Governor: With PCG, you can limit or control which data fields application users can change or see, define the types of data users can input in various fields, and limit the values of transactions to enforce regulatory or corporate guidelines.
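The slide describes Application Access Controls Governor as monitoring segregation-of-duties (SoD) conflicts between roles and responsibilities, and Fusion GRC Intelligence as reporting unmitigated risks. The following Python script is an added example (it is not PROMATIS, Horus or Oracle code) of the kind of check behind both points: it expands each user's roles into the business privileges they grant, tests the result against a set of SoD rules, marks conflicts that have a documented compensating control as mitigated, and offers a preventive check that reports which rules a proposed role grant would newly violate. All roles, privileges, users, rule names and mitigations below are constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments.

Added example, not vendor code. All roles, privileges, users, rule names
and mitigations are constructed for illustration.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

# Constructed role catalogue: role -> business privileges it grants.
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "TREASURY": {"release_payment", "maintain_bank_account"},
    "PROCUREMENT": {"create_purchase_order", "approve_purchase_order"},
    "READ_ONLY": {"view_ledger"},
}


class SodRule(NamedTuple):
    name: str
    privileges: FrozenSet[str]  # privileges one person must not hold together


# Constructed SoD policy.
SOD_RULES: List[SodRule] = [
    SodRule("vendor-vs-payment", frozenset({"create_vendor", "release_payment"})),
    SodRule("invoice-entry-vs-approval", frozenset({"enter_invoice", "approve_invoice"})),
    SodRule("po-create-vs-approve", frozenset({"create_purchase_order", "approve_purchase_order"})),
    SodRule("bank-vs-payment", frozenset({"maintain_bank_account", "release_payment"})),
]


class Conflict(NamedTuple):
    user: str
    rule: str
    roles: FrozenSet[str]  # roles that together grant the conflicting privileges
    mitigated: bool        # a documented compensating control exists


def effective_privileges(roles: Set[str]) -> Dict[str, Set[str]]:
    """Map each privilege a role set grants to the roles that grant it."""
    grants: Dict[str, Set[str]] = {}
    for role in roles:
        for priv in ROLE_PRIVILEGES.get(role, set()):
            grants.setdefault(priv, set()).add(role)
    return grants


def violated_rules(roles: Set[str]) -> List[Tuple[str, FrozenSet[str]]]:
    """SoD rules violated by a role set, each with the roles causing it.

    A single role that bundles both sides of a rule (TREASURY below) is
    reported too: that is a role-design defect, not just an assignment one.
    """
    grants = effective_privileges(roles)
    hits: List[Tuple[str, FrozenSet[str]]] = []
    for rule in SOD_RULES:
        if rule.privileges.issubset(grants):
            involved = frozenset(r for p in rule.privileges for r in grants[p])
            hits.append((rule.name, involved))
    return hits


def find_conflicts(assignments: Dict[str, Set[str]],
                   mitigations: Set[Tuple[str, str]]) -> List[Conflict]:
    """Detective check: every (user, rule) violation across all assignments.

    Mitigated conflicts are kept and flagged rather than dropped, so the
    unmitigated set stays visible to reviewers.
    """
    found: List[Conflict] = []
    for user, roles in sorted(assignments.items()):
        for rule_name, involved in violated_rules(roles):
            found.append(Conflict(user, rule_name, involved, (user, rule_name) in mitigations))
    return found


def unmitigated(conflicts: List[Conflict]) -> List[Conflict]:
    return [c for c in conflicts if not c.mitigated]


def would_conflict(current_roles: Set[str], new_role: str) -> List[str]:
    """Preventive check: rules that granting `new_role` would newly violate."""
    before = {name for name, _ in violated_rules(current_roles)}
    after = {name for name, _ in violated_rules(current_roles | {new_role})}
    return sorted(after - before)


# Constructed sample data: user -> assigned roles, plus documented mitigations.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob": {"TREASURY"},
    "carol": {"PROCUREMENT"},
    "dave": {"AP_CLERK", "READ_ONLY"},
}
SAMPLE_MITIGATIONS: Set[Tuple[str, str]] = {("carol", "po-create-vs-approve")}

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_MITIGATIONS):
        state = "mitigated" if c.mitigated else "UNMITIGATED"
        print(f"{c.user:6} {c.rule:28} via {sorted(c.roles)} [{state}]")
    print("granting TREASURY to dave would violate:",
          would_conflict(SAMPLE_ASSIGNMENTS["dave"], "TREASURY"))
```

The preventive check is the piece a provisioning workflow would call before a role grant is committed; the detective check is what a periodic review or dashboard would run over the full assignment table.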

Conclusion: Summary and Recommendations

• GRC is not only a wish of the finance department, but spans all business processes and organization units of the company and includes the collaboration with customers and business partners.

• GRC is a joint task of business and IT. The responsibility remains with the company management.

• GRC reaches deep into the company and penetrates it by implementing mechanisms that take effect across all levels, from the strategy to business processes and the application software to the IT platform.

• Oracle offers comprehensive instruments for GRC. However, when deciding which system to buy, costs and actually attainable benefits should be compared with one another.

• Often GRC goals can be achieved with the consistent use of standard instruments:
  − up-to-date business models
  − monitoring of important key figures
  − Business Process and Business Rules Management

Contact Data

Dr. Frank Schoenthaler, Chief Executive Officer

PROMATIS software GmbH
Pforzheimer Str. 160
76275 Ettlingen (Karlsruhe Technology Region)
Germany

Phone +49 7243 2179 0
Fax +49 7243 2179 99
eMail: [email protected]
Web: http://www.promatis.com/