Governance, Risk & Compliance: An Integrated Framework (People, Processes & Platform)

  • Slides: 30

Governance, Risk & Compliance: An Integrated Framework. People, Processes & Platform
Dr Neil Dodgson, Director, Risk and Compliance Solutions, EMEA Financial Services


Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.


Why Bother?


Governance, Risk, and Compliance (GRC) At-a-Glance
Governance
• Set and evaluate organizational performance against objectives
• Authorize business strategy & model to achieve objectives
Culture
• Establish an organizational climate and individual mindset that promotes trust, integrity, and accountability
Risk Management
• Identify, assess, and address potential obstacles to achieving objectives
• Identify / address violation of mandated and voluntary boundaries
Compliance
• Encourage / require compliance with established policies and boundaries
• Detect non-compliance and respond accordingly
Source: Open Compliance and Ethics Group


Good GRC is Good Business: Reputational & Strategic Risk. Executives Seek Returns from GRC Investment
• Share-price performance of companies complying with SOX rules: no control weaknesses in 2004-05, 28%; control weakness in 2004 but none in 2005, 26%; reported control weakness in 2004-05, 6% (Source: Lord & Benoit, 2006)
• Price of a control deficiency for a $1 billion company: $10 million in higher cost of equity capital (Source: University of Wisconsin, 2006)
• Savings on legal liability avoidance from GRC investment: $1 of spending on compliance against $5 of savings on lower legal liability (Source: General Counsel Roundtable, 2006)
• Opportunity cost of siloed GRC (chart: Cost of GRC against number of GRC projects, comparing an ad hoc approach with a platform approach; the difference is labelled "Resources for innovation")


What Are the GRC Management Challenges? Enterprise-Wide Responsibility
Roles on the slide: CEO, CFO / VP of Finance, Chief Compliance Officer (CCO), Chief Risk Officer (CRO), CIO
§ Reducing the total cost of GRC
§ Increasing efficiency & consistency of compliance processes
§ Timely notification of control issues, material weaknesses and violations
§ Accurate & comprehensive information on financial results, compliance and audit
§ Reducing fees & regulatory actions by reducing compliance violations
§ Planning and oversight of compliance management resources
§ Balancing the range of enterprise risks
§ Ensuring business requirements
§ Evaluating technical risk
§ Automating GRC capabilities
§ Reducing organizational cost of risk exposure and cost of mitigation or acceptance
§ Auditable, secure information management
§ Eliminating multiple internal GRC solutions
§ Implementing an IT platform for GRC standardization, simplification & security
§ Identifying and implementing optimal detective & preventive controls


Risk & Compliance Officers: What Keeps You Awake at Night? (slide image labels: Prison, DATA)


GRC Requirements and Complexity Increase Across the Map (map slide; recoverable labels grouped below)
• Regulations: SOX, JSOX, Basel II, IT Governance, HIPAA, GLBA, EU Directives, FDA, …
• Regions: France, China, Canada, Japan, U.K., U.S., Germany, India
• Requirements: Strategic Alignment, Records Retention, Credit Risk Mgmt, Financial Reporting Compliance, Market Risk Mgmt, Data Privacy, Audit Management, Legal Discovery, Workforce Governance, Operational Risk Mgmt, Service Level Compliance, Supply Chain Traceability
• Business functions: Manufacturing, Engineering, Sales & Mktg, Purchasing, Finance, Supply Chain, Suppliers, Customers
• Systems: Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications


Traditional Approach?


Integrated Risk & Compliance Framework
• Capital Management / Basel II / Solvency II / BI Dashboards: Economic Capital, RAPM
• Risk Management: Market, Credit, Operational, HR, ALM
• Learning Management
• Internal Controls & SOX: Loss, RCSA, Process Mapping, Actions, KRI / KCI, Documentation
• Monitoring & Compliance: AML, Fraud, KYC/CDD, MiFID
• Financial Control & Reporting: Core Financials, Budgeting & Planning, BI
• Enterprise Content Management: Records Management, Legal Discovery, Change Management
• COBIT: Security, Identity & Data Management: Encryption, Audit, Master Data, Segregation of Duties, Identity Mgmt, Data Warehousing, BPEL, Workflow Management


Governance, Risk & Compliance: People. Know Your Employee


Foster a Culture of Ethics and Excellence with Workforce Governance
Self-Paced Employee Learning
• Ensure employees understand regulations and policies in the most time- and cost-effective manner
• Prove employee acknowledgment of accountability
• Trust a single source of authoritative information for policy and procedure reference
Central Policy & Procedure Portal


Governance, Risk & Compliance: Processes


A Holistic GRC framework for:
§ SOX requires identification of risks and the management of controls through assessments
§ RCSA / Operational Risk requires the identification of risks and the management of controls through self-assessments
§ MiFID and Reg NMS require client suitability and transaction surveillance
§ AML requires KYC and transaction surveillance
§ Fraud detection requires both transaction monitoring and risk & control self-assessment
A common process understanding for Compliance and Operational Risk would be a first step to GRC convergence


GRC framework: Converging Requirements
• Requirements: AML, MiFID, Reg NMS, KYC, COBIT, Info Security, Audit, Internal Controls, Basel, ORAMA
• Analytics & Reporting; Capital Calculations
• GRC Framework: Attestations, Action Planning, Case Management, Behavior Detection, Controls Testing, RCSA, KRI, Events Management
• GRC Infrastructure: Process Maps, Reference Data, Oversight Library


Recent Incidents and possible lessons learned
• Identifies the need for an independent Compliance monitoring system that can detect suspicious or irregular activity among all trades and orders in the organization
• Identifies the danger of using in-house systems for Compliance monitoring
• Identifies a lack of adequate Surveillance and Behaviour Pattern Detection
• Good Risk management DOES NOT equal good COMPLIANCE
• Identifies an ongoing need for Operational Risk to be more closely monitored and enforced within financial organizations
• Near-real-time alert generation of potentially fraudulent behaviours, irregular behaviours, excessively large positions, and other suspicious patterns
• A holistic view across all areas is required to provide transparency across multiple asset classes and jurisdictions to avoid hidden P&L
• Integrated GRC systems


The Police: Behaviour Detection Platform Overview (platform diagram; recoverable labels: Reports & Analytical Tools, Compliance Monitoring, Data Ingestion, Case Mgmt, Alert Management, Data Model & Behavior Detection; the rotated labels on the diagram are not recoverable)


BEHAVIOR DETECTION PLATFORM: ENTERPRISE SURVEILLANCE (diagram; recoverable labels grouped below)
• Behavior Detection Engines: Fraud and Identity Theft, Trading Compl., Op. Risk Key Indicators, AML, Broker Surveillance, Investment Manager Surveillance, Customer Cross Sales, Best Ex, Cust Suitabi.
• Scenarios (300+): High Risk Instructions, Jrnls Btwn Unrel., Trading Ahead, Abusive Squeezes, ATM Fraud, Parking, Painting the Tape, Insider Trading, Sanctions List, High Risk Geo, Network of Acco, Structuring, Rapid Mvt, Hidden Networks, Possible CTR, Change In Behaviour, Price Improvement, Wash Trades
• Platform components: Financial Services Data Model (FSDM), Workflow Manager, Scenario Development Toolkit, Data Ingestion
• Business lines: Global Corresp., Global Retail, Private Banking, Global Fixed Income, Global Capital Markets, MBS, Retail Brokerage, Asset Mgmt, Global Instl., Liquidity, Wholesale Brokerage
One Implementation Solves Many Problems: integrated behavior detection solution


Enterprise Risk, Compliance & Performance Management (components: Databases, BI Dashboards, Analytics Server, Profitability / Risk Engine, Data Warehouse)
Managing Risk, Performance & Profitability Across the Enterprise
• Profitability: Multi Dimensional Profitability; Customer Profitability Available to Front Office; Product and Branch Profitability; Activity Based Costing; Transfer Pricing
• Performance: Planning & Budgeting; Performance Scorecards; Operational Cost Analysis; Risk Adjusted Performance Mgmt
• Risk Management: Risk Assessment / Quantification; Credit, Market & Operational Risk; Complete & Transparent Audit Trail; Asset/Liability Mgmt
• Compliance: Regulatory Compliance; Basel II; SOX; Anti-Money Laundering; Regulatory Reporting; Internal Controls Manager


COMPANY OVERVIEW
• Fifth largest bank holding company in the US, based on assets under mgmt
• Third-largest U.S. full-service brokerage firm, based on client assets under mgmt
• $700 million in managed assets
• 110,000 employees
CHALLENGES / OPPORTUNITIES
• Lack of a centralized view of Investment Bank Deposits, Loans, Product Fees, and Sales
• GRC-related data from multiple, non-integrated data sources & applications
• Time-consuming and labor-intensive core data management
• Poor data quality and inadequate user satisfaction
SOLUTIONS
• Business Intelligence (Analytics)
• Reveleus Basel II
CUSTOMER PERSPECTIVE
"We have been extremely impressed with the ability to bring data together from disparate sources and make it easy to access and leverage across the organization." Brian Collins, Technical Sponsor
RESULTS
• Delivered role-based access to multiple data sources for Fixed Income, Treasury, and Investment Banking in 100 days
• Provided over 300 key performance, risk and compliance metrics on a consolidated, real-time dashboard
• Saved up to 80 hours each month with Automated Variance Analysis
• Expects to increase cross-sell and up-sell revenue by 75%


Customer Example: Tier 2 Regional Bank, within US Top 25, 321 branches
Executive Dashboard (Scorecard, Products, RAROC, Top/Bottom Profitability Reporting, Transactions)
Role-based dashboards driving insight from robust, detailed account-level data containing statistical information, revenue, expense and derived calculations from a single source



Liquidity Risk Analytics


Compliance Alerts: Fraud, Rogue Trader, Market Abuse, AML


Governance, Risk & Compliance: Platform


Richard Thomas, Information Commissioner's Office: "Business and public sector leaders must take their data protection obligations more seriously… privacy must be given more priority in every UK boardroom. Organisations that fail to process personal information in line with the Principles of the Data Protection Act not only risk enforcement action by the ICO, they also risk losing the trust of their customers."
How can laptops holding details of customer accounts be used away from the office without strong encryption?
How can millions of store cards fall into the wrong hands?
How can online recruitment allow applicants to see each other's forms?
How can any bank chief executive face customers and shareholders and admit that loan rejections, health insurance applications, credit cards and bank statements can be found, unsecured, in non-confidential waste bags?


Information Risk Continues Unabated: Information Security Becomes Part of Overarching GRC Strategy
50% of 1,000 executives polled said information technology is the most challenging area in achieving Sarbanes-Oxley 404 compliance (Source: KPMG 404 Institute, 2006)


Key GRC Foundation Components
• Data Classification, Categorisation & Security
  – How customers use Oracle Label Security to assign and protect sensitive or high-risk data categories
  – How this can be extended to cater for non-Oracle structured data
• Identity & Access Management
  – How customers use Oracle Identity Manager, Oracle Access Manager, Oracle Risk Based Authentication and Oracle Role Manager to attest, manage, control, provision and de-provision access to systems and data
• Segregation of Duties Controls
  – How customers use Oracle Database Vault to protect high-risk data from the insider threat
• Audit Controls
  – How customers use Oracle Audit Vault to 'trust but verify' access and changes to key data items


Integrated Risk & Compliance Framework
• Capital Management / Basel II / Solvency II / BI Dashboards: Economic Capital, RAPM
• Risk Management: Market, Credit, Operational, HR, ALM
• Learning Management
• Internal Controls & SOX: Loss, RCSA, Process Mapping, Actions, KRI / KCI, Documentation
• Monitoring & Compliance: AML, Fraud, KYC/CDD, Trading
• Financial Control & Reporting: Core Financials, Budgeting & Planning, BI
• Enterprise Content Management: Records Management, Legal Discovery, Change Management
• COBIT: Security, Identity & Data Management: Encryption, Audit, Master Data, Segregation of Duties, Identity Mgmt, Data Vault, BPEL, Workflow Management


C Level Objective