
NASACT Grants Management: Are States Ready to Manage More Federal Grant Funds? March 2, 2010.

Date post: 27-Mar-2015
Upload: amia-dolan

Agenda

• Oracle: Did you know?

• What is “G-R-C”?

• GRC Offering

• Benefits

• Key Take-Aways


Oracle


Did you know?

• #1 in North America

• #1 in HR

• #1 in Public Sector Globally

• Project “Oracle”, 1977

• Longest running relationship with government of any software vendor

Scale

• $22.4 in revenue for FY 08

• 320,000 customers in 145 countries

• 92,000 employees (1 in 3 joined from acquisitions)

Innovation and Investment

• Over 3,000 products with over 2,000 patents

• $3b R&D

• 20,000+ developers, running over 300,000 test scripts nightly

• 6,500 customer-driven enhancements yearly

• 1 million students supported

• 7,500 customer support specialists speaking 27 languages

• 20,000+ implementation consultants


What is “G-R-C”?

Creating Public Trust: GRC in the Public Sector

[Diagram labels: Integrity, Governance, Risk, Compliance]

Governance + Risk Management + Compliance = Integrity

equates to

Structures + Threat Mitigation + Proofing = Public Trust

Reducing Fraud in Government

[Diagram: Fraud Triangle with the legs Motivation, Rationalization and Opportunity around FRAUD; additional labels: Human Performance Improvement, Kohlberg Moral Stages, GRC]

• As much as 7% of annual budget*

• That is $70m per billion of budget

• Need to break one leg of the triangle

• Motivation and Opportunity easiest to address

• Rationalization may be impossible to manage

* Pednault, S. (2009). Fraud 101: Techniques and Strategies for Understanding Fraud, 3rd ed. Hoboken, NJ: John Wiley & Sons, p. xi.

Risk-Controls Relationships

[Figure: matrix of Risk (Yes/No) against Controls (Yes/No); cell labels: Correct Outcome, Correct Outcome, Possible Loss, Possible Waste]


Oracle’s GRC Offering

Oracle GRC Applications Suite Benefits

[Diagram: Oracle GRC Applications Suite. GRC Intelligence: Reports, Dashboards, Alerts, Key Risk & Control Indicators. GRC Manager: Risks, Assessments, Issues, Processes, Policies, Procedures, Remediation. GRC Controls Management: Access Controls, Configuration Controls, Transaction Controls, Preventive Controls, over Applications and Infrastructure. Column labels: Financial Compliance; IT Governance; Regulatory Policy Mgmt; Information Privacy; Environmental; Product Quality & Safety; Global Trade Mgmt; Financial Services. Business areas: Customers, Suppliers, Sales, Legal, HR, Finance.]

GRC Intelligence

“If only we had a dashboard that could highlight real time application access and / or transactional risk…”

• Pre-built role-based Dashboards & KPI's

• Tailored diagnostics for all GRC initiatives

• Processes / Controls

• Documents

• Certification

• Assessments & Test Results

• Single source of GRC information across orgs and locations

Oracle GRC Applications Suite Benefits

GRC Manager

“We can’t manage nor have the visibility of all the GRC initiatives across the enterprise….”

• End-to-End GRC business process

• Reduce cost and complexity by managing multiple global mandates with one system

• Rely on tamper proof chain of evidence for all financial compliance processes

• Align policies and processes with best practice risk and control frameworks

Multiple hierarchies exist to represent frameworks, business models and financial structures.

Relationships are managed from the hierarchy down to the objectives, risks and controls in a many-to-many structure.

Oracle GRC workflow automatically generates emails that notify compliance staff of action items.

These emails link the user directly back to Oracle GRC Manager with a single mouse click.

Easy-to-use testing screens allow conclusions and supporting comments to be recorded.

Track issues until they are closed, with immediate access to who is currently tasked and how long they have been working on it.

Oracle GRC Applications Suite Benefits

Access Controls

“The SOD process is very manually intensive and only covers a fraction of the application landscape”

• Best practice SOD Library

• Cross Application SOD Enablement

• Real-time Simulation & Remediation

• Preventive User Provisioning

• Library of prepackaged reports

• Accelerates role design and implementation

Oracle GRC Applications Suite Benefits

Configuration Controls

“If only we had a dashboard that could highlight real time application access and / or transactional risk…”

• Ease of deploying change management controls

• Enable risk management controls by enforcing policy procedures within the application

• Increase confidence in the management of data integrity.

• Repository of audit trails in change management reports

• Increase business confidence in efficiency and data integrity of the system.

Oracle GRC Applications Suite Benefits

Transaction Controls

“We currently manage this on an ad-hoc basis that is manual and often error prone”

• Easy to use interface to manage threshold values and generate parameterized reports across multiple applications

• Readily available audit reports of suspicious activities

• Workflow enabled process to distribute suspicious activities to key personnel for action / remediation

Oracle GRC Applications Suite Benefits

Preventive Controls

“We need to move from manual controls to automated controls…”

• Automate & Streamline manual controls to become part of the transactional process

• Enforce and report data security and valid change management

• Audit

• Audit & Workflow Notifications

• Audit & Workflow Approvals


Oracle GRC Benefits

5 Key Areas Where GRC Can Reduce Risks and Costs

Activity: SOD Analysis

Benefits:

• Industry proven, best practices policies

• Library of prepackaged reports

• Accelerates role design and implementation

• Run test cases and what-if analysis

Value Impact: 20-35% reduction in cost of on-going SOD auditing and monitoring

Activity: Automated Preventive Controls

Benefits:

• Enforce preventive controls for data integrity and access security

• Ease of creating workflow processes for Approval and notification

• Library of best practices prepackaged controls

Value Impact: 15-25% reduction in cost for IT to create and implement automated controls

Activity: Configuration & Change Management

Benefits:

• Ease of deploying change management controls

• Enforce policy procedures within the application

• Increase confidence of data integrity

Value Impact: 20-30% reduction in audit and compliance testing cost related to configuration change management

Activity: Transaction Monitoring

Benefits:

• Manage & report suspect records across multiple applications

• Readily available audit reports

• Automated distribution of suspect records for review & remediation

Value Impact: 20% reduction in audit and compliance costs related to investigation of transactions and fraud controls

Activity: Governance & Compliance Visibility

Benefits:

• Capture internal and external performance metrics quickly & accurately

• Fact-based continuous improvement

Value Impact: 10-40% reduction in costs of proving risk and compliance effectiveness across the enterprise

SOD = Segregation of Duties

Cost Benefit Analysis: Relative Impacts

Audit cost savings

Fraud Prevention

Mission Enhancement


Key Take-aways

GRC Suite:

• Demonstrates accountability

• Increases public trust

• Lowers costs of audits

• Provides integrity

• Prevents waste, fraud, and abuse

How?

• Library of prepackaged controls based on best practices

• Single source of truth for all documentation that will be audited

• Flexible reporting tool that can generate dashboards, alerts, and printed reports


Contact Information

Cindy Schwimer

Executive Director, Public Sector Solutions


Voice: 703-364-3104

Adam Schwartz

GRC Specialist


Voice: 860-817-9403

