Planning and visual control systems for companies

Anuncio
Planning and visual control systems for
companies with risk processes
Rosa Ana Doniz Campos and Manuel Pérez Cota
Escuela Superior Ingenieria Informatica, Universidad de Vigo
Campus Universitario As Lagoas s/n 32004 Ourense, Spain
rdcampos@correo.ei.uvigo.com
http://www.uvigo.es/
Abstract. This paper tries to do a baseline assessment of the systems
used in large enterprises for planning and visual control of risk processes.
In addition, it tries to find out the expectations for the future that these
systems are having on the so-called business intelligence. It specifies how
business intelligence through Governance, Risk and Compliance (GRC)
allows a more adequate planning and control decision-making in current
systems in companies with large volumes of data.
Keywords: business intelligence, risk management, decision making,information,
knowledge, decision, BI tools, strategic planning, GRC
Resumen
En este trabajo se trata de hacer una evaluación inicial de los sistemas utilizados
en las grandes empresas para la planificación y el control visual de procesos de
riesgo. Además, se intenta averiguar las expectativas para el futuro que estos
sistemas están teniendo en la llamada inteligencia de negocios. En él se especifica
cómo la inteligencia de negocios a través de Gobierno, Riesgo y Cumplimiento
permite una planificación más adecuada y control de la toma de decisiones en
los sistemas actuales en las empresas con grandes volúmenes de datos.
Integración de Business Intelligence y Gobierno, Riesgo y
Cumplimiento (GRC)
En la última década, la influencia de la crisis mundial ha provocado la globalización y el aumento de la competitividad entre las empresa. Además de esto,
las empresas privadas y las agencias públicas se enfrentan cada vez con más
regulaciones y estándares que cumplir. Consecuentemente surgió la necesidad de
gestionar estas medidas y a partir de ahı́ nacieron las soluciones “Governance,
Risk and Compliance” o simplemente GRC.
Open Compliance and Ethics Group’s (OCEG’s) define GRC como un sistema “de personas, procesos y tecnologı́a que permite a una organización: 1)
Comprender y priorizar las expectativas de los accionistas. 2) Establecer los objetivos de negocio que sean congruentes con los valores y los riesgos. 3) Alcanzar
2
Planning and visual control systems for companies with risk processes
los objetivos y optimizar el perfil de riesgos y la proteccin de valor. 4) Operar
dentro de los lı́mites legales, contractuales, internos, sociales y éticos. 5) Proporcionar información relevante, confiable y oportuna a las partes interesadas
pertinentes. 6) Permitir la medición del desempeño y eficacia del sistema”.
Si además estos sistemas se integran con la llamada inteligencia de negocio
(BI) se mejorarı́a considerablemente la toma de decisiones, la medición del desempeño de los diferentes procesos que tienen lugar en la empresa y una visión
clara de los riesgos que puedan surgir o que puede implicar correrlos. Además,
utilizando información actual e histórica, nos permitirı́a hacer una predicción
de lo que podrı́a suceder en el futuro. De hecho, la gestión de riesgos no puede
funcionar bien sin BI.
Hay métricas que nos permiten conocer como de arriesgado es una actividad.
Estas métricas son los key risk indicators (KRIs), estos nos indican la probabilidad de que alguna actividad impacte negativamente en la empresa. Este
concepto no se debe confundir con los key performance indicators (KPIs), ya
que estos nos indican el rendimiento o como de bien se está haciendo algo.
Un artı́culo publicado recientemente por Gartner Inc sitúa a IBM, Microsoft,
Oracle Corp and SAP AG como los mejores vendedores de software en 2010.
Estas compañı́as recientemente han adquirido o han propuesto implementaciones
propias muy amplias y con BI integrado como soluciones GRC, a excepción de
Microsoft que presenta una solución que a dı́a de hoy carece de competitividad
en el mercado actual de software GRC.
En este artı́culo se explican las arquitecturas de IBM Openpages, GRC Oracle
Suite y SAP BusinessObjects GRC 10.0 y se hace una comparativa entre ellas.
Plataformas
SAP ha sacado su última versión en este año 2011. Se puede decir que se ha
realizado una perfecta integración de la gestión de riesgos en los procesos de
negocio y en la toma de decisiones. Además se ha unificado el look and feel de
los tres modulos principales que son SAP BO Access Control, Process Control y
Risk Management que en las versiones anteriores era un poco inconsistente. La
solución realiza una monitorización continua de todos los controles, en concreto
de las “Segregation of Duties”.
SAP dispone de módulos especializados en medio ambiente, salud y seguridad
(EH&S), y también para el cumplimiento de las regulaciones para el comercio
interior y exterior (importaciones y exportaciones). Tiene partners especializados en proveer soluciones de industria tales como Novell, CA, Greenlight and
SenSage.
Esta nueva versión de la solución GRC todavı́a no está demasiado extendida
debido a su reciente liberación. SAP esta presente y da soporte en todo el mundo.
Oracle hace énfasis en la integración de su plataforma GRC con Hyperion Financial Manager y con Enterprise Performance Management. Otra caracterı́stica
es que la plataforma GRC muchas veces va incluida con la venta de su ERP.
Planning and visual control systems for companies with risk processes
3
Además esta desarrollando un gran número de productos relacionados con GRC
pero no está muy claro cual es el enfoque que van a seguir en el futuro. Los
puntos fuertes de Oracle son la gestión de riesgos y de polı́ticas. Utiliza métodos
cualitativos mediante simulación con el método de Montecarlo y cuantitativos
para la gestión de riesgos. El aspecto visual está muy bien y muy claro para
usuarios experimentados pero resulta difı́cil de utilizar para usuarios nuevos o
menos experimentados.
Esta solución de Oracle ha experimentado una fuerte subida en el mercado
desde 2009. Pasando de no ser prácticamente competitivo en este terreno a estar
entre los mejores y mayores vendedores de este tipo de software. A dı́a de hoy
está presente y da soporte en todo el mundo.
IBM OpenPages tiene todas las funciones básicas, y además cuenta con un
buen soporte para la gestión de riesgos empresariales y operacionales. IBM OpenPages ha desarrollado una solución sólida y ha sido el punto de referencia para
que muchos competidores midan su propio progreso. Esta solución se centra en
la mejora de informes de KPI y KRI, añadir contenido y la integración de IBM’s
Finance y la solución integrada de gestión de riesgos. Cabe destacar el módulo
de OpenPages IT GRC, ya que SAP y Oracle no tienen ningn módulo especı́fico
para IT GRC. Está orientado a la banca, seguros, mercados energéticos y empresas de servicio público, con capacidades especı́ficas de la industria. Permite
realizar un análisis excelente de eventos de pérdidas bancarias. Sólo está presente
en norte América y Europa.
1
Introduction
In the last decade, the influence of the global crisis in the financial environment and the globalization of markets have enhanced the competitiveness of
enterprises. Nowadays, these cause that risk management and business intelligent (BI) form a fundamental part of a company’s decision making and strategic
planning. Business Intelligent strategies was created to address the issues to and
to help to convert business investments to real business value [18].
Increasingly, big private companies and public agencies, they face greater
regulations and standards to be met, which are defined internally (partners,
shareholders or directors) or externally (by governments, agencies regulators,
financial institutions, etc.) such as Sarbanes-Oxley-Act of 2002, HIPAA, PCIDSS, ISO 27001, LOPD or Basel II. It is difficult to take these measures and the
danger involved with the failure to comply with this regulations. The traditional
tools dont help to incorporate these measures in their daily management. To
address these needs we have solutions called ”Governance, Risk and Compliance”
or simply GRC. Approximately there are about 64 vendors of GRC over the
world.
A widely accepted definition of governance risk and compliance was published
for Open Compliance and Ethics Group’s (OCEG’s) defines GRC as a “system
of people, processes, and technology that enables an organization to:
4
Planning and visual control systems for companies with risk processes
–
–
–
–
–
Understand and prioritize stakeholder expectations.
Set business objectives that are congruent with values and risks
Achieve objectives while optimizing risks profile and protecting value.
Operate within legal, contractual, internal, social, and ethical boundaries
Provide relevant, reliable, and timely information to appropriate stakeholders.
– Enable the measurement of the performance and effectiveness of the system”
[5].
Governance describes the overall processes through which a companys boards,
its shareholders and other stakeholders direct and control the entire organization
with effectiveness, efficiency, transparency and respect for the law.
In these processes they set the objectives for an organization and oversee
progress toward those objectives using a combination of management information and hierarchical management control structures. Corporate governance activities provide the most complete, accurate and timely information to the executive team for decision making [15].
Risk management is defined by the Committee of Sponsor in Organizations of
the Treadway Commission (COSO) as “a process, effected by an entity’s board of
directors, management and other personnel, applied to identify potential events
that may affect the entity, and manage risks to be within its risk appetite, to
provide reasonable assurance regarding the achievement of objectives” [24].
Compliance means conforming to stated requirements. At an organizational
level, it is achieved through management processes which identify the applicable
requirements (defined for example in laws, regulations, contracts, strategies and
policies), assess the state of compliance, assess the risks and potential costs of
non-compliance against the projected expenses to achieve compliance, and hence
prioritize, fund and initiate any corrective actions deemed necessary.
Business intelligence (BI) is about showing important and timely data to
the end user for analysis and helping him to decide what action must perform
[25]. BI allows making decisions, measuring the performance of the different
processes that take place in the company and a clear view of the risks that may
arise or which may involve running. Furthermore, using current and historical
information, it allows predictive analysis of what can happen in the future.
The decision to be taken determines what data is needed. In the other direction, from information in the data, knowledge comes (Fig. 1). Then knowledge
is the basis for decisions that may be accurate or not depending on the wealth
of information.
Fig. 1. Decision determines data
Planning and visual control systems for companies with risk processes
5
Data mining allows the implementation of business intelligence through the
extraction of knowledge from simulations and identifying the relationships between the business variables. This provides the decision-makers have better information to open new fields of business, investment and formulate new strategies
[2].
To get the really useful business intelligence, decision-makers at all levels
must communicate what the needs are and direct the process value-added that
creates BI systems. BI and risk management are closely linked in the sense
that it can provide a high level of transparency, so that executives who make
decisions can have an overview of all categories of risk and thus improve the
overall performance business.
Risk management can not work effectively without BI. BI infrastructure
within an organization needed to collect and analyze data in a very detailed
level, and from there, use the information gathered for decision making. The advantages of using BI on risk management systems are represented in four points.
The first point is the identification and elimination of risk factors within the
organization. The second advantage is to consider opportunities of business taking risky strategies, for instance, new products, new investments or acquisitions.
The third point is the assessment of potential risks to advance the company’s
strategic direction and new initiatives. Finally, the forth point is the application of the analysis in risk management to global business framework to provide
decision-makers executives with a clear vision not only risks but also where there
is an opportunity to take strategic risks to make better business decisions.
One of the advantages of GRC is to identify risk factors that may compromise
the continuity of an organization, a task that could be implemented with the
involvement of people with heterogeneous perspectives and the help of specialized
tools as a platform GRC. There are metrics that allow us to know as a risky
activity. These metrics are the Key Risk Indicators (KRIs), these indicate the
possibility of activities that may negatively impact the company. This concept
should not be confused with the key performance indicators (KPIs), as these
indicate the performance or how well they are doing something.
According to PriceWaterhouseCoopers “The compliance and risk landscape
is continually changing. To remain competitive, companies must have in place
a governance, risk management and compliance strategy that keeps pace with
new laws, regulations and stakeholder expectations. An effective strategy can
positively impact shareholder value and empower organizations to:
– Improve strategic business decisions by clearly defining associated risks and
opportunities
– Minimize operational surprises with more proactive and effective monitoring
– Protect and enhance reputation and brand by capitalizing on business opportunities while reducing the likelihood of negative events
– Increase organizational efficiency
– Avoid fines, penalties and damage to reputation” [1].
Gartner Inc published recently an article which places IBM, Microsoft, Oracle Corp. and SAP AG as the best four business intelligence vendors, owning
6
Planning and visual control systems for companies with risk processes
two-thirds of the $6 billion BI market because they have optimized their BI platforms to work well with their respective enterprise and information management
applications. These companies have recently acquired or proposed implementations of GRC solutions with integrated BI, except Microsoft that presents a
solution that today lacks competitiveness in the GRC software market today. A
good starting point could be an analysis of what GRC software SAP, Oracle and
IBM have.
Therefore this research was fulfilled in order to compare GRC Software of
these important BI vendors, how much are GRC and BI integrated and what is
expected in the future of these systems.
2
The methodological framework and state of the art
The methodology applied in this research consists of three stages. It is important to emphasize those analysts who assess software quality, and GRC software
vendors dont define GRC as it is defined by the OCEG. No single vendor has a
solution that integrates every GRC processes on a common platform. Because
GRC has so many different definitions, first we reviewed the most recognized
explanation about what are the processes and functions GRC must comply. Secondly, we analyze three of the big four BI vendors GRC software (SAP, Oracle
and IBM) and the integration with the BI solutions that this companies have.
In a third stage, a comparison between them is done and what is expected in
the future.
3
Prior research
Some research has been carried out by several leading independent research firms
such as Gartner, Forrester Research and AMR Research, and by the Open Ethics
and Compliance Group(OCEG).
Forrester published ‘The Forrester Wave: Enterprise Governance, Risk, And
Compliance Platforms, Q3 2009” [17]. This study evaluated 14 enterprise GRC
platform vendors using 80 criteria. The evaluation shows that AXENTIS, BWise,
MetricStream, OpenPages, and Thomson Reuters are leaders. Archer, Cura,
MEGA, Methodware, Protiviti, and Strategic Thought are strong performers.
SAI Global, SAP, and Trintech are contenders. The result can be seen in figure
2.
Another research is Gartner Magic Quadrant for Enterprise Governance, Risk
and Compliance Platforms, 2010. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. This report is published
yearly (Fig. 3).
As far as research on integrated GRC software is concerned, Racz et al conducted “Governance, Risk & Compliance (GRC) Status Quo and Software Use:
Results from a Survey among Large Enterprises”. This reseabrch evaluates how
integrated GRC and GRC software are perceived and applied in large enterprises.
Planning and visual control systems for companies with risk processes
7
Fig. 2. Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q3
’09.
Fig. 3. Gartner Magic Quadrant for EGRC Platforms, 2010
8
Planning and visual control systems for companies with risk processes
The results reveal that some organizations have deployed integrated GRC software that helps leverage the benefits of GRC. But on the other hand, solutions
developed in-house are more often used than standard solutions. Racz et al.
write another article “Governance, Risk & Compliance (GRC) Software An
Exploratory Study of Software Vendor and Market Research Perspectives” that
says through a survey among GRC software vendors that they share a common
basis in their GRC understanding but they deliver diverse functionality. The
products technology architectures mainly differ in their degree of integration.
Finally, none of them explain the GRC architecture and GRC solutions some
of the big four BI vendors such as SAP, Oracle and IBM, and the integration
with the BI solutions.
4
4.1
The original contribution
Governance, Risk and compliance
Nowadays there are various definitions of what GRM is and what are the processes and functions that should be included in GRC.
The definition given by the OCEG is one of the most complete and clear.
Moreover, its credibility is higher since it has not been developed only by software
vendors, but also by experts in risk, compliance, legal and internal audit and
other members of the OCEG.
OCEG recommends that GRC applications fulfill a list of processes and functions. The recommended processes are executed by different people in different
departments. GRC processes ranging from board management, through strategy
settings, business performance management or audit to IT security. In the following table 1 the processes are named and related with the people who should
execute them [5].
Importantly, no software vendor has implemented their solution in all processes and functions defined in OCEG. Normally, these have built a few, so it is
important before purchasing any of the software, make a study of what is needed
for each company.
In the following sections, it is described how SAP, ORACLE and IBM have
implemented their solutions.
4.2
SAP BusinessObjects GRC 10.0
SAP GRC 10.0 is today the proposal to the GRC business philosophy. It is
part of SAP BusinessObjects (Fig. 4). The new version has a user interface
common to Risk Management, Access Control and Process Control, GRC suite
applications. SAP Access Control, Risk Management, Process Control processes
applications share data and specifications for different industries and business
lines. It allows reporting from SAP GRC components, using Crystal Reports and
Xcelsius visualizations and also has graphical tools to define and inventory risks.
The new capabilities make the use of the GRC platform is much easier by getting
Planning and visual control systems for companies with risk processes
9
Table 1. List of processes and functions defined by OCEG
Recommended Processes
Executed by
Governance
The board of director, corporate secretaryand governance
professionals including boardmanagement
Strategy and business per- Chief Executive Officer (CEO) or “c-suite”
formance management
Risk management
Chief Risk Officer (CRO), business line and other executives
Audit
Chief Audit Executives, internal audit, audit committee
and external auditors
Legal
The general counsel and legal staff
Compliance
The general counsel, chief compliance and ethics officer,
compliance professionals and other legal staff
Information Technology
Chief Information Officer (CIO), privacy officer and /or
security officer
Ethics & Corporate Social Chief Ethics Officer and Chief Responsibility Officer
Responsibility
Quality Management
Quality professionals throughout the Organization
Human Capital & Culture
Human resource professionals and organizational design
and development professionals
10
Planning and visual control systems for companies with risk processes
all staff to pay attention to the risks facing the company, without specialized
knowledge. It is note worthy that by integrating GRC activities within the major
business processes and applications, executives have the opportunity to manage
their business in a proactive and strategic, rather than reactively, ie full-scale
BI. With this release, SAP has taken a major step forward [13, 16].
Fig. 4. SAP Bussiness Objects
The components of SAP Business Objects GRC 10.0 are: Risk Management,
Access Control, Process Control, Global Trade Services, Environment, Health
and Safety Management and Sustainability Performance Management.
SAP BO Risk Management helps to identify risks in the company and
allows the implementation of mitigation strategies (Fig. 5). It includes four areas
that allow enterprises to manage risk activities: [20] 1) Plan: This phase is used
to scope activities, decide about risk scope and establish the risk tolerance and
map risks to the business. 2) Identify and Analyze: This stage sets up the key risk
indicators (KRIs). 3) Respond: In this phase, appropriate responses or controls
are documented or identified to avoid, mitigate, transfer or prevent risks. 4)
Monitor: enterprises should always monitor the response effectiveness to the
risks and control risk level given by the KRIs.
SAP BO GRC Access Control facilitates the separation of functions and
helps companies decide which users can access them .Standards and regulations
worldwide require compliance with access and authorization measures. This tool
gives the following functionality: 1) Prevent unauthorized access: identifying and
monitoring the assignments of permits and risk authoritation. It controls the use
of permissions of type superuser. 2) Minimize the time and cost of access risk
management: Automatic removal of access and authorization risk identified in
the rules defined. Enforce segregation of duties across applications and business
units. 3) Achieve real- time visibility into access risk: Provides a set of reports
on key risk indicators.
SAP BusinessObjects Process Control creates new controls, changes
the rules and automates workflows related to risk and compliance (Fig. 6). It
Planning and visual control systems for companies with risk processes
11
Fig. 5. SAP Bussiness Objects Risk Management
is the software solution for compliance and policy management [3]. It has an
automated rules framework. This application allows cross-system visibility and
a unified repository of compliance information for managing multiple initiatives
efficiently.
Fig. 6. SAP BusinessObjects Process Control
SAP Business Object Global Trade Services (SAP GTS) [22] automates global trade processes. To understand the state and the logistics supply
chain and order status such as service providers and customers, both imports
and imports, thus avoiding unnecessary costs for delays. It also helps to Comply
with Regulations Legal changing.
12
Planning and visual control systems for companies with risk processes
For example, if a vice president of supply chain wants to improve distribution
efficiency, these solutions can be used to establish key risk indicators (KPIs) are
quantifiable and measure and monitor aspects of the order to help ensure that
deadlines are met. These KPIs quantifiable estimate the financial impact that
may have different risk factors, showing executives how those vulnerabilities can
affect its business lower.
SAP Business Object Environment, Health and Safety (SAP EHS)
[23] helps customers comply proactively and automatically all EHS requirements
and policies applicable corporate sustainability in its various business operations.
At the same time, SAP EHS Management can work with third-party solutions,
despite being integrated into SAP Business Suite.
SAP Business Object Sustainability Performance Management (SAP
SPM) helps businesses to manage and monitor their strategic goals of sustainability. This software is designed to integrate with different SAP and non SAP
solutions or to work independently. Its main objective is to facilitate users reporting either an externally and internally. Users have a central library of KPIs,
where they can choose from a variety of metrics that best meet their needs, and
also can create and update their own KPIs that will allow.
4.3
Oracle GRC Applications Suite
Oracle proposes a GRC solution integrated by business intelligence, process management, and automated controls enforcement to enable sustainable risk and
compliance management (Fig. 7). There are 3 major components or layers. Oracle GRC product suite is formed by GRC Intelligence, GRC Manager and GRC
Controls. The controls are represented in the following modules AACG (Application Access Control Governor), CCG (Change Control Governor), TCG
(Transaction Control Governor) and PCG (Preventive Control governor). They
can be acquired as a complete suite or as individual modules [19].
Oracle’s Governance, Risk and Compliance Suite was born in Applimation,
a NYC based company with the initial named as Integra Apps. It was formed by
4 modules: Apps, Access, Transaction and Codebase. This company was bought
by another company, Logical Apps in Feb 2007. Shortly after, this was bought
by Oracle in Oct, 2007 and this product has been rechristened under Oracle’s
Governance, Risk and Compliance Suite. In the following paragraphs it will be
the main components of the Oracle GRC product suite [21]:
GRC Manager: It has a centralized repository for all content related to
GRC, in addition to workflow, evaluation, and management tasks. Features include cross- enterprise, risk-based trending, analysis, simulation, mitigation and
treatment capabilities. It is based on Java EE and it is platform independent. It
can manage multiple regulations and it covers the integral process management.
GRC Intelligence: [12] Integrates interactive role-based dashboards, full ad
hoc query and analysis, and proactive intelligence for GRC and visibility across
GRC initiatives and applications. This solution is built on Oracle’s industryleading BI foundation and it is based on business intelligence technology from
Planning and visual control systems for companies with risk processes
13
Fig. 7. Oracle GRC Application Suite
Siebel. This enables users at all levels to have crucial information to meet regulatory compliance requirements and effectively manage risk. The solution is able
pre-built dashboards with information of GRC and performance from all sources.
KRI and responses to the issues can be visualized. It is totally configurable to
meet the specific needs.
Oracle GRC Applications Controls arose from the need of ensures confidentiality, integrity, timeless and security of sensitive data mandate by various
regulations. The key mechanisms followed are preventive and detective controls,
what-if risk simulations and automated controls testing.
Firstly, many applications built their own mechanisms into individual applications but these often prevent from centralized and automated security controls.
That is the reason for the needed of these controls. The controls are described
more specifically below.
Oracle Application Access Controls Governor (AACG) uses graphical modeling tools to look into access points, detect SOD (Segregation of Duties)
conflicts, and evaluate treatment options. The graphics are designed to provide
real-time monitoring of SOD controls and make it easy for managers to preview
the issues and advise on the best remediation, performing what-if analysis for
proposed changes to access rights.
Oracle Configuration Controls Governor (CCG) provides a changes
tracking in real-time of key controls of Oracle. It lets view and compare to determine what is different when a problem occurs. Monitor consistency of controls
across Instances, Versions, Points in Time, Operating Units and Sets of Books
and actively enforces change controls on key setups based on policies and best
practices. It also creates snapshots which automate time-stamped documentation of key controls across all Oracle Applications modules.
14
Planning and visual control systems for companies with risk processes
Oracle Transaction Controls Governor (TCG) is the software solution for compliance and policy management. It is formed by algorithms and
pattern analysis that automatically analyze transactions for anomalies with internal policies, which might be signs of fraud, regulatory-compliance fails, or
errors that could result in significant cash leakage. It allows seeing problems to
prevent heavy losses, and limiting exposure to fraud and waste, and reduce the
time and cost of errors and repairs, prevent worsening of the risk and optimize
business performance. It is continuously monitoring accuracy of transactions,
testing against thresholds and searching for anomalies.
Oracle Preventive Control Governor (PCG) works with the other modules in the Oracle Governance, Risk and Compliance Suite controls to prevent
unauthorized changes to critical application data and settings of time and enforce policy-real changes at a granular level of applications. Oracle Preventive
Controls Governor provides the simulation of scenarios of SOD mitigating risk of
application changes, as well as monitoring and preventing unauthorized changes
to critical data. These enforce business policy through automated processes.
There are other Oracle IT infrastructure solutions, such as the Oracle Audit
Vault, Oracle Database Vault, Oracle Identity Manager, and the Oracle Enterprise Manager that are compatible with the applications listed above.
4.4
IBM OpenPages
IBM acquired OpenPages in 2010, one of the largest vendors of GRC software,
to further extend the Business Analytics portfolio with a GRC solution.
The OpenPages modules are Financial Controls Management (FCM), Operational Risk Management (ORM), IT Governance (ITM), Policy and Compliance
Management (PCM), and Internal Audit Management (IAM) (Fig. 8).
All the modules share some characteristics. Firstly, they allow sharing a common data repository for content and document management, workflow and reporting infrastructure for all risk and governance related activities. It includes
entities, processes, risks, controls, tests, and test results. Secondly, they provide
dynamic dashboards, charts, and dimensional reporting which give a global view
of the state of risk across the organization. In third place they can be integrated
with Microsoft Office and Smart Phone. And finally, they are 100% configurable
by business users, including forms, workflow, reporting, and system-wide settings.
OpenPages Financial Controls Management(FCM) [8] try to reduce
the costs and complexity of complying with finantial regulations such us SarbanesOxley, Turnbull in the United Kingdom, JSOX in Japan,the Loi de Scurit Financire (LSF) in France, and CSA Notice 52-313 in Canada, etc. It provides
a policy-based way to manage compliance with financial controls through its
key features such as self-assessments, certifications, and compliance automation
by means of automatic notification and tracking of activities such as operating
review, risk assessments, control testing, issue remediation.
FCM gives the functionalities for document management, business performance management and flexible reporting capabilities. It is intended to be used
Planning and visual control systems for companies with risk processes
15
Fig. 8. OpenPages Solution Components
by projects managers, external and internal auditors to document and implement
controls within the company.
OpenPages Internal Audit Management (IAM) [11] is a web based
solution that unifies organizational risk, compliance and internal audit into a
common view, allowing users to manage audits, audit phases and auditor allocations while automating operations. Nowadays, internal audit is evolving from its
traditional view of policy violation and record examination to a risk mitigation
role. It tries to evolve to identify risks and to meet the needs of the current
market. The role of audit is viewed increasingly within the context of GRC. The
Institute of Internal Auditors (IIA) offers the following definition for internal audit: “A department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services designed to
add value and improve an organization’s operations. The internal audit activity
helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management,
control, and governance processes” [14] OpenPages IAM is a key factor in implementing an enterprise-wide risk management approach. Audit departments
can help in risk management, acting as a strategic partner. OpenPages IAM can
be completely integrated with the other products of the GRC Platform: FCM,
ITG, GCM and ORM.
OpenPages IT Risk and Compliance Management (ITG) [6, 7] is a
software solution that integrates IT risk and compliance management. IT risk
is evaluated in the context of business processes and supports regulatory certifications and audit processes. It combines IT policy, risk and operations management with corporate business initiatives, strategy, and operational standards for
obtaining IT governance. In figure 9 we can see the OpenPages ITG solution.
OpenPages ITG is a module that can be fully integrated with the others
OpenPages for FCM, IAM, GCM and ORM. It delivers and reports on all KRI
and KPI related to IT that can be utilized to manage and control risks, resulting
in a reduction of IT related risk.
16
Planning and visual control systems for companies with risk processes
Fig. 9. OpenPages ITG Solution
IT resources can be mapped to business processes that enable a centralized
approach for governance from business process to IT asset obtaining a better
IT visibility through single view of risk. ITG aligns IT policy, risk and operations management with corporate business initiatives, strategy and operational
standards.
Furthermore, it manages IT governance across multiple regulatory mandates
and frameworks, such as Cobit for an overarching governance framework, ITIL
for service management and delivery and ISO/IEC 27001 and ISO/IEC 27002
for information security management.
OpenPages Operational Risk Management (ORM) [9] enables to identify measure, monitor, analyze and manage operational risks. All risk data are integrated in a single environment. It creates and monitors performance indicators
for KRI and controls. The metrics and thresholds are established. Notifications
will be sent when these parameters are exceeded.
Another feature is loss event tracking. Risk managers can control loss incidents and near hits determining which are the causes and who is the ownership.
Moreover, statistical and trend analysis can be done, suggesting end-users remediation and action plans.
Finally, ORM complements the risk assessment process identifying and evaluating scenarios that may impact the business.
OpenPages Policy and Compliance Management (PCM) [10] is the
software solution for compliance and policy management. It helps to comply with
numerous industry, ethics, and private and government regulatory mandates. It
has integrated business intelligence tools like dashboards and dimensional reporting which provide key decision-makers with confidence that compliances and
corporate policies are achieved. It has a regulatory library of laws, regulations
and best practices.
Planning and visual control systems for companies with risk processes
17
With this, the regulatory norms are viewed in such a way that end-users and
administrators can access quickly to the regulatory compliance from multiple
angles. There are some solutions extensions that Openpages has developed to
deliver customer solutions. Between then are privacy and data protection regulatory compliance, vendor risk management, strategic risk management and
business continuity management.
4.5
Comparison between vendors
SAP has released its latest version in the year 2011. One can say that there
has been a seamless integration of risk management in business processes and
decision- making. It has also been unified look and feel of the three main modules that are SAP BO Access Control, Process Control and Risk Management
in previous versions was a bit inconsistent. The solution performs continuous
monitoring of all controls, specifically the “Segregation of Duties”.
SAP have specialized modules in environment, health and safety (EH & S),
and also for regulatory compliance for global trade. Partners have specialized in
providing industry solutions such as Novell, CA, Greenlight and SenSage. This
new version of the GRC solution is still not very widespread due to its recent
release. SAP is present and supported worldwide.
Oracle emphasizes the integration of its GRC platform with Hyperion Financial Manager and Enterprise Performance Management. Another feature is
that the GRC platform is often included with the sale of its ERP. It is also developing a large number of products related to GRC but not very clear what the
approach will continue in the future. Oracle’s strengths are risk management and
policy. It uses qualitative methods by simulation with the Monte Carlo method
and quantitative risk management. The visual aspect is very good and very clear
to experienced users but it is difficult to use for new or less experienced users.
This solution Oracle has experienced a sharp rise in the market since 2009,
going from not being competitive practices in this field to be among the best
and largest sellers of such software with global presence and support.
OpenPages platform has all the basic functions, and also has good support
for managing business and operational risks. It has developed a robust solution
and has been the benchmark for many competitors measure their own progress.
This solution focuses on improving KPI and KRI reports, add content and the
integration of IBM’s Finance and integrated solution for risk management. It
is worthy the module OpenPages IT GRC,as SAP and Oracle have no specific
module for IT GRC. It is focus to banking, insurance, energy markets and utilities, with industry-specific capabilities. It allows an excellent analysis of events
in bank losses. It is present only in North America and Europe.
It has been a comparison of GRC software vendors that offer SAP, Oracle
and IBM. This was done based on the functions and processes that establishes
OCEG functions and processes that must perform a GRC solution.
Table 2 with the list of the processes and functions defined by the OCEG
Another comparison has been carried out on some specific highlight features
(Table 3). If they have a concrete feature will be marked with “X”.
18
Planning and visual control systems for companies with risk processes
Table 2. Comparative table of OCEG processes and functions
SAP
10.0 March 2011
Last Version
Oracle
IBM OpenPages
OpenPages 6.0
Governance
IBM OpenPages IT
Governance (ITG)
Enterprise
BusinessOb- Oracle
Strategy and busi- SAP
Strategy Performance Manness
performance jects
Management (SM) agement
management
and SAP BO Enterprise
Performance
Management
IBM Business Analytics Software for
Financial
performance management
and strategy
Risk management
SAP BO Risk Man- Oracle GRC Man- Operational
agement
ager
Management
Compliance
SAP BO
Control
Process Oracle & Transac- Policy & Compliance
tion Controls Gover- Management (PCM)
nor
Internal Control
SAP BO
Control
Process Oracle Configuration Financial Controls
Controls Governor Management
Corporate security
SAP’s BusinessOb- Oracle Application
Controls
jects Access Control Access
Governor (AACG)
(AC)
Legal
Information
nology
Risk
Policy & Compliance
Management (PCM)
Tech- SAP
Busines- GRC Intelligence
sObjects
business
intelligence solutions
(BI)
Sustainability
and SAP BO Envirosocial responsibility mental, Health and
Safety Management,
SAP
sustainability
performance
management
BI Cognos
Risk
and
Performance
Management for the
Eco-Enterprise
Quality management
Human capital and SAP Human Capital Human
Capital
culture
Management (HCM) Management
Audit and assurance Data analytics (BI), Oracle EBS
risk
monitoring
(RM),
continuous auditing (PC,
BI, and AC), and
audit
management (through its
NetWeaver
audit
management
functionality)
IAM
Finance
FCM
SAP FI Module
Oracle ESB
Planning and visual control systems for companies with risk processes
19
Table 3. Comparative of highlight features
SAP
X
Oracle
X
IBM OpenPages
Dashboards and reporting
X
X
X
Enterprise-class
workflow
X
X
X
Internationalization
X
X
X (6 languages)
Surveys and assessments
X
X
X
Security and access
control
X
X
X
Access Control
Import and export
capabilities
X
Loss event database
X
X
X
Key
metrics
(KPIs,KRIs, KCIs)
X
X
X
Issue remediation
X
X
X
Support of Multiple
GRC Framework
X
X
Integracion
Office
and Smart Phone
Office
X
Support other ERP
Works really well
with SAP
Pre-integrated with Many partners such
Oracle applications as Oracle, Microsoft,
IBM
supports
Websphere,IBM
heterogeneous
Cognos,. . .
environments.
Works really well
with Oracle,
Peoplesoft,
Hyperion, and
JDEdwards
20
5
Planning and visual control systems for companies with risk processes
Conclusions and future work
The research presented was carried out in order to find out about state of the art
of GRC software and a comparison between the available solutions from SAP,
Oracle and IBM and what characteristics they present.
A recent study by Forrester says this year 2011 GRC market will grow 20%.
This is motivated by the entry of new regulations and changes in others already established which will cause many companies to consider a tactical shift
in the management of compliance and prevent risks that could cause their failure [4]. According to this, increasing competition among software vendors GRC
will encourage more technology and service and will not be a common model
implemented by the different solutions.
In addition, it is also believed that the adoption of GRC grows horizontally
more than vertically which will mean that less importance will be given to link
GRC with the highest levels of strategy.
Business intelligence and data governance more prominently will factor in
GRC decisions. Note that the three solutions presented are seamlessly integrated
in their different applications, in regard to the BI applications available to each
vendor and the data sources.
Another new feature can be the integration of GRC with mobile, social, and
cloud technologies that will add value to the different solutions.
In future research, we will focus on the state of the art of GRC systems in the
public administrations and how GRC solutions can improve e-governance. We
will also provide a process model which could fill gaps between GRC software
solution and real needs in government systems.
References
1. How to execute an integrated, sustainable governance, risk management and compliance strategy. http://www.pwc.com/us/en/risk-management/index.jhtml
2. Risk management, business intelligence help execs walk the tightrope.
http://www.it-financeconnection.com/business-intelligence/
podcast-risk-management-and-business-intelligence/ (2009)
3. Balu, R.V.: Sap customer solution adoption. grc 10.0 integration guideaccess and
process control 10.0. http://www.sdn.sap.com/irj/scn/go/portal/prtroot/
docs/library/uuid/b0c3c58c-6c67-2e10-7b94-dab8f2e4078f?QuickLink=
index&overridelayout=true (2011)
4. Chris McClean, Stephanie Balaouras, N.M.H.: Governance, risk, and compliance
predictions. http://www.forrester.com/rb/Research/governance%2C_risk%2C_
and_compliance_predictions_2011_and/q/id/57689/t/2 (2010)
5. Compliance, O., Ethics Group, F.G.: Grc capability model, red book, 2.0. http:
//www.oceg.org/view/RB2Project (2009)
6. Corporation, I.: A business risk approach to it governance. http://img.en25.com/
Web/OpenPages/YTW03132USEN.pdf (2011)
7. Corporation, I.: How mature is your it risk management? http://img.en25.com/
Web/OpenPages/YTW03157USEN.pdf (2011)
Planning and visual control systems for companies with risk processes
21
8. Corporation, I.: Ibm openpages financial controls management (fcm). http://img.
en25.com/Web/OpenPages/YTD03098USEN.pdf (2011)
9. Corporation, I.: Ibm openpages operational risk management (orm). http://img.
en25.com/Web/OpenPages/YTD03103USEN.pdf (2011)
10. Corporation, I.: Ibm openpages policy and compliance management (pcm). http:
//img.en25.com/Web/OpenPages/YTD03088USEN.pdf (2011)
11. Corporation, I.: Internal audit and its evolving role in erm. http://img.en25.com/
Web/OpenPages/YTW03134USEN.pdf (2011)
12. Gaffney,
K.:
One-on-one
with
chris
leone.
http://www.
dashboardinsight.com/articles/one-on-one-with-dashboard-insight/
one-on-one-with-chris-leone.aspx (2009)
13. Goicochea, A.: Tecnologas de la informacin y estrategia. grc. http://
anibalgoicochea.com/tag/grc/ (2011)
14. of Internal Auditors, T.I.: Glossary. http://www.theiia.org/guidance/
standards-and-guidance/ippf/standards/full-standards/?i=8317
15. Lamm, J., Blount, S., Cooper, N., Boston, S., Camm, M., Cirabisi, R.: Under
Control: Governance Across the Enterprise. Apress Series, Apress (2009), http:
//books.google.com.ec/books?id=t0B-uh8R3-EC
16. Marks, N.: What
do they say
about
the latest
release
of
saps
solutions
for
grc?
http://normanmarks.wordpress.com/2011/
03/22/what-do-they-say-about-the-latest-release-of-sap’
s-solutions-for-grc/ (2011)
17. McClean, C.: The forrester wave: Enterprise governance, risk, and compliance
platforms, q3 2009. http://img.en25.com/Web/OpenPages/Forrester_wave_ent_
gov_risk_compl.pdf (2009)
18. Mehta, N.: Business intelligent blog: Bi for risk management. http://blog.
maia-intelligence.com/2009/01/19/bi-for-risk-management/ (2009)
19. Oracle: Governance, risk, and compliance management. http://www.oracle.com/
us/solutions/corporate-governance/index.html
20. Protiviti:
Proactive
risk
management
with
sap
businessobjects.
http://www.protiviti.de/de-DE/Headlines/Documents/
Proactive-Risk-Mgmt-SAP-BusinessObjects-Protiviti.pdf (2011)
21. Rasmusse, M.: Delivering enterprise value with oracle governance, risk,
and compliance. http://www.corp-integrity.com/wp-content/uploads/2010/
12/Delivering-Enterprise-Value-with-Oracle-GRC.pdf (2011)
22. Rojas, E.: Menor riesgo comercial con sap. http://www.muycomputerpro.
com/2009/04/02/actualidadnoticiasmenor-riesgo-comercial-con-sap_
we9erk2xxdb2ywtlxinrmpb3fvcupsmvhwze2bjx__0rnojdim5h_nf_y0neem3b/
(2009)
23. de Responsabilidad y Sostenibilidad Empresaria, C.: Nueva estrategia y nueva
gestin en sostenibilidad. http://comunicarseweb.com.ar/?Nueva_estrategia_
y_nueva_gestion_en_sostenibilidad&page=ampliada&id=1245&_s=&_page=
contratapa (2009)
24. of Sponsoring Organizations of Treadway Commission, C.: Enterprise risk management integrated framework, new york: Aicpa (2004)
25. website, D.: Business Intelligence Systems: Turning Data into Information and
empowering Decision Makers. http://career-resources.dice.com/articles/
content/entry/business_intelligence_systems_turning_data (2010)
Descargar