Planning and visual control systems for companies with risk processes Rosa Ana Doniz Campos and Manuel Pérez Cota Escuela Superior Ingenieria Informatica, Universidad de Vigo Campus Universitario As Lagoas s/n 32004 Ourense, Spain rdcampos@correo.ei.uvigo.com http://www.uvigo.es/ Abstract. This paper tries to do a baseline assessment of the systems used in large enterprises for planning and visual control of risk processes. In addition, it tries to find out the expectations for the future that these systems are having on the so-called business intelligence. It specifies how business intelligence through Governance, Risk and Compliance (GRC) allows a more adequate planning and control decision-making in current systems in companies with large volumes of data. Keywords: business intelligence, risk management, decision making,information, knowledge, decision, BI tools, strategic planning, GRC Resumen En este trabajo se trata de hacer una evaluación inicial de los sistemas utilizados en las grandes empresas para la planificación y el control visual de procesos de riesgo. Además, se intenta averiguar las expectativas para el futuro que estos sistemas están teniendo en la llamada inteligencia de negocios. En él se especifica cómo la inteligencia de negocios a través de Gobierno, Riesgo y Cumplimiento permite una planificación más adecuada y control de la toma de decisiones en los sistemas actuales en las empresas con grandes volúmenes de datos. Integración de Business Intelligence y Gobierno, Riesgo y Cumplimiento (GRC) En la última década, la influencia de la crisis mundial ha provocado la globalización y el aumento de la competitividad entre las empresa. Además de esto, las empresas privadas y las agencias públicas se enfrentan cada vez con más regulaciones y estándares que cumplir. Consecuentemente surgió la necesidad de gestionar estas medidas y a partir de ahı́ nacieron las soluciones “Governance, Risk and Compliance” o simplemente GRC. Open Compliance and Ethics Group’s (OCEG’s) define GRC como un sistema “de personas, procesos y tecnologı́a que permite a una organización: 1) Comprender y priorizar las expectativas de los accionistas. 2) Establecer los objetivos de negocio que sean congruentes con los valores y los riesgos. 3) Alcanzar 2 Planning and visual control systems for companies with risk processes los objetivos y optimizar el perfil de riesgos y la proteccin de valor. 4) Operar dentro de los lı́mites legales, contractuales, internos, sociales y éticos. 5) Proporcionar información relevante, confiable y oportuna a las partes interesadas pertinentes. 6) Permitir la medición del desempeño y eficacia del sistema”. Si además estos sistemas se integran con la llamada inteligencia de negocio (BI) se mejorarı́a considerablemente la toma de decisiones, la medición del desempeño de los diferentes procesos que tienen lugar en la empresa y una visión clara de los riesgos que puedan surgir o que puede implicar correrlos. Además, utilizando información actual e histórica, nos permitirı́a hacer una predicción de lo que podrı́a suceder en el futuro. De hecho, la gestión de riesgos no puede funcionar bien sin BI. Hay métricas que nos permiten conocer como de arriesgado es una actividad. Estas métricas son los key risk indicators (KRIs), estos nos indican la probabilidad de que alguna actividad impacte negativamente en la empresa. Este concepto no se debe confundir con los key performance indicators (KPIs), ya que estos nos indican el rendimiento o como de bien se está haciendo algo. Un artı́culo publicado recientemente por Gartner Inc sitúa a IBM, Microsoft, Oracle Corp and SAP AG como los mejores vendedores de software en 2010. Estas compañı́as recientemente han adquirido o han propuesto implementaciones propias muy amplias y con BI integrado como soluciones GRC, a excepción de Microsoft que presenta una solución que a dı́a de hoy carece de competitividad en el mercado actual de software GRC. En este artı́culo se explican las arquitecturas de IBM Openpages, GRC Oracle Suite y SAP BusinessObjects GRC 10.0 y se hace una comparativa entre ellas. Plataformas SAP ha sacado su última versión en este año 2011. Se puede decir que se ha realizado una perfecta integración de la gestión de riesgos en los procesos de negocio y en la toma de decisiones. Además se ha unificado el look and feel de los tres modulos principales que son SAP BO Access Control, Process Control y Risk Management que en las versiones anteriores era un poco inconsistente. La solución realiza una monitorización continua de todos los controles, en concreto de las “Segregation of Duties”. SAP dispone de módulos especializados en medio ambiente, salud y seguridad (EH&S), y también para el cumplimiento de las regulaciones para el comercio interior y exterior (importaciones y exportaciones). Tiene partners especializados en proveer soluciones de industria tales como Novell, CA, Greenlight and SenSage. Esta nueva versión de la solución GRC todavı́a no está demasiado extendida debido a su reciente liberación. SAP esta presente y da soporte en todo el mundo. Oracle hace énfasis en la integración de su plataforma GRC con Hyperion Financial Manager y con Enterprise Performance Management. Otra caracterı́stica es que la plataforma GRC muchas veces va incluida con la venta de su ERP. Planning and visual control systems for companies with risk processes 3 Además esta desarrollando un gran número de productos relacionados con GRC pero no está muy claro cual es el enfoque que van a seguir en el futuro. Los puntos fuertes de Oracle son la gestión de riesgos y de polı́ticas. Utiliza métodos cualitativos mediante simulación con el método de Montecarlo y cuantitativos para la gestión de riesgos. El aspecto visual está muy bien y muy claro para usuarios experimentados pero resulta difı́cil de utilizar para usuarios nuevos o menos experimentados. Esta solución de Oracle ha experimentado una fuerte subida en el mercado desde 2009. Pasando de no ser prácticamente competitivo en este terreno a estar entre los mejores y mayores vendedores de este tipo de software. A dı́a de hoy está presente y da soporte en todo el mundo. IBM OpenPages tiene todas las funciones básicas, y además cuenta con un buen soporte para la gestión de riesgos empresariales y operacionales. IBM OpenPages ha desarrollado una solución sólida y ha sido el punto de referencia para que muchos competidores midan su propio progreso. Esta solución se centra en la mejora de informes de KPI y KRI, añadir contenido y la integración de IBM’s Finance y la solución integrada de gestión de riesgos. Cabe destacar el módulo de OpenPages IT GRC, ya que SAP y Oracle no tienen ningn módulo especı́fico para IT GRC. Está orientado a la banca, seguros, mercados energéticos y empresas de servicio público, con capacidades especı́ficas de la industria. Permite realizar un análisis excelente de eventos de pérdidas bancarias. Sólo está presente en norte América y Europa. 1 Introduction In the last decade, the influence of the global crisis in the financial environment and the globalization of markets have enhanced the competitiveness of enterprises. Nowadays, these cause that risk management and business intelligent (BI) form a fundamental part of a company’s decision making and strategic planning. Business Intelligent strategies was created to address the issues to and to help to convert business investments to real business value [18]. Increasingly, big private companies and public agencies, they face greater regulations and standards to be met, which are defined internally (partners, shareholders or directors) or externally (by governments, agencies regulators, financial institutions, etc.) such as Sarbanes-Oxley-Act of 2002, HIPAA, PCIDSS, ISO 27001, LOPD or Basel II. It is difficult to take these measures and the danger involved with the failure to comply with this regulations. The traditional tools dont help to incorporate these measures in their daily management. To address these needs we have solutions called ”Governance, Risk and Compliance” or simply GRC. Approximately there are about 64 vendors of GRC over the world. A widely accepted definition of governance risk and compliance was published for Open Compliance and Ethics Group’s (OCEG’s) defines GRC as a “system of people, processes, and technology that enables an organization to: 4 Planning and visual control systems for companies with risk processes – – – – – Understand and prioritize stakeholder expectations. Set business objectives that are congruent with values and risks Achieve objectives while optimizing risks profile and protecting value. Operate within legal, contractual, internal, social, and ethical boundaries Provide relevant, reliable, and timely information to appropriate stakeholders. – Enable the measurement of the performance and effectiveness of the system” [5]. Governance describes the overall processes through which a companys boards, its shareholders and other stakeholders direct and control the entire organization with effectiveness, efficiency, transparency and respect for the law. In these processes they set the objectives for an organization and oversee progress toward those objectives using a combination of management information and hierarchical management control structures. Corporate governance activities provide the most complete, accurate and timely information to the executive team for decision making [15]. Risk management is defined by the Committee of Sponsor in Organizations of the Treadway Commission (COSO) as “a process, effected by an entity’s board of directors, management and other personnel, applied to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of objectives” [24]. Compliance means conforming to stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary. Business intelligence (BI) is about showing important and timely data to the end user for analysis and helping him to decide what action must perform [25]. BI allows making decisions, measuring the performance of the different processes that take place in the company and a clear view of the risks that may arise or which may involve running. Furthermore, using current and historical information, it allows predictive analysis of what can happen in the future. The decision to be taken determines what data is needed. In the other direction, from information in the data, knowledge comes (Fig. 1). Then knowledge is the basis for decisions that may be accurate or not depending on the wealth of information. Fig. 1. Decision determines data Planning and visual control systems for companies with risk processes 5 Data mining allows the implementation of business intelligence through the extraction of knowledge from simulations and identifying the relationships between the business variables. This provides the decision-makers have better information to open new fields of business, investment and formulate new strategies [2]. To get the really useful business intelligence, decision-makers at all levels must communicate what the needs are and direct the process value-added that creates BI systems. BI and risk management are closely linked in the sense that it can provide a high level of transparency, so that executives who make decisions can have an overview of all categories of risk and thus improve the overall performance business. Risk management can not work effectively without BI. BI infrastructure within an organization needed to collect and analyze data in a very detailed level, and from there, use the information gathered for decision making. The advantages of using BI on risk management systems are represented in four points. The first point is the identification and elimination of risk factors within the organization. The second advantage is to consider opportunities of business taking risky strategies, for instance, new products, new investments or acquisitions. The third point is the assessment of potential risks to advance the company’s strategic direction and new initiatives. Finally, the forth point is the application of the analysis in risk management to global business framework to provide decision-makers executives with a clear vision not only risks but also where there is an opportunity to take strategic risks to make better business decisions. One of the advantages of GRC is to identify risk factors that may compromise the continuity of an organization, a task that could be implemented with the involvement of people with heterogeneous perspectives and the help of specialized tools as a platform GRC. There are metrics that allow us to know as a risky activity. These metrics are the Key Risk Indicators (KRIs), these indicate the possibility of activities that may negatively impact the company. This concept should not be confused with the key performance indicators (KPIs), as these indicate the performance or how well they are doing something. According to PriceWaterhouseCoopers “The compliance and risk landscape is continually changing. To remain competitive, companies must have in place a governance, risk management and compliance strategy that keeps pace with new laws, regulations and stakeholder expectations. An effective strategy can positively impact shareholder value and empower organizations to: – Improve strategic business decisions by clearly defining associated risks and opportunities – Minimize operational surprises with more proactive and effective monitoring – Protect and enhance reputation and brand by capitalizing on business opportunities while reducing the likelihood of negative events – Increase organizational efficiency – Avoid fines, penalties and damage to reputation” [1]. Gartner Inc published recently an article which places IBM, Microsoft, Oracle Corp. and SAP AG as the best four business intelligence vendors, owning 6 Planning and visual control systems for companies with risk processes two-thirds of the $6 billion BI market because they have optimized their BI platforms to work well with their respective enterprise and information management applications. These companies have recently acquired or proposed implementations of GRC solutions with integrated BI, except Microsoft that presents a solution that today lacks competitiveness in the GRC software market today. A good starting point could be an analysis of what GRC software SAP, Oracle and IBM have. Therefore this research was fulfilled in order to compare GRC Software of these important BI vendors, how much are GRC and BI integrated and what is expected in the future of these systems. 2 The methodological framework and state of the art The methodology applied in this research consists of three stages. It is important to emphasize those analysts who assess software quality, and GRC software vendors dont define GRC as it is defined by the OCEG. No single vendor has a solution that integrates every GRC processes on a common platform. Because GRC has so many different definitions, first we reviewed the most recognized explanation about what are the processes and functions GRC must comply. Secondly, we analyze three of the big four BI vendors GRC software (SAP, Oracle and IBM) and the integration with the BI solutions that this companies have. In a third stage, a comparison between them is done and what is expected in the future. 3 Prior research Some research has been carried out by several leading independent research firms such as Gartner, Forrester Research and AMR Research, and by the Open Ethics and Compliance Group(OCEG). Forrester published ‘The Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q3 2009” [17]. This study evaluated 14 enterprise GRC platform vendors using 80 criteria. The evaluation shows that AXENTIS, BWise, MetricStream, OpenPages, and Thomson Reuters are leaders. Archer, Cura, MEGA, Methodware, Protiviti, and Strategic Thought are strong performers. SAI Global, SAP, and Trintech are contenders. The result can be seen in figure 2. Another research is Gartner Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms, 2010. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. This report is published yearly (Fig. 3). As far as research on integrated GRC software is concerned, Racz et al conducted “Governance, Risk & Compliance (GRC) Status Quo and Software Use: Results from a Survey among Large Enterprises”. This reseabrch evaluates how integrated GRC and GRC software are perceived and applied in large enterprises. Planning and visual control systems for companies with risk processes 7 Fig. 2. Forrester Wave: Enterprise Governance, Risk, And Compliance Platforms, Q3 ’09. Fig. 3. Gartner Magic Quadrant for EGRC Platforms, 2010 8 Planning and visual control systems for companies with risk processes The results reveal that some organizations have deployed integrated GRC software that helps leverage the benefits of GRC. But on the other hand, solutions developed in-house are more often used than standard solutions. Racz et al. write another article “Governance, Risk & Compliance (GRC) Software An Exploratory Study of Software Vendor and Market Research Perspectives” that says through a survey among GRC software vendors that they share a common basis in their GRC understanding but they deliver diverse functionality. The products technology architectures mainly differ in their degree of integration. Finally, none of them explain the GRC architecture and GRC solutions some of the big four BI vendors such as SAP, Oracle and IBM, and the integration with the BI solutions. 4 4.1 The original contribution Governance, Risk and compliance Nowadays there are various definitions of what GRM is and what are the processes and functions that should be included in GRC. The definition given by the OCEG is one of the most complete and clear. Moreover, its credibility is higher since it has not been developed only by software vendors, but also by experts in risk, compliance, legal and internal audit and other members of the OCEG. OCEG recommends that GRC applications fulfill a list of processes and functions. The recommended processes are executed by different people in different departments. GRC processes ranging from board management, through strategy settings, business performance management or audit to IT security. In the following table 1 the processes are named and related with the people who should execute them [5]. Importantly, no software vendor has implemented their solution in all processes and functions defined in OCEG. Normally, these have built a few, so it is important before purchasing any of the software, make a study of what is needed for each company. In the following sections, it is described how SAP, ORACLE and IBM have implemented their solutions. 4.2 SAP BusinessObjects GRC 10.0 SAP GRC 10.0 is today the proposal to the GRC business philosophy. It is part of SAP BusinessObjects (Fig. 4). The new version has a user interface common to Risk Management, Access Control and Process Control, GRC suite applications. SAP Access Control, Risk Management, Process Control processes applications share data and specifications for different industries and business lines. It allows reporting from SAP GRC components, using Crystal Reports and Xcelsius visualizations and also has graphical tools to define and inventory risks. The new capabilities make the use of the GRC platform is much easier by getting Planning and visual control systems for companies with risk processes 9 Table 1. List of processes and functions defined by OCEG Recommended Processes Executed by Governance The board of director, corporate secretaryand governance professionals including boardmanagement Strategy and business per- Chief Executive Officer (CEO) or “c-suite” formance management Risk management Chief Risk Officer (CRO), business line and other executives Audit Chief Audit Executives, internal audit, audit committee and external auditors Legal The general counsel and legal staff Compliance The general counsel, chief compliance and ethics officer, compliance professionals and other legal staff Information Technology Chief Information Officer (CIO), privacy officer and /or security officer Ethics & Corporate Social Chief Ethics Officer and Chief Responsibility Officer Responsibility Quality Management Quality professionals throughout the Organization Human Capital & Culture Human resource professionals and organizational design and development professionals 10 Planning and visual control systems for companies with risk processes all staff to pay attention to the risks facing the company, without specialized knowledge. It is note worthy that by integrating GRC activities within the major business processes and applications, executives have the opportunity to manage their business in a proactive and strategic, rather than reactively, ie full-scale BI. With this release, SAP has taken a major step forward [13, 16]. Fig. 4. SAP Bussiness Objects The components of SAP Business Objects GRC 10.0 are: Risk Management, Access Control, Process Control, Global Trade Services, Environment, Health and Safety Management and Sustainability Performance Management. SAP BO Risk Management helps to identify risks in the company and allows the implementation of mitigation strategies (Fig. 5). It includes four areas that allow enterprises to manage risk activities: [20] 1) Plan: This phase is used to scope activities, decide about risk scope and establish the risk tolerance and map risks to the business. 2) Identify and Analyze: This stage sets up the key risk indicators (KRIs). 3) Respond: In this phase, appropriate responses or controls are documented or identified to avoid, mitigate, transfer or prevent risks. 4) Monitor: enterprises should always monitor the response effectiveness to the risks and control risk level given by the KRIs. SAP BO GRC Access Control facilitates the separation of functions and helps companies decide which users can access them .Standards and regulations worldwide require compliance with access and authorization measures. This tool gives the following functionality: 1) Prevent unauthorized access: identifying and monitoring the assignments of permits and risk authoritation. It controls the use of permissions of type superuser. 2) Minimize the time and cost of access risk management: Automatic removal of access and authorization risk identified in the rules defined. Enforce segregation of duties across applications and business units. 3) Achieve real- time visibility into access risk: Provides a set of reports on key risk indicators. SAP BusinessObjects Process Control creates new controls, changes the rules and automates workflows related to risk and compliance (Fig. 6). It Planning and visual control systems for companies with risk processes 11 Fig. 5. SAP Bussiness Objects Risk Management is the software solution for compliance and policy management [3]. It has an automated rules framework. This application allows cross-system visibility and a unified repository of compliance information for managing multiple initiatives efficiently. Fig. 6. SAP BusinessObjects Process Control SAP Business Object Global Trade Services (SAP GTS) [22] automates global trade processes. To understand the state and the logistics supply chain and order status such as service providers and customers, both imports and imports, thus avoiding unnecessary costs for delays. It also helps to Comply with Regulations Legal changing. 12 Planning and visual control systems for companies with risk processes For example, if a vice president of supply chain wants to improve distribution efficiency, these solutions can be used to establish key risk indicators (KPIs) are quantifiable and measure and monitor aspects of the order to help ensure that deadlines are met. These KPIs quantifiable estimate the financial impact that may have different risk factors, showing executives how those vulnerabilities can affect its business lower. SAP Business Object Environment, Health and Safety (SAP EHS) [23] helps customers comply proactively and automatically all EHS requirements and policies applicable corporate sustainability in its various business operations. At the same time, SAP EHS Management can work with third-party solutions, despite being integrated into SAP Business Suite. SAP Business Object Sustainability Performance Management (SAP SPM) helps businesses to manage and monitor their strategic goals of sustainability. This software is designed to integrate with different SAP and non SAP solutions or to work independently. Its main objective is to facilitate users reporting either an externally and internally. Users have a central library of KPIs, where they can choose from a variety of metrics that best meet their needs, and also can create and update their own KPIs that will allow. 4.3 Oracle GRC Applications Suite Oracle proposes a GRC solution integrated by business intelligence, process management, and automated controls enforcement to enable sustainable risk and compliance management (Fig. 7). There are 3 major components or layers. Oracle GRC product suite is formed by GRC Intelligence, GRC Manager and GRC Controls. The controls are represented in the following modules AACG (Application Access Control Governor), CCG (Change Control Governor), TCG (Transaction Control Governor) and PCG (Preventive Control governor). They can be acquired as a complete suite or as individual modules [19]. Oracle’s Governance, Risk and Compliance Suite was born in Applimation, a NYC based company with the initial named as Integra Apps. It was formed by 4 modules: Apps, Access, Transaction and Codebase. This company was bought by another company, Logical Apps in Feb 2007. Shortly after, this was bought by Oracle in Oct, 2007 and this product has been rechristened under Oracle’s Governance, Risk and Compliance Suite. In the following paragraphs it will be the main components of the Oracle GRC product suite [21]: GRC Manager: It has a centralized repository for all content related to GRC, in addition to workflow, evaluation, and management tasks. Features include cross- enterprise, risk-based trending, analysis, simulation, mitigation and treatment capabilities. It is based on Java EE and it is platform independent. It can manage multiple regulations and it covers the integral process management. GRC Intelligence: [12] Integrates interactive role-based dashboards, full ad hoc query and analysis, and proactive intelligence for GRC and visibility across GRC initiatives and applications. This solution is built on Oracle’s industryleading BI foundation and it is based on business intelligence technology from Planning and visual control systems for companies with risk processes 13 Fig. 7. Oracle GRC Application Suite Siebel. This enables users at all levels to have crucial information to meet regulatory compliance requirements and effectively manage risk. The solution is able pre-built dashboards with information of GRC and performance from all sources. KRI and responses to the issues can be visualized. It is totally configurable to meet the specific needs. Oracle GRC Applications Controls arose from the need of ensures confidentiality, integrity, timeless and security of sensitive data mandate by various regulations. The key mechanisms followed are preventive and detective controls, what-if risk simulations and automated controls testing. Firstly, many applications built their own mechanisms into individual applications but these often prevent from centralized and automated security controls. That is the reason for the needed of these controls. The controls are described more specifically below. Oracle Application Access Controls Governor (AACG) uses graphical modeling tools to look into access points, detect SOD (Segregation of Duties) conflicts, and evaluate treatment options. The graphics are designed to provide real-time monitoring of SOD controls and make it easy for managers to preview the issues and advise on the best remediation, performing what-if analysis for proposed changes to access rights. Oracle Configuration Controls Governor (CCG) provides a changes tracking in real-time of key controls of Oracle. It lets view and compare to determine what is different when a problem occurs. Monitor consistency of controls across Instances, Versions, Points in Time, Operating Units and Sets of Books and actively enforces change controls on key setups based on policies and best practices. It also creates snapshots which automate time-stamped documentation of key controls across all Oracle Applications modules. 14 Planning and visual control systems for companies with risk processes Oracle Transaction Controls Governor (TCG) is the software solution for compliance and policy management. It is formed by algorithms and pattern analysis that automatically analyze transactions for anomalies with internal policies, which might be signs of fraud, regulatory-compliance fails, or errors that could result in significant cash leakage. It allows seeing problems to prevent heavy losses, and limiting exposure to fraud and waste, and reduce the time and cost of errors and repairs, prevent worsening of the risk and optimize business performance. It is continuously monitoring accuracy of transactions, testing against thresholds and searching for anomalies. Oracle Preventive Control Governor (PCG) works with the other modules in the Oracle Governance, Risk and Compliance Suite controls to prevent unauthorized changes to critical application data and settings of time and enforce policy-real changes at a granular level of applications. Oracle Preventive Controls Governor provides the simulation of scenarios of SOD mitigating risk of application changes, as well as monitoring and preventing unauthorized changes to critical data. These enforce business policy through automated processes. There are other Oracle IT infrastructure solutions, such as the Oracle Audit Vault, Oracle Database Vault, Oracle Identity Manager, and the Oracle Enterprise Manager that are compatible with the applications listed above. 4.4 IBM OpenPages IBM acquired OpenPages in 2010, one of the largest vendors of GRC software, to further extend the Business Analytics portfolio with a GRC solution. The OpenPages modules are Financial Controls Management (FCM), Operational Risk Management (ORM), IT Governance (ITM), Policy and Compliance Management (PCM), and Internal Audit Management (IAM) (Fig. 8). All the modules share some characteristics. Firstly, they allow sharing a common data repository for content and document management, workflow and reporting infrastructure for all risk and governance related activities. It includes entities, processes, risks, controls, tests, and test results. Secondly, they provide dynamic dashboards, charts, and dimensional reporting which give a global view of the state of risk across the organization. In third place they can be integrated with Microsoft Office and Smart Phone. And finally, they are 100% configurable by business users, including forms, workflow, reporting, and system-wide settings. OpenPages Financial Controls Management(FCM) [8] try to reduce the costs and complexity of complying with finantial regulations such us SarbanesOxley, Turnbull in the United Kingdom, JSOX in Japan,the Loi de Scurit Financire (LSF) in France, and CSA Notice 52-313 in Canada, etc. It provides a policy-based way to manage compliance with financial controls through its key features such as self-assessments, certifications, and compliance automation by means of automatic notification and tracking of activities such as operating review, risk assessments, control testing, issue remediation. FCM gives the functionalities for document management, business performance management and flexible reporting capabilities. It is intended to be used Planning and visual control systems for companies with risk processes 15 Fig. 8. OpenPages Solution Components by projects managers, external and internal auditors to document and implement controls within the company. OpenPages Internal Audit Management (IAM) [11] is a web based solution that unifies organizational risk, compliance and internal audit into a common view, allowing users to manage audits, audit phases and auditor allocations while automating operations. Nowadays, internal audit is evolving from its traditional view of policy violation and record examination to a risk mitigation role. It tries to evolve to identify risks and to meet the needs of the current market. The role of audit is viewed increasingly within the context of GRC. The Institute of Internal Auditors (IIA) offers the following definition for internal audit: “A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes” [14] OpenPages IAM is a key factor in implementing an enterprise-wide risk management approach. Audit departments can help in risk management, acting as a strategic partner. OpenPages IAM can be completely integrated with the other products of the GRC Platform: FCM, ITG, GCM and ORM. OpenPages IT Risk and Compliance Management (ITG) [6, 7] is a software solution that integrates IT risk and compliance management. IT risk is evaluated in the context of business processes and supports regulatory certifications and audit processes. It combines IT policy, risk and operations management with corporate business initiatives, strategy, and operational standards for obtaining IT governance. In figure 9 we can see the OpenPages ITG solution. OpenPages ITG is a module that can be fully integrated with the others OpenPages for FCM, IAM, GCM and ORM. It delivers and reports on all KRI and KPI related to IT that can be utilized to manage and control risks, resulting in a reduction of IT related risk. 16 Planning and visual control systems for companies with risk processes Fig. 9. OpenPages ITG Solution IT resources can be mapped to business processes that enable a centralized approach for governance from business process to IT asset obtaining a better IT visibility through single view of risk. ITG aligns IT policy, risk and operations management with corporate business initiatives, strategy and operational standards. Furthermore, it manages IT governance across multiple regulatory mandates and frameworks, such as Cobit for an overarching governance framework, ITIL for service management and delivery and ISO/IEC 27001 and ISO/IEC 27002 for information security management. OpenPages Operational Risk Management (ORM) [9] enables to identify measure, monitor, analyze and manage operational risks. All risk data are integrated in a single environment. It creates and monitors performance indicators for KRI and controls. The metrics and thresholds are established. Notifications will be sent when these parameters are exceeded. Another feature is loss event tracking. Risk managers can control loss incidents and near hits determining which are the causes and who is the ownership. Moreover, statistical and trend analysis can be done, suggesting end-users remediation and action plans. Finally, ORM complements the risk assessment process identifying and evaluating scenarios that may impact the business. OpenPages Policy and Compliance Management (PCM) [10] is the software solution for compliance and policy management. It helps to comply with numerous industry, ethics, and private and government regulatory mandates. It has integrated business intelligence tools like dashboards and dimensional reporting which provide key decision-makers with confidence that compliances and corporate policies are achieved. It has a regulatory library of laws, regulations and best practices. Planning and visual control systems for companies with risk processes 17 With this, the regulatory norms are viewed in such a way that end-users and administrators can access quickly to the regulatory compliance from multiple angles. There are some solutions extensions that Openpages has developed to deliver customer solutions. Between then are privacy and data protection regulatory compliance, vendor risk management, strategic risk management and business continuity management. 4.5 Comparison between vendors SAP has released its latest version in the year 2011. One can say that there has been a seamless integration of risk management in business processes and decision- making. It has also been unified look and feel of the three main modules that are SAP BO Access Control, Process Control and Risk Management in previous versions was a bit inconsistent. The solution performs continuous monitoring of all controls, specifically the “Segregation of Duties”. SAP have specialized modules in environment, health and safety (EH & S), and also for regulatory compliance for global trade. Partners have specialized in providing industry solutions such as Novell, CA, Greenlight and SenSage. This new version of the GRC solution is still not very widespread due to its recent release. SAP is present and supported worldwide. Oracle emphasizes the integration of its GRC platform with Hyperion Financial Manager and Enterprise Performance Management. Another feature is that the GRC platform is often included with the sale of its ERP. It is also developing a large number of products related to GRC but not very clear what the approach will continue in the future. Oracle’s strengths are risk management and policy. It uses qualitative methods by simulation with the Monte Carlo method and quantitative risk management. The visual aspect is very good and very clear to experienced users but it is difficult to use for new or less experienced users. This solution Oracle has experienced a sharp rise in the market since 2009, going from not being competitive practices in this field to be among the best and largest sellers of such software with global presence and support. OpenPages platform has all the basic functions, and also has good support for managing business and operational risks. It has developed a robust solution and has been the benchmark for many competitors measure their own progress. This solution focuses on improving KPI and KRI reports, add content and the integration of IBM’s Finance and integrated solution for risk management. It is worthy the module OpenPages IT GRC,as SAP and Oracle have no specific module for IT GRC. It is focus to banking, insurance, energy markets and utilities, with industry-specific capabilities. It allows an excellent analysis of events in bank losses. It is present only in North America and Europe. It has been a comparison of GRC software vendors that offer SAP, Oracle and IBM. This was done based on the functions and processes that establishes OCEG functions and processes that must perform a GRC solution. Table 2 with the list of the processes and functions defined by the OCEG Another comparison has been carried out on some specific highlight features (Table 3). If they have a concrete feature will be marked with “X”. 18 Planning and visual control systems for companies with risk processes Table 2. Comparative table of OCEG processes and functions SAP 10.0 March 2011 Last Version Oracle IBM OpenPages OpenPages 6.0 Governance IBM OpenPages IT Governance (ITG) Enterprise BusinessOb- Oracle Strategy and busi- SAP Strategy Performance Manness performance jects Management (SM) agement management and SAP BO Enterprise Performance Management IBM Business Analytics Software for Financial performance management and strategy Risk management SAP BO Risk Man- Oracle GRC Man- Operational agement ager Management Compliance SAP BO Control Process Oracle & Transac- Policy & Compliance tion Controls Gover- Management (PCM) nor Internal Control SAP BO Control Process Oracle Configuration Financial Controls Controls Governor Management Corporate security SAP’s BusinessOb- Oracle Application Controls jects Access Control Access Governor (AACG) (AC) Legal Information nology Risk Policy & Compliance Management (PCM) Tech- SAP Busines- GRC Intelligence sObjects business intelligence solutions (BI) Sustainability and SAP BO Envirosocial responsibility mental, Health and Safety Management, SAP sustainability performance management BI Cognos Risk and Performance Management for the Eco-Enterprise Quality management Human capital and SAP Human Capital Human Capital culture Management (HCM) Management Audit and assurance Data analytics (BI), Oracle EBS risk monitoring (RM), continuous auditing (PC, BI, and AC), and audit management (through its NetWeaver audit management functionality) IAM Finance FCM SAP FI Module Oracle ESB Planning and visual control systems for companies with risk processes 19 Table 3. Comparative of highlight features SAP X Oracle X IBM OpenPages Dashboards and reporting X X X Enterprise-class workflow X X X Internationalization X X X (6 languages) Surveys and assessments X X X Security and access control X X X Access Control Import and export capabilities X Loss event database X X X Key metrics (KPIs,KRIs, KCIs) X X X Issue remediation X X X Support of Multiple GRC Framework X X Integracion Office and Smart Phone Office X Support other ERP Works really well with SAP Pre-integrated with Many partners such Oracle applications as Oracle, Microsoft, IBM supports Websphere,IBM heterogeneous Cognos,. . . environments. Works really well with Oracle, Peoplesoft, Hyperion, and JDEdwards 20 5 Planning and visual control systems for companies with risk processes Conclusions and future work The research presented was carried out in order to find out about state of the art of GRC software and a comparison between the available solutions from SAP, Oracle and IBM and what characteristics they present. A recent study by Forrester says this year 2011 GRC market will grow 20%. This is motivated by the entry of new regulations and changes in others already established which will cause many companies to consider a tactical shift in the management of compliance and prevent risks that could cause their failure [4]. According to this, increasing competition among software vendors GRC will encourage more technology and service and will not be a common model implemented by the different solutions. In addition, it is also believed that the adoption of GRC grows horizontally more than vertically which will mean that less importance will be given to link GRC with the highest levels of strategy. Business intelligence and data governance more prominently will factor in GRC decisions. Note that the three solutions presented are seamlessly integrated in their different applications, in regard to the BI applications available to each vendor and the data sources. Another new feature can be the integration of GRC with mobile, social, and cloud technologies that will add value to the different solutions. In future research, we will focus on the state of the art of GRC systems in the public administrations and how GRC solutions can improve e-governance. We will also provide a process model which could fill gaps between GRC software solution and real needs in government systems. References 1. How to execute an integrated, sustainable governance, risk management and compliance strategy. http://www.pwc.com/us/en/risk-management/index.jhtml 2. Risk management, business intelligence help execs walk the tightrope. http://www.it-financeconnection.com/business-intelligence/ podcast-risk-management-and-business-intelligence/ (2009) 3. Balu, R.V.: Sap customer solution adoption. grc 10.0 integration guideaccess and process control 10.0. http://www.sdn.sap.com/irj/scn/go/portal/prtroot/ docs/library/uuid/b0c3c58c-6c67-2e10-7b94-dab8f2e4078f?QuickLink= index&overridelayout=true (2011) 4. Chris McClean, Stephanie Balaouras, N.M.H.: Governance, risk, and compliance predictions. http://www.forrester.com/rb/Research/governance%2C_risk%2C_ and_compliance_predictions_2011_and/q/id/57689/t/2 (2010) 5. Compliance, O., Ethics Group, F.G.: Grc capability model, red book, 2.0. http: //www.oceg.org/view/RB2Project (2009) 6. Corporation, I.: A business risk approach to it governance. http://img.en25.com/ Web/OpenPages/YTW03132USEN.pdf (2011) 7. Corporation, I.: How mature is your it risk management? http://img.en25.com/ Web/OpenPages/YTW03157USEN.pdf (2011) Planning and visual control systems for companies with risk processes 21 8. Corporation, I.: Ibm openpages financial controls management (fcm). http://img. en25.com/Web/OpenPages/YTD03098USEN.pdf (2011) 9. Corporation, I.: Ibm openpages operational risk management (orm). http://img. en25.com/Web/OpenPages/YTD03103USEN.pdf (2011) 10. Corporation, I.: Ibm openpages policy and compliance management (pcm). http: //img.en25.com/Web/OpenPages/YTD03088USEN.pdf (2011) 11. Corporation, I.: Internal audit and its evolving role in erm. http://img.en25.com/ Web/OpenPages/YTW03134USEN.pdf (2011) 12. Gaffney, K.: One-on-one with chris leone. http://www. dashboardinsight.com/articles/one-on-one-with-dashboard-insight/ one-on-one-with-chris-leone.aspx (2009) 13. Goicochea, A.: Tecnologas de la informacin y estrategia. grc. http:// anibalgoicochea.com/tag/grc/ (2011) 14. of Internal Auditors, T.I.: Glossary. http://www.theiia.org/guidance/ standards-and-guidance/ippf/standards/full-standards/?i=8317 15. Lamm, J., Blount, S., Cooper, N., Boston, S., Camm, M., Cirabisi, R.: Under Control: Governance Across the Enterprise. Apress Series, Apress (2009), http: //books.google.com.ec/books?id=t0B-uh8R3-EC 16. Marks, N.: What do they say about the latest release of saps solutions for grc? http://normanmarks.wordpress.com/2011/ 03/22/what-do-they-say-about-the-latest-release-of-sap’ s-solutions-for-grc/ (2011) 17. McClean, C.: The forrester wave: Enterprise governance, risk, and compliance platforms, q3 2009. http://img.en25.com/Web/OpenPages/Forrester_wave_ent_ gov_risk_compl.pdf (2009) 18. Mehta, N.: Business intelligent blog: Bi for risk management. http://blog. maia-intelligence.com/2009/01/19/bi-for-risk-management/ (2009) 19. Oracle: Governance, risk, and compliance management. http://www.oracle.com/ us/solutions/corporate-governance/index.html 20. Protiviti: Proactive risk management with sap businessobjects. http://www.protiviti.de/de-DE/Headlines/Documents/ Proactive-Risk-Mgmt-SAP-BusinessObjects-Protiviti.pdf (2011) 21. Rasmusse, M.: Delivering enterprise value with oracle governance, risk, and compliance. http://www.corp-integrity.com/wp-content/uploads/2010/ 12/Delivering-Enterprise-Value-with-Oracle-GRC.pdf (2011) 22. Rojas, E.: Menor riesgo comercial con sap. http://www.muycomputerpro. com/2009/04/02/actualidadnoticiasmenor-riesgo-comercial-con-sap_ we9erk2xxdb2ywtlxinrmpb3fvcupsmvhwze2bjx__0rnojdim5h_nf_y0neem3b/ (2009) 23. de Responsabilidad y Sostenibilidad Empresaria, C.: Nueva estrategia y nueva gestin en sostenibilidad. http://comunicarseweb.com.ar/?Nueva_estrategia_ y_nueva_gestion_en_sostenibilidad&page=ampliada&id=1245&_s=&_page= contratapa (2009) 24. of Sponsoring Organizations of Treadway Commission, C.: Enterprise risk management integrated framework, new york: Aicpa (2004) 25. website, D.: Business Intelligence Systems: Turning Data into Information and empowering Decision Makers. http://career-resources.dice.com/articles/ content/entry/business_intelligence_systems_turning_data (2010)