Improving Financial Performance With Better Visibility and Management of Risks & Controls Business Roundtable on GRC Treasury & Risk Magazine March 17, 2009 Christopher Daugherty, CA Corey M. Benish, CISA, Jefferson Wells

Overview of Key Points The Current Environment & Risk Key Challenges How GRC is Defined What is the True Problem? How Mature is Your GRC Program? Questions Next: The Role of Software (CA)

The Current Environment & Risk

Key Challenges

How GRC is Defined

What is the True Problem?

How Mature is Your GRC Program?

Questions

Next: The Role of Software (CA)

The Current Environment Unprecedented times? Perhaps… How it’s similar: Big declines in the stock market 47% loss between September – November 1929 42% loss between Oct. 2 and Oct. 27, 2008 Banking system shaken by bad loans and speculation How it’s different: Just recently moved into a recession Fed moved to reduce to the cost of capital (vs. increasing rates in 1929 and 1930) Aggressive intervention by the world’s central banks

Unprecedented times? Perhaps…

How it’s similar:

Big declines in the stock market

47% loss between September – November 1929

42% loss between Oct. 2 and Oct. 27, 2008

Banking system shaken by bad loans and speculation

How it’s different:

Just recently moved into a recession

Fed moved to reduce to the cost of capital (vs. increasing rates in 1929 and 1930)

Aggressive intervention by the world’s central banks

The Current Environment & Risk Risk & Compliance in 2009 Troubled Asset Relief Program is expected to come with additional compliance requirements Early congressional sessions are rumored to hold more compliance overhead Correlation between economic strife and increase in fraud Global sales of security software to rise 13 percent in 2009 (source: Gartner Research) Greater need for holistic and cost effective management of governance, risk, and compliance (“GRC”)

Risk & Compliance in 2009

Troubled Asset Relief Program is expected to come with additional compliance requirements

Early congressional sessions are rumored to hold more compliance overhead

Correlation between economic strife and increase in fraud

Global sales of security software to rise 13 percent in 2009 (source: Gartner Research)

Greater need for holistic and cost effective management of governance, risk, and compliance (“GRC”)

What is “Governance, Risk and Compliance”? GRC is a management discipline that enables an organization to clearly define its principles and goals, determine how it will address risks and uncertainties, and grow and protect value. 1 1 Source: OCEG

Key Challenges Compliance managed on a per-regulation basis Inability to view risk across the enterprise Silos of compliance create control gaps and duplication Controls testing is manual and is often done repeatedly Controls information becomes outdated quickly Risk are not often reconciled to Controls June 9, 2009 GRC Manager Business Presentation

Compliance managed on a per-regulation basis

Inability to view risk across the enterprise

Silos of compliance create control gaps and duplication

Controls testing is manual and is often done repeatedly

Controls information becomes outdated quickly

Risk are not often reconciled to Controls

Polling Question What tools do you currently use to manage your governance risks, controls, and reporting?” Spreadsheets “ SOX tool” Business Intelligence software other

What tools do you currently use to manage your governance risks, controls, and reporting?”

Spreadsheets

“ SOX tool”

Business Intelligence software

other

Fast Facts S&P announced it is basing part of their corporate ratings on the risk management maturity within the company. A bad risk management review yields a bad corporate rating, which has negative financial impacts (higher borrowing rates, etc). Average Cost of Compliance per employee: According to Competitive Enterprise Institute (www.cei.org) Company size Cost per employee Small (<20) $7.6K Medium (20-500) $5.4K Large (>500) $5.2K Consider that every year, the US Government issues almost 4,000 final rules requiring compliance and there have been 51,000 rules since 1995 June 9, 2009 GRC Manager Business Presentation

S&P announced it is basing part of their corporate ratings on the risk management maturity within the company. A bad risk management review yields a bad corporate rating, which has negative financial impacts (higher borrowing rates, etc).

Average Cost of Compliance per employee: According to Competitive Enterprise Institute (www.cei.org)

Company size Cost per employee

Small (<20) $7.6K

Medium (20-500) $5.4K

Large (>500) $5.2K

Consider that every year, the US Government issues almost 4,000 final rules requiring compliance and there have been 51,000 rules since 1995

Spending Still on Rise

Comments of Interest from SEC December 2, 2008 While many firms are considering reductions and cost-cutting measures, we remind you of your firm's legal obligation to maintain an adequate compliance program reasonably designed to achieve compliance with the law … Now more than ever, companies need to take a long-term view on compliance and realize that their fiduciary responsibility requires a constant commitment to investors. That means sustaining their support for compliance during this market turmoil, and beyond it as well.&quot; http://www.sec.gov/news/speech/2008/spch111308cc.htm

December 2, 2008

While many firms are considering reductions and cost-cutting measures, we remind you of your firm's legal obligation to maintain an adequate compliance program reasonably designed to achieve compliance with the law … Now more than ever, companies need to take a long-term view on compliance and realize that their fiduciary responsibility requires a constant commitment to investors. That means sustaining their support for compliance during this market turmoil, and beyond it as well.&quot;

http://www.sec.gov/news/speech/2008/spch111308cc.htm

How GRC is Defined GRC is an integrated system of people, processes and technology, implemented by the board, management, the workforce, and the extended enterprise which provides assurance that the organization: Understands stakeholder expectations; Sets the right objectives to meet stakeholder expectations; Achieves objectives while addressing risks and protecting value; Operates within legal, contractual, internal, social and ethical boundaries; and Provides relevant, reliable and timely information about the performance of the system to internal and external stakeholders. Source: Open Compliance Ethics Group

GRC is an integrated system of people, processes and technology, implemented by the board, management, the workforce, and the extended enterprise which provides assurance that the organization:

Understands stakeholder expectations;

Sets the right objectives to meet stakeholder expectations;

Achieves objectives while addressing risks and protecting value;

Operates within legal, contractual, internal, social and ethical boundaries; and

Provides relevant, reliable and timely information about the performance of the system to internal and external stakeholders.

Source: Open Compliance Ethics Group

What is the True Problem? UK/Ireland Canada The Privacy Act 1983 PIPEDA 2001 Canada Bill 198 Asia Pacific New Zealand – Privacy Act 1993 Australia – PA/PA(PS)A 1988/2000 2001 South Korea – eCommerce Act 1999 Japan – J-SOX Taiwan – CPPDP Law 1995 Hong Kong – Personal Data 1996 South America Chile – APPD 1998 Argentina – PDPA 2000 eCommerce Act 2000 Federal Personal Data Protection Law Mexico Europe South Africa Promotion of Access to Information Act U.S.A. FCRA 1970 PA 1974/1975 RFPA 1978 CTVPA 1984 ECPA 1986 VPPA 1988 HIPAA 1996/2002 COPPA 1998/2000 DMPEA 1999/2000 FSMA/GLBA 1999/2001 CFR 21 Part 11 Sarbanes-Oxley US Patriot Act Gramm Leach Bliley Federal Rules of Civil Procedure PCI Ireland – DP(A)A 1995/2003 UK – DPA 1995/2000 UK – Turnbull Guidance on Internal Controls UK – Smith Guidance on Audit Committees Scandinavia Sweden – PDPA 1995/1998 Iceland – Protection of Privacy as regards the Processing of Personal Data Finland – FPDA 1995/1999 Denmark – DPRA 1978, APPD 1995/2000 Italy – DPA 1995/1997 Spain – DPA 1995/2000 Portugal – PDPA 1995/1998 Greece – PIPPD 1995/1997 Belgium – LPPLRPPD 1992, DPA 1995/2001 Austria – DPA 1995/2000 Germany – FDPA 1995/2001 Luxembourg – “EUD” 1995/2002 Netherlands – PDPA 1995/2001 France – ADPDFIL 1978, “EUD” 1995/Pending Eastern Europe – Estonia (96) Poland (98) Slovak (98) Slovenia (99) Hungary (99) Czech (00) Latvia (00) Lithuania (00)

Canada

The Privacy Act 1983

PIPEDA 2001

Canada Bill 198

New Zealand – Privacy Act 1993

Australia – PA/PA(PS)A 1988/2000 2001

South Korea – eCommerce Act 1999

Japan – J-SOX

Taiwan – CPPDP Law 1995

Hong Kong – Personal Data 1996

Chile – APPD 1998

Argentina – PDPA 2000

eCommerce Act 2000

Federal Personal Data Protection Law

Promotion of Access to

Information Act

FCRA 1970

PA 1974/1975

RFPA 1978

CTVPA 1984

ECPA 1986

VPPA 1988

HIPAA 1996/2002

COPPA 1998/2000

DMPEA 1999/2000

FSMA/GLBA 1999/2001

CFR 21 Part 11

Sarbanes-Oxley

US Patriot Act

Gramm Leach Bliley

Federal Rules of Civil Procedure

PCI

Ireland – DP(A)A 1995/2003

UK – DPA 1995/2000

UK – Turnbull Guidance on Internal Controls

UK – Smith Guidance on Audit Committees

Sweden – PDPA 1995/1998

Iceland – Protection of Privacy as regards the Processing of

Personal Data

Finland – FPDA 1995/1999

Denmark – DPRA 1978, APPD 1995/2000

Italy – DPA 1995/1997

Spain – DPA 1995/2000

Portugal – PDPA 1995/1998

Greece – PIPPD 1995/1997

Belgium – LPPLRPPD 1992, DPA 1995/2001

Austria – DPA 1995/2000

Germany – FDPA 1995/2001

Luxembourg – “EUD” 1995/2002

Netherlands – PDPA 1995/2001

France – ADPDFIL 1978, “EUD” 1995/Pending

Eastern Europe – Estonia (96) Poland (98) Slovak (98) Slovenia (99) Hungary (99) Czech (00) Latvia (00) Lithuania (00)

What is the True Problem? Source: Open Compliance & Ethics Group

What is the True Problem? Risk & Compliance is Costly IT Sales and Marketing Human Resources Finance Accounting Mfg. Systems Internal Audit General Counsel SOX Internal Policies PCI GLBA CCO CRO Wasted resources for redundant controls testing. IT Remediation projects are hard to track. CCO CRO No visibility into total compliance cost. Missed opportunities to address business initiatives Systems

View of GRC Activities Selective Activities of GRC Controls and policy mapping Policy distribution and training attestation Control self-assessment and measurement Asset repository Automated collection of data Remediation and exception management Basic compliance reporting Compliance dashboards Risk evaluation

Selective Activities of GRC

Controls and policy mapping

Policy distribution and training attestation

Control self-assessment and measurement

Asset repository

Automated collection of data

Remediation and exception management

Basic compliance reporting

Compliance dashboards

Risk evaluation

Polling Question Do you currently have a GRC program in place? Yes No, but considering one No, not considering one

Do you currently have a GRC program in place?

Yes

No, but considering one

No, not considering one

How Mature is Your GRC Program? Three Pillars of Business Solutions Improve Cash Flow Help the organization more effectively manage its cash inflows and outflows Increase Bottom Line Help the organization drive more profit through short-term behavior changes, and long-term investments with a measurable return Enhance Competitive Advantage Help the organization beat its competitors by being more nimble, responsive, and proactive to changes in the market

Three Pillars of Business Solutions

Improve Cash Flow

Help the organization more effectively manage its cash inflows and outflows

Increase Bottom Line

Help the organization drive more profit through short-term behavior changes, and long-term investments with a measurable return

Enhance Competitive Advantage

Help the organization beat its competitors by being more nimble, responsive, and proactive to changes in the market

How Mature is Your GRC Program? Maturity Level GET COMPLIANT Single regulatory focus Controls for each regulation Manual controls REDUCE COST Automate some controls Manual testing Single controls for multiple regulations Track remediation costs OPTIMIZE Automate more controls Automate testing Improved decision making Compliance investment governance Integrated approach to GRC Develop Governance Programs Based on Business Objectives The Evolution of GRC: Governance, Risk, and Compliance Standardize Automate Consolidate Improve Cash Flow Increase Bottom Line Enhance Competitive Advantage 2005 2006 2007 2004 2008 2009 2010

GET COMPLIANT

Single regulatory focus

Controls for each regulation

Manual controls

REDUCE COST

Automate some controls

Manual testing

Single controls for multiple regulations

Track remediation costs

OPTIMIZE

Automate more controls

Automate testing

Improved decision making

Compliance investment governance

Integrated approach to GRC

Develop Governance Programs Based on Business Objectives

How Mature is Your GRC Program? Maturity Level The Evolution of GRC: Governance, Risk, and Compliance Get Compliant Reduce Cost Optimize Improve Cash Flow Increase Bottom Line Enhance Competitive Advantage Rationalize Consolidate Where are you in the process?

GRC Maturity Survey 2009 Source: ITGI/PwC Survey 2009

Governance Market Insights Companies are still reaching for definition Many are not sure how to measure success Defining acceptable results across business silos is difficult In some cases, this is the first time users are thinking ‘enterprise’ Business Ownership is tough without a vision of how technology can enable rather than define True Cost of Ownership often ignores the cost of the Operational Expansion of business; resource support, non-standard platforms, system integration expenses. Therefore, value is hard to realize. Cost Containment has been a good entry point; consolidating complex application landscapes & excess infrastructure

Companies are still reaching for definition

Many are not sure how to measure success

Defining acceptable results across business silos is difficult

In some cases, this is the first time users are thinking ‘enterprise’

Business Ownership is tough without a vision of how technology can enable rather than define

True Cost of Ownership often ignores the cost of the Operational Expansion of business; resource support, non-standard platforms, system integration expenses. Therefore, value is hard to realize.

Cost Containment has been a good entry point; consolidating complex application landscapes & excess infrastructure

Governance is considered a regulatory requirement; a cost, not a solution. Governance began piecemeal, and many are working to consolidate frameworks for a complete dashboard of progress (Risk, Compliance, Project, Operational). The real opportunity is to morph all governance silos into Corporate Governance. Control Rationalization, the art of consolidating controls across multiple regulatory requirements is well underway everywhere. Cost of Compliance is not typically understood, often only articulated in terms of external auditor costs. Risk & Compliance Market Insights

Governance is considered a regulatory requirement; a cost, not a solution.

Governance began piecemeal, and many are working to consolidate frameworks for a complete dashboard of progress (Risk, Compliance, Project, Operational).

The real opportunity is to morph all governance silos into Corporate Governance.

Control Rationalization, the art of consolidating controls across multiple regulatory requirements is well underway everywhere.

Cost of Compliance is not typically understood, often only articulated in terms of external auditor costs.

Compliance Posture

Risky Business

Risk Posture

Results that Matter

To learn more, visit: www.ca.com/grc http://blog.ca-grc.com or www.jeffersonwells.com

To learn more, visit:

www.ca.com/grc

http://blog.ca-grc.com

or

www.jeffersonwells.com