001 - Implementation of SAP-GRC With The Pictet Group - 11.12.2013

Implementation of SAP-GRC
with the Pictet Group

Pictet & Cie | Implementation of SAP-GRC with the Pictet Group
Olivier VERDAN, Risk Manager, Group Risk, Pictet & Cie
11
th
December 2013
Zrich
Table of contents
Pictet & Cie | Implementation of SAP-GRC with the Pictet Group
1 Overview of the Pictet Group
2 Operational Risk Management at the Pictet Group
3 SAP-GRC Project
4 Main challenges of SAP-GRC implementation
5 Results of SAP-GRC implementation
1
Overview of the Pictet Group
3 Pictet & Cie | Implementation of SAP-GRC with the Pictet Group
Founded in Geneva in 1805, the Pictet Group is today one of
Europe's leading independent wealth and asset managers.
Facts & Figures

1805 3300 25
founded in Geneva
employees
offices around the world
8
partners responsible for all
of the Groups activities
$433bn
Independently
owned Group, no
external shareholder
pressure
in assets under
management
and custody at
30 September 2013
650
investment professionals
A unique positioning around three areas of business

Wealth management
solutions for
private clients

Custody bank, fund administration and
trading services for institutional clients and
banks

Solutions for institutional investors and
distribution of investment funds
Pictet Group
Wealth management Asset management Asset services Asset services
Pictet Wealth Management
Services for independent
asset managers
Pictet Asset Management
Pictet Alternative
Investments
Pictet Asset Services
Trading
2
Operational Risk Management at the
Pictet Group
Pictet Organisation of Operational Risk Management
Pictet & Cie Partners Committee
Group Internal
Audit
Group Risk
Group
Compliance
Group
Security
Legal
Department
Board of Directors
of the Group legal entities
Senior Management
of the Group legal entities
C
F
O

C
O
O

C
o
m
p
l
i
a
n
c
e

O
f
f
i
c
e
r

R
i
s
k

O
f
f
i
c
e
r

Senior Management
of the business lines
C
F
O

C
O
O

C
o
m
p
l
i
a
n
c
e

O
f
f
i
c
e
r

R
i
s
k

O
f
f
i
c
e
r

M
o
n
i
t
o
r
i
n
g

a
t

b
u
s
i
n
e
s
s

l
i
n
e
s

a
n
d

G
r
o
u
p

l
e
g
a
l

e
n
t
i
t
i
e
s

l
e
v
e
l

M
o
n
i
t
o
r
i
n
g

a
t

G
r
o
u
p

l
e
v
e
l

Philosophy = Decentralisation
Methodology for Operational Risk Mgmt (2007 - 2013)
PCS Lors de la rvaluation au 30 juin, un nouveau risque
lev a t identifi concernant xxxxxxx xxx

Si le risque derreurs dans lexcution dun ordre de
xxxxx est toujours valu globalement comme lev, son
volution actuelle est considre en amlioration par
PCS. En effet, le nombre derreurs et limpact financier
des incidents sont moins importants que durant les
semestres prcdents.

Unit Descriptif
C
a
t
g
o
r i e

d
u
r i s
q
u
e

0
6
/ 0
9

1
2
/ 0
9

0
6
/ 1
0

T
e
n
d
a
n
c
e

Plan dactions & responsables /
Commentaires
A
v
a
n
c
e
-
m
e
n
t
E
c
h
a
n
c
e

p
r
v
u
e

R
i s
k
t a
r g
e
t
PCS Xxxxx

Xxxx xxx xx xxx xxxx
.
Responsable : M. Xyv

Fin
2011

PCS Erreurs
d'excution xxxx

1) xxxxx x xxx xxxx .

2) xxxx xxxx xxx x xxx

Responsable : A. Ghj

2011

PCS Survenance d'un
problme xxxxx

Xxxxx xx xx xx xx x xx xx
Xxx xx xxx xxxx .

Responsable : R. Hgk

2011

1
1
1
1
Svrit
5
4
3
2
1
0
Frquence
5 4 3 2 1 0
1
9
12
17
11
Svrit
5
4
3
2
1
0
Frquence
5 4 3 2 1 0
1
4
2
1
4
1
Z
o
n
e
d
e
s
ris
q
u
e
s

m
o
d
r
s
e
t fa
ib
le
s

n
o
n
d
ta
ill
s
EXCEL
WORD
POWERPOINT
Manual process
using MS Office
tools
1 =
2 =
3 =
4 =
5 =
L
e
g
a
l e
n
tity
/ s
ite
ID
D
a
te
o
f E
n
try
L
a
s
t u
p
d
a
te
Unit Risk Description
Risk
Category
Description by Unit
E
ffectiveness of
S
trategies
Likelihood/Frequency
Im
pact/Severity
Am
ount for Financial im
pact
in CHF
Level of Residual Risk
Im
pact/Severity
Im
pact/Severity
Description
by Unit
Description by Unit
(short description
of key elements)
Im
pact/Severity
Am
ount for Financial im
pact
in CHF
Im
pact/Severity
Im
pact/Severity
O
ve
ra
ll re
sp
o
n
sib
le
D
e
a
d
lin
e
O
ve
ra
ll p
ro
g
re
ss
D
a
te
o
f clo
sin
g
G
E
8051
31.12.08
30.06.10
PF xxx Organisation
Contrles / rconciliation
quotidienne des positions...
H 2 1
100'000
L 2 2 M Nombre d'incidents - 2 1
100'000
L 2 2 M
G
E
8052
31.12.08
30.06.10
PF xxx Technique
Reporting des incidents
Contrle 4 yeux pour chaque
opration
L 3 2
1'000'000
M 3 3 H 3 1 L Rapport d'erreurs
- Automatisation des
contrles
- Abaissement des
niveaux d'alerte
3 2
1'000'000
M 3 2 M 3 1 L
B
. M
np
31.03.11
25%
G
E
/ LU
X
8053
30.06.09
30.06.10
PF xxx Humain xxx M 2 4
10'000'000
H 2 2 M Nombre d'incidents
- Projet scurisation des
donnes
- Projets d'volution du
MIS
2 3
5'000'000
M 2 2 M 2 1 L
A
. X
yz
31.12.10
85%
G
E
8054
31.12.09
30.06.10
PF xxx Externe xxx H 4 1
200'000
M 4 3 H 4 3 H Nombre de pannes xxx 3 1
200'000
L 3 3 H 3 1 L
G
. F
gh
31.12.10
90%
Evaluation of Target Risk
Identified Risks
Action plan to reduce risk
Financial Risk
Reputational
Risk
Key Risk
Indicators
Other Risks Financial Risk
Reputational
Risk Other Risks
Min.
0
Max.
1'000'000
5'000'000
20'000'000
500'000
Analysis & Evaluation of
Residual Risk
Existing Controls /
Mitigation
Techniques
5'000'001
20'000'001
Group Risk Register for Operational Risks Unit / Date
500'001
1'000'001
1 = Rare : 5 years
2 = Unlikely : 1 - 5 years
3 = Possible : < 1 year
4 = Likely : monthly
5 = Almost certain : weekly
L i k e l i h o o d - F r e q u e n c y
1 - 3 Low Risk
4 - 6 Moderate Risk
8 - 12 High Risk
15 - 25 Extremely High Risk
R
i s k r a n k i n g
1 = Insignificant :
No media attention.
Minor complaint.
2 = Minor :
No media attention.
Multiple minor complaints.
3 = Moderate :
Local media reporting.
Moderate complaints.
4 = Major :
National & international media
reporting. Major complaints.
5 = Extreme :
Long term negative image.
Substantial complaints with losses.
R
e p u t a t i o n a l d a m
a g e
1 = Insignificant : No regulatory consequence.
2 = Minor :
No regulatory consequence.
Minor reversible injury.
3 = Moderate :
Limited regulatory consequence.
Moderate reversible injury.
4 = Major :
Significant regulatory consequence.
Major injury.
5 = Extreme :
Closure of major part of business.
Irreversible injury.
O
t h e r i m
p a c t o r d a m
a g e
Financial im
pact
B
L / E
ntity scale
Risk Register
by Group Unit
Sent to
Group-
Risk by
email
Manual risks
consolidation
Discussion
of risk map
between G-
R and Unit
Group
Risk
Report
released
3
SAP-GRC Project
Main objectives of the SAP-GRC Project
Reduce the risk of operational risks non-detection by interlinking
information

Reduce the administrative workload to concentrate on tasks with
high added value

A unique tool in the Group for the management of all types of
operational risks

Provide a complete functional coverage in a structured and
standardized framework

Improve compliance to Finma-Circ. 08/24 Supervision and internal
control banks and Finma Circ. 08/21 Operational risks at banks
Preliminary phases
2011
Study of market risk management tools
Contacts with various banks that have deployed integrated tools for operational
risk management
Choice of the tool ORC (Interexa), used by
2012
Workshops with Interexa : March - April
Workshops with Unit Risk Managers : June
Decision to stop ORC and start SAP : August
Final estimated cost too high
ORC doesnt provide an internal control module
Presentation by SAP of GRC (including internal control module)
Strong sponsorship by Pictet IT as SAP already used for Finances and HR
SAPPORO Project Risk Management module
Selection of SAP-GRC : August 2012
Proof of Concept : November 2012
Start of SAPPORO Project :
Preliminary phase with Riscomp : February-March 2013
Business Blueprint : April 2013
Implementation and UAT with Riscomp : May-July 2013
Training and UAT with Unit Risk Managers : May-June 2013
Go-Live : 29
th
July 2013
The 3 phases of the SAPPORO Project
Internal Control Syst.
Study - Implementation
Phase 2
08.2013 06.2014
Risk Management
Phase 1
Incidents
Phase 3
4
Main challenges of SAP-GRC
implementation
Main challenges
1. Decentralised operational risk management

Challenges were:
- Collecting Unit Risk Managers needs, with very different
maturity on the operational risk management process
- Various approaches (bottom up, top down, mixed)
- Implement a solution that suits all, within a reasonable budget

Integration of decentralised Unit Risk Managers throughout
the project
Pictet Methodology

P
i
c
t
e
t

G
r
o
u
p

P
o
l
i
c
y
f
o
r

O
p
e
r
a
t
i
o
n
a
l

R
i
s
k
s
Main challenges
2. Matrix organisation
Pictet Methodology

P
i
c
t
e
t

G
r
o
u
p

P
o
l
i
c
y
f
o
r

O
p
e
r
a
t
i
o
n
a
l

R
i
s
k
s

Matrix Organisation
Multiple business lines,
crossed with multiple legal entities,
in 25 sites in the world.
Reporting needs:
By business line (for the Management)
By legal entity (for Supervision
Authority)
By site (for local Management)

Pictet Wealth
Management
Pictet Asset
Management
Distribution
Pictet Asset Services
Pictet Asset
Management
Investment
Ngoce
Etc
Example of business lines Example of legal entities
Pictet & Cie (Europe) SA
Paris Branch
Italian Branch
Hong Kong Branch
Etc
Pictet Funds SA
Bank Pictet (Asia)
Ltd, Singapore
Pictet Asset
Management Ltd
Pictet Investment
Co. Ltd, London
Etc
Solution = 3 costumed defined fields within the
Organisational Unit:
Team name
Company name
Site name
Matrix Organisation
Company
Name
Risk
Response
Site
Org. Unit
Main challenges
2. Matrix organisation
Pictet Methodology

P
i
c
t
e
t

G
r
o
u
p

P
o
l
i
c
y
f
o
r

O
p
e
r
a
t
i
o
n
a
l

R
i
s
k
s

Because full organisation requires to download 1544
organisational units, others challenges were:

- Response time was too long for users with limited
access (Unit Risk Managers)

- Temporary solution : partial organisation
loaded into SAP-GRC only (567 org units)

- SAP has improved response time

- Automatic update of the organisation
5
Results of SAP-GRC implementation
Outcomes of the project
Positive:
Pictet Methodology fits in SAP-GRC (risk
valuation, risk categories)
Ops Risk Mgmt Framework more robust
Time saving: less administrative tasks
more added-value works
Heatmap immediate reporting tool, with
extended drill down / selection capabilities
Unique Ops Risks Register
Negative:
SAP-GRC seemed not matured enough:
we encountered a lot of bugs which tend to
demonstrate the tool was not tested
extensively. Examples:
Impossible to remove a Response from a
Risk
Risk Aspect worked on Org. Name, not Org.
ID
Ergonomics not user friendly
Graphical view incomplete
Response can be saved without compulsory
info (name)

But good reactivity of SAP to correct bugs
Most desired improvements
Response time
Automatic update of Organisation / Risk Thresholds
Underlying Risks: possibility to include or exclude them in the Heatmap
Validity extension of a Risk
Implementation of SAP-GRC with the Pictet Group
Questions ?

Thank you for your attention

001 - Implementation of SAP-GRC With The Pictet Group - 11.12.2013

Diunggah oleh

Informasi Dokumen

Judul Asli

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

001 - Implementation of SAP-GRC With The Pictet Group - 11.12.2013

Diunggah oleh

Hak Cipta:

Format Tersedia

Implementation of SAP-GRC

with the Pictet Group

Anda mungkin juga menyukai