DMS for First American

1
MetricStream Governance, Risk, Compliance
Quality Management Solutions
ERM Execution Framework
Gaurav Kapoor General Manager and CFO September
11, 2008
2
AGENDA

• Need for enterprise wide Risk Management
• Framework for ERM
• Case Study
• About MetricStream

3
Increasing Risk of large losses
Allied Irish Bank 750 Mi Internal Fraud / Lack
of Internal Controls
Enterprise Risk Management
Barings Bank 1.6bn Poor Operational Risk
Management
Daiwa Bank 1.1bn Poor Management Control
Morgan Grenfell 640Mi Misrepresentation
Sumitomo Corp 1.8bn Fraud and Forgery
Proctor Gamble 157Mi Lack of Management
Understanding
Orange County 1.7bn Lack of Management Control
4
Increasing Risk of non-compliance
Source CFO Research Services
5
Drivers of change and development

• Global Regulatory developments
• Rating agency views
• Capital Market Shocks
• Convergence of financial products, markets,
  globalization
• Board attention due to publics demands for
  certain assurances

6
Integrated GRC - Stakeholders

• Executive sponsor for overall company compliance
  processes
• Co-certify Sarbanes Oxley Compliance
• Ensure compliance with government regulations

• Oversee GRC processes
• Set compliance tone for the company

Chief Executive Officer
Board of Directors
Internal Audit
Chief Compliance Officer
Chief Information Officer
Chief HR Officer
Chief Risk Officer
Chief Financial Officer

• Information integrity
• Systems integrity
• Data security

• Compliance to industry regulations
• Compliance with government regulations (e.g.,
  Anti-Money Laundering, Foreign Corrupt Practices
  Act)
• Implementation and management of company
  compliance architecture

• Compliance with HR policies and procedures
• Compliance with government health and safety
  regulations
• Certification training

• Enterprise Risk Management (Financial
  Operational)
• External Risk Management

• Company-wide financial compliance
• Sarbanes Oxley Certification
• Financial integrity

Chief Quality Officer
Chief Legal Officer

• Compliance with quality standards
• ISO, 6 sigma
• Industry quality like TS, ISO13485 etc

• Code of Ethics
• Options Management
• Corporate Governance

7
AGENDA

• Need for enterprise wide Risk Management
• Framework for ERM
• Case Study
• About MetricStream

8
Enterprise Risk Model
Inherent Risk
Risk Mitigation
Risk Factors
Likelihood
Residual Risk
Impact
9
Business Risk Matrix
Terminate
Reduce Risk
Risk Level
Extreme
Accept
Reduce Control
High
Likelihood
Moderate
Low
Ignore
Impact
10
Risk Pyramid
Risk/Cost of Mitigation
Risk Management Strategies
Description

• Identification of Future Threats

• Ongoing Monitoring of Internal and External Risks

• Periodic Assessment of Risk

• Implementation of Business Financial Controls
  to Mitigate Risk

• Attestation That Management Has Financial
  Controls in Place

11
SP Risk Management Framework
Enterprise Risk Management
Risk Management Culture Governance
Strategic Risk Management
Emerging Risks
Risk Controls
Company Operations
12
Enterprise Risk Management
Risk Assessment

• Develop strategies for lowering risk

Risk Mitigation
Risk Scoping
Force-Ranking of Risks

• Location/Division
• Statutory Group
• Product Line
• Commodity Group

Inherent Risks
Residual Risk
Risk Mitigation
Management Consensus
Library of Risks
Controls
Internal Audit

• e.g.,
• Financial
• External, e.g., Political
• Operational

• Gain management consensus for risk assessment

Risk Factors
Compliance Strategy
3rd Party Testing
Self Audit
Risk Analytics
13
Key Risk Indicator
Executive KRIs
External Feeds
Data. Mart
KRI Dashboard
Data. Mart
Legacy Systems
MetricStream
Data. Mart
Loss Management
Data. Mart
Risk Self Assessment
Controls Testing
Issues Management
14
Governance, Risk and Compliance Cycle
GRC Dashboards

• Risk Heat Maps
• Scorecards
• Analytics

Certification

• Executive sign-offs,
• Process certification,
• Letters of representation
• Regulatory reporting

Design and Documentation

• Design and document control hierarchy
• Processes, Risks, Controls
• Test plans, Alert Triggers
• Remediation workflows
• Manage documentation

Remediation

• Real-time process for resolving issues
• Deficiencies and remediation
• Loss Qualification

Control Monitoring

• Testing and Audits
• Self assessments
• Surveys
• Automated
• Triggers and Alerts

15
Loss Management Framework
Identify Loss

• Interfaces with reporting systems
• Manual entry

• Summarize losses into categories
• Management statistics on significant losses
• Define risk profile for losses

Summarize Losses by Category

• Executive reporting
• Database of information regarding losses
• Wide distribution of loss information to key
  stakeholders

Report on Losses
Launch Cases for Selected Loss Categories

• Workflow to launch loss management cases for case
  value over a threshold amount
• Loss case tracking

Monitor the Process

• Program management of loss tracking and reporting
  process

16
Business Continuity and Emergency Notification

• Via
• Email
• Phone
• SMS
• FAX
• Pager

• Deliver notifications
• Confirm delivery
• Collect responses

• Define
• Risks
• Controls
• Key Risk Indicators (KRIs)

• Monitor controls
• Surveys
• Self assessments
• Audits
• Automated testing feeds

• Emergency Notification
• Inform

• Stamp/ record in MetricStream

Incident Management
Remediation Alerts
Enterprise Risk Management
Controls Testing
Ad Hoc initiation of notification
Workflow-driven action items
Ad Hoc issue/ event

• E.g. Earthquake
• Fire

• E.g. Virus Attack

Real-Time Reporting from the Authoritative
System of Record
17
MetricStream Risk Scenarios
18
Enterprise Risk Management
FederateResponsibility Roll Up Assessments
Risk Flows into Business Performance
Risk Appetite Drives organizational behavior
Rationalize Risks Through Collaboration
Value
Collaborate on Classifying Risk
Alerts,Data Feeds
Manage Market, Credit and Operational Risk
RiskManagementSolution
Identify, Classify Document Risks
Assess Risk
Mitigate Risk
Analyze Risk
RelatedModules
19
SCREENSHOTS
20
Risk and Compliance Dashboards and Control Charts
Risk Heat Map by Process
Issue Status Tracking
21
Define Multiple Executive Reports
Trend Charts
Pareto Analysis
Heat Maps
22
Risk Analytics
Risk Assessment Classifications
Computed Risk Scores
Assess Risk across Functions / Categories
Compute Risk Score based on Impact, Likelihood,
and Weighting Factors
Risk Categories and Types are configurable
23
(No Transcript)
24
3 x 3 Risk Exposure Report
25
Risk Scorecard
Residual Risk
Inherent Risk
Cost
Risk Type ? Define Risk Score for
Entity/Process/Asset Class/Issue etc.
Inherent and Residual Risk Scores
Compliance Area
Color Codes to Highlight Thresholds
26
Loss Tracking Dashboard
External Loss Tracking (Recalls, Legislation,
Competitor Issues) (Links to External Data
Sources for Tracking Operational Losses)
Internal Loss Tracking (Dashboards for monitoring
internal losses)
27
Loss Management
Regulation Impact (e.g. FDA, EHS)
Color Coded Thresholds
Loss Amounts ()
Impact and Likelihood
28
Loss Trend Dashboard
Trend of Losses
Details of Losses
Source of Loss
Color Coded Thresholds
Break-Up of Losses by Root Cause
29
Issue Management
Organization
Issue Classification
Activity Impacted
Description
Importance
Owner
Follow Up
Action Plan Details
30
Perform Risk Assessment
Configurable Risk Types, Assessment Methodology
and algorithms
Inherent Risk Score
What If Analysis Aggregate Risk Exposure using 6
Elements
Residual Risk Score based on Inherent, Control
and Treatment Scores
31
Track Multiple Controls to Mitigate Risk
Track Multiple Treatment Procedures to Mitigate
Risk
Define Threshold Conditions and Trigger
Escalations
Track Losses and Liabilities
32
Risk Management Benefits
Quantitative Easy to measure
Qualitative Hard to measure but high impact

• Lower incidence of loss events
• Identify positive business opportunities within
  the companys risk threshold
• More tightly manage customer credit
• Broaden the number of risk factors the
  organization is tracking and measuring
• Reduce the direct cost of risk management
  activities
• Quantify market risks and use market risk as
  another input to decision making processes

• Increase management consensus on business risks
• Build a corporate culture with higher risk
  awareness
• React faster and earlier to loss events
• Increase company credit rating (SP)
• Become a risk-management first mover
• Build shareholder value through better risk
  management practices
• Build customer confidence
• Build predictability of company performance

33
AGENDA

• Need for enterprise wide Risk Management
• Framework for ERM
• Case Study
• About MetricStream

34
Case Study I Stock Exchange

• Key Challenges in Managing Risk and Compliance
• No easy way to identify and quantify risks
• Challenge in Linking Risks to Compliance
  requirements, processes and mitigating controls
• Difficult to implement strict access control or
  deploy a streamlined process
• Solution Offering from MetricStream
• Ability to span across the enterprise and have
  standardized framework and platform that solved
  NASDAQs current business problems as well as had
  the capability to be easily extended to address
  newer emerging requirements SOX, NASD, Contract,
  Trading,Business Risk
• Value offered by MetricStreams
  ComplianceOnline.com to enable effective
  implementation and adoption of risk and
  compliance programs

35
Case Study II Large Utility

• Quick Facts
• Operates power plants with electricity
  generating capacity.
• Nuclear generator in the United States.
• Delivers electricity to utility customers
• Supplies natural gas to customers
• Operates a system composed of high-voltage
  transmission lines and transmission substations.

36
Case Study II Large Utility

• Business Issues - Used a home grown system to
  facilitate Enterprise Risk Management (ERM) and
  multiregulatory Processes.
• Disparate and fragmented view to risk and
  compliance
• Limited integration with other applications and
  portals
• Significant increase over the last several years
  in the number of compliance requirements as well
  as additional scrutiny by various regulatory
  bodies.
• More and more departments in the company put
  compliance programs in place, they are looking
  for technology solutions to help facilitate the
  process.

• Solution
• FERC, NERC, SOX, Energy Trading, Physical
  Security, Environmental Risk all on 1 platform
• Ability to co-relate risk to core operations for
  more effectiveness
• Adoption of external and internal risk factors
  into framework

37
AGENDA

• Need for enterprise wide Risk Management
• Framework for ERM
• Case Study
• About MetricStream

38
MetricStream Corporate Overview
Integrated Governance, Risk, Compliance and
Quality Management Solution Provider for Global
Enterprises to help them with better Business
Performance
Mission

• Corporate Governance
• Regulatory Compliance
• Risk Management
• Operational Compliance/ Quality Management

Solutions

• Kleiner Perkins Caufield Byers (Google, Amazon,
  Cisco, Genentech)
• Advanced Equities (Motricity, Infinera, Alien)
• Integral Capital Partners (Qualcomm, Google,
  Flextronics)

LeadingInvestors
StrategicPartners

• Technology - Enterprise Compliance Platform 9
  Patents
• Breadth of Solutions Single vendor for all
  compliance and quality needs
• Cross-industry Best Practices and Domain
  Knowledge
• ComplianceOnline.com - Largest Compliance portal
  on the web

KeyDifferentiators
39
Industry Leadership Recognition
Exclusive Go-to-Market Partner for GRC
Solutions Featured Panelist 2007 2008 GRC
Webinar
40
Compliance Online Portal

• Content from the most reliable and current
  sources, including white papers and templates on
  industry best practices
• Training from the noted industry experts
• One of the largest repository of products in
  quality and compliance
• Tailored alerts for timely and relevant
  compliance related news
• Collaboration with industry peers via community
  forums focused on specific regulations

41
Leadership

• Through Vision
• Early to see Integrated GRC and Quality
  Management
• Only Vendor to create content through
  ComplianceOnline
• Through Products
• Patented Technologies
• Platform - Integration and scalability
• ComplianceOnline Portal
• Through People
• Board and Investors
• Domain Experts Leading experts from Industry
• Through Association
• Leading Customers of the industry
• Associations and memberships OCEG, NASDAQ,
  SVLG, BAO, etc

42
Leaders work with Leaders
43
Delivering Tangible Value to all Stakeholders
44
THANK YOU