Implementation of SAP-GRC with the Pictet Group
Olivier VERDAN, Risk Manager, Group Risk, Pictet & Cie
11th December 2013, Zürich

Pictet & Cie | Implementation of SAP-GRC with the Pictet Group

Table of contents

1 Overview of the Pictet Group
2 Operational Risk Management at the Pictet Group
3 SAP-GRC Project
4 Main challenges of SAP-GRC implementation
5 Results of SAP-GRC implementation

1 Overview of the Pictet Group

Founded in Geneva in 1805, the Pictet Group is today one of Europe's leading independent wealth and asset managers.

Facts & Figures

- 1805: founded in Geneva
- 3300 employees
- 25 offices around the world
- 650 investment professionals
- $433bn in assets under management and custody at 30 September 2013
- 8 partners responsible for all of the Group's activities
- Independently owned Group, no external shareholder pressure

A unique positioning around three areas of business

Pictet Group

- Wealth management: wealth management solutions for private clients
  • Pictet Wealth Management
  • Services for independent asset managers
- Asset management: solutions for institutional investors and distribution of investment funds
  • Pictet Asset Management
  • Pictet Alternative Investments
- Asset services: custody bank, fund administration and trading services for institutional clients and banks
  • Pictet Asset Services
  • Trading

2 Operational Risk Management at the Pictet Group

Pictet Organisation of Operational Risk Management

Philosophy = Decentralisation

Monitoring at Group level:
- Pictet & Cie Partners' Committee
- Group Internal Audit
- Group Compliance
- Group Risk
- Group Security
- Legal Department

Monitoring at business lines and Group legal entities level:
- Board of Directors of the Group legal entities
- Senior Management of the Group legal entities: Risk Officer, Compliance Officer, COO, CFO
- Senior Management of the business lines: Risk Officer, Compliance Officer, COO, CFO

Methodology for Operational Risk Mgmt (2007 - 2013)

[Figure: manual process using MS Office tools (EXCEL, WORD, POWERPOINT). Panel labels: Risk Register by Group Unit; Sent to Group Risk by email; Manual risks consolidation; Group Risk Register for Operational Risks; Discussion of risk map between GR and Unit; Group Risk Report released. Rating scales shown: Likelihood - Frequency (1 = Rare to 5 = Almost certain); Financial impact, Reputational damage and Other impact or damage (1 = Insignificant to 5 = Extreme). Risk ranking: Low Risk, Moderate Risk, High Risk, Extremely High Risk.]

3 SAP-GRC Project

Main objectives of the SAP-GRC Project

- Reduce the risk of operational risks non-detection by interlinking information
- Reduce the administrative workload to concentrate on tasks with high added value
- A unique tool in the Group for the management of all types of operational risks
- Provide a complete functional coverage in a structured and standardized framework
- Improve compliance to Finma-Circ. 08/24 Supervision and internal control – banks and Finma Circ. 08/21 Operational risks at banks

Preliminary phases

2011
- Study of market risk management tools
- Contacts with various banks that have deployed integrated tools for operational risk management
- Choice of the tool ORC (Interexa), used by

2012
- Workshops with Interexa : March - April
- Workshops with Unit Risk Managers : June
- Decision to stop ORC and start SAP : August
  • Final estimated cost too high
  • ORC doesn't provide an internal control module
  • Presentation by SAP of GRC (including internal control module)
  • Strong sponsorship by Pictet IT as SAP already used for Finances and HR

SAPPORO Project – Risk Management module

- Selection of SAP-GRC : August 2012
- Proof of Concept : November 2012
- Start of SAPPORO Project :
- Preliminary phase with Riscomp : February-March 2013
- Business Blueprint : April 2013
- Implementation and UAT with Riscomp : May-July 2013
- Training and UAT with Unit Risk Managers : May-June 2013
- Go-Live : 29th July 2013

The 3 phases of the SAPPORO Project

- Phase 1: Risk Management (Study - Implementation)
- Phase 2: Internal Control Syst. (Study - Implementation)
- Phase 3: Incidents (Study - Implementation)

[Timeline markers: 08.2013, 06.2014]

4 Main challenges of SAP-GRC implementation

Main challenges

[Diagram labels: Pictet Methodology; Pictet Group Policy for Operational Risks]

1. Decentralised operational risk management

Challenges were:
- Collecting Unit Risk Managers' needs, with very different maturity on the operational risk management process
- Various approaches (bottom up, top down, mixed)
- Implement a solution that suits all, within a reasonable budget

Integration of decentralised Unit Risk Managers throughout the project

Main challenges

1. Decentralised operational risk management
2. Matrix organisation

Matrix Organisation

Multiple business lines, crossed with multiple legal entities, in 25 sites in the world.

Reporting needs:
- By business line (for the Management)
- By legal entity (for Supervision Authority)
- By site (for local Management)

Example of business lines:
- Pictet Wealth Management
- Pictet Asset Management Distribution
- Pictet Asset Management Investment
- Pictet Asset Services
- Trading
- Etc…

Example of legal entities:
- Pictet & Cie (Europe) SA
- Paris Branch
- Italian Branch
- Hong Kong Branch
- Etc…
- Pictet Investment Co. Ltd, London
- Pictet Funds SA
- Bank Pictet (Asia) Ltd, Singapore
- Pictet Asset Management Ltd
- Etc…

Matrix Organisation

Solution = 3 custom-defined fields within the Organisational Unit:
• Team name
• Company name
• Site name

[Diagram labels: Org. Unit (Name, Company, Site); Risk; Response]

Main challenges

1. Decentralised operational risk management
2. Matrix organisation

Because the full organisation requires downloading 1544 organisational units, other challenges were:
- Response time was too long for users with limited access (Unit Risk Managers)
- Temporary solution : partial organisation loaded into SAP-GRC only (567 org units)
- SAP has improved response time
- Automatic update of the organisation

5 Results of SAP-GRC implementation

Outcomes of the project

Positive:
- Pictet Methodology fits in SAP-GRC (risk valuation, risk categories)
- Ops Risk Mgmt Framework more robust
- Time saving: less administrative tasks, more added-value works
- Heatmap: immediate reporting tool, with extended drill down / selection capabilities
- Unique Ops Risks Register

Negative:
- SAP-GRC seemed not matured enough: we encountered a lot of bugs which tend to demonstrate the tool was not tested extensively. Examples:
- Impossible to remove a Response from a Risk
- Risk Aspect worked on Org. Name, not Org. ID
- Ergonomics not user friendly
- Graphical view incomplete
- Response can be saved without compulsory info (name)
- But good reactivity of SAP to correct bugs

Most desired improvements

- Response time
- Automatic update of Organisation / Risk Thresholds
- Underlying Risks: possibility to include or exclude them in the Heatmap
- Validity extension of a Risk

Questions ?

Thank you for your attention