Implementation of SAP-GRC with the Pictet Group

Olivier VERDAN, Risk Manager, Group Risk, Pictet & Cie
11th December 2013
Zürich
Pictet & Cie | Implementation of SAP-GRC with the Pictet Group
Table of contents
1 Overview of the Pictet Group
2 Operational Risk Management at the Pictet Group
3 SAP-GRC Project
4 Main challenges of SAP-GRC implementation
5 Results of SAP-GRC implementation
1 Overview of the Pictet Group
Founded in Geneva in 1805, the Pictet Group is today one of
Europe's leading independent wealth and asset managers.
Facts & Figures
• 1805: founded in Geneva
• 3300 employees
• 25 offices around the world
• 650 investment professionals
• $433bn in assets under management and custody at 30 September 2013
• 8 partners responsible for all of the Group’s activities
• Independently owned Group, no external shareholder pressure
A unique positioning around three areas of business
Pictet Group:
• Wealth management: wealth management solutions for private clients (Pictet Wealth Management)
• Asset management: solutions for institutional investors and distribution of investment funds (Pictet Asset Management)
• Asset services: custody bank, fund administration and trading services for institutional clients and banks (Pictet Asset Services)
Also shown: Services for independent asset managers, Pictet Alternative Investments, Trading
2 Operational Risk Management at the Pictet Group
Pictet Organisation of Operational Risk Management
Philosophy = Decentralisation
[Organisation chart]
• Pictet & Cie Partners’ Committee
• Monitoring at Group level: Group Internal Audit, Group Compliance, Group Risk, Group Security, Legal Department
• Monitoring at business lines and Group legal entities level:
  - Board of Directors of the Group legal entities
  - Senior Management of the Group legal entities: Risk Officer, Compliance Officer, COO, CFO
  - Senior Management of the business lines: Risk Officer, Compliance Officer, COO, CFO
Methodology for Operational Risk Mgmt (2007 - 2013)
[Figure: manual process using MS Office tools (Excel, Word, PowerPoint). Steps shown: Risk Register by Group Unit; sent to Group Risk by email; manual risks consolidation into the Group Risk Register for Operational Risks; discussion of risk map between GR and Unit; Group Risk Report released. Register columns shown: ID, Legal entity / site, Date of Entry, Last update, Unit, Risk Category, Risk Description, Existing Controls / Mitigation Techniques, Key Risk Indicators, Analysis & Evaluation of Residual Risk (Financial Risk, Reputational Risk, Other Risks; each with Likelihood/Frequency, Impact/Severity, Level of Residual Risk), Evaluation of Target Risk, Action plan to reduce risk, Overall responsible, Deadline, Overall progress, Date of closing. Scales shown: Likelihood - Frequency from 1 = Rare to 5 = Almost certain; Impact/Severity from 1 = Insignificant to 5 = Extreme, rated by financial impact in CHF, reputational damage and other impact or damage; risk ranking Low Risk 1-3, Moderate Risk 4-6, High Risk 8-12, Extremely High Risk 15-25.]
[Sample report text in the figure, anonymised, translated from French: "Although the risk of errors in the execution of a xxxxx order is still assessed overall as high, its current trend is considered to be improving by PCS. Indeed, the number of errors and the financial impact of incidents are lower than in previous half-years." "During the reassessment at 30 June, a new high risk was identified concerning xxxxxxx xxx."]
3 SAP-GRC Project
Main objectives of the SAP-GRC Project
• Reduce the risk of not detecting operational risks by interlinking information
• Reduce the administrative workload to concentrate on tasks with high added value
• A unique tool in the Group for the management of all types of operational risks
• Provide complete functional coverage in a structured and standardized framework
• Improve compliance with Finma-Circ. 08/24 Supervision and internal control – banks and Finma Circ. 08/21 Operational risks at banks
Preliminary phases
• 2011
  - Study of market risk management tools
  - Contacts with various banks that have deployed integrated tools for operational risk management
  - Choice of the tool ORC (Interexa), used by
• 2012
  - Workshops with Interexa: March - April
  - Workshops with Unit Risk Managers: June
  - Decision to stop ORC and start SAP: August
    - Final estimated cost too high
    - ORC doesn’t provide an internal control module
    - Presentation by SAP of GRC (including internal control module)
    - Strong sponsorship by Pictet IT as SAP already used for Finances and HR
SAPPORO Project – Risk Management module
• Selection of SAP-GRC: August 2012
• Proof of Concept: November 2012
• Start of SAPPORO Project:
  - Preliminary phase with Riscomp: February-March 2013
  - Business Blueprint: April 2013
  - Implementation and UAT with Riscomp: May-July 2013
  - Training and UAT with Unit Risk Managers: May-June 2013
  - Go-Live: 29th July 2013
The 3 phases of the SAPPORO Project
• Phase 1: Risk Management (Study - Implementation)
• Phase 2: Internal Control Syst. (Study - Implementation)
• Phase 3: Incidents (Study - Implementation)
[Timeline markers shown: 08.2013, 06.2014]
4 Main challenges of SAP-GRC implementation
Main challenges
Pictet Methodology (document shown: Pictet Group Policy for Operational Risks)
1. Decentralised operational risk management
Challenges were:
- Collecting the needs of Unit Risk Managers, who differ widely in maturity on the operational risk management process
- Various approaches (bottom up, top down, mixed)
- Implementing a solution that suits all, within a reasonable budget
→ Integration of decentralised Unit Risk Managers throughout the project
Main challenges
2. Matrix organisation
Matrix Organisation
Multiple business lines, crossed with multiple legal entities, in 25 sites in the world.
Reporting needs:
• By business line (for the Management)
• By legal entity (for Supervision Authority)
• By site (for local Management)
Example of business lines: Pictet Wealth Management; Pictet Asset Management Distribution; Pictet Asset Management Investment; Pictet Asset Services; Trading (Négoce); etc.
Example of legal entities: Pictet & Cie (Europe) SA; Paris Branch; Italian Branch; Hong Kong Branch; Pictet Investment Co. Ltd, London; Pictet Funds SA; Bank Pictet (Asia) Ltd, Singapore; Pictet Asset Management Ltd; etc.
Matrix Organisation
Solution = 3 custom-defined fields within the Organisational Unit:
• Team name
• Company name
• Site name
[Diagram: Response, Risk, Org. Unit (Name, Company, Site)]
Main challenges
2. Matrix organisation
Because the full organisation requires downloading 1544 organisational units, other challenges were:
- Response time was too long for users with limited access (Unit Risk Managers)
- Temporary solution: partial organisation loaded into SAP-GRC only (567 org units)
- SAP has improved response time
- Automatic update of the organisation
5 Results of SAP-GRC implementation
Outcomes of the project
Positive:
• Pictet Methodology fits in SAP-GRC (risk valuation, risk categories)
• Ops Risk Mgmt Framework more robust
• Time saving: fewer administrative tasks → more added-value work
• Heatmap → immediate reporting tool, with extended drill down / selection capabilities
• Unique Ops Risks Register
Negative:
• SAP-GRC seemed not mature enough: we encountered a lot of bugs, which tends to demonstrate the tool was not tested extensively. Examples:
• Impossible to remove a Response from a Risk
• Risk Aspect worked on Org. Name, not Org. ID
• Ergonomics not user friendly
• Graphical view incomplete
• Response can be saved without compulsory info (name)
• But good reactivity of SAP to correct bugs
Most desired improvements
• Response time
• Automatic update of Organisation / Risk Thresholds
• Underlying Risks: possibility to include or exclude them in the Heatmap
• Validity extension of a Risk
Questions?
Thank you for your attention