Harvard Pilgrim Healthcare Oracle GRC case study gen7982 update# 3

Jan 28, 2018

Page 1: Harvard Pilgrim Healthcare Oracle GRC case study gen7982 update# 3

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |

Oracle Risk Management (GRC) Product Strategy Update GEN7982

Sid Sinha Oracle Application Development Oct 27, 2015

Presented with

Page 2


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Page 3


Introductions

• Chuck Scheller – Director of Business Systems, Harvard Pilgrim HealthCare. Chuck manages the application lifecycle of HPHC’s Oracle eBusiness Suite. This work includes: solutions knowledge, planning and feasibility, projects and execution, maintenance and support, and infrastructure and training. Chuck has been with HPHC since 1984 and was Program Director responsible for selecting and implementing Oracle as HPHC’s financial application solution in 2001.

Page 4


Agenda

1. Oracle GRC Product Strategy Update
2. Case Study: Skechers
3. Case Study: Harvard Pilgrim HealthCare
4. KPMG Best Practice Update
5. Wrap-up

Page 5

Leveraging Oracle GRC Advanced Controls

Agenda

1. Background

2. Project Approach

3. Key Benefits for Harvard Pilgrim

4. ROI Framework

5. AIM to AACG Integration

6. Questions


Page 6

Background

About Harvard Pilgrim Health Care

Harvard Pilgrim Health Care is a not-for-profit health services company serving more than one million members in New England. Founded in 1969, the health plan has built its reputation on pragmatic innovation with a goal of lowering costs, improving care and enhancing the overall member experience. Harvard Pilgrim is known for its excellent clinical programs, customer service, health improvement strategies and innovative tools that offer consumers greater transparency and empower them to make better decisions about their health care.

Page 7

Background (continued)

As Director of Business Systems, my role is to manage the application lifecycle of HPHC’s Oracle eBusiness Suite. This work includes: solutions knowledge, planning and feasibility, projects and execution, maintenance and support, and infrastructure and training. I’ve been with HPHC since 1984 and was Program Director responsible for selecting and implementing Oracle as HPHC’s financial application solution in 2001.

HPHC runs over 30 V12.2.4 eBS apps on 11G Db as a single instance in a Linux RAC environment.

Page 8

Project Approach – Oracle GRC Manager (2010)

Harvard Pilgrim engaged with PwC in late 2010 to implement the Oracle Governance Risk and Compliance Manager solution for Model Audit Rule (MAR) and SSAE16 compliance activities and reporting.

As a part of this initiative, PwC team members worked closely with HPHC’s Financial Controls Manager to design and implement a data repository for compliance content and to automate periodic assessment activities and reporting for MAR and SSAE16.

Page 9

Project Approach – Oracle GRC Manager (2010)

Highlights of HPHC’s GRC Manager Program

– Which part of HPHC business owns the Financial Audit process? (Internal Audit, Controller, Compliance office...) - Finance via Controller owns this process.

– Are external auditors involved in the process? - Yes, we have an external audit of our financial statements annually as well as an SSAE 16 audit annually. Model Audit Rule work is done only via internal audit.

– Was there a single driver for adopting GRC Manager? - We wanted to have one place to document all of our controls that could be easily updated and accessed for audit support.

– What was the method used before GRC Manager (spreadsheets, emails?) - Mainly spreadsheets.

Page 10

Project Approach – Oracle GRC Manager (2010)

Highlights of HPHC’s GRC Manager Program (continued)

– How many controls are documented? - Approximately 150.

– How often are assessments done? - For Model Audit Rule we do an annual and a mid-year assessment update of controls, just to see if anything material is new.

– How are results reported? - Results are reported to senior management and the Audit Committee annually, but more often with an internal group who is responsible for Model Audit Rule; that is done at least twice a year.

– How are issues handled? - Issues are discussed with the control owners and reported from internal audit to the group in finance which is responsible for the Model Audit Rule program.

Page 11

Project Approach – Oracle GRC Manager (2010)

Highlights of HPHC’s GRC Manager Program (continued)

– Is it important to link documented financial controls (GRC Manager) with automated controls testing results (Access Controls, Transaction Controls) in the long run? - Yes, and hopefully in the long run, when the automated controls are documented and assessed, it will be easier to reduce reliance on non-automated controls.

Page 12

Project Approach – Oracle GRC Manager (2010)

“Harvard Pilgrim selected Oracle Fusion Advanced Controls to help improve controls through automation, improve efficiencies in the audit and testing process and to ultimately help the Company reduce costs while still maintaining a robust system of internal controls,” said Michelle Clayman, corporate controller at Harvard Pilgrim Health Care.

Page 13

Project Approach – Oracle Insight (2012)

In 2012, PwC and the Oracle Insight team conducted a week-long discovery session to identify opportunity for Harvard Pilgrim to leverage the Oracle GRC Controls solution in advance of the Oracle R12 upgrade. The team identified and recommended a three-phase iterative implementation project to build incremental value for Harvard Pilgrim:

Phase 1 – Quick Wins

– Review, prioritize and identify key corporate-wide and division-specific controls for potential automation using Oracle GRC Controls

– Maintain focus on acquiring value and decreasing manual effort by the audit teams in executing Segregation of Duties (SOD) testing, access reviews, and configuration change management

– Implement SOD access controls (AACG) and configurations monitoring (CCG)

Phase 2 – Facilitate R12 Upgrade and Implement Transaction Controls (current stage)

– Maximize usage of AACG and CCG to facilitate R12 upgrade efforts

– Conduct workshops with business process owners to identify high-risk transactional controls

– Evaluate opportunity to implement transaction controls (TCG) to address key transactional-level risk exposures in Oracle EBS

Phase 3 – GRC Optimization Assessment

– Evaluate opportunity to implement preventive/approval-based SOD controls

– Evaluate opportunity to implement approval-based change control for key EBS configurations

– Evaluate integration between GRC Controls and GRC Manager to automate Model Audit Rule testing

– Assess and provide scope for Oracle Health Insurance integration to GRC Controls

Page 14

Key Benefits for Harvard Pilgrim

– Reduce manual efforts to compile reporting packages for periodic access reviews and configuration change controls

– Maintain integrity of system configurations and provide the ability to track unintended changes from periodic maintenance and patching activities

– Establish Segregation of Duties policies to reduce the cost of the R12 upgrade and prevent remediation of access violations post go-live

– Reduce the level of effort to document and manage system configuration changes during the R12 upgrade

– Automate the continuous monitoring of key financial controls to reduce the risk of fraudulent transactions

– Expected reduction in external audit scope and fees through the use of an automated tool

Page 15

HPHC ROI

Tangible Cost Savings (Total ROI 6 years)

– Access Management – Leverage AACG to reduce the level of effort to provision, monitor, and remediate access risk exposures across IT, Internal and External Audit

– Controls Management – Leverage CCG to reduce the level of effort to manage and test Oracle configuration change controls across IT, HPHC Business, Internal and External Audit

– R12 Upgrade – Leverage AACG and CCG to facilitate R12 upgrade activities such as instance comparison and new responsibility design during the R12 upgrade and subsequent periods

Page 16

HPHC ROI (continued)

Risk Reduction

– Reduce risk of Fraud, Waste and Abuse by leveraging continuous auditing of access and configuration change control

  - Reduce access risk exposure by defining and reviewing SOD and Restricted Access controls at the user and function level

  - Reduce risk of inappropriate changes to Oracle configuration through an enhanced ability to test configuration change controls by producing a system record of changes and audit trail evidence

– Pushes controls testing responsibility and compliance ownership to business area owners. Frees internal audit hours to pursue other IA initiatives versus access and configuration controls testing

– Preventive User Access Administration (automated SOD Policies via AIM)

Page 17

AIM to AACG Interface


Page 18


Proposed Agenda

1. GRC Product Update
2. Case Study: Harvard Pilgrim HealthCare
3. Case Study: Skechers
4. KPMG Best Practice Update
5. Wrap-up

Page 19


– Update Documentation: Import Spreadsheets; Update Process, Control & Risks; Test Plans, Review, Approvals

– Automate Assessments: Select Controls based on Risk; Conduct Surveys; Design, Operating & Audit

– Resolve Issues: Set Priority and Due Dates; Remediation Plans; Notifications

– Manage Incidents: Assign Owners, Attach evidence

– Remembers decisions for next control run (self-learning)

– Graphical Authoring; User Defined Controls

– Eliminate False Positives; Uncover Data Patterns

– Detect Suspicious Transactions; Pre-built Library of Controls

– 1350 Data Elements; P2P & Expense Controls

Page 20


Case Studies and Speakers at OpenWorld 2015

Source-to-Settle

Page 21


Follow Us & join the conversation.

Oracle GRC Advanced Controls Group

OracleAdvControls @OracleAdvCntrls

Page 22


Risk Management Cloud Resources

cloud.oracle.com

– Release 10 Readiness
– Documentation
– Customer Connect

Page 23


Keep Learning with Oracle University

education.oracle.com

– Classroom Training
– Learning Subscription
– Live Virtual Class
– Training On Demand

Cloud | Technology | Applications | Industries

Page 24


Safe Harbor Statement

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
