
Maximising Productivity and Agility in Risk Management and Compliance blueprints

The Microsoft vision for Risk Management and Compliance culture, environment and infrastructure

Risk Management and Compliance ranks among the top strategic initiatives at most companies. Many companies are reviewing their current and future states of risk and compliance capabilities to better manage their risk exposures and adopt compliance best practices.
The Microsoft approach to simplifying enterprise risk management and compliance is holistic and flexible. It includes best-of-breed partner support and a scalable, cost-effective and integrated platform of software plus services to effectively support risk management and compliance practices. We believe that new efficiency is the way forward as companies seek productive, innovative, and cost-effective ideas to maximise and extend their existing and future investments. Based on industry research, we have compiled a future state checklist as well as emerging trends in this area.

The Microsoft approach: building future-state risk and compliance blueprints for the masses
At Microsoft, our vision is to help you build an integrated, efficient and productive risk management and compliance culture, environment and infrastructure with focus on simpler, faster and cost-effective adoption. Microsoft continues to strengthen the focus on people, policies, processes, workflows, data and reporting as the basic building blocks for risk management and compliance initiatives.
- Risk and compliance in everyday activities
- Agility and productivity in risk and compliance
- Efficient last-mile risk management and compliance

Future state of Risk Management and Compliance: your checklist!


- Risk and compliance workspace: integrated online workplace for employees to collaborate for managing risk and compliance
- Risk taxonomy and repository: consistent and standardised way of managing risk management and compliance related content
- CRO dashboard: integrated, enterprise-wide risk profile
- E-discovery: search, discovery, and hold of information
- Control room: centralised compliance monitoring and surveillance
- Records compliance: streamline electronically stored information (ESI)
- Self-serve: unlock data for self-serve risk analysis at the right time in the right format
- Spreadsheet controls: manage risk across unstructured information
- High performance computing: refresh risk computing capabilities
- IT compliance automation: automate regular repetitive tasks
- Next generation risk management and compliance architectures

Trends in the Risk Management and Compliance world: are you prepared for them?
- People-centric risk management and compliance approach
- Buy-in and empowerment of risk management and compliance for front-line employees across the organisation
- Productivity and efficiency in risk management and compliance for employees
- Cross-company collaboration in risk management and compliance as a key success factor
- Key role of collaboration in risk management and compliance efforts
- Managing electronically stored information (ESI) and records for compliance
- Risk assessment as a key element of every business process
- Emergence of IT compliance as a discipline
- Risk management and compliance agility as a competitive advantage
- End-user-driven, data-centric analysis to provide risk and business insight
- Enhanced risk models and methodologies
- Manage risk across structured/unstructured business information
- More strategic and longer-term view of risk management and compliance architectural blueprints
- Embed risk management and compliance in organisational DNA

Risk Management and Compliance

Ten reasons to choose our capabilities for Risk and Compliance projects
- Maximise existing investments and capabilities
- Familiarity: end-user ease of use and familiarity for reduced cost of training
- Efficiency: integrated offerings help in efficient workflows and processes
- Productivity: save valuable hours for employees in everyday compliance
- Last-mile: embed last-mile compliance workflow at desktop level
- Everyday activities: embed solutions in employees' regular daily activities
- Self-service: right information, right time, in the right format for end users
- Rich ecosystem of best-of-breed solution providers
- Total cost of ownership
- Rapid deployment: quick and easy deployment for fast-track projects

Our technology game changers and their impact on Risk and Compliance
- Advanced visualisation capabilities: risk and compliance analysis will get more visual
- Business Intelligence (BI) and analytics for the masses: everybody will have access to business insights and analytics
- Centralised Excel services: centrally host and control business-critical spreadsheets
- High performance computing at the desktop: high-capacity number crunching at your fingertips
- Enterprise content management for the masses: everybody manages business records
- Spatial technology for images: use of images for risk and compliance
- Search technology: pattern recognition and discovery
- Collaborative workspaces: collaboration in risk and compliance

Our principles
Microsoft has five principles in our people-centric approach to help companies execute their long-term risk management and compliance vision and blueprints:
- Maximise existing tools and investments for risk and compliance
- Drive efficiency and productivity in risk management and compliance tasks
- Embed simpler risk and compliance controls in everyday activities
- Empower risk and compliance culture by focusing on the last mile
- Automation in current and future state blueprints

Technology change affects risk management and compliance, but with Microsoft's new wave of innovative capabilities we expect a positive impact on the current and future state of risk management and compliance blueprints.

Buy, build or blend
Buy: If you prefer to buy, we have a rich ecosystem of industry-oriented, best-of-breed partner solutions. We currently collaborate with more than 100 enterprise-level global and local industry solution providers in the risk and compliance area. These partners provide industry and vertical-specific experience, helping simplify the adoption of enterprise risk management and compliance practices. A list of our rich ecosystem is available in our annual risk and compliance partner solutions guide.
Build: If you prefer to extend or build on your existing framework for risk management and compliance solutions, we can help map your needs to our core technology and capabilities for rapid deployment. For example, Microsoft Office SharePoint Server is an integrated platform with content management, forms and templates, collaboration, BI, and search capabilities. These capabilities lend themselves very well to rapid deployment of enterprise risk management and compliance frameworks.
Blend: An alternative approach is to blend elements of the buy and build offerings.

[Figure callouts: Archive and control panel for email compliance; Reputation risk and discovery]

Evolving global and local regulations across sectors


All sectors and industries: Enterprise Risk Management, Electronic discovery (E-discovery), Financial Statements (IFRS, GAAP), Sarbanes Oxley (SOX), EuroSox, Customer Data Privacy and Protection (EU e-privacy), Business Continuity Management, Data Protection Act (EU, UK, Germany), IT Security, IT Controls and Compliance (ITIL, CobiT, ISO), Payment Card Industry Data Security Standard (PCI DSS).
Manufacturing: Environmental and Health Safety (EHS), Restriction of Hazardous Substances (RoHS), Waste Electrical and Electronic Equipment, TREAD, Good Manufacturing Practice, Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH EU); utilities: FERC, NERC (US) Critical Infrastructure Protection (CIP); pharmaceutical/life sciences: EFPIA Code (EMEA), FDA CFR 21 (US).
Public sector: OMB A-123 (US), Federal Desktop Core Configuration compliance, CIP, SAS70 (US), Federal Information Security Management Act, Defense International Traffic in Arms Regulations.
Financial services: Liquidity Risk, Capital Adequacy, Basel II, Solvency II, SEC 17a-4, Markets in Financial Instruments Directive (MiFID) (EU), Health Insurance Portability and Accountability Act (HIPAA), Anti-Money Laundering.
Distribution and services: Retail PCI DSS, Genetically Modified Organism.
Communications: FCC, EU Product Safety Directive, RoHS, Electromagnetic compatibility testing (EMC).

Risk Management and Compliance related projects by sector


Communications
Company | Initiative | Building blocks
Leading Swiss telecom firm | Paperless monitoring of compliance with service level agreements across 200 systems | Microsoft Office SharePoint Server (MOSS) 2007, PerformancePoint Services, SQL Server 2008
Leading German telecom firm | Document factory for trade regulations compliance | MOSS 2007
Leading UK telecom firm | Lower risk exposure and meet industry standards protection | Forefront Security for Exchange, MOSS 2007, Internet Security & Acceleration (ISA) Server 2006
Leading Italian telecom firm | Information security, secure access & security | Windows Server 2008 Enterprise, Active Directory, Network Access Protection

Distribution and services
Company | Initiative | Building blocks
A UK frozen foods firm | Information risk management | Windows Server 2008 Active Directory Rights Management Services
Global retail chain in USA | Enterprise monitoring | System Center Operations Manager 2007
Entertainment firm, Brazil | Sarbanes Oxley | Dynamics AX

Financial services
Company | Initiative | Building blocks
Global and US leader in custodian and depository business | TARP funds tracking for local governments | Windows Vista, Live Meeting, Project 2007, Visio 2007, SQL Server, MOSS 2007
A top 5 US financial institution | Enterprise Risk Management/Basel II | MOSS 2007, Office InfoPath 2007, Office System 2007
Leading US insurance firm | Centre of Excellence: compliance & document & records management | MOSS 2007
Leading US Exchange | Streamline and speed up exchange audit function | Visual Studio Team System 2008, .NET Framework 3.5 and Office 2007, SQL Server 2005
Global financial group, France | Regulatory reporting | MOSS 2007, SQL Server 2005
Top UK bank | Risk analytics for structured derivatives | Windows High Performance Computing (HPC) Server 2008
Leading financial institution, France | Minimise loss of risk data and business continuity | Exchange Server 2007, Cluster Continuous Replication (CCR)
A securities and commodities authority, Middle East | Business continuity, virtualisation and cost reduction | Hyper-V, System Center Virtual Machine Manager 2008, Windows Server 2008 Enterprise
A leading US financial firm | Analytics | SQL Server 2008, Reporting Services, Analysis Services, SQL Server Integration Services, Excel Services, Office Excel 2007

Healthcare
Company | Initiative | Building blocks
A top US medical school and practice | HIPAA compliance & auditing | SQL Server 2008 Enterprise & SQL Server 2008 Compliance Software Development Kit (SDK)
Leading US based hospital | Compliance with governmental regulations & hazardous incidents monitoring | Exchange Server 2007, Office Professional Plus 2007


Manufacturing
Company | Initiative | Building blocks
A leading utilities cooperative association | Credentials Audit Management | Identity Lifecycle Manager 2007
Leading utilities services firm in Germany | Germany's Energy Industry Law (EnWG) | Dynamics CRM
A major worldwide energy (natural gas) engineering, procurement & construction firm | Technical documentation compliance with document control procedures | Office Basic 2007; Office Excel 2007; Office Word 2007
Pilot on Chemicals REACH compliance | Chemicals REACH | MOSS 2007
Leading Swiss biotech and life sciences MNC | 21 CFR Part 11 document compliance | MOSS 2007

Mapping Microsoft capabilities to Risk and Compliance building blocks


Microsoft building blocks and capabilities can help build a risk management and compliance culture, environment and infrastructure seamlessly into day-to-day workflows and activities.

Our capabilities
Having the right work practices and associated technology enablers in place helps foster an efficient risk management and compliance culture across an organisation and enables easy adoption by every employee involved. To this end, Microsoft and its rich ecosystem of partners support an integrated enterprise compliance and risk management environment based on organisation-wide end-user familiarity with Microsoft tools and capabilities. This helps organisations to maximise the value of their existing investments and plan their future roadmap. These building blocks from Microsoft fit into an integrated, five-pillar enterprise strategy that incorporates rules, policies, controls, people and business conduct, monitoring and reports, business-process workflows, technology and infrastructure. We also work closely with industry-leading, best-of-breed partners for risk management and compliance to deliver comprehensive solutions for enterprises.

Microsoft focuses on five solution areas within risk and compliance:
- Document and records management
- Regulatory compliance and controls
- Risk analytics and reporting
- Security and privacy
- Business continuity management


Document and records management


There are new compliance requirements regarding unstructured business information such as e-mail, presentations, documents, spreadsheets, images, telephone conversations, instant messages, blogs and wikis. We help enable organisations to rationalise and simplify the management of documents and records retention policies to ease the compliance burden for employees. Our approach to enterprise content management integrates the applications and workspaces with which users are already familiar.

Focus areas: Information Protection Policy & Governance; Records Management Capabilities; Information Security, Access & Control

Capability mapping
Functional need | Capability | Building blocks
Store and retrieve business records with ease | Enterprise content management, document repository, search and records centre | Office 2007/2010 systems; Office SharePoint Server 2007/2010; Office SharePoint Server 2007 for Search
Integrate with existing line-of-business applications | Seamless metadata connectivity with underlying applications | Office SharePoint Server 2007/2010 Business Connectivity Services
Native compliance | Compliance features embedded in technology | Office SharePoint Server 2007/2010; privacy, confidentiality, security, user access
Electronic communication storage, retention and retrieval | Managed folder provisioning, transport rules and journaling | Exchange Server 2007/2010; discovery and archiving capabilities

Regulatory compliance and controls


Different regulations mandate quality and consistency in internal controls, information access, workflows, processes and disclosures. We enable demonstrable workflows and processes for new regulations as well as existing regulatory compliance related controls activities such as E-discovery, SOX, MiFID, NERC, Corporate Governance, IT Governance, COSO, CobiT etc. C-level and board-level oversight activity and responsibility for regulatory and internal controls is now more stringent. This ensures the quality and consistency of compliance programmes, information workflows, and disclosures. We focus on the foundation of regulatory compliance and controls, enablers and technology blueprints.

Focus areas: IT Governance Foundation & Architecture; Compliance Controls Processes & Workflows; Regulatory Reporting & Disclosures

Capability mapping
Functional need | Capability | Building blocks
Controls and procedures for access to applications and information | Identity management, certification | System Center 2007, Microsoft Active Directory, Microsoft Identity Lifecycle Manager 2007
Electronic discovery, electronically stored information (ESI) | Hold, discover, search emails across multiple folders | Exchange Server 2007/2010 and Exchange Hosted Services (EHS)
Regulated access to information | Prevent unauthorised access to structured and unstructured information | Windows Rights Management Services
Ability to handle electronic discovery | Search, retrieve and produce information | Office SharePoint Server 2007/2010 for Search

Risk analytics and reporting


Many firms need to improve their ability to analyse financial and operational risk, for risk management and performance measures. Our focus is to enable collection, measurement, reporting, and monitoring of an enterprise-wide risk profile. Our approach makes risk analytics pervasive in employees' everyday activities with tools that are seamlessly integrated into existing applications and systems.

Focus areas: Risk Processes, Workflow Controls; Risk Computing & Modelling; Risk Reporting & Visualisation

Capability mapping
Functional need | Capability | Building blocks
Provide an easy-to-use, intuitive operational risk control self-assessment tool for the business | Assessment capabilities, collection of key risk indicators/events, business-friendly forms capabilities, building an enterprise-wide repository | SQL Server 2008-based risk repositories, SRS, SARS, Office Excel 2007/2010 and Excel Services in Office SharePoint Server 2007/2010
Report, monitor and compute financial risk exposures | Consolidated view of risk management exposures combined with corporate performance management | PerformancePoint Services 2007/2010
Real-time risk exposures for value-at-risk | Reduce the computing time of risk analytics and reporting | Windows HPC Server 2008, Excel Services in Office SharePoint Server 2007/2010
Integrated risk reporting and Basel II economic capital | Easy-to-use risk repository that integrates with existing data warehouses | SQL Server 2005/2008 based data warehouses


Security and privacy
Current regulations such as the Gramm-Leach-Bliley Act and SOX set specific requirements for organisations to ensure the safety and privacy of information as part of an overall technology risk programme. System breaches of personal data and information must be acknowledged publicly, creating public relations problems and potential financial disasters. Global organisations face additional privacy and security requirements from international authorities such as the European Union and the United States. Firms must continue to maintain a balanced and strategic approach to their security and privacy measures, and take the necessary steps to mitigate the various security risks and challenges. Microsoft tools and technology can help build the environment needed to maintain data and process integrity and comply with information security and privacy standards.

Focus areas: User-Centric Security & Privacy Controls & Capabilities; Data Governance; Information Security & Privacy Practices & Systems

Capability mapping
Functional need | Capability | Building blocks
User access controls and data integrity | Prevent unauthorised access | Windows Forefront Security Suite, Windows Rights Management Services
Remediate loss of sensitive business records | Encryption techniques for business information | Windows 7 BitLocker Drive Encryption, a data protection feature in Windows Vista Enterprise/Windows 7 Enterprise; BitLocker To Go
Manage security risk | Manage security | Trustworthy computing

Business continuity management


Companies are exploring alternative work practices and workflows such as remote access technology and segregation of critical functions that ensure business continuity. Although effective, these alternatives are increasingly subject to regulatory as well as governmental oversight. Microsoft capabilities can help employees access core essential services during an incident via underlying unified communications (UC) technologies and collaborative workspaces, processes and workflows. UC technologies integrate communications into everyday work processes and existing telecom infrastructures, converging Internet Protocol (IP) telephony, mobile/remote solutions, horizontally integrated communications, expanded voice-over-IP scenarios, and a common directory into a flexible, presence-based communications solution.

Focus areas: Framework & Methodology; Business-Driven Processes & Workflows; IT Architecture & Recovery Capability

Capability mapping
Functional need | Capability | Building blocks
Managing operational and technology risk by effective monitoring | Automated monitoring of problems, events, and exceptions | Microsoft System Center products
Optimise business continuity infrastructure | Hardware and software virtualisation | Windows Server 2008 Hyper-V
Business continuity management for the business | Provide employees access to core essential services during a crisis | Unified Communications Server, Groove/SharePoint Workspace
Regulation around electronic communications/e-mail records compliance | Archiving, disaster protection and e-mail compliance services | Exchange Hosted Services (continuity, archiving, filtering)

Risk Management and Compliance: Microsoft guidance and publications


Guidance and research
Microsoft regularly issues guidance and research on its risk management and compliance capabilities, as well as collaborating closely with leading industry and research bodies on industry studies and best practices.

Recent guidance
- Microsoft PRMIA Future State of Risk Management, 2010 Survey
- Basel II Implementations: Convergence with Customer Insights and Risk-Based Financial Management
- IT Compliance Guide
- MSFT Dynamics Compliance Guide
- Securing the Cloud
- MOF Risk Management Discipline for Operations 4.0
- SQL Server 2008 Compliance Guide
- Microsoft's Compliance Framework for Online Services

Showcases
- Document and Records Management
- Document and Records Management
- Compliance and Risk Management

Past guidance
- Managing Records for Compliance
- Microsoft PRMIA Global Enterprise Risk Management Survey 2008
- Meeting the E-mail Compliance Challenge with Microsoft Exchange Server 2007
- Spreadsheet Compliance in the 2007 Microsoft Office System
- Compliance Features in the 2007 Microsoft Office System
- Office Visio SOX Connector
- FRCP Impact: Study with Osterman Research Inc.
- The Regulatory Compliance Planning Guide
- Disaster Planning and Recovery with Office
- Regulatory Compliance using MOSS
- Security Compliance Management Toolkit
- Security Risk Management Guide

For more information, visit the Microsoft compliance web site at www.microsoft.com/grc or the Microsoft Industries web site www.microsoft.com/industry. Please contact your local Microsoft representative or email Sai Sireesh, ssireesh@microsoft.com or Stefan Zimmermann, stefanzi@microsoft.com.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Dynamics, Excel, Forefront, Groove, InfoPath, Hyper-V, PerformancePoint, SharePoint, SQL Server, Visual Studio, Visio, Windows, Windows Server are either registered trademarks or trademarks of the Microsoft group of companies. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Readers should take appropriate professional advice before acting on any Risk Management and Compliance issue raised herein.
