Playing Smart! Strategies for Mitigating Online Risk
2. Agenda
■ Online Gaming – A New Challenge for Boards and Management
■ Beyond Technology Risk – Managing Reputational Risk
■ Online Gaming Reputational Risk
■ Compliance Risk
■ Operational Risk
■ Technical Risk
■ KPMG’s Holistic Model for Governance, Risk and Compliance (GRC)
© 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
3. Online Gaming – A New Challenge for Boards and Management
Managing risk, governance and compliance for online gaming
■ Online gaming is a line of business for organizations, NOT a technology endeavor.
■ There is an increased responsibility and scrutiny regarding the board’s role, capabilities and governance standards.
■ Forward thinking executive Management and Boards are seeking local AND global best practices within AND outside the industry to address online and emerging mobile phone challenges and opportunities.
■ Siloed approaches to risk management have led to duplication of functions and increased costs, yet have not provided Management and Board with assurance.
Boards of Directors and Executive Management in gaming organizations are facing new levels of risk and compliance issues with online gaming.
4. Beyond Technology Risk – Managing Reputational Risk
[Diagram: Reputational Risk at the centre, surrounded by Business Risk, Operational Risk, Technical Risk and Compliance Risk.]
Reputational risk is a combination of several risk factors:
■ Business: regulated online gaming is behind the non-regulated offerings, and the reputational risks of association or control deficiency are very high.
■ Operational: changes in processes and regulations that are not fully developed to deal with online gaming are problematic.
■ Technology: moving away from traditional lottery and gaming products and delivery models requires a fundamental shift towards highly available and secure infrastructure.
Considering business, operational, and technology risk, and compliance is critical to managing
reputational risk.
5. Online Gaming Reputational Risk
Online, mobile phone and tablet gaming risks are ranked on the heat map below.
[Heat map: Probability (Low; Possible (Moderate); Likely (High)) plotted against Consequences (Low; Medium; High). Risks plotted: Organization Structure, Corporate Governance, Gaming Integrity, Legal, System Security, Access, Data Privacy, Training, System Availability, Strategic Planning, Political, Corporate Image, Business Planning, Technological Developments, Fraud, Illegal Acts, Infrastructure, Data Integrity, Regulatory, Customer Service, Economic, Catastrophic Loss, Product Development, Competition, Financial Reporting, System Development Processes, Remote System Maintenance, User Acceptance Testing.]
Reputational risk is the cornerstone.
Online gaming can have a significant impact on the reputation of the organization.
6. Compliance Risk
■ Gaming Act not complete. Could impact the initial rollout of online gaming, and the potential pool of online gamers.
■ Standards are not universally accepted or defined
■ Competition has limited or no compliance overhead
■ Legal considerations not fully mitigated
■ Current rules based on historical gaming
■ Mobile devices are not subject to consistent standards
Compliance with laws and standards is not new to the industry; however, with online gaming there are elements that are codified and many that are not.
7. Operational Risk
■ Traditional lottery and gaming controls are of limited value
■ Potentially additional requirements for Internal Audit and Security/Compliance
■ Training considerations
■ Research, development and validation of new products
■ Mitigating risks of online fraud is complex
■ Game integrity will require additional approaches
With online gaming, lottery and gaming organizations need to review and enhance traditional control processes to meet the new risks. This will impact controls in all elements of their organization and may be impacted by external sources.
8. Technical Risk
■ Online gaming requires both a high performance and a highly available system for players to connect with and undertake transactions
■ Redundancy factor requires companies to move to 99.999 percent uptime across IT infrastructure, security and resources
■ Disaster recovery plans (DRP) need to address new users and processes
■ Online vulnerabilities increase the organization’s exposure
■ Data integrity is a key driver of success in online gaming
■ System and user access controls will now have to be extended to individuals outside of the organization
■ Strategic and business plans will have to incorporate the need for additional IT resources and costs
■ Online game testing is critically different
Any player-facing application is under a higher degree of scrutiny from the external perspective. With online gaming there are additional considerations that need to be taken into account in relation to the impact on “behind the scenes” systems and processes.
9. A Holistic Model for Gaming Governance, Risk & Compliance (GRC)
KPMG’s integrated approach for developing and establishing a successful and sustainable
GRC Framework within the organization.
[Diagram: MISSION at the centre (Strategy, Values, Business Model, Value Drivers), ringed by RESILIENCE, with four surrounding elements; other diagram labels: Business, Process, Compliance, Performance.]
Governance, Organization & Infrastructure
■ Accountability and responsibilities
Risk Profile
■ Risk drivers
■ Emerging Risks
■ Interdependencies
Enterprise Assurance
■ Continuous monitoring
■ Effectiveness and efficiency review
■ Integrated reporting
Culture & Behavior
■ Motivation / incentives
■ Ethics and compliance
10. A Holistic Approach to Governance, Risk & Compliance
Risk Profile
■ Drivers
■ Emerging risks
■ Interdependencies
Are different parts of the operation looking at risks in different ways?
■ Player registration and knowing your customer
■ Player deposit
■ Play
■ Bonus management
■ Withdrawal and knowing your customer commitments
■ Protection of customer information ongoing
With mobile devices and new form factors such as tablets playing an increasing role in online gaming,
lottery and gaming corporations must consider the origin and point of access players will use to
access online gaming functionality.
11. A Holistic Approach to Governance, Risk & Compliance
Governance Organization and Infrastructure
■ Accountability and responsibilities
Are the teams using the same systems?
■ Regulator
■ Operations
■ Internal compliance
To ensure consistency of risk coverage it will be important to understand the roles of all key
stakeholders and how they will measure risks and success.
12. A Holistic Approach to Governance, Risk & Compliance
Enterprise Assurance
■ Continuous monitoring
■ Effectiveness and efficiency review
■ Integrated reporting
Are the teams sharing results and experiences?
■ How can this be achieved?
Organizations looking at online gaming need to understand the codified elements, and have in place
controls or mitigating elements for the ones that are still not developed.
13. A Holistic Approach to Governance, Risk & Compliance
Culture and Behaviour
■ Motivation/incentives
■ Ethics and compliance
Are there different drivers within the organization?
■ Volume vs. quality
■ Responsible gaming
To be successful, GRC needs to be directly linked to organization culture and ethics, scalable and
take into account all known responsible gaming initiatives.
14. A Holistic Approach to Governance, Risk & Compliance
Where is risk being managed in your organization?
■ What risk is being managed where?
■ Identify how risk is being managed: systems, processes, reports
■ Identify tolerance levels being applied
■ Identify incompatibilities
■ Identify overlaps
■ Bring everything together
Online gaming will require that organizations review and enhance traditional control processes to
meet the new risks introduced. This will impact controls in all elements of their organization and may
be impacted by external sources.
15. Thank you
Louie Velocci, CA, CISA, CISSP, GCFA, CGEIT
Director, IT Advisory, Performance and Technology
lvelocci@kpmg.ca
(902) 483-0577
Archie Watt
Director, KPMG LLC (UK)
archiew@kpmg.co.im
+44 (0) 1624 681007
KPMG has a team of dedicated gaming professionals who work with lotteries and casinos globally.
www.kpmg.ca
16. © 2011 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG International”).