Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Okay, let's move forward. The next keynote is the one which will be given by Karl Markoff managing director at eon it game behalf. He'll talk about compliance, driven identity and access governance. Here we are. Okay. Or that way can take it also. It cannot take that way. There's a microphone and, oh, sorry. I know it's correct. Here are your slides here. You can go forward. I think it's a very interesting project. I'm a little familiar with it and it's really about best practice now. Yeah. Thanks a lot, Martin. So good afternoon, ladies and gentleman.
So I would like to tell you a bit why for eon for a big company identity and access management is so important. To be honest, don't expect too much technical experience from my side. I'm only a bit over overhead function. So I'm in the board of eon it. That is where we run it at eon. That is a 3000 company people company. The expertise is maybe a bit with you, but from my presentation, I would like to point out from a management point of view. Why is that so important in a quiet, boring industry you would say, and a swell because it has changed a lot dramatically over the years.
And I would explain how we really tackled that change in our industry and then focus a bit on the project we successfully completed with the help of cooking, a coal as well. So that is a bit, allow me five minutes. I know it's not very entertaining to present a bit. The company I do it very shortly. The second is I would like to explain a bit the compliance topic in a, in a trading business. It's not a bank. It's an energy trading company. ZUS eon global commodities approach to be compliant in a real fast changing builds.
And fourth one slide about our lessons learned from the bold perspective. So, you know, we are Ian, we are acting in Europe, in Russia, in us, and we try to be follow us long. That means cleaner and better energy and cleaner. I think it's quite obvious to reduce CO2, to protect our environment. Better energy means a bit streamlining our processes as well. And the project we did contributed a lot in streamlining our user access management, as we did before a non-automated standard, a lot of audit findings to that where we are coming now to real a very, very automated process.
And we made a bit our auditors. So PW Z it's much more satisfied with us after that project as they were before. I think where I'm focusing today. So we have six pillars in the company where I'm focusing today is optimization and trading. So you know that we are trading in the energies. So we trade in 40 countries. We have a strong presence. Only the European energy changes. What we trade is power net regards, energy, oil products, coal freight, and carbon. So that means that is a very Compli drift organization. But to be very honest with you.
So there are some representatives from the bank industry. We haven't had that experience that you did. So we started it with trading 10 years ago, and we tried to really recruit the best people from the banks. But to be honest, if you work in maybe German bank organization in the trading area, as a trader, you would probably earn at least five, six, maybe up to 10 times, and you earn in a, in a, as a trade and energy business. So therefore I would say we are a bit behind for a bit more behind the bank industry, what you do our, our best.
So you see we've had a foundation in 2008, we are now active in a lot of exchanges in Europe and us. We are going now to Singapore, to other countries and we have 1500 or hundred employees in this law for centralized that. And that's it about the young company presentation? Why is that so important to have that compliance focus in it in a big organization like eon? It's very simple because the business model we were acting on has changed dramatically. You see on the left hand side in Europe, so we had monopoly market. We had regulated market.
We are the only generation we had transmission and we had retail. Now we are coming to strongly liberalize market. So we have generation, we have our part, which term speaking of today, it's the wholesale trading part. We have the transmission part, we have distribution and we have retail and we call that unbundling. So we need to act on a very, very, I would say segregated separation of all of the different value chains.
You see, opportunities we have, of course we can earn. First of all, we hatch our power plants. That that is most important. We do that three years in advance. That is what the traders are doing for us. It's not so interesting.
Secondly, of course, we can speculate a bit on the energy market. We can speculate in two years time, is it cold? Is it not cold? Nobody knows. But sometimes we earn some money. Sometimes we lose a lot. The thirties, of course, we can a bit optimize the sales business and that what we buy, maybe a good example is the long term contracts from gas problems. So there we are doing optimizing and trading as well, but we have a lot of new risk and you see one which came up. I think it was the 5th of June, 2012.
It was explicitly during our project phase where we need to communicate to public, that we had the risk that we will lose some billions after traders irregulatory. And then of course, as a CIO of that trading organization, it gets a bit warm cause hundreds of people are coming in investigating not only PWC internal audits. And then of course you need to prove as a COO that you did everything in order to prevent the company from fraud. And at the end of the day, the outcome was that it was really not about ISAs systems is what a bit.
We didn't lose millions, to be honest, it was much less than that, but we had at least some improvements in the processes, in our risk area. And through, of course at that business is coming up, being more attractive in the future, we have a new set of compliance requirements and we have a lot of new laws. So European market infrastructure regulation re so that is what the banks already are doing since years. And that is applied to the trading business at the moment as well. So therefore for us compliance user access in a very detailed one is very, very important.
Just a bit to give you a flavor where we changed and what impact it has for compliance user access management, identity management. So we changed the whole boat during the last five years. The last change was some of you in Europe may know eon Rugers. So it disappeared two weeks ago. So it's now eon global commodities. So Rugers is integrated. So we did it successfully, but of course the consequ advances in such a journey is that you have a lot of manual workarounds. You have a lot of outed findings and you always need to prove your board.
And I've seen the risk committee of E I G quite often, the last two, three years, you always need to prove that you're fully compliant. And the CFO and the CEO is always asking that you really ensure that everything is done, that we are compliant. Even if you change 100% of the organization, you see a bit of my target for the last years. So it was more or less in the compliance area, always the same. So it just want to highlight the last three or four. So we did a lot of regular forensic audits. We of course, tried to improve it.
Compliance governance, increase awareness of rules and procedures. It's very important with traders because they always find their way out and forced to improve our user access management. It's a very detailed one. Normally you don't get that as a CEO, but remembering that, what I told before that there were, of course, some risk, there were maybe some irregulatory that was part of a target, which I tried to fulfill the last years. And you see a bit why that is so important in a company like eon. So we run and are accountable for 75 of eon sales. So remembering it was 130 billion.
It's quite a lot. We are managing 80% of our company risk. We have a risk capital at the moment of nearly 500 million Euro, which is out every day. The traders at HCS or young global commodities have the lever to sign business deals and carry high financial responsibility. And you have a lot of pressure from the regulatory to more or less, have lot more transparency on every deal on every day to the different organizations they are building up. And you see that is coming back to you. Having a lot of internal audits we had in the last year, more than 50 internal audits.
And of course, then you get a bit more detail. User access management is one key, even if it is very detailed one. So we had a long discussion how we get better. And in the board we decided at the end of the day, we do really a comprehensive approach. We don't do internally, let's say AFL eyes. So we don't heal some parts of the compliance pieces.
We said, okay, we do really a comprehensive and overall program. And we said, at least in the energy training business, we want to be best in laws. So in part, so in terms of procedures, it's not only about it, about role concepts and about of cruise our systems. So first of all, we started a bit with assessing our compliance culture and we were shocked at the end of the day in the board, to be honest, because it was, I would say, even in the front office, a quite a quite challenging one, if I would like express like that. So they didn't take care too much of that topic.
They didn't take care too much of risk policies we had implemented. So that was the starting point. And that convinced us that we should move forward with, with that comprehensive approach. Then we enhanced a bit, our user access management, which was at that time, very, very manual. We had five trading systems. We tried to bring it together. We are successful now with starting next week, but he said, okay, we need one central access repository.
So for all traders in the front office, and especially from the back office, we found a lot of user roles that I could bring in a deal for millions of euros and could release the deal on the other hand. So we wouldn't have seen, if that money goes out in the freight business, we saw a lot of privileges of user, which could pay millions of dollars, two vessels, which carried our L G or our coal. And we wouldn't have seen that. So that was a bit the starting point.
So therefore we said, okay, we focus very much on the user access management we did with the help of auditors, a lot of application compliance assessment. So sitting down with different applications with the business, assess if we are really compliant to different policies, we have published, we try to reduce every interim solution because that is always peering a bit of risk that you never know what he's doing. And how is that connected to rest of the business world reduced as well? The dependency on individuals, we try to bring it more to teams to have at least four eye principles, etc.
So all that is a bit of a matter of cruise. We updated our security concept. It took it quite seriously. We started a security campaign in the group last but not least. We tried in every application and that was very important to ensure functional separation and segregation of duty, to avoid irregular access, to training and other systems. Let me give you one example, and that is the example we did together with the company who is hosting the event today, do not know too much about your company, but I heard you did a good job. Thank you for that.
So that was the central access repository implemented to enhance our user access management. I heard we work quite fast. At least my people tell me that I hope it was true. So we tried to ramp it up in 11 months so that we really have an overview who is having what access to what systems and are we compliant with the current situation? What we did in additional was defining and automate the user access management processes together with the business. So important was that we had more or less the driving part from myself and our chief risk officer. And we had two parts.
So one coming from the businesses project lead and one coming from it. And we said, okay, we need to design and describe and assign and communicate, which is very important and teach the clear roles and responsibilities of user access management so that you have a business application owner that you have an user access controller that you have somebody who has the role of a user access manager. So that is what we did very boring chop, but I think it is very helpful to bring a bit of a light in the, in the tunnel. And then we designed and implemented new role concepts for applications.
I think it's not very new finding. And then we established a single source for Drews for user identification. So we ramped up one centralized team who is responsible for that and who is reporting into the audit part as well, all in the is organization. And then we tried during the whole project to change the mindset of our people. And at the moment I would say the achievement is we are not fully through because we thought it goes much quicker. So we have 300 to 250 applications. I think we have now live the most important one and it's less than 30.
So we are still in a boat to have every application live, but all the trading applications are in there. And now we are moving on with the, I would say, medium important system at the moment. What are the lessons learned after 11 months?
So, first of all, I would say it's always a joint initiative between business and it. So I would never do that alone as a CIO, even if I'm board member of a big it organization, that will be never successful. So you always need, at least the trading business, your chief risk officer in that project, and you need really a double responsibility between business line it and the project lead. The second is implement not only an is solution, but implement of course, whole new setup of processes. So clear role concept that was the best to be done. The duties integrated with your HR department.
That was the most of the discussion we had because they were so slow. They just, the trader was fired. To be honest, it took us sometimes three weeks that we got that information that we should bring him out of the different systems. So that is something you need to make quicker. And that is what we achieved together with DHR organization. The third is access with your individual compliance culture before, because then, you know, if you need a comprehensive project or you just can tackle a few points to, to improve the force, don't look for off the shelf solutions there is known.
So we had really a lot of customizing due to hundreds of mandates to customize the solution we bought from AAL company to meet the requirements we had and we are not through yet. So we are still working on that and the costs a bit more time that we have assumed, or at least I have assumed at the beginning, I would always involve our auditors beforehand. So in that sense, it was quite a wise decision because they always will check it once more. And if you involve them very, very early, I would say they're a bit more friendly than usual.
I would say calculate significant effort for implementing the solution. So in our case, it was more than 3 million euros costs of that project. And I would always use a bit the momentum. I do not know how strong you are in your company, but I would say it's a very unpopular topic and you need a bit of a tricker case to bring that forward. Maybe you can convince your CEO or CFO every day. So in my case, I couldn't do that, but we had a lot of trigger cases. We had of course, audit findings. We had a lot of changes.
We had a bit, as you have seen on the slide in Bloomberg, we had a bit of a fraud case, and that is creating a lot of more understanding from the top top Mon management in a, in a tax company in Germany. Therefore, that is what we used. And that is the last lesson learned. And we start having that.
I would be through that presentation and I hope you have seen a bit, the parts I couldn't contribute too much on the technical solutions, but I would say the management part for that topic and the management attachment has really significantly increased since the implementation and the first baby, which was born with introducing that application. Thanks a lot.