Page 1

Standards for Integrated Governance, Risk and Compliance Management

Scott L. Mitchell, CEO, Open Compliance & Ethics Group

[email protected]

Page 2

Agenda

• Big Picture of GRC
• GRC Standards
• Integration of GRC – OCEG Framework
• GRC and Corporate Performance

Page 3

What is OCEG?

OCEG is a nonprofit organization that uniquely seeks to:

• Provide a universal framework for integrating the principles of good corporate governance, risk management, and compliance while promoting ethics and integrity in the daily practice of business
  – Cross-Industry (pharmaceutical, financial, etc.)
  – Cross-Topical (employment, environmental, etc.)

• Drive adoption of the framework through a multi-industry and multi-disciplinary coalition of stakeholders

• Lead a community of practice for exchanging information and continuously improving the framework and related tools for implementation

Page 4

OCEG Resources

• Guidelines & Standards
• Evaluation Criteria & Metrics
• Online Environment

Page 5

Big Picture

Page 6

Stay in the Green

Page 7

Criticism…

Governance, Risk Management & Compliance are the departments of NO

Page 8

…Response

The Fastest Cars Have the Best Brakes

Page 9

Basic Principles

GO – STEER – BRAKE

Historically, 99% of business investment is focused here

“Brakes” are a critical component to executing strategy and realizing long-term value

Page 10

…and just to belabor the metaphor

• Although the parts are located throughout the vehicle, the brakes should work as a single, integrated system

• In organizations, this system or “program” should address the total portfolio of governance, risk management and compliance processes

Page 11

Integration of GRC + C

Governance: capability to set and evaluate performance against objectives; authorize a business strategy and model to achieve objectives while staying within mandated (legal) and voluntary boundaries

Risk Management: capability to proactively identify, rigorously assess and address potential obstacles to achieving objectives; and the risk that the organization will step outside of mandated (legal) and voluntary boundaries

Compliance: capability to proactively encourage compliance with established policies and boundaries; the ability to detect noncompliance; and the ability to respond accordingly

Culture: mindsets of individuals and an organizational climate that promotes ethics, integrity, respect, trust and accountability

Page 12

Standards & Frameworks

Page 13

Benefits of Standards

• Reduce Cost
  – Design
  – Implementation
  – Integration
  – Evaluation

• Increase Objectivity
  – Benchmarking
  – Internal Evaluation
  – External Evaluation

• Leverage Experience
  – Multi-Industry
  – Multi-Functional

• Opportunity for Recognition from Stakeholders

Increased Performance

Page 14

Types of Standards

• Principles-Oriented
• Process-Oriented
• Technical

Page 15

Disciplines / Standards

• Governance
  – SOX, SEC, NYSE, NASDAQ
  – BRT, NACD, Conference Board
  – TIAA-CREF, CalPERS, AFL-CIO, CII
  – OECD
  – American Law Institute

• Compliance / Legal Management
  – Federal Sentencing Guidelines / Thompson
  – Australian Standards
  – OCEG Standards
  – Various agency guidelines (e.g., HHS OIG)

• Ethics / Corporate Social Responsibility
  – AA1000, SA8000, ISO CSR
  – Global Reporting Initiative
  – ILO Conventions, UN Global Compact, Sullivan Principles
  – Sigma Guidelines (UK)
  – Q-RES (Italian)
  – European Corporate Sustainability

• Risk Management
  – GARP, PRMIA standards
  – Australian Standards
  – Basel II Guidelines
  – COSO ERM (2004)

• Internal Audit / Anti-Fraud
  – COSO Internal Control (1992), COCO
  – SAS 99

• IT Control / Security
  – COBIT
  – SysTrust, WebTrust

• Performance Management
  – Balanced Scorecard
  – EVA
  – McKinsey; BAH; Accenture

• Human Capital / Training
  – ASTD
  – Bloom’s Taxonomy
  – Kirkpatrick

• Communication / Change Management

• Quality Management
  – ISO 9000 series
  – Six Sigma

• Project Management
  – Project Management Institute PMBOK®

Page 16

Exercise

• What standards / frameworks do you use?

Page 17

OCEG Framework

Page 18

Involvement

200+ individuals
100+ organizations

Page 19

Integration

• OCEG integrates effective practices associated with multiple disciplines into a framework for managing compliance and ethics
  – Governance
  – Compliance / Legal Management
  – Ethics Management
  – Risk Management
  – Internal Audit
  – Human Capital Management
  – Training Development / Design
  – Change Management
  – Quality Management
  – Project Management

Page 20

Leadership Council

• Aon*
• Archer Daniels Midland
• Baker Hughes
• Cisco
• Corpedia Education*
• Dell*
• Deloitte*
• DuPont
• Ernst & Young*
• EthicsPoint*
• Freddie Mac
• Gevity
• Global Compliance Svs*
• Grant Thornton*
• Interactive Alchemy*
• Littler Mendelson*
• LRN*
• Lyondell Chemical
• Marsh*
• Microsoft*
• PETCO
• PricewaterhouseCoopers*
• Qwest*
• Roche Diagnostics
• Sears
• Staples
• The Integrity Institute*
• Unilever
• Wachovia Corporation
• Others Pending…

Page 21

The Compliance Consortium Acquisition

• Axentis
• Corpedia
• Approva
• Hyperion
• Hyland
• Intuition
• Jefferson Wells
• Navigant
• The Network
• Staffware

• Objectives
  – Increase understanding of how to apply technology
  – Reduce risks/cost of implementation
  – Reduce risks/cost of integration

• Approach
  – Solution Providers + End-Users
  – Open Process

First Working Group Announced 7/19: “Whistleblower Hotlines/Helplines”

Page 22

Hotline/Helpline Working Group

• EthicsPoint
• Global Compliance Services
• Listen Up Group
• My Safe Workplace
• The Network

• Micron
• ITT
• University of Texas
• Microsoft
• ADM
• Qwest
• Gap
• Goodrich
• Starbucks

• Wal-Mart
• Wachovia
• EthicsSA
• Catholic Health
• Staples
• GA Technical Institute
• Ernst & Young
• Better Business Bureau
• Lucent
• RadioShack
• CIBC
• Interpublic Group
• Johnson Controls
• Countrywide Financial
• Delphi Group

Page 23

OCEG Foundation Guidelines - Status

• Public Draft made available May, 2004
  – 5,000+ downloads
  – 100+ organizations and individuals provided feedback
  – 50+ person Steering Committee vetted the draft and the comments

• Application Draft made available May, 2005

• Organizations of all sizes are invited to Beta Test the OCEG Foundation to ensure that the guidelines are practical. OCEG is specifically studying implementation at:
  – ADM
  – DuPont
  – Gevity
  – Qwest
  – Staples
  – Wachovia
  – Dell

• Aim to finalize by end of March, 2006

Register at www.oceg.org

Page 24

OCEG Framework

Foundation: The Foundation describes common elements of an effective program that integrates the principles of good corporate governance, risk management, compliance and ethics/culture

Domains: Domains provide topical or industry-specific information that integrates with and assumes the OCEG Foundation is in place

Company: Companies can build on top of these models to customize and configure their capability to address unique requirements

Page 25

OCEG Foundation

[Figure: detailed view of the Foundation] Foundation components: TECHNOLOGY, ORGANIZATION, CULTURE, PROCESS; with the Domains and Company layers built on top (see Page 24)

Page 26

Integration

• Federal Sentencing Guidelines
• Sarbanes-Oxley
• COSO Internal Control
• COSO ERM
• ISO 9000 series
• ISO 14000 series
• Various regulatory frameworks and guidance (e.g. HHS)
• Various CSR frameworks and guidance (AA1000, SA8000, etc.)

Translate / Integrate / Simplify → Practical & Actionable Guidance

Page 27

OCEG Foundation

[Figure] Key processes: PLAN / ORGANIZE; PREVENT / PROTECT / PREPARE; MONITOR / DETECT / EVALUATE; RESPOND / IMPROVE

Components: ORGANIZATION; CULTURE; PROCESS; TECHNOLOGY; INFORMATION / COMMUNICATION

Page 28

OCEG Foundation - Reality

[Figure] The key processes PLAN / ORGANIZE, PREVENT / PROTECT / PREPARE, MONITOR / DETECT / EVALUATE and RESPOND / IMPROVE shown overlapping within ORGANIZATION, CULTURE, PROCESS, TECHNOLOGY and INFORMATION & COMMUNICATION

Continuous Execution and Overlap of Key Processes

Page 29

OCEG Foundation

PLAN / ORGANIZE
• PO1 – Scope & Objectives
• PO2 – Business Model & Context
• PO3 – Boundary Identification
• PO4 – Event Identification
• PO5 – Risk Assessment
• PO6 – Program Design & Strategy

PREVENT / PROTECT / PREPARE
• PR1 – Controls, Policies & Procedures
• PR2 – Code of Conduct
• PR3 – Training & Education
• PR4 – Workforce Management
• PR5 – Physical Infrastructure
• PR6 – Risk Sharing & Insurance
• PR7 – Preparedness & Practice

MONITOR / DETECT / EVALUATE
Ongoing Monitoring
• M1 – Control Assurance & Audit
• M2 – Hotline & Helpline Reporting
Periodic Evaluation
• E1 – Evaluation Planning & Reporting
• E2 – Effectiveness Evaluation (DE, OE)
• E3 – Program Performance Evaluation

RESPOND / IMPROVE
• R1 – Issue Management
• R2 – Special Investigations
• R3 – Crisis Response
• R4 – Discipline & Disclosure
• R5 – Remediation & Improvement

CULTURE
• C1 – Ethical Culture
• C2 – Risk Culture
• C3 – Governance Culture
• C4 – Workforce Culture

ORGANIZATION
• O1 – Leadership & Champions
• O2 – Oversight Personnel
• O3 – Strategic Personnel
• O4 – Operational Personnel

TECHNOLOGY
• T1 – Technology

INFORMATION / COMMUNICATION
• I1 – Information & Records Management
• I2 – Communication
• I3 – Internal Reporting
• I4 – External Reporting & Filings

Page 30

Risk Area Domains

The Risk Area Domain Guidelines identify a number of areas to which most organizations are exposed. Each organization is unique and will focus on specific domains as appropriate.

• governance
• anti-corruption
• competitive practices
• employment
• financial assurance
• information management
• international dealings
• workplace health / safety
• environmental
• product quality / safety
• government dealings (USA)
• intellectual property

Employment Domain Subtopics

• Compensation
• Executive Compensation
• Workplace Violence
• Benefits
• Anti-Harassment
• Anti-Discrimination
• Contingent Workforce
• Hiring / Retention
• Termination / Reduction
• Employment Information Privacy
• Accommodation / Leave
• Labor / Collective Bargaining
• Global Migration
• Anti-Retaliation / Whistleblowing
• Other Employment Torts

Page 31

How does this affect corporate performance?

Page 32

Big Picture

Page 33

Must Stay Within Boundaries & Effectively Steer the Organization

Page 34

Corporate Governance

[Figure] Mission / Vision / Values → objectives → business model → strategy → people, process, technology infrastructure (“designed to achieve”)

STAKEHOLDERS: shareholder, suppliers, regulators, customers, underwriters, society, board, employees, management

Page 35

Bottom-Line

We must understand enterprise strategy to ensure that we appropriately:
  – Align
  – Design
  – Implement
  – Manage
  – Operate
  – Evaluate

…and to ensure that we get the appropriate budget to do it!

Page 36

Objectives

• Many ways to define enterprise objectives

• Common elements
  – Categories
  – Criteria
  – Cascading

• Perspectives
  – For Profit
  – Nonprofit

Page 37

Balanced Scorecard

• FINANCIAL – To succeed financially, how should we appear to our shareholders?
• CUSTOMER – To achieve our vision, how should we appear to our customers?
• INTERNAL PROCESSES – To satisfy our shareholders and customers, what internal processes must we excel at?
• LEARNING & GROWTH – To achieve our vision, how will we sustain our ability to change and improve?

Page 38

Stakeholders

[Figure] The enterprise and its stakeholders: shareholder, customers, regulators, suppliers, underwriters, society, board, employees, management

Page 39

Balanced Scorecard

[Figure: strategy map]

Financial: Long-Term Shareholder Value
  – Productivity Strategy: Improve Cost Structure; Improve Asset Utilization
  – Growth Strategy: New Revenue Sources; Increase Customer Value

Customer Exp.: product / service attributes (Price, Functionality, Quality, Availability, Selection); relationship attributes (Service, Partnership); image (Brand)

Internal Process:
  – Operations Management Processes: Supply, Production, Distribution, Risk Mgt
  – Customer Management Processes: Selection, Acquisition, Retention, Growth
  – Innovation Processes: Opportunity, R & D, Design, Pd Launch
  – Regulatory & Social Processes: Environmental, Employment, Governance, Etc…

Learning & Growth:
  – Human Capital (readiness, training, recruitment, retention, etc.)
  – Information Capital (transactional systems, information systems, data storage, infrastructure, etc.)
  – Organizational Capital (culture, leadership, alignment, etc.)

Page 40

Cascading Performance

Enterprise Performance → Department Performance → Team Performance

Page 41

Cascading Performance

Enterprise Performance → Compliance & Ethics Program Performance

Page 42

System Model (ILLUSTRATIVE)

[Figure: causal-loop diagram] Nodes: corporate performance; employee productivity; fraud & abuse; reputation; customer loyalty; employee satisfaction; employee purpose; errors & omissions; strong formal controls; strong culture & informal controls; “early warning system”. Links between nodes are marked + (reinforcing) or – (reducing).

Page 43

Success Factors

Simple, balanced view of the organization's progress towards its objectives
  – Less is more (sometimes)
  – Leading and Lagging
  – Hard and Soft
  – Strategic Alignment

“If you can’t measure it, you can’t manage it” – Kaplan and Norton, 1996

Page 44

Types of Measures

[Figure: spectrum of measure types] Lagging / Hard / Objective: Outcome, Control. Leading / Soft / Subjective: Culture / Perceptions, Leadership.

Page 46

OCEG Performance Measurement Framework

• Effectiveness (Quality)
  – Does the program promote the right mindset and climate?
  – Is it properly aligned, focused and authorized?
  – How well does the program prevent noncompliance?
  – How well does the program detect noncompliance?
  – How well does the program react to noncompliance?
  – How well does the program protect the entity and reduce the impact of adverse events?
  – How well does the entity evaluate and continuously improve the program?

• Efficiency (Cost, Capital)
  – How much does it cost to execute core processes?
  – How well do we utilize capital?

• Responsiveness (Speed, Agility)
  – How quickly can the program execute core processes?
  – How quickly and effectively can the program respond to new requirements and change?

[Figure: triangle] Effective – Responsive – Efficient

Page 47

Indicator Category Relationships

[Figure: triangle] Effective – Responsive – Efficient

There is, generally, an inverse relationship between indicator categories. For example, if an organization seeks to increase efficiency (drive down costs), responsiveness and effectiveness often suffer. This is particularly true when organizations seek incremental changes.

Page 48

Breakthrough Thinking

[Figure: triangle] Effective – Responsive – Efficient

An exception to this rule is when organizations successfully engage in “breakthrough thinking” that actually changes the size and shape of the triangle altogether. The application of technology and automating processes is a typical way to accomplish this.

Page 49

OCEG Performance Measurement Practice Aid

Measurement, Indicators & Metrics

Comments / questions should be submitted to:

Scott L. Mitchell, Open Compliance & Ethics Group
7119 E. Shea Blvd Suite 109-478
Email: [email protected]
Phone: 602.234.9278 Fax: 928.441.1544

Prevent

• Scope / Objectives – Aligned
  – % program objectives mapped to entity objectives
  – % program objectives that are measurable
• Risk Management – Focused
  – % reduction in inherent risk
• Strategy – Allocated / Authorized
  – % strategy that is fully funded
  – % strategy that is fully resourced and staffed
• Mindset – Stakeholder Perceptions
  – % employees who believe management wants them to do the right thing
  – % employees who have observed misconduct / reported misconduct
• Climate – Stakeholder Perceptions
  – % employees who believe there is an open environment to report
• Knowledge / Skills – Training, Communication, Helpline
  – % employees tested for reaction (level 1 test)
  – % employees tested for knowledge (level 2 test)
  – % employees tested for skill (level 3 test)
  – % employees evaluated for skill (level 3 test)
• Tools / Resources – Training, Communication
  – % employees who believe the code of conduct guided their behavior
  – % employees who believe training guided their behavior
  – % employees who believe the helpline guided their behavior
• Incentives – Human Capital
  – % employees who believe incentives are meaningful
  – % employees eligible for incentives who receive them

Detect

• Systems / Controls
  – % controls that operated as designed and detected failures
  – % false positives
  – % false negatives
• Hotline
  – # total legitimate issues, by category
  – % calls that resulted in legitimate issues
• Periodic Assessment
  – % controls under evaluation that are effectively designed
  – % controls under evaluation that are effectively operating
  – % controls that were evaluated (design, operating effectiveness)
• Issues
  – % issues that were proactively detected by the business
  – # issues by category (geography, type, stakeholder, severity)
  – # validated issues by category

React

• Investigations
  – % investigations resolved, by category
• Crisis Management
  – # control failures that became public
  – % public control failures that were proactively disclosed by the organization
• Discipline
  – # employees disciplined
  – % employees disciplined according to policy
• Improve
  – % validated issues that resulted in program changes
  – % program controls modified

Page 50

Tier 1 Metrics (Candidates)

• Culture
  – % workforce that believes org wants them to do the right thing
  – % workforce that believes climate is open to raise issues
  – % workforce that believes senior management does the right thing
  – employee satisfaction
  – % workforce understand how their job contributes to the enterprise

• Prevent / Protect
  – $ Value at risk (VAR)
  – % risks addressed by preventative measures (code, policies, training, human capital, other control)
  – % workforce confirm understanding of code of conduct
  – # calls that prevent noncompliant actions
  – % controls appropriately designed

• Detect
  – % early, mid, late, un-detected
  – % workforce who observe noncompliance but do not report (and why)
  – % of controls that operate as designed
  – False reports
  – Time / $$ to confirm issue

• React
  – Rate of resolution / close
  – Total time from detect to begin investigation
  – Time / $$ to investigate / resolve issue
  – Total time from detect to resolve
  – Actual loss per issue

Page 51

Extra Information

Page 52

OCEG Development Process

1. Assemble full working group; break into subgroups (optional); analyze and consolidate findings; circulate “controlled drafts” (version 0.1 – 0.4); analyze internal feedback
   – assemble the right team to develop and review the product in a controlled environment

2. Post “public exposure draft” (version 0.5 – 0.8); analyze public feedback
   – solicit public feedback so that the work product is complete and correct

3. Post “application draft” (version 0.9); analyze application feedback
   – analyze and integrate public feedback and encourage individuals to implement the product in a real environment – and solicit feedback from actual use so that the product is practical

4. Post “final draft” (version 1.0)
   – analyze and integrate feedback from those organizations that actually used the product and publish a final draft

• co-chairs direct work product and schedule
• review board works with co-chairs to make final decisions
• general members participate in the process

Rigorous process aimed at careful and incremental development to ensure that the work product is complete, of high quality and practical