Standards for Integrated Governance, Risk and Compliance Management
Scott L. Mitchell, CEO, Open Compliance & Ethics Group, smitchell@oceg.org
Agenda • Big Picture of GRC • GRC Standards • Integration of GRC – OCEG Framework • GRC and Corporate Performance
What is OCEG? OCEG is a nonprofit organization that uniquely seeks to:
• Provide a universal framework for integrating the principles of good corporate governance, risk management, and compliance while promoting ethics and integrity in the daily practice of business; the framework is cross-industry (pharmaceutical, financial, etc.) and cross-topical (employment, environmental, etc.)
• Drive adoption of the framework through a multi-industry and multi-disciplinary coalition of stakeholders
• Lead a community of practice for exchanging information and continuously improving the framework and related tools for implementation
OCEG Resources • Guidelines & Standards • Evaluation Criteria & Metrics • Online Environment
Criticism… Governance, Risk Management & Compliance are the departments of NO
…Response The Fastest Cars Have the Best Brakes
Basic Principles: GO, STEER, BRAKE. Historically, 99% of business investment has focused on "GO"; "brakes" are a critical component of executing strategy and realizing long-term value.
…and just to belabor the metaphor • Although the parts are located throughout the vehicle, the brakes should work as a single, integrated system • In organizations, this system or “program” should address the total portfolio of governance, risk management and compliance processes
Integration of GRC + C
• Governance: the capability to set and evaluate performance against objectives, and to authorize a business strategy and model to achieve those objectives while staying within mandated (legal) and voluntary boundaries
• Culture: the mindsets of individuals and an organizational climate that promote ethics, integrity, respect, trust and accountability
• Risk management: the capability to proactively identify, rigorously assess and address potential obstacles to achieving objectives, including the risk that the organization will step outside of mandated (legal) and voluntary boundaries
• Compliance: the capability to proactively encourage compliance with established policies and boundaries, to detect noncompliance, and to respond accordingly
Benefits of Standards
• Reduce Cost: design, implementation, integration, evaluation
• Increase Objectivity: benchmarking, internal evaluation, external evaluation
• Leverage Experience: multi-industry, multi-functional
• Opportunity for Recognition from Stakeholders
Net effect: Increased Performance
Types of Standards • Principles-Oriented • Process-Oriented • Technical
Disciplines / Standards
• Governance: SOX, SEC, NYSE, NASDAQ; BRT, NACD, Conference Board; TIAA-CREF, CalPERS, AFL-CIO, CII; OECD; American Law Institute
• Compliance / Legal Management: Federal Sentencing Guidelines / Thompson; Australian Standards; OCEG Standards; various agency guidelines (e.g., HHS OIG)
• Ethics / Corporate Social Responsibility: AA1000, SA8000, ISO CSR; Global Reporting Initiative; ILO Conventions, UN Global Compact, Sullivan Principles; Sigma Guidelines (UK); Q-RES (Italian); European Corporate Sustainability
• Risk Management: GARP, PRMIA standards; Australian Standards; Basel II Guidelines; COSO ERM (2004)
• Internal Audit / Anti-Fraud: COSO Internal Control (1992), COCO; SAS 99
• IT Control / Security: COBIT; SysTrust, WebTrust
• Performance Management: Balanced Scorecard; EVA; McKinsey, BAH, Accenture
• Human Capital / Training: ASTD; Bloom's Taxonomy; Kirkpatrick
• Communication / Change Management
• Quality Management: ISO 9000 series; Six Sigma
• Project Management: Project Management Institute PMBOK®
Exercise • What standards / frameworks do you use?
Involvement 200+ individuals 100+ organizations
Integration • OCEG integrates effective practices associated with multiple disciplines into a framework for managing compliance and ethics • Governance • Compliance / Legal Management • Ethics Management • Risk Management • Internal Audit • Human Capital Management • Training Development / Design • Change Management • Quality Management • Project Management
Leadership Council: Aon*, Archer Daniels Midland, Baker Hughes, Cisco, Corpedia Education*, Dell*, Deloitte*, DuPont, Ernst & Young*, EthicsPoint*, Freddie Mac, Gevity, Global Compliance Svs*, Grant Thornton*, Interactive Alchemy*, Littler Mendelson*, LRN*, Lyondell Chemical, Marsh*, Microsoft*, PETCO, PricewaterhouseCoopers*, Qwest*, Roche Diagnostics, Sears, Staples, The Integrity Institute*, Unilever, Wachovia Corporation; others pending
The Compliance Consortium Acquisition
• Axentis, Corpedia, Approva, Hyperion, Hyland, Intuition, Jefferson Wells, Navigant, The Network, Staffware
• Objectives: increase understanding of how to apply technology; reduce risks/cost of implementation; reduce risks/cost of integration
• Approach: solution providers + end-users; open process
First Working Group announced 7/19: "Whistleblower Hotlines/Helplines"
Hotline/Helpline Working Group: EthicsPoint, Global Compliance Services, Listen Up Group, My Safe Workplace, The Network, Micron, ITT, University of Texas, Microsoft, ADM, Qwest, Gap, Goodrich, Starbucks, Wal-Mart, Wachovia, EthicsSA, Catholic Health, Staples, GA Technical Institute, Ernst & Young, Better Business Bureau, Lucent, RadioShack, CIBC, Interpublic Group, Johnson Controls, Countrywide Financial, Delphi Group
OCEG Foundation Guidelines - Status
• Public Draft made available May 2004: 5,000+ downloads; 100+ organizations and individuals provided feedback; a 50+ person Steering Committee vetted the draft and the comments
• Application Draft made available May 2005
• Organizations of all sizes are invited to beta test the OCEG Foundation to ensure that the guidelines are practical. OCEG is specifically studying implementation at ADM, DuPont, Gevity, Qwest, Staples, Wachovia and Dell
• Aim to finalize by end of March 2006
Register at www.oceg.org
OCEG Framework
• Company: companies can build on top of these models to customize and configure their capability to address unique requirements
• Domains: domains provide topical or industry-specific information that integrates with, and assumes, the OCEG Foundation is in place
• Foundation: the Foundation describes common elements of an effective program that integrates the principles of good corporate governance, risk management, compliance and ethics/culture
OCEG Foundation (detailed view of the Foundation layer): Culture, Organization, Process, Technology
Integration: inputs such as the Federal Sentencing Guidelines, Sarbanes-Oxley, COSO Internal Control, COSO ERM, the ISO 9000 series, the ISO 14000 series, various regulatory frameworks and guidance (e.g., HHS) and various CSR frameworks and guidance (AA1000, SA8000, etc.) are translated, integrated and simplified into practical and actionable guidance.
OCEG Foundation: CULTURE; ORGANIZATION; PROCESS (PLAN / ORGANIZE; PREVENT / PROTECT / PREPARE; MONITOR / DETECT / EVALUATE; RESPOND / IMPROVE); INFORMATION / COMMUNICATION; TECHNOLOGY
OCEG Foundation - Reality: the same components (Culture, Organization, Process, Information & Communication, Technology), but in practice the key processes (Plan / Organize; Prevent / Protect / Prepare; Monitor / Detect / Evaluate; Respond / Improve) execute continuously and overlap.
OCEG Foundation
CULTURE: C1 – Ethical Culture; C2 – Risk Culture; C3 – Governance Culture; C4 – Workforce Culture
ORGANIZATION: O1 – Leadership & Champions; O2 – Oversight Personnel; O3 – Strategic Personnel; O4 – Operational Personnel
PROCESS
• PLAN / ORGANIZE: PO1 – Scope & Objectives; PO2 – Business Model & Context; PO3 – Boundary Identification; PO4 – Event Identification; PO5 – Risk Assessment; PO6 – Program Design & Strategy
• PREVENT / PROTECT / PREPARE: PR1 – Controls, Policies & Procedures; PR2 – Code of Conduct; PR3 – Training & Education; PR4 – Workforce Management; PR5 – Physical Infrastructure; PR6 – Risk Sharing & Insurance; PR7 – Preparedness & Practice
• MONITOR / DETECT / EVALUATE: Ongoing Monitoring: M1 – Control Assurance & Audit; M2 – Hotline & Helpline Reporting. Periodic Evaluation: E1 – Evaluation Planning & Reporting; E2 – Effectiveness Evaluation (DE, OE: design effectiveness and operating effectiveness); E3 – Program Performance Evaluation
• RESPOND / IMPROVE: R1 – Issue Management; R2 – Special Investigations; R3 – Crisis Response; R4 – Discipline & Disclosure; R5 – Remediation & Improvement
INFORMATION / COMMUNICATION: I1 – Information & Records Management; I2 – Communication; I3 – Internal Reporting; I4 – External Reporting & Filings
TECHNOLOGY: T1 – Technology
Risk Area Domains
The Risk Area Domain Guidelines identify a number of areas to which most organizations are exposed. Each organization is unique and will focus on specific domains as appropriate.
Domains: governance, employment, financial assurance, anti-corruption, information management, intellectual property, environmental, international dealings, competitive practices, product quality / safety, workplace health / safety, government dealings (USA)
Employment Domain subtopics: Compensation; Executive Compensation; Workplace Violence; Benefits; Anti-Harassment; Anti-Discrimination; Contingent Workforce; Hiring / Retention; Termination / Reduction; Employment Information Privacy; Accommodation / Leave; Labor / Collective Bargaining; Global Migration; Anti-Retaliation / Whistleblowing; Other Employment Torts
Must Stay Within Boundaries & Effectively Steer the Organization
Corporate Governance (figure): Mission, Vision, Values; Stakeholders; objectives designed to achieve them; business model (strategy; people, process and technology infrastructure)
Bottom-Line We must understand enterprise strategy to ensure that we appropriately: • Align • Design • Implement • Manage • Operate • Evaluate …and to ensure that we get the appropriate budget to do it!
Objectives • Many ways to define enterprise objectives • Common elements • Categories • Criteria • Cascading • Perspectives • For Profit • Nonprofit
Balanced Scorecard
• FINANCIAL: To succeed financially, how should we appear to our shareholders?
• CUSTOMER: To achieve our vision, how should we appear to our customers?
• INTERNAL PROCESSES: To satisfy our shareholders and customers, what internal processes must we excel at?
• LEARNING & GROWTH: To achieve our vision, how will we sustain our ability to change and improve?
Stakeholders (figure): shareholders, underwriters, suppliers, customers, regulators, society; within the enterprise: board, management, employees
Balanced Scorecard (strategy map)
• Financial: Long-Term Shareholder Value, via a Productivity Strategy (Improve Cost Structure; Improve Asset Utilization) and a Growth Strategy (New Revenue Sources; Increase Customer Value)
• Customer: product / service attributes (Price, Functionality, Quality, Availability, Selection); relationship attributes (Service, Partnership); image (Brand); Customer Experience
• Internal Process: Operations Management Processes (Supply, Production, Distribution, Risk Mgt); Customer Management Processes (Selection, Acquisition, Retention, Growth); Innovation Processes (Opportunity, R&D, Design, Product Launch); Regulatory & Social Processes (Environmental, Employment, Governance, etc.)
• Learning & Growth: Human Capital (readiness, training, recruitment, retention, etc.); Information Capital (transactional systems, information systems, data storage, infrastructure, etc.); Organizational Capital (culture, leadership, alignment, etc.)
Cascading Performance Enterprise Performance Department Performance Team Performance
Cascading Performance Compliance & Ethics Program Performance Enterprise Performance
System Model (illustrative causal-loop diagram): nodes are employee satisfaction, employee purpose, employee productivity, strong formal controls, errors & omissions, corporate performance, fraud & abuse, "early warning system", strong culture & informal controls, reputation and customer loyalty, linked by reinforcing (+) and dampening (-) influences.
Success Factors: a simple, balanced view of the organization's progress towards its objectives
• Less is more (sometimes)
• Leading and lagging
• Hard and soft
• Strategic alignment
"If you can't measure it, you can't manage it" (Kaplan and Norton, 1996)
Types of Measures: Lagging vs. Leading; Hard vs. Soft; Objective vs. Subjective; Outcome vs. Culture / Perceptions; Control vs. Leadership
OCEG Performance Measurement Framework (triangle: Effective, Responsive, Efficient)
• Effectiveness (Quality): Does the program promote the right mindset and climate? Is it properly aligned, focused and authorized? How well does the program prevent noncompliance? How well does it detect noncompliance? How well does it react to noncompliance? How well does it protect the entity and reduce the impact of adverse events? How well does the entity evaluate and continuously improve the program?
• Efficiency (Cost, Capital): How much does it cost to execute core processes? How well do we utilize capital?
• Responsiveness (Speed, Agility): How quickly can the program execute core processes? How quickly and effectively can the program respond to new requirements and change?
Indicator Category Relationships: there is, generally, an inverse relationship between the indicator categories. For example, if an organization seeks to increase efficiency (drive down costs), responsiveness and effectiveness often suffer. This is particularly true when organizations seek incremental changes.
Breakthrough Thinking: an exception to this rule is when organizations successfully engage in "breakthrough thinking" that actually changes the size and shape of the triangle altogether. Applying technology and automating processes is a typical way to accomplish this.
Tier 1 Metrics (Candidates)
• Culture: % workforce that believes the organization wants them to do the right thing; % workforce that believes the climate is open to raising issues; % workforce that believes senior management does the right thing; employee satisfaction; % workforce that understand how their job contributes to the enterprise
• Prevent / Protect: $ value at risk (VaR); % risks addressed by preventive measures (code, policies, training, human capital, other controls); % workforce confirming understanding of the code of conduct; # calls that prevent noncompliant actions; % controls appropriately designed
• Detect: % early, mid, late, undetected; % workforce who observe noncompliance but do not report (and why); % controls that operate as designed; false reports; time / $ to confirm an issue
• React: rate of resolution / close; total time from detection to start of investigation; time / $ to investigate / resolve an issue; total time from detection to resolution; actual loss per issue
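The Detect and React candidates above are only measurable if issue records carry the timestamps they imply (occurrence, detection, investigation start, resolution) and control tests record design and operating results separately. The following Python is an added example, not code from the OCEG deck: it computes the detection mix, the false-report rate, the detect-to-investigate and detect-to-resolve times, resolution rate, loss per issue and the two control metrics from constructed records. The Issue field names, the lag thresholds that define early / mid / late, and all sample data are assumptions made here for illustration, not OCEG definitions.

```python
"""Added example (not from the OCEG deck): a few of the Tier 1 'Detect' and
'React' candidate metrics, plus the two control metrics, computed from
constructed issue and control-test records. Field names, the early / mid /
late lag buckets and the sample data are assumptions, not OCEG definitions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Issue:
    issue_id: str
    occurred: datetime                                # when the noncompliant event happened
    detected: Optional[datetime]                      # None: never surfaced by the program
    investigation_started: Optional[datetime] = None
    resolved: Optional[datetime] = None
    loss_usd: float = 0.0                             # actual loss attributed to the issue
    false_report: bool = False                        # report that did not confirm as an issue


# Assumed lag buckets (not defined on the slide): detected within a week is
# "early", within a month "mid", later "late"; never detected is "undetected".
EARLY_LAG = timedelta(days=7)
MID_LAG = timedelta(days=30)


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when there is nothing to divide by."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def mean_hours(deltas) -> float:
    """Mean of timedeltas in hours, one decimal; 0.0 for an empty sequence."""
    deltas = list(deltas)
    if not deltas:
        return 0.0
    return round(sum(d.total_seconds() for d in deltas) / len(deltas) / 3600.0, 1)


def detection_bucket(issue: Issue) -> str:
    if issue.detected is None:
        return "undetected"
    lag = issue.detected - issue.occurred
    return "early" if lag <= EARLY_LAG else "mid" if lag <= MID_LAG else "late"


def detection_mix(issues):
    """'% early, mid, late, undetected' over confirmed (non-false) issues."""
    confirmed = [i for i in issues if not i.false_report]
    counts = {b: 0 for b in ("early", "mid", "late", "undetected")}
    for i in confirmed:
        counts[detection_bucket(i)] += 1
    return {b: pct(n, len(confirmed)) for b, n in counts.items()}


def false_report_rate(issues) -> float:
    """'False reports' as a percentage of all reports received."""
    return pct(sum(1 for i in issues if i.false_report), len(issues))


def react_metrics(issues):
    """Resolution rate, detect-to-investigate / detect-to-resolve times and
    actual loss per issue. Undetected issues count toward loss but cannot
    contribute a detection-relative time, so they are excluded from those."""
    confirmed = [i for i in issues if not i.false_report]
    detected = [i for i in confirmed if i.detected is not None]
    started = [i for i in detected if i.investigation_started is not None]
    resolved = [i for i in detected if i.resolved is not None]
    return {
        "resolution_rate_pct": pct(len(resolved), len(detected)),
        "mean_hours_detect_to_investigate": mean_hours(i.investigation_started - i.detected for i in started),
        "mean_hours_detect_to_resolve": mean_hours(i.resolved - i.detected for i in resolved),
        "mean_loss_per_issue_usd": round(sum(i.loss_usd for i in confirmed) / len(confirmed), 2) if confirmed else 0.0,
    }


def control_effectiveness(control_tests):
    """'% controls appropriately designed' and, of those, '% controls that
    operate as designed'. Each test is (control_id, designed_ok, operated_ok)."""
    designed = [t for t in control_tests if t[1]]
    operating = [t for t in designed if t[2]]
    return {"designed_pct": pct(len(designed), len(control_tests)),
            "operating_pct": pct(len(operating), len(designed))}


# Constructed sample data (not real incidents or controls).
T0 = datetime(2024, 3, 1)
H, D = timedelta(hours=1), timedelta(days=1)
ISSUES = [
    Issue("I-1", T0, T0 + 1 * D, T0 + 1 * D + 4 * H, T0 + 3 * D, loss_usd=500.0),     # early, closed
    Issue("I-2", T0, T0 + 14 * D, T0 + 15 * D, T0 + 20 * D, loss_usd=12000.0),       # mid, closed
    Issue("I-3", T0, T0 + 45 * D, T0 + 46 * D, None, loss_usd=30000.0),               # late, still open
    Issue("I-4", T0, None, loss_usd=80000.0),                                          # found only by an outside party
    Issue("I-5", T0, T0 + 2 * D, T0 + 2 * D + 2 * H, T0 + 2 * D + 6 * H, false_report=True),
]
CONTROL_TESTS = [("C-1", True, True), ("C-2", True, False), ("C-3", False, False), ("C-4", True, True)]

if __name__ == "__main__":
    print(detection_mix(ISSUES))
    print(false_report_rate(ISSUES))
    print(react_metrics(ISSUES))
    print(control_effectiveness(CONTROL_TESTS))
```

Two design points matter more than the arithmetic. First, an issue that was never surfaced by the program (I-4 above) must still be recorded, otherwise "% undetected" silently reads zero and the loss figure understates exposure; the record has to come from whoever did find it (auditor, regulator, press). Second, the denominators differ per metric: the detection mix is over confirmed issues, the resolution and timing figures only over issues the program actually detected, and false reports are counted against all reports, so the same record set yields sensible numbers for each without double counting.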