Journey to Sustainable SOX 404 Compliance
Summary
Update on the embedding work:
• Architecture
• Organization & resourcing
• Processes
• Roles & responsibilities
• Culture & behaviors
• Training
The SOX embedding journey – critical elements and priorities

Documentation effort
• Processes
• Controls
• Test scripts

Testing and Remediation
• Attestation
• External audit
• Design effective tests
• Self assessments
• Remediation and re-testing
• Internal audit

Initial Compliance
• Definition and implementation of processes, roles and responsibilities, and org. structures
• Integration of SOX compliance assurance with the GRA framework

Embedded in Processes and Structure
• Resources in place, ramp-down of temporary staff
• Skills and capability levels raised
• Tools in place
• Functioning continuous improvement loops

Embedded in Daily Activities
• Behaviors of all stakeholders aligned
• Incentives aligned and consequence management performed

Embedded in Hearts and Minds

Phases along the journey:
• Project Phase – outside of normal business structure; high temporary resource levels
• Transition Period – roles and structures in transition toward steady state; retain a higher level of staffing for oversight and support
• Steady State – normal element of day-to-day business
RDS SOX-ready by 31/12/05 and compliant by 31/12/06; sustainable compliance is a multi-year program

Current Status
• Group is ensuring compliance with SOX404 as a project
• Group-wide initiative
• Highest business priority
• Defined deadlines for completion
• Project team of in total 1000+ FTEs – winding down end 2005
• Project is moving to self-testing of controls and subsequent remediation
• Group has decided not to extend the project timeline in response to the change in the legislative deadline
• Year-end 2005 SOX404-readiness is a huge challenge

Year End
• Defined methodology/processes in place, including management assessment pilot executed
• Organizational design, roles & responsibilities and staffing completed
• Embedding training given to process owners and selected process executors
• Self-testing and remediation actions executed by Businesses and Functions
• IAF provides QA and additional financial auditing in areas of risk
• No need for formal attestation by external auditors; control registers to be used for the annual financial audit (controls assurance)
• Working on an integrated compliance culture
• Further embedding in 2006 – transitioning of SOX404 knowledge
Architecture Overview
• Annual SOX processes
• Management assessment process
• Deficiency evaluation & reporting
High level annual SOX processes

SOX Routine Processes – key processes
• Triggered: Monitor change and assess impact; Reassess scope; Adapt controls and documentation
• Periodic (retest): Plan and perform self testing; Plan and execute remediation; Management assessment

IAF

People Processes

SOX Support Processes
• Maintain methodology
• Provide tools
Key elements of the routine processes….

SOX Routine Processes

Monitor change and assess impact (triggered)
• Identify/capture SOX-relevant change to processes and environment
• Assess risk
• Support quarterly 302 certification
• QC

Reassess scope (triggered)
• Change-driven (e.g., M&A, new site) and annual
• Re-evaluate in-scope locations and key controls

Adapt controls and documentation (triggered)
• Risk-based response plan
• Identify affected controls/process
• Adapt/implement controls/process
• Update tools & documentation
• Test design effectiveness
• Terminate old controls
• QC

Plan and perform self testing (periodic retest)
• Develop and execute risk-based, integrated test plan
• Enter data in Greenlight
• Analyze, consolidate and report results
• Execute roll-over testing when necessary
• QC

Plan and execute remediation (periodic retest)
• Materiality-based prioritization
• Process-level remediation
• Higher level synthesis
• Monitor and report progress
• QC

Management assessment (periodic retest)
• Quantify, analyze and aggregate test results
• Full quarterly review
• Regular ongoing review and escalation of key issues
• Report upward / communicate downward
• Quarterly sign-off in Greenlight
• Sign-off at all hierarchical levels

IAF
• Plan independent auditing
• Perform independent auditing
• Populate Greenlight
• Analyse and report results
… and support processes – key process elements

People Processes
• Leadership agenda and tone at the top
• Manage communication and information flow
• Build skills and capabilities including recruitment, training, values & behaviors
• Align with recognition systems and consequence management

SOX Support Processes – Maintain methodology
• Assess regularly whether updates are required
• Perform and communicate updates

SOX Support Processes – Provide tools
• IT infrastructure
• Greenlight
• Other supporting IT
• Guidelines and manuals
Management Assessment Process Overview*

RDS Plc. Certifying Officers (CEO & CFO)
• SOX 404 assessment
• External auditors' attestation

Financial Reporting Controls Committee (“FRCC”)
• Review, evaluate, challenge
• Advise EC on assessment

Central SOX 404 Evaluation Team
• Review / validate reports from businesses/functions
• Analyse / aggregate
• Advise FRCC

Business / Function (via Region/CoB as appropriate)
• Interpret / evaluate deficiencies
• Summarise / categorise
• Report to central evaluation team
• Periodic sign-off
• Assurance

OU / AoO
• Reporting of controls deficiencies / remediation (GreenLight)
• Periodic sign-off
• Assurance

Other controls data feeding the process: external audits, internal audits, BCIs

Legend: GreenLight data; primary reporting and dialogue; information

*to be tested in pilot starting 15/9
Sign Off Cascade…. part of the Management Assessment Process

FRCC
• Business: EP/OP/Chem/G&P/GS/Trading/Renewables
• Functions: Controller/Treasury/Tax; HR/CIO/S&D; Corp Affairs/Legal
• Region/Class of Business, if appropriate
• Region/Business
• Internal Service Providers in Functions: Pensions / SPS / FCA / SSSC
• Group Service Providers: Group Reporting; Treasury
• AoO
• Functions in AoO: IT; Taxation

Sign-off cascade: confirmation to internal users via GreenLight access
Architecture
• Design principles
• Roles and responsibilities
• Organizational design
Key Design Principles
• Reinforce common objective: Shell Group obtains and retains compliance
• Enable sustainability and continuous improvement
• Provide consistency across businesses
• Embed into existing/planned management framework, processes (incl. change processes) and support structures
• Moving at the same pace towards the same goals; starting point may be different
• Clear individual roles & responsibilities and reporting and escalation lines
• Optimise for low cost and high value add
• Reinforce Business ownership of compliance
• Position Centre to take a strong role in ensuring compliance in global processes
• Enable clarity and transparency including definitions, risks, and consequences
• SOX will be folded into the GRA organization
GRA Cascaded controls structure…..
• Group: FCC → Group GRA
• Business/Function: Business/Function GRA Manager
• Region/CoB: Region/CoB GRA Manager
• AoO: Local GRA Focal point Network
Organisation – Embedding of Controls Structures
• Roles, responsibilities, and tools will be largely the same.
• The Business Sectors are pursuing common approaches to embedding organizational control structures.
• There will be organizational support for controls at the Global, Regional, and Local levels.
• Exact organization control structures will be embedded into the business sector structures and will vary somewhat with those structures.

Steady State – EP view
• Group CFO → Group GRA
• EVPF → EP GRA (with Internal Audit)
• Regional VPF → Regional GRA
• Finance Mgr. OU → OU GRA Focal point
Embedded State – Downstream
• CIO; CFO; RDS FCC; GRA Mgr
• DS EVP FN&IT&CP 1) 2)
• DS Controller; DS CIO; CoB/S, GB VPs FN; CoB/S, GB GRA Mgrs
• DS IT Compl. Mgr; DS Acc. Policy Advisor; DS SOX 404 Compl. Mgr; DS GRA Manager
• Regional Controllers; Regional Acc. Policy Advisors; Regional SOX Focal Points; Regional GRA Focal Points
• Local Controllers; Local Acc. Policy FPs; Local SOX FPs; Local GRA FPs
• Process Owners; Process Executors; Control Owners; Control Executors
High Level Responsibilities and Approvals View (1 of 2) (by SOX process)
High Level Responsibilities and Approvals View (2 of 2) (by SOX process)
Opportunity to achieve improved performance & risk management
Integrating SOX activities in the GRA framework presents process improvement opportunities and embeds SOX in the existing management and control framework.

Enhance Risk Management Toolkit
• Build on the SOX404 foundations to improve controls and business processes
• Full alignment with the risk-based control framework

Build on Ability to Sense and Adapt to Emerging Risks
• Integrate risk management across the organization, transform processes, delivering sustainable value
• Global processes (with SOX-embedded controls) & standard systems contribute to smarter controls & improved business performance

Continue to Address Integration Challenge
• Develop fit-for-purpose approach for AoOs currently out of SOX scope

Explicitly Address Behaviour and Corporate Culture
• Absorb “Hearts & Minds” approach from HSE
• Enable single framework based on RDS plc Set of Standards
Implementation
• FTE requirement
• Competency development
• Recruitment strategy
Questions to be answered (time stamped)
• How many FTEs, grade level and mix?
• Recruit at local vs. regional vs. DS vs. RDS level?
• Embedded in current CoB/S roles or held in a separate SOX team?
• Integration of SOX in the GRA framework/organization
• How many Shell staff vs. contractors (testing, knowledge transfer)?
• Organizational emphasis on business process instead of SOX activities
• Impact of controls framework simplification & standardization
• Implications of the roll-out of GSAP, Streamline
• Use of SSSC/Central SOX Factory
• What are the competency gaps, and is there a need to go outside for recruitment?
• Recruitment strategy
Assessing the staff numbers….

                              EP    DS    GP    Other
Group/Central                 yy    yy    yy    yy
Regional – self testing       yy    yy    yy    yy
         – QA                 yy    yy    yy    yy
AoO      – self testing       yy    yy    yy    yy
         – front line staff   yy    yy    yy    yy
                              --    --    --    --
Total                         xx    xx    xx    xx

Estimation method developed and currently being refined – RBTDA materially impacts the result. Assessment per AoO to be developed.
Framework for estimating the additional resource requirements bottom-up at different organizational levels (currently being refined)
Example: Monitor Change and Assess Impact at Regional level

1. Determine activity drivers for each process
• Volatility of industry, regulation
• Stability of strategic direction
• Maturity of organisation

2. Determine measures
• Number of major changes, e.g.: SOX regulation; organisational changes (e.g. M&A); IT systems

3. Estimate the activity driver's occurrence
• 4 major changes per year

4. Estimate time requirement per occurrence
• On average 20 man-days per major change (mainly spent on thorough risk analysis and support for OU staff)

5. Synthesize
• 4 changes × 20 man-days = 80 man-days per year = 0.4 FTE
Organisation (excl. process execution and impact of new PCAOB/SEC guidance) – First Results of Calculation Model

Activity areas (OP and EP FTE estimates*):
• Monitor change, adapt controls and documentation
• Testing
• Remediation
• Change management, communication and reporting
• Greenlight / tools
• Management and PMO
Figures as extracted from the chart (OP / EP columns, by activity area, with totals): 14 26 14 10 2 18 86 26 108 12 10 12 33 202

Position breakdown by job grade (OP view): Grade A 1%; Grade 1 4%; Grade 2 10%; Grade 3 15%; Grade 4 35%; Grade 5 35%

* Includes Regional and Global Business positions

Notes:
• All estimates are preliminary and require additional diligence.
• Definitions of activity areas have not been fully reconciled and estimates will likely shift once reconciliation occurs.
• OP has approximately twice the number of total documented controls as EP.
• EP estimates are based on bottom-up analysis – they don't yet reflect optimisation of global processes managed centrally.
• OP estimates are based on extrapolation of US estimates relative to the number of controls.
• All are FTE figures and not staff counts.
Next steps

Embedding workstreams (Sept 05)
• Assess impact of PCAOB/SEC guidance on deliverables (scoping, testing methodology, i.e. more emphasis on company-level controls, monitoring and supervisory controls)
• Finalize deliverables (job descriptions + processes)
• Draft and execute plan for implementation of “Architecture”
• Create a network of embedding managers across Businesses and Functions
• Execute gap assessment (quantity and quality of staff)
• Start recruitment and training
• Finalize recruitment strategy
• Progress behavioral agenda

Communications (Q4 05)
Culture & Behaviours
• Program
• Compliance culture
• Performance & consequence mgt
Compliant Culture & Behaviours

EP
• Will have completed a number of pilot workshops by mid-September addressing the nature of non-compliance in general in the context of the impact that has for sustainable SOX404 compliance. Based on the EP experience the programme can be tailored for use by the other Businesses/Functions.

Other Businesses/Functions
• Initial engagement workshops on this topic have been planned.

Architecture
• Prerequisite before one can meaningfully advance this agenda.
EP Compliance Opportunity Statement – preliminary HSE best practice examples
Understanding how to get where you want to go: four change levers need to be addressed to change behaviour (EPE behaviour change – input slide)

Central statement: “I will change my behaviour if . . .”

Role-modelling – “. . . I see my leaders behaving differently”
• Have the formal leaders and the informal opinion leaders embraced the change by role-modelling?

Communicating – “. . . I know what is expected of me”
• Has the who, what, why, when, and how been communicated throughout the organisation?

Developing talent and skills – “. . . I have the skills to behave in the new way”
• Have training and development programmes been altered to reflect the new desired skill set?

Reinforcing with formal mechanisms – “. . . the system reinforces the desired culture”
• Have the formal and informal policies and procedures (including compensation and appraisal) been changed to reinforce the new desired behaviours?
Appendices
1. Embedding work-stream matrix
2. Detailed activities for Process Owners and GRA
3. Draft job description
Detailed Activities for Process Owners and GRA Function – Triggered Processes
Major activities: Process Owners and GRA (cascaded roles)

Detailed Activities for Process Owners and GRA Function – Periodic Processes (1/2)
Major activities: Process Owners and GRA (cascaded)

Detailed Activities for Process Owners and GRA Function – Periodic Processes (2/2)
Major activities: Process Owners and GRA (cascaded)
The start of drafting job descriptions – examples used from Chemicals and EP Middle East