Project Update
David Crawford, Audit Manager Emeritus, UT System; OCEG Steering Committee
Scott L. Mitchell, Chairman & CEO, smitchell@oceg.org
OCEG® is a 501(c)3 nonprofit that provides standards, guidelines, benchmarks and online resources to help organizations drive performance and integrity through improved governance, risk management, and compliance processes.
Agenda
• OCEG Mission & Brief History
• OCEG Framework Overview
• OCEG Evaluation & Benchmarking
• Q&A
(c) Open Compliance & Ethics Group
What is OCEG?
OCEG is a nonprofit that helps organizations drive performance and enhance their corporate culture by integrating governance, risk management, and compliance processes via:
• Guidelines & Standards
  • Process standards (key concepts, components and terminology)
  • Technical standards (key systems and integration points)
  • Both high-level and detailed guidance
• Evaluation Criteria & Metrics
  • Effectiveness & performance evaluation (suitable criteria)
  • Reporting & disclosure guidance
  • Free tools & technologies
• Community of Practice
  • Discover, create and evolve guidelines
  • Use online tools & resources
  • Place for multiple disciplines to collaborate and drive adoption of the framework
Governance, Risk Management, Compliance & Culture (GRC + C)
• GOVERNANCE: capability to set and evaluate performance against objectives; authorize a business strategy and model to achieve objectives while staying within mandated (legal) and voluntary boundaries
• CULTURE: mindsets of individuals and an organizational climate that promotes ethics, integrity, respect, trust and accountability while driving corporate performance
• RISK MGT: capability to proactively identify, rigorously assess and address potential obstacles to achieving objectives, and the risk that the organization will step outside of mandated (legal) and voluntary boundaries
• COMPLIANCE: capability to proactively encourage compliance with established policies and boundaries; the ability to detect noncompliance; and the ability to respond accordingly
Integration
OCEG brings together multiple disciplines and professions to collaborate and pursue a common objective:
• Governance
• Risk Management
• Compliance / Legal Management
• Human Capital Management
• Change Management
• Ethics Management
• Internal Audit
• Quality Management
• Project Management
• Underwriters
• Creditors
• Ratings Agencies
• Board Members
• Investors
Advisory Board
• B. Charles Ames, Co-Chair, OCEG Advisory Board; Vice-Chair, Clayton, Dubilier & Rice
• Alex Brigham, Co-Chair, OCEG Advisory Board; President and CEO, Corpedia Education
• Ray J. Groves, Co-Chair, OCEG Advisory Board; Former CEO, Ernst & Young
• Scott L. Mitchell, Chairman and CEO, OCEG; President and CEO, DoubleDrum Capital
• Ron Berenbeim, Director of Ethics Research, The Conference Board
• Alfred Berkeley, Former Vice-Chair, NASDAQ
• Beth Brooke, Vice-Chair, Ernst & Young
• John J. Castellani, President, The Business Roundtable
• Miles Everson, Partner and U.S. Practice Leader, Governance, Risk & Compliance, PricewaterhouseCoopers
• Charles Elson, Executive Director, Center for Corporate Governance, University of Delaware
• Bob Felton, Managing Partner for Corporate Governance Practice, McKinsey & Co.
• Jean FitzSimon, General Counsel, Whitehall, Inc.
• Stephen J. Friedman, President of the Practising Law Institute; former Commissioner of SEC; President, Pace Law School
• Peter Gleason, COO, National Association of Corporate Directors
• Jack Hampton, Executive Director, The U.S. Risk and Insurance Management Society
• Joseph Hardiman, Former CEO, NASD and NASDAQ; former President of Alex Brown
• David Heller, Chief Compliance Officer, Qwest
• Jack Kemp, Chairman, Corporate Diagnostics; former US Congressman, Cabinet Secretary and VP Candidate
• Jack Jennings, Vice President, Hobbs Group; Executive Advisory Council of St. John's University
• Richard Koppes, Of Counsel, Jones Day; Co-Chair of Stanford Law School Executive Education; former General Counsel and Deputy Officer of CalPERS
• Peter Kreindler, General Counsel, Honeywell International, Inc.
• Patricia Leonard, COO, American Management Association
• Lee Dittmar, Partner, Governance, Deloitte Consulting
• Andrall E. Pearson, Founding Chairman, Tricon
• Joseph J. Plumeri, Executive Chairman and CEO, Willis Group Holdings LTD
• Ned Regan, Former President, Baruch College; former Comptroller, State of New York
• Gerald Rosenfeld, CEO, Rothschild
• Doug Shulman, President, NASD Regulatory & Compliance Services
• Richard Steinberg, Author, COSO Internal Control & COSO ERM; Partner, Steinberg Governance Advisors
• Gabe Shawn Varges, Chief Compliance Officer, Zurich Financial Services
• Christopher E. Watson, Chairman and CEO, Gulf Insurance
Key Partners
• Institute of Internal Auditors (IIA)
• ISACA (author of COBIT)
• American Institute of Certified Public Accountants (AICPA)
• Practising Law Institute (PLI)
• Ethics Resource Center (ERC)
• The Business Roundtable
• The Conference Board
• Association of Corporate Counsel (ACC)
• ABA (various sections)
• Risk and Insurance Management Society (RIMS)
• National Association of Corporate Directors (NACD)
• American Society of Corporate Secretaries (ASCS)
• National Association of Pension Plan Attorneys (NAPPA)
• and others…
Steering Committee
• Trent Gazzaway, Co-Chair, Steering Committee; Partner, National Director of Corporate Governance, Grant Thornton
• Pat Harned, Co-Chair, Steering Committee; Acting President, Ethics Resource Center (ERC)
• Richard X. Fisher, Co-Chair, Steering Committee; Associate General Counsel, Compliance, Sears, Roebuck & Company
• Worth MacMurray, Co-Chair, Steering Committee; Principal, Compliance Initiatives; former Chief Compliance Officer, Peregrine Systems
• Lynn Brewer, President, The Integrity Institute, Inc.; Author, "Confessions of an Enron Executive"
• Brian S. Chevlin, Deputy General Counsel, Unilever United States, Inc.
• David Childers, President and CEO, EthicsPoint, Inc.
• Andrew Cohen, Senior Counsel and Director, EMC Corporation
• David Crawford, JD Systems; Audit Manager Emeritus, University of Texas Systems; author of “Effective Compliance Systems: a Practical Guide for Educational Institutions”
• Joe DeFeo, President, Juran Institute
• Carlo DiFlorio, Senior Manager, PricewaterhouseCoopers
• Marjorie W. Doyle, Associate General Counsel and Chief Compliance Counsel, Dupont; Corporate Compliance Committee, Dupont
• Jean FitzSimon, Principal, Bridge Associates LLC
• Bruce Gamble, Trustee, DC Pension Plan
• Holly Gregory, Partner, Weil Gotschall
• Richard Gruner, Professor, Whittier Law School; member, Ad Hoc Committee for Federal Sentencing Guidelines for Organizations
• Odell Guyton, Senior Corporate Attorney / Director of Compliance, US Legal-Finance & Operations, Microsoft
• Susan Hackett, Senior Vice President and General Counsel, Association of Corporate Counsel (ACC)
• Dave Heller, VP Risk Management and Chief Compliance Officer, Qwest
• Michael Horowitz, Partner, Cadwalader, Wickersham & Taft; member, United States Sentencing Commission (USSC)
• Lisa Kuca, Director of Corporate Compliance, Corporate Integrity Services, Inc.; member, Ad Hoc Committee for Federal Sentencing Guidelines for Organizations
• Sally LaFond, Attorney, Hogan & Hartson
• Sandford Liebesman, PhD, Principal, Sandford Quality Consulting
• Evan Long, Vice President, Marsh, Inc.
• Douglas Lankler, Associate General Counsel and Chief Compliance Officer, Pfizer
• Jay Martin, Partner, Winstead, Sechrest & Minick
• Gary Mathiason, Partner, Littler Mendelson
• Erich Merrill, Partner, Miller Nash
• John F. Morrow, CPA, Vice President, AICPA
• Jim Nortz, Vice President, Business Ethics & Compliance, Adecco
• DeWitt Rogers, Partner, Troutman Sanders; founder, The Carter Center Council of Ethical Business Practices; former board member, Transparency International (USA)
• Scott Roney, Vice President, Corporate Compliance and Regulatory Affairs, Archer Daniels Midland (ADM)
• John Skousen, Corporate Compliance Officer, Peregrine Systems, Inc.
• Mike Evans, Partner, Ernst & Young
• Richard Steinberg, Founder, Steinberg Governance Advisors; former Corporate Governance Practice Leader, PwC; Author, COSO Internal Control / COSO ERM
• Dan Swanson, Assistant Vice President, Professional Services, The Institute of Internal Auditors (IIA)
• Ken Thrasher, CEO, Compli
• Dan Untch, Director of Compliance and Integrity, Caremark, Inc.
• Gabe Shawn Varges, Chief Compliance Officer, Zurich Financial
• Thomas Allman, Senior Counsel, Mayer, Brown, Rowe & Maw; former General Counsel, BASF
• Ted Banks, Senior Counsel, Kraft USA
• James Barrett, Partner, Latham & Watkins
• Carol Basri, President, Corporate Lawyering Group LLC; Member, PLI Corporate General Counsel Advisory Committee; Co-Chair, PLI Corporate Compliance Institute
• Ronald Berenbeim, Director of Ethics Research, The Conference Board
• Jim Bliss, President, Governmental Interinsurance Exchange and Bliss McKnight, Inc.; member of the Council, Tort Trial and Insurance Practice Section, American Bar Association
Leadership Council
• Aon*
• Archer Daniels Midlands
• Axentis
• Baker Hughes
• Cisco
• Corpedia Education*
• Dell*
• Deloitte*
• DuPont
• Ernst & Young*
• EthicsPoint*
• Freddie Mac
• Gevity
• Global Compliance Services*
• Grant Thornton*
• Interactive Alchemy*
• Littler Mendelson*
• LRN*
• Lyondell Chemical
• Marsh*
• Microsoft*
• Open Pages
• PETCO
• PricewaterhouseCoopers*
• Qwest*
• Roche Diagnostics
• Staples
• Sun Microsystems
• The Integrity Institute*
• Unilever
• Wachovia Corporation
• Wal-Mart
• Others pending…
* Indicates founding member
Technology Council
All Leadership Council members plus:
• Axentis
• Approva
• Hyperion
• Hyland
• Intuition
• Jefferson Wells
• Navigant
• Open Pages
• The Network
• MySafeWorkplace
• Listen Up Group
• Sun Microsystems
Objectives
• Increase understanding of how to apply technology
• Reduce risks/cost of implementation
• Reduce risks/cost of integration
Approach
• Solution providers + end-users
• Open process
Deliverables
• OCEG Reference Architecture
• OCEG Working Group Strategy
First Working Group announced 7/19: “Whistleblower Hotlines/Helplines”
Hotline/Helpline Working Group
• EthicsPoint*
• Global Compliance Services*
• The Network*
• Listen Up Group
• My Safe Workplace
• Micron
• AES
• ITT
• University of Texas
• Microsoft
• ADM*
• Qwest
• Gap
• Goodrich
• Starbucks
• PETCO
• Wal-Mart
• Wachovia*
• EthicsSA
• Catholic Health
• Staples
• GA Technical Institute
• Ernst & Young
• Better Business Bureau
• Lucent*
• ERC
• RadioShack
• CIBC
• Interpublic Group
• Johnson Controls
• Countrywide Financial
• Delphi Group
• …and others
* Indicates co-chair
Big Picture
Criticism…
Risk Management / Compliance are the departments of NO
…Response
The fastest cars have the best brakes
Go, Steer… AND Brake
GO – STEER – BRAKE
Historically, 99% of business investment is focused on “Go” and “Steer”.
“Brakes” are a critical component to executing strategy and realizing long-term value.
Big Picture
All organizations need a capability or “program” to ensure that business is conducted within boundaries and that obstacles are appropriately addressed.
Current Situation
Fragmented, piecemealed, no common ground: Sarbanes-Oxley, Federal Sentencing Guidelines, Antitrust, Risk Management, FDA, OCC, OFHEO, DOJ (Thompson Memo), DII, DOL, Export Controls, GRI, EPA, ISO, FCPA, SEC, Enhanced Business Reporting, 6σ, OSHA, XBRL, COSO Internal Control, USA PATRIOT, HHS, COSO ERM, Anti-Money Laundering, Quality Management, Basel II, Listing Agencies, Human Capital Management, Privacy, Data Security, Treasury
OCEG Framework
The OCEG Framework provides a common operational approach to address governance, risk management and compliance issues:
• Integrates areas of commonality, overlap and best practices into a baseline foundation
• Ensures alignment with important existing and emerging standards / frameworks
UNIFY & SIMPLIFY
Analogy to Nature and Science
• The Human Genome Project – completed 2003 after 13 years
• 20,000–25,000 genes identified and mapped
• Determined the sequences of 3 billion chemical base pairs making up human DNA
• Has changed everything, making biology the science of the 21st century
• Risk assessments, prevention, and cures
Analogy to Nature and Science
• Identifying compliance practices – classifying them
• Thousands of guidelines – tens of thousands of practices
• A common model – technologically enabled
• Compliance becomes the biology of the 21st century
• Risk assessment, prevention, and corrective action (cure or litigation defense)
OCEG Framework
• Company: companies can build on top of these models to customize and configure their capability to address unique requirements
• Domains: domains provide topical or industry-specific information that integrates with and assumes the OCEG Foundation is in place
• Foundation: the Foundation describes common elements of an effective program that integrates the principles of good corporate governance, risk management, compliance and ethics/culture
OCEG Foundation (detailed view of the Foundation layer, beneath Company and Domains)
CULTURE – ORGANIZATION – PROCESS – TECHNOLOGY
OCEG Conceptual Framework – Foundation
Inputs (translate, integrate, simplify):
• Federal Sentencing Guidelines
• DOJ Thompson Memo
• Sarbanes-Oxley
• SEC 21(a) Enforcement Decisions
• Caremark & Abbott
• COSO Internal Control
• COSO ERM
• ISO 9000 series
• Various regulatory frameworks and guidance (e.g. HHS)
• Various CSR frameworks and guidance (AA1000, SA8000, etc.)
• Various governance guidance
Outputs:
• Practical & actionable guidance
• Suitable assessment criteria
OCEG Foundation
• CULTURE
• ORGANIZATION
• PROCESS: PLAN / ORGANIZE; PREVENT / PROTECT / PREPARE; MONITOR / DETECT / EVALUATE; RESPOND / IMPROVE
• INFORMATION / COMMUNICATION
• TECHNOLOGY
OCEG Foundation
CULTURE
• C1 – Ethical Culture
• C2 – Risk Culture
• C3 – Governance Culture
• C4 – Workforce Culture
ORGANIZATION
• O1 – Leadership & Champions
• O2 – Oversight Personnel
• O3 – Strategic Personnel
• O4 – Operational Personnel
PROCESS
• PLAN / ORGANIZE
  • PO1 – Scope & Objectives
  • PO2 – Business Model & Context
  • PO3 – Boundary Identification
  • PO4 – Event Identification
  • PO5 – Risk Assessment
  • PO6 – Program Design & Strategy
• PREVENT / PROTECT / PREPARE
  • PR1 – Controls, Policies & Procedures
  • PR2 – Code of Conduct
  • PR3 – Training & Education
  • PR4 – Workforce Management
  • PR5 – Physical Infrastructure
  • PR6 – Risk Sharing & Insurance
  • PR7 – Preparedness & Practice
• MONITOR / DETECT / EVALUATE
  • Ongoing monitoring
    • M1 – Control Assurance & Audit
    • M2 – Hotline & Helpline Reporting
  • Periodic evaluation
    • E1 – Evaluation Planning & Reporting
    • E2 – Effectiveness Evaluation (DE, OE)
    • E3 – Program Performance Evaluation
• RESPOND / IMPROVE
  • R1 – Issue Management
  • R2 – Special Investigations
  • R3 – Crisis Response
  • R4 – Discipline & Disclosure
  • R5 – Remediation & Improvement
INFORMATION / COMMUNICATION
• I1 – Information & Records Management
• I2 – Communication
• I3 – Internal Reporting
• I4 – External Reporting & Filings
TECHNOLOGY
• T1 – Technology
OCEG Foundation
• Public Draft available May 2004
  • 5,000+ downloads
  • 100+ organizations and individuals provided feedback
  • 50+ person Steering Committee vetted the draft and the comments
• Application Draft available April 30, 2005
  • 10,000+ downloads
  • Organizations of all sizes invited to beta test the OCEG Foundation to ensure that the guidelines are:
    • Practical
    • “Implementable”
    • Usable
    • Measurable
  • OCEG studied implementation at:
    • Dell
    • DuPont
    • Staples
    • ADM
    • Gevity
    • Wachovia Bank
• Final Draft forthcoming
OCEG Framework
• Company: companies can build on top of these models to customize and configure their capability to address unique requirements
• Domains: domains provide subject- or industry-specific information that integrates with and assumes the OCEG Foundation is in place
• Foundation: the Foundation describes common elements of an effective program that integrates the principles of good corporate governance, risk management, compliance and ethics/culture
Illustrative Example (detailed view of Domains, between Company and Foundation)
Risk Area Domain Guidelines identify a number of areas to which most organizations are exposed. Each organization is unique and will focus on specific domains as appropriate.
Domains:
• governance
• employment
• financial assurance / anti-fraud
• information management
• intellectual property
• environmental
• international dealings
• competitive practices
• product quality / safety
• workplace health / safety
• government dealings (USA)
Employment Domain Supplements:
• Compensation
• Executive Compensation
• Workplace Violence
• Benefits
• Anti-Harassment
• Anti-Discrimination
• Contingent Workforce
• Hiring / Retention
• Termination / Reduction
• Employment Information Privacy
• Accommodation / Leave
• Labor / Collective Bargaining
• Global Mobility / Immigration
• Anti-Retaliation / Whistleblowing
• Employment Torts
NOTE: Industry Sector Domain Guidelines are currently in the planning phase.
Key Principles
• Do no harm
• Practical & usable
• One size does not fit all
  • Customizable for company-specific attributes
    • Size
    • Industry
  • Applicable at the macro- or micro-level
    • Department / Function
    • Business Unit
    • Enterprise
    • Extended Enterprise
• Integration of:
  • governance, risk management, and compliance (GRC) processes
  • GRC with corporate culture and ethics
  • GRC with broader enterprise processes
  • best practices from multiple disciplines and professions to discover a well-rounded model
OCEG Unique Benefits
• Reduced cost & increased performance
  • Design and implementation
  • Evaluation and benchmarking
• Arms-length objective standard (suitable criteria)
• Open & public vetting process
Development Process
1. Assemble the right team to develop and review the product in a controlled environment
  • Assemble full working group
  • Break into subgroups (optional)
  • Analyze and consolidate findings
  • Circulate “controlled drafts” (version 0.1 – 0.4)
  • Co-chairs direct work product and schedule; review board works with co-chairs to make final decisions; general members participate in the process
2. Solicit public feedback so that the work product is complete and correct
  • Analyze internal feedback
  • Post “public exposure draft” (version 0.5 – 0.8)
3. Analyze and integrate public feedback, and encourage individuals to implement the product in a real environment and provide feedback from actual use so that the product is practical
  • Analyze public feedback
  • Post “application draft” (version 0.9)
4. Analyze and integrate feedback from those organizations that actually used the product, and publish a final draft
  • Analyze application feedback
  • Post “final draft” (version 1.0)
OCEG Unique Benefits
• Reduced cost & increased performance
  • Design and implementation
  • Evaluation and benchmarking
• Arms-length objective standard (suitable criteria)
• Open & public vetting process
• Cross-industry / cross-functional / cross-discipline
• High-level and detailed guidance
• Technology
Evaluation & Benchmarking
OCEG Guidelines
• E1 – Evaluation Planning & Reporting
  • Objectives
  • Privilege
  • Audience
  • Type and staff
  • Strategy, design and authorization
• E2 – Effectiveness Evaluation
  • Design effectiveness
  • Operating effectiveness
  • Outcome effectiveness
• E3 – Performance Evaluation
  • Effectiveness (from above)
  • Efficiency
  • Responsiveness
Evaluation (Effective – Responsive – Efficient)
• Effective
  • Design
  • Operation
  • Outcome
• Responsive
  • Fast / cycle-time
  • Flexible
• Efficient
  • Financial capital
  • Human capital
Effectiveness
• Design effectiveness
  • Coverage metrics
    • % key risks addressed
    • % key requirements addressed (and how)
    • Depth of coverage (policy vs. training vs. technology)
  • % controls added or modified due to remediation – EXCEPTION REPORTING
• Operational effectiveness
  • % controls operating as designed when tested
  • % controls modified due to remediation
• Impact / outcome
  • Total loss (fines, penalties, judgments, etc.)
  • Total instances and types of significant noncompliance (and where)
  • % anonymous reports
  • Workforce perceptions (see next page)
  • Impact on enterprise objectives
    • New revenue
    • Reduced costs / loss
    • Talent retention
    • Reputation (customers, partners, employees, regulators)
Workforce Perceptions
• 360-degree view
  • Board members
  • Executives
  • Managers
  • Supervisors
  • Staff
• About
  • Observing noncompliance
  • Reporting noncompliance (and reasons why not)
  • Feeling comfortable raising issues
  • Ethical behavior of workforce (all levels)
  • Feeling pressure from supervisors / management
• Considerations
  • Constant contact with workforce… but don’t burn them out
  • Anonymous… but collect enough info to make it actionable
  • Collect information up and down
Performance
• Key effectiveness metrics
  • Hotline & investigation metrics (what are the most important issues)
  • Culture metrics
  • Loss metrics
• Efficiency
  • Financial capital (total system costs and segmented costs)
  • Human capital (executive time and non-executive time)
• Responsiveness
  • Cycle time from noncompliance to detection
  • Cycle time from detection to resolution
  • Cycle time to integrate new business into compliance program strategy
  • Cycle time to roll out new aspect of the program (address new requirement)
OCEG.online Portal
All of the information is contained in the OCEG.online Portal, where it can be accessed, sliced, and diced as appropriate.
Get Involved
• Leadership Council
  • Shape the debate and standards
  • Drive the process and schedule
  • Advanced access to tools, resources and advice
• Organizational Subscription
  • Use guidelines and standards
  • Participate in the debate and development
  • Access to tools, resources and advice
• Domain Development
  • University Working Group
  • University Benchmarking Group
University
• Guideline Working Group
  • Objectives
    • Supplement OCEG Foundation to address university issues
    • Define University Domain Supplements and related guidelines
  • Timeframe
    • Organize (June)
    • Work (July – November)
    • Finalize (December)
• Benchmarking Working Group
  • Objectives
    • Enhance understanding of university programs
  • Timeframe
    • Organize / survey design (May)
    • Data collection (June)
    • Analysis (July – August)
    • Report (September)
Q&A