DS SOX404 Embedding Toolkit Part I: Organisation Design & Resourcing (OD&R). London 21 November, 2005. The purpose of this toolkit is to provide detailed guidance on how to deliver the Organisational Design & Resourcing requirements of the DS SOX404 Embedding workstream.
There are four key deliverables for OD&R required from AoO Embedding Focal Points:
• Confirmation of Completeness – ensure all of the detailed SOX404 activities required to achieve sustainable SOX404 compliance in your AoO are included in your Transition Organisation structure. This includes responsibilities of and support required from Controllers department, GRA function, IT and Tax.
• Detailed Resource Analysis – develop your AoO’s base Transition Organisation structure by determining the number and type of FTEs necessary to ensure the SOX404 requirements are delivered in 2006 and sustained beyond.
• Development and roll out of Resourcing Strategy – ensure that all roles and responsibilities identified as part of Deliverable 1 and 2 are resourced in an efficient and effective manner under an integrated plan. The resourcing strategy will provide essential input into your AoO’s Knowledge Transfer and Training plan.
• Timely feedback of issues, risks, concerns, and learnings to the DS Embedding team via the Regional EFPs to ensure maximum efficiency in resolution, integration and sharing of learnings.

• You should have received and reviewed the “Introduction to DS SOX404 Embedding – Organisation Design & Resourcing” slide pack
• The guidance in this toolkit will assist you to achieve the key deliverables
• The Knowledge Transfer & Training team will send a complimentary KT&T toolkit to assist with transfer of knowledge from the project and ensure competency gaps are identified and adequately addressed
• Regional EFPs will communicate any additional Deliverables specific to your Region to ensure maximum synergy is achieved by Country/Region.
The following table summarises the Actions, Supplementary Information provided and Due Date for each Key Deliverable
SECTION A
Deliverable 1: Confirmation of Completeness
• Review background information (slides 5-7)
• Review RASCI (slide 8) in conjunction with detailed activities in Appendix (slides 17-28)
• Relate RASCI and detailed activities to own AoO (highly recommended that AoO RASCIs are developed). Key Stakeholder engagement necessary
• Complete Completeness checklist (e-mail attachment) and return to OD&R team
The SOX404 management process* defines the specific activities that need to be executed by your AoO; these have been allocated to SOX404 roles in order to determine SOX404 responsibilities.

The Role of the SOX404 Process Owner in DS
• The Shell SOX404 methodology outlines the role of SOX404 Process Owners. A SOX404 Process Owner is the individual who is responsible for the end-to-end SOX404 financial process (control register) in an AoO and as such is required to sign off on all of the SOX404 controls that exist within that financial process (as per GreenLight).
• The structure of the DS organisation is such that a SOX404 Process Owner role, as described above, typically does not currently exist. There is no single point SOX404 process owner accountability for each SOX404 financial process (control register) that has been captured in Greenlight.
• Consequently, for the purposes of Embedding, the responsibilities which would ‘normally’ be taken up by SOX404 Process Owners have been reallocated to other key roles within the SOX404 process (i.e. Control Owners, AoO CoB/S Leaders). This has been reflected in the RASCI charts and Detailed SOX404 activity descriptions in this toolkit.

When determining how SOX404 roles and responsibilities will interact/integrate with business roles, it is critical that due consideration be given to the relationship with the DS CoB/S Global Process Owners and their respective requirements.

*Refer Appendix pages 15 & 16

Section A: Deliverable 1
DS SOX404 AoO Roles

The SOX404 Control Owner is the person responsible for
• ensuring the control design is fit-for-purpose for the mitigation of the associated financial process risk
• updating and maintaining the control description and required documentation in GreenLight
• ensuring that the control is executed in accordance with the design and is operating effectively
• “locking” the control in GreenLight to trigger the sign-off process.

The SOX404 Control Executor is the person responsible for
• operating the control in accordance with control design
• advising the Control Owner of operational changes that may impact the effectiveness of, and/or require updates to, the design of the control

On an exception basis, the Control Owner and Control Executor can be the same person.

DS SOX404 AoO Greenlight Sign-off requirements

First Sign Off: is each CoB/S Leader in an AoO who must sign off for all SOX404 controls within their CoB/S at an AoO level. Consequently, the First Sign Off may comprise several signatures.

Second Sign Off: is the AoO Controller (who typically will also be the Country Controller for DS) who must sign off for all SOX404 controls at an AoO level. Consequently, the Second Sign Off will have only one signature.
RASCI charts have been used to clearly assign the SOX404 activities to the SOX404 roles using Role Codes.

Role Code characteristics
• (R) Responsible (to get it done) – the person in this role is responsible for initiating the activity and ensuring it is carried out as intended. May or may not be directly involved in performing the activity. Only ONE person is assigned this role per activity to ensure single point accountability and clarity of ownership.
• (A) Accountable/Approval (right to veto) – the person in this role is the ultimate owner of the activity and therefore has the right to influence the activity. Approval may be required of more than one person.
• (S) Support – the person in this role must provide required support in order for the activity to be executed. Support may be required of more than one person.
• (C) Consult – the person in this role has valuable information, insights or experience and should be sought out by (R) for two-way communication. Consultation may be required of more than one person.
• (I) Inform – the person in this role is a key stakeholder who must be kept informed of progress and/or changes by (R) responsible person.

[Figure: RASCI Chart Design; label: Roles]
SOX404 AoO Transition RASCI* developed by DS for AoO customisation

[Figure: RASCI chart; labels: DS AoO, AoO Controller, CoB/S Leader, Roles, Responsibilities]

• The OD&R team highly recommend that you adapt the RASCI chart provided to correctly reflect your AoO
• Use the SOX404 detailed activity lists in the Appendix (pages 17-28) to ensure all required AoO SOX404 activities have been accounted for in your AoO
• It is critical that you advise the OD&R team if there are SOX404 activities listed that you believe should not be the responsibility of your AoO
• It is also critical that you advise the OD&R team if you believe the SOX404 activity list is incomplete for your AoO.

* Refer e-mail attachment for RASCI charts by AoO Risk Level
SECTION B
Deliverable 2: Detailed Resource Analysis
• Review background information (slides 10-11)
• Review Resource Calculator Tool guidelines (e-mail attachment)
• Complete Resource Calculator Tool for AoO and return to OD&R team
• Complete Resource Analysis checklist (e-mail attachment) and return to OD&R team
The first step in the resource analysis process is to assess the total SOX404 workload in your AoO using the Resource Calculator tool*

Incremental Workload Assessment
• The SOX404 process requires new activities to be performed in an AoO in order to meet the requirements of the RDS SOX404 methodology.
• The OD&R team need to assess the impact of these activities in every in-scope AoO in order to ensure there are adequate resources in place to meet all SOX404 requirements during 2006, and on an on-going, sustainable basis in the future.
• A Resource Calculator tool, with detailed guidance, has been developed which, based on specified inputs and assumptions, will calculate the FTE impact of SOX404 activities on your AoO.
• The calculated FTE number will need to be further analysed against the ability of the AoO to absorb the activities during 2006, and in the future. Two possibilities exist: 1) the increased workload can be absorbed by existing staff, or 2) new resources need to be engaged to perform all activities.
• The Resource Calculator tool takes into account where the AoO is on the ‘SOX404 learning curve’ today.
• The Resource Calculator tool does NOT take into account any additional FTE requirements which result from SOX PROJECT-specific activities which need to be delivered during 2006 and are performed by Project-staff.

*Refer to e-mail attachment

Section B: Deliverable 2
The calculated Total SOX404 Workload FTE may not directly translate into incremental full time positions within an AoO
• If an AoO disagrees with Total FTE workload as calculated by the tool, then please advise OD&R team ASAP
• The FTE scenarios are critical input into the Resourcing Strategy and Knowledge Transfer & Training plan
• Other FTE scenarios may exist for your AoO. Please ensure OD&R team are aware of all variations
• It is essential to consider the sustainability of absorption of SOX 404 activities
• The results of Deliverable 1 need to be given due consideration when determining resource requirements
• Interim positions could be filled by existing project resources

Total SOX404 Workload (in FTE) (output from Resource Calculator)

Part of Total Workload Absorbed By Existing AoO Positions
Of the Total Workload, identify the part that can be absorbed by existing AoO positions:
• Absorbed as capacity exists in current positions (e.g. through creation of efficiencies)
• Absorbed as capacity created by transferring some existing responsibilities to other positions

Total Incremental Workload

Total Full Time New AoO Positions
• Permanent Positions: expected to be in place for >4 years
• Full Time Temporary Positions: expected to be in place between 1 and 4 years
• Interim Positions: supporting, and expected to be in place less than 1 year

Fragmented Workload: Combined and/or Part Time Positions
• Combined/Part Time within AoO
• Combined within Country
• Combined within Region
• Combined within Business

NOTE: the Total SOX404 Workload FTE from Resource Calculator excludes SOX404 Project FTEs which may be required in 2006 to deliver the 2006 Project requirements
SECTION C
Deliverable 3: Resourcing Strategy
• Review resourcing actions (slide 13); key stakeholder engagement necessary
• Complete Resourcing Strategy checklist (e-mail attachment) and return to OD&R team
The results of Deliverables 1 & 2 require a robust Resourcing Strategy to ensure that the AoO has a Transition Organisation in place which can deliver the SOX 404 requirements in 2006 and beyond
• Understand HR requirements for changing existing and creating new roles
• Identify and involve HR Focal Point
• Obtain generic SOX404 job descriptions prepared by Central SOX404 Embedding team
• Engage with KT&T* Team to understand deliverables and toolkit support available
• Ensure AoO Recruitment plans are integrated as necessary with country/region/business recruitment plans

Actions for Resourcing Strategy, by Results of AoO Resource Analysis

Total Workload (in FTE) Absorbed By Existing AoO Roles
• Update job descriptions of existing AoO roles to cover SOX 404 responsibilities
• Update job descriptions of existing roles to remove responsibilities to ensure sustainability of SOX 404 requirements
• Identify where removed responsibilities will be transferred to, and update job descriptions as appropriate.
• Allocate individuals to appropriate stakeholder category as required by KT&T* plan

Total Workload (in FTE) Full Time New AoO Roles
• Identify key roles for immediate focus
• Prepare AoO recruitment plan (all steps necessary for OR) and timeline for Permanent and Temporary positions (recommend to work back from required ‘resource-on-seat’ date)
• Identify Interim positions available from current project pool, and sources of other interim resources
• Ensure interim resources are available to adequately cover time required for OR process

Total Workload (in FTE) Combined and/or Part Time Roles
• Inventorise responsibilities of existing positions and adjust so as to cover fragmented workload where possible
• Identify if fragmented workload can be combined with positions performing similar activities for other AoOs or Countries
• Assess creation of Part-Time positions and prepare recruitment plan as necessary
• Liaise with Region EFP to agree strategy for pooling (Country, Region, Business) and where single point accountability for pooled teams will sit.

* Knowledge Transfer & Training

Section C: Deliverable 3
One global SOX404 management process has been developed by the Central SOX Project team, and endorsed by all businesses

Key Process Steps
[Diagram labels: Triggered, Periodic, Retest, Off cycle]

Monitor change and assess impact
• Capture change to:
  • Processes
  • Environment
• Perform basic risk screening

Assess Scope
• Perform Risk-based scoping
• Re-evaluate in-scope and out-of-scope accounts, entities and key controls
• Off-cycle: Change and event driven re-scoping (e.g., M&A, new site, BCIs)

Adapt controls & documentation
• Based on changes to testing and documentation scope:
  • Adapt/implement/remove controls
  • Update documentation
• Test design effectiveness
• QA

Plan & Perform Self Testing
• Create Risk-based, integrated plan
• Enter data in Greenlight
• Analyse and report results
• Execute roll-over testing when necessary
• QA

Plan Remediation & Remediate Deficiencies
• Prioritize based on materiality
• Remediate at Process-level
• Synthesize at Higher level
• Monitor and report progress
• QA

Management Assessment
• Quantify, aggregate and analyse
• Perform full quarterly review
• Perform regular ongoing review and escalation of key issues
• Report upward and communicate downward
• Sign-off Greenlight (quarterly)
• Sign off at all hierarchical levels

IAF
• Review design effectiveness
• Perform QA & targeted testing of operational effectiveness
• Populate Greenlight
• Analyse and report results
The SOX404 process is underpinned by supporting processes

The SOX404 Support Processes

People Processes
• Establish leadership agenda and tone at the top
• Manage communication
• Build skills and capabilities including recruitment, training, behaviour
• Align with recognition systems and consequence management

Maintain Methodology
• Assess regularly whether updates are required
• Perform and communicate updates

Provide tools
• Establish IT infrastructure
• Maintain Greenlight
• Maintain EUC administration requirements
• Provide other supporting IT
• Create and maintain guidelines and manuals
Key Roles in the SOX404 Process steps (1/7): Monitor change and Assess impact – Major Activities
Key Roles in the SOX404 Process steps (2/7): Assess Scope – Major Activities
Key Roles in the SOX404 Process steps (3/7): Adapt Controls and Documentation – Major Activities
Key Roles in the SOX404 Process steps (4/7): Plan and Perform Testing – Major Activities
Key Roles in the SOX404 Process steps (5/7): Plan Remediation and Remediate Deficiencies – Major Activities
Key Roles in the SOX404 Process steps (6/7): Management Assessment – Major Activities
Key Roles in the SOX404 Process steps (7/7): IAF – Major Activities
Key Roles in the SOX404 Support Processes (1/5): People Process: Leadership Agenda and Tone at the Top – Major Activities
Key Roles in the SOX404 Support Processes (2/5): People Process: Manage Communications – Major Activities
Key Roles in the SOX404 Support Processes (3/5): People Process: Build Skills and Capabilities – Major Activities
Key Roles in the SOX404 Support Processes (4/5): People Process: Align with Recognition Systems and Consequence Management – Major Activities
Key Roles in the SOX404 Support Processes (5/5): Maintain Methodology; Provide Tools – Major Activities

Note: The control organisation (i.e., AoO Controller in AoO) is accountable for SOX404 activities and compliance; IAF is not mentioned in this activity overview