Turning Compliance into Opportunity: How to Leverage Regulatory Requirements to Create Other Efficiencies
Karen Kronauge, CIA, MBA, Director of policyIQ®, Resources Global Professionals

Some Numbers to Ponder:
• 20 – New laws enacted throughout the world in the 2 years following 9/11 that impact how organizations gather and disseminate information
• 5.8 – US dollars, in billions, estimated to be spent in 2005 alone on compliance with the Sarbanes-Oxley Act of 2002*
• 2 – Primary reasons to address governance: mitigation of risk, and optimization of operations
• 1 – The maximum number of additional years that non-accelerated filers recently received to comply with the Sarbanes-Oxley Act of 2002
* Estimate by AMR Research
Common Threads:
• Identification of business risks
• Documentation of business processes
• Systems to house the information centrally – knowledge management

1. Enterprise Risk Management (ERM)
[Diagram: business risks (Risk1–Risk5) mapped to the controls that address them (Control1–Control7)]

Metcalfe's Law for Enterprise Content Management
[Chart: value of the network plotted against people and connections; Value of network = Connections²]

2. Documentation of Business Processes (incl. policy)
3. Knowledge / Content Management System
• Increases productivity and accuracy
• Automates business processes
• Replaces paper
• Reduces liability
Problems occur when one or more of the following are present:
• Failure to plan for a multi-regulatory environment
• Little rationalization of the various regulations (e.g., SOX with the EU Data Protection Directive, GLB, HIPAA, new exchange rules, etc.)
• Focus on IT policies and procedures, without a detailed understanding of whether the systems are in compliance with the policies
  • Leads to regulatory non-compliance and charges of deceptive practices
• Failure to adequately inventory the key information systems and extended-entity IT sharing relationships
  • Collecting and documenting all key application and general computer controls, and how information is shared with affiliates, subsidiaries, and joint ventures
• Focus concentrated only on mapping financial line items to control activities, without consideration of IT infrastructure and COSO entity-level controls

Content Management Infrastructure Alternatives:
Low-Tech
• Binders and manuals
• Hard-copy documentation
Mid-Tech
• Intranet site
• E-mail
High-Tech
• Policy management software
• Knowledge management platforms
Which does your company use? How easy is it for you to communicate changes in policy or procedure?
Defining "Content Management"
The content management process is a continuous cycle similar to the sales, expenditure, and payroll cycles.
[Diagram: the Content Management Process cycle – Authoring, Review, Publication, Communication, Compliance, Revision]

Effective Content Management
The Effective Content Management best practice consists of 10 steps positioned throughout the policy management process:
• Delegate Responsibility
• Control Issuing Authority
• Be Clear and Concise
• Organize Logically
• Provide Central Access
• Document Changes
• Communicate Updates Timely
• Document & Test Compliance
• Force Periodic Review
• Encourage Feedback
Be clear and concise – Make the content easy to read and understand
Define: • Shorter is better • Separate policy from procedure
Benefits: • Easier to update • Easier to share between activities and departments • Faster to find information
Challenges: • Sharing content requires a management process • Building a "puzzle"

Delegate responsibility – Delegate responsibilities and empower employees to develop content
Define: • Remove bottleneck • Reserve publishing control
Benefits: • Faster completion • Different perspectives • Personal development
Challenges: • Motivate contributors • Different writing styles • Similar to writing your own evaluation
Notes: • Good project in down-time

Control issuing authority – Control who has the authority to issue certain content types
Define: • Restrict publishing authority to management • Balance empowerment with control
Benefits: • Improve efficiency while maintaining control • Documentation of review provides an audit trail
Challenges: • Empowerment requires periodic audit

Organize logically – Organize content in a logical way
Define: • Organize by context • Avoid organizing alphabetically, by issue date, or by document number
Benefits: • Improves employee understanding • Better able to lead employees to related content • Easier to identify gaps
Challenges: • More difficult than other methods

Provide central access – Provide a central place to access all content
Define: • One central place – online or manual
Benefits: • Reduces risk of employees reading old content
Challenges: • Without technology, maintaining a central location can be time consuming
Notes: • Significant risk can exist

Communicate updates timely – Communicate new content and updates as they occur
Define: • Timely communication of each change or addition
Benefits: • The right infrastructure provides faster implementation of business decisions • Reduces repetitive questions
Challenges: • Requires communication diligence • Requires communication infrastructure

Document and test compliance – Document and test employees' review of and compliance with policies
Define: • Require employee sign-off on policies and procedures • Use documentation as an audit trail
Benefits: • Improve control structure • Address Sarbanes-Oxley • Improve external audit efficiency
Challenges: • Determine a cost-effective balance between self-audit and internal audit

Encourage feedback – Provide a feedback mechanism for employee questions and comments
Define: • Provide a method for asking questions
Benefits: • Continuous policy improvement • Improved employee morale
Challenges: • Managing the feedback process • Encouraging employee comments
Notes: • Best source of improvements / innovation

Force periodic review – Force periodic review and update of all content by their respective managers
Define: • Treat content review like cycle counting inventory
Benefits: • Address the biggest risk – that policies become outdated
Challenges: • The right way to force periodic review by managers • Infrastructure to manage revisions
Notes: • Combine the right infrastructure with the "stick" (vs. the carrot)

Document changes – Track all content changes: when, why, and by whom
Define: • Comprehensive documentation of changes • Control over prior revisions
Benefits: • Audit trail eliminates confusion • Powerful control when combined with the right "culture"
Challenges: • Requires diligence in documentation • Basic infrastructure needed
Knowledge Management Obstacles
• Not sure how to tackle such a big project
• Missing the infrastructure necessary to effectively manage the policies and procedures
• The business has succeeded to date in spite of its internal controls – in spite of a lack of documented policies and procedures
• High employee turnover results in a project with no champion
• Other priorities and lack of time or resources
• Negative content cycle:
  • Management doesn't update policies because nobody reads them
  • Nobody reads policies because they are outdated and irrelevant

Lessons Learned from the Past 2 Years:
• Content management is more than a smart idea
• Business knowledge is related to all regulations (current and future)
• Advertise! What is the tone at the top?
• It takes a village to create content
• Work smart – use technology
• Use the right tool for the job

Lessons Learned from the Past 2 Years – Indicators that internal communication has improved:
• Building relationships
• Sense of community
• Opportunities created for networking and sharing of best practices
• Trust fostered
• Participation encouraged from all staff
• Immediate feedback provided
• Everyone gets the same message at the same time
• Common understanding facilitated
• Team building encouraged
• Informed decisions enhanced through information sharing
• Achievements and contributions are celebrated and recognized
• Performance improved
• Improvements in efficiency and effectiveness of operations
• Face-to-face and two-way communications are emphasized
• Staff are empowered
• Learning and development opportunities created

How to Build Momentum, by Bob Frelinger, Sun Microsystems
• Get the word out in a meaningful way
• Demonstrate the linkage between CobiT and the process refinement methodologies adopted
• Consult with process owners to map their efforts to CobiT so that a common language is used
• Use the IT Infrastructure Library to deliver the "how"

Conclusions and Wrap-Up
• Content management is a verb, not a noun
• Enterprise content management is a strategy, not a product
• Always evaluate risk
• A change in culture is often necessary: from "We" to "I"
• Involve everyone in the process
• Self-assessment approach for the long term (and for cost savings)
• Management commitment at all levels is critical
• Standardize when possible
• Technology facilitates more widespread and effective communication
• E-mail is not enough