Internal Controls and Monitoring 28 9-2015
Jose Manuel Garcelan 1
COMPLIANCE PROGRAM
Madrid, 27 April 2015
How to Conduct a Comprehensive Compliance Risk Assessment and Build an Effective Compliance Program
Bio Introduction
An experienced Ethics & Compliance Director, supported by a wide background occupying positions of increasing responsibility in Compliance, Ethics, Privacy and Finance and in other functions in Internal Control and optimization of resources. Experience in successful implementation and management of robust integrated customized compliance programs across various countries.
Jose Manuel Garcelan
es.linkedin.com/in/JoseManuelGarcelan
Education
2004 MBA Executive Master in Pharma business, MADRID, SPAIN. EPHOS-Escuela Superior de Estudios Farmacéuticos
1991-1993 Degree in ECONOMICS, Specialty in Finance, MADRID, SPAIN. Universidad Complutense de Madrid
1987-1990 Graduate in BUSINESS ADMINISTRATION, Specialty: Marketing, MADRID, SPAIN. Escuela Univ. de Estudios Empresariales Complutense
LANGUAGES
Spanish – Mother Tongue. Fluent in ENGLISH and basic knowledge of French.
FURTHER LEGAL TRAINING
• 2015 Legal-Compliance Post-grade - Universidad Carlos III De Madrid
• 2010 Healthcare Compliance Ethics & Regulation Certification - Seton Hall Law/ Sciencespo Paris, FRANCE
• 2013 Certified Information Privacy Professional/Europe - (Cipp/E) International Association
Professional Experience
APRIL 2015-PRESENT COMPLIANCE CONSULTANCY
2009-2015 MERCK SHARP & DOHME: Chief Compliance & Privacy Officer Director, Spain and Portugal
1996-2009 SCHERING-PLOUGH
• 2006-2009 Compliance & Business Practices Director
• 2001-2005 Accounting, Internal Audit And Tax Assoc. Director
• 1996-2000 Controlling And Reporting Finance Manager
1995-1996 QUESERÍAS BEL ESPAÑA: Administration Manager
1990-1995 SWATCH: Finance Manager
1986-1990 ZAMBELETTI ESPAÑA: Finance Senior Analyst
AGENDA
MONITORING, EVALUATING, REPORTING & AUDITING
• Defense lines and Risk Concept
• How to trace payments through Monitoring
• Working with finance, internal audit and accounting departments in Compliance
• Reporting
• Auditing
• Reporting findings to compliance officers, audit committees and legal counsel
• How to implement controls to prevent improper payments and fraud
WHISTLEBLOWING, INVESTIGATIONS & REMEDIATION, DISCIPLINE & RESPONSE
• Why you need a whistleblowing program and how to make it work in Spain
• Data Protection: the new face of privacy compliance
• Employees facing corruption: aligning anti-corruption measures to the influencing factors of decision-making
MONITORING, EVALUATING, REPORTING & AUDITING
[Diagram labels: Strategy, Risk, Processes, Procedures, Control, Evidence, Policies]
Monitoring
The CMS must be monitored to ensure its adequate performance. This monitoring must be continuous.
Compliance monitoring is the process by which information indicative of the effectiveness of the CMS and its performance is obtained. It includes, among other things:
1. Effectiveness of training.
2. Effectiveness of controls, through sampling.
3. Effectiveness of the assignment of Compliance responsibilities.
4. Effectiveness in correcting nonconformities and noncompliances, etc.
Methods for gathering information
There are many methods for obtaining information useful for assessing the performance of the CMS and the culture of compliance, among them:
- Periodic reports prepared in response to noncompliances.
- Information obtained through communication and/or whistleblowing channels.
- Information obtained from compliance barometers and DD.
- Information obtained from control systems and data analytics.
- etc.
Analysis and classification of information
Effective classification and management of information is essential. The CMS must incorporate a system for classifying information by, for example, its origin, department, description of the noncompliance, indicators, etc.
Well-managed information makes it possible to analyze the root causes of noncompliances and to detect recurring problems.
Development of indicators
Indicators are needed that make it possible to know whether compliance objectives have been achieved and thus to quantify the organization's Compliance performance. These indicators are important for evidencing the effectiveness of the CMS. They may include, among other things:
Active indicators
- Percentages and frequency of training.
- Level of use of feedback mechanisms (communication/whistleblowing channels), etc.
Reactive indicators
- Noncompliances detected and their consequences, as well as corrective actions, etc.
Predictive indicators
- Noncompliance trends, new compliance risks, etc.
My Expertise and Specialty: Compliance Analytics
"The bar is raised": Compliance Monitoring now requires big data analytics
Russia Business Analytics Observations - October 2012
Data Range: January 2012 - June 2012
Columns: Area, Observations, Management Actions, Owner, Due Date

Government Intermediaries
Observations:
1. Not clear if list of 51 government intermediaries is complete (customs agents, meeting logistics agencies)
2. Unclear if the right people are on the list.
Management Actions:
1. Edit the customer master file and include an indicator if customer is gvt intermediary or not in SAP (Owner: Dmitry & Marina De Rosa)
2. Reconfirm the accuracy and completeness of list - ensure only the gvt intermediaries that need to be on the list are & provide dialogue to management on why certain items are on the list or not. (Owner: Nicolai)

Training Completion
Observations:
1. Significant percentage of colleagues in Russia that have NOT taken training: FCPA: 35% (324 colleagues incomplete); FYEO: 48% (444 colleagues incomplete); Privacy: 54% (505 colleagues incomplete); OVS: 90% (836 due by 10/31)
Management Actions:
1. Focus on getting FCPA training complete in October.

Audit Commitments
Observations:
1. Two open audit commitments due in Sep (Diethard) (6/29/2012 - "Distributor Margins for Tender Business" and 2/27/2012 - "Travel & Entertainment")
2. One open audit commitment due in Dec from 2/27/2012 - "Meetings with HCPS" (Owner: Marina De Rosa; Due Date: Dec-12)
Management Actions:
1. Close open audit items from September (Owner: Diethard)

Employees
Observations:
1. Turnover rate is steadily around 22%; no significant increase or decrease in the past 12 months
2. 13 out of 99 procedures do not have any dates (no creation/last update)
3. 31 out of 99 procedures were last updated 2-3 years ago.

Distributor
Observations:
1. 5 out of 14 distributors have inconsistent gross to net percentage. Typical = 7%, range of 5 outliers are 16% - 37%
2. One distributor has negative sales
3. 13 out of 60 products (22%) have inconsistencies in distributor bonus, composing 10.5% of total sales (42 track consistently, 5 only have 1 distributor)
Management Actions:
1. Investigate root cause
2. Investigate root cause
3. Investigate the 13 products and determine root cause for deviation from typical bonus

T&E
Observations:
1. 12% of employees on average exceed the 8000p limit per month
2. 351000p reimbursed above June limit
3. Fourth highest risk score, is the 2nd biggest spender
4. 15 people have over 20 rounded (to the nearest 500p) transactions in over 6 months (doesn't include per diem)
5. 50% of spend is made up of mini meetings and gasoline (51Mp)

Grants
Observations:
1. Total dollars in grants: 8.1Mp (250K USD) across 25 entities. Not clear if transactions went through company's donations committee.
Management Actions:
1. Confirm with the minutes of the donation committee that all transactions went through the committee

HCP
Observations:
1. Unclear if data is accurate
Management Actions:
1. Get new set of data, and upload to Spotfire. Re-assess how many HCPs are over the limit.
2. Use payroll to verify aggregate number

Meetings
Observations:
1. Not able to clearly monitor total spend by meeting or expense type: Inconsistent recording of expenses across meeting types & expense types
2. Not all meetings are Planned into SAP: Manual Aggregate Spend Includes Estimates
Management Actions:
1. Need launch of new meeting management system
2. Edit accounts in SAP. Determine timing if October or Jan 1.

[Other labels on the slide: Dashboard; Action Items; 1. Investigate root cause]
CORRECT
DETECT
PREVENT
Analysis
RECOGNITION; BEST SELF-STARTER
I have created a new Spotfire model to be able to manage: prevention, detection and correction of Compliance Risks in the Organization
Compliance Dashboard Design
• Sales Activities: Gross to Net Sales & Trend Sales by Products/Customers Discounts Free Goods Credit Notes/Returns Payments to Sales Customers Distributor Interactions (Tenders) Government Intermediaries (Distributors)
• HCP/AHCP Interactions: Fees for Services Sponsorships T&E Samples
• Disbursements: Grants, Donations and Charitable Contributions All Other third party Payments Government Intermediaries (Other)
• Compliance Activities: Training Audit Remediation Promotional Materials Employee Patient Programs Product Safety Request
Each risk and domain are evaluated per market for relevancy and data availability.
Local markets may choose to add additional monitoring elements based on market needs.
Data / Risk Prioritization Model
Residual Risk | Data Not Currently Available | Data Available with Effort | Data Readily Available
High | Work towards Obtaining Data | Dashboard Candidates | Dashboard Candidates
Medium | Candidate When Available | Candidate When Available | Dashboard Candidate
Low | Not Included in Dashboard | Not Included in Dashboard | Not Included in Dashboard
Examples of Signals (I): Sales Activities
PERCENTAGE OF DISCOUNT BY CUSTOMER: Are any customers getting discounts above the limits set by commercial policy, or above those of similar customers? Ensure that customers are aligned to the type of discounts allowed.
FREE GOODS: If the expectation is no free goods, check whether any products/distributors are getting a discount of 100%. If any are, ensure we have controls in place to handle free goods.
[Chart labels: Outliers, High Discounts, 100% Discounts]
Examples of Signals (II): Disbursements & Compliance Activities
PAYMENTS: View actual payments to vendors for unusual activity such as travel expenses paid via PO, vendors over authorization limits, or high payments to HCPs or customers.
THIRD PARTY INTERMEDIARIES: Identify where third parties have not followed the proper approval process, documentation is missing, or contracts are invalid.
[Chart labels: Authorization Limit, Outliers, Non Valid Contracts]
Compliance reporting
The governing body, top management and the management team must be kept informed of the organization's Compliance performance, including any relevant noncompliances that have occurred. This entails including different reporting mechanisms, which may provide for their receipt and signature.
Reporting will cover, for example:
- Matters that must be reported to the regulator.
- Noncompliances that have occurred and their consequences.
- Corrective actions taken.
- Audit results, etc.
Actions on nonconformities and noncompliances
When a nonconformity or noncompliance is detected, action must be taken to correct it and to manage its consequences.
The root cause of the nonconformity or noncompliance will be assessed in order to develop appropriate actions, and the effectiveness of the corrective actions will be verified (correcting procedures and/or controls, changing the training, early warning when there is evidence, improving escalation mechanisms, etc.).
Record keeping
Adequate records of Compliance activities must be kept so that they can be monitored or audited. They will be protected by the appropriate security measures.
AUDIT
The organization will carry out audits at scheduled intervals (planned audit). The audit will verify that the criteria of the standard are being followed and that the CMS is being properly executed.
The audit must be conducted in a way that guarantees objectivity and impartiality.
Continuous improvement
All Compliance information obtained and managed must be used to identify opportunities for improvement and to adopt actions aimed at continuously improving the CMS.
WHISTLEBLOWING
INVESTIGATIONS & REMEDIATION
DISCIPLINE & RESPONSE
Why you need a whistleblowing program and how to make it work in Spain
3/1000
Some Tips
The greatest protection against corruption is an effective compliance program.