Improving Compliance Activities Through Technology
Session 203: Monday March 2, 2009 1:00-2:30
SCCE’s Utilities & Energy Compliance & Ethics Conference
Panelists:
Mike Milton, Director, GRC Solutions, MetricStream
Gary M. Fingerhut, Sr. VP and Co-Founder, Axentis
Chris von der Lieth, VP of Sales, BWise
Moderator: Judy Pokorny, Director, Huron Consulting
Session Title: 203 Improving Compliance Activities Through Technology
The companies our panelists represent are leaders in GRC technology: Forrester’s Wave Report
GRC Technology Solutions
Provide the tool to tie together the critical elements of Compliance Management, ERM, Internal Audit, SOX, Process Improvement and IT
Compliance Activities Can Be Improved Through Technology
• Change Management Process
  – Frequently Changing Regulations
  – Increased Technical Complexity
  – Multiple Jurisdictions
• Increasing Employee Awareness
  – Visibility into Remote Locations
  – Training Program Management
• Data Management
  – Managing the Increased Documentation Requirements
  – Improving Data Accuracy, Protection and Security
  – Multiple Databases and Version Control
  – Timely Response to Auditors
• Reporting
  – Automation of Regular Reports
  – Greater Sorting and Integration Capability
  – Consistency Between Operating Units
  – Integration with ERM and Corporate Performance Management
Planning your Enterprise GRC Roadmap
March 02, 2009
Gaurav Kapoor – CFO and General Manager
MetricStream
Global Governance, Risk & Compliance Solutions Delivered Through Content, Software & Services
GRC Wave Leaders Quadrant
GRC Magic Quadrant Leader – Highest score, completeness of vision
MetricStream Governance, Risk, Compliance & Quality Management
Figure labels: Ethics, Governance, Risk, Compliance, Alerts, Training, Quality
Enterprise GRC – Broad Scope
• Internal Audit Management
• Risk Management
• Compliance Management
• Internal Audit
• Policy Management
• Document Creation & Management
• Contract Management
• Stock Option Tracking
• Code of Conduct
• Corporate Social Responsibility
• Case Management
• Operational Risk Management
• Loss Management
• KRI Tracking
• Risk/Control Matrix
• IT-GRC
• Issues Management
• Surveys/Certifications
• Regulatory Compliance (e.g., AML, FCPA)
• Federated Compliance Dashboard
• Filings
• Non-Compliance Alerts
• Notification of Changes to Laws & Regulations
• Automated email Distribution of Compliance Information
• e-Learning
• Employee certification
• Training content
• Integration with Compliance-online.com
• Branch audits
• Supplier Quality Management
• ISO Certification
• Environmental Health & Safety
• Change Management
MetricStream Solution Footprint
Goal: Automate Enterprise GRC Processes
Map Policies, Risks, Requirements
Executive Visibility
Regulatory / Documentation
Compliance Assessment
Internal Audit & Approvals
Alerts & Reports
Gap Remediation/CAPA Issues Management
100’s of Regulators – 1000’s of Regulations
• Air Resources Board, Local Air Pollution Control District, Water Resources Board, Department of Toxic Substance Control
• Air Emissions Management
• California Highway Patrol
• California Public Utilities Commission (CPUC) Decisions
• Code of Federal and State Regulations (Building code, fire code/State Fire Marshall, Americans with Disability Act)
• Code of Federal Regulations (CFR)
• Department of Energy
• Department of Fair Employment and Housing
• Department of Forestry
• Department of Justice (DOJ)
• Department of Motor Vehicles
• Department of Transportation (DOT)
• Equal Employment Opportunity Commission (EEO)
• Federal and State Environmental Protection Agency (EPA)
• Federal and State Occupation Safety Health Administration (OSHA)
• Federal Energy Regulatory Commission (FERC)
• Federal Homeland Security
• Federal Sentencing Guidelines (FSG)
• Federal, State, City and County Legislation
• Financial Accounting Standards Board
• Local Air Quality Management Districts, e.g., Sacramento Metro. Air Quality Management District
• Local Fire Districts
• Local Sewer Districts
• National Fire Protection Association
• National Labor Relations Board
• Office of Federal Contract Compliance
• Public Utilities Code (PU Code)
• Securities and Exchange Commission (SEC), e.g., Sarbanes Oxley Legislation
• State Attorney General
• State Board of Equalization
• State Bureau of Automotive Repair (part of CHP)
• State Energy Commissions (CEC)
• State Office of Emergency Services
• Water Quality Control Boards
Enterprise GRC – Many Stakeholders
Chief Compliance Officer
Chief Information Officer
Chief Financial Officer
• Company-wide financial compliance
• Sarbanes Oxley Certification
• Financial integrity
• Information integrity
• Systems integrity
• Data security
• Compliance to industry regulations
• Compliance with government regulations (e.g., Anti-Money Laundering, Foreign Corrupt Practices Act)
• Implementation and management of company compliance architecture
• Executive sponsor for overall company compliance processes
• Co-certify Sarbanes Oxley Compliance
• Ensure compliance with government regulations
Chief HR Officer
• Compliance with HR policies and procedures
• Compliance with government health and safety regulations
• Certification training
Chief Quality Officer
Chief Risk Officer
• Enterprise Risk Management (Financial & Operational)
• External Risk Management
• Compliance with quality standards
• ISO, 6 sigma
• Industry quality standards like TS, ISO 13485, etc.
Chief Legal Officer
• Code of Ethics
• Options Management
• Corporate Governance
Chief Executive Officer / Board of Directors
• Oversee GRC processes
• Set compliance tone for the company
Internal Audit
Enterprise GRC – Growing Maturity
Source: Deloitte
GRC Maturity Model:
• Regulatory Maturity—New regulations & updates
• Best Practice Maturity—Industry best practice develops over time
• Organizational Maturity—Organizational commitment is required
• GRC Implementation Maturity—From unmanaged risks to automated management
Start with a Roadmap of Your Requirements
Use a Solutions Framework
Framework components: Issues Management / Remediation; Compliance Management (e.g., SOX, Reg. Compl.); Internal Audit Management; Policy & Document Mgmt.; Enterprise Risk Management; Dashboards & Reporting
• Manage Control Hierarchy
• Controls testing
• Remediation
• 302 Certification
• Other Compliance Reporting
• Enterprise Risk Assessment
• Define audit universe
• Closed Loop Issues Management
• Federated Compliance Reporting
• Work Program Library
• Electronic Workpapers
• Scheduling
• Remediation
• Reporting
• Resource Management
• Email Integration
• Document Interoperability
Acquire Functional Framework & Content
Enterprise Compliance Platform: Compliance, Audits, Training, Documents, Risk, Change, CAPA/Issues, Submissions
Platform services: Workflows, Alerts/Notifications, Security, Forms, Reports/Dashboards/Analytics, Offline Briefcase
Professional Services: Business Process Consulting, Advisory Services
ComplianceOnline.com: Training, Best Practices, Experts, Community
Best Practices: Industry Specific, Function Specific, Integration
Content: Access Control Management, Change Control Management, Document Management, Internal Audit Management, Security Management, Risk Management, Incident Management, Disaster Recovery Planning, Training Management, Vulnerability Management, Vendor Management
Stay Informed: Compliance Online Portal
Community consensus, best practice, training courses, and compliance updates are important to maintaining a strong Enterprise GRC solution.
ComplianceOnline.com is the largest portal for compliance community wisdom.
Executive Visibility & Program Management
Task Assignments
Issue Status and Progress Tracking
Enterprise GRC Benefits
Source: Lord & Benoit, 2006
Chart: share-price performance of companies complying with SOX rules (28%, 26%, 6%), by category: no control weaknesses in 2004-05; control weakness in 2004, but none in 2005; reported control weakness 2004-05.
Source: University of Wisconsin, 2006
Price of control deficiency for a $1 billion company: $10 million in higher cost of equity capital.
Source: General Counsel Roundtable, 2006
Savings on legal liability avoidance from GRC investment: Spending on Compliance $1; Savings on Lower Legal Liability $5.
Chart: cost of GRC against number of GRC projects for an ad hoc approach and a platform approach, labelled with the opportunity cost of siloed GRC and resources for innovation.
One Remediation Place for the Enterprise
Common data set for managing Issues & Actions, shared by Risk Management, Compliance Management, Audit Management and Third Party Solutions.
• Monitoring Issues & Actions
• Root Cause analysis
• Track Issues to closure
Data elements in the figure: Risk, Control, Schedule, Regulations, Process, Rules, Planning, Work-Papers, Findings, Projects, Technical, Business
Thank You
Why implement a comprehensive GRC solution, and applying 5 Quick Wins for more effective reliability and regulatory compliance
Gary M. Fingerhut, SVP & Co-Founder
© 2009 AXENTIS Inc. • All Information Private and Confidential
Automating the Seven Elements of Effective Compliance
Alignment with the critical components according to U.S. Sentencing Guidelines
Standards and Regulatory Process Activities
• Monitor changes in laws, rules and regulations and analyze applicability
• Track and organize laws, rules, regulations and map key risks
• Distribute and manage impact assessments to key stakeholders
• Develop and manage action plans to address requirements
• Assess completeness and adequacy of procedures and controls
• Communicate procedural expectations/standards to internal and external constituencies
• Provide support mechanisms to help people make decisions as needed
• Monitor and audit performance: policies, procedures, standards, controls
• Collect and uncover issues and remediate as needed
Supports the USSC 7 Elements of an Effective Compliance and Ethics Program
What technologies are used for managing your legal and regulatory requirements?
A. Spreadsheet(s) and/or department level database(s) (largely manual)
B. Enterprise solution
C. Don’t know
Quick Win 1: Track Changing Requirements
Current State
• Multiple spreadsheets and databases
• Inconsistent data collection habits
• Difficult to manage updates
• Difficult to manage user access
• Difficult to know what actions were taken or get an enterprise status
Target State
• Centrally organized information
• Consistent collection of information
• Controlled distributed access
• Support for different organization schemes
• Accurate status and audit trail of actions taken
Process activities addressed: Monitor changes in laws, rules and regulations and analyze applicability; Track and organize laws, rules, regulations and map key risks
Is your enterprise consistent in assessing and organizing business impacts of legal and regulatory change?
A. Not consistent
B. Somewhat consistent
C. Largely consistent
Quick Win 2: Automate Impact Assessments
Current State
• Difficult to consistently communicate with correct stakeholders
• Manual follow up to incomplete/ missing responses
• Difficult to aggregate responses and identify real risks
• Difficult to produce accurate high-level status
Target State
• Automated stakeholder notifications and reminders
• Consistent stakeholder distribution and tracking of assessments
• Rapid identification of high-risk gaps
• Single view of assessment responses and business area impacts
Process activities addressed: Distribute and manage impact assessments to key stakeholders; Develop and manage action plans to address requirements; Assess completeness and adequacy of procedures and controls
How do you track follow-up action plans that address changing legal and regulatory requirements?
A. Largely a manual process
B. Change or issue management solution
C. Integrated solution – inventory, assessment, action plans
Quick Win 3: Automate Action Plans
Current State
• Manual tracking of assignments, due dates, responsibilities, tasks to be performed, etc.
• Lack of enterprise visibility
• Time consuming follow-up and task management
• Current statuses are difficult to produce
Target State
• Single secured system with automated tracking
• Responsibilities and activities are tracked
• Current status is always available
• Multiple views of issues and plans
Process activities addressed: Distribute and manage impact assessments to key stakeholders; Develop and manage action plans to address requirements; Assess completeness and adequacy of procedures and controls
How do you communicate policy and procedure changes, and track that they are received, according to applicability?
A. Largely a manual process
B. Automated in some areas and some mandates
C. Integrated solution – automated role management, assignment notifications and attestation tracking
Quick Win 4: Automate Compliance Communication, Training and Attestation
Target State
• Automated, consistent notification and distribution of training and e-learning
• Defined and rules-based communication
• Current policies, procedures accessible
• Inclusion of third parties and contingent workers
• Evidence of enterprise training program
Current State
• Manual (hard copy, email) distribution, document repositories, etc.
• Inconsistent by area (language, format, etc.)
• Inaccurate/unavailable record of attestations
• Error prone and time consuming
Process activities addressed: Communicate procedural expectations/standards to internal and external constituencies; Provide support mechanisms to help people make decisions as needed
Quick Win 5: Uniform Documentation of Policies & Procedures
Target State
• Central, controlled management
• Consistent format and structure
• Reduce time to find relevant information
• Relate policies, procedures, standards, etc.
• Pinpoint relevance to business units and functions
• Version controlled
Current State
• Multiple document locations
• Inconsistent formats and language/terms
• Difficult to locate current information
• Inability to relate policies with procedures
• Difficult to make role based
Process activities addressed: Communicate procedural expectations/standards to internal and external constituencies; Provide support mechanisms to help people make decisions as needed
GRC Applications Will Enable…
• Quick Win 1: Track Changing Requirements
• Quick Win 2: Automate Impact Assessments
• Quick Win 3: Automate Action Plans
• Quick Win 4: Automate Compliance Communication, Training and Attestation
• Quick Win 5: Uniform Documentation of Policies & Procedures
Contact
Gary M. Fingerhut
SVP & Co-Founder
AXENTIS
P +1.216.896.8356
Building a Business Case and ROI
Chris von der Lieth, Vice President of Sales
March 2nd, 2009
Offices and Customers
• Company founded in 1994
• More than 300,000 users
• More than 500 customers
• In 80+ countries worldwide
• Global Implementation Professionals
• Utility, Oil, & Gas Industry Experience: Marathon Oil, Husky Energy, ONEOK, Southern Company
What’s Happening?
Ordnance Survey: Regulatory compliance
The regulatory environment for Utilities is incredibly complex. Regulations differ between sectors and as a result Utilities must comply with different sets of rules. Multinational Utilities must also comply with a variety of regulations imposed by different countries around the world.
Oil Trades Near $110 on U.S. Pipeline Leak, Mexico Shuts Ports
By Nesa Subrahmaniyan
April 14 (Bloomberg) — Crude oil traded near $110 a barrel in New York as repairs to fix a pipeline crack cut supplies of more than 1 million barrels a day from the Gulf of Mexico to the U.S. Midwest.
Fraud Costs Bank $7.1 Billion
By NICOLA CLARK and DAVID JOLLY. Published: January 25, 2008
PARIS — Société Générale, one of the largest banks in Europe, was thrown into turmoil Thursday after it disclosed that a rogue employee executed a series of “elaborate, fictitious transactions” that cost the bank more than $7 billion, the biggest loss ever recorded by a single trader.
The Enron scandal was a financial scandal involving Enron Corporation (former NYSE ticker symbol: ENE) and its accounting firm Arthur Andersen, that was revealed in late 2001.
In addition, the scandal caused the dissolution of Arthur Andersen, which at the time was one of the five largest accounting firms in the world.
Figure labels: Supplier risk; Risks in processes; Risks with employees; New regulations
Bnet: As one risk manager at an energy/utility company charges, his sector perhaps uses group mutuals and captives better than any other industry out there. Yet all of that cooperation still did not protect them from the aftermath of the 2005 hurricane season, nor the upcoming storms.
Operational risks
Oil Prices Surpass $123 Per Barrel, 08-05-2008
Oil prices reach new record highs. Oil prices continue their ongoing climb, as crude futures set a new record crossing USD 123 a barrel on the New York Mercantile Exchange. Many experts believe that an approaching US recession and the falling dollar are driving the high demand for the energy source. Source: Presstv
Economy risks
Governance, Risk and Compliance
GRC is the sum of Governance, Risk and Compliance.
You have to get in control on enterprise risks, such as: financial & reporting risks, regulatory risks, operational risks, fraud.
Figure labels: Credit Rating Agencies; Regulations; Banks & investment community
And also: reduce costs of GRC, improve performance, integrate different frameworks, improve the quality of controls, improve risk analysis.
The Challenge
Solutions to Stay in Balance
Enable your organization to:
• Reduce costs of GRC, both after the initial project and over time
• More control with fewer controls
• Integrate all GRC initiatives and frameworks
• Increase business performance
• Improve competitive advantage
Savings on business processes
Companies have:
• 10–80% savings on business processes because of process optimization
$ Impact
Reduced Cost of Capital
Risk Management may improve credit ratings significantly. Have you quantified how much that may save your company?
Improved efficiency
Companies have reduced:
• Their number of key controls by 20%-40%. Control testing costs $500 every time a control is tested.
• Their number of key risks by 20%-40%. With an average of 4 controls per key risk, this reduced the number of key controls to be tested.
• Their costs by 8M annually by standardizing and improving business processes.
Reduced cost on audit
Companies have:
• Saved 25%-70% of their external audit costs as a result of evidence collecting, quality improvements of the internal audit department and faster and better insights.
Reduced cost on insurance
Companies have:
• Reported saving 25% on directors and officers insurance policy.
Challenge: Try to calculate how much that would save your company.
Convergence Benefits
Chart: dollars (0 to 25,000,000) against number of regulations (1 to 10); series: Convergence Benefit, Today, BWise.
Organizations on average have to comply with 70 different regulations. Regulations have an estimated 40% overlap in controls. (Return on Compliance, December 2006)
“Companies that choose one-off solutions to each regulatory challenge they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach.” (Corporate Governance Spending Disrupts Software Purchases, November 2004)
KRI Dashboards
Questions?
Chris von der Lieth
Vice President of Sales
BWise, Inc.
1450 Broadway, 38th Floor
New York, NY 10018
Phone: 212-584-2261
Cell: 917-370-5979
E-mail: [email protected]
www.bwise.com