Winding Down From Compliance Week

My head is full of compliance goodness after spending 2.5 days at Compliance Week 2010. The Mayflower Hotel is a great place for a conference this size, with plenty of places to run into people.

Substance

The agenda was full of substantive information from fellow compliance professionals. There were sessions on metrics, social media, corporate governance, ROI, organizational structures and communications. There were also many closed-door sessions that have not made their way into the blog, where compliance professionals could have more open discussions without media or vendors present.

On top of that, we heard some great perspectives from top government officials, like Lanny Breuer, Gary Grindler, Shelley Parratt, Barney Frank and Luis Aguilar.

Of course the best part of any conference is being able to interact with your peers. This was a great gathering of people in the compliance field.

Matt Kelly, Francine McKenna and Me

Old Friends

For me, it was great to once again spend time face-to-face with old friends like Scott Cohen, Matt Kelly, Bruce Carton, Francine McKenna, Melissa Klein Aguilar, Bill Piwonka, Carole Switzer, Kathleen Edmond, and Scott Giordano.

New Friends

One of the great things about having a blog, or micro-blogging on Twitter, is being able to get in touch with people before meeting them in person and then staying in touch with them afterwards.

Here are some of the Twitterati I was finally able to meet face-to-face:

  • Tom Fox – @tfoxlaw – http://tfoxlaw.com
  • David Seide – @davidSeide
  • Scott Mitchell – @mitchell360
  • Doug Jacobson – @tradelawnews
  • Doug Chia – @dougchia

Of course, I met more people who don’t blog or use Twitter. It’s just harder to keep those weak ties.

Behind the Scenes

Gina Imperato, Elizabeth Busch, Anne Frey-Mott, Beckie Jankiewicz and the rest of the Event Studio team did a great job of running the conference, getting the attendees where they needed to go and making the speakers look good.

Next year

…..

The 2010 OCEG GRC Achievement Awards Presentation

The Open Compliance and Ethics Group recognized the great strides that many organizations have made in improving and integrating their approaches to governance, risk management, and compliance.

The winners were:

  • Best Buy – Ethics blog for employees
  • Capital One – GRC implementation
  • Carnival Corporation – Integrated approach to GRC Management
  • DirecTV – Embedding spreadsheet governance into everyday business
  • Tawuniya – Performance management through GRC
  • Visa – Global ERM Program & Roadmap

Carole Switzer announced the Peer Choice award winner, chosen by the Compliance Week attendees.

And the winner is . . . .

Visa!

UPDATE:

Self-Assessments: Criteria and Procedures for Evaluating GRC Programs


My notes, live, from Self-Assessments: Criteria and Procedures for Evaluating GRC Programs, with Gracie Fisher Renbarger, Chief Ethics and Compliance Officer of Dell; Nan Stout, Vice President Business Ethics of Staples; and Carole Stern Switzer, President of OCEG.

Carole started off with two observations:

  • Designing, implementing, and improving a governance, risk management and compliance (GRC) system is a time and resource-intensive proposition.
  • Periodically evaluating the design and operation of the system is essential to demonstrate that the organization’s GRC initiatives are delivering outcomes that really matter.

Carole pointed out that GRC is more than governance, risk and compliance, but a 13-letter acronym would be really awkward.

She turned to design effectiveness. “Given our objectives and all of the risks and requirements related to these objectives, do we have controls, incentives and other structures in place that will provide reasonable assurance that we will meet these objectives?” You can also set less ambitious goals for your evaluation:

  • I’d like a “gut check” on how my hotline is designed
  • I’d like a high-level assessment of whether our risk identification has captured all of the right risks and requirements compared with my peers

Or more ambitious goals:

  • Is this compliance program deemed “effective” by an enforcement agency or external monitor?

How do you evaluate effectiveness? Start by determining what to evaluate and the scope of the risk assessment. One difficulty is that effectiveness is defined by a negative: it is hard to prove that something did not happen because of the program.

You want to ask:

  • Do we have SOMETHING in place?
  • Do we have ENOUGH in place?
  • Do we have TOO MUCH in place?

The next step is to design for performance. You want to be effective, but you also want to be efficient and responsive. “There’s no point in measuring something you can’t fix.”

Carole used a standard for performance called SMART:

  • Specific/simple
  • Measurable
  • Actionable
  • Relevant
  • Timely

Not having data available is a challenge in some organizations. You need to measure perception and compare it to facts. You can say that you have a non-retaliation policy. But that does not do any good if people perceive that they will be fired for reporting a problem.

Next up was Nan, talking about Staples’ beta test of OCEG’s Burgundy Book. She thought it was important to give employees multiple ways to report problems, but wanted to store all of that information in one place.

Gracie shared her experiences with the OCEG certification at Dell. The objective of Dell’s FCPA Compliance Program is to be “Effective” and “Aligned.” “Effective” means the program meets the US Federal Sentencing Guidelines’ definition of an effective compliance program. “Aligned” means the program’s activities address actual risks and are aligned to Dell’s business objectives.

The following Elements are assessed:

Culture:

  • Processes established to monitor and address cultural indicators to ensure the program is operating in a culture of integrity (e.g., employee surveys, compliance training tracking)
  • Defined program goals and objectives that align to organizational objectives and strategic business initiatives (e.g., supporting Dell’s profit and business goals related to “emerging market” expansion)

Organize & Oversee:

  • Defined roles and responsibilities for program oversight, assurance and day-to-day management (e.g., AC, GECC, Ethics & Compliance Office)

Assess & Align:

  • Process for identifying and assessing FCPA risk (e.g., identifying whether the company operates in countries with a high level of perceived corruption)
  • Plan to deploy program initiatives in response to risk assessment results (e.g., education rollout in China)

Prevent & Promote:

  • Existence of a Code of Conduct and FCPA Compliance Policy
  • Process for policy development (e.g., executive management approval)
  • Process for deployment of policy (e.g., website repository and blog communication)
  • Education plan (e.g., maximum, heightened, general awareness)

Detect & Discern:

  • Intake and investigations (e.g., employee reporting, investigation process)

Respond & Resolve:

  • Infrastructure for intake, investigation and resolution of incidents (e.g., staffing, case management system)
  • Remediation (e.g., discipline, recommended preventive controls)

Monitor & Measure:

  • Monitoring feedback and striving for continuous improvement of the program (e.g., feedback to Ethics Managers and a formal employee inquiry/response process)

Inform & Integrate:

  • Process for communicating the program (e.g., blog, cascaded communications)

A question from the audience: Can you measure the change in culture? It is hard. You need to always look for indicators. Some are leading indicators and some are trailing indicators. One goal of GRC is to pull as much information as possible into one place so those indicators can be seen together.

The emphasis of the session was not to advocate a specific framework, but the importance of having a process.

A key to modifying behavior is to make non-compliance more painful than compliance. But you want more than a fear of being caught. You want your employees to strive for better behavior.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Business Risk Intelligence

These are my notes from the OCEG webinar: Business Risk Intelligence.

  • Carole Stern Switzer, President of OCEG
  • Paul Shultz, Managing Director of Protiviti
  • Dave Anderson, Senior Director of SAP Business Objects

Paul frames the problem: Risk is often just an afterthought of strategy, resulting in strategic objectives that may be unrealistic and risk management being an appendage to performance management.

Paul breaks the solution down into components (enable, measure, plan, aim, aspire and protect) and uses technology to build enterprise risk intelligence.

Dave views risk intelligence as a piece of performance. Risks can prevent you from reaching your goals. Strategy needs context to make decisions and needs to be connected to operations; otherwise there may be a gap between the strategy and its execution.

Dave’s (and SAP’s) approach is an integrated one to strategy and risk management, addressing financial risks, compliance risks, market risks, process risks, and people risks.

Dave points out that S&P now includes enterprise risk management in its evaluation criteria as part of its credit rating calculations.

Carole pointed out that you want transparency so that risk is not hidden (whether intentionally or not).

It was interesting to hear KRIs used in connection with KPIs (that is, Key Risk Indicators and Key Performance Indicators).

IT for GRC: Improving Information Quality

Carole Switzer, President of OCEG and Lee Dittmar, principal of Deloitte Consulting LLP presented this webinar.

There is an imperative to improve governance, risk management and compliance processes to better manage risk, address increasing regulatory requirements and executive accountability, and overcome the fragmentation of information. It is about getting the right information to the right person at the right time. (Isn’t that knowledge management too?)

What is the information problem?

  • Managers need to know, anticipate and respond quickly and correctly
  • Stakeholders expect reliable and transparent reporting
  • Time and resources are spent searching for data
  • Data overload
  • DINK – Data Is Not Knowledge

It is not about “check the box” compliance; it is about improving your business.

Lee thinks governance, risk and compliance should be viewed comprehensively and leverage common systems. Integrated systems can help overcome silos. The key is a single source of the truth.

The goal is to get GRC embedded in the core processes. To be “in the flow” instead of “above the flow.”

Lee is seeing organizations adopting the business concepts of integrated GRC (even if they do not call it GRC).

A Unified Approach to GRC

I participated in a webinar by Carole Stern Switzer of OCEG and Sumner Blount of CA, Inc. on Unified Governance, Risk and Compliance.

Governance – the culture, policies, processes, laws and institutions that define the structure by which companies are directed and managed.

Risk – the effect of uncertainty on business objectives.

Compliance – The act of adhering to and demonstrating adherence to the external regulations and standards as well as corporate policies.

GRC is the coordination of these three areas to increase efficiency and produce more complete information for better decision-making.

After all, bad information leads to bad decision-making.

The evolution to GRC grew out of one-off controls and testing added as each new regulation came into force. The starting point was generally Sarbanes-Oxley. In the early days, internal audit and the general counsel operated separately from the operations group, whose work runs through the internal IT systems. As the compliance groups grew, they sent more and more audit and information requests to the operations groups. The goal now is to unify and simplify risk and compliance.

Siloed information makes it hard to determine the status of compliance and difficult to map controls to regulations. Sumner proposes a global repository of audits, risks, tests and test results, cross-referenced to unite the silos of information: a single source of truth for compliance, risk and governance.

The unified approach should result in giving you visibility into the state of operations and risks. This could allow you to remediate problems before they become critical.

The policy lifecycle starts with (1) identifying the requirements, (2) setting policies to meet the requirements, (3) creating controls to enforce the policies and then (4) monitoring and remediating the controls. This lifecycle should have feedback loops so that policies and controls stay up to date and functional.

Sumner sees five management tools: regulatory content, risk management, policy management, controls management and project management.

For policy management you need support for the creation, review, self-assessment and update of policy documents. You need a workflow to track approvals. You also need to track who has attested that they have read, comply with and will comply with the policy.

With regulatory content, it is difficult to develop the expertise, keep the information up to date and translate it into control objectives. It is also valuable to harmonize controls across regulations, so that you do not create redundant or even conflicting controls.

For controls management you want a centralized repository of controls mapped to the associated policies, regulations, risks and resources. You also want to store test results and assignment of actions to be done.

For project management, you want to track project status, support for an audit trail and support for reporting.

The key is to reduce costs, reduce disruptions, improve risk management, and use it to drive operational improvement and gain competitive advantage.