Improving Compliance Activities Through Technology · Chief Information Officer Chief Financial...

1

Improving Compliance Activities Through Technology

Session 203: Monday March 2, 2009 1:00-2:30

SCCE’s Utilities & Energy Compliance & Ethics Conference

Panelists:

Mike Milton, Director, GRC Solutions, MetricStream

Gary M. Fingerhut, Sr. VP and Co-Founder, Axentis

Chris von der Lieth, VP of Sales, BWise

Moderator:Judy Pokorny, Director, Huron Consulting

Session Title: 203 Improving Compliance Activities Through Technology

2

The Companies, Our Panelists Represent, are Leaders

in GRC Technology: Forrester’s Wave Report

GRC Technology Solutions

Provide the tool to tie together the critical elements of Compliance Management, ERM, Internal Audit, SOX, Process Improvement and IT

3

Compliance Activities Can Be Improved Through Technology

• Change Management Process– Frequently Changing Regulations– Increased Technical Complexity– Multiple Jurisdictions

• Increasing Employee Awareness– Visibility into Remote Locations– Training Program Management

• Data Management– Managing the Increased Documentation Requirements– Improving Data Accuracy, Protection and Security– Multiple Databases and Version Control– Timely Response to Auditors

• Reporting– Automation of Regular Reports– Greater Sorting and Integration Capability– Consistency Between Operating Units– Integration with ERM and Corporate Performance Management

Planning your Enterprise GRC RoadmapMarch 02, 2009

Gaurav Kapoor – CFO and General Manager

MetricStream

Global Governance, Risk & Compliance SolutionsDelivered Through

Content, Software & Services

GRC Wave Leaders Quadrant

GRC Magic Quadrant Leader –Highest score, completeness of vision

4

MetricStreamGovernance, Risk, Compliance & Quality Management

Ethics Governance Risk Compliance Alerts TrainingQuality

Compliance

Enterprise GRC – Broad Scope

� Internal Audit Management

� Risk Management

� Compliance Management

� Internal Audit� Policy

Management� Document

Creation & Management

� Contract Management

� Stock Option Tracking

� Code of Conduct

� Corporate Social Responsibility

� Case Management

� Operational Risk Management

� Loss Management

� KRI Tracking � Risk/ Control

Matrix

� IT-GRC� Issues

Management� Surveys/

Certifications� Regulatory

Compliance (e.g., AML, FCPA)

� Federated Compliance Dashboard

� Filings

� Non-Compliance Alerts

� Notification of Changes to Laws & Regulations

� Automated email Distribution of Compliance Information

� e-Learning� Employee

certification� Training

content� Integration

with Compliance-online.com

� Branch audits� Supplier

Quality Management

� ISO Certification

� Environmental Health & Safety

� Change Management

MetricStream Solution Footprint


Goal: Automate Enterprise GRC Processes

Map Policies, Risks, Requirements

Executive Visibility

Regulatory / Documentation

Compliance Assessment

Internal Audit &Approvals

Alerts & Reports

Gap Remediation/CAPA Issues Management

5


9

� Air Resources Board, Local Air Pollution Control District, Water Resources Board, Department of Toxic Substance Control

� Air Emissions Management � California Highway Patrol � California Public Utilities Commission (CPUC)

Decisions � Code of Federal and State Regulations

(Building code, fire code/State Fire Marshall, Americans with Disability Act)

� Code of Federal Regulations (CFR) � Department of Energy � Department of Fair Employment and Housing � Department of Forestry � Department of Justice (DOJ) � Department of Motor Vehicles � Department of Transportation (DOT) � Equal Employment Opportunity Commission

(EEO) � Federal and State Environmental Protection

Agency (EPA) � Federal and State Occupation Safety Health

Administration (OSHA)

100’s of Regulators – 1000’s of Regulations

� Federal Energy Regulatory Commission (FERC)

� Federal Homeland Security � Federal Sentencing Guidelines (FSG) � Federal, State, City and County Legislation � Financial Accounting Standards Board � Local Air Quality Management Districts, e.g.,

Sacramento Metro. Air Quality Management District

� Local Fire Districts� Local Sewer Districts � National Fire Protection Association � National Labor Relations Board � Office of Federal Contract Compliance � Public Utilities Code (PU Code) � Securities and Exchange Commission (SEC),

e.g., Sarbanes Oxley Legislation� State Attorney General � State Board of Equalization � State Bureau of Automotive Repair (part of

CHP) � State Energy Commissions (CEC) � State Office of Emergency Services � Water Quality Control Boards


Enterprise GRC – Many Stakeholders

Chief ComplianceOfficer

Chief InformationOfficer

Chief FinancialOfficer

� Company-wide financial compliance

� Sarbanes Oxley Certification

� Financial integrity

� Information integrity

� Systems integrity

� Data security

� Compliance to industry regulations

� Compliance with government regulations (e.g., Anti-Money Laundering, Foreign Corrupt Practices Act)

� Implementation and management of company compliance architecture

� Executive sponsor for overall company compliance processes

� Co-certify Sarbanes Oxley Compliance

� Ensure compliance with government regulations

Chief HR Officer

� Compliance with HR policies and procedures

� Compliance with government health and safety regulations

� Certification training

Chief Quality Officer

Chief RiskOfficer

� Enterprise Risk Management (Financial & Operational)

� External Risk Management

� Compliance with quality standards

� ISO, 6 sigma

� Industry quality like TS, ISO13485 etc

Chief Legal Officer

� Code of Ethics

� Options Management

� Corporate Governance

Chief Executive OfficerBoard of Directors

� Oversee GRC processes

� Set compliance tone for the company

Internal Audit

6


Enterprise GRC – Growing Maturity

11

Source: Deloitte

GRC Maturity Model:

� Regulatory Maturity—New regulations & updates

� Best Practice Maturity—Industry best practice develops over time

� Organizational Maturity—Organizational commitment is required

� GRC Implementation Maturity—From unmanaged risks to automated management


Start with a Roadmap of Your Requirements

7


Use a Solutions Framework

Issues Management/ Remediation

Compliance Management (e.g., SOX,

Reg. Compl.)

Internal Audit Management

Policy & Document

Mgmt.

EnterpriseRisk

Management

Dashboards & Reporting

� Manage Control Hierarchy

� Controls testing� Remediation� 302 Certification

� Other Compliance Reporting

� Enterprise Risk Assessment

� Define audit universe

� Closed Loop Issues Management

� Federated Compliance Reporting

� Work Program Library� Electronic Workpapers� Scheduling� Remediation� Reporting� Resource Management

� Email Integration� Document

Interoperability


Acquire Functional Framework & Content

Enterprise Compliance PlatformEnterprise Compliance Platform

Compliance Audits TrainingDocumentsRisk Change CAPA/Issues Submissions

Professional ServicesProfessional Services

Business Process Consulting

AdvisoryServices

ComplianceOnline.comComplianceOnline.com

Training

Best Practices

Experts

Community

Workflows Alerts/NotificationsSecurityForms Reports/Dashboards/Analytics Offline Briefcase

Best PracticesBest Practices

IndustrySpecific

FunctionSpecific

Integration

Access Control Management

Change Control Management

Document Management

Internal Audit Management

Security Management

Risk Management

Incident Management

Disaster Recovery Planning

Training Management

Vulnerability Management

Vendor Management

Document Management

Disaster Recovery Planning

8


Stay Informed -- Compliance Online Portal

Community consensus, best practice, training courses, and Compliance

updates are important to maintaining a strong Enterprise GRC solution.

ComplianceOnline.com is the largest portal for compliance community wisdom.


Executive Visibility & Program Management

Task Assignments

Issue Status and Progress Tracking

9


Enterprise GRC Benefits

17

Source: Lord & Benoit, 2006

Share-price performance of companiescomplying with SOX rules

��28%

��26%

��6%Control weakness in

2004, but none in 2005No control

weaknesses in 2004 -05

Reported control weakness 2004-05

Price of control deficiency for$1 billion company

Source: University of Wisconsin, 2006

$10 million in higher cost of equity capital

Savings on legal liability avoidancefrom GRC investment

Source: General Counsel Roundtable, 2006

Spending on Compliance

Savings on Lower Legal Liability $1$5

# of GRC projects

Ad hocApproach

PlatformApproach

Resources for innovation

Opportunity cost of siloed GRC

Cost of GRC


One Remediation Place for the Enterprise

Common data set for managing

Issues & Actions

Risk Risk

ManagementManagementCompliance Compliance

ManagementManagement

Third Party Third Party

SolutionsSolutionsAudit Audit

ManagementManagement

Monitoring Issues & Actions

Root Cause analysis

Track Issues to closure

Risk

Control

Schedule

Regulations

Process

Rules

Planning

Work-Papers

Findings

Projects

Technical

Business

10


Thank You

19

Why implement a comprehensive GRC solution and applying 5 Quick Wins for more effective Reliability and Regulatory Compliance.

Gary M. Fingerhut, SVP & Co-Founder

11

21

© 2009 AXENTIS Inc. • All Information Private and Confidential

Automating the Seven Elements ofEffective Compliance

Alignment with the critical components according to U.S. Sentencing Guidelines

22


Standards and Regulatory Process Activities

Monitor changes in laws, rules

and regulations and analyze applicability



Track and organize

laws, rules, regulations and map key

risks

Track and organize


risks

Distribute and manage

impact assessments

to key stakeholders


impact assessments

to key stakeholders

Develop and manage

action plans to address

requirements

Develop and manage


requirements

Assess completeness and adequacy of procedures and controls


Communicate procedural

expectations/ standards to internal and external

constituencies



constituencies

Provide support

mechanisms to help people

make decisions as needed

Provide support



Monitor and audit performance – policies, procedures, standards, controlsMonitor and audit performance – policies, procedures, standards, controls

Collect and uncover issues and remediate as neededCollect and uncover issues and remediate as needed

Supports the USSC 7 Elements of an Effective Compliance and Ethics Program

12

23


What technologies are used for managing your legal and regulatory requirements?

A. Spreadsheet(s) and/or department level database(s) -largely manual

B. Enterprise solution

C. Don’t know

24


Quick Win 1: Track Changing Requirements

Current State

• Multiple spreadsheets and databases

• Inconsistent data collection habits

• Difficult to manage updates

• Difficult to manage user access

• Difficult to know what actions were taken or get an enterprise status

Target State

• Centrally organized information

• Consistent collection of information

• Controlled distributed access

• Support for different organization schemes

• Accurate status and audit trail of actions taken





Track and organize


risks

Track and organize


risks

13

25


Is your enterprise consistent in assessing and organizing business impacts of legal and regulatory change?

A. Not consistent

B. Somewhat consistent

C. Largely consistent

26


Quick Win 2: Automate Impact Assessments

Current State

• Difficult to consistently communicate with correct stakeholders

• Manual follow up to incomplete/ missing responses

• Difficult to aggregate responses and identify real risks

• Difficult to produce accurate high-level status

Target State

• Automated stakeholder notifications and reminders

• Consistent stakeholder distribution and tracking of assessments

• Rapid identification of high-risk gaps

• Single view of assessment responses and business area impacts


impact assessments

to key stakeholders


impact assessments

to key stakeholders

Develop and manage


requirements

Develop and manage


requirements



14

27


How do you track follow-up action plans that address changing legal and regulatory requirements?

A. Largely a manual process

B. Change or issue management solution

C. Integrated solution – inventory, assessment, action plans

28


Quick Win 3: Automate Action Plans

Current State

• Manual tracking of assignments, due dates, responsibilities, tasks to be performed, etc.

• Lack of enterprise visibility

• Time consuming follow-up and task management

• Current statuses are difficult to produce

Target State

• Single secured system with automated tracking

• Responsibilities and activities are tracked

• Current status is always available

• Multiple views of issues and plans


impact assessments

to key stakeholders


impact assessments

to key stakeholders

Develop and manage action

plans to address

requirements

Develop and manage action

plans to address

requirements



15

29


How do you communicate and track policy and procedure changes are received according to applicability?

A. Largely a manual process

B. Automated in some areas and some mandates

C. Integrated solution – automated role management, assignment notifications and attestation tracking

30


Quick Win 4: Automate Compliance Communication, Training and Attestation

Target State

• Automated, consistent notification and distribution of training and e-learning

• Defined and rules-based communication

• Current policies, procedures accessible

• Inclusion of third parties and contingent workers

• Evidence of enterprise training program

Current State

• Manual (hard copy, email) distribution, document repositories, etc.

• Inconsistent by area (language, format, etc.)

• Inaccurate/unavailable record of attestations

• Error prone and time consuming



constituencies



constituencies

Provide support



Provide support



16

31


Quick Win 5: Uniform Documentation of Policies & Procedures

Target State

• Central, controlled management

• Consistent format and structure

• Reduce time to find relevant information

• Relate policies, procedures, standards, etc

• Pinpoint relevance to business units and functions

• Version controlled

Current State

• Multiple, document locations

• Inconsistent formats and language/terms

• Difficult to locate current information

• Inability to relate policies with procedures

• Difficult to make role based



constituencies



constituencies

Provide support



Provide support



32


GRC Applications Will Enable…

• Quick Win 1: Track Changing Requirements

• Quick Win 2: Automate Impact Assessments

• Quick Win 3: Automate Action Plans

• Quick Win 4: Automate Compliance Communication, Training and Attestation

• Quick Win 5: Uniform Documentation of Policies & Procedures

17

33


Contact

Gary M. Fingerhut

SVP & Co-Founder

AXENTIS

P +1.216.896.8356

[email protected]

Building a

Business Case

and ROI

Chris von der LiethVice President of Sales

March 2nd, 2009

18

Offices and Customers

• Company founded in 1994• More than 300,000 users • More than 500 customers • In 80+ countries worldwide• Global Implementation Professionals

• Utility, Oil, & Gas Industry Experience• Marathon Oil• Husky Energy• ONEOK• Southern Company

What’s Happening?

Ordancesurvey:

Regulatory comp

liance

The regulatory en

vironment for Utilities is i

ncredibly complex.

Regulations differ

between sectors a

nd as a result Utilit

ies

must comply with different s

ets of rules. Multin

ational Utilities

must also comply with a

variety of regulati

ons imposed by

different countries

around the world.

.

Oil Trades Near $110 on U.S. Pipeline Leak,

Mexico Shuts PortsBy Nesa Subrahmaniyan

April 14 (Bloomberg) — Crude oil traded near $110

a barrel in New York as repairs to fix a pipeline

crack cut supplies of more than 1 million barrelsa day from the Gulf of Mexico to the U.S. Midwest.

Fraud Costs Bank $7.1 Billion

By NICOLA CLARK and DAVID JOLLYPublished: January 25, 2008

PARIS — Société Générale, one of the largest banks in Europe, was thrown into turmoil Thursday after it disclosed that a rogue employee executed a series of “elaborate, fictitious transactions” that cost the bank more than $7 billion, the biggest loss ever recorded by a single trader.

\ The Enron scandal was a financial scandal involving Enron Corporation (former NYSE ticker symbol: ENE) and its accounting firm Arthur Andersen, that was revealed in late 2001.

In addition, the scandal caused the dissolution of Arthur Andersen, which at the time was one of the five largest accounting firms in the world.

Supplier risk

Risks in

processes

Risks with

employees

New

regulations

Bnet:As one risk manager at an energy/utility company

charges, his sector perhaps uses group mutuals

and captives better than any other industry out

there. Yet all of that cooperation still did not

protect them from the aftermath of the 2005

hurricane season, nor the upcoming storms. .

Operational risks

Oil Prices Surpass $123 Per Barrel 08-05-2008 Oil prices reach new record highs Oil prices continue their ongoing climb, as crude futures

set a new record crossing USD 123 a barrel on the New York Mercantile Exchange. Many experts believe that an approaching US recession and the falling dollar are driving the high demand for the energy source. Source:

Presstv

Economy risks

19

Governance, Risk and Compliance

And also:Reduce costs of GRCImprove PerformanceIntegrate different frameworksImprove the quality of controlsImprove risk analysis

GRC is the sum of

Governance, Risk and

Compliance.

You have to get in control on:

Enterprise risks, such as:Financial & reporting risksRegulatory risksOperational risksFraud

Credit Rating AgenciesRegulationsBanks & investment community

The Challange

Solutions to Stay in Balance

Enable your organization to:

Reduce costs of GRC, both after initial project and over timeMore control by less controlsIntegrate all GRC initiatives and frameworksIncrease business performance Improve competitive advantage

20

Savings on business processesSavings on business processes

Companies have:

• 10 – 80% savings on business processes because of processoptimalization

$ Impact

Reduced Cost of CapitalReduced Cost of Capital

Risk Management may improve credit ratings significantly.

Have you quantified how much that may save your company?

Improved efficiencyImproved efficiency

Companies have reduced:

• Their number of key controls by 20%-40%.Control testing will cost $500 every time it is tested.

• Their number of key risks by 20%-40%. With an average of 4 controls per key risk, this reduced the number of key controls to be tested.

•Their costs by 8M annually by standardizing and improved business processes

Reduced cost on auditReduced cost on audit

Companies have:

•Saved 25%-70% of their external audit costs as a result of evidencecollecting, quality improvements of internal audit department and fasterand better insights

Reduced cost on insuranceReduced cost on insurance

Companies have:

•Reported to save 25% on directors and officers insurance policy.

Challenge:

Try to calculate how

much that would

save your company?

Convergence Benefits

0

5,000,000

10,000,000

15,000,000

20,000,000

25,000,000

12

34

56

78

910

Do

llar

Number of Regulations

Convergence Benefit

Today

BWise

Organizations on average have to comply with 70 different regulations.Regulations have an estimated 40% overlap in controls.Return on Compliance, December 2006

“Companies that choose one-off solutions to each regulatory challenge they face will spend 10 times more on compliance projects than their counterparts that take a proactive approach.”Corporate Governance Spending Disrupts Software Purchases, November 2004

21

KRI Dashboards

Questions?

Chris von der Lieth

Vice President of Sales

BWise, Inc.

1450 Broadway, 38th Floor

New York, NY 10018

Phone: 212 – 584 - 2261

Cell: 917-370-5979

E-mail: [email protected]

www.bwise.com

Improving Compliance Activities Through Technology · Chief Information Officer Chief Financial...

Documents

Transcript of Improving Compliance Activities Through Technology · Chief Information Officer Chief Financial...