Standards for Integrated Governance, Risk and Compliance Management - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Standards for Integrated Governance, Risk and
Compliance Management
  • Scott L. Mitchell
  • CEO, Open Compliance & Ethics Group
  • smitchell_at_oceg.org

2
Agenda
  • Big Picture of GRC
  • GRC Standards
  • Integration of GRC: OCEG Framework
  • GRC and Corporate Performance

3
What is OCEG?
OCEG is a nonprofit organization that uniquely
seeks to
  • Provide a universal framework for integrating the
    principles of good corporate governance, risk
    management, and compliance while promoting ethics
    and integrity in the daily practice of business
    • Cross-Industry (pharmaceutical, financial, etc.)
    • Cross-Topical (employment, environmental, etc.)
  • Drive adoption of the framework through a
    multi-industry and multi-disciplinary coalition
    of stakeholders
  • Lead a community of practice for exchanging
    information and continuously improving the
    framework and related tools for implementation

4
OCEG Resources
  • Guidelines & Standards
  • Evaluation Criteria & Metrics
  • Online Environment

5
Big Picture
6
Stay in the Green
7
Criticism
Governance, Risk Management & Compliance are the
"departments of NO"
8
Response
The Fastest Cars Have the Best Brakes
9
Basic Principles
GO / STEER / BRAKE
Historically, 99% of business investment is
focused here (GO)
Brakes are a critical component to executing
strategy and realizing long-term value
10
and just to belabor the metaphor
  • Although the parts are located throughout the
    vehicle, the brakes should work as a single,
    integrated system
  • In organizations, this system or program should
    address the total portfolio of governance, risk
    management and compliance processes

11
Integration of GRC and Culture
Governance: capability to set and evaluate
performance against objectives; authorize a
business strategy and model to achieve objectives
while staying within mandated (legal) and
voluntary boundaries
Culture: mindsets of individuals and an
organizational climate that promotes ethics,
integrity, respect, trust and accountability
Risk: capability to proactively identify,
rigorously assess and address potential obstacles
to achieving objectives and the risk that the
organization will step outside of mandated
(legal) and voluntary boundaries
Compliance: capability to proactively encourage
compliance with established policies and
boundaries; the ability to detect noncompliance
and the ability to respond accordingly
12
Standards & Frameworks
13
Benefits of Standards
  • Reduce Cost
    • Design
    • Implementation
    • Integration
    • Evaluation
  • Increase Objectivity
    • Benchmarking
    • Internal Evaluation
    • External Evaluation
  • Leverage Experience
    • Multi-Industry
    • Multi-Functional
  • Opportunity for Recognition from Stakeholders

Increased Performance
14
Types of Standards
  • Principles-Oriented
  • Process-Oriented
  • Technical

15
Disciplines / Standards
  • Governance
    • SOX, SEC, NYSE, NASDAQ
    • BRT, NACD, Conference Board
    • TIAA-CREF, CalPERS, AFL-CIO, CII
    • OECD
    • American Law Institute
  • Compliance / Legal Management
    • Federal Sentencing Guidelines / Thompson
    • Australian Standards
    • OCEG Standards
    • Various agency guidelines (e.g., HHS OIG)
  • Ethics / Corporate Social Responsibility
    • AA1000, SA8000, ISO CSR
    • Global Reporting Initiative
    • ILO Conventions, UN Global Compact, Sullivan
      Principles
    • Sigma Guidelines (UK)
    • Q-RES (Italian)
    • European Corporate Sustainability
  • Risk Management
  • Internal Audit / Anti-Fraud
    • COSO Internal Control (1992), COCO
    • SAS 99
  • IT Control / Security
    • COBIT
    • SysTrust, WebTrust
  • Performance Management
    • Balanced Scorecard
    • EVA
    • McKinsey, BAH, Accenture
  • Human Capital / Training
    • ASTD
    • Bloom's Taxonomy
    • Kirkpatrick
  • Communication / Change Management
  • Quality Management
    • ISO 9000 series
    • Six Sigma
16
Exercise
  • What standards / frameworks do you use?

17
OCEG Framework
18
Involvement
200 individuals, 100 organizations
19
Integration
  • OCEG integrates effective practices associated
    with multiple disciplines into a framework for
    managing compliance and ethics
    • Governance
    • Compliance / Legal Management
    • Ethics Management
    • Risk Management
    • Internal Audit
    • Human Capital Management
    • Training Development / Design
    • Change Management
    • Quality Management
    • Project Management

20
Leadership Council
  • Aon
  • Archer Daniels Midlands
  • Baker Hughes
  • Cisco
  • Corpedia Education
  • Dell
  • Deloitte
  • DuPont
  • Ernst & Young
  • EthicsPoint
  • Freddie Mac
  • Gevity
  • Global Compliance Svs
  • Grant Thornton
  • Interactive Alchemy
  • Littler Mendelson
  • LRN
  • Lyondell Chemical
  • Marsh
  • Microsoft
  • PETCO
  • PricewaterhouseCoopers
  • Qwest
  • Roche Diagnostics
  • Sears
  • Staples
  • The Integrity Institute
  • Unilever
  • Wachovia Corporation
  • Others Pending

21
The Compliance Consortium Acquisition
  • Axentis
  • Corpedia
  • Approva
  • Hyperion
  • Hyland
  • Intuition
  • Jefferson Wells
  • Navigant
  • The Network
  • Staffware
  • Objectives
    • Increase understanding of how to apply technology
    • Reduce risks/cost of implementation
    • Reduce risks/cost of integration
  • Approach
    • Solution Providers & End-Users
    • Open Process

First Working Group Announced 7/19: Whistleblower
Hotlines/Helplines
22
Hotline/Helpline Working Group
  • EthicsPoint
  • Global Compliance Services
  • Listen Up Group
  • My Safe Workplace
  • The Network
  • Micron
  • ITT
  • University of Texas
  • Microsoft
  • ADM
  • Qwest
  • Gap
  • Goodrich
  • Starbucks
  • Wal-Mart
  • Wachovia
  • EthicsSA
  • Catholic Health
  • Staples
  • GA Technical Institute
  • Ernst & Young
  • Better Business Bureau
  • Lucent
  • RadioShack
  • CIBC
  • Interpublic Group
  • Johnson Controls
  • Countrywide Financial
  • Delphi Group

23
OCEG Foundation Guidelines - Status
  • Public Draft made available May, 2004
    • 5,000 downloads
    • 100 organizations and individuals provided
      feedback
    • 50 person Steering Committee vetted the draft
      and the comments
  • Application Draft made available May, 2005
    • Organizations of all sizes are invited to Beta
      Test the OCEG Foundation to ensure that the
      guidelines are practical. OCEG is specifically
      studying implementation at
      • ADM
      • DuPont
      • Gevity
      • Qwest
      • Staples
      • Wachovia
      • Dell
  • Aim to finalize by end of March, 2006

Register at www.oceg.org
24
OCEG Framework
Company: Companies can build on top of these
models to customize and configure their
capability to address unique requirements
Domains: Domains provide topical or
industry-specific information that integrates
with and assumes the OCEG Foundation is in place
Foundation: The Foundation describes common
elements of an effective program that integrates
the principles of good corporate governance, risk
management, compliance and ethics/culture
25
OCEG Foundation
Detailed view of the Foundation layer (beneath
Company and Domains):
CULTURE / ORGANIZATION / PROCESS / TECHNOLOGY
26
Integration
  • Federal Sentencing Guidelines
  • Sarbanes-Oxley
  • COSO Internal Control
  • COSO ERM
  • ISO 9000 series
  • ISO 14000 series
  • Various regulatory frameworks and guidance (e.g.
    HHS)
  • Various CSR frameworks and guidance (AA1000,
    SA8000, etc.)

Translate / Integrate / Simplify:
Practical, Actionable Guidance
27
OCEG Foundation
CULTURE
ORGANIZATION
PROCESS: PLAN / ORGANIZE; PREVENT / PROTECT /
PREPARE; MONITOR / DETECT / EVALUATE; RESPOND /
IMPROVE
INFORMATION / COMMUNICATION
TECHNOLOGY
28
OCEG Foundation - Reality
CULTURE
ORGANIZATION
PROCESS: PLAN / ORGANIZE; PREVENT / PROTECT /
PREPARE; MONITOR / DETECT / EVALUATE; RESPOND /
IMPROVE
INFORMATION / COMMUNICATION
TECHNOLOGY
Continuous Execution and Overlap of Key Processes
29
OCEG Foundation
CULTURE
  • C1 Ethical Culture
  • C2 Risk Culture
  • C3 Governance Culture
  • C4 Workforce Culture
ORGANIZATION
  • O1 Leadership & Champions
  • O2 Oversight Personnel
  • O3 Strategic Personnel
  • O4 Operational Personnel
PROCESS
  • PLAN / ORGANIZE
    • PO1 Scope & Objectives
    • PO2 Business Model & Context
    • PO3 Boundary Identification
    • PO4 Event Identification
    • PO5 Risk Assessment
    • PO6 Program Design & Strategy
  • PREVENT / PROTECT / PREPARE
    • PR1 Controls, Policies & Procedures
    • PR2 Code of Conduct
    • PR3 Training & Education
    • PR4 Workforce Management
    • PR5 Physical Infrastructure
    • PR6 Risk Sharing & Insurance
    • PR7 Preparedness & Practice
  • MONITOR / DETECT / EVALUATE
    • ONGOING MONITORING
      • M1 Control Assurance & Audit
      • M2 Hotline / Helpline Reporting
    • PERIODIC EVALUATION
      • E1 Evaluation Planning & Reporting
      • E2 Effectiveness Evaluation (DE, OE)
      • E3 Program Performance Evaluation
  • RESPOND / IMPROVE
    • R1 Issue Management
    • R2 Special Investigations
    • R3 Crisis Response
    • R4 Discipline & Disclosure
    • R5 Remediation & Improvement
INFORMATION / COMMUNICATION
  • I1 Information & Records Management
  • I2 Communication
  • I3 Internal Reporting
  • I4 External Reporting & Filings
TECHNOLOGY
  • T1 Technology
30
Risk Area Domains
The Risk Area Domain Guidelines identify a number
of areas to which most organizations are exposed.
Each organization is unique and will focus on
specific domains as appropriate.
  • Employment Domain Subtopics
    • Compensation
    • Executive Compensation
    • Workplace Violence
    • Benefits
    • Anti-Harassment
    • Anti-Discrimination
    • Contingent Workforce
    • Hiring / Retention
    • Termination / Reduction
    • Employment Information Privacy
    • Accommodation / Leave
    • Labor / Collective Bargaining
    • Global Migration
    • Anti-Retaliation / Whistleblowing
    • Other Employment Torts

Risk area domains: governance; employment;
financial assurance; anti-corruption; information
management; intellectual property; environmental;
international dealings; competitive practices;
product quality / safety; workplace health /
safety; government dealings (USA)
31
How does this affect corporate performance?
32
Big Picture
33
Must Stay Within Boundaries & Effectively Steer
the Organization
34
Corporate Governance
MISSION / VISION / VALUES
objectives
business model & strategy (people, process,
technology & infrastructure) designed to achieve
objectives
STAKEHOLDERS
35
Bottom-Line
  • We must understand enterprise strategy to ensure
    that we appropriately
    • Align
    • Design
    • Implement
    • Manage
    • Operate
    • Evaluate

and to ensure that we get the appropriate budget
to do it!
36
Objectives
  • Many ways to define enterprise objectives
  • Common elements
    • Categories
    • Criteria
    • Cascading
  • Perspectives
    • For Profit
    • Nonprofit
37
Balanced Scorecard
FINANCIAL: To succeed financially, how should we
appear to our shareholders?
CUSTOMER: To achieve our vision, how should we
appear to our customers?
INTERNAL PROCESSES: To satisfy our shareholders
and customers, what internal processes must we
excel at?
LEARNING & GROWTH: To achieve our vision, how
will we sustain our ability to change and
improve?
38
Stakeholders
board
management
enterprise
employees
39
Balanced Scorecard
Financial: Long-Term Shareholder Value
  • Productivity Strategy
    • Improve Cost Structure
    • Improve Asset Utilization
  • Growth Strategy
    • New Revenue Sources
    • Increase Customer Value
Customer
  • product / service attributes: Price,
    Functionality, Quality, Availability, Selection
  • relationship attributes: Service, Partnership
  • image: Brand
  • Customer Exp.
Internal Process
  • Operations Management Processes: Supply,
    Production, Distribution, Risk Mgt
  • Customer Management Processes: Selection,
    Acquisition, Retention, Growth
  • Innovation Processes: Opportunity, R&D, Design,
    Product Launch
  • Regulatory & Social Processes: Environmental,
    Employment, Governance, Etc.
Learning & Growth
  • Human Capital (readiness, training, recruitment,
    retention, etc.)
  • Information Capital (transactional systems,
    information systems, data storage,
    infrastructure, etc.)
  • Organizational Capital (culture, leadership,
    alignment, etc.)
40
Cascading Performance
Enterprise Performance
Department Performance
Team Performance
41
Cascading Performance
Compliance & Ethics Program Performance
Enterprise Performance
42
System Model (ILLUSTRATIVE)
Causal loop diagram linking: employee
satisfaction, employee productivity, employee
purpose, errors & omissions, strong formal
controls, corporate performance, fraud & abuse,
early warning system, strong culture & informal
controls, reputation, customer loyalty
43
Success Factors
  • Simple, balanced view of the organization's
    progress towards its objectives
  • Less is more (sometimes)
  • Leading and Lagging
  • Hard and Soft
  • Strategic Alignment

"If you can't measure it, you can't manage it"
(Kaplan and Norton, 1996)
44
Types of Measures
  • Lagging: Hard, Objective, Outcome, Control
  • Leading: Soft, Subjective, Culture / Perceptions,
    Leadership
46
OCEG Performance Measurement Framework
  • Effectiveness (Quality)
    • Does the program promote the right mindset and
      climate?
    • Is it properly aligned, focused and authorized?
    • How well does the program prevent noncompliance?
    • How well does the program detect noncompliance?
    • How well does the program react to noncompliance?
    • How well does the program protect the entity and
      reduce the impact of adverse events?
    • How well does the entity evaluate and
      continuously improve the program?
  • Efficiency (Cost, Capital)
    • How much does it cost to execute core processes?
    • How well do we utilize capital?
  • Responsiveness (Speed, Agility)
    • How quickly can the program execute core
      processes?
    • How quickly and effectively can the program
      respond to new requirements and change?

Triangle: Effective / Responsive / Efficient
47
Indicator Category Relationships
There is, generally, an inverse relationship
between indicator categories. For example, if an
organization seeks to increase efficiency (drive
down costs), responsiveness and effectiveness
often suffer. This is particularly true when
organizations seek incremental changes.
Triangle: Effective / Responsive / Efficient
48
Breakthrough Thinking
An exception to this rule is when organizations
successfully engage in "breakthrough thinking"
that actually changes the size and shape of the
triangle altogether. The application of
technology and automating processes is a typical
way to accomplish this.
Triangle: Effective / Responsive / Efficient
49
OCEG Performance Measurement Practice Aid
50
Tier 1 Metrics (Candidates)
  • Culture
    • workforce that believes org wants them to do
      the right thing
    • workforce that believes climate is open to
      raise issues
    • workforce that believes senior management does
      the right thing
    • employee satisfaction
    • workforce understand how their job contributes
      to the enterprise
  • Prevent / Protect
    • Value at risk (VAR)
    • risks addressed by preventative measures (code,
      policies, training, human capital, other control)
    • workforce confirm understanding of code of
      conduct
    • calls that prevent noncompliant actions
    • controls appropriately designed
  • Detect
    • early, mid, late, un-detected
    • workforce who observe noncompliance but do not
      report (and why)
    • of controls that operate as designed
    • False reports
    • Time / to confirm issue
  • React
    • Rate of resolution / close
    • Total time from detect to begin investigation
    • Time / to investigate / resolve issue
    • Total time from detect to resolve
    • Actual loss per issue
51
Extra Information
52
OCEG Development Process
Rigorous process aimed at careful and incremental
development to ensure that the work product is
complete, of high quality and practical
1. Assemble the right team to develop and review the
   product in a controlled environment
   • assemble full working group
   • break into subgroups (optional)
   • analyze and consolidate findings
   • circulate controlled drafts (version 0.1 - 0.4)
   • co-chairs direct work product and schedule
   • review board works with co-chairs to make final
     decisions
   • general members participate in the process
2. Solicit public feedback so that the work product
   is complete and correct
   • analyze internal feedback
   • post public exposure draft (version 0.5 - 0.8)
3. Analyze and integrate public feedback and
   encourage individuals to implement the product in
   a real environment and solicit feedback from
   actual use so that the product is practical
   • analyze public feedback
   • post application draft (version 0.9)
4. Analyze and integrate feedback from those
   organizations that actually used the product and
   publish a final draft
   • analyze application feedback
   • post final draft (version 1.0)