1. Standards for Integrated Governance, Risk and Compliance Management
Scott L. Mitchell
CEO, Open Compliance & Ethics Group
smitchell@oceg.org
2. Agenda
Big Picture of GRC
GRC Standards
Integration of GRC – OCEG Framework
GRC and Corporate Performance
3. What is OCEG?
Provide a universal framework for integrating the principles of good corporate governance, risk management, and compliance while promoting ethics and integrity in the daily practice of business
  Cross-Industry (pharmaceutical, financial, etc.)
  Cross-Topical (employment, environmental, etc.)
Drive adoption of the framework through a multi-industry and multi-disciplinary coalition of stakeholders
Lead a community of practice for exchanging information and continuously improving the framework and related tools for implementation
4. OCEG Resources
Guidelines & Standards
Evaluation Criteria & Metrics
Online Environment
5. Big Picture
6. Stay in the Green
7. Criticism…
8. …Response
9. Basic Principles
10. …and just to belabor the metaphor
Although the parts are located throughout the vehicle, the brakes should work as a single, integrated system
In organizations, this system or “program” should address the total portfolio of governance, risk management and compliance processes
11. Integration of GRC + C
12. Standards & Frameworks
13. Benefits of Standards
Reduce Cost
  Design
  Implementation
  Integration
  Evaluation
Increase Objectivity
  Benchmarking
  Internal Evaluation
  External Evaluation
Leverage Experience
  Multi-Industry
  Multi-Functional
Opportunity for Recognition from Stakeholders
14. Types of Standards
Principles-Oriented
Process-Oriented
Technical
15. Disciplines / Standards
Governance
  SOX, SEC, NYSE, NASDAQ
  BRT, NACD, Conference Board
  TIAA-CREF, CalPERS, AFL-CIO, CII
  OECD
  American Law Institute
Compliance / Legal Management
  Federal Sentencing Guidelines / Thompson
  Australian Standards
  OCEG Standards
  Various agency guidelines (e.g., HHS OIG)
Ethics / Corporate Social Responsibility
  AA1000, SA8000, ISO CSR
  Global Reporting Initiative
  ILO Conventions, UN Global Compact, Sullivan Principles
  Sigma Guidelines (UK)
  Q-RES (Italian)
  European Corporate Sustainability
Risk Management
  GARP, PRMIA standards
  Australian Standards
  Basel II Guidelines
  COSO ERM (2004)
Internal Audit / Anti-Fraud
  COSO Internal Control (1992), COCO
  SAS 99
IT Control / Security
  COBIT
  SysTrust, WebTrust
Performance Management
  Balanced Scorecard
  EVA
  McKinsey; BAH; Accenture
Human Capital / Training
  ASTD
  Bloom’s Taxonomy
  Kirkpatrick
Communication / Change Management
Quality Management
  ISO 9000 series
  Six Sigma
Project Management
  Project Management Institute PMBOK®
16. Exercise
What standards / frameworks do you use?
17. OCEG Framework
18. Involvement
19. Integration
OCEG integrates effective practices associated with multiple disciplines into a framework for managing compliance and ethics
Governance
Compliance / Legal Management
Ethics Management
Risk Management
Internal Audit
Human Capital Management
Training Development / Design
Change Management
Quality Management
Project Management
20. Leadership Council
Aon*
Archer Daniels Midlands
Baker Hughes
Cisco
Corpedia Education*
Dell*
Deloitte*
DuPont
Ernst & Young*
EthicsPoint*
Freddie Mac
Gevity
Global Compliance Svs*
Grant Thornton*
Interactive Alchemy*
Littler Mendelson*
LRN*
Lyondell Chemical
Marsh*
Microsoft*
PETCO
PricewaterhouseCoopers*
Qwest*
Roche Diagnostics
Sears
Staples
The Integrity Institute*
Unilever
Wachovia Corporation
Others Pending…
21. The Compliance Consortium Acquisition
Axentis
Corpedia
Approva
Hyperion
Hyland
Intuition
Jefferson Wells
Navigant
The Network
Staffware
22. Hotline/Helpline Working Group
EthicsPoint
Global Compliance Services
Listen Up Group
My Safe Workplace
The Network
Micron
ITT
University of Texas
Microsoft
ADM
Qwest
Gap
Goodrich
Starbucks
Wal-Mart
Wachovia
EthicsSA
Catholic Health
Staples
GA Technical Institute
Ernst & Young
Better Business Bureau
Lucent
RadioShack
CIBC
Interpublic Group
Johnson Controls
Countrywide Financial
Delphi Group
23. OCEG Foundation Guidelines - Status
Public Draft made available May, 2004
  5,000+ downloads
  100+ organizations and individuals provided feedback
  50+ person Steering Committee vetted the draft and the comments
Application Draft made available May, 2005
  Organizations of all sizes are invited to Beta Test the OCEG Foundation to ensure that the guidelines are practical. OCEG is specifically studying implementation at:
    ADM
    DuPont
    Gevity
    Qwest
    Staples
    Wachovia
    Dell
Aim to finalize by end of March, 2006
24. OCEG Framework
25. OCEG Foundation
26. Integration
Federal Sentencing Guidelines
Sarbanes-Oxley
COSO Internal Control
COSO ERM
ISO 9000 series
ISO 14000 series
Various regulatory frameworks and guidance (e.g. HHS)
Various CSR frameworks and guidance (AA1000, SA8000, etc.)
27. OCEG Foundation
28. OCEG Foundation - Reality
29. OCEG Foundation
30. Risk Area Domains
Employment Domain: Subtopics
Compensation
Executive Compensation
Workplace Violence
Benefits
Anti-Harassment
Anti-Discrimination
Contingent Workforce
Hiring / Retention
Termination / Reduction
Employment Information Privacy
Accommodation / Leave
Labor / Collective Bargaining
Global Migration
Anti-Retaliation / Whistleblowing
Other Employment Torts
31. How does this affect corporate performance?
32. Big Picture
33. Must Stay Within Boundaries & Effectively Steer the Organization
34. Corporate Governance
35. Bottom-Line
We must understand enterprise strategy to ensure that we appropriately:
Align
Design
Implement
Manage
Operate
Evaluate
36. Objectives
Many ways to define enterprise objectives
Common elements
  Categories
  Criteria
  Cascading
Perspectives
  For Profit
  Nonprofit
37. Balanced Scorecard
38. Stakeholders
39. Balanced Scorecard
40. Cascading Performance
41. Cascading Performance
42. System Model
43. Success Factors
Simple, balanced view of the organization's progress towards its objectives
Less is more (sometimes)
Leading and Lagging
Hard and Soft
Strategic Alignment
44. Types of Measures
45. Types of Measures
46. OCEG Performance Measurement Framework
Effectiveness (Quality)
  Does the program promote the right mindset and climate?
  Is it properly aligned, focused and authorized?
  How well does the program prevent noncompliance?
  How well does the program detect noncompliance?
  How well does the program react to noncompliance?
  How well does the program protect the entity and reduce the impact of adverse events?
  How well does the entity evaluate and continuously improve the program?
Efficiency (Cost, Capital)
  How much does it cost to execute core processes?
  How well do we utilize capital?
Responsiveness (Speed, Agility)
  How quickly can the program execute core processes?
  How quickly and effectively can the program respond to new requirements and change?
47. Indicator Category Relationships
48. Breakthrough Thinking
49. OCEG Performance Measurement Practice Aid
50. Tier 1 Metrics (Candidates)
Culture
  % workforce that believes org wants them to do the right thing
  % workforce that believes climate is open to raise issues
  % workforce that believes senior management does the right thing
  employee satisfaction
  % workforce understand how their job contributes to the enterprise
Prevent / Protect
  $ Value at risk (VAR)
  % risks addressed by preventative measures (code, policies, training, human capital, other control)
  % workforce confirm understanding of code of conduct
  # calls that prevent noncompliant actions
  % controls appropriately designed
Detect
  % early, mid, late, un-detected
  % workforce who observe noncompliance but do not report (and why)
  % of controls that operate as designed
  False reports
  Time / $$ to confirm issue
React
  Rate of resolution / close
  Total time from detect to begin investigation
  Time / $$ to investigate / resolve issue
  Total time from detect to resolve
  Actual loss per issue
51. Extra Information
52. OCEG Development Process