

  1. GRC & Measurement. Scott L. Mitchell, CEO, Open Compliance & Ethics Group (OCEG). smitchell@oceg.org

  2. Objectives • Demonstrate to the Board that the company's GRC initiatives are delivering outcomes that really matter to the business. • Explore a standardized framework for consistently evaluating and communicating the performance of a corporate GRC program. • Acquire and apply performance metrics, measurements, and relevant indicators that have been successfully applied to GRC programs worldwide. • Evaluate step-by-step examples of best practices from diverse organizations that are optimizing the performance of their GRC programs. • Assess whether or not the money their company initially allocated for a compliance mandate or adverse audit has been, and continues to be, well spent. • Measure the true value and cost of their compliance initiatives. • WORLD PEACE (c) OCEG

  3. Our PURPOSE OCEG is a nonprofit think tank that helps organizations drive principled performance® by providing standards, frameworks and resources that help to enhance corporate culture and improve corporate governance, risk management, internal control and compliance (GRC) capabilities. Community • Interdisciplinary, Cross-Industry • Benchmarking • Education, Webinars and Events Content • Standards & Guidelines (technical, process, content) • Repositories of Laws, Regulations and Related Standards • Media, Research and other Resources Certification • Individuals • Entire Programs or Components of a Program • Solutions, Products and Services Over 19,000 members in the OCEG Community

  4. Charter & Leadership Council Members 19,000+ individuals and growing

  5. OCEG Resources CAWORLD2008

  6. Agenda: 1 Key Concepts; 2 Measurement; 3 Best Practices; Q&A

  7. My Perspective • Audit / Tax • Systems Integration / Technology • Venture Capital / Board Member

  8. Agenda: 1 Key Concepts; 2 Measurement; 3 Best Practices; Q&A

  9. Big Picture. MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OBJECTIVES: strategic, operational, customer, process, compliance objectives. BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives. Along the way: OBSTACLES and OPPORTUNITIES.

  10. The Bottom Line: an organization must clearly define WHAT it will achieve and how it will CREATE VALUE while addressing UNCERTAINTY, PROTECTING VALUE and staying within BOUNDARIES. Principled Performance®

  11. Integrated GRC PRINCIPLED PERFORMANCE requires the integration of a number of processes, most notably Governance, Risk Management & Compliance GRC

  12. Definitions. Governance is the collection of internal and external policies, structures, activities, information, and the underlying culture that allocates power between stakeholders to objectively direct and control an organization. Risk is the estimated likelihood, impact and timing of an event that could, at least in part, adversely affect objectives. Risk Management is a primarily strategic activity designed to identify and optimize the way an organization addresses risk. Compliance is the act of adhering to, and ability to demonstrate adherence to, requirements defined by external laws and regulations as well as contracts, internal policies and other voluntary commitments.

  13. GRC Defined System of people, processes and technology that enables an organization to: • Understand and prioritize stakeholder expectations; • Optimize business objectives to be aligned with values and risks; • Achieve objectives and enhance value while addressing risks and protecting value; • Operate within legal, contractual, internal, social and ethical boundaries; • Provide relevant, reliable and timely information to appropriate stakeholders; and • Provide assurance that the system is effective.

  14. Big Picture. MANDATED BOUNDARY: boundary established by external forces including laws, government regulation and other mandates. VOLUNTARY BOUNDARY: boundary defined by management including public commitments, organizational values, contractual obligations, and other voluntary policies. OBJECTIVES: strategic, operational, customer, process, compliance objectives. BUSINESS MODEL: strategy, people, process, technology and infrastructure in place to drive toward objectives. Along the way: OBSTACLES and OPPORTUNITIES.

  15. Criticism… Governance, Risk, Compliance & Ethics are the departments of NO

  16. …Response Not every enterprise would describe itself as a “fast car,” however, most organizations want to drive toward objectives – while avoiding bumps in the road. FASTEST CARS have (should have) the BEST BRAKES

  17. Principled Performance & GRC Far from being a drag on the business, a high-performing and “lean” approach to GRC delivers a number of key business outcomes • 1. Accelerates risk-intelligent decisions • 2. Optimizes overall risk profile • 3. Reduces system costs

  18. WHY NOW?

  19. More Important Than Ever Before • Increased Shareholder Demands • Increased Volume & Complexity & Volatility • High Costs • Of “Siloed” Approach • Of Poor Information Quality • Of Getting it Wrong These challenges necessitate that we approach governance, risk, compliance and ethics in a robust and integrated way

  20. Demanding Shareholders (Stakeholders) • Shareholders • Regulators • Customers • Employees • Partners & Suppliers • Media • NGOs & Watchdogs • Competitors • Community. Who’s: to whom is the organization accountable? What’s: financial results; non-financial results and intangibles; insight into strategy and risks. How’s: insight into operations and “how” business is conducted.

  21. Volume & Complexity Quality European Quality ISO14000 GRI CSR ISO: CSR OCC FCPA BIS ERM Human Capital CMM SA 8000 AA 1000 Environmental Federal Reserve OFEHO COSO ERM ISO 9000 Baldrige AS 4360 6 Sigma CMM CISA IIA Guidance EPA Anti- Money Laundering FFIEC COBIT ISO 17709 GLBA King II CCGG Anti-Trust Anti-Fraud USA PATRIOT DII WebTrust SysTrust NIST Employee Information Information Management IRS & Tax Competitive Practices Global Mobility DoD TIAA CREFF AFL-CIO COCO GAO XBRL HIPAA Turnbull SAS 94 COSO Internal Control Whistle- Blowing Hiring & Retention ILO Conventions CCA & FISCAM Government Contracts FDA TIAA CREFF NYSE rules NASDAQ rules HHS Guidance NACD CalPERS AICPA SAS 99 & 70 Contingent Workforce Anti- Harassment AS 4269 AS 3806 SOX OECD ALI CII PCAOB Workplace Violence Wage & Hour Abbott Decision Thompson Memo FSG Governance BRT Anti- Discrimination Prosecutorial Guidance Conference Board SEC 21(a) Seaboard Employment & Labor Caremark Legal Compliance

  22. Volume & Complexity Quality European Quality ISO14000 GRI CSR ISO: CSR OCC FCPA BIS ERM $1.1 Trillion just to comply with regulations (Compliance with US Federal Regulations) Over 73,000 pages in the U.S. Federal Register (CFR is 25 linear feet; USCA is 55 linear feet) Human Capital CMM SA 8000 AA 1000 ISO: CSR Federal Reserve OFEHO COSO ERM ISO9000 Baldrige AS 4360 6 Sigma CMM CISA IIA Guidance EPA Anti- Money Laundering FFIEC COBIT ISO 17709 GLBA King II CCGG Anti-Trust Anti-Fraud USA PATRIOT DII WebTrust SysTrust NIST Employee Information Information Management IRS & Tax Competitive Practices Global Mobility DoD TIAA CREFF AFL-CIO COCO GAO XBRL HIPAA 4,000+ rules in the pipeline (US Unified Agenda, 2005) Turnbull SAS 94 COSO Internal Control Whistle- Blowing Hiring & Retention ILO Conventions CCA & FISCAM Government Contracts FDA TIAA CREFF NYSE rules NASDAQ rules HHS Guidance NACD CalPERS AICPA SAS 99 & 70 Contingent Workforce Anti- Harassment AS 4269 AS 3806 SOX OECD ALI CII PCAOB Workplace Violence Wage & Hour Abbott Decision Thompson Memo FSG Governance BRT Anti- Discrimination Prosecutorial Guidance Conference Board SEC 21(a) Seaboard Employment & Labor Caremark Legal Compliance

  23. Volume & Complexity Quality European Quality ISO14000 GRI CSR ISO: CSR OCC FCPA BIS ERM $1.1 Trillion just to comply with regulations (Compliance with US Federal Regulations) Over 73,000 pages in the U.S. Federal Register (CFR is 25 linear feet; USCA is 55 linear feet) State & Local Jurisdictions Human Capital CMM SA 8000 AA 1000 ISO: CSR Federal Reserve OFEHO COSO ERM ISO9000 Baldrige AS 4360 6 Sigma CMM CISA IIA Guidance EPA Anti- Money Laundering FFIEC COBIT ISO 17709 GLBA King II CCGG Anti-Trust Anti-Fraud USA PATRIOT DII WebTrust SysTrust NIST Employee Information Information Management Global Markets & Jurisdictions Outsourcing & Extended Enterprise IRS & Tax Competitive Practices Global Mobility DoD TIAA CREFF AFL-CIO COCO GAO XBRL HIPAA 4,000+ rules in the pipeline (US Unified Agenda, 2005) Turnbull SAS 94 COSO Internal Control Whistle- Blowing Hiring & Retention ILO Conventions CCA & FISCAM Government Contracts FDA TIAA CREFF M&A NYSE rules NASDAQ rules HHS Guidance NACD CalPERS AICPA SAS 99 & 70 Contingent Workforce Anti- Harassment AS 4269 AS 3806 SOX OECD ALI CII PCAOB Workplace Violence Wage & Hour Abbott Decision Thompson Memo FSG Governance BRT Anti- Discrimination Prosecutorial Guidance Conference Board SEC 21(a) Seaboard Employment & Labor Caremark Legal Compliance

  24. High Costs…

  25. High Costs… • High Costs of Silos • High Costs of Poor Information Quality A B C D E 80% of meaning can get LOST IN TRANSLATION

  26. Single Version of the Truth

  27. High Costs… • High Costs of Silos • High Costs of Poor Information Quality • High Costs of Getting it Wrong • Financial • Business Interruption • Workforce Productivity (both executive and non-executive) • Reputation • Other consequences … up to and including jail time

  28. Transformational Opportunity Current State • Managed in silos • Reactive • Project or program approach • Separate from mainstream processes and decision-making • People used as middleware • Fragmented use of technology Future State • Enterprise approach • Proactive • Systematic approach • Embedded within mainstream processes and decision-making • Information managed • Architected solutions

  29. GRC “Backbone” OPERATIONAL RISK COMPLIANCE RISK ECONOMIC RISK STRATEGIC RISK “Backbone” of People, Process, Technology & Content

  30. GRC “Backbone”. Compliance risk areas (apply to most organizations): governance; intellectual property; international dealings; competitive practices; product quality & safety; government dealings; financial assurance / anti-fraud; employment / labor; anti-corruption; information management; environmental; …and so on. Industry specifics (e.g., financial services): AML; GLBA; BSA; USA PATRIOT; …and so on. “Backbone” of People, Process, Technology & Content

  31. Governance Corporate Governance National Law Functional Governance Frameworks AS8000 series Risk COSO ERM AS/NZS 4360:2004 ISO 31000 BSI 31100 A Risk Management Standard (IRM, ALARM) RMA - Financial S&P Risk Ranking Methodology Compliance U.S. Federal Sentencing Guidelines Various regulatory frameworks and guidance AS3806 (compliance); AS4269 (hotline) Audit / Internal Control COSO Internal Control CoCo; Turnbull/Cadbury PCAOB Standards Ethics & Culture Various CSR frameworks (AA1000, SA8000, etc.) Social Psychology / Behavioral Economics Quality ISO 9000 series; ISO 14000 series Lean / Six Sigma Many Disciplines and Requirements Influence the “Backbone” Translate Integrate Simplify

  32. Governance Corporate Governance National Law Functional Governance Frameworks AS8000 series Risk COSO ERM AS/NZS 4360:2004 ISO 31000 BSI 31100 A Risk Management Standard (IRM, ALARM) RMA - Financial S&P Risk Ranking Methodology Compliance U.S. Federal Sentencing Guidelines Various regulatory frameworks and guidance AS3806 (compliance); AS4269 (hotline) Audit / Internal Control COSO Internal Control CoCo; Turnbull/Cadbury PCAOB Standards Ethics & Culture Various CSR frameworks (AA1000, SA8000, etc.) Social Psychology / Behavioral Economics Quality ISO 9000 series; ISO 14000 series Lean / Six Sigma Multiple Disciplines and Requirements 75% Overlap Translate Integrate Simplify

  33. Governance Corporate Governance National Law Functional Governance Frameworks AS8000 series Risk COSO ERM AS/NZS 4360:2004 ISO 31000 BSI 31100 A Risk Management Standard (IRM, ALARM) RMA - Financial S&P Risk Ranking Methodology Compliance U.S. Federal Sentencing Guidelines Various regulatory frameworks and guidance AS3806 (compliance); AS4269 (hotline) Audit / Internal Control COSO Internal Control CoCo; Turnbull/Cadbury PCAOB Standards Ethics & Culture Various CSR frameworks (AA1000, SA8000, etc.) Social Psychology / Behavioral Economics Quality ISO 9000 series; ISO 14000 series Lean / Six Sigma Many Disciplines and Requirements Influence the “Backbone” Translate Integrate Simplify Practical & Actionable Guidance

  34. GRC Capability Model: High Level View. 8 INTEGRATED COMPONENTS: CULTURE & CONTEXT; ORGANIZE & OVERSEE; ASSESS & ALIGN; PREVENT & PROMOTE; DETECT & DISCERN; RESPOND & RESOLVE; MONITOR & MEASURE; INFORM & INTEGRATE. 8 UNIVERSAL OUTCOMES: Achieve Business Objectives; Enhance Organizational Culture; Increase Stakeholder Confidence; Prepare & Protect the Organization; Prevent, Detect & Reduce Adversity; Motivate & Inspire Desired Conduct; Improve Responsiveness & Efficiency; Optimize Economic & Social Value.

  35. FINE… …but I am only responsible for one of those …and I have some tough problems to solve …I can’t solve everyone’s problems!

  36. OPPORTUNITY

  37. Remember • Principled Performance is the new Performance • Fastest Cars have (need) the Best Brakes • Organizational and Personal Opportunity

  38. Agenda: 1 Key Concepts; 2 Measurement; 3 Best Practices; Q&A

  39. Evaluating Effectiveness

  40. WHY MEASURE?

  41. Why Measure? • Improve Performance & Create Value: because we want to understand the effectiveness of our program and make adjustments to create value for the organization. • Send a Serious Message: because robust measurement sends a message to employees and other stakeholders that we are serious about achieving the goals of the program. • Improve Capital Allocation: because we need to understand where to focus and invest our limited financial and human capital. • Secure Long Term Support: because any program that is unable to justify its value to the organization is unlikely to be adequately supported in the long term. • What Gets Measured Gets Done! Because measurement drives performance: “what gets measured gets done!”

  42. Wag… WAG the DOG

  43. Measurement Effectiveness Performance • Effectiveness is a term of art • Design Effectiveness • Operating Effectiveness • We want to keep it that way! • The law does not demand anything beyond effectiveness – BUT shareholders (stakeholders) expect more!

  44. High-Performance: ACTIVITIES that are RESPONSIVE, EFFICIENT and EFFECTIVE drive OUTCOMES

  45. Who Wants to Know What? • External Stakeholders • Government • Investors • Internal Stakeholders • Board • C-Suite (CEO, CFO, etc.) • Business Line Executives • Risk Executive • Compliance Executive • Internal Audit

  46. OBJECTIVES & OUTCOMES

  47. Define: Enterprise Objectives. Every ORGANIZATION is Unique, and will strive to achieve Unique Objectives…however

  48. Define: Enterprise Objectives. BUSINESS OUTCOMES & OBJECTIVES: growth; profitability; return; total return; spread; future value. KEY PERFORMANCE DRIVERS: productivity; quality; customers; innovation; workforce; brand.

  49. Define: Program Objectives / Outcomes. Every PROGRAM is Unique, and will strive to achieve Unique Objectives…however

  50. Measurable Outcomes: Enhance Culture; Increase Stakeholder Confidence; Prepare & Protect the Organization; Prevent, Detect and Reduce the Impact of Adversity; Motivate & Inspire Desired Conduct & Events; Optimize Economic & Social Value; Improve Process Excellence
