Compliance 2020: The Future of GRC Compliance

Compliance 2020, The Future of Ethics & Compliance, January 2013. Michael Rasmussen, J.D., GRCP, OCEG Fellow, CCEP, Chief GRC Pundit. 31 slides.

Upload: navex-global

Post on 22-Nov-2014

Category: Business

DESCRIPTION

Ethics & compliance programs would certainly be stronger if organizations had 20/20 hindsight to view issues across their scope, but here is another thought: can you use what you know today to frame what your compliance organization will look like in the year 2020? Both of these concepts, 20/20 hindsight and compliance in the year 2020, build upon each other. Join Michael Rasmussen, principal analyst with GRC 20/20, who will explore the history of compliance within organizations and how that information can guide future industry growth and importance: where it has been, where it is now, and what it will look like in the year 2020. In particular, he will explore the ways that compliance processes, information and technology will be commonly used in 2020 and how organizations will have greater contextual and situational 20/20 awareness of compliance across the organization. We will tackle how organizations can begin taking advantage today of what we believe will be best practices in 2020 and improve their compliance operations and intelligence now.

Presented by:

• Michael Rasmussen, Principal Analyst, GRC 20/20

• Ed Petry, Ph.D., Vice President, The Ethical Leadership Group

TRANSCRIPT

Page 1: Compliance 2020-  The Future of GRC Compliance

Compliance 2020: The Future of Ethics & Compliance, January 2013

Michael Rasmussen, J.D., GRCP, OCEG Fellow, CCEP, Chief GRC Pundit

Page 2: Compliance in the Midst of Transformation

Page 3: Compliance in the Past

(Timeline graphic: Past, Present, 2020 - Future; "Past" highlighted)

Page 4: Past: The Hydra of compliance inefficiency

Most organizations rely on manual, ad hoc processes to manage risk and compliance change. This involves individuals who are overwhelmed with information, who fire off emails and manage documents, leading to, in varying degrees...

Page 5: Past: The Hydra of compliance inefficiency

• Excessive emails, documents, and paper trails

• Lack of an audit trail

• Limited reporting

• Files and documents out of sync

• Wasted resources and spending

• Poor visibility across the enterprise

• Overwhelming complexity

• Lack of business agility

• Greater exposure and vulnerability

• No accountability

Page 6: PAST: Too many formats and approaches are inefficient, ineffective, and lack agility

Page 7: Past: The state of compliance in many organizations

The Winchester Mystery House

• 160 rooms

• 47 fireplaces

• 6 kitchens

• 10,000 windows

• 65 doors to blank walls

• 13 staircases abandoned

• 25 skylights, in floors

• 147 builders, no architects

• Built without a blueprint

• $5.5 million over 38 years

Page 8: PAST: Silos lead to greater risk

(Graphic labels: Not Agile, Not Efficient, Not Effective)

A non-integrated approach to compliance impacts business performance and how it is managed and executed, resulting in:

o Poor visibility across the enterprise. A reactive approach to GRC leads to siloed initiatives that never see the big picture.

o Redundant and inefficient processes. Silos of GRC lead to redundancy, gaps, and wasted resources.

o Overwhelming complexity. Varying GRC approaches introduce greater complexity to the business environment.

o Lack of business agility. Complexity drives inflexibility; the organization is not agile in the dynamic business environment it operates in.

o Greater exposure and vulnerability. A reactive approach leads to greater exposure and vulnerability.

Page 9: Compliance Today

(Timeline graphic: Past, Present, 2020 - Future; "Present" highlighted)

Page 10: Present: Volume & Complexity

(Word cloud of regulations, standards, and guidance:) OECD, NACD, SEC, NYSE rules, SOX, NASDAQ rules, ALI, Employment & Labor, AS 3806, FSG, Thompson Memo, TIAA-CREF, PCAOB, CalPERS, ISO 9000, 6 Sigma, ERM, COSO ERM, AS 4360, BIS, Baldrige, European Quality, CSR, GRI, AA 1000, SA 8000, ISO: CSR, ISO 14000, Quality, Legal Compliance, Prosecutorial Guidance, Wage & Hour, Workplace Violence, FDA, CII, AS 4269, Government Contracts, Anti-Discrimination, Anti-Harassment, Contingent Workforce, Hiring & Retention, HIPAA, Information Management, Employee Information, GLBA, ISO 17799, CCA & FISCAM, GAO, XBRL, COBIT, NIST, Global Mobility, Whistle-Blowing, Turnbull, AFL-CIO, King II, 21(a) Seaboard, Caremark, ILO Conventions, AICPA, SAS 99 & 70, FFIEC, WebTrust, SysTrust, COSO Internal Control, OCC, COCO, CMM, FCPA, OFHEO, Federal Reserve, Human Capital CMM, CISA, HHS Guidance, Abbott Decision, DoD, IIA Guidance, EPA, Anti-Money Laundering, Anti-Trust, Anti-Fraud, USA PATRIOT, DII, IRS & Tax, Competitive Practices, CCGG, SAS 94

Drivers of volume and complexity:

• Global Markets & Jurisdictions

• Outsourcing & Extended Enterprise

• M&A

• National, State/Provincial & Local Jurisdictions

Page 11: Present: Are you focused only on the compliance risks you see?

"Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!"

E.J. Smith, Captain of the Titanic

Page 12: Present: Pressures Upon Compliance

Pressures on Compliance & Ethics:

• Governments

• Enforcement Agencies

• Stakeholders

• Younger Generation

• Globalization

• Social Media

• Information Technology

• Common Practices

Page 13: Present: The pain organizations have expressed

• Inability to gain a clear view of compliance dependencies;

• High cost of consolidating silos of compliance information;

• Difficulty maintaining accurate compliance information;

• Failure to trend across compliance assessment / reporting periods;

Page 14: Present: The pain organizations have expressed (continued)

• Inability to provide compliance intelligence to support business decisions and strategic planning;

• Redundant approaches limit correlation, comparison and integration of information; and

• Lack of agility to respond in a timely way to changing regulations, laws, and situations.

Page 15: The Future of Compliance: Year 2020

(Timeline graphic: Past, Present, 2020 - Future; "2020 - Future" highlighted)

Page 16: Future: Focus on Corporate Integrity

Page 17: Future: Needs of Compliance

• Compliance

• Consistency

• Efficiency

• Effectiveness

• Agility

• Transparency

• Accountability

Page 18: GRC technology delivers actionable and reliable information

Page 19: Future: Technology Benefits

Page 20: 10 Shifts to Compliance Strategy (Compliance 2020), 1 of 10: Risk Management

Compliance will have an active seat at the table of risk management.

There will be improved methodologies and implementations for modeling compliance risk across the organization, based on information that is readily accessible, to target areas of risk exposure for compliance and integrity to the organization.

Page 21: 10 Shifts to Compliance Strategy (Compliance 2020), 2 of 10: Code(s) of Conduct

Employees will have an interactive code environment.

They will be educated on the code through a portal of written, interactive content, and resources that includes:

o Training

o Video

o Ability to get answers to questions

o Reporting on the organization's performance against the code.

Page 22: 10 Shifts to Compliance Strategy (Compliance 2020), 3 of 10: Policy & Procedure Management

Similar to the code, policies will be accessed in a user-friendly environment through a portal aligned with the organization's brand.

Employees will easily be able to find the current policy and read it, with interactive tools to explain the policy to them.

Policy resources and related forms will be part of the portal.

Page 23: 10 Shifts to Compliance Strategy (Compliance 2020), 4 of 10: Training

As a result of the interactive policy management portal, learning management and delivery of training will be an integrated part of the portal itself and will not require disconnected platforms to be integrated.

Page 24: 10 Shifts to Compliance Strategy (Compliance 2020), 5 of 10: Monitoring & Assessment

The compliance department will have removed the shackles of spreadsheets and documents.

There will be a core platform for compliance assessments with a single survey and assessment engine.

This relieves the burden on the business by providing a common interface, while allowing compliance to easily report on compliance.

Time spent reconciling documents is freed up for improving corporate integrity.

Page 25: 10 Shifts to Compliance Strategy (Compliance 2020), 6 of 10: Investigations

The organization will have a single system to record and capture issues, incidents, and events that integrates with hotlines.

Management can readily capture reports made at all levels of the organization.

Investigators will have a core system to manage and record investigations.

As there is one system for managing incidents and investigations, loss information from incidents is easily fed into risk models to improve risk management.

Page 26: 10 Shifts to Compliance Strategy (Compliance 2020), 7 of 10: Change Management

Compliance will be able to integrate process and technology with information from content providers to rapidly assess changing:

o Risks,

o Regulations,

o Developments around the world, and

o Understand how they impact policy and the integrity of the organization.

When the business changes, such as through mergers and acquisitions, compliance will be able to assess and harmonize policies, controls, and processes, driving efficiency and effectiveness into business change.

Page 27: 10 Shifts to Compliance Strategy (Compliance 2020), 8 of 10: Mobility

There's an app for compliance!

Compliance will embrace mobile technology on tablets and other devices.

o Issue reporting will be readily done through mobile devices.

o Tablets will be used to deliver policies, training, and other interactive content to employees, particularly those without desktop workstation access.

o Mobile devices will be used in conducting investigations, audits, and compliance assessments.

o The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.

Page 28: 10 Shifts to Compliance Strategy (Compliance 2020), 9 of 10: 3rd Party Management

Compliance will more effectively manage and communicate integrity across its business relationships with:

o Vendors,

o Suppliers,

o Outsourcers,

o Contractors,

o Consultants,

o Service providers, and

o Temporary workers.

This enables corporate integrity to be managed throughout the business ecosystem.

Page 29: 10 Shifts to Compliance Strategy (Compliance 2020), 10 of 10: Metrics & Benchmarking

With an integrated information architecture and external content, the compliance organization will have an optimized infrastructure to:

o Report on metrics,

o Report on trends,

o Benchmark compliance to identify how compliance is performing, and

o Align with business performance, strategy, and execution.

Page 30: Future: Compliance Value

EFFECTIVE

• Design Effectiveness: Is the system logically designed to meet legal and other defined requirements?

• Operating Effectiveness: Does the system operate as designed?

EFFICIENT

• Financial Efficiency: How much financial capital is required?

• Human Capital Efficiency: What type and level of individual(s) are required?

RESPONSIVE

• Cycle Time: How much time does it take?

• Adaptability: Can the system adapt to the changing environment, including new requirements / business units?

Page 31: Questions?

Michael Rasmussen, J.D., GRCP, OCEG Fellow, CCEP

[email protected]

+1.888.365.4560

GRC 20/20 Newsletter

LinkedIn: GRC 20/20

Blog: GRC Pundit

Twitter: GRCPundit

Events: GRC 20/20

LinkedIn: Michael Rasmussen