Compliance 2020 - The Future of GRC Compliance
DESCRIPTION
Ethics & compliance programs would certainly be stronger if organizations had 20/20 hindsight to view issues across their scope, but here is another thought: can you use what you know today to frame what your compliance organization will look like in the year 2020? Both of these concepts - 20/20 hindsight and compliance in the year 2020 - build upon each other. Join Michael Rasmussen, principal analyst with GRC 20/20, who will explore the history of compliance within organizations and how that information can guide future industry growth and importance: where it has been, where it is now, and what it will look like in the year 2020. In particular, he will explore the ways that compliance processes, information and technology will be commonly used in 2020 and how organizations will have greater contextual and situational 20/20 awareness of compliance across the organization. We will tackle how organizations can begin taking advantage today of what we believe will be best practices in 2020 and improve their compliance operations and intelligence now.
Presented by: Michael Rasmussen, Principal Analyst, GRC 20/20; Ed Petry, Ph.D., Vice President, The Ethical Leadership Group
TRANSCRIPT
Compliance 2020
The Future of Ethics & Compliance
January 2013
Michael Rasmussen, J.D., GRCP, OCEG Fellow, CCEP
Chief GRC Pundit
Compliance in the Midst of Transformation
Compliance in the past
Past | Present | 2020 - Future
Most organizations rely on manual ad hoc processes to manage risk and compliance change. This involves individuals who are overwhelmed with information, who fire off emails and manage documents — leading, in varying degrees, to…
Past: The Hydra of compliance inefficiency
• Excessive emails, documents, and paper trails
• Lack of an audit trail
• Limited reporting
• Files and documents out of sync
• Wasted resources and spending
• Poor visibility across the enterprise
• Overwhelming complexity
• Lack of business agility
• Greater exposure and vulnerability
• No accountability
PAST: Too many formats and approaches are inefficient, ineffective, and lack agility
The Winchester Mystery House
• 160 rooms
• 47 fireplaces
• 6 kitchens
• 10,000 windows
• 65 doors to blank walls
• 13 staircases abandoned
• 25 skylights – in floors
• 147 builders/no architects
• Built without a blueprint
• $5.5 million over 38 years
Past: The state of compliance in many organizations: Not Agile, Not Efficient, Not Effective
PAST: Silos lead to greater risk
A non-integrated approach to compliance impacts business performance and how it is managed and executed, resulting in:
o Poor visibility across the enterprise. A reactive approach to GRC leads to siloed initiatives that never see the big picture.
o Redundant and inefficient processes. Silos of GRC lead to redundancy, gaps, and wasted resources.
o Overwhelming complexity. Varying GRC approaches introduce greater complexity to the business environment.
o Lack of business agility. Complexity drives inflexibility - the organization is not agile in the dynamic business environment it operates in.
o Greater exposure and vulnerability. A reactive approach leads to greater exposure and vulnerability.
Compliance Today (a sampling of the requirements, standards, and frameworks in play): OECD, NACD, SEC, NYSE rules, SOX, NASDAQ rules, ALI, Employment & Labor, AS 3806, FSG, Thompson Memo, TIAA-CREF, PCAOB, CalPERS, ISO 9000, 6 Sigma, ERM, COSO ERM, AS 4360, BIS, Baldrige, European Quality, CSR, GRI, AA 1000, SA 8000, ISO: CSR, ISO 14000, Quality, Legal Compliance, Prosecutorial Guidance, Wage & Hour, Workplace Violence, FDA, CII, AS 4269, Government Contracts, Anti-Discrimination, Anti-Harassment, Contingent Workforce, Hiring & Retention, HIPAA, Information Management, Employee Information, GLBA, ISO 17709, CCA & FISCAM, GAO, XBRL, COBIT, NIST, Global Mobility, Whistle-Blowing, Turnbull, AFL-CIO, King II, 21(a) Seaboard, Caremark, ILO Conventions, AICPA SAS 99 & 70, FFIEC, WebTrust, SysTrust, COSO Internal Control, OCC, COCO, CMM, FCPA, OFHEO, Federal Reserve, Human Capital CMM, CISA, HHS Guidance, Abbott Decision, DoD, IIA Guidance, EPA, Anti-Money Laundering, Anti-Trust, Anti-Fraud, USA PATRIOT, DII, IRS & Tax, Competitive Practices, CCGG, SAS 94
Present: Volume & Complexity
• Global Markets & Jurisdictions
• Outsourcing & Extended Enterprise
• M&A
• National, State/Provincial & Local Jurisdictions
Present: Are you focused only on the compliance risks you see?
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof!”
- E.J. Smith, Captain of the Titanic
Present: Pressures Upon Compliance & Ethics
• Governments
• Enforcement Agencies
• Stakeholders
• Younger Generation
• Globalization
• Social Media
• Information Technology
• Common Practices
Present: The pain organizations have expressed
• Inability to gain a clear view of compliance dependencies;
• High cost of consolidating silos of compliance information;
• Difficulty maintaining accurate compliance information;
• Failure to trend across compliance assessment/reporting periods;
• Inability to provide compliance intelligence to support business decisions and strategic planning;
• Redundant approaches limit correlation, comparison and integration of information; and
• Lack of agility to respond timely to changing regulations, laws, and situations.
The Future of Compliance: Year 2020
Future: Focus on Corporate Integrity
• Compliance
• Consistency
• Efficiency
• Effectiveness
• Agility
• Transparency
• Accountability
Future: Needs of Compliance
Future: Technology Benefits
GRC technology delivers actionable and reliable information.
10 Shifts to Compliance Strategy (Compliance 2020)
1. Risk Management
Compliance will have an active seat at the table of risk management.
There will be improved methodologies and implementations for modeling compliance risk across the organization, based on readily accessible information, to target areas of compliance and integrity risk exposure for the organization.
2. Code(s) of Conduct
Employees will have an interactive code environment.
They will be educated on the code through a portal of written, interactive content and resources that includes:
o Training
o Video
o Ability to get answers to questions
o Reporting on the organization's performance against the code.
3. Policy & Procedure Management
Similar to the code, policies will be accessed in a user-friendly environment through a portal aligned with the organization's brand.
Employees will easily be able to find the current policy and read the policy with interactive tools to explain the policy to them.
Policy resources and related forms will be part of the portal.
4. Training
As a result of the interactive policy management portal, learning management and delivery of training will be an integrated part of the portal itself and will not require disconnected platforms to be integrated.
5. Monitoring & Assessment
The compliance department will have removed the shackles of spreadsheets and documents.
A core platform for compliance assessments will provide a single survey and assessment engine.
This relieves the burden on the business by providing a common interface, while allowing compliance to easily report on compliance.
Time spent reconciling documents is freed up for improving corporate integrity.
6. Investigations
The organization will have a single system to record and capture issues, incidents, and events that integrates with hotlines.
Management can readily capture reports made at all levels of the organization.
Investigators will have a core system to manage and record investigations.
As there is one system for managing incidents and investigations, loss information from incidents is easily fed into risk models to improve risk management.
7. Change Management
Compliance will be able to integrate process and technology with information from content providers to rapidly assess changing:
o Risks,
o Regulations, and
o Developments around the world,
and to understand how they impact policy and the integrity of the organization.
When the business changes, such as through mergers and acquisitions, compliance will be able to assess and harmonize policies, controls, and processes, driving efficiency and effectiveness into business change.
8. Mobility
There’s an app for compliance!
Compliance will embrace mobile technology on tablets and other devices.
o Issue reporting will be readily done through mobile devices.
o Tablets will be used to deliver policies, training, and other interactive content to employees – particularly those without desktop workstation access.
o Mobile devices will be used in conducting investigations, audits, and compliance assessments.
o The ability to record pictures and video right into compliance applications will make these processes more efficient and effective.
9. 3rd Party Management
Compliance will more effectively manage and communicate integrity across its business relationships with:
o Vendors,
o Suppliers,
o Outsourcers,
o Contractors,
o Consultants,
o Service providers, and
o Temporary workers.
This enables corporate integrity to be managed throughout the business ecosystem.
10. Metrics & Benchmarking
With an integrated information architecture and external content, the compliance organization will have an optimized infrastructure for:
o Reporting on metrics,
o Trends,
o Benchmarking of compliance to identify how compliance is performing, and
o Alignment with business performance, strategy, and execution.
Future: Compliance Value
EFFECTIVE
• Design Effectiveness – Is the system logically designed to meet legal and other defined requirements?
• Operating Effectiveness – Does the system operate as designed?
EFFICIENT
• Financial Efficiency – How much financial capital is required?
• Human Capital Efficiency – What type and level of individual(s) are required?
RESPONSIVE
• Cycle Time – How much time does it take?
• Adaptability – Can the system adapt to the changing environment, including new requirements/business units?
Questions?
Michael Rasmussen, J.D., GRCP, OCEG Fellow, CCEP
+1.888.365.4560
GRC 20/20 Newsletter
LinkedIn: GRC 20/20
Blog: GRC Pundit
Twitter: GRCPundit
Events: GRC 20/20
LinkedIn: Michael Rasmussen