
MetricStream Webinar

January 31, 2013

Presentation by Wilma Wallace

VP Deputy General Counsel, Gap Inc.


Specialty retailer headquartered in San Francisco

Founded in 1969

Sells apparel clothing, shoes, accessories and personal care products under the Gap, Banana Republic, Old Navy, Athleta brands; Piperlime and our newly acquired company, Intermix

Sells through traditional retail and outlet stores, and through our web sites

More than 3,200 retail store locations in the U.S., Canada, the U.K., France, Japan, China and Italy

More than 145,000 employees

Franchise operations in more than 40 countries

Sourcing operations in more than 43 sourcing countries across the globe, including China and South East Asia.


Defining Scope and Objectives of Corporate Compliance Programs

Designing a Corporate Compliance Program: Organizational Structure

Adopting a Risk Based Approach to Compliance

Due Diligence and Anti-Corruption Programs

Reflections on Effective Compliance Training and Communications

1. A Written Program. The organization must have standards and procedures to prevent and detect criminal conduct.

2. Board Oversight. The organization’s board of directors must be knowledgeable about the content and operation of the compliance program and must exercise reasonable oversight of its effectiveness.

3. Responsible Persons. One individual among the organization's high-level personnel must be assigned overall responsibility for the compliance program.

4. Operating and Reporting. One or more individuals must be delegated day-to-day operational responsibility for the compliance program. They must report periodically to high-level personnel and, as appropriate, to the board of directors or its audit committee on the effectiveness of the program.

5. Management's Record of Compliance. The organization must use reasonable efforts not to hire personnel who have substantial authority and whom the organization knows or should know through the exercise of due diligence have engaged in illegal activities.

6. Communicating and Training. The organization must take reasonable steps to communicate periodically in a practical manner its standards of compliance to directors, officers, executives, managers, employees and agents -- by conducting effective training programs and otherwise disseminating information appropriate to the individuals’ respective roles and responsibilities.

7. Monitoring and Evaluating; Anonymous Reporting. The organization must take reasonable steps to (a) ensure its compliance program is followed, including auditing to detect criminal conduct, (b) evaluate periodically program effectiveness and (c) publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report criminal conduct without fear of retaliation.

8. Consistent Enforcement -- Incentives and Discipline. The organization’s compliance program must be promoted and enforced consistently through appropriate (a) incentives to perform and (b) disciplinary measures for engaging in criminal conduct or failing to prevent it.

9. The Right Response. After criminal conduct has been detected, the organization must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance program.

10. Assessing the Risk. The organization must periodically assess the risk of criminal conduct and take appropriate steps to modify its compliance program to reduce the risk of criminal conduct identified through this process.

The Elements of An Effective Compliance Program

The U.S. Sentencing Guidelines establish the bar for determining the effectiveness of an organization's compliance program.

“Compliance programs should be designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”

U.S. Principles of Federal Prosecution of Business Organizations


Board Oversight: Audit & Finance Committee is responsible for ensuring an effective compliance program. 2x Annual reporting on the program elements to the Board. Annual reporting on legal and compliance risks by General Counsel.

Senior Management Corporate Compliance Committee meets quarterly.

Chief Compliance Officer and General Counsel:

Executive management accountability for program effectiveness.

Direct oversight: Corruption, Employment and Labor; Insider Trading, Anti-Trust, Data-Privacy/Security.

Indirect oversight: Fraud, Product Safety Compliance, Import Compliance, Environmental Compliance, Political Contribution Compliance, Vendor Compliance

Gap Inc.’s Compliance Structure: A Collaborative Federated Model


Global Integrity & Compliance Team:

Day to Day Responsibility for Program Effectiveness: Deputy General Counsel, VP; Associate General Counsel; Manager of Operations; Manager of Employee Engagement; Data Analyst

Legal Team: Provide subject matter expertise (corruption and bribery, privacy); Audits; Investigations; Global Coverage

Internal Audit: Audits; Investigations

Gap Inc.’s Compliance Structure: A Collaborative Federated Model

Conduct regular risk assessments

Informal and Formal (Enterprise Risk Assessments, 3rd party Audits)

Internal Audit

Internal systems audits; Program effectiveness

Reporting Mechanisms

Compliance Committees

Board and Management Oversight

Enforcement, Business and Sector Trends


Identify your risks but keep it simple. Develop a program that is responsive to your risks. Establish a process to evaluate new risks.

1. Fraud

2. Corruption

3. Employment/Labor

4. Data Privacy/Security

5. Product Safety

6. Insider Trading

7. Import Compliance

8. Anti-Trust

9. Environmental Compliance

10. Political Contribution Compliance

11. Vendor Compliance*

Step 1: Evaluate your Inherent Risk for a Fortune 100 U.S. based Global Apparel Retailer of X size and X complexity.

Step 2: Evaluate your organization’s Residual Risk.

To Be Determined by You

Companies may be held responsible for the improper conduct of third parties acting on their behalf.

3rd Parties could include: Agents (marketing, real estate); Consultants; Lobbyists; Exporters; Contractors/subcontractors; Lawyers

Develop a Due Diligence Program that meets your risk (geographical scope, services provided).

Conduct Due Diligence: Questionnaire; Reputation, business history, past and present clients; Relationship with government officials; Consider a 3rd party to conduct due diligence; Establish approval or rejection process; Consider annual certification; Update due diligence process

Other elements to an Anti-Corruption program

Written contracts with agents and consultants; Audit rights; Withdrawal or termination rights; Controls around approval of sub-contractors; Periodic communications to 3rd parties stating expectations of compliance; Review expense records of high risk groups (Government Relations)

Know Who You Do Business With and Who You Shouldn’t

One Size Does Not Fit All

Regular communications by leadership and management.

Comprehensive and alternative training

On-line

Live

Interactive

Email

Web-portals or Blogs

Videos

Refresher training

Board Education


One Size Does Not Fit All

Leverage Enterprise Risk Assessments

Identify external and internal risk trends

Recognize cultural and language differences

Target training for appropriate employee groups

Create engaging e-learning: Interactive format

Relevant examples for target audience

Be creative and fun

Manage company’s “gulp” rate and your budget; Maximize each course

Use informal communications


© 2013 MetricStream, Inc. All Rights Reserved.

Ethics & Corporate Compliance Programs- Creating Business Value

January 31, 2013

Keri Dawson, VP of ComplianceOnline Advisory Services

MetricStream


Corporate Compliance - Establish Scope, Roles and Responsibilities

Meeting Regulatory Requirements

Training Partners and Other Stakeholders

Certifications with regard to business practices

Auditing Partner/Supplier Business processes and practices

Performing Impact Analysis/Risk Assessments

A Complex Situation – Maintaining Independence Vs Providing Access

Have a Complete View to include Compliance Program Status of Third Parties/Partners

Components of Corporate Compliance Programs

• Policy Management

– Create, manage and communicate various policies

• Risk Management

– Risk Identification

– Risk Assessment

– Risk scoring and rating

– Risk Mitigation

• Compliance Management

– Compliance Regulations

– Create and Manage Controls

– Compliance Assessments

– Certifications

• Audit Management

– Audit Planning and Scheduling

– Audit Check list

– Issue & Remediation & Reporting

• Training Management

– Department specific

– Geography specific

– Regulation Specific

– Evaluate training effectiveness

• Issue & Corrective / Preventive Actions

– Centralize management of issues, corrective and preventive actions

• Real-time Reporting and dashboards

MetricStream GRC - Integrated approach to Corporate Compliance


Adopt Risk-based Approach to Compliance & Audit

Diagram labels: Library of Risks; Risk Factors; Inherent Risks; Controls; Residual Risk; Ranking of Risks; Risk Scoping (Location/Division, Statutory Group, Product Line, Commodity Group); What-If Analysis; Risk Mitigation (3rd Party Testing, Internal Audit); Compliance Strategy

Example risks: Bribery; Criminal Misconduct; Policy Gaps; Value of business with governmental entities and other high risk organizations; Use of agents and other intermediaries

Monitor Regulatory Updates

Alert Channels: Email; RSS; Infolet; Database; Forms & Reports

Structured Content Channels: Subscriptions; Data Feeds

Regulatory areas: Global Trade compliance; SOX; IFRS; EPA Retail; OSHA; CPSIA; EH&S

Diagram flow: Channels; Alerts; Review Alerts (Title, Body, Attachments); Notify Users; Review Alerts & Trigger Issues; Issues

Regulatory Change Management

• Update policy and compliance activities

• Impact analysis and mapping

• Triggering assessments, policy updates

Automate Corporate Compliance Programs

Policy and Procedures: Creation, Distribution, Attestation

Chief Ethics & Compliance Officer: Tone from the Top

Risk Assessment: Qualitative and Quantitative

Compliance Management: Control Libraries, Testing

Audit Management

Incident Management and Corrective Action

Training Program Management

Enforce Policies for Effective Compliance

Creation, Review, Approve, Organize

Awareness and Training

Tracking and Visibility

Policies related to:

-Gift Policy

-Code of vendor conduct

-Employee Conduct

Mapping to Compliance and Controls

Alerts and Notifications

Certification and Self Assessments

Map Policies to Areas of Compliance

• Create new policies or changes to existing policies

• Map policies to appropriate compliance requirements

• Collaborate with multiple teams for comments, annotations, review and approval

• Implement training & communication plan

• Capture evidence that employees and external vendors have read/accepted policies

Diagram labels: Policies; Areas of Compliance

Compliance Risk Management & Assessment

Diagram labels: Start; Risk Identification; Risk Analysis; Risk Evaluation; Issues and Actions; Reports & Dashboards; Executive Program Management

Manage a Centralized Compliance Repository

• Establish common framework for multiple compliance requirements

– Organization specific compliance requirements

– Cross-industry mandates and regulation

– Corruption

– Employment and Labor

– Insider Trading

– Anti-Trust

– Data-Privacy/Security

– Fraud

– Product Safety Compliance

– Import Compliance

– Environmental Compliance

– Political Contribution Compliance

– Vendor Compliance

Diagram labels: Regulatory Intelligence; Program Management; Compliance Documentation; Assessments; Issue /Remediation; Surveys

Create and Map Controls for Compliance

• Control Harmonization

– Standardize controls

• Control monitoring and enforcement

– Assessments

– Tests

– Audits

– Surveys

• Compliance monitoring and reporting

– Including regulatory submissions

Manage Assessments & Certifications

• Standardize self-assessments

– Common taxonomies

– Evaluation criteria

– Central data repository

– Surveys

– Certifications

• Enable each business and functional area to manage their own

– Compliance activities

– Facilitate control effectiveness monitoring

– Management reporting

Compliance Audit Management

Diagram labels: Start; User Homepage; Risk Assessments and Scoping; Planning & Scheduling; Audit Fieldwork (Auditing Controls, High-risk processes); Work Paper Review & Completion; Final Audit Report; Audit Remediation; Control Improvement Recommendations

Training Program Management

Diagram labels: Assigning Courses to Employees; Initiate Training; Report Course Completion; Creating Questionnaire; Administering Tests; Reports - Training Gap; Creating and Assigning Competency; Certification

Training Objective: Understanding Compliance and Ethics related Policies; Potential Red Flags; Reporting and Escalation Mechanism

Training Scope: Employees; 3rd Party Training; Training for Employees at risk

Training Status: Reports – Training Medium, Gaps, Trained-Untrained Employee Breakout

Automate & Manage Training Programs

• Monitor employee training, policy, case history

• Automate Training Request, Approvals

• Manage training history & certification details

Integrate with Case / Incident Management

Common data set for managing Issues & Actions: Risk Management; Compliance Management; Business Operations; Audit Management

Monitoring Issues & Actions: Root Cause analysis; Track Issues to closure

Diagram labels: Risk; Control; Schedule; Regulations; Process; Rules; Planning; Work-Papers; Findings; Projects; Technical; Business

Manage Incidents Effectively

• Establish closed-loop process

• Automate and Manage entire lifecycle

– Capture Incidents

– Analyze, Validate, Assign

– Investigate / Root Cause Analysis

– Remedial Action

– Approve & Close

• Manage central repository of incidents and remediation

Evaluate Effectiveness of Corporate Compliance Programs

Prevent: Training Program Effectiveness; Policy Certification

Detect: Performance of Controls; KPI/KRI Breach; Risk Assessments; Audit Results

Respond: On-time Remediation mechanism; Resource and Time Management

Use Case - Anti-Bribery

Prevent / Detect / Respond

• Training

• Policies and Procedures

• Program Communication

• Risk Assessment

• Performing Internal Audits

• Defining and strengthening Controls

• Effective lines of communication

• Global Case Tracking

• Monitor Effectiveness

Tone from the Top

Compliance Helpdesk (Global Ombudsman)

MetricStream Solution

Case Study: Fortune 500 Retail Chain

• HR Compliance:

– Duties Survey

– HR Compliance Training & Certification

– Audit

– Annual audit survey

– Store visits

• Legal/Risk:

– Product Recall

– Labeling Compliance

• Privacy:

– Privacy Policy Compliance Review

– Annual Compliance Review

– Privacy Policy Changes

– International Privacy Program

– Privacy Incident Response Program

– Privacy Impact Assessment

• Diversity Affairs:

– Sexual Harassment Education

– Signage


Selected Case Studies

Premium golf clubs and equipment brand

• Global component suppliers and assembly facilities in East Asia

• Solution automatically tracks and inspects SKUs, calculates Cpks every 2 hours

Merchandise division of Multi-national mass media & Entertainment Company

• Supplier Audit Management, Monitor Licensees and Vendors to ensure review of the CAP with the Facility

• Implementation of a corrective action plan and prompt remedy to any compliance violations identified in the Audit

• Vendor/Licensee qualification, annual re-qualification, contract management, maintain registration information and third party audits

One of the Largest Computer hardware, software and consumer electronics companies

• Supplier, Product and Social Compliance Assessments and Audits for supplier base

• Recording, investigation, remediation and action tracking of incidents, findings, or suspected violations of the law, code of conduct and company policies

• Corporate Social Responsibility & Sustainability Performance Management across 100,000 suppliers

Selected Case Studies

Largest retailer and distributor of construction and maintenance products

• More than 50,000 suppliers

• Vendor Information Management, on-boarding, evaluation, RFQ, auditing, selection

• Central repository for supplier governance, performance management

Largest Retail Chain in South Africa

• Over 6,000 suppliers

• Supplier registration process, approval and acceptance, rejection capabilities

• Extending Supplier Management to the ‘Good Business Journey’ initiative

One of the Largest Fashion Retailers

• Integrated framework to streamline corporate compliance

• Over 15 different areas covered including Social, HR, Privacy, Legal, IT

• Leveraging configurability to model a wide range of processes on the same platform

Fortune 500 Department Store chain

• Social Compliance & Sustainability Solution – Vendor Management, Policy & Compliance, Audit and Issue & CAPA Management, Vendor Partner Certification

• Facilitate factory inspection, track factory social compliance results

About MetricStream

Vision: Integrated Governance, Risk and Compliance for Better Business Performance

Organization

• Over 1,000 employees

• Headquarters in Palo Alto, California with offices worldwide

• Over 300 enterprise customers

• Privately held – backed by leading global VCs

Solutions

• Governance & Ethics

• Risk Management

• Compliance Management

• Audit Management

• Legal GRC

• Supplier Governance

• Quality Management

• EHS & Sustainability

• IT-GRC

• Content and Training

Partners

Differentiators

• Technology - GRC Platform – 9 Patents

• Breadth of Solutions – Single Vendor for all GRC needs

• Cross-industry Best Practices and Domain Knowledge

• ComplianceOnline.com - Largest Compliance Portal on the Web

GRC Solution Footprint

Governance and Ethics: Corporate Ethics; Code of Conduct; Contract Compliance; Board & Entity Management; Performance Management

Risk Management: Enterprise Risk; Operations Risk; Vendor Risks; Risk-Control Assessments; Loss Management; Heat maps, KRI; Scenario Analysis

Compliance Management: Policy Compliance; Regulatory Content; Financial/Internal Controls; IT Compliance; Industry Compliance - FINRA, FFIEC, FERC, NERC, FDA, HIPAA, CMS…

Audit Management: Internal Audit; Operational Audits; Quality, Safety Audits; Vendor Audits; Financial & SOX Audits; IT Compliance Audits

Legal GRC: Case & Matter Management; Regulatory Intelligence; FCPA Compliance; UK Anti-Bribery Act Compliance; Regulatory Examinations

Supplier Governance: Supplier Information & On-boarding; Social Compliance; Supplier Risks; Supplier Quality - SCAR; Supplier Performance

Quality Management: Integrated QMS; NCM – CAPA; ISO 9000, 13485, 16949; FDA GXP; TQM, 6-Sigma; Equipment, Training, DMS

EHS and Sustainability: CSR Reporting; EPA, OSHA, ISO 14000; Permit Tracking; Incident Mgmt.; Hazard Analysis; Carbon & Energy Mgmt.; MSDS

IT-GRC: IT Risk Management; Threat & Vulnerability; Cloud GRC; IT Governance & Compliance – COBIT, PCI...; IT Asset Mgmt.; Business Continuity

Content and Training: Content, Best Practices; Regulatory Feeds; Alerts & Notifications; e-Learning, Compliance Training

Thank You

Contact: Email: [email protected]

Phone: 1-650-620-2950