TRANSCRIPT
MetricStream Webinar
January 31, 2013
Presentation by Wilma Wallace
VP Deputy General Counsel, Gap Inc.
Specialty retailer headquartered in San Francisco
Founded in 1969
Sells apparel, shoes, accessories and personal care products under the Gap, Banana Republic, Old Navy, Athleta and Piperlime brands, and through our newly acquired company, Intermix
Sells through traditional retail and outlet stores, and through our web sites
More than 3,200 retail store locations in the U.S., Canada, the U.K., France, Japan, China and Italy
More than 145,000 employees
Franchise operations in more than 40 countries
Sourcing operations in more than 43 sourcing countries across the globe, including China and South East Asia.
Defining Scope and Objectives of Corporate Compliance Programs
Designing a Corporate Compliance Program: Organizational Structure
Adopting a Risk Based Approach to Compliance
Due Diligence and Anti-Corruption Programs
Reflections on Effective Compliance Training and Communications
The Elements of An Effective Compliance Program
The U.S. Sentencing Guidelines establish the bar for determining the effectiveness of an organization's compliance program.
1. A Written Program. The organization must have standards and procedures to prevent and detect criminal conduct.
2. Board Oversight. The organization's board of directors must be knowledgeable about the content and operation of the compliance program and must exercise reasonable oversight of its effectiveness.
3. Responsible Persons. One individual among the organization's high-level personnel must be assigned overall responsibility for the compliance program.
4. Operating and Reporting. One or more individuals must be delegated day-to-day operational responsibility for the compliance program. They must report periodically to high-level personnel and, as appropriate, to the board of directors or its audit committee on the effectiveness of the program.
5. Management's Record of Compliance. The organization must use reasonable efforts not to hire personnel who have substantial authority and whom the organization knows or should know through the exercise of due diligence have engaged in illegal activities.
6. Communicating and Training. The organization must take reasonable steps to communicate periodically in a practical manner its standards of compliance to directors, officers, executives, managers, employees and agents -- by conducting effective training programs and otherwise disseminating information appropriate to the individuals' respective roles and responsibilities.
7. Monitoring and Evaluating; Anonymous Reporting. The organization must take reasonable steps to (a) ensure its compliance program is followed, including auditing to detect criminal conduct, (b) evaluate periodically program effectiveness and (c) publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report criminal conduct without fear of retaliation.
8. Consistent Enforcement -- Incentives and Discipline. The organization's compliance program must be promoted and enforced consistently through appropriate (a) incentives to perform and (b) disciplinary measures for engaging in criminal conduct or failing to prevent it.
9. The Right Response. After criminal conduct has been detected, the organization must take reasonable steps to respond appropriately and to prevent further similar criminal conduct, including making any necessary modifications to the organization's compliance program.
10. Assessing the Risk. The organization must periodically assess the risk of criminal conduct and take appropriate steps to modify its compliance program to reduce the risk of criminal conduct identified through this process.
“Compliance programs should be designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
U.S. Principles of Federal Prosecution of Business Organizations
Gap Inc.'s Compliance Structure: A Collaborative Federated Model
Board Oversight: Audit & Finance Committee is responsible for ensuring an effective compliance program. 2x annual reporting on the program elements to the Board. Annual reporting on legal and compliance risks by General Counsel.
Senior Management: Corporate Compliance Committee meets quarterly.
Chief Compliance Officer and General Counsel: executive management accountability for program effectiveness.
Direct oversight: Corruption; Employment and Labor; Insider Trading; Anti-Trust; Data-Privacy/Security.
Indirect oversight: Fraud; Product Safety Compliance; Import Compliance; Environmental Compliance; Political Contribution Compliance; Vendor Compliance.
Gap Inc.'s Compliance Structure: A Collaborative Federated Model
Global Integrity & Compliance Team: day-to-day responsibility for program effectiveness. Deputy General Counsel, VP; Associate General Counsel; Manager of Operations; Manager of Employee Engagement; Data Analyst.
Legal Team: provides subject matter expertise (corruption and bribery, privacy); audits; investigations; global coverage.
Internal Audit: audits; investigations.
Conduct regular risk assessments: informal and formal (Enterprise Risk Assessments, 3rd party audits)
Internal Audit: internal systems audits, program effectiveness
Reporting Mechanisms
Compliance Committees
Board and Management Oversight
Enforcement, Business and Sector Trends
Identify your risks, but keep it simple. Develop a program that is responsive to your risks. Establish a process to evaluate new risks.
1. Fraud
2. Corruption
3. Employment/Labor
4. Data Privacy/Security
5. Product Safety
6. Insider Trading
7. Import Compliance
8. Anti-Trust
9. Environmental Compliance
10. Political Contribution Compliance
11. Vendor Compliance*
Step 1: Evaluate your Inherent Risk for a Fortune 100 U.S. based Global Apparel Retailer of X size and X complexity.
Step 2: Evaluate your organization's Residual Risk.
To Be Determined by You
Know Who You Do Business With and Who You Shouldn't
Companies may be held responsible for the improper conduct of third parties acting on their behalf.
3rd parties could include: agents (marketing, real estate); consultants; lobbyists; exporters; contractors/subcontractors; lawyers.
Develop a due diligence program that meets your risk (geographical scope, services provided).
Conduct due diligence: a questionnaire covering reputation, business history, past and present clients, and relationships with government officials; consider using a 3rd party to conduct due diligence; establish an approval or rejection process; consider annual certification; update the due diligence process.
Other elements of an anti-corruption program: written contracts with agents and consultants; audit rights; withdrawal or termination rights; controls around approval of sub-contractors; periodic communications to 3rd parties stating expectations of compliance; review of expense records of high-risk groups (Government Relations).
One Size Does Not Fit All
Regular communications by leadership and management.
Comprehensive and alternative training: on-line, live, interactive, web-portals or blogs, videos, refresher training, board education.
One Size Does Not Fit All
Leverage Enterprise Risk Assessments
Identify external and internal risk trends
Recognize cultural and language differences
Target training for appropriate employee groups
Create engaging e-learning: interactive format, relevant examples for the target audience, be creative and fun
Manage the company's "gulp" rate and your budget: maximize each course
Use informal communications
© 2013 MetricStream, Inc. All Rights Reserved.
Ethics & Corporate Compliance Programs - Creating Business Value
January 31, 2013
Keri Dawson, VP of ComplianceOnline Advisory Services, MetricStream
Corporate Compliance - Establish Scope, Roles and Responsibilities
• Meeting regulatory requirements
• Training partners and other stakeholders
• Certifications with regard to business practices
• Auditing partner/supplier business processes and practices
• Performing impact analysis/risk assessments
• A complex situation: maintaining independence vs providing access
• Have a complete view that includes the compliance program status of third parties/partners
Components of Corporate Compliance Programs
• Policy Management
– Create, manage and communicate various policies
• Risk Management
– Risk Identification
– Risk Assessment
– Risk scoring and rating
– Risk Mitigation
• Compliance Management
– Compliance Regulations
– Create and Manage Controls
– Compliance Assessments
– Certifications
• Audit Management
– Audit Planning and Scheduling
– Audit Checklist
– Issue & Remediation & Reporting
• Training Management
– Department specific
– Geography specific
– Regulation specific
– Evaluate training effectiveness
• Issue & Corrective / Preventive Actions
– Centralize management of issues, corrective and preventive actions
• Real-time Reporting and dashboards
MetricStream GRC - Integrated approach to Corporate Compliance
Adopt Risk-based Approach to Compliance & Audit
• Library of Risks: risk factors, inherent risks, controls, residual risk
• Ranking of Risks
• Risk Scoping: location/division, statutory group, product line, commodity group
• What-If Analysis
• Risk Mitigation: 3rd party testing, internal audit
• Compliance Strategy
• Example risk factors: bribery, criminal misconduct, policy gaps, value of business with governmental entities and other high risk organizations, use of agents and other intermediaries
Monitor Regulatory Updates
• Alert channels: email, RSS, Infolet, subscriptions
• Structured content channels: database, forms & reports, data feeds
• Content areas: Global Trade compliance, SOX, IFRS, EPA Retail, OSHA, CPSIA, EH&S
• Flow: channels produce alerts; users are notified; alerts (title, body, attachments) are reviewed and issues triggered
Regulatory Change Management
• Update policy and compliance activities
• Impact analysis and mapping
• Triggering assessments, policy updates
Automate Corporate Compliance Programs
• Policy and Procedures: creation, distribution, attestation
• Chief Ethics & Compliance Officer: tone from the top
• Risk Assessment: qualitative and quantitative
• Compliance Management: control libraries, testing
• Audit Management
• Incident Management and Corrective Action
• Training Program Management
Enforce Policies for Effective Compliance
• Creation, review, approve, organize
• Awareness and training
• Tracking and visibility
• Policies related to: gift policy, code of vendor conduct, employee conduct
• Mapping to compliance and controls
• Alerts and notifications
• Certification and self assessments
Map Policies to Areas of Compliance
• Create new policies or changes to existing policies
• Map policies to appropriate compliance requirements
• Collaborate with multiple teams for comments, annotations, review and approval
• Implement training & communication plan
• Capture evidence that employees and external vendors have read/accepted policies
(Diagram: policies mapped to areas of compliance.)
Compliance Risk Management & Assessment
Cycle (from Start): Risk Identification; Risk Analysis; Risk Evaluation; Issues and Actions; Reports & Dashboards. Overseen by Executive Program Management.
Manage a Centralized Compliance Repository
• Establish common framework for multiple compliance requirements
– Organization specific compliance requirements
– Cross-industry mandates and regulation
– Corruption
– Employment and Labor
– Insider Trading
– Anti-Trust
– Data-Privacy/Security
– Fraud
– Product Safety Compliance
– Import Compliance
– Environmental Compliance
– Political Contribution Compliance
– Vendor Compliance
• Repository components: Regulatory Intelligence, Program Management, Compliance Documentation, Assessments, Issue/Remediation, Surveys
Create and Map Controls for Compliance
• Control Harmonization
– Standardize controls
• Control monitoring and enforcement
– Assessments
– Tests
– Audits
– Surveys
• Compliance monitoring and reporting
– Including regulatory submissions
Manage Assessments & Certifications
• Standardize self-assessments
– Common taxonomies
– Evaluation criteria
– Central data repository
– Surveys
– Certifications
• Enable each business and functional area to manage their own
– Compliance activities
– Facilitate control effectiveness monitoring
– Management reporting
Compliance Audit Management
Workflow (from Start): Risk Assessments and Scoping; Planning & Scheduling; Audit Fieldwork (auditing controls, high-risk processes); Work Paper Review & Completion; Final Audit Report; Audit Remediation; Control Improvement Recommendations. User Homepage.
Training Program Management
• Workflow: Assigning Courses to Employees; Initiate Training; Report Course Completion; Creating Questionnaire; Administering Tests; Reports - Training Gap; Creating and Assigning Competency; Certification
• Training Objective: understanding compliance and ethics related policies; potential red flags; reporting and escalation mechanism
• Training Scope: employees; 3rd party training; training for employees at risk
• Training Status: reports - training medium, gaps, trained-untrained employee breakout
Automate & Manage Training Programs
• Monitor employee training, policy, case history
• Automate training request, approvals
• Manage training history & certification details
Integrate with Case / Incident Management
• Common data set for managing Issues & Actions, shared across Risk Management, Compliance Management, Business Operations and Audit Management (risk, control, schedule; regulations, process, rules; planning, work-papers, findings; projects, technical, business)
• Monitoring Issues & Actions
• Root cause analysis
• Track issues to closure
Manage Incidents Effectively
• Establish closed-loop process
• Automate and manage entire lifecycle
– Capture incidents
– Analyze, validate, assign
– Investigate / root cause analysis
– Remedial action
– Approve & close
• Manage central repository of incidents and remediation
Evaluate Effectiveness of Corporate Compliance Programs
• Prevent: training program effectiveness; policy certification
• Detect: performance of controls; KPI/KRI breach; risk assessments; audit results
• Respond: on-time remediation mechanism; resource and time management
Use Case - Anti-Bribery
Prevent, Detect, Respond:
• Training
• Policies and procedures
• Program communication
• Risk assessment
• Performing internal audits
• Defining and strengthening controls
• Effective lines of communication
• Global case tracking
• Monitor effectiveness
Tone from the Top
Compliance Helpdesk (Global Ombudsman)
MetricStream Solution
Case Study: Fortune 500 Retail Chain
• HR Compliance:
– Duties Survey
– HR Compliance Training & Certification
– Audit
– Annual audit survey
– Store visits
• Legal/Risk:
– Product Recall
– Labeling Compliance
• Privacy:
– Privacy Policy Compliance Review
– Annual Compliance Review
– Privacy Policy Changes
– International Privacy Program
– Privacy Incident Response Program
– Privacy Impact Assessment
• Diversity Affairs:
– Sexual Harassment Education
– Signage
Selected Case Studies
Premium golf clubs and equipment brand
• Global component suppliers and assembly facilities in East Asia
• Solution automatically tracks and inspects SKUs, calculates Cpks every 2 hours
Merchandise division of multi-national mass media & entertainment company
• Supplier Audit Management; monitor licensees and vendors to ensure review of the CAP with the facility
• Implementation of a corrective action plan and prompt remedy to any compliance violations identified in the audit
• Vendor/licensee qualification, annual re-qualification, contract management, maintaining registration information and third party audits
One of the largest computer hardware, software and consumer electronics companies
• Supplier, product and social compliance assessments and audits for supplier base
• Recording, investigation, remediation and action tracking of incidents, findings, or suspected violations of the law, code of conduct and company policies
• Corporate Social Responsibility & Sustainability performance management across 100,000 suppliers
Selected Case Studies
Largest retailer and distributor of construction and maintenance products
• More than 50,000 suppliers
• Vendor information management, on-boarding, evaluation, RFQ, auditing, selection
• Central repository for supplier governance, performance management
Largest retail chain in South Africa
• Over 6,000 suppliers
• Supplier registration process, approval and acceptance, rejection capabilities
• Extending supplier management to the 'Good Business Journey' initiative
One of the largest fashion retailers
• Integrated framework to streamline corporate compliance
• Over 15 different areas covered including Social, HR, Privacy, Legal, IT
• Leveraging configurability to model a wide range of processes on the same platform
Fortune 500 department store chain
• Social Compliance & Sustainability solution: vendor management, policy & compliance, audit and issue & CAPA management, vendor partner certification
• Facilitate factory inspection, track factory social compliance results
About MetricStream
Vision: Integrated Governance, Risk and Compliance for Better Business Performance
Organization
• Over 1,000 employees
• Headquarters in Palo Alto, California with offices worldwide
• Over 300 enterprise customers
• Privately held - backed by leading global VCs
Solutions
• Governance & Ethics
• Risk Management
• Compliance Management
• Audit Management
• Legal GRC
• Supplier Governance
• Quality Management
• EHS & Sustainability
• IT-GRC
• Content and Training
Differentiators
• Technology - GRC Platform - 9 Patents
• Breadth of Solutions - Single Vendor for all GRC needs
• Cross-industry Best Practices and Domain Knowledge
• ComplianceOnline.com - Largest Compliance Portal on the Web
Partners
GRC Solution Footprint
• Governance and Ethics: Corporate Ethics; Code of Conduct; Contract Compliance; Board & Entity Management; Performance Management
• Risk Management: Enterprise Risk; Operations Risk; Vendor Risks; Risk-Control Assessments; Loss Management; Heat maps, KRI; Scenario Analysis
• Compliance Management: Policy Compliance; Regulatory Content; Financial/Internal Controls; IT Compliance; Industry Compliance - FINRA, FFIEC, FERC, NERC, FDA, HIPAA, CMS…
• Audit Management: Internal Audit; Operational Audits; Quality, Safety Audits; Vendor Audits; Financial & SOX Audits; IT Compliance Audits
• Legal GRC: Case & Matter Management; Regulatory Intelligence; FCPA Compliance; UK Anti-Bribery Act Compliance; Regulatory Examinations
• Supplier Governance: Supplier Information & On-boarding; Social Compliance; Supplier Risks; Supplier Quality - SCAR; Supplier Performance
• Quality Management: Integrated QMS; NCM - CAPA; ISO 9000, 13485, 16949; FDA GXP; TQM, 6-Sigma; Equipment, Training, DMS
• EHS and Sustainability: CSR Reporting; EPA, OSHA, ISO 14000; Permit Tracking; Incident Mgmt.; Hazard Analysis; Carbon & Energy Mgmt.; MSDS
• IT-GRC: IT Risk Management; Threat & Vulnerability; Cloud GRC; IT Governance & Compliance - COBIT, PCI...; IT Asset Mgmt.; Business Continuity
• Content and Training: Content, Best Practices; Regulatory Feeds; Alerts & Notifications; e-Learning, Compliance Training
Thank You
Contact: Email: [email protected]
Phone: 1-650-620-2950