Automating Your Compliance Program (Ted Banks, 2014. 9. 3.)
TRANSCRIPT
Automating Your Compliance Program
Ted Banks
Compliance & Competition Consultants LLC
Scharf Banks Marmor LLC
The Key Concepts
• Capture knowledge electronically and reuse it automatically.
• Figure out what you do during your compliance activities, and use automation tools to do it better.
• Make it your goal to have every employee want to partake of compliance because it is so wonderful.
“Three Rules to Build Your Digital Experience Strategy”*
1. Design dopamine digital experiences.
   – “I can’t wait.”
   – “This is fun.”
   – “I got it done.”
2. Be everywhere.
3. Stay fresh.
*J. Rymer & M. Gualtieri, KM World (Sept. 2012)
Acknowledgement
• Inspiration: ABA Tech Show 60 Sites in 60 Minutes, which became 60 Apps in 60 Minutes
• Today: A few “big” systems, a few small applications, and a bunch of ideas, some of which you may find useful.
The CCO Job
• Protect the company
• Do it by
  – Doing your job more efficiently (back office)
  – Reaching employees more effectively (front office)
Priorities?
• #1 Help employees do their job better
• #2 Make your job better
• My philosophy: employees come first
Getting Help (or Inspiration)
• Vendors (beware the BS)
• Your IT Department
• Benchmarking with other companies
• Analogies from other systems
The Vendors
1. They use adjectives instead of facts: “The Acme System is a robust compliance system designed to deliver the results you need. It has been specifically designed to be the most comprehensive and functional tool available. It streamlines your job and will improve profitability. Call for a demonstration.”
2. They are afraid of competition: “We don’t want our competitors to copy our great ideas.”
The Vendors
3. They don’t really know how to get the word out.
The Reality
• Good ideas can come from anywhere
• I am not endorsing the vendors I mention in this presentation,
but present them as examples of what can be done
• The toughest job: conceptualizing what you want
Paradigm 1: Filling Out a Form
• Forms are a powerful tool
• To work, a form
  – requires that you know what questions to ask
  – requires that it is used at the right time
  – requires that it can be practically used by those who should use it
Learning from Data
Centralizing Data
• Avoid repetitive due diligence questionnaires
• Example: TRACE International TRAC system for third-party verification
http://tracnumber.com
Paradigm 2: Painless Access
• Make compliance a seamless part of business processes
• Make access to information painless
• Make the compliance experience special
What Technology?
Real Biz Shorts -- www.corpedia.com
The Business Process
• Do you know what processes happen in your company that can incorporate a compliance step? (Siemens example later)
Making access to compliance information painless
• Instantaneous
• Automatic
• Fits the way the employee communicates; does not require new behavior
• Do you use an iPad?
www.intertek.com
Ease of Access to Information
Do you use a smart phone (or even a not-so-smart phone)?
Use it for compliance!
Send a text message
• The To-do List
  – Type: todo <message>
  – Example: todo draft social media policy
• Voting/Poll
  – Type: vote <number>
  – Example: vote 3
1-646-606-2806
Wolters Kluwer ComplyTrack 6 Alpha www.mediregs.com/complytrack-suite
Make the Compliance Experience Special
• Can you use a geographic analogy to convey other compliance topics?
http://company.zynga.com/privacy/privacyville
www.trueoffice.com
True Office Mobile Compliance Games
What do you know about jobs?
• The Amazon model: based on what you buy, we know what you probably want
• The compliance model: based on what you do, we know your compliance risks
  – Therefore, we target our compliance program
Linking Jobs to Risks
www.lrn.com
• No agreement on what compliance means
• So beware of companies that advertise “compliance” software, e.g., using compliance to mean document management or workflow
Regulatory Compliance
• Health care, financial services
• For compliance officer, or subject matter expert
• Make technical information more accessible
• Make sure that processes are followed
Regulated Industry Example: Health Care
www.mediregs.com
Look at each step of the compliance process: What can you automate?
• Risk Assessment
• Compliance standards and procedures
• Organizational infrastructure
• Due care in delegation
• Communicate compliance standards
• Monitor and audit
• Appropriate discipline
• Periodically update the program (triggers from reports)
• Generating heat map with audience response system
• Managing policies
• Track training of board, executives, compliance program for RIFs
• Background checks
• Conversion of PowerPoint to training; link of training to job descriptions; automated certification process
• Screens; automated email monitoring; expense monitoring
• Investigation process
• Triggers from reports
Training: WeComply Reporting Dashboard
www.wecomply.com
Back Office System
• Challenge: just too much to do and keep track of all of it
• Response: a comprehensive compliance system
PWC UK Enterprise Compliance Portal [email protected]
Assessment – Template selection
Assessment – Self assessment summary
Assessment – Self assessment details / data entry
Assessment – Remediation plan details
Self certification – Dashboard
Self certification – Confirmation / sign off
Reports – Global assessment heatmap
Reports – Compliance dashboard report
Reports – Response breakdown report
Reports – Assessment against remediation progress
Reports – Level of risk details
Document library
Risk Assessment
• Resolver Ballot + Protiviti: using audience response systems
www.protiviti.com
Policy Management
• Could be something like SharePoint
• Central source for policies
  – Online copies linked to master
• Version control
  – Authority to alter
• Distribution to impacted employees
• Reminder to update
Policy & Procedure Management: Creation, Review, Approve, Organize
Certification and Self Assessments
Mapping to Risks and Controls
Alerts and Notifications
Awareness and Training
Tracking and Visibility
Policies related to: Gifts, Regulatory Compliance, Commission Payment, Expense Reimbursement, Payment, Travel and Entertainment, Employee Background
Enforcing the policy and guidelines and ensuring compliance by employees and third parties
www.MetricStream.com
Training
• The garbage in-garbage out problem
• LMS,LCMS important for compliance
• What do I need to know to do my job?
• We fail
  – Overinclusive or underinclusive
  – Static, boring
  – Irrelevant
Convert PowerPoint to eLearning: Articulate
www.articulate.com
Full Escape from PowerPoint
• The Khan Academy Blackboard Approach
• If you know your stuff, you should be able to teach it this way
www.khanacademy.org
Track Training of 3rd Parties: Eduneering ComplianceWire
www.uleduneering.com
Example from MetricStream: Prevent / Detect / Respond
Prevent
• Training Program Effectiveness
• Policy Certification
Detect
• Performance of Controls
• KPI/KRI Breach
• Risk Assessments, Audit Results
Respond
• On-time Remediation mechanism
• Resource and Time Management
• Effectiveness of Compliance Program
Administering Compliance Rules
• Train to use tool before certain actions, such as giving or receiving gifts
• Can combine automated process with manual review
Protection notice / Copyright noticeFor internal use only / © Siemens AG 2012
Policies and electronic tools help identify risk and balance competing interests
Provision Scorecard: payment of meal, gift, local travel
  – Government Officials: Mandatory
  – Private Sector: Voluntary
Acceptance Scorecard: acceptance of meal / gift, entertainment, travel, accommodation
  – Voluntary
SpoDoM Tool: payment of entertainment, non-local travel, lodging
  – Government Officials & "critical" participants*: Mandatory
  – Other participants: Voluntary
*Related Parties of Government Officials, healthcare providers, members of the purchasing department, invitees actively involved in the acceptance of a bid or the awarding of a tender
Scorecards are used when gifts and/or meals are provided to Government Officials
Pre-approval of sponsorships, donations, corporatememberships, other contributions and hospitalitypackages must be obtained via SpoDoM tool
Siemens supports many organizations around the world through sponsorship, hospitalitypackages, donations and other contributions.
Memberships in associations and contributions to certain groups and activities arean essential part of our Corporate Social Responsibility program, our leadership in industry initiatives and our programs to strengthen the Siemens brand.
The Sponsoring, Donation and Membership (SpoDoM) Tool helps to
  – focus these strategic efforts
  – enhance controls over associated costs
  – ensure compliance with applicable legal requirements
• No contribution may be promised, offered or made to secure inappropriate competitive advantages.
• All contributions must be clear, plausible and visible.
• No contribution may be made to recipients whose goals are incompatible with Siemens‘ corporate principles or which would damage Siemens‘ reputation.
• No contribution may be paid to private accounts.
Pre-approval of entertainment, non-local travel, & lodging provided to certain 3rd parties must be obtained via SpoDoM tool
Entertainment, Non-Local Travel, or Lodging
Is the invitee:
  – a Government Official
  – a relative of a Government Official
  – a health care provider
  – a member of the purchasing department
  – actively involved in a purchasing decision or the acceptance of a bid?
Yes: SpoDoM approval required
No: no SpoDoM approval. Responsibility for the decision on invitations not fulfilling any of these criteria – even expensive ones – is fully taken by the business.
Exceptions (e.g. approval not necessary for…)
• Company-organized events, if
  – the purpose is to provide scientific or technical information or to serve as a forum for the discussion of cultural or economic topics
  – the information is useful for the invitee
  – there is a link to Company business
  – food is limited to snacks and drinks
  – no gifts or only small gifts (“giveaways”) of nominal value are provided
• Employee guests at company-organized events hosted exclusively for employees (e.g. company picnics or holiday parties).
• Hospitality required by contract, if the contractual clauses are reviewed by legal.
How do people communicate?
• Talking is easier than keyboarding.
• People love those Apple ads for Siri because they love the idea of the freedom to communicate with a computer by speaking to it.
• Capture the inclination of people and make it work for you.
• Siri and Google Voice Search actually work very well.
Compliance Advice on the Smartphone
• Question 1
Compliance Advice on the Smartphone
• Question 2
Concept: Voice Search
• You have a defined database
  – Code of Conduct
  – Compliance Policies
  – Business procedures
  – Q&As and other communications
• If an employee has a compliance question, let them ask.
• Use voice input to provide data for other programs (e.g., ComplyTrack)
Concept: QR Codes for Compliance Info
For more info on any subject, take a picture of the related QR code
Artificial Intelligence Example: Neota Logic
• Capture legal rules and apply to a process
• The compliance challenge:
  1. Need to transfer customer or employee data from one country to another.
  2. Legal review of compliance requirements (notifications, forms, encryption, etc.) was costing as much as $30,000 per request.
• Can the process be automated?
http://www.neotalogic.com/
Neota Logic
• Step 1: Get the rules.
– Law firm compiled rules for 50+ countries
– Result: giant stack of memos
• Step 2: Operationalize the knowledge
– Create an expert system that takes the knowledge and asks questions about the nature and circumstances of the proposed transfer and then returns a list of the required compliance steps.
– Integrate with the company's existing internal workflow system
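The expert-system idea in Step 2, and the SpoDoM pre-approval decision tree for entertainment, non-local travel and lodging shown earlier, both come down to the same pattern: hold the rules as data, collect the facts by asking questions, and let one function return the required compliance steps. The block below is an added example written for this page; it is not the Siemens SpoDoM tool, not a Neota Logic product and not code from the presentation. The invitee categories and the three exceptions are exactly those printed on the Siemens slide; the `Invitation` record, its field names, the role labels and the wording of the returned steps are assumptions.

```python
"""Rule-based pre-approval check for entertainment, non-local travel and lodging.

Added example: not the Siemens SpoDoM tool and not a Neota Logic product. The
invitee categories and the three exceptions are taken from the slides above;
the Invitation field names, role labels and step wording are assumptions.
"""
from dataclasses import dataclass, replace

# Hospitality types the slide's decision tree covers.
HOSPITALITY_KINDS = frozenset({"entertainment", "non_local_travel", "lodging"})

# Invitee categories that trigger SpoDoM pre-approval (from the slide).
CRITICAL_INVITEES = frozenset({
    "government_official",
    "relative_of_government_official",
    "healthcare_provider",
    "purchasing_department",
    "involved_in_purchasing_decision_or_bid",
})


@dataclass(frozen=True)
class Invitation:
    """The facts an expert system would collect by asking questions (assumed names)."""
    kind: str
    invitee_roles: frozenset = frozenset()
    company_organized: bool = False
    informational_purpose: bool = False   # scientific/technical info, or cultural/economic forum
    useful_to_invitee: bool = False
    linked_to_business: bool = False
    snacks_and_drinks_only: bool = False
    gifts_nominal_only: bool = True
    employees_only: bool = False
    required_by_contract: bool = False
    contract_reviewed_by_legal: bool = False


# Exceptions from the slide, held as data (label, predicate) rather than as code
# branches, so compliance can review and change them without touching evaluate().
EXCEPTIONS = [
    ("company-organized informational event",
     lambda i: i.company_organized and i.informational_purpose and i.useful_to_invitee
     and i.linked_to_business and i.snacks_and_drinks_only and i.gifts_nominal_only),
    ("employee-only company event",
     lambda i: i.company_organized and i.employees_only),
    ("hospitality required by contract, clauses reviewed by legal",
     lambda i: i.required_by_contract and i.contract_reviewed_by_legal),
]


def evaluate(inv: Invitation) -> dict:
    """Apply the rules and return the decision with the compliance steps it implies."""
    if inv.kind not in HOSPITALITY_KINDS:
        raise ValueError(f"decision tree covers {sorted(HOSPITALITY_KINDS)}, not {inv.kind!r}")
    # Exceptions are checked first: the slide says approval is not necessary for them.
    for label, applies in EXCEPTIONS:
        if applies(inv):
            return {"approval_required": False,
                    "reason": f"exception: {label}",
                    "steps": ["No SpoDoM approval necessary"]}
    critical = inv.invitee_roles & CRITICAL_INVITEES
    if critical:
        return {"approval_required": True,
                "reason": "invitee is " + ", ".join(sorted(critical)),
                "steps": ["Obtain pre-approval via the SpoDoM tool before extending the invitation"]}
    return {"approval_required": False,
            "reason": "invitee is not in a critical category",
            "steps": ["No SpoDoM approval; the business takes full responsibility for the decision"]}


if __name__ == "__main__":
    # Constructed cases, not real requests.
    official = Invitation("lodging", frozenset({"government_official"}))
    seminar = Invitation("entertainment", frozenset({"healthcare_provider"}),
                         company_organized=True, informational_purpose=True,
                         useful_to_invitee=True, linked_to_business=True,
                         snacks_and_drinks_only=True)
    for case in (official, seminar, replace(seminar, gifts_nominal_only=False)):
        print(case.kind, sorted(case.invitee_roles), evaluate(case))
```

The point of keeping `EXCEPTIONS` and `CRITICAL_INVITEES` as data is the one the Neota Logic passage makes: when the law firm's memos change, the compliance officer edits the rule table, not the program, and the same questionnaire drives the result. Dropping one condition (a seminar that hands out more than nominal gifts) pushes the case back into the pre-approval path, which is the kind of edge the manual review used to catch.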
What can I do?
• Look for compliance gaps and ask yourself: How can I make this better?
• Be familiar with commercial products
• Look for tools used by other companies
• Every time you hear about any automation advance, think: Can I use this in compliance?
But I’m not a techie . . .
• Remember every moment you said to yourself “I wish I could do . . .” and ask if it could be done.
• Make friends with IT Dept in company.
• Develop resources at local colleges to get young programmers who need jobs.
• Keep asking!
…but it can help you do your job better.
Remember . . .
Thank you.