9/20/2013
Public - Slide 1
Tuesday, October 8 2013 1:30 – 2:30pm
SCCE - Compliance and Ethics Institute 2013
607 – Outsourcing Compliance – yes it can be done!
Janet Himmelreich, CCEP, BT Head of Client Compliance Services (CCS)
Steve Kilmister, BT CCS Operations and Assurance Director
Public - Slide 2
Outsourcing Compliance – Yes it can be done! What it is and what it is not
A little about today’s session
It is not
• About how to outsource your Compliance Department
• Or how to transfer compliance requirements from your organization to another
• An endorsement of outsourcing for all organizations
It is
• About how to integrate your compliance requirements into your relationship with your vendors
• How to be sure compliance, ethics, quality and security governance requirements are included in the relationship – preferably from the start!
Public - Slide 3
Agenda
•Module 1 – The Compliance Conundrum
•Module 2 – Internal Controls and Assurance
•Module 3 – The Quality Management System
•Closing Thoughts
•Questions and Answers
•Additional Information
Public - Slide 4
The Compliance Conundrum
Module 1
Public - Slide 5
The Compliance Conundrum
[Graphic labels: GxP; Bribery - FCPA; SFO; Proceeds of Crime Act]
Increasing worldwide regulations across all industries and a heightened focus on the enforcement of their requirements, combined with pressure to reduce costs in line with challenging economic conditions.
Public - Slide 6
The Compliance Conundrum Continued
“No matter what industry you are in, you need to look at key attributes when evaluating an outsourcing vendor. First, you need to know that the vendor can meet compliance standards for your industry.”
The Outsourcing Handbook; Kogan Page, Ltd 2006
What can you, as a Compliance and Ethics Professional do to influence the decisions and address the conundrum? Your goal is to meet the business imperatives while ensuring the compliance requirements are met.
“The enormous pressure to improve shareholder value often results in a strategic business decision to outsource, however, managers must look… …beyond rudimentary cost calculations focused on short-term profit, such as the cost of labour or the ex-factory cost and incorporate the total cost and risk of extended international supply chains.”
The Boeing Debacle - Forbes Website 2013
“Government regulations will continue to be enforced and companies will need to adapt and find better, more efficient ways to handle compliance, legal and financial risk.”
IAOP Top 10 Outsourcing Trends for 2013
Public - Slide 7
A few key concepts
•Outsource
•Sourcing - the act of transferring work from one entity to another
•Out – the act of transferring the work to an external party
Always three parts to any outsourcing initiative:
•Client – organization transferring the work
•Vendor – strategic partner, supplier or service provider – the
organization that conducts the work and in the case of a complex
endeavor, the party that makes the decision to implement and provide the
service transferred
•Program or Project – the well defined scope of work – whether a small
consulting job or a completely outsourced research & development
department – that will be implemented by the vendor, monitored by the
client and mutually governed
Public - Slide 8
Can you outsource and still meet YOUR requirements?
It depends on what, exactly, you are going to outsource
• Understand the strategic business case
• Make sure you are part of the evaluation team – from the beginning
• If the function being considered impacts your regulatory compliance
requirements, then the competence of the suppliers being considered as
well as a formal written agreement must be in place – the EU data privacy
and protection requirements are an example
What are the key drivers?
• Core business functions that are well-known and understood – e.g. payroll
and some HR functions
• Non-core functions that can be obtained more cheaply and efficiently from
well known sources –e.g. manufacturing processes
• Key business functions that if outsourced, will enable cost, efficiency,
agility and innovation capabilities that allow the organization to focus more
resources on strategic initiatives
In our experience, Compliance, Quality and Security Governance teams are too
often not consulted at all or are consulted very late in the outsourcing life cycle.
Public - Slide 9
Outsourcing Requirements
•Should always be gathered by the client from all the stakeholders
• Including core compliance, security and quality principals!
•Large outsourced agreements are often driven by the C-level and
managed by Procurement
•Procurement tends to focus on costs, service level agreements, and
typical Terms and Conditions, billing terms, taxation and data privacy
•Frequently at the very end of protracted negotiations, Legal review can
then introduce Quality, Compliance and Security items – resulting in
additional requirements that were not accounted for in either party’s
business case
Public - Slide 10
Success Factors for Strategic Partnerships
•The Client must embrace change
•Different ways of working, different cultures and ethnicities
•Good negotiating and relationship building
•5% inspiration and 95% perspiration
•It is hard work, requiring commitment and transparency
Ten common traps of outsourcing*
1. Lack of management commitment
2. Minimal knowledge of outsourcing methodologies
3. Lack of an outsourcing communications plan
4. Failure to recognize outsourcing business risks
5. Failure to tap into external sources of knowledge
6. Not dedicating the best and brightest internal resources
7. Rushing through the initiative
8. Not appreciating cultural differences [people & companies]
9. Minimizing what it will take to make the vendor productive
10. Poor relationship management programs
*Based on Power, Bonifazi and Desouza (2004)
Public - Slide 11
When things tend to go wrong
•Limiting the scope of the business case
•Comparing the cost of a resource in the US or UK to a similar role in a
low cost economy
• Improving shareholder value without a full understanding of the total cost
and implications
•Basing the outsourcing decision on limited past experience or on the
recommendations of others without a complete life cycle management
approach to the evaluation:
1. strategic assessment
2. needs analysis
3. vendor assessment
4. negotiation and contract management
5. project initiation and transition
6. relationship management
7. continuance, modification or exit strategies
A dedicated team with
Executive level involvement
is the proven way to avoid
problems; it is this team
which you should be part of
from the start.
Public - Slide 12
How to avoid things going wrong
•Contract properly
• Identify ALL requirements upfront
•Institute a partnership governance model early on, and on an on-going basis, that includes the C-levels of both the client and the vendor
•Do not get rid of all your internal knowledge and expertise – you still
need to manage the vendor and assure the work being done meets
your requirements
•Be clear and specific about those requirements – including those
policies and processes that the vendor must follow
•Require cohesive oversight and quality control in a multi-vendor
environment
•Assure audit and monitoring are part of the solution that is developed by the vendor
• Include a Quality Management System* (QMS) in your agreement
*Discussed further in Module 3
Public - Slide 13
Key takeaways from Module 1
1. Complex and key components that are outsourced from a client require
a strategic partnership with well-defined governance
2. The contract must be clear as to what frames or underpins the
responsibility and decision making of the vendor
3. Any policies and processes the vendor needs to comply with should be
identified and made available as soon as possible in order to maintain
a transparent and fair relationship
4. Ensure the vendor clearly understands the compliance requirements,
and can specifically demonstrate (evidence, not words) their ability to
meet these
5. Make sure you have a seat at the table right from the beginning – don’t let your compliance and regulatory or security requirements be “thrown in” at the very end – it can derail negotiations, damage both parties’ business cases and potentially damage the trust that is required between the partners.
Public - Slide 14
Internal Controls & Assurance
Module 2
Public - Slide 15
Internal Control
• Most widely accepted definition is by COSO* (Committee of Sponsoring Organisations of the Treadway Commission):
• Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable global or local laws and regulations
• Safeguarding of Assets
• The COSO framework involves several key concepts:
• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It's not merely policy, manuals, and forms, but people at every level of an organization.
• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
* COSO's sponsoring organisations: Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI).
Public - Slide 16
The Importance of Internal Controls During Outsourcing
•A detailed understanding of your internal control landscape will ensure
you know what you are asking your vendor to deliver
•Decide the extent to which “how” your vendors deliver is important
•Defining how the vendors must satisfy the requirements will create
consistency across vendors and likely reduce the internal costs of
managing the vendors.
•However, this will increase the costs to the vendors and reduce their
ability to leverage “standard” services, thus increasing their overall
pricing.
•Using a recognized industry standard to map controls between
organizations can help leverage third-party assurance activities as an
additional monitoring mechanism on vendor performance
Public - Slide 17
Control Mapping
[Diagram labels: Vendor; Contract; Client Control Framework; In-scope Controls; External Control Framework; Vendor Control Framework]
What should be mapped is not just the control Wording but the control Objective.
Public - Slide 18
The Three Lines of Defense During Outsourcing
Management
Oversight
• The marketplace is
turning to ‘Quality’ to
ensure and demonstrate
compliance
• Be clear how you will
assure the services
provided meet your
compliance requirements
• Using vendor assurance
mechanisms can be very
cost effective
• Trust must be built over
time
Public - Slide 19
Assurance during Outsourcing
[Chart: axes Time and Assurance; labels BAU*, Vendor, and Client & External Review, each repeated three times]
Trust but verify
*Business as Usual
Public - Slide 20
Key takeaways from Module 2
1. Internal control is a process that involves people, not just a series of
policies
2. Know your internal control landscape before your outsourcing
requirements are defined
3. Using an industry standard control framework can help to bring the
control frameworks of the client and vendor together
4. The intent behind the controls is all important
5. Be sure how you will assure vendor performance against your
compliance requirements. Ensure these are contractual obligations.
6. Consider transitioning to vendor assurance mechanisms to leverage
cost efficiencies as trust develops over time.
Internal controls should form the basis of your Quality Management System
(QMS) which will be covered further in Module 3.
Public - Slide 21
The Quality Management System J&S Case Study*
Module 3
*Based on real client experiences
Public - Slide 22
The Quality Management System
Element: People
What it is:
• Knowledgeable of specific industry requirements & compliance requirements
• Can demonstrate qualifications to conduct each and every task they perform via training, background and experience
• Perform each and every task that is in an SOP or WI as required - with evidence
Element: Process
What it is:
• Processes follow quality policies and good documentation practices
• Processes are clear, precise, consistent and repeatable
• Underpinned by robust change management including approvals, plans and risk assessments
Element: Systems
What it is:
• Systems and tools are standardized and fit for purpose
• Underlying infrastructure subject to appropriate level of control
• Systems and tools catalogued in an inventory management system
Public - Slide 23
J.S. Inc.
I’m Steve Kilmister, COO for J.S. Inc. …
J.S. Corporate Profile
• A blue-chip US-based company operating in 70 countries worldwide, across 250+ locations; the CEO has asked the management team to consider outsourcing to lower costs
Challenges
• Need to keep non-core spending flat; goal is to enable our pipeline to mature and revenue grow from a new product launch
• We agreed the area of the business where we can achieve cost savings AND improve our internal operations to gain efficiencies is in our IT Department
• The dilemma is how to create an ‘agile’ strategy to support the explosive growth in BYOD and need for security of our IP?
• These represent parallel and conflicting demands upon an IT team that we have constrained to a fixed budget
Intended Benefits
• Cut costs but not quality and ensure ability to budget going forward
• Responsiveness to needs of the business by access to a breadth of skills and resources globally – consistent framework put in place
• Centralized management including program and project management to ensure the solution is within budget but is also accessible
• Greatly improve the speed and the security of our IT infrastructure to “best in class”
• Technology roadmaps as part of a governance process
Solution
• Outsource the management of existing IT services and all suppliers to a single supplier/vendor
• Migrate technical people and equipment assets to a qualified service provider who takes ‘ownership’ - has decision making authority
• Require a standardized infrastructure all over the world so that anyone in the company can work anywhere and it will be fast and efficient
• Measure performance and define SLAs to business needs via a contract – thus, we need an RFP and a team to solicit the right vendor
Public - Slide 24
J.S. Inc.
I’m Janet Himmelreich, Chief Compliance Officer for J.S. Inc. …
J.S. Compliance Profile
• We’ve been struggling to maintain compliance in light of internal restructuring, reducing budgets and increasing scrutiny by regulators.
Challenges
• Compliance has also been challenged to reduce costs
• Local processes not aligned to corporate compliance strategy
• Senior management “talking the talk” not “walking the walk”
• Inconsistent systems and tools
• Adherence to processes still inconsistent
• Training people around the world in local language is expensive and time consuming
Regulatory Imperatives
• Compliance and ethics code of conduct
• Anti-bribery and corruption (training not sticking again!)
• Sarbanes-Oxley
• Industry specific Health and Safety
• Governmental Reporting
• Data Protection and Privacy
• If it wasn’t documented, it wasn’t done!
• Enforcement has really been stepped up since the UK Anti-bribery Act
Consequences
• Fiduciary responsibility to the board
• Fines & Penalties
• Brand and reputational Impacts
• Increased costs through required remediation actions
• Speed and agility at the cost of quality and control
• Unending Audit Cycles
In light of all of this how could we ever consider outsourcing?
Public - Slide 25
J.S. Inc.
The “CEO” of J.S. Inc.
J.S. CEO/CIO Statement to the COO & CCO
• We have to give a plan to the board that explains how we are going to demonstrate $xM worth of savings by FY 2015/16 – SO YOU BETTER GET YOUR ACTS TOGETHER OR - YOU’RE FIRED!
The way forward…
• A person from the Compliance team will be a member of the outsourcing steering committee
• Compliance, Quality and Security requirements provided early to procurement
• Procurement will only use recognized vendors in our field
• Client and Vendor business cases will be aligned
• Assure a strategic partnership with vendor
• Know how the vendor will meet the compliance requirements
• Ensure Legal interests are represented and consistent
• We will maintain internal monitoring and assurance
Public - Slide 26
Compliance Requirements Flow Down
[Diagram labels: Regulator; Client Organization; Contract; Vendor; Delivery Partner; Delivery Partner]
Note: In the majority of cases there will be no direct link from the client’s regulator to the vendor. Therefore, it is essential that the flow of compliance requirements is maintained by use of contractual terms and conditions.
Public - Slide 27
Translating contract requirements
•A contract between strategic partners must be a living, breathing
agreement
•Frames the specific requirements
•Defines commercial agreement including service level agreements (SLA)
•Specifies the standards, policies and procedures that must be followed
•Specify governance, reporting, and “T’s and C’s”
•How does the client then share the regulatory compliance requirements?
•Shared QMS – Quality Management System
•A modular QMS allows the partners to share, monitor and measure the
effectiveness and the ability to demonstrate compliance
People Process Systems
Public - Slide 28
Creating a modular Quality Management System (QMS)
1. Client maintains overall responsibility for the QMS and
accountability to the regulator, BUT elements (“modules”) can be
managed individually
2. The contract will specify the applicable QMS modules for which the
vendor is responsible
3. Those modules must be documented and mutually agreed
4. Client and Vendor personnel must be trained on the appropriate QMS
modules
5. The entire QMS must be maintained under robust change control
Public - Slide 29
Key takeaways from Module 3
1. A QMS incorporates People, Processes and Systems
2. When considering outsourcing, a QMS should be modular to allow
responsibility to be delegated to the vendor
3. Overall QMS accountability always remains with the client
4. Don’t assume that your regulatory responsibilities will be shared by
your vendor
5. The contract should be the mechanism by which the client’s regulatory
requirements are delegated to the vendor
6. The QMS should include evidence of vendor performance to
compliance requirements
7. Compliance can be outsourced with the right approach!
Public - Slide 30
Closing
Thoughts
Public - Slide 31
When outsourcing goes wrong, it can really go wrong…
Lack of vendor accountability for meeting compliance requirements
can lead to catastrophic failures
•Increased regulatory scrutiny
•Brand and reputational damage
•Financial penalties
•Commercial sanctions
•Destruction of assets
•Environmental impacts
•Severe detriment to market position
•Impaired ability to continue as a ‘going concern’
•Loss of Life
Prevention is the best medicine
Public - Slide 32
…but if you get it right, there are many benefits
•Enables the whole business to achieve objectives
•Commercial “wins” for both client and vendor
• Increased knowledge base and access to subject matter expertise
•Flexible / scalable delivery of services
• Increased visibility and transparency
•Reduced risk of outsourcing
•Maintained or improved quality results
•Consistency through the use of your vendor as an ‘agent of change’
•Reduced assurance overheads
…yes it can be done!
Public - Slide 33
Closing thoughts
1. Get a seat at the table – EARLY
2. Select a vendor with a proven track record of satisfying
compliance requirements for other similar clients
3. Don’t lose all of your compliance subject matter expertise – it’s
still YOUR risk
4. Ensure your compliance requirements are included within any
contract – don’t assume
5. Consider your vendor an extension of your control environment
6. Provide your vendor a framework – avoid micromanagement
7. Monitor from the outset – express any contractual rights to audit
Public - Slide 34
Questions and Answers
Public - Slide 35
Contact Details
Janet K Himmelreich
BT Global Services
Client Compliance Services Centre of Excellence
Head
Email: [email protected]
Steve J Kilmister
BT Global Services
Client Compliance Services Centre of Excellence
Operations and Assurance Director
Email: [email protected]
Public - Slide 36
Additional Materials
Public - Slide 37
Biography
Janet Himmelreich, CCEP Head, Client Compliance Services
Centre of Excellence - BT Global Services
Janet K. Himmelreich leads the BT Global Services Client Compliance Services Centre of Excellence. BT is a UK based global
telecommunications service provider currently providing services to some 8,500 global organisations and the majority of the
Forbes top 500 global companies. Janet joined BT in 2005 as Chief Compliance Officer dedicated to the first Pharmaceutical
customer that contracted with BT to manage its entire network and telecommunications enterprise including contractual
regulatory compliance obligations that are shared with the customer. Since 2005, the team that provides these services has
increased to over 30 professionals worldwide and provides services to customers around the world.
Janet is a well regarded expert in the delivery of compliant services drawing on more than 25 years of consulting experience in
the healthcare field prior to joining BT. As a Subject Matter Expert in physician billing, fraud and abuse, Medicare and Medicaid
regulations, integrated healthcare delivery systems and HIPAA compliance in health systems and health plans, she served as
an expert witness and provided Independent Audit services to healthcare entities as well as the US Department of Health and
Human Services.
In addition to her leadership role for the CCS CoE, Janet serves in a governance role for several of the large customer contracts
with compliance obligations. This role is part of the executive leadership for several customer contracts. She also leads the
team that has developed the approach and method used for BT’s innovative and market leading proposition known as BT for
Life Sciences R&D Compute and the specific proposition that provides a compliance “wrap” to the standard services known as
“Conform.”
Her educational background combines a BA, MA and MBA with a certification through the Society of Corporate Compliance and
Ethics as a Certified Compliance and Ethics Professional. Within BT she is a member of the Data Protection Forum, the
Programme Control Board for BT for Life Sciences and is a key participant in the COO Team for BT Global Services’ vertical
known as Global Commerce. In her role she is responsible for business development, innovation as well as delivery of
contracted services for heavily regulated industries.
Public - Slide 38
Steve Kilmister Operations and Assurance Director
BT Global Services
Biography
Steve Kilmister currently serves as the Operations and Assurance Director for the BT Global
Services Client Compliance Services Centre of Excellence. BT is a UK based global
telecommunications service provider currently providing services to some 8,500 global
organisations and the majority of the Forbes top 500 global companies.
Steve has over 10 years of experience developing and delivering internal assurance
programmes in partnership with leadership teams, business management and operations teams
and has over 7 years of experience in providing internal and external assurance over the
compliance programmes that BT operates for its clients operating in heavily regulated
industries. He is responsible for designing and implementing the Quality Management System
Assurance function within the Client Compliance Services Centre of Excellence and is
accountable for internal quality assurance, audit management and facilitation, quality
monitoring, continuous improvement and security governance.
Steve is a respected leader, manager and subject matter expert recognised by clients and
peers alike for his passion for assurance, compliance and ethics. He believes in the ability to
manage the business risk of compliance through business as usual commitment to quality.
Public - Slide 39
Sources Consulted
The Outsourcing Handbook: How to Implement a Successful Outsourcing Process
Mark Power, Carlo Bonifazi, Kevin C. Desouza, (2006) Kogan Page
“The ten outsourcing traps to avoid”
Mark Power, Carlo Bonifazi, Kevin C. Desouza, (2004) Journal of Business Strategy, Vol. 25 Iss: 2
“The Boeing Debacle: Seven Lessons Every CEO Must Learn”
Steve Denning, http://www.forbes.com/sites/stevedenning/2013/01/17/the-boeing-debacle-seven-lessons-every-ceo-must-learn/
“Outsourcing - Right or Wrong? 9 Key Questions”
Adam Hartung, http://www.forbes.com/sites/adamhartung/2010/09/30/outsourcing-right-or-wrong-9-key-questions/
“Outsourcing Ins And Outs”
Ed Sperling, http://www.forbes.com/2008/08/10/cio-doerr-savvis-tech-cio-cx_es_0811doerr.html
COSO
http://www.coso.org/
bt.com/globalservices