Turning Compliance into Opportunity

1
Turning Compliance into Opportunity

• How to Leverage Regulatory Requirements to Create
  Other Efficiencies

Karen Kronauge CIA, MBA Director of
policyIQ Resources Global Professionals
2
Some Numbers to Ponder

• 20 New laws enacted throughout the world in the
  2 years following 9/11 that impact how
  organizations gather and disseminate information
• 5.8 US in Billions that are estimated to be
  spent in 2005 alone on compliance with the
  Sarbanes-Oxley Act of 2002
• 2 Primary reasons to address governance
  mitigation of risk an optimization of
  operations
• 1 The number of additional years (maximum) that
  non- accelerated filers recently received to
  comply with the Sarbanes-Oxley Act of 2002
• Estimate by AMR Research

3
Global ImpactGlobal regulations regulatory
bodies
Industry USA Canada Europe AsiaPac
Telecom CRTC CCITT, OFTEL
Financial Services CFTC, FDICIA, FRB, NAIC, NASD, OSFI, SEC CCA, FSA, GCIS, IMF, Basel
Pharmaceuticals FDA, TPD CPMP, EMEA
Engineering APQP, QS ISO9000, ISO14000
Government DoD, PIPEDA, RDIMS PRO, VERS
Healthcare Insurance HIPAA
Cross-Industry COCO, OSHA, SEC, SOX, Bill 198 (Canada) King II, KonTraG, Legge 321, LSF, Turnbull
4
Common Threads

• Identification of business risks
• Documentation of business processes
• Systems to house the information centrally
  knowledge management

5
1. Enterprise Risk Management (ERM)
Risk1
Risk2
Risk3
Risk4
Risk5
Control1
Control3
Control5
Control7
Control2
Control4
Control6
6
Melcalfes Law for Enterprise Content Management
Value
Value of network Connections2
People Connections
7
2. Documentation of Business Processes (incl.
policy)3. Knowledge / Content Management System

• Increases productivity and accuracy
• Automates business processes
• Replaces paper
• Reduces liability

8
Problems occur when one or more of the following
are present

• Failure to plan for multi-regulatory environment
• Little rationalization of various regulations
  (e.g., SOX w/ EU Data Protection Directive, GLB,
  HIPAA, New Exchange rules, etc )
• Focus on IT policies and procedures, without
  detailed understanding of whether the systems are
  in compliance with the policies
• Leads to regulatory non-compliance and charges of
  deceptive practices
• Failure to adequately inventory the key
  information systems and extended entity IT
  sharing relationships
• collecting and documenting all key application
  and general computer controls how information
  is shared with affiliates, subsidiaries, and
  joint ventures.
• Focus is only concentrated on financial line item
  mapping to the control activities without
  consideration of IT Infrastructure and COSO
  entity level controls.

16
9
Content Management Infrastructure Alternatives

• High-Tech
• Policy Management Software
• Knowledge Management Platforms

• Mid-Tech
• Intranet Site
• E-mail

• Low-Tech
• Binders and Manuals
• Hard-copy documentation

Which does your company use?
How easy is it for you to communicate changes in
policy or procedure?
10
Knowledge Management Infrastructure Alternatives

• Low-Tech
• Binders and Manuals
• Hard-copy documentation

11
Knowledge Management Infrastructure Alternatives

• Mid-Tech
• Intranet Site
• E-mail

12
Knowledge Management Infrastructure Alternatives

• High-Tech
• Policy Management Software
• Knowledge Management Platforms

13
Defining Content Management
The content management process is a continuous
cycle similar to the sales, expenditure, and
payroll cycles.
Review
?
Publication
Authoring
?
?
Content Management Process
?
?
Revision
Communication
?
Compliance
14
Effective Content Management
The Effective Content Management best practice
consists of 10 steps positioned throughout the
policy management process.
? Control Issuing Authority
? Delegate Responsibility
? Organize Logically
? Be Clear and Concise
Review
?
Publication
Authoring
?
?
Content Management Process
? Provide Central Access
? Communicate Updates Timely
? Document Changes
?
?
Communication
Revision
?
Compliance
? Document Test Compliance
? Force Periodic Review
? Encourage Feedback
15
Make the content easy to read and understand

• Define
• Benefits
• Challenges

• Shorter is better
• Separate policy from procedure
• Easier to update
• Easier to share between activities and
  departments
• Faster to find information
• Sharing content requires mgmt process
• Building a puzzle

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

16
Delegate responsibilities and empower employees
to develop content

• Define
• Benefits
• Challenges
• Notes

• Remove bottleneck
• Reserve publishing control
• Faster completion
• Different perspectives
• Personal development
• Motivate contributors
• Different writing styles
• Similar to writing your own evaluation
• Good project in down-time

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

17
Control who has the authority to issue certain
content types

• Define
• Benefits
• Challenges

• Restrict publishing authority to management
• Balance empowerment with control
• Improve efficiency while maintaining control
• Documentation of review provides audit trail
• Empowerment requires periodic audit

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

18
Organize content in a logical way

• Define
• Benefits
• Challenges

• Organize by context
• Avoid organizing alphabetically, by issue date,
  or by document number
• Improves employee understanding
• Better able to lead employees to related content
• Easier to identify gaps
• More difficult than other methods

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

19
Provide a central place to access all content

• Define
• Benefits
• Challenges
• Notes

• One central place online or manual
• Reduces risk of employees reading old content
• Without technology, maintaining a central
  location can be time consuming
• Significant risk can exist

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

20
Communicate new content and updates as they occur

• Define
• Benefits
• Challenges

• Timely communication of each change or addition
• Right infrastructure provides faster
  implementation of business decisions
• Reduces repetitive questions
• Requires communication diligence
• Requires communication infrastructure

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updates timely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

21
Document and test employees review and
compliance with policies

• Define
• Benefits
• Challenges

• Require employee signoff on policies and
  procedures
• Use documentation as audit trail
• Improve control structure
• Address Sarbanes-Oxley
• Improve external audit efficiency
• Determine cost-effective balance between
  self-audit and internal audit

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

22
Provide feedback mechanism for employee questions
and comments

• Define
• Benefits
• Challenges
• Notes

• Provide method for asking questions
• Continuous policy improvement
• Improved employee morale
• Managing the feedback process
• Encouraging employee comments
• Best source of improvements / innovation

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

23
Force periodic review and update of all content
by their respective managers

• Define
• Benefits
• Challenges
• Notes

• Treat content review like cycle counting
  inventory
• Address biggest risk that policies become
  outdated
• Right way to force periodic review by managers
• Infrastructure to manage revisions
• Combine right infrastructure with stick (vs.
  carrot)

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

24
Track all content changes when, why, and who

• Define
• Benefits
• Challenges

• Comprehensive documentation of changes
• Control over prior revisions
• Audit trail eliminates confusion
• Powerful control when combined with right
  culture
• Requires diligence in documentation
• Basic infrastructure needed

1. Be clear and concise
2. Delegate responsibility
3. Control issuing authority
4. Organize logically
5. Provide central access
6. Communicate updatestimely
7. Document and test compliance
8. Encourage feedback
9. Force periodic review
10. Document changes

25
Knowledge Management Obstacles

• Not sure how to tackle such a big project
• Missing the necessary infrastructure to
  effectively manage the policies and procedures
• The business has succeeded to date in spite of
  its internal controls in spite of a lack of
  documented policies and procedures
• High employee turnover results in a project with
  no champion
• Other priorities and lack of time or resources
• Negative Content Cycle
• Management doesnt update policies because
  nobody reads them
• Nobody reads policies because they are outdated
  and irrelevant

26
Lessons Learned from the Past 2 Years

• Content management is more than a smart idea
• Business knowledge is related to all regulations
  (current and future)
• Advertise! What is the tone at the top?
• It takes a village to create content
• Work smart use technology
• Use the right tool for the job

27
Lessons Learned from the Past 2 Years
Indicators that internal communication has
improved

• Building relationships
• Sense of community
• Opportunities created for networking and sharing
  of best practices
• Trust fostered
• Participation encouraged from all staff
• Immediate feedback provided
• Everyone gets the same message at the same time
• Common understanding facilitated
• Team building encouraged

• Informed decisions enhanced through information
  sharing
• Achievements and contributions are celebrated and
  recognized
• Performance improved
• Improvements in efficiency and effectiveness of
  operations
• Face-to-face and two-way communications are
  emphasized
• Staff are empowered
• Learning and development opportunities created

28
How to Build Momentumby Bob Frelinger, Sun
Microsystems

• Get the word out in a meaningful way
• Demonstrate linkage between CobiT and process
  refinement methodologies adopted
• Consult with process owners to map their efforts
  to CobiT so that a common language is used
• IT Infrastructure Library used to deliver the
  how

29
Conclusions and Wrap-Up

• Content management is a verb, not a noun
• Enterprise content management is a strategy, not
  a product
• Always evaluate risk
• Change in culture is often necessary from We
  to I
• Involve everyone in the process
• Self-assessment approach for long-term (and for
  cost savings)
• Management commitment at all levels is critical
• Standardize, when possible
• Technology facilitates more widespread and
  effective communication
• E-mail is not enough

30
Questions?
31
Thank you kindlyfor your time today!