Title: Turning Compliance into Opportunity
Slide 1: Turning Compliance into Opportunity
- How to Leverage Regulatory Requirements to Create Other Efficiencies
Karen Kronauge, CIA, MBA
Director of policyIQ
Resources Global Professionals
Slide 2: Some Numbers to Ponder
- 20: New laws enacted throughout the world in the 2 years following 9/11 that impact how organizations gather and disseminate information
- 5.8: US$ in billions that are estimated to be spent in 2005 alone on compliance with the Sarbanes-Oxley Act of 2002
- 2: Primary reasons to address governance: mitigation of risk and optimization of operations
- 1: The number of additional years (maximum) that non-accelerated filers recently received to comply with the Sarbanes-Oxley Act of 2002
Estimate by AMR Research
Slide 3: Global Impact
Global regulations and regulatory bodies
Industry USA Canada Europe AsiaPac
Telecom CRTC CCITT, OFTEL
Financial Services CFTC, FDICIA, FRB, NAIC, NASD, OSFI, SEC CCA, FSA, GCIS, IMF, Basel
Pharmaceuticals FDA, TPD CPMP, EMEA
Engineering APQP, QS ISO9000, ISO14000
Government DoD, PIPEDA, RDIMS PRO, VERS
Healthcare Insurance HIPAA
Cross-Industry COCO, OSHA, SEC, SOX, Bill 198 (Canada) King II, KonTraG, Legge 321, LSF, Turnbull
Slide 4: Common Threads
- Identification of business risks
- Documentation of business processes
- Systems to house the information centrally: knowledge management
Slide 5: 1. Enterprise Risk Management (ERM)
[Diagram: risks (Risk1 to Risk5) and controls (Control1 to Control7)]
Slide 6: Metcalfe's Law for Enterprise Content Management
Value of network = Connections^2
[Chart: axis labels Value; People, Connections]
Slide 7: 2. Documentation of Business Processes (incl. policy)
3. Knowledge / Content Management System
- Increases productivity and accuracy
- Automates business processes
- Replaces paper
- Reduces liability
Slide 8: Problems occur when one or more of the following are present
- Failure to plan for multi-regulatory environment
- Little rationalization of various regulations (e.g., SOX w/ EU Data Protection Directive, GLB, HIPAA, New Exchange rules, etc.)
- Focus on IT policies and procedures, without detailed understanding of whether the systems are in compliance with the policies
- Leads to regulatory non-compliance and charges of deceptive practices
- Failure to adequately inventory the key information systems and extended entity IT sharing relationships
- Collecting and documenting all key application and general computer controls; how information is shared with affiliates, subsidiaries, and joint ventures
- Focus is only concentrated on financial line item mapping to the control activities without consideration of IT Infrastructure and COSO entity level controls
Slide 9: Content Management Infrastructure Alternatives
- High-Tech
  - Policy Management Software
  - Knowledge Management Platforms
- Mid-Tech
  - Intranet Site
  - E-mail
- Low-Tech
  - Binders and Manuals
  - Hard-copy documentation
Which does your company use?
How easy is it for you to communicate changes in policy or procedure?
Slide 10: Knowledge Management Infrastructure Alternatives
- Low-Tech
  - Binders and Manuals
  - Hard-copy documentation
Slide 11: Knowledge Management Infrastructure Alternatives
- Mid-Tech
  - Intranet Site
  - E-mail
Slide 12: Knowledge Management Infrastructure Alternatives
- High-Tech
  - Policy Management Software
  - Knowledge Management Platforms
Slide 13: Defining Content Management
The content management process is a continuous cycle similar to the sales, expenditure, and payroll cycles.
[Diagram: Content Management Process cycle; stages shown: Review, Publication, Authoring, Revision, Communication, Compliance]
Slide 14: Effective Content Management
The Effective Content Management best practice consists of 10 steps positioned throughout the policy management process.
- Control Issuing Authority
- Delegate Responsibility
- Organize Logically
- Be Clear and Concise
- Provide Central Access
- Communicate Updates Timely
- Document Changes
- Document and Test Compliance
- Force Periodic Review
- Encourage Feedback
[Diagram: Content Management Process cycle; stages shown: Review, Publication, Authoring, Communication, Revision, Compliance]
Slide 15: Make the content easy to read and understand
- Define
- Benefits
- Challenges
- Shorter is better
- Separate policy from procedure
- Easier to update
- Easier to share between activities and departments
- Faster to find information
- Sharing content requires mgmt process
- Building a puzzle
- Be clear and concise
- Delegate responsibility
- Control issuing authority
- Organize logically
- Provide central access
- Communicate updates timely
- Document and test compliance
- Encourage feedback
- Force periodic review
- Document changes
Slide 16: Delegate responsibilities and empower employees to develop content
- Define
- Benefits
- Challenges
- Notes
- Remove bottleneck
- Reserve publishing control
- Faster completion
- Different perspectives
- Personal development
- Motivate contributors
- Different writing styles
- Similar to writing your own evaluation
- Good project in down-time
Slide 17: Control who has the authority to issue certain content types
- Define
- Benefits
- Challenges
- Restrict publishing authority to management
- Balance empowerment with control
- Improve efficiency while maintaining control
- Documentation of review provides audit trail
- Empowerment requires periodic audit
Slide 18: Organize content in a logical way
- Define
- Benefits
- Challenges
- Organize by context
- Avoid organizing alphabetically, by issue date, or by document number
- Improves employee understanding
- Better able to lead employees to related content
- Easier to identify gaps
- More difficult than other methods
Slide 19: Provide a central place to access all content
- Define
- Benefits
- Challenges
- Notes
- One central place online or manual
- Reduces risk of employees reading old content
- Without technology, maintaining a central location can be time consuming
- Significant risk can exist
Slide 20: Communicate new content and updates as they occur
- Define
- Benefits
- Challenges
- Timely communication of each change or addition
- Right infrastructure provides faster implementation of business decisions
- Reduces repetitive questions
- Requires communication diligence
- Requires communication infrastructure
Slide 21: Document and test employees' review and compliance with policies
- Define
- Benefits
- Challenges
- Require employee signoff on policies and procedures
- Use documentation as audit trail
- Improve control structure
- Address Sarbanes-Oxley
- Improve external audit efficiency
- Determine cost-effective balance between self-audit and internal audit
Slide 22: Provide feedback mechanism for employee questions and comments
- Define
- Benefits
- Challenges
- Notes
- Provide method for asking questions
- Continuous policy improvement
- Improved employee morale
- Managing the feedback process
- Encouraging employee comments
- Best source of improvements / innovation
Slide 23: Force periodic review and update of all content by their respective managers
- Define
- Benefits
- Challenges
- Notes
- Treat content review like cycle counting inventory
- Address biggest risk that policies become outdated
- Right way to force periodic review by managers
- Infrastructure to manage revisions
- Combine right infrastructure with stick (vs. carrot)
Slide 24: Track all content changes: when, why, and who
- Define
- Benefits
- Challenges
- Comprehensive documentation of changes
- Control over prior revisions
- Audit trail eliminates confusion
- Powerful control when combined with right culture
- Requires diligence in documentation
- Basic infrastructure needed
Slide 25: Knowledge Management Obstacles
- Not sure how to tackle such a big project
- Missing the necessary infrastructure to effectively manage the policies and procedures
- The business has succeeded to date in spite of its internal controls, in spite of a lack of documented policies and procedures
- High employee turnover results in a project with no champion
- Other priorities and lack of time or resources
- Negative Content Cycle
  - Management doesn't update policies because nobody reads them
  - Nobody reads policies because they are outdated and irrelevant
Slide 26: Lessons Learned from the Past 2 Years
- Content management is more than a smart idea
- Business knowledge is related to all regulations (current and future)
- Advertise! What is the tone at the top?
- It takes a village to create content
- Work smart: use technology
- Use the right tool for the job
Slide 27: Lessons Learned from the Past 2 Years
Indicators that internal communication has improved:
- Building relationships
- Sense of community
- Opportunities created for networking and sharing of best practices
- Trust fostered
- Participation encouraged from all staff
- Immediate feedback provided
- Everyone gets the same message at the same time
- Common understanding facilitated
- Team building encouraged
- Informed decisions enhanced through information sharing
- Achievements and contributions are celebrated and recognized
- Performance improved
- Improvements in efficiency and effectiveness of operations
- Face-to-face and two-way communications are emphasized
- Staff are empowered
- Learning and development opportunities created
Slide 28: How to Build Momentum, by Bob Frelinger, Sun Microsystems
- Get the word out in a meaningful way
- Demonstrate linkage between CobiT and process refinement methodologies adopted
- Consult with process owners to map their efforts to CobiT so that a common language is used
- IT Infrastructure Library used to deliver the "how"
Slide 29: Conclusions and Wrap-Up
- Content management is a verb, not a noun
- Enterprise content management is a strategy, not a product
- Always evaluate risk
- Change in culture is often necessary from "We" to "I"
- Involve everyone in the process
- Self-assessment approach for long-term (and for cost savings)
- Management commitment at all levels is critical
- Standardize, when possible
- Technology facilitates more widespread and effective communication
- E-mail is not enough
Slide 30: Questions?
Slide 31: Thank you kindly for your time today!