19/05/2014
1
Public - Slide 1
19 May 2014. Version 1.0
SCCE Session 202: Are your vendors meeting YOUR compliance requirements?
Janet Himmelreich, CCEP, CCEP-I
BT Head of Client Compliance Services (CCS)
Steve Kilmister, CCEP-I, BT CCS Operations and Assurance Director
Public - Slide 2
Objectives of session
• Has a vendor been selected to manage a function for your company, or has a department been outsourced? If so, were your compliance requirements identified and included?
• Are you, or were you, consulted regarding an outsource?
• Was a vendor option scrapped due to concerns that a vendor couldn’t possibly meet your compliance requirements?
Discuss the compliance conundrum to understand the dilemma you face as Compliance Officers:
Identify ways to flow compliance requirements to your vendors
• Key controls – how internal controls demonstrate quality and compliance
• Assessment activities
• Cost efficient assessment and assurance
Learn a strategy to ensure YOUR requirements are being met
Answer the question – can you solve the compliance conundrum?
Have five things to do when you leave this session
Public - Slide 3
Agenda
A role play “Outsourcing with YOUR compliance requirements”
Module 1 – The “Compliance Conundrum”
Module 2 - Flow downs
Module 3 – How to de-risk outsourcing with Key Controls and Assurance
Closing Thoughts
Five things to do when you leave this session
Questions and Answers
Additional Information
Public - Slide 4
Outsourcing Services when you have compliance obligations
How many of you recognise this conversation?
Role Play
Public - Slide 5
J.S. Inc.
I’m Steve Kilmister, COO for J.S. Inc. …
Challenges
• Need to keep non-core spending flat; goal is to enable our pipeline to mature and revenue to grow from a new product launch
• We agreed the area of the business where we can achieve cost savings AND improve our internal operations to gain efficiencies is in our IT Department
• The dilemma is how to create an ‘agile’ strategy to support the explosive growth in BYOD and the need for security of our IP
• These represent parallel and conflicting demands upon an IT team that we have constrained to a fixed budget
J.S. Corporate Profile
• A blue-chip global company operating in 70 countries worldwide, across 250+ locations; the CEO has asked the management team to consider outsourcing to lower costs
Intended Benefits
• Cut costs but not quality, and ensure the ability to budget going forward
• Responsiveness to the needs of the business by access to a breadth of skills and resources globally – consistent framework put in place
• Centralized management, including program and project management, to ensure the solution is within budget but is also accessible
• Greatly improve the speed and the security of our IT infrastructure to “best in class”
• Enable “Bring Your Own Device” and still secure our Intellectual Property
Solution
• Outsource the management of existing IT services and all suppliers to a single supplier/vendor
• Migrate technical people and equipment assets to a qualified service provider who takes ‘ownership’ – has decision making authority
• Require a standardized infrastructure all over the world so that anyone in the company can work anywhere and it will be fast and efficient
• Measure performance and define SLAs to business needs via a contract – thus, we need an RFP and a team to solicit the right vendor
Public - Slide 6
J.S. Inc.
I’m Janet Himmelreich, Chief Compliance Officer for J.S. Inc. …
Challenges
• Compliance has also been challenged to reduce costs
• Local processes not aligned to corporate compliance strategy
• Senior management “talking the talk” not “walking the walk”
• Adherence to processes still inconsistent
• Training people around the world in local language is expensive and time consuming
• We know our competitors have had problems in their IT departments when they outsourced
J.S. Compliance Profile
• We’ve been struggling to maintain compliance in light of internal restructuring, reducing budgets and increasing scrutiny by regulators.
Consequences
• Fiduciary responsibility to the board
• Fines & Penalties
• Brand and reputational impacts
• Increased costs through required remediation actions
• Speed and agility at the cost of quality and control
• Unending audit cycles – costly and time consuming
In light of all of this, how could we ever consider outsourcing?
Regulatory Imperatives
• Compliance Organization and ethics code of conduct now required by law
• Anti-bribery and corruption training
• Sarbanes-Oxley reporting
• Industry specific Health and Safety
• Governmental Reporting
• Data Protection and Privacy
• Enforcement has really been stepped up since the UK Anti-bribery Act
• Increasing scrutiny in our industry in IT because of security concerns and data breaches
Public - Slide 7
J.S. Inc.
The “CEO” of J.S. Inc.
J.S. CEO/CIO Statement to the COO & CCO
• We have to give a plan to the board that explains how we are going to demonstrate £xM worth of savings by FY 2015/16 – SO YOU BETTER GET YOUR ACTS TOGETHER OR… YOU’RE FIRED!
The way forward…
• A person from the Compliance team will be a member of the outsourcing steering committee
• Compliance, Quality and Security requirements provided early to procurement
• Procurement will only use recognized vendors in our field
• Client and Vendor business cases will be aligned
• Assure a strategic partnership with vendor
• Know how the vendor will meet the compliance requirements
• Ensure Legal interests are represented and consistent
• We will maintain internal monitoring and assurance
Public - Slide 8
Module 1 – Solving the Compliance Conundrum
Public - Slide 9
The Compliance Conundrum defined
[Figure: examples of regulatory regimes – GxP; Bribery (FCPA, SFO); Proceeds of Crime Act]
Increasing worldwide regulations across all industries and a heightened focus on the enforcement of their requirements, combined with pressure to reduce costs in line with challenging economic conditions
Public - Slide 10
Why the conundrum? Why so important now?
• Increasing regulations – 14,000 regs. & guidelines in 2013 alone!
• Increased enforcement
• Worldwide economic pressures
• Use of lower cost economies
• Media attention on previous failures
• Industry specific economic pressures, e.g. Pharma patent cliff
• Increased fines & penalties
• Multi-national operations difficult to track, trace & audit
The need to balance controlling costs while maintaining compliance
Public - Slide 11
The Compliance Conundrum Continued
“No matter what industry you are in, you need to look at key attributes when evaluating an outsourcing vendor. First, you need to know that the vendor can meet compliance standards for your industry.”
The Outsourcing Handbook; Kogan Page, Ltd 2006
What can you, as a Compliance and Ethics Professional, do to influence the decisions and address the conundrum? Your goal is to meet the business imperatives while ensuring the compliance requirements are met.
“The enormous pressure to improve shareholder value often results in a strategic business decision to outsource, however, managers must look… …beyond rudimentary cost calculations focused on short-term profit, such as the cost of labour or the ex-factory cost and incorporate the total cost and risk of extended international supply chains.”
The Boeing Debacle – Forbes Website 2013
“Government regulations will continue to be enforced and companies will need to adapt and find better, more efficient ways to handle compliance, legal and financial risk.”
IAOP Top 10 Outsourcing Trends for 2013
Public - Slide 12
Responding to the Compliance Conundrum
• Organisations have no choice but to respond to this conundrum
• So, what are the options…
  • Reduce workforce?
  • Use lower cost economies?
  • Automate functions?
  • Outsource?
  • Specialise & Simplify?
• A growing trend is for organisations to consider outsourcing elements of their business to external vendors who are able to provide the same or better service at a lower cost, to allow the organisation to focus on their core business.
• But… in this scenario, how do you ensure your compliance obligations are met?
Public - Slide 13
To answer the question….
It depends on what, exactly, you are going to use a vendor for:
• Understand the strategic business case
• Make sure your compliance team are part of the evaluation team – from the beginning
• If the function/service being considered impacts your regulatory compliance requirements, then the competence of the suppliers being considered, as well as a formal written agreement, must be in place – e.g. EU data privacy and protection
In general, what areas are considered?
• Core business functions that are well-known and understood – e.g. payroll and some HR functions
• Non-core functions that can be obtained more cheaply and efficiently from well known sources – e.g. manufacturing processes
• Key business functions that, if outsourced to a vendor, will enable cost, efficiency, agility and innovation capabilities that allow the organization to focus more resources on strategic initiatives
In our experience, Compliance, Quality and Security Governance teams are too often not consulted at all, or are consulted very late in the process
Slide 14 - Internal - © BT Plc. 2014
Increasingly, compliance obligations drive requirements to vendors
Continual spotlight on corporate malfeasance keeps the emphasis on corporate compliance and ethics programs that are supposed to prevent just the malfeasance that makes the news every day.
Compliance programs are required today in many laws and, if not outright required, are highly recommended or part of the implementation regulations – the most well known are the US Federal Sentencing Guidelines and the UK Anti-bribery Adequate Procedures.
Evidencing compliant behavior and robust detection programs is essential for companies expanding into new economies/markets in order to operate in a multitude of geographies with massive numbers of local and regional rules and recommendations.
Thus, companies need to assess what their vendors can do, are doing and might do regarding requirements, and then determine how their performance will be evaluated – properly constructed controls enable assessment or audit to provide evidence and demonstrate quality and compliance oversight internally and externally.
“A sound compliance program is a key component required to build a risk-resilient organization. An effective program fosters resilience by both (1) creating the breathing space necessary to absorb shocks and allow for thoughtful responses to events…..considered responses to events as they occur and (2) helping establish the adaptive capacity needed to exploit new opportunities.”
PwC report 2013
Public - Slide 15
Procurement
• The internal procurement or evaluation team should always gather upfront performance and capability requirements
  • Including core compliance, security and quality principles
  • Which are frequently overlooked or given a “minority” status in the evaluation considerations
• Large outsourced agreements are often driven by the C-level and managed by Procurement
  • Procurement tends to focus on costs, service level agreements, typical Terms and Conditions, billing terms, taxation and data privacy
• Frequently, at the very end of protracted negotiations, Legal review can then introduce Quality, Compliance and Security items
  • Resulting in additional requirements that were not accounted for in either party’s business case
Public - Slide 16
Success Factors for Strategic Partnerships
• The Client must embrace change
  • Different ways of working, different cultures and ethnicities
• Good negotiating and relationship building
  • 5% inspiration and 95% perspiration
• It is hard work, requiring commitment and transparency
Ten common traps of outsourcing*
1. Lack of management commitment
2. Minimal knowledge of outsourcing methodologies
3. Lack of an outsourcing communications plan
4. Failure to recognize outsourcing business risks
5. Failure to tap into external sources of knowledge
6. Not dedicating the best and brightest internal resources
7. Rushing through the initiative
8. Not appreciating cultural differences [people & companies]
9. Minimizing what it will take to make the vendor productive
10. Poor relationship management programs
*Based on Power, Bonifazi and Desouza (2004)
Public - Slide 17
Key takeaways from Module 1
One approach to the financial side of the conundrum is to consider using a vendor to perform some functions
It is key that Compliance and Ethics professionals get a seat at the table early in the process of evaluation – depending on the size and what is being considered, being part of the team may be crucial
There are service providers and then there are service providers – evaluate the credentials and knowledge in your field as well as speaking to their customers to assess if the vendor is a match to your requirements
Part of the evaluation and the long term relationship should include how the vendor’s performance regarding activities impacting compliance will be evaluated and measured
Good contracting in this environment needs to specify what the vendor will be doing for you regarding compliance activities, and how it will be assessed and managed – this brings us to Module 2 – Flowing “down” your requirements
Public - Slide 18
Flowing down your requirements to your vendors
Module 2
Public - Slide 19
Compliance Requirements Flow Down
[Figure: Regulator → Client Organization → Contract → Vendor → Delivery Partner → Delivery Partner]
In the majority of cases there will be no direct link from the client’s regulator to the vendor.
Therefore, it is essential that the flow of compliance requirements is maintained by use of contractual terms and conditions.
One of the biggest mistakes organisations make is to simply “assume” that their vendors will meet their quality and compliance requirements
Public - Slide 20
Specific requirements need to really be specific
• A contract between strategic partners must be a living, breathing agreement
  • Frames the specific requirements
  • Defines commercial terms including service level agreements (SLA)
  • Specifies the standards, policies and procedures that must be followed
  • Specifies governance, reporting, the meanings of terms
  • “T’s and C’s” (terms and conditions)
• Specific duties and/or activities that impact your compliance may be delegated to the service provider, such as:
  • Managing personally identifiable data on your behalf
  • Manufacturing items to your specifications
  • Using minerals on your behalf that are subject to specific monitoring – e.g. diamonds
  • Delivering items that have specific time frames that must be met (blood, nuclear isotopes)
  • Managing an environment for you that must meet specific regulatory requirements – such as FDA for pharmaceuticals or medical device companies
  • Producing reporting of controls that will indicate conformance to regulations such as SOX
• Once defined, the relevant policies and procedures that underpin the requirements should be provided by or referenced from the contract, with specifications as to how to update them over time
Public - Slide 21
What can you do to ensure YOUR requirements are flowed through to your vendors?
• Identify ALL requirements upfront
• Institute a partnership governance model early on that includes compliance – at all levels
• Do not get rid of all your internal knowledge and expertise – you still need to manage the vendor and assure the work
• Be clear and specific about those requirements – including those policies and processes that the vendor must follow
• Require cohesive oversight and quality control in a multi-vendor environment
• Assure audit and monitoring is part of the solution that is developed by the vendor
• Require that activities impacting the identified compliance activities are also flowed from your primary vendor to any of its partners
• Include a Quality Management System* (QMS) in your agreement
• Contract properly
Public - Slide 22
Key takeaways from Module 2
Complex and key components that are outsourced to a vendor require a strategic partnership with well-defined governance
The contract must be clear as to what frames or underpins the responsibility and decision making of the vendor
Any policies and processes the vendor needs to comply with should be identified and made available as soon as possible in order to maintain a transparent and fair relationship
Ensure the vendor clearly understands the compliance requirements, and can specifically demonstrate (evidence, not words) their ability to meet these
The flow downs should be continued right on down from the primary vendor to any of its partners
A strategy to monitor and measure the performance needs to be part of the contract – which brings us to Module 3 – Internal Controls and Assurance
Public - Slide 23
Module 3 – Internal Controls & Assurance
Public - Slide 24
Key Internal Controls – Level Set
• The most widely accepted definition is by COSO* (Committee of Sponsoring Organisations of the Treadway Commission):
  • Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide “reasonable assurance” regarding the achievement of objectives in the following categories:
    • Effectiveness and efficiency of operations
    • Reliability of financial reporting
    • Compliance with applicable global or local laws and regulations
    • Safeguarding of assets
• The COSO framework involves several key concepts:
  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It’s not merely policies, manuals, and forms, but people at every level of an organisation.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
* Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI).
Public - Slide 25
The Importance of Internal Controls when working with Vendors
• A detailed understanding of your internal control landscape will ensure you know what you are asking your vendor to deliver against
• Decide the extent to which “how” your vendors deliver is important
  • Defining how the vendors must satisfy the requirements will create consistency across vendors and likely reduce the internal costs of managing the vendors.
  • However, this will increase the costs to the vendors and reduce their ability to leverage “standard” services, thus it could increase their overall pricing (understand the business case)
• Using a recognized industry standard to map controls between organizations can help leverage third-party assurance activities as an additional monitoring mechanism on vendor performance
Public - Slide 26
Control Mapping
[Figure: Vendor Contract; Client Control Framework; In-scope Controls; External Control Framework; Vendor Control Framework – the client and vendor control frameworks are mapped to each other through an external control framework, with the in-scope controls defined by the vendor contract]
What should be mapped is not just the control wording but the control objective.
Slide 27
Assuring the services provided by your Vendor
Public - Slide 28
Assuring the services provided by your Vendors
• When delegating portions of your regulatory responsibility to a vendor, it’s important that you (and your Auditors) know they are meeting your requirements
• The first stage for this is to ensure that “The right to Audit” is included within any contractual arrangement with your vendors
• Trust between the client and vendor has to be built over time, and has to rely during the early stages of the engagement on evidenced assurance
• Consider who will provide you with the assurance:
  • Your own assurance team
  • A contracted third party audit function
  • The vendor’s assurance organisations
• Consider re-use of existing audit/assurance evidence, such as certification to internationally recognised standards
Public - Slide 29
The Three Lines of Defense
Management Oversight
• The marketplace is turning to ‘Quality’ to ensure and demonstrate compliance
• Be clear how you will assure the services provided meet your compliance requirements
• Using vendor assurance mechanisms can be very cost effective
• Trust must be built over time
Public - Slide 30
Assurance during Outsourcing
[Figure: assurance plotted against time across successive BAU* periods, each showing the Vendor’s own assurance alongside Client & External Review]
Trust but verify
*Business as Usual
Public - Slide 31
Key takeaways from Module 3
Know your internal control landscape before your outsourcing requirements are defined
Using an industry standard control framework can help to bring the control frameworks of the client and vendor together
The intent behind the controls is key to assuring a quality performance; internal control involves people, not just a series of policies/processes
Specify how you will assure vendor performance against your compliance requirements; ensure these are contractual obligations.
Consider transitioning to vendor assurance mechanisms to leverage cost efficiencies as trust develops over time
A shared control framework is a proven strategy to assuring you know your vendor is meeting YOUR requirements
Public - Slide 32
Concluding Thoughts
Including:
Five things you can do whenyou leave this conference
Public - Slide 33
When things go wrong, they can really go wrong…
Lack of vendor accountability for meeting compliance requirements can lead to catastrophic failures
• Increased regulatory scrutiny
• Brand and reputational damage
• Financial penalties
• Commercial sanctions
• Destruction of assets
• Environmental impacts
• Severe detriment to market position
• Impaired ability to continue as a ‘going concern’
• Loss of life
Prevention is the best medicine
Public - Slide 34
…but if you get it right, there are many benefits
•Enables the whole business to achieve objectives
•Commercial “wins” for both client and vendor
• Increased knowledge base and access to subject matter expertise
•Flexible / scalable delivery of services
• Increased visibility and transparency
•Reduced risk of outsourcing
•Maintained or improved quality results
•Consistency through the use of your vendor as an ‘agent of change’
•Reduced assurance overheads
…your vendor can help you meet your requirements more cheaply
Public - Slide 35
You can solve the compliance conundrum
• Increasing financial pressure to reduce costs and maximise profits is almost certain to continue
• Technology continues to improve and enable things previously not thought possible – do the potential benefits outweigh the potential risks?
• The world is so much more connected today that there is little room for error – including your vendors in your compliance program and ensuring enforcement helps you to minimize risks of bad publicity, as you can react and mitigate before an issue becomes a problem
• There is more to outsourcing than simply reducing heads or using a lower cost economy’s resources to perform work on your behalf – it is crucial to get a seat at the table to ensure the compliance requirements and risks are considered in the business case
• A service provider experienced in your industry requirements that has done it before can be an excellent strategic partner in achieving your business case without impacting your compliance objectives
• It can be a change agent to ensure consistency across the whole of your estate
Public - Slide 36
Five things you can do when you leave this conference
1. Brainstorm to assess the key regulatory issues or responsibilities that may be included in what your vendors do for you – e.g. data handling, SOX financial controls and manufacturing standards; then list out YOUR requirements
2. Meet procurement/legal to ascertain what your current base contracts with vendors include; also look into standard RFP requirements and assess whether your requirements are adequately addressed
3. Liaise with Dept. Heads about areas of the business already outsourced to a vendor; identify any areas under consideration in the near future – get a seat at the next table and establish a defined role for compliance
4. Develop a plan, based on a risk assessment, to present to your management for managing vendors that may be involved now or in the future in delivering YOUR requirements
5. This is a great opportunity for a compliance department to demonstrate value – assure management that “yes – we can outsource that” rather than just saying “no”, by incorporating this strategy into your Annual Compliance Plan
Public - Slide 37
Questions and Answers
Public - Slide 38
Contact Details
Janet K Himmelreich
BT Global Services
Client Compliance Services Centre of Excellence
Head
Email: [email protected]
Steve J Kilmister
BT Global Services
Client Compliance Services Centre of Excellence
Operations and Assurance Director
Email: [email protected]
Public - Slide 39
Additional Materials
Public - Slide 40
Biography
Janet Himmelreich, CCEP, CCEP-I, Head, Client Compliance Services
Centre of Excellence - BT Global Services
Janet K. Himmelreich leads the BT Global Services Client Compliance Services Centre of Excellence. BT is a UK based global telecommunications service provider currently providing services to some 8,500 global organisations and the majority of the Forbes top 500 global companies. Janet joined BT in 2005 as Chief Compliance Officer dedicated to the first Pharmaceutical customer that contracted with BT to manage its entire network and telecommunications enterprise, including contractual regulatory compliance obligations that are shared with the customer. Since 2005, the team that provides these services has increased to over 30 professionals worldwide and provides services to customers around the world.
Janet is a well regarded expert in the delivery of compliant services, drawing on more than 25 years of consulting experience in the healthcare field prior to joining BT. As a Subject Matter Expert in physician billing, fraud and abuse, Medicare and Medicaid regulations, integrated healthcare delivery systems and HIPAA compliance in health systems and health plans, she served as an expert witness and provided Independent Audit services to healthcare entities as well as the US Department of Health and Human Services.
In addition to her leadership role for the CCS CoE, Janet serves in a governance role for several of the large customer contracts with compliance obligations. This role is part of the executive leadership for several customer contracts. She also leads the team that has developed the approach and method used for BT’s innovative and market leading proposition known as BT for Life Sciences R&D Compute and the specific proposition that provides a compliance “wrap” to the standard services, known as “Conform.”
Her educational background combines a BA, MA and MBA with a certification through the Society of Corporate Compliance and Ethics as a Certified Compliance and Ethics Professional. Within BT she is a member of the Data Protection Forum, the Programme Control Board for BT for Life Sciences, and is a key participant in the COO Team for BT Global Services’ vertical known as Global Commerce. In her role she is responsible for business development, innovation as well as delivery of contracted services for heavily regulated industries.
Public - Slide 41
Steve Kilmister, CCEP-I, Operations and Assurance Director
BT Global Services
Biography
Steve Kilmister currently serves as the Operations and Assurance Director for the BT Global Services Client Compliance Services Centre of Excellence. BT is a UK based global telecommunications service provider currently providing services to some 8,500 global organisations and the majority of the Forbes top 500 global companies.
Steve has over 10 years of experience developing and delivering internal assurance programmes in partnership with leadership teams, business management and operations teams, and has over 7 years of experience in providing internal and external assurance over the compliance programmes that BT operates for its clients operating in heavily regulated industries. He is responsible for designing and implementing the Quality Management System Assurance function within the Client Compliance Services Centre of Excellence and is accountable for internal quality assurance, audit management and facilitation, quality monitoring, continuous improvement and security governance.
Steve is a respected leader, manager and subject matter expert, recognised by clients and peers alike for his passion for assurance, compliance and ethics. He believes in the ability to manage the business risk of compliance through business as usual commitment to quality.
Public - Slide 42
Sources Consulted
The Outsourcing Handbook: How to Implement a Successful Outsourcing Process – Mark Power, Carlo Bonifazi, Kevin C. Desouza (2006), Kogan Page
“The ten outsourcing traps to avoid” – Mark Power, Carlo Bonifazi, Kevin C. Desouza (2004), Journal of Business Strategy, Vol. 25 Iss: 2
“The Boeing Debacle: Seven Lessons Every CEO Must Learn” – Steve Denning, http://www.forbes.com/sites/stevedenning/2013/01/17/the-boeing-debacle-seven-lessons-every-ceo-must-learn/
“Outsourcing - Right or Wrong? 9 Key Questions” – Adam Hartung, http://www.forbes.com/sites/adamhartung/2010/09/30/outsourcing-right-or-wrong-9-key-questions/
“Outsourcing Ins And Outs” – Ed Sperling, http://www.forbes.com/2008/08/10/cio-doerr-savvis-tech-cio-cx_es_0811doerr.html
COSO – http://www.coso.org/
bt.com/globalservices