
CCS-SCCE-Are your vendors meeting YOUR compliance V 1-5 · Department • The dilemma is how to...

Date post: 17-Jun-2020
Transcript
Page 1: CCS-SCCE-Are your vendors meeting YOUR compliance V 1-5 · Department • The dilemma is how to create an ‘agile’ strategy to support the explosive growth in BYOD and need for

19/05/2014

1

CCS PowerPoint Template Version 2-0

Public - Slide 1

19 May 2014. Version 1.0

SCCE Are your vendors meeting YOUR compliance requirements?

Session 202

Janet Himmelreich, CCEP, CCEP-I

BT Head of Client Compliance Services (CCS)

Steve Kilmister, CCEP-I

BT CCS Operations and Assurance Director

Public - Slide 2

Objectives of session

• Has a vendor been selected to manage a function for your company or has a department been outsourced? If so, were your compliance requirements identified and included?

• Are you/were you consulted regarding an outsource?

• Was a vendor option scrapped due to concerns that a vendor couldn’t possibly meet your compliance requirements?

Discuss the compliance conundrum to understand the dilemma you face as Compliance Officers:

Identify ways to flow compliance requirements to your vendors

• Key controls – how internal controls demonstrate quality and compliance

• Assessment activities

• Cost efficient assessment and assurance

Learn a strategy to ensure YOUR requirements are being met

Answer the question – can you solve the compliance conundrum?

Have five things to do when you leave this session

Public - Slide 3

Agenda

A role play “Outsourcing with YOUR compliance requirements”

Module 1 – The “Compliance Conundrum”

Module 2 - Flow downs

Module 3 – How to de-risk outsourcing with Key Controls and Assurance

Closing Thoughts

Five things to do when you leave this session

Questions and Answers

Additional Information


Public - Slide 4

Outsourcing Services when you have compliance obligations

How many of you recognise this conversation?

Role Play

Public - Slide 5

J.S. Inc.

I’m Steve Kilmister, COO for J.S. Inc. …

J.S. Corporate Profile

• A blue-chip global company operating in 70 countries worldwide, across 250+ locations; the CEO has asked the management team to consider outsourcing to lower costs

Challenges

• Need to keep non-core spending flat; goal is to enable our pipeline to mature and revenue grow from a new product launch

• We agreed the area of the business where we can achieve cost savings AND improve our internal operations to gain efficiencies is in our IT Department

• The dilemma is how to create an ‘agile’ strategy to support the explosive growth in BYOD and need for security of our IP?

• These represent parallel and conflicting demands upon an IT team that we have constrained to a fixed budget

Intended Benefits

• Cut costs but not quality and ensure ability to budget going forward

• Responsiveness to needs of the business by access to a breadth of skills and resources globally – consistent framework put in place

• Centralized management including program and project management to ensure the solution is within budget but is also accessible

• Greatly improve the speed and the security of our IT infrastructure to “best in class”

• Enable “Bring Your Own Device” and still secure our Intellectual Property

Solution

• Outsource the management of existing IT services and all suppliers to a single supplier/vendor

• Migrate technical people and equipment assets to a qualified service provider who takes ‘ownership’ - has decision making authority

• Require a standardized infrastructure all over the world so that anyone in the company can work anywhere and it will be fast and efficient

• Measure performance and define SLAs to business needs via a contract – thus, we need an RFP and a team to solicit the right vendor

Public - Slide 6

J.S. Inc.

I’m Janet Himmelreich, Chief Compliance Officer for J.S. Inc. …

J.S. Compliance Profile

• We’ve been struggling to maintain compliance in light of internal restructuring, reducing budgets and increasing scrutiny by regulators.

Challenges

• Compliance has also been challenged to reduce costs

• Local processes not aligned to corporate compliance strategy

• Senior management “talking the talk” not “walking the walk”

• Adherence to processes still inconsistent

• Training people around the world in local language is expensive and time consuming

• We know our competitors have had problems in their IT departments when they outsourced

Consequences

• Fiduciary responsibility to the board

• Fines & Penalties

• Brand and reputational Impacts

• Increased costs through required remediation actions

• Speed and agility at the cost of quality and control

• Unending Audit Cycles – costly and time consuming

In light of all of this, how could we ever consider outsourcing?

Regulatory Imperatives

• Compliance Organization and ethics code of conduct now required by law

• Anti-bribery and corruption training

• Sarbanes-Oxley reporting

• Industry specific Health and Safety

• Governmental Reporting

• Data Protection and Privacy

• Enforcement has really been stepped up since the UK Anti-bribery Act

• Increasing scrutiny in our industry in IT because of security concerns and data breaches


Public - Slide 7

J.S. Inc.

The “CEO” of J.S. Inc.

J.S. CEO/CIO Statement to the COO & CCO

• We have to give a plan to the board that explains how we are going to demonstrate £xM worth of savings by FY 2015/16 – SO YOU BETTER GET YOUR ACTS TOGETHER OR… YOU’RE FIRED!

The way forward…

• A person from the Compliance team will be a member of the outsourcing steering committee

• Compliance, Quality and Security requirements provided early to procurement

• Procurement will only use recognized vendors in our field

• Client and Vendor business cases will be aligned

• Assure a strategic partnership with vendor

• Know how the vendor will meet the compliance requirements

• Ensure Legal interests are represented and consistent

• We will maintain internal monitoring and assurance

Public - Slide 8

Solving the Compliance Conundrum

Module 1

Public - Slide 9

The Compliance Conundrum defined

Increasing worldwide regulations across all industries and a heightened focus on the enforcement of their requirements, combined with pressure to reduce costs in line with challenging economic conditions

[Figure labels: GxP; Bribery - FCPA; SFO; Proceeds of Crime Act]


Public - Slide 10

Why the conundrum? Why so important now?

The need to balance controlling costs while maintaining compliance

• Increasing regulations: 14,000 regs. & guidelines in 2013 alone!

• Increased enforcement

• Worldwide economic pressures

• Use of lower cost economies

• Media attention on previous failures

• Industry specific economic pressures e.g. Pharma patent cliff

• Increased fines & penalties

• Multi-national operations difficult to track, trace & audit

Public - Slide 11

The Compliance Conundrum Continued

“No matter what industry you are in, you need to look at key attributes when evaluating an outsourcing vendor. First, you need to know that the vendor can meet compliance standards for your industry.”

The Outsourcing Handbook; Kogan Page, Ltd 2006

“The enormous pressure to improve shareholder value often results in a strategic business decision to outsource, however, managers must look… …beyond rudimentary cost calculations focused on short-term profit, such as the cost of labour or the ex-factory cost and incorporate the total cost and risk of extended international supply chains.”

The Boeing Debacle - Forbes Website 2013

“Government regulations will continue to be enforced and companies will need to adapt and find better, more efficient ways to handle compliance, legal and financial risk.”

IAOP Top 10 Outsourcing Trends for 2013

What can you, as a Compliance and Ethics Professional do to influence the decisions and address the conundrum? Your goal is to meet the business imperatives while ensuring the compliance requirements are met.

Public - Slide 12

Responding to the Compliance Conundrum

•Organisations have no choice but to respond to this conundrum

•So, what are the options…

•Reduce workforce?

•Use lower cost economies?

•Automate functions?

•Outsource?

•Specialise & Simplify?

•A growing trend is for organisations to consider outsourcing elements of their business to external vendors who are able to provide the same or better service at a lower cost to allow the organisation to focus on their core business.

•But…in this scenario, how do you ensure your compliance obligations are met?


Public - Slide 13

To answer the question….

It depends on what, exactly, you are going to use a vendor for:

• Understand the strategic business case

• Make sure your compliance team are part of the evaluation team – from the beginning

• If the function/service being considered impacts your regulatory compliance requirements, then the competence of the suppliers being considered as well as a formal written agreement must be in place – e.g. EU data privacy and protection

In general, what areas are considered?

• Core business functions that are well-known and understood – e.g. payroll and some HR functions

• Non-core functions that can be obtained more cheaply and efficiently from well known sources – e.g. manufacturing processes

• Key business functions that if outsourced to a vendor, will enable cost, efficiency, agility and innovation capabilities that allow the organization to focus more resources on strategic initiatives

In our experience, Compliance, Quality and Security Governance teams are too often not consulted at all or are consulted very late in the process

Slide 14 - Internal - © BT Plc. 2014

Increasingly, compliance obligations drive requirements to vendors

Continual spotlight on corporate malfeasance keeps the emphasis on corporate compliance and ethics programs that are supposed to prevent just that malfeasance that makes the news every day

Compliance programs are required today in many laws and if not outright required, are highly recommended or part of the implementation regulations – most well known are the US Federal Sentencing guidelines and UK Antibribery Adequate Procedures

Evidencing compliant behavior and robust detection programs are essential for companies expanding into new economies/markets in order to operate in a multitude of geographies with massive numbers of local and regional rules and recommendations

Thus, companies need to assess what their vendors can do, are doing and might do re: requirements and then determine how their performance will be evaluated – properly constructed controls enable assessment or audit to provide evidence and demonstrate quality and compliance oversight internally and externally

“A sound compliance program is a key component required to build a risk-resilient organization. An effective program fosters resilience by both (1) creating the breathing space necessary to absorb shocks and allow for thoughtful responses to events…..considered responses to events as they occur and (2) helping establish the adaptive capacity needed to exploit new opportunities.”

PwC report 2013

Public - Slide 15

Procurement

•The internal procurement or evaluation team should always gather upfront performance and capability requirements

•Including core compliance, security and quality principles

•Which are frequently overlooked or given a “minority” status in the evaluation considerations

•Large outsourced agreements are often driven by the C-level and managed by Procurement

•Procurement tend to focus on costs, service level agreements, and typical Terms and Conditions, billing terms, taxation and data privacy

•Frequently at the very end of protracted negotiations, Legal review can then introduce Quality, Compliance and Security items

•Resulting in additional requirements that were not accounted for in either party’s business case


Public - Slide 16

Success Factors for Strategic Partnerships

•The Client must embrace change

•Different ways of working, different cultures and ethnicities

•Good negotiating and relationship building

•5% inspiration and 95% perspiration

•It is hard work, requiring commitment and transparency

Ten common traps of outsourcing*

1. Lack of management commitment

2. Minimal knowledge of outsourcing methodologies

3. Lack of an outsourcing communications plan

4. Failure to recognize outsourcing business risks

5. Failure to tap into external sources of knowledge

6. Not dedicating the best and brightest internal resources

7. Rushing through the initiative

8. Not appreciating cultural differences [people & companies]

9. Minimizing what it will take to make the vendor productive

10. Poor relationship management programs

*Based on Power, Bonifazi and Desouza (2004)

Public - Slide 17

Key takeaways from Module 1

One approach to the financial side of the conundrum is to consider using a vendor to perform some functions

It is key that Compliance and Ethics professionals get a seat at the table early in the process of evaluation – depending on the size and what is being considered, being part of the team may be crucial

There are service providers and then there are service providers – evaluate the credentials and knowledge in your field as well as speaking to their customers to assess if the vendor is a match to your requirements

Part of the evaluation and the long term relationship should include how the vendor’s performance regarding activities impacting compliance will be evaluated and measured

Good contracting in this environment needs to specify what the vendor will be doing for you regarding compliance activities, how it will be assessed and managed --- this brings us to Module 2 - Flowing “down” your requirements

Public - Slide 18

Flowing down your requirements to your vendors

Module 2


Public - Slide 19

Compliance Requirements Flow Down

[Diagram labels: Regulator; Client Organization; Contract; Vendor; Delivery Partner; Delivery Partner]

In the majority of cases there will be no direct link from the client’s regulator to the vendor.

Therefore, it is essential that the flow of compliance requirements is maintained by use of contractual terms and conditions.

One of the biggest mistakes organisations make is to simply “assume” that their vendors will meet their quality and compliance requirements

Public - Slide 20

Specific requirements need to really be specific

•A contract between strategic partners must be a living, breathing agreement

• Frames the specific requirements

• Defines commercial terms including service level agreements (SLA)

• Specifies the standards, policies and procedures that must be followed

• Specifies governance, reporting, the meanings of terms

• “T’s and C’s” (terms and conditions)

•Specific duties and/or activities may be delegated to the service provider that impact your compliance such as:

• Managing personally identifiable data on your behalf

• Manufacturing items to your specifications

• Using minerals on your behalf that are subject to specific monitoring – e.g. diamonds

• Delivering items that have specific time frames that must be met (blood, nuclear isotopes)

• Managing an environment for you that must meet specific regulatory requirements – such as FDA for pharmaceuticals or medical device companies

• Producing reporting of controls that will indicate conformance to regulations such as SOX

• Once defined, the relevant policies and procedures that underpin the requirements should be provided by or referenced from the contract with specifications as to how to update them over time

Public - Slide 21

What can you do to ensure YOUR requirements are flowed through to your vendors?

• Identify ALL requirements upfront

• Institute a partnership governance model early on that includes compliance – at all levels

•Do not get rid of all your internal knowledge and expertise – you still need to manage the vendor and assure the work

•Be clear and specific about those requirements – including those policies and processes that the vendor must follow

•Require cohesive oversight and quality control in a multi-vendor environment

•Assure audit and monitoring is part of the solution that is developed by the vendor

•Require activities impacting the identified compliance activities are also flowed from your primary vendor to any of its partners

• Include a Quality Management System* (QMS) in your agreement

•Contract properly


Public - Slide 22

Key takeaways from Module 2

Complex and key components that are outsourced to a vendor require a strategic partnership with well-defined governance

The contract must be clear as to what frames or underpins the responsibility and decision making of the vendor

Any policies and processes the vendor needs to comply with should be identified and made available as soon as possible in order to maintain a transparent and fair relationship

Ensure the vendor clearly understands the compliance requirements, and can specifically demonstrate (evidence, not words) their ability to meet these

The flow downs should be continued right on down from the primary vendor to any of its partners

A strategy to monitor and measure the performance needs to be part of the contract – which brings us to Module 3 – Internal Controls and Assurance

Public - Slide 23

Internal Controls & Assurance

Module 3

Public - Slide 24

Key Internal Controls – Level Set

• Most widely accepted definition is by COSO* (Committee of Sponsoring Organisations of the Treadway Commission):

• Internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable global or local laws and regulations

Safeguarding of Assets

• The COSO framework involves several key concepts:

• Internal control is a process. It is a means to an end, not an end in itself.

• Internal control is effected by people. It's not merely policies, manuals, and forms, but people at every level of an organisation.

• Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.

• Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

* Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA) and Financial Executives International (FEI).


Public - Slide 25

The Importance of Internal Controls when working with Vendors

•A detailed understanding of your internal control landscape will ensure you know what you are asking your vendor to deliver against

•Decide the extent to which “how” your vendors deliver is important

•Defining how the vendors must satisfy the requirements will create consistency across vendors and likely reduce the internal costs of managing the vendors.

•However, this will increase the costs to the vendors and reduce their ability to leverage “standard” services, thus it could increase their overall pricing (understand the business case)

•Using a recognized industry standard to map controls between organizations can help leverage third-party assurance activities as an additional monitoring mechanism on vendor performance

Public - Slide 26

Control Mapping

[Diagram labels: Client Control Framework; External Control Framework; Vendor Control Framework; In-scope Controls; Vendor Contract]

What should be mapped is not just the control Wording but the control Objective.

Slide 27

Assuring the services provided by your Vendor


Public - Slide 28

Assuring the services provided by your Vendors

• When delegating portions of your regulatory responsibility to a vendor it’s important that you (and your Auditors) know they are meeting your requirements

• The first stage for this is to ensure that “The right to Audit” is included within any contractual arrangement with your vendors

• Trust between the client and vendor has to be built over time, and has to rely during the early stages of the engagement on evidenced assurance

• Consider who will provide you with the assurance:

• Your own assurance team

• A contracted third party audit function

• The vendor’s assurance organisations

• Consider re-use of existing audit/assurance evidence such as certification to internationally recognised standards

Public - Slide 29

The Three Lines of Defense

Management Oversight

• The marketplace is turning to ‘Quality’ to ensure and demonstrate compliance

• Be clear how you will assure the services provided meet your compliance requirements

• Using vendor assurance mechanisms can be very cost effective

• Trust must be built over time

Public - Slide 30

Assurance during Outsourcing

[Chart: axes Time and Assurance; three BAU* phases, each labelled Vendor and Client & External Review]

Trust but verify

*Business as Usual


Public - Slide 31

Key takeaways from Module 3

Know your internal control landscape before your outsourcing requirements are defined

Using an industry standard control framework can help to bring the control frameworks of the client and vendor together

The intent behind the controls is key to assuring a quality performance; internal control involves people, not just a series of policies/processes

Specify how you will assure vendor performance against your compliance requirements; ensure these are contractual obligations.

Consider transitioning to vendor assurance mechanisms to leverage cost efficiencies as trust develops over time

A shared control framework is a proven strategy to assuring you know your vendor is meeting YOUR requirements

Public - Slide 32

Concluding Thoughts

Including:

Five things you can do when you leave this conference

Public - Slide 33

When things go wrong, they can really go wrong…

Lack of vendor accountability for meeting compliance requirements can lead to catastrophic failures

•Increased regulatory scrutiny

•Brand and reputational damage

•Financial penalties

•Commercial sanctions

•Destruction of assets

•Environmental impacts

•Severe detriment to market position

•Impaired ability to continue as a ‘going concern’

•Loss of Life

Prevention is the best medicine


Public - Slide 34

…but if you get it right, there are many benefits

•Enables the whole business to achieve objectives

•Commercial “wins” for both client and vendor

• Increased knowledge base and access to subject matter expertise

•Flexible / scalable delivery of services

• Increased visibility and transparency

•Reduced risk of outsourcing

•Maintained or improved quality results

•Consistency through the use of your vendor as an ‘agent of change’

•Reduced assurance overheads

…your vendor can make you meet your requirements more cheaply

Public - Slide 35

You can solve the compliance conundrum

• Increasing financial pressure to reduce costs and maximise profits is almost certain to continue

• Technology continues to improve and enable things previously not thought possible – do the potential benefits outweigh the potential risks?

• The world is so much more connected today that there is little room for error – including your vendors in your compliance program and ensuring enforcement helps you to minimize risks of bad publicity as you can react and mitigate before an issue becomes a problem

• There is more to outsourcing than simply reducing heads or using a lower cost economy's resources to perform work on your behalf – it is crucial to get a seat at the table to ensure the compliance requirements and risks are considered in the business case

• A service provider experienced in your industry requirements that has done it before can be an excellent strategic partner in achieving your business case without impacting your compliance objectives

• It can be a change agent to ensure consistency across the whole of your estate

Public - Slide 36

Five things you can do when you leave this conference

Brainstorm to assess the key regulatory issues or responsibilities that may be included in what your vendors do for you – e.g. data handling, SOX financial controls and manufacturing standards; then list out YOUR requirements

Meet procurement/legal to ascertain what your current base contracts with vendors includes; also look into standard RFP requirements and assess whether your requirements are adequately addressed

Liaise with Dept. Heads about areas of the business already outsourced to a vendor; identify any areas under consideration in the near future - get a seat at the next table and establish a defined role for compliance

Develop a plan, based on a risk assessment, to present to your management for managing vendors that may be involved now or in the future in delivering YOUR requirements

This is a great opportunity for a compliance department to demonstrate value – Assure management that “yes – we can outsource that” rather than just saying “no” by incorporating this strategy into your Annual Compliance Plan


Public - Slide 37

Questions and Answers

Public - Slide 38

Contact Details

Janet K Himmelreich

BT Global Services

Client Compliance Services Centre of Excellence

Head

Email: [email protected]

Steve J Kilmister

BT Global Services

Client Compliance Services Centre of Excellence

Operations and Assurance Director

Email: [email protected]

Public - Slide 39

Additional Materials


Public - Slide 40

Biography

Janet Himmelreich, CCEP, CCEP-I

Head, Client Compliance Services Centre of Excellence - BT Global Services

Janet K. Himmelreich leads the BT Global Services Client Compliance Services Centre of Excellence. BT is a UK based global telecommunications service provider currently providing services to some 8,500 global organisations and the majority of the Forbes top 500 global companies. Janet joined BT in 2005 as Chief Compliance Officer dedicated to the first Pharmaceutical customer that contracted with BT to manage its entire network and telecommunications enterprise including contractual regulatory compliance obligations that are shared with the customer. Since 2005, the team that provides these services has increased to over 30 professionals worldwide and provides services to customers around the world.

Janet is a well regarded expert in the delivery of compliant services drawing on more than 25 years of consulting experience in the healthcare field prior to joining BT. As a Subject Matter Expert in physician billing, fraud and abuse, Medicare and Medicaid regulations, integrated healthcare delivery systems and HIPAA compliance in health systems and health plans, she served as an expert witness and provided Independent Audit services to healthcare entities as well as the US Department of Health and Human Services.

In addition to her leadership role for the CCS CoE, Janet serves in a governance role for several of the large customer contracts with compliance obligations. This role is part of the executive leadership for several customer contracts. She also leads the team that has developed the approach and method used for BT’s innovative and market leading proposition known as BT for Life Sciences R&D Compute and the specific proposition that provides a compliance “wrap” to the standard services known as “Conform.”

Her educational background combines a BA, MA and MBA with a certification through the Society of Corporate Compliance and Ethics as a Certified Compliance and Ethics Professional. Within BT she is a member of the Data Protection Forum, the Programme Control Board for BT for Life Sciences and is a key participant in the COO Team for BT Global Services’ vertical known as Global Commerce. In her role she is responsible for business development, innovation as well as delivery of contracted services for heavily regulated industries.

Public - Slide 41

Biography

Steve Kilmister, CCEP-I

Operations and Assurance Director

BT Global Services

Steve Kilmister currently serves as the Operations and Assurance Director for the BT Global Services Client Compliance Services Centre of Excellence. BT is a UK based global telecommunications service provider currently providing services to some 8,500 global organisations and the majority of the Forbes top 500 global companies.

Steve has over 10 years of experience developing and delivering internal assurance programmes in partnership with leadership teams, business management and operations teams and has over 7 years of experience in providing internal and external assurance over the compliance programmes that BT operates for its clients operating in heavily regulated industries. He is responsible for designing and implementing the Quality Management System Assurance function within the Client Compliance Services Centre of Excellence and is accountable for internal quality assurance, audit management and facilitation, quality monitoring, continuous improvement and security governance.

Steve is a respected leader, manager and subject matter expert recognised by clients and peers alike for his passion for assurance, compliance and ethics. He believes in the ability to manage the business risk of compliance through business as usual commitment to quality.

Public - Slide 42

Sources Consulted

The Outsourcing Handbook: How to Implement a Successful Outsourcing Process

Mark Power, Carlo Bonifazi, Kevin C. Desouza, (2006) Kogan Page

“The ten outsourcing traps to avoid”

Mark Power, Carlo Bonifazi, Kevin C. Desouza, (2004) Journal of Business Strategy, Vol. 25 Iss: 2

“The Boeing Debacle: Seven Lessons Every CEO Must Learn”

Steve Denning, http://www.forbes.com/sites/stevedenning/2013/01/17/the-boeing-debacle-seven-lessons-every-ceo-must-learn/

“Outsourcing - Right or Wrong? 9 Key Questions”

Adam Hartung, http://www.forbes.com/sites/adamhartung/2010/09/30/outsourcing-right-or-wrong-9-key-questions/

“Outsourcing Ins And Outs”

Ed Sperling, http://www.forbes.com/2008/08/10/cio-doerr-savvis-tech-cio-cx_es_0811doerr.html

COSO

http://www.coso.org/


bt.com/globalservices

