
Organization Audit, Risk and Compliance (ARC) Power Point.SPBC...Organization Audit, Risk and...

Date post: 19-May-2018
Upload: phungnhi
Organization Audit, Risk and Compliance (ARC) Introductory Session October 31, 2017
Transcript
Page 1: Organization Audit, Risk and Compliance (ARC) Power Point.SPBC...Organization Audit, Risk and Compliance ... Management Program present dashboard on progress. ... Loss Prevention and

Organization Audit, Risk and Compliance

(ARC) Introductory Session

October 31, 2017

Page 2

• Introductions and vision - Grace
• ARC Administrator – Paige
• Discussion regarding Charter structure and function
• Proposed ARC Reporting Framework
• Management Agreed Upon Responses
• Policy, Practice Directives and Procedures
• Next Steps

Agenda

Page 3

Organization’s Strategic Plan

Page 4

Governance & Compliance

Page 5

• Compliance and Ethics program supports the organization’s business objectives, identifies the boundaries of legal and ethical behavior, and establishes a system to alert management when we are getting close to (or crossing) a boundary or approaching an obstacle that prevents the achievement of our Strategic Plan
– Integrate in all aspects of institutional operations
– Adopt and follow policies and practices
– Monitor and maintain sound practices
– Address issues promptly and effectively

Program Structure

Page 6

• Federal Sentencing Guidelines for Organizations (FSGO)

• Applies to all public and private sector organizations

• Key Objectives:
– Reduce sentencing punishment
– Incentivize organizations to develop internal controls to achieve and maintain compliance
– Reduce, prevent crime, promote ethical conduct and business practices

Federal Sentencing Guidelines

Page 7

Compliance Officer reporting to highest level of leadership

Involvement & oversight from leadership

Clear Standards of Conduct and Compliance

Appropriate education, training and communication

Monitoring, auditing and reporting of non-compliance

Corrective/remedial action for non-compliant behavior

Appropriately responding and preventing further non-compliance

*Based on the Federal Sentencing Guidelines across industry and nationwide

**Rating based on S&P ERM Maturity Model 1-5 scale

Usually the structure will include committee’s workgroups, key policies, and approval flow

Seven Elements

Page 8

• Data and reports are gathered for ARC meetings by the Chief of Institutional Policy & Compliance in coordination with Audit, Risk, OPRS, and others as needed

• A calendar is set for the year staging review of reports and presentations, with the expectation that serious risk events may occur that will change the agenda

• Risk owners may be called to present periodically to the ARC, and the Chief of Institutional Policy & Compliance will facilitate preparation of the report

ARC Functions

Page 9

ARC

• Policy Group: Brings Policies forward for review and approval
• Audit & Advisory Services: Report on findings with focus on outstanding management responses. Key stakeholders with items due over 60 days present at ARC meeting
• ERM & EH&S report on Cost of Risk, Complex Claims, Trends
• Monitor degree of progress of 7 elements of a Compliance Program
• Compliance Related Groups report issues of non-compliance
• Financial report on significant budget risks and presentation of financial statements
• LRAP KPI monitoring: Key Stakeholders with KPIs that are not met present at ARC Meeting
• Legal & A&AS reports on Investigations and Whistle Blower matters and trends
• Risk Registry: Key Stakeholders report in on mitigation efforts on top Residual Risks
• SERMP IT Security Management Program present dashboard on progress

Reporting frequencies: Bimonthly, Quarterly, Semiannual

Sample Reporting Framework (using existing information and reports you already have)

Page 10

Policy Group

Audit & Advisory Services

ERM & EH&S

Compliance Program

Finance and Budget

LRAP KPI monitoring

Investigations & Whistle Blower

Risk Registry

SERMP

ARC Report – one simple template for reporting. Will aim to have key stakeholder report on all known interrelated issues.

LRAP

Audit

Risk Register

Pat Lucky

Missing LRAP KPI by >20%, also impacts Residual Risk #4, and has one related Management Agreed Response for this area.

KPI #1 target 85% customer satisfaction

Risk Registry - #4 high residual risk

MAR #33 for this same area of operation is 68 days overdue

Mitigation plan is to process map current state and reduce steps to increase Customer satisfaction in relation to completion of Service Requests. In 6 months will have app developed to handle process.

Sample Risk Owner Report Form

Page 11

Mission

The mission of the Internal Audit Department is to provide independent, objective assurance and support designed to add value and improve the organization’s operations and systems of internal controls. The Internal Audit Department assists the organization with its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of enterprise risk management, control, and governance processes.

Scope and Responsibilities

Internal audit assists the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management, control systems, and operational efficiency. It will monitor and evaluate the effectiveness of the organization’s enterprise risk management system relating to the governance, operations, and information systems.

Audit Assurance

Page 12

• Reports generated using a common framework for each stakeholder (stakeholder departments identified)

• Schedule meetings with each stakeholder and obtain either documentation of corrective action plans implemented or agreement on a future action, accountability, and an implementation deadline (recommendations/agreed upon actions to discuss)

• Incorporate lessons learned and best practices into a self-assessment program

Management Agreed Upon Responses

Page 13

5 Critical Steps: IDENTIFY, ASSESS, EVALUATE, MITIGATE RISK & INCREASE VALUE, MONITOR & RESPOND

• Incident Reporting; Reports from Existing Committees; Data Analysis; Hotline
• Risk Registry; Retrospective Reviews
• ARC Committee; KPI Dashboard; Accountability
• Management Agreed upon Responses; ARC Charter and Plan; Policy, Practice Directives & Procedures
• Fraud Awareness Program; Governance & Compliance Framework; Code of Conduct; Self-Assessments

Potential Framework for Enterprise ARC - An Integrated Approach

Page 14

Policies/Practice Directive

• ARC Function will include policy review
• Recommending body
• Will conduct a review of best practices for the drafting and approval of institutional policies
• Policies should provide clear and concise language, with references to other applicable policies in order to enhance compliance, knowledge and understanding of legal expectations and requirements

Page 15

Procedures

• Have a narrower focus
• Are subject to change and continuous improvement
• Are a more detailed description of activities
• Are statements of how, when and/or who & sometimes what
• Detail a process
• Approved by the Policy Management Office

Page 16

Community Objective: Expand Childcare

Financial Risk: Affordability; Cost overruns; Insurance and Claims expense

Operational Risk: Poor service; Threat & Security; Legal Parental Control Process is not understood; Facility Maintenance; Control over Vendors is not understood

Compliance Risk: CANRA; Health & Safety; Public Health

Technical & Reporting Risk: Data systems do not support reporting requirements; Notification process is not sufficient to safeguard children

Strategic Risk: Not built to plan; Does not meet need; Reputation is damaged

Mitigation: Budget process; Project management; Loss Prevention and Control

Mitigation: Investment in education and training is ongoing; Expert guidance; Audit

Mitigation: Education and Training; Expert Guidance; Audit

Mitigation: Subject matter experts guide IT decisions and process; Appropriate technology is purchased

Mitigation: Appropriate level of governance; Communication plan and response is known and practiced

Residual Risk is determined after consideration of mitigation

A tool is used to drive the evaluation process

We start with our Strategy

Risk Registry

Page 17

ARC Next Steps

