Organization Audit, Risk and Compliance (ARC)
Introductory Session
October 31, 2017
• Introductions and vision – Grace
• ARC Administrator – Paige
• Discussion regarding Charter structure and function
• Proposed ARC Reporting Framework
• Management Agreed Upon Responses
• Policy, Practice Directives and Procedures
• Next Steps
Agenda
Organization’s Strategic Plan
Governance & Compliance
• The Compliance and Ethics program supports the organization’s business objectives, identifies the boundaries of legal and ethical behavior, and establishes a system to alert management when we are getting close to (or crossing) a boundary or approaching an obstacle that prevents the achievement of our Strategic Plan
– Integrate in all aspects of institutional operations
– Adopt and follow policies and practices
– Monitor and maintain sound practices
– Address issues promptly and effectively
Program Structure
• Federal Sentencing Guidelines for Organizations (FSGO)
• Applies to all public and private sector organizations
• Key Objectives:
– Reduce sentencing punishment
– Incentivize organizations to develop internal controls to achieve and maintain compliance
– Reduce and prevent crime, promote ethical conduct and business practices
Federal Sentencing Guidelines
Compliance Officer reporting to highest level of leadership
Involvement & oversight from leadership
Clear Standards of Conduct and Compliance
Appropriate education, training and communication
Monitoring, auditing and reporting of non-compliance
Corrective/remedial action for non-compliant behavior
Appropriately responding and preventing further non-compliance
*Based on the Federal Sentencing Guidelines across industry and nationwide
**Rating based on S&P ERM Maturity Model 1-5 scale
Usually the structure will include committee’s workgroups, key policies, and approval flow
Seven Elements
• Data and reports are gathered for ARC meetings by the Chief of Institutional Policy & Compliance in coordination with Audit, Risk, OPRS, and others as needed
• A calendar is set for the year staging review of reports and presentations, with the expectation that serious risk events may occur that will change the agenda
• Risk owners may be called to present periodically to the ARC; the Chief of Institutional Policy & Compliance will facilitate preparation of the report
ARC Functions
• ARC Policy Group – Brings policies forward for review and approval
• Audit & Advisory Services – Report on findings with focus on outstanding management responses. Key stakeholders with items due over 60 days present at ARC meeting
• ERM & EH&S – Report on Cost of Risk, Complex Claims, Trends
• Compliance Program – Monitor degree of progress of the 7 elements of a Compliance Program; compliance-related groups report issues of non-compliance
• Finance and Budget – Financial report on significant budget risks and presentation of financial statements
• LRAP KPI monitoring – Key Stakeholders with KPIs that are not met present at ARC Meeting
• Investigations & Whistle Blower – Legal & A&AS report on Investigations and Whistle Blower matters and trends
• Risk Registry – Key Stakeholders report in on mitigation efforts on top Residual Risks
• SERMP – IT Security Management Program presents dashboard on progress
Reporting frequencies: Bimonthly, Quarterly, Semiannual
Sample Reporting Framework (using existing information and reports you already have)
ARC Report – one simple template for reporting. Will aim to have key stakeholder report on all known interrelated issues.
Risk Owner: Pat Lucky
Summary: Missing LRAP KPI by >20%, also impacts Residual Risk #4, and has one related Management Agreed Response for this area.
• LRAP – KPI #1 target 85% customer satisfaction
• Risk Register – #4 high residual risk
• Audit – MAR #33 for this same area of operation is 68 days overdue
Mitigation plan is to process map the current state and reduce steps to increase customer satisfaction in relation to completion of Service Requests. In 6 months an app will be developed to handle the process.
Sample Risk Owner Report Form
Mission
The mission of the Internal Audit Department is to provide independent, objective assurance and support designed to add value and improve the organization’s operations and systems of internal controls. The Internal Audit Department assists the organization with its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of enterprise risk management, control, and governance processes.
Scope and Responsibilities
Internal audit assists the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management, control systems, and operational efficiency. It will monitor and evaluate the effectiveness of the organization’s enterprise risk management system relating to governance, operations, and information systems.
Audit Assurance
• Reports generated using a common framework for each stakeholder (stakeholder departments identified)
• Schedule meetings with each stakeholder and obtain either documentation of corrective action plans implemented or agreeing on a future action, accountability, and an implementation deadline (recommendations/agreed upon actions to discuss)
• Incorporate lessons learned and best practices into a self-assessment program
Management Agreed Upon Responses
5 Critical Steps: Identify – Assess – Evaluate – Mitigate Risk & Increase Value – Monitor & Respond
Framework components:
• Incident Reporting
• Reports from Existing Committees
• Data Analysis
• Hotline
• Risk Registry
• Retrospective Reviews
• ARC Committee
• KPI Dashboard
• Accountability
• Management Agreed upon Responses
• ARC Charter and Plan
• Policy, Practice Directives & Procedures
• Fraud Awareness Program
• Governance & Compliance Framework
• Code of Conduct
• Self-Assessments
Potential Framework for Enterprise ARC- An Integrated Approach
Policies/Practice Directive
• ARC Function will include policy review
• Recommending body
• Will conduct a review of best practices for the drafting and approval of institutional policies
• Policies should provide clear and concise language, with references to other applicable policies in order to enhance compliance, knowledge and understanding of legal expectations and requirements
Procedures
• Have a narrower focus
• Are subject to change and continuous improvement
• Are a more detailed description of activities
• Are statements of how, when and/or who, and sometimes what
• Detail a process
• Approved by the Policy Management Office
Community Objective: Expand Childcare
• Financial Risk – Affordability; Cost overruns; Insurance and Claims expense
– Mitigation: Budget process; Project management; Loss Prevention and Control
• Operational Risk – Poor service; Threat & Security; Legal; Parental Control Process is not understood; Facility Maintenance; Control over Vendors is not understood
– Mitigation: Investment in education and training is ongoing; Expert guidance; Audit
• Compliance Risk – CANRA; Health & Safety; Public Health
– Mitigation: Education and Training; Expert Guidance; Audit
• Technical & Reporting Risk – Data systems do not support reporting requirements; Notification process is not sufficient to safeguard children
– Mitigation: Subject matter experts guide IT decisions and process; Appropriate technology is purchased
• Strategic Risk – Not built to plan; Does not meet need; Reputation is damaged
– Mitigation: Appropriate level of governance; Communication plan and response is known and practiced
Residual Risk is determined after consideration of mitigation.
A tool is used to drive the evaluation process. We start with our Strategy.
Risk Registry
ARC Next Steps