Organization Audit, Risk and Compliance (ARC) Introductory Session October 31, 2017

Transcription

1 Organization Audit, Risk and Compliance (ARC) Introductory Session October 31, 2017

2 Agenda Introductions and vision - Grace ARC Administrator Paige Discussion regarding Charter structure and function Proposed ARC Reporting Framework Management Agreed Upon Responses Policy, Practice Directives and Procedures Next Steps

3 Organization s Strategic Plan

4 Governance & Compliance

5 Program Structure Compliance and Ethics program supports the organization s business objectives, identifies the boundaries of legal and ethical behavior, and establishes a system to alert management when we are getting close to (or crossing) a boundary or approaching an obstacle that prevents the achievement of our Strategic Plan Integrate in all aspects of institutional operations Adopt and follow policies and practices Monitor and maintain of sound practices Address issues promptly and effectively

6 Federal Sentencing Guidelines Federal Sentencing Guidelines for Organizations (FSGO) Applies to all public and private sector organizations Key Objectives: Reduce sentencing punishment Incentivize organizations to develop internal controls to achieve and maintain compliance Reduce, prevent crime, promote ethical conduct and business practices

7 Seven Elements Compliance Officer reporting to highest level of leadership Involvement & oversight from leadership Clear Standards of Conduct and Compliance Appropriate education, training and communication Monitoring, auditing and reporting of non-compliance Corrective/remedial action for non-compliant behavior Appropriately responding and preventing further non-compliance Usually the structure will include committee s workgroups, key policies, and approval flow *Based on the Federal Sentencing Guidelines across industry and nationwide **Rating based on S&P ERM Maturity Model 1-5 scale

8 ARC Functions Data and reports are gathered for ARC meetings by the Chief of Institutional Policy & Compliance in coordination with Audit, Risk, OPRS, and others as needed A calendar is set for the year staging review of reports and presentations, with the expectation that serious risk events may occur that will change the agenda Risk owners may be called to present periodically to the ARC and the Chief of Institutional Policy & Compliance and will facilitate preparation of report

9 Sample Reporting Framework (using existing information and reports you already have) Monitor degree of progress of 7 elements of a Compliance Program Compliance Related Groups report issues of non-compliance Financial report on significant budget risks and presentation of financial statements LRAP KPI monitoring Key Stakeholders with KPIs that are not met present at ARC Meeting Audit & Advisory Services Report on findings with focus on outstanding management responses. Key stakeholders with items due over 60 days present at ARC meeting ERM & EH&S report on Cost of Risk, Complex Claims, Trends Semiannual Legal & A&AS reports on Investigations and Whistle Blower matters and trends Risk Registry Key Stakeholders report in on mitigation efforts on top Residual Risks Policy Group Brings Policies forward for review and approval Bimonthly ARC Quarterly SERMP IT Security Management Program present dashboard on progress

10 Sample Risk Owner Report Form ARC Report one simple template for reporting. Will aim to have key stakeholder report on all known interrelated issues. Policy Group Audit & Advisory Services ERM & EH&S Compliance Program LRAP Audit Risk Register Missing LRAP KPI by >20%, also impacts Residual Risk #4, and has one related Management Agreed Response for this area. Finance and Budget LRAP KPI monitoring Investigations & Whistle Blower Risk Registry SERMP Pat Lucky KPI #1 target 85% customer satisfaction Risk Registry - #4 high residual risk MAR #33 for this same area of operation is 68 days overdue Mitigation plan is to process map current state and reduce steps to increase Customer satisfaction in relation to completion of Service Requests. In 6 months will have app developed to handle process.

11 Audit Assurance Mission The mission of the Internal Audit Department is to provide independent, objective assurance and support designed to add value and improve the organization s operations and systems of internal controls. The Internal Audit Department assists the organization with its objectives by bringing systematic, disciplined approach to evaluate and improve the effectiveness of enterprise risk management, control, and governance processes. Scope and Responsibilities Internal audit assists the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management, control systems, and operational efficiency. It will monitor and evaluate the effectiveness of the organization s enterprise risk management system relating to the governance, operations, and information systems

12 Management Agreed Upon Responses Reports generated using a common framework for each stakeholder (stakeholder departments identified) Schedule meetings with each stakeholder and obtain either documentation of corrective action plans implemented or agreeing on a future action, accountability, and an implementation deadline (recommendations/agreed upon actions to discuss) Incorporate lessons learned and best practices into a selfassessment program

13 Potential Framework for Enterprise ARC - An Integrated Approach 5 Critical Steps IDENTIFY Incident Reporting Reports from Existing Committees Data Analysis Hotline ASSESS Risk Registry Retrospective Reviews EVALUATE ARC Committee KPI Dashboard Accountability MITIGATE RISK & INCREASE VALUE Fraud Awareness Program Governance & Compliance Framework Code of Conduct Self-Assessments MONITOR & RESPOND Management Agreed upon Responses ARC Charter and Plan Policy, Practice Directives & Procedures

14 Policies/Practice Directive ARC Function will include policy review Recommending body Will conduct a review of best practices for the drafting and approval of institutional policies Policies should provide clear and concise language, with references to other applicable policies in order to enhance compliance, knowledge and understanding of legal expectations and requirements

15 Procedures Have a narrower focus Are subject to change and continuous improvement Are a more detailed description of activities Are statements of how, when and/or who & sometimes what Detail a process Approved by the Policy Management Office

16 Risk Registry A tool is used to drive the evaluation process We start with our Strategy Community Objective Expand Childcare Financial Risk Affordability Cost overruns Insurance and Claims expense Operational Risk Poor service Threat & Security Legal Parental Control Process is not understood Facility Maintenance Control over Vendors is not understood Compliance Risk CANRA Health & Safety Public Health Technical & Reporting Risk Data systems do not support reporting requirements Notification process is not sufficient to safeguard children Strategic Risk Not built to plan Does not meet need Reputation is damaged Mitigation Budget process Project management Loss Prevention and Control Mitigation Investment in education and training is ongoing Expert guidance Audit Mitigation Education and Training Expert Guidance Audit Mitigation Subject matter experts guide IT decisions and process Appropriate technology is purchased Mitigation Appropriate level of governance Communication plan and response is known and practiced Residual Risk is determined after consideration of mitigation

17 ARC Next Steps