TEACHERS RETIREMENT BOARD. AUDITS AND RISK MANAGEMENT COMMITTEE Item Number: 9 SUBJECT: Scope and Structure of the Enterprise Compliance Program


Item Number: 9
SUBJECT: Scope and Structure of the Enterprise Compliance Program
CONSENT:
ACTION:
INFORMATION: X
ATTACHMENT(S): 3
DATE OF MEETING: / 30 mins
PRESENTER(S): Deena Mount

PURPOSE
The purpose of this item is to provide the ARM Committee with a detailed Scope and Framework for the Enterprise Compliance Management (ECM) Program, now referred to as the Enterprise Compliance Oversight Program.

BACKGROUND
In June 2016, the ARM Committee approved the creation of the ECM program, with General Counsel as the Chief Compliance Officer, and approved hiring a Compliance Program Director. In July 2017, the ARM Committee requested a detailed framework and scope for the program moving forward, upon securing the Compliance Program Director. In August 2017, after a lengthy recruitment process, Deena Mount was hired as Compliance Program Director.

DISCUSSION/SUMMARY
Over the past 90 days, the Enterprise Compliance Oversight Program has made progress augmenting prior efforts initiated by the Ethics and Compliance team. In an effort to streamline all CalSTRS compliance functions under an Enterprise umbrella, the Enterprise Compliance Oversight Program has developed a Scope and Framework to include all business areas within the organization. Program development and progress includes:

Scope: Enterprise Compliance Oversight Program overview (Attachment 1)
  o Definition of Enterprise Compliance Oversight Program
  o Address the Board's inquiry: What are we complying with?
  o Compliance Program Purpose
  o Compliance Program Activities
  o Framework (PowerPoint presentation)
4-year Implementation Plan (Attachment 2)

ATTACHMENTS/POWERPOINT
Attachment 1: Enterprise Compliance Oversight Program Overview
Attachment 2: Enterprise Compliance Oversight Program Four-Year Implementation Plan
PowerPoint 1: Compliance Program Framework

ARM 357

Attachment 1, Audits and Risk Management Committee, Item 9, Page 1

ENTERPRISE COMPLIANCE OVERSIGHT PROGRAM OVERVIEW

Enterprise Compliance Management reaches across all business areas in the operating infrastructure of an organization to ensure an environment or culture of doing business ethically and within the letter and spirit of all applicable laws and regulations. Compliance is about doing things right, and doing the right thing. The Enterprise Compliance Oversight Program will direct efforts to ensure CalSTRS establishes and/or maintains compliance with all regulatory requirements within all business areas.

This Program Overview is intended to accomplish the following:
- Address the Board's question, "What are we complying with?";
- Identify a Compliance Framework and Implementation Plan;
- Propose the creation of a Compliance Advisory Group to maximize limited resources;
- Develop an Organizational Chart and Resource Need Projection; and
- Provide draft Monitoring Procedures, Scope, Methodology and Report template.

Compliance Program Purpose
To address the question "What are we complying with?" the compliance team offers this response: "We are complying with regulatory requirements." Regulatory requirements present themselves through laws, policies, and procedures, in descending order of authority. How well we are complying is the purpose and function of a compliance program. There is no level of acceptable statutory non-compliance. The Federal Sentencing Guidelines established by the United States Sentencing Commission identify the standards for effective compliance programs, which include preventing and detecting violations of law and exercising due diligence in seeking to prevent and detect criminal conduct. ECOP will be based upon the compliance program standards identified in the Federal Sentencing Guidelines and is designed to ensure all CalSTRS business areas operate in compliance with regulatory requirements.

Compliance is the only proactive and preventative function in an organization that works in real time within every business area to guide and direct all employees to do the right thing, and it is therefore very different from both the risk assessment function and the audit function. Compliance addresses risk mitigation and helps ensure that what we do follows the law through policies and procedures. Risk assessments identify functions within an organization that show potential for problems if not addressed, and liability if not mitigated. Risk assessment is an ongoing activity that identifies risks that are already realized, or predicts future risks. Risk management is both a reactive and proactive approach to problem resolution.

ARM 358

Attachment 1, Audits and Risk Management Committee, Item 9, Page 2

Audits are a systematic activity that provides independent and objective assurance that selected functions (often those identified as high risk in an enterprise-wide risk assessment) perform as intended, to test if we are doing what we said we would do (looking at the past and present). Compliance, on the other hand, primarily addresses compliance risk, evaluating whether what we said we would do ensures compliance (looking at the present and towards the future). What compliance looks like at CalSTRS is best demonstrated by what non-compliance looks like, and its impact on an organization, ranging from investigation and remediation to negative publicity, fines, liability and litigation. Each business area presents a specific potential impact of non-compliance to CalSTRS as a whole.

Compliance Program Activities
Compliance is an objective look at the existing environment/culture from every business area to identify whether operationalized functions have been translated accurately and topically from laws, to policies, to procedures, and whether those procedures are being followed. ECOP creates a strategic framework to illustrate operational development over time. Eight pillars represent the construct for the compliance program, which builds on the existing foundational culture of integrity at CalSTRS. The program elements are based on compliance industry best practices, tailored to meet CalSTRS program needs. Each year is measured by key metrics and milestones that contribute to broader organizational goals.

Compliance Implementation Plan
To accompany the program framework, the compliance team developed a four-year implementation plan. The implementation plan (Attachment 2) details specific activities to assess current business activities, identify business activity gaps, and implement monitoring protocols. Each phase is designed to provide an update to the ARM Committee on the implementation of the compliance program.

Compliance Advisory Group (CAG)
In order for the compliance program to achieve the key metrics and milestones of the framework, ECOP identified the need for a compliance advisory group (CAG). The CAG is a group of eleven members: ten subject matter experts (SMEs), one from each of the ten business areas, and one compliance specialist. The CAG addresses the staffing shortage for the compliance program by utilizing CalSTRS expert staff in business areas that can provide ongoing support to the compliance program. Specifically, the CAG will provide the compliance program input on the need to update or develop policies and procedures from the identified business areas, train fellow staff on compliance-related issues, and assist in identifying non-compliant activities.

ARM 359

Attachment 1, Audits and Risk Management Committee, Item 9, Page 3

Code of Ethics and Business Conduct
The cornerstone of the ethics and compliance program is the Code of Ethics and Business Conduct, which provides law, code and policies for proper business conduct for all employees and contractors. The Code, as outlined in the framework, will be supplemented with annual training for employees.

Compliance Monitoring
An initial review and analysis of each business area will determine initial/baseline levels of compliance with statutory requirements and written policy and procedure standards. Business areas needing remediation will be provided guidance, education and training. Annual Compliance Reports will be provided to executives and affected business area managers, and regular updates on overall/enterprise compliance will be provided to the Audits and Risk Management Committee.

Compliance Education, Training and Communication
Regular and ongoing compliance education, training and communication strategies will be developed and implemented in concert with the CalSTRS internal training program. All staff, management, and board members will be provided annual education and training in compliance requirements, expectations and best practices.

ARM 360

Attachment 2, Page 1

ENTERPRISE COMPLIANCE OVERSIGHT PROGRAM
Four-Year Implementation Plan

Program pillars:
- Program Structure, Design, & Oversight
- Legal and Compliance Risk Management
- Policies, Standards, & Procedures
- Training
- Communications
- Allegation Reporting & Investigations
- Discipline & Incentives
- Program Measurement & Monitoring
Foundation: Culture of Integrity

Page 1 of 9
ARM 361

Attachment 2, Page 2

PROGRAM STRUCTURE, DESIGN, & OVERSIGHT

Activities:
- Understand key laws and regulations that the compliance program must cover.
- Identify and evaluate existing policies, standards, procedures and quality assurance practices.
- Create Compliance Advisory Group using program liaisons to increase local compliance presence.
- Outline compliance program purpose and objectives.
- Communicate role and performance expectations at the corporate level.
- Staff program to effectively meet objectives.
- Approval from CEO / Executives to participate in and sign off on annual Compliance function plans.
- Report on progress against the elements of the Federal Sentencing Guidelines.
- Create and communicate suggested compliance management performance objectives for senior business leaders.
- Use Compliance Advisory Group to drive program objectives across functions.
- Report on progress against the elements of the Federal Sentencing Guidelines.
- Approval from CEO / Executive to sign off on business unit compliance plans.
- Ensure Compliance Program purpose and objectives are integrated into Business and Strategic Plans.

Key metrics and milestones:
- Creation of Compliance Advisory Group
- Define compliance program framework and scope
- Appropriate staffing/resources
- Progress report
- Percentage of integration of compliance objectives within Business/Strategic plan

LEGAL AND COMPLIANCE RISK MANAGEMENT

Activities:
- Identify and engage subject matter experts to identify key risks across the organization.
- Conduct a gap analysis to understand organization-wide compliance and legal risks and current control gaps:
  - Develop an initial list of core risks to review.
- Convene subject matter experts across the organization to assess key risks.
- Document company and industry-specific legal and regulatory requirements.
- Create uniform criteria to assess legal and compliance risks across likelihood and severity.
- Survey employees to understand core culture, employee perceptions, and related risks.
- Survey business units regularly to uncover changes in compliance risk exposures.
- Update potential list of risk exposures with (potential) changes to legal and regulatory landscape.
- Facilitate business unit-owned risk self-assessments that roll up to the corporate center.
- Work with the business to develop risk mitigation plans.
- Integrate compliance risk assessments with enterprise-wide risk identification efforts.
- Develop detailed risk-specific compliance standards for business units.
- Align business unit-owned risk self-assessments and mitigation plans with strategic business plans.

Page 2 of 9
ARM 362

Attachment 2, Page 3

Key metrics and milestones (Legal and Compliance Risk Management):
- Identification of top corporate compliance risks
- Documentation and assessment of most significant compliance and legal risks to company
- Progress against risk mitigation plans
- Year-over-year changes in business unit risk assessment results

POLICIES, STANDARDS & PROCEDURES

Code of Ethics and Business Conduct
Activities:
- Create a Code of Ethics (CODE) and Business Conduct to inform employees of organization-wide standards and values:
  - Include in content: Key risks and core values.
  - Include workplace-relevant learning aids (e.g., links to relevant policies).
- Present to CEO.
- Identify software for ethics hotline.
- Disseminate the CODE to staff.
- Certify staff against the CODE.
- Use software to establish a centralized policy library that links to policies, procedures, and forms/templates directly from the CODE.
- Regularly communicate the value behind the CODE.
- Enlist corporate managers to reinforce the CODE's importance.
- Certify staff against the CODE.
- Establish the CODE as the main internal policy and ethics information portal (CODE intranet strategy).
- Refresh CODE training and comprehension aids.
- Certify staff against the CODE.

Key metrics and milestones:
- Completion of the CODE and post to Central
- Identify 3-4 potential software for hotline
- Percentage of staff aware of the CODE (All Employee Survey)
- Number of internal hits on the CODE intranet portal
- Percentage of staff aware of the CODE
- Number of internal hits on the CODE intranet portal
- Percentage of staff aware of the CODE

Policy Management
Activities:
- Review and document existing policies (through interviews with business units and subject matter experts).
- Identify critical policy gaps.
- Identify software for policy management.
- Make accessible to all employees an inventory of compliance and ethics policies, procedures, and guidelines.
- Establish a formal process for creating policies in response to new laws or internal developments, including formation of a policy committee.
- Review needs for new policies (and the possible elimination of redundant policies), creating new policies and procedures based upon risks.
- Review existing policies and procedures to ensure readability (and up-to-date translations), standardization, and clarity in required action.
- Work with partners to ensure business unit integration / alignment of policies and procedures.
- Develop business unit-specific compliance manuals (guides on appropriate procedures).

Page 3 of 9
ARM 363

Attachment 2, Page 4

Key metrics and milestones (Policy Management):
- Number of newly created policies
- Review of outdated policies
- Identify 3-4 potential software policy management solutions
- Completion of policy inventory
- Number of policy gaps as identified by Internal Audit
- Number of newly created policies
- Number of policy gaps as identified by Internal Audit
- Number of newly created policies
- Number of policy gaps as identified by Internal Audit

Page 4 of 9
ARM 364

Attachment 2, Page 5

TRAINING

Activities:
- Develop a risk-based compliance and ethics training curriculum.
- Determine whether to develop training in-house or to purchase modules from a vendor (cost analysis).
- Conduct CODE training.
- Develop a compliance and ethics training calendar for all employees.
- Conduct CODE training.
- Conduct mandatory training for employees by job category and role.
- Conduct CODE training.
- Implement content review procedure with subject matter experts and refresh training content as necessary.
- Create relevant training modules.
- Customize delivery options for trainings and build in assessments and certifications.

Key metrics and milestones:
- Number of created training modules
- Percentage of managers' completion of mandatory training
- Percentage of employees completing mandatory training by assigned deadline
- Percentage of managers' completion of mandatory training
- Percentage of employees completing mandatory training by assigned deadline
- Percentage of managers' completion of mandatory training
- Percentage of employees completing mandatory training by assigned deadline
- Changes in employee survey results and incidents of misconduct

COMMUNICATIONS

Activities:
- Determine communications strategy that aligns with training calendar.
- Identify communication topics, e.g., CODE, articles about ethics, news stories, and trade research.
- Develop internal branding for the Compliance and Ethics Office.
- Create a compliance communications calendar outlining messaging issued from the CEO and the Compliance Office.
- Refresh compliance helpline materials (e.g., posters, advertisements).
- Prepare key compliance and ethics messages tied to the CODE and conflicts of interest disclosure.
- Tailor communications for discrete employee audiences.
- Determine expanded audience for communications, e.g., agents, Board.
- Concentrate on enabling managers to deliver compliance and ethics messages.

Key metrics and milestones:
- Annual communications calendar created
- Percentage of clicks on compliance link
- Percentage of clicks on compliance link
- Employee feedback

Page 5 of 9
ARM 365

Attachment 2, Page 6

ALLEGATION REPORTING & INVESTIGATIONS

Helpline Administration
Activities:
- Analyze hotline and reporting trends to uncover any risk hotspots or weak controls across the organization.
- Publicize methods by which employees can report concerns and allegations, e.g., manager, Compliance and Ethics Office.
- Create and/or communicate corporate speaking-up policy.
- Implement communication and training plans to better inform and train employees about hotlines and use of non-hotline reporting avenues.
- Review hotline and case management systems for efficiencies, e.g., integrate all case management efforts.
- Test employee comfort speaking up in employee surveys and focus groups.
- Analyze investigations procedures including:
  - issue escalation criteria;
  - allegation taxonomy;
  - case management access points and rights.

Key metrics and milestones:
- Analysis of hotline
- Number of advice calls to the helpline vs. number of allegation reports
- Number of substantiated allegations to the helpline
- Average time required to resolve helpline calls
- Number of advice calls to the helpline vs. number of allegation reports
- Number of substantiated allegations to the helpline
- Average time required to resolve helpline calls
- Number of advice calls to the helpline vs. number of allegation reports
- Number of substantiated allegations to the helpline
- Average time required to resolve helpline calls
- Ratio of compliance-relevant cases to HR-related cases

Investigations
Activities:
- Conduct investigations training for relevant staff.
- Identify and implement any opportunities to streamline the company-wide investigations process.
- Refresh investigators' training to ensure consistency in approaches and adherence to protocol across the organization.
- Communicate investigations team successes to broader employee base.

Key metrics and milestones:
- Percentage of substantiated allegations
- Percentage of substantiated allegations
- Number and type of process changes made as results of substantiated allegations
- Number and type of substantiated allegations, e.g., conflict of interest, fraud
- Percentage of substantiated allegations
- Average investigation length
- Number and type of process changes made as results of substantiated allegations
- Year-over-year investigation trend analysis
- Percentage of substantiated allegations
- Average investigation length
- Number and type of process changes made as results of substantiated allegations
- Year-over-year investigation trend analysis

Page 6 of 9
ARM 366


Attachment 2, Page 8

DISCIPLINE & INCENTIVES

Activities:
- Develop disciplinary guidelines (working with the Compliance Advisory Group).
- Train business unit general managers and Human Resources staff on disciplinary guidelines.
- Communicate disciplinary guidelines to broad employee base.
- Conduct background checks of all new employees.
- Provide real examples of compliance / CODE failures and the disciplinary actions taken.
- Provide managers with guides for appropriately responding to incidents of misconduct.
- Ensure proper background checks and screening for all employees considered for positions of authority and trust.
- Create compliance and ethics performance objectives for senior leaders.
- Conduct background checks for employees considered for promotions to positions of authority.

Key metrics and milestones:
- Creation of disciplinary guidelines
- Number of disciplinary actions taken
- Year-over-year disciplinary trends
- Year-over-year disciplinary trends
- Percentage of senior leaders meeting compliance and ethics objectives per the CODE

PROGRAM MEASUREMENT & MONITORING

Activities:
- Translate most significant regulatory standards into testable controls and procedures across the business.
- Collaborate with Internal Audit to understand company-wide internal compliance controls testing.
- Provide Board with core metrics to track fulfilled regulatory / program measurement obligations.
- Partner with Internal Audit to create a compliance plan.
- Compare priorities against Federal Sentencing Guidelines elements.
- Embed compliance monitoring plans in Business and Strategic Plans.
- Track regulatory exam results and violations at the business unit level.
- Review and eliminate overlaps in internal controls testing between Compliance and Internal Audit.
- Track regulatory exam results and violations at the business unit level.
- Conduct year-over-year analysis of changes in employee perceptions.

Page 8 of 9
ARM 368

Attachment 2, Page 9

Key metrics and milestones (Program Measurement & Monitoring):
- Analysis of Compliance and Ethics program budget and staffing
- Analysis of Compliance and Ethics program budget and staffing
- Internal Audit results
- Year-over-year comparison:
  - Analysis of Compliance and Ethics program budget and staffing
  - Internal Audit results
  - Regulatory fines
- Year-over-year comparison:
  - Analysis of Ethics and Compliance program budget and staffing
  - Percentage of employees who fear retaliation from reporting
  - Customer satisfaction results

Page 9 of 9
ARM 369