Key Questions for Your Functional Partners. Improving Cross-Functional Collaboration in Compliance Program Activities


WHAT IT MEANS TO BE BUILT-IN
This report will help integrate compliance and ethics programs into an organization's operations by improving cross-functional coordination of program activities.

[Figure: What Compliance Must Do to Build Compliance Activities into Business Operations. Assess for burden and integration; design activities to be part of business workflows; coordinate with related assurance activities. Built-in compliance is coordinated with similar assurance activities that could otherwise cause overlap and unnecessary burden on employees. Source: CEB, now Gartner analysis.]

OCCASION FOR THE REPORT
Context for this Report
As organizations have expanded into new products and geographies and the regulatory environment has evolved, the average organization's risk profile has changed as well. To manage a growing set of risks, many organizations have established new risk management functions over the past decade (e.g., Enterprise Risk Management, Data Privacy, Information Security), often dramatically increasing the number of internal assurance functions. For compliance and ethics programs to be successful, they must learn to work with this expanded set of assurance partners on the design and execution of risk management activities. Collaboration at this level will increase program activities' impact and efficiency while reducing unnecessary burden on employees.

Objectives for this Report
This report is a companion piece to our Interview Guides for Assessing Compliance Program Activities and Effectiveness, which help compliance executives identify which functions create compliance risk to the organization. Use this report to increase compliance program activities' efficiency and impact by identifying opportunities to collaborate with functional partners. The guidance and tools will help you:
Identify key functional partners for each program activity,
Structure conversations to identify areas of similar or redundant work and overlapping interests among functional partners, and
Improve cross-functional collaboration at a granular, workflow-execution level.

HOW TO USE THIS REPORT
Overview
This report provides compliance executives with questions to ask relevant functional partners before beginning an activity. The questions will help uncover opportunities to improve collaboration by eliminating redundant work, cooperating on shared priorities, or improving information sharing and access. In doing so, compliance executives can increase both the efficiency and the effectiveness of program activities while reducing the burden for program staff, functional partners, and employees.

How to Use the Questions in this Report
Before launching new compliance initiatives, Compliance must first understand functional partners' activities and use that knowledge to identify areas for closer cooperation. To enable meaningful collaboration, compliance executives should ask key functional partners questions that create visibility and assess feasibility.
Create visibility: Where and how are related activities happening (e.g., the activity's scope, timing, and frequency, and the employee groups affected)? For example, if a functional partner provides training on a topic relevant to compliance and ethics, an opportunity to partner on content design or delivery may exist.
Assess feasibility: What are the barriers to coordination (e.g., activities don't meet Compliance's needs and standards, Compliance can't modify activity strategy)? For example, Compliance may not be able to embed content into a functional partner's training if that partner has no mechanism for tracking training completion.

COORDINATION OPPORTUNITIES AT A GLANCE
Use this page to quickly identify the key functional partners to coordinate with for any given compliance and ethics program activity, or to determine which activities to discuss with a given functional partner.

[Activity Collaboration Matrix. Columns (program activities): Training, Board Reporting, Communications, Risk Monitoring, Policy Maintenance, Risk Assessment, Conflicts of Interest Disclosure, Third-Party Risk Management. Rows (functional partners): Data Privacy, ERM, Finance, HR, Information Security, Internal Audit, IT, Learning and Development, Legal, Marketing and Communications, Procurement, Sales. Cell markings are not reproduced; the partners for each activity are listed on the activity pages that follow. Source: CEB, now Gartner analysis.]

TRAINING
Output of Functional Coordination: A streamlined enterprise training calendar

Data Privacy, HR, Information Security, and other functions providing employee-facing training on policies and procedures
What is your current training calendar (e.g., what training do you provide employees, when)?
Which employee segments do you target for training?
What channels (e.g., live, online) do you use to train employees?
How do you assess training impact?
Are you willing to adapt current training or incorporate compliance content?
Do you develop this training in-house or do you use a vendor module? Is customization of a vendor module possible? Are the costs prohibitive?
Do you track training completion?
Are there regulatory constraints on the training you provide (e.g., content, timing, frequency)?

Finance, Learning and Development, Marketing and Communications, Procurement, Sales, and other functions providing skill training
What is your current training calendar (e.g., what training do you provide employees, when)?
What channels (e.g., live, online) do you use to train employees?
How do you assess training impact?
What are the primary skills or activities you train staff on?
What tools do staff use to do their jobs?
Where does your team struggle to meet compliance expectations? Where have there been compliance issues in the past?
Do you develop this training in-house or do you use a vendor module? Is customization of a vendor module possible? Are the costs prohibitive?
Do you track training completion?

BOARD REPORTING
Output of Functional Coordination: Integrated board reports

Data Privacy, ERM, Internal Audit, Legal, and other functions that report to the board on legal and compliance risk topics
On what risks do you report to the board?
What are the top findings you are planning to report on [risk]? (1)
What rating scales and methodology do you use to arrive at risk findings?
What is your board reporting schedule?
What format do you use for your reports? How do you display risk information (e.g., heat map, barometers)?
Are there any regulatory constraints on board reporting (e.g., content, frequency)?
Are you willing to share and coordinate on your board reports?

(1) In the bracket, insert the specific risk you are interested in.

COMMUNICATIONS
Output of Functional Coordination: A cross-functional communications calendar

Data Privacy, HR, Information Security, Legal, Marketing and Communications, and other functions that send communications with legal and compliance implications to employees
What is your employee-facing communication plan (e.g., which messages, when, how often)?
What guidance or messages do you provide on [risk/topic of discussion]? (1)
In what format do you send messages?
How do you adapt communications regionally (e.g., translation, adapted content)?
Are there regulatory constraints on your messaging (e.g., content, frequency)?

(1) In the bracket, insert the specific risk or topic of discussion you are interested in.

RISK MONITORING
Output of Functional Coordination: A cross-functional risk monitoring plan for each major compliance risk

Data Privacy, ERM, HR, Internal Audit, and other functions that conduct regular risk-monitoring exercises on the data they collect
Which risks are you responsible for monitoring?
How do you monitor these risks (e.g., data analytics, audits, calendar of risk monitoring or auditing activities, common control framework, database of assessment or audit findings)?
Which data assets do you use to monitor risks?
What are the red flags you look for as part of your monitoring?
Which metrics do you track to help you quantify risk exposure?
What system do you store risk information in?
What are your upcoming reporting requirements (e.g., board, regulator, examiner)?

Information Security, IT
What are the main systems, platforms, or vendor solutions functions in the organization are using to monitor risks?
Is there any obstacle to integrating these systems (e.g., security risks, hardware or software requirements, licensing fees)?
Can you grant broader access to your databases?

Are there any regulatory constraints on your risk monitoring exercises (e.g., reporting requirements, data format)?
Will Internal Audit allow Compliance to own monitoring throughout the organization?

POLICY MAINTENANCE
Output of Functional Coordination: A central policy inventory

Data Privacy, HR, Information Security, Internal Audit, Legal, and other functions that create and maintain employee-facing policies with compliance implications
What policies do you own, and what risks are those policies designed to manage?
What guidance do you provide in your policies on [risk]? (1)
What is the format of the policies you own?
Where do you store your policies?
Who has access to your policies, who audits them, and who keeps them up to date?
Are there regulatory constraints on your policies (e.g., ownership, content, maintenance)?
What is your process for drafting and approving policies?
How often do you update your policies?
Do you have any metrics that indicate how often employees use your policies for guidance and how valuable they find them?

(1) In the bracket, insert the specific risk you are interested in.

RISK ASSESSMENT
Output of Functional Coordination: A compatible risk taxonomy and assessment methodology

ERM and any other function that conducts a stand-alone risk assessment
What risk taxonomy do you use (e.g., risk categories)?
What is your methodology for evaluating and scoring risks and events (e.g., what is the definition of high, medium, low)?
Where do you store the risk information, and how is it used later (e.g., GRC system)?
Are you using any business unit self-assessments as part of this process?
When and how are you reporting results to senior leadership and/or the board?
Which legal and compliance risks do you include in your risk assessment?
What is the time frame for completing your next risk assessment?

Internal Audit
What is the audit calendar for the upcoming year?
Do you have any recent audit findings that would inform our risk assessment of [business unit/geography/risk]? (1)
Are there any trends in recent audit findings with implications for compliance-owned policies, procedures, or controls?
Does the audit budget or schedule have flexibility to enable additional audits (e.g., auditing a third party if an internal audit is held nearby)?
Can Audit tweak its methodology to accommodate Compliance's needs?

(1) In the bracket, insert the specific business unit, geography, or risk you are interested in.

CONFLICTS OF INTEREST DISCLOSURE
Output of Functional Coordination: A conflicts of interest disclosure process embedded in functional systems

Finance, HR, and Procurement
Do you track conflicts of interest and store related information?
What is your process for uncovering or monitoring conflicts of interest (e.g., financial conflicts, conflicts with third parties)?
What are your protocols for escalating this information?
Are there any trends or patterns you have noticed when analyzing the conflicts data you collect?
Do you have any recommendations for improving the disclosure process?
Can you expand access to relevant databases or vendor systems?
Can you customize any vendor systems where you house conflicts information?

Internal Audit
Have you ever uncovered conflicts as an issue's root cause or leading indicator?
Are there any patterns, trends, or changes in audit findings with respect to conflicts of interest?
Do you report on this information, and if so, to whom?
Have you made any recommendations for improving the conflicts identification and remediation process as part of your audit results?
Can you grant broader access to your databases?

Information Security, IT
What are the main systems, platforms, or vendor solutions functions in the organization are using to understand and track conflicts of interest?
Is there any obstacle to integrating these systems (e.g., security risks, hardware or software requirements, licensing fees)?

THIRD-PARTY RISK MANAGEMENT
Output of Functional Coordination: A cross-functional third-party risk management strategy (e.g., governance, processes)

Data Privacy, Finance, Information Security, Legal, Procurement, and other functions conducting third-party due diligence or monitoring
What is the process for conducting due diligence on a potential third party?
What are your information and process requirements when completing the third-party risk management process?
Can you share the information you collect from potential third parties?
Do you collect any documentation from third parties or request any certifications (e.g., training, policies)?
Do you use a vendor to conduct third-party due diligence?
How do you monitor third parties on an ongoing basis?

Information Security, IT
What are the main systems, platforms, or vendor solutions functions in the organization are using to conduct due diligence and manage third parties?
Is there any obstacle to integrating these systems (e.g., security risks, hardware or software requirements, licensing fees)?

How do you determine whether a third party requires due diligence from your function?
Can you expand access to your information databases and contract management systems?
Are you willing to coordinate with Compliance during the third-party risk management process?

About CEB, Now Gartner
Leading organizations worldwide rely on CEB services to harness their untapped potential and grow. Now offered by Gartner, CEB best practices and technology solutions equip clients with the intelligence to effectively manage talent, customers, and operations. More information is available at gartner.com/ceb.

About Gartner
Gartner, Inc. (NYSE: IT) is the world's leading research and advisory company. The company helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. Gartner's comprehensive suite of services delivers strategic advice and proven best practices to help clients succeed in their mission-critical priorities. Gartner is headquartered in Stamford, Connecticut, USA, and has more than 13,000 associates serving clients in 11,000 enterprises in 100 countries. For more information, visit gartner.com.

Contact Us to Learn More: cebglobal.com/compliance-legal