1

Automating Your Compliance Program Automating

YourComplianceprogram

Ted BanksCompliance & Competition Consultants LLC

Scharf Banks Marmor LLC

The Key Concepts• Capture knowledge electronically

& reuse it automatically

• Figure out what you do during your compliance activities, and

use automation tools to do it better.

• Make it your goal to have every employee want to partake of compliance because it is so wonderful.

2

“Three Rules to Build Your Digital Experience Strategy”*

1. Design dopamine digital experiences.– “I can’t wait.”

– “This is fun.”

– “I got it done.”

2. Be everywhere.

3. Stay fresh.

*J. Rymer & M. Gualtieri, KM World (Sept. 2012)

Acknowledgement

• Inspiration: ABA Tech Show 60 Sites in 60 Minutes, which became 60 Apps in 60 Minutes

• Today: A few “big” systems, a few small applications, and a bunch of ideas, some of which you may find useful.

3

The CCO Job

• Protect the company

• Do it by– Doing your job more efficiently (back office)

– Reaching employees more effectively (front office)

Priorities?

• #1 Help employees do their job better

• #2 Make your job better

• My philosophy: employees come first

4

Getting Help (or Inspiration)

• Vendors– Beware the BS

• Your IT Department

• Benchmarking with other companies

• Analogies from other systems

The Vendors1. They use adjectives instead of facts: “The Acme System is a robust compliance system designed to deliver the results you need. It has been specifically designed to be the most comprehensive and function tool available. It streamlines your job and will improve profitability. Call for a demonstration.”

5

The Vendors2. They are afraid of competition: We don’t want our competitors to copy our great ideas.

The Vendors

3. They don’t really know how to get the word out.

6

The Reality

• Good ideas can come from anywhere

• I am not endorsing the vendors I mention in this presentation,

but present them as examples of what can be done

• The toughest job: conceptualizing what you want

Paradigm 1: Filling Out a Form

• Forms are a powerful tool

• To work:– Requires that you know what

questions to ask

– Requires that it is used at the right time

– Requires that can be practically used by those who should do so

7

Learning from Data

Centralizing Data

• Avoid repetitive due diligence questionnaires

• Example: Trace International TRAC system for 3rd party verification

http://tracnumber.com

8

Paradigm 2: Painless Access

• Make compliance a seamless part of business processes

• Make access to information painless

• Make the compliance experience special

What Technology?

Real Biz Shorts -- www.corpedia.com

9

The Business Process

• Do you know what processes happen in your company that can incorporate a compliance step? (Siemens example later)

Making access to compliance information painless

• Instantaneous

• Automatic

• Fits the way the employee communicates –does not require new behavior

• Do you use an iPad?

www.intertek.com

10

Ease of Access to Information

www.corpedia.cominfo@corpedia.com

Do you use a smart phone (or even a not-so-smart phone)?

Use it for compliance!

11

Send a text message• The To-do List

– Type: todo <message>

– Example: todo draft social media policy

• Voting/Poll– Type: vote

<number>

– Example: vote 3

1-646-606-2806

WoltersKluwer ComplyTrack 6 Alpha www.mediregs.com/complytrack-suite

Make the Compliance Experience Special

• Can you use a geographic analogy to convey other compliance topics?

http://company.zynga.com/privacy/privacyville

12

www.trueoffice.com

True Office Mobile Compliance Games

What do you know about jobs?

• The Amazon model:– Based on what you buy, we know what you

probably want

• The compliance model:– Based on what you do, we know

your compliance risks

– Therefore, we target ourcompliance program

13

Linking Jobs to Risks

www.lrn.com

• No agreement on what compliance means

• So beware of companies that advertise “compliance” software, e.g., using compliance to mean document management or workflow

14

Regulatory Compliance

• Health care, financial services

• For compliance officer, or subject matter expert

• Make technical information more accessible

• Make sure that processes are followed

Regulated Industry Example: Health Care

www.mediregs.com

15

Look at each step of the compliance process: What can you automate?

• Risk Assessment

• Compliance standards and procedures

• Organizational infrastructure

• Due care in delegation• Communicate compliance

standards

• Monitor and audit

• Appropriate discipline

• Periodically update the program (triggers from reports)

• Generating heat map with audience response system

• Managing policies

• Track training of board, executives, compliance program for RIFs

• Background checks

• Conversion of PowerPoint to training; link of training to job descriptions; automated certification process

• Screens; automated email monitoring; expense monitoring

• Investigation process

• Triggers from reports

Training: WeComply Reporting Dashboard

www.wecomply.com

16

Back Office System

• Challenge: just too much to do and keep track of all of it

• Response: a comprehensive compliance system

Slide 32

PWC UK Enterprise Compliance Portal max.robertson@uk.pwc.com

17

Slide 33

Assessment – Template selection

Slide 34

Assessment - Self assessment summary

18

Slide 35

Assessment - Self assessment details / data entry

Assessment - Remediation plan details

19

Slide 37

Self certification - Dashboard

Slide 38

Self certification - Confirmation / sign off

20

Slide 39

Reports - Global assessment heatmap

Slide 40

Reports - Compliance dashboard report

21

Reports - Response breakdown report

Slide 42

Reports - Assessment against remediation progress

22

Slide 43

Reports - Level of risk details

Document library

23

Risk Assessment• Resolver Ballot + Protiviti: using audience

response systems

www.protiviti.com

Policy Management

• Could be something like SharePoint

• Central source for policies– On line copies linked to master

• Version control– Authority to alter

• Distribution to impacted employees

• Reminder to update

24

Policy & Procedure ManagementCreation, Review, Approve,

Organize

Certification and Self Assessments

Mapping to Risksand Controls

Alerts and Notifications

Awareness and Training

Tracking and Visibility

Policies related to -Gifts- Regulatory Compliance-Commission Payment-Expense Re-imbursement-Payment-Travel and Entertainment-Employee Background

Enforcing the policy and guidelines and ensuring compliance on employees and Third Parties

www.MetricStream.com

Training

• The garbage in-garbage out problem

• LMS,LCMS important for compliance

• What do I need to know to do my job?

• We fail– Overinclusive or underinclusive

– Static, boring

– irrelevant

25

Convert PowerPoint to eLearning: Articulate

www.articulate.com

Full Escape from PowerPoint

• The Khan Academy Blackboard Approach

• If you know your stuff, you should be able to teach it this way

www.khanacademy.org

26

Track Training of 3rd Parties:Eduneering Compliance Wire

www.uleduneering.com

Prevent

Training Program Effectiveness

Policy Certification

Detect

Performance of Controls

KPI/KRI Breach

Risk Assessments Audit Results

Respond

On-time Remediation mechanism

Resource and Time Management

Effectiveness of Compliance Program

Example fromMetric Stream

27

Administering Compliance Rules

• Train to use tool before certain actions, such as giving or receiving gifts

• Can combine automated process with manual review

Protection notice / Copyright noticeFor internal use only / © Siemens AG 2012

Policies and electronic tools help identify risk andbalance competing interests

Payment of - Meal- Gift- Local Travel

Acceptance of- Meal / Gift- Entertainment- Travel- Accomodation

Payment of - Entertainment- Non-local travel- Lodging

Government Officials: Mandatory

Private Sector: Voluntary

Voluntary

Government Officials& "critical" participants*:

Mandatory

Other participants:Voluntary

Provision Scorecard

AcceptanceScorecard

SpoDoM Tool

*Related Parties of Government Officials, healthcare providers, members of the purchasing department, invitees actively involved in the acceptance of a bid or the awarding of a tender

28

Protection notice / Copyright noticeFor internal use only / © Siemens AG 2012

Scorecards are used when gifts and/or meals are provided to Government Officials

Protection notice / Copyright noticeFor internal use only / © Siemens AG 2012Page 56

Pre-approval of sponsorships, donations, corporatememberships, other contributions and hospitalitypackages must be obtained via SpoDoM tool

Siemens supports many organizations around the world through sponsorship, hospitalitypackages, donations and other contributions.

Memberships in associations and contributions to certain groups and activities arean essential part of our Corporate Social Responsibility program, our leadership in industry initiatives and our programs to strengthen the Siemens brand.

The Sponsoring, Donation and Membership (SpoDoM) Tool helps to- focus these strategic efforts- enhance controls over associated costs- ensure compliance with applicable legal requirements

No contribution may be promised, offered or made to secure inappropriate competitive advantages All contributions must be clear, plausible and visible No contribution may be made to recipients whose goals are incompatible with

Siemens‘ corporate principles or which would damage Siemens reputation No contribution may be paid to private accounts.

29

Protection notice / Copyright noticeFor internal use only / © Siemens AG 2012

Pre-approval of entertainment, non-local travel, & lodging provided to certain 3rd parties must be obtained via SpoDoM tool

Entertainment, Non-Local Travel, or Lodging

Is the Invitee: Government Relative of government Health care provider Member of the purchasing department Actively involved in a purchasing decision or

the acceptance of a bid

Responsibility for decision on invitations not fulfilling any of these criteria – even expensive ones – is fully taken by the business.

SpoDoMApprovalRequired

NoSpoDoMApproval

No Yes

Exceptions (e.g. approval not necessary for…)

Company-organized events if the purpose of which is to provide scientific

or technical information or to serve as a forum for the discussion of cultural or economic topics the information is useful for the invitee there is a link to Company business food is limited to snacks and drinks no gifts or only small gifts (“giveaways”) of

nominal value are provided

Employee guests at company-organized events hosted exclusively for employees (e.g. company picnics or holiday parties).

Hospitality required by contract if contractual clauses are reviewed by legal.

Page 57

How do people communicate?• Talking is easier than keyboarding

• People love those Apple ads for SIRI because they love the idea of the freedom to communicate with a computer by speaking to it.

• Capture the inclination of peopleand make it work for you.

• SIRI and Google Voice Search actually work very well.

30

Compliance Advice on the Smartphone

• Question 1

Compliance Advice on the Smartphone

• Question 2

31

Concept: Voice Search

• You have a defined database– Code of Conduct

– Compliance Policies

– Business procedures

– Q&As and other communications

• If an employee has a compliance question, let them ask.

• Use voice input to provide data for other programs (e.g., ComplyTrack)

Concept: QR Codes for Compliance Info

For more info on any subject, take a picture of the related QR code

32

Artificial Intelligence Example: Neota Logic

• Capture legal rules and apply to a process

• The compliance challenge:1. Need to transfer customer or employee data

from one country to another.

2. Legal review of compliance requirements (notifications, forms, encryption, etc.) was costing as much as $30,000 per request.

• Can the process be automated?

http://www.neotalogic.com/

Neota Logic

• Step 1: Get the rules.

– Law firm compiled rules for 50+ countries

– Result: giant stack of memos

• Step 2: Operationalize the knowledge

– Create an expert system that takes the knowledge and asks questions about the nature and circumstances of the proposed transfer and then returns a list of the required compliance steps.

– Integrate with the company's existing internal workflow system

33

34

35

36

What can I do?

• Look for compliance gaps and ask yourself: How can I make better?

• Be familiar with commercial products

• Look for tools used by other companies

• Every time you hear about any automation advance, think: Can I use this in compliance?

But I’m not a techie . . .• Remember every moment you

said to yourself “I wish I could do . . .” - - and ask if it could be done.

• Make friends with IT Dept in company.

• Develop resources at local colleges to get young programmers who need jobs.

• Keep asking!

37

…but it can help you do your job better.

Remember . . .

Thank you.