ORGANISATIONAL COMPLIANCE
PRESENTATION OPEN PUBLISH CONFERENCE 2005
2005 - Copyright Komodo CMS Pty Ltd
ORGANISATIONAL COMPLIANCE PRESENTATION
David Warwick BA MBA AIMM AACS
David is one of the architects behind the successful web content management system
Komodo CMS, as well as Director of the corporate communications and design
consultancy Smart Works Pty Ltd and of the Apple Authorised Reseller Crunch IT Pty Ltd.
David is also a member of the ADMA eMarketing Council, a member of the Fundraising
and Development Sub-committee of the not-for-profit Western Chances and a business
case writer for the Melbourne Business School. Recently David and Komodo CMS have
been working with compliance and legal services experts in the development of a
Corporate Governance Solution called Novation CGS.
An arts graduate from Monash in the disciplines of English and Sociology, David is also
an MBA graduate from Melbourne Business School and a member of numerous
professional organisations including the Open Compliance and Ethics Group (OCEG),
the Content Management Community of Practice (CMPros), the International Association
of Business Communicators (IABC), the Australian Institute of Management (AIM), the
Melbourne Press Club, the Australian Computer Society (ACS), the Australian Direct
Marketing Association (ADMA), the Australian Graphic Design Association (AGDA),
the Australian Interactive Media Industry Association (AIMIA), and the Australian Internet
Industry Association (IIA).
SCOPE
SCOPE & DEFINITIONS
Definition of Compliance
A structure of relationships and processes to direct and control the enterprise in order to
achieve the enterprise’s goals by adding value while balancing risk versus return over IT
and its processes (I.T.G.I., 2000).
Session Extract
Today’s compliance systems need to deliver quality information, ensure competency,
measure knowledge penetration and automate exchange. The best solutions integrate
with other systems and share resources. Compliance has always been a key area and is
now affecting emerging technologies such as content management and mobile
communications. Hear where compliance is headed, including issues and emerging
technical models.
Compliance Subsets
Organisational Compliance [Governance, Risk Management, Procedural Systems]
Software Compliance
Technical Standards Compliance
MACRO FACTORS
INNOVATION CONTROL
11 Days > 10 Years > 9 > 8 > 1995
In eleven days’ time it will be the 10th anniversary of the day Netscape was launched on the US stock market, a
day that many commentators have called the commercial birth date of the Internet. How quickly we forget
what the world was like before 9 August 1995.
On that day the dot.com boom began, with Netscape doubling its launch price of US$28 on the same day. The seed
was sown for the corporate collapses that would trigger a rush to improve investor confidence in commercial
markets through improved compliance with much more stringent financial regulation.
9 Days > 3 Years > 19 > 7 > 2002
Nine days ago it was the 3rd anniversary of the passage of the Sarbanes-Oxley (SOX) Act in the United States:
the political equivalent of a knee-jerk reaction to the massive Enron collapse and the similar but less dramatic
collapses that had preceded it.
If, ten years ago, the Netscape float marked the beginning of the dot.com era and the departure of corporate sense,
then Sarbanes-Oxley, three years ago, brought the curtain down. Now, three years on, organisations are grappling
with compliance and how to make it sustainable.
“The first and often only reaction from governments to abhorrent corporate behaviour – however isolated the
incident – is to enact new legislation and give the regulators more power” (Arbouw, 2005). But this rush to
legislative judgement may be a threat to the economy.
TIMING
GLOBAL FORCES
The rush to comply
The financial year just closed has been a busy year for standards and legislation, “with
the AASB issuing the Australian equivalents to the International Financial Reporting
Standards (AIFRS), the Auditing and Assurance Standards Board (AuASB) issuing seven
new auditing standards and CLERP 9 being passed by Parliament” (Locke, 2005).
Compliance and Content Management Systems
AIIM International conducted a survey in late 2004 of 1,200 users and potential users of
Content Management Systems to determine their main purchase drivers; 24 percent
included risk-driven issues, 19 percent included compliance and 5 percent included
business continuity (Henschen, 2005).
Also reflecting compliance concerns, the top-ten project priorities reported in the survey
include at Number 1: Records Management and Archiving; at Number 2: Document
Control; at Number 3: Email Management; at Number 4: Information Capture; at Number
8: Statutory and Regulatory Management; at Number 9: Technical Document
Management; and at Number 10: Process Automation (Henschen, 2005).
No fewer than 7 of the top 10 project drivers for Content Management installations
related to compliance issues.
IMMATURITY
SQUARE PEG ROUND HOLE
Benefits
Workflow – Ability to align compliance process with internal resources and an approval path.
Accessibility – Real-time storage and retrieval.
Archival – Ability to store and meet record management requirements.
Due Diligence – Demonstration of senior managerial commitment to compliance.
Streamlined Verification – Internal and auditor access to required material.
Security and Access – Privacy, Security and Risk Controls are assisted.
Sustainability – The first steps to ‘established and structural’ compliance (Kugel, 2003).
Weaknesses
Quality and effectiveness of process
Accountability and specific role in process (qualification and determination)
Risk assessment (compliance related tool-kits)
Risk controls (integration into other management and reporting environments)
Communication (pull communication rather than push)
Deficiency testing
The key weakness is that the user organization must develop and maintain the compliance process, legislation
requirements, communication methods and reporting pieces. This is generally specialised knowledge not resident
within the organisation.
TRENDS
COMPLIANCE IS SO HOT RIGHT NOW!
Movement at the station
Record Information Management (RIM) has caught the attention of Content Management (CMS) vendors who
have snapped up proven products and integrated them into their own product offerings (Mitchell, 2005). One of the
problems, however, is that no organisation is ever going to have a single repository of all its records.
Microsoft CEO, Steve Ballmer believes that “compliance in general is a very strong focal point for CEOs and
CIOs. IT products that facilitate compliance will be quite popular. In Microsoft’s case, to some degree we'll have
some new products that help with compliance. But in large measure, we're going to continue to build into our
existing products features that support compliance, and try to get people to upgrade because they want those
features. In some senses, part of the way we've been selling our rights management product so far has been to
facilitate certain compliance scenarios. So we're already kind of hard at work on at least aspects of compliance, as
are a number of our partners” (Ricadela, 2005).
Specific examples
> e-OneHundred (financial compliance software)
acquired by Stellent Inc. (ECM) in June 2005 for US$7 million to produce the Stellent Sarbanes-Oxley Solution.
> Certus (aligned with Hummingbird ECM)
> Paisley Consulting (aligned with Documentum ECM – owned by EMC Storage)
BUSINESS THINKING
RATIONALE FOR COMPLIANCE AND SYSTEMS
Current statistics on compliance
BT Governance Advisory Service research on the ASX Top 200 companies in 2005 found
that “83 percent had no formal oversight of bad business practices … 46 percent did not
disclose policies protecting whistleblowers … and over 50 percent did not disclose
policies to protect against violations of customer privacy” (Gettler, 2005). This is borne
out by recent compliance controversies involving blue-chips such as Coles Myer, Telstra,
Woolworths, Boral, Visy Industries and Rural Press.
Doing the right thing while no one is looking
No organisation can assume that it is ethical without some form of deliberate activity to
promote ethical behaviour, train on ethics and assess the decision-making methods of the
organisation (Weiss, 2005 - 2).
A Stanford Business School survey of 800 MBA students across the USA and Europe in
2004 found that 97 percent of respondents “would forego significant financial benefits to
work for an organization with a better reputation for ethics and corporate social
responsibility” (Weiss, 2005 – 2).
“Organizations recognize the importance of implementing good corporate governance,
risk management, compliance and ethics into business operations, but often
struggle with how to put these principles into practice” (Mitchell, S., 2005).
A FRAMEWORK
COMPLIANCE ANALYSIS OF KEY AREAS
Marketing and the 4 P's / 7 P's
Compliance and the ...
FIFTEEN P - COMPLIANCE MODEL™
1-3 PROCEDURES ET AL.
[Model diagram - Organisation Typology: Protocol (1), Policy (2), Procedure (3)]
CON
H
THE COMPANY MANUAL - 2005
Stillborn, but still kicking!
The Zombie of the Information World.
Let’s take a closer look ...
Procedures
Policies
Protocols
(you can add some more if you want)
Provisions
Platitudes
Procrastination(s)
Padding (very important)
FIFTEEN P - COMPLIANCE MODEL™
4 PROSCRIPTION
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4)]
CON
H
Compliance Content ...
10-K (SEC)
21 CFR 11
AGLS
AS/NZS 2124 / 2125 / 2127 / 4121 / 4269 / 4360 / 4801 / 4804 / 5037 / 8000
ASX Rules
AS/NZS ISO 9000 / 9001 / 9004 / 14000 / 15489 / 17799
Basel II
CLERP 9
CMMI
Common Law (per jurisdiction)
Corporations Law
COBIT
COSO
FERPA
FTA
FISM
FSG 2004
GLBA
HIPAA
IAS
IRS 1099
NYSE Rule 431
OPC5
SAS 70
SOX
SP1386
W3C (HTML, CSS, WAI)
FIFTEEN P - COMPLIANCE MODEL™
5-6 PLAN / PRIORITIZE
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6)]
MAN
H
What needs to be in a compliance system?
Legal requirements?
Organisational objectives?
Risk reduction and management?
Business drivers?
Sustainability!!!
FIFTEEN P - COMPLIANCE MODEL™
7 PRODUCE
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7)]
MAN
H
CON
H
SYS
H
SYN
H
Would the person who wants to write the procedures please step forward!
Let’s just call this hard and be done with it!
Management buy-in or pass down the line?
External consultants - that will fix it!
Let’s do it all ourselves - even better!
FIFTEEN P - COMPLIANCE MODEL™
8 PUBLISH
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8)]
SYS
H
We have control!!! Phew.
We have the processes and everyone knows what to do!
The hard realities of organisational knowledge.
Tacit - Explicit and the road home.
Otherwise called (by me at least) the Rainbow Effect
FIFTEEN P - COMPLIANCE MODEL™
9 PERSUADE
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8), Persuade (9)]
MAN
H
CON
H
SYS
H
SYN
H
Delivery matters
Banned from the ranch (lawyers, engineers, management consultants)
Management by proxy and physical systems
Quality and engagement of content
Clarity, tone and simplicity
Ease and form of access
FIFTEEN P - COMPLIANCE MODEL™
10 PENETRATE
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8), Persuade (9), Penetrate (10)]
MAN
H
Culture, management and relevance
Staff turnover and retention
Criticality and relevance of material
Level of mandate and organisation wide focus
Perseverance, patience and persistence (3 more Pees)
FIFTEEN P - COMPLIANCE MODEL™
11 PROBE
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8), Persuade (9), Penetrate (10), Probe (11)]
MAN
H
CON
H
SYS
H
SYN
H
Competency Assessment, BPM, Surveys, KPI analysis
We know our business and we have processes in place!
Does anyone know about them? Are they working, are they complete, are they effective,
and how many are used, worked around or out of date?
Testing needs to be carried out against key items.
Analysis of effectiveness needs to be made.
Soft analysis also needs to be carried out.
FIFTEEN P - COMPLIANCE MODEL™
12 PUNISH
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8), Persuade (9), Penetrate (10), Probe (11), Punish (12)]
MAN
H
The 'stick'
Identifying the organisational weaknesses
Evidence for HR hearings and negotiations
Ability to moderate process and managerial style
Large potential negative impact on motivation
FIFTEEN P - COMPLIANCE MODEL™
13 PROVE
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8), Persuade (9), Penetrate (10), Probe (11), Punish (12), Prove (13)]
SYS
H
Evidence, discovery, storage and reporting
We store everything!
eMail, Instant Messaging, Laptops, Wireless Communication, Analogue?
Discovery of the appropriate material in real-time is the implied requirement.
More and more legislation and standards require substantive reporting.
Let’s talk about hardware and software implications ...
FIFTEEN P - COMPLIANCE MODEL™
14 PRONOUNCE
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8), Persuade (9), Penetrate (10), Probe (11), Punish (12), Prove (13), Pronounce (14)]
MAN
H
Core Promises
Management should never claim compliance unless they can prove it!
Core promises and the effect of Sarbanes-Oxley (SOX) Section 404
‘Substantiation of Integrity’
Now organisations have to prove compliance (quickly)!
FIFTEEN P - COMPLIANCE MODEL™
15 PERFORM
[Model diagram - Legislation / Standards; Organisation Typology: Protocol (1), Policy (2), Procedure (3), Proscription (4), Plan (5), Prioritize (6), Produce (7), Publish (8), Persuade (9), Penetrate (10), Probe (11), Punish (12), Prove (13), Pronounce (14), Perform (15)]
MAN
H
CON
H
SYS
H
SYN
H
The 'Holy Grail'
Why does an organisation exist?
"To perform when measured against relevant outcomes"
(14) Pronouncing compliance sends a signal of competitive advantage
(10) Penetration of knowledge increases skill levels & effectiveness
(9) Persuasion (or internal motivation and clarity) aligns effort
AND
(4) Compliance with the law is a hygiene factor
Integration of these 15 elements creates a high barrier to entry!
DELIVERY PROCESS
FIFTEEN P - COMPLIANCE MODEL™
+10 MORE PEES
[Model diagram - Legislation / Standards; Organisation Typology: all fifteen elements, Protocol (1) through Perform (15)]
MAN
H
CON
H
SYS
H
SYN
H
In other words ...
16 - Permanence (Sustainability)
17 - Pertinence (Relevance)
18 - Permeability (Flexibility)
19 - Purge (Data Integrity)
20 - Permit (Mandate)
21 - Patience (Reality)
22 - Pain (Change)
23 - Progress (Innovation)
24 - Profitable (Business Focus)
25 - Position (Competitive Adv.)
MANUAL vs CMS vs GOVERNANCE vs INTEGRATED SUITE
SCORING COMPARISON (weighted scoring: Low (1), Medium (2), High (3), Very High (4))
ORGANISATIONAL COMPLIANCE
RECAP IN OTHER LANGUAGE (NO P'S)
Lessons
Champion – Mandate and imperative must come from the CEO and Board
Communication – Compliance must be a central tenet and actively communicated
Clarity – Roles and responsibilities must be clearly defined for all
Education – Education and training must be provided under a sustainable model
Ownership – IT, Finance and Operations must own their aspects of a holistic model
Alignment – Compliance should be aligned with organisational objectives
Hijacking – Compliance should not hijack the business from other development projects
REFERENCES
SOURCES ON COMPLIANCE
Arbouw, J. (2005) Irrational Exuberance and Corporate Regulation in Company Director, Australian
Institute of Company Directors, Volume 21, Number 5, June 2005, ISSN 0816-5521, pp. 8-10.
Chester, B. (2005) Content Management: Digital Compliance, in DB2 Magazine: Information on Demand,
Volume 10, Number 1, Quarter 1, 2005.
Dallas, G. (ed.) (2004) Governance and Risk: An analytical handbook for Investors, Managers,
Directors and Stakeholders, McGraw-Hill, New York, ISBN 0-07-142954-9.
Fels, A. (2005) Managing Compliance through Online Document Delivery, SAI Global Electronic
Products and Services, Standards Australia.
Field, J. (2005) Novation Fundamentals: SME Business Version, Company Brochure, Novation Corporate
Governance System, Sydney.
Grayson, D. and Hodges, A. (2005) Opportunities Knock, in Keeping good companies; Journal of
Chartered Secretaries Australia Ltd, Volume 57 Number 6, July 2005, pp. 326-330, ISSN 1444-7614.
Friedman, T. (2005) The World is Flat: A brief history of the Globalized World in the 21st Century,
Allen Lane – Penguin Group, London, ISBN 0-713-99878-4.
Gettler, L. (2005) Funds blow whistle on ethics: Australian companies are not doing enough to promote
sound business practices in The Age, Fairfax Media, 25 June 2005.
G.M.I. (2005) Corporate Governance Ratings, Governance Metrics International (GMI),
(www.gmiratings.com), accessed: 18 July 2005.
Henschen, D. (2005) Research: Cost and Compliance Issues Drive ECM in Compliance Pipeline, part of
the TechWeb Business Technology Network, CMP United Business Media (www.compliancepipeline.com),
24 May 2005.
Higgins, J. (2005) How To: Self-funding IT Governance in Compliance Pipeline, part of the TechWeb
Business Technology Network, CMP United Business Media (www.compliancepipeline.com), 7 April 2005.
Hogan, R. (2005) Less is more in CFO: The Business End of Business, Fairfax Media, July 2005, pp. 18-19.
Holmes, D. (2001) e.gov e-business: Strategies for Government, Nicholas Brealey Publishing, London,
ISBN 1-85788-278-4.
Howell, R. A., de Mesa Graziano, C., Sinnett, W.M. (2005) Sarbanes-Oxley Section 404 Implementation:
Practices of Leading Companies, Financial Executives Research Foundation Inc., New Jersey, USA,
ISBN 1-933130-04-0.
Irsfeld, M. (2005) Sarbanes-Oxley Primer in Compliance Pipeline, part of the TechWeb Business
Technology Network, CMP United Business Media (www.compliancepipeline.com).
I.T.G.I. (2000) COBIT® 3rd Edition: Executive Summary, COBIT Steering Committee and the IT
Governance Institute, Illinois, USA, ISBN 1-893209-15-6.
Keasey, K., Thompson, S., Wright, M. (eds.) (2005) Corporate Governance: Accountability, Enterprise
and International Comparisons, John Wiley and Sons Ltd, West Sussex UK, ISBN 0-470-87030-3.
Kugel, R. (2003) Sarbanes-Oxley: The Document Management Dimension in Intelligent Enterprises, part
of the TechWeb Business Technology Network, CMP United Business Media
(www.intelligententerprise.com), June 2003.
Kugel, R. (2005) Fixing Sarbanes-Oxley: Frontlines Forum looks to future of compliance in Compliance
Pipeline, part of the TechWeb Business Technology Network, CMP United Business Media
(www.compliancepipeline.com), 20 May 2005.
Kugel, R. (2005 - 2) Sarbanes-Oxley Compliance Automation Mandatory for Larger Companies in
Intelligent Enterprises, part of the TechWeb Business Technology Network, CMP United Business Media
(www.intelligententerprise.com), 14 June 2005.
Locke, C. (2005) All change in Charter: The magazine for Australian CAs, Switzer Communications, July
2005, pp. 54-55.
Marlin, S. (2005) SOX Isn’t Just for the Big Guys in Information Week: Business Innovation Powered by
Technology, part of the TechWeb Business Technology Network, CMP United Business Media
(www.informationweek.com).
Mercx, H. (2004) Business Process Management: How to Orchestrate Your Business in Technology
Evaluation (www.technologyevaluation.com), 27 October, 2004.
Mitchell, R. (2005) Record Risks, in Enterprise Technology in Depth, ComputerWorld: The Voice of IT
Management, Vol. 27 No. 46, 15 June 2005, pp.24-25.
Mitchell, S. (President) (2005) Open Compliance and Ethics Group (OCEG): Foundation Guidelines
“Red Book”, Application Draft, Open Compliance and Ethics Group (OCEG), April 2005.
Rainbird, H., Fuller, A., Munro, A. (eds.) (2004) Workplace Learning in Context, Routledge, London,
ISBN 0-415-31631-6.
Ricadela, A. (2005) Ballmer on the ‘New World of Work’ in Information Week: Business Innovation
Powered by Technology, part of the TechWeb Business Technology Network, CMP United Business Media
(www.informationweek.com), 14 June 2005.
Sama, L. M., Shoaf, V. (2005) Reconciling Rules and Principles: An ethics-based approach to Corporate
Governance, in Journal of Business Ethics, Volume 58, April and May 2005, pp. 177-185, ISSN 0167-4544.
Tapscott, D. (2005) The Open Enterprise and IT in Compliance Pipeline, part of the TechWeb Business
Technology Network, CMP United Business Media (www.compliancepipeline.com), 1 July 2005.
Weiss, S. (2005) It’s a Slow Cure, but Healthcare gets a grip on HIPAA in Compliance Pipeline, part of
the TechWeb Business Technology Network, CMP United Business Media (www.compliancepipeline.com),
6 June 2005.
Weiss, S. (2005 - 2) The Ethical Side of Compliance in Compliance Pipeline,
part of the TechWeb Business Technology Network, CMP United Business
Media (www.compliancepipeline.com), 8 July 2005.