FORMS AS COMPLIANCE CONTROLS
IMPROVE COMPANY COMPLIANCE USING FORMS
DUSTIN BORKLUND 1
DUSTIN BORKLUND
Certified Forms Consultant
Certified Compliance and Ethics Professional
Plain Language
Electronic Forms Technologies
Economic Order Quantity
Healthcare
Auto Finance
www.linkedin.com/in/borklund
I WASN’T ALWAYS A COMPLIANCE PERSON
Constantly wanting to eliminate or rewrite required disclosures to make them readable.
Frustrated with legalese.
Revisions from outside counsel made no sense.
Never provided the law that the form was trying to comply with.
Lawyers would sometimes review my forms and simply use a red pen to add redundant words.
I had to explain to my form owners that features and words were legally required.
I wanted to include dynamic features in electronic forms but Legal needed to see all permutations.
Many customer complaints were related to problems I was trying to fix.
Legal/Compliance would write disclosures themselves or copy disclosures directly from the law.
Review cycle took too long.
Translation lawyers would fight with professional translators over minor words.
FORMS ARE THE COMPLIANCE PROGRAM’S BEST FRIEND
Blank forms are evidence of a company’s compliance program working.
Forms are scrutinized in regulatory compliance exams.
Forms are requested in investigations and discovery.
Forms are often the only contact a customer will have with a company like Toyota.
Forms are the face of the company to many customers.
Forms were constantly updated to meet legal requirements – about 5% of forms per year at TFS.
Forms can contain field-level validations that make the user fill it out correctly, check for math errors, etc.
Forms can contain form-level validations that prevent the form from being sent if it is not complete (or not compliant).
Well designed forms reduce risk.
Unreviewed, stale and unnecessary forms increase risk.
WHAT WE WILL COVER TODAY…
The Doctor’s Office
Compliance 101
Compliance Failures
Plain Language
Forms Compliance Practices
Examples
Q &amp; A
THE DOCTOR’S OFFICE
THE CLIPBOARD
New Patient Questionnaire (Why?)
Insurance information (On the card)
Privacy Policy (Did I get it?)
Health History (a hundred Yes/No questions)
Communications Consent
Some you are signing in blank
Some obligate you to pay whatever they say regardless of what the insurance company says
IS YOUR HEALTHCARE AS GOOD AS YOUR FORMS?
COMPLIANCE 101
A QUICK INTRODUCTION TO COMPLIANCE AND ETHICS
COMPLIANCE IS THE SECOND LINE OF DEFENSE AGAINST RISK
1st: …customer facing operational management has ownership, responsibility and accountability for directly assessing, controlling and mitigating risks
2nd: …consists of independent risk management, compliance and operational risk functions, including oversight…monitors the implementation of effective risk management practices by operational management and assists the risk owners in reporting adequate risk related information.
3rd: …internal audit, reporting directly to the board. Internal audit reviews and reports on both the first and the second lines of defense.
Source: https://wiki.treasurers.org/wiki/Three_lines_of_defence_model
COMPLIANCE IS…
a system of individuals, processes, and policies and procedures developed to ensure compliance with all applicable federal and state laws, industry regulations, and private contracts governing the actions of the organization.
a living, ongoing process that is part of the fabric of the organization.
a commitment to an ethical way of conducting business and a system for helping individuals to do the right thing.
Education, enforcement, prevention, detection, collaboration
COMPLIANCE IS NOT…
the responsibility of the Compliance Department.
COMPLIANCE’S VALUE PROPOSITION
US Federal Sentencing Guidelines for Organizations
An organization "shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [of its compliance and ethics program] to reduce the risk of criminal conduct identified through this process." (§8B2.1(c))
Risk management elements: Standards and Procedures (Internal Controls), monitoring, auditing, periodic evaluation. (§8B2.1(b)(1), (b)(5))
Regulators: SEC, CFPB, DOL, FTC, HHS OIG
COMPLIANCE’S VALUE PROPOSITION
US Federal Sentencing Guidelines for Organizations
Have a working CMS (Compliance Management System)
Self Disclose
COMPLIANCE’S VALUE PROPOSITION
Reduce Fraud: The Association of Certified Fraud Examiners has determined that the typical company loses 5-6% of its annual revenue to fraud.
Keep people out of jail: Officers and owners who knowingly permitted compliance failures could face jail time.
NINE COMPONENTS OF A CMS
Risk Assessments
Policies & Procedures
Support from the Top
Third Party Management
Training
Testing and Monitoring
Reporting and Investigating
Enforcement
Prevention
RISK ASSESSMENTS
EXTERNAL AND INTERNAL INPUTS
EXTERNAL INPUTS
Trade journals, business press
Legal notices and subscriptions
Enforcement activities and trends
Social Media and marketplace trends
Industry benchmarking and practices
Complaints
INTERNAL INPUTS
Talk to managers and front-line people
Past incidents and investigations
New business operations
Security issues
Internal audit
Changing Incentives
Hotline records
INHERENT VS RESIDUAL RISKS
INHERENT RISK
Risk without any management activity or before controls are in place.
EXAMPLE: Automated Expense Reports cause disbursement of funds based on whatever is reported, instantly.
RESIDUAL RISK
Level of risk that remains after appropriate controls have been put in place.
EXAMPLE: Expense Reports have built-in limits, approval authorities, and validations that must be met before funds are disbursed.
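The field-level and form-level validations described earlier (fill-in checks, math checks, blocking submission of an incomplete or non-compliant form) and the residual-risk controls in this expense report example (limits, approval authorities, validations that must pass before funds are disbursed) can be expressed as one validation routine. The following Python is an added example, not code from the presentation or from TFS; the field names, category list, receipt threshold and approval-authority limits are assumed for illustration, and the two sample reports are constructed.

```python
"""Field-level and form-level validation for an expense report form.

Added example, not from the original presentation. All policy values
below are assumed for illustration; a real expense policy supplies them.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed policy values (hypothetical).
ALLOWED_CATEGORIES = {"travel", "meals", "lodging", "supplies"}
RECEIPT_REQUIRED_ABOVE = Decimal("75.00")
MAX_AMOUNT = Decimal("1000000.00")
# Approval authority: the highest report total each role may approve.
APPROVAL_AUTHORITY = {"manager": Decimal("2500.00"), "director": Decimal("25000.00")}
SAMPLE_TODAY = date(2024, 1, 31)  # fixed "today" so the example is reproducible


@dataclass
class LineItem:
    category: str
    amount: str          # raw text as typed into the field
    receipt_attached: bool


@dataclass
class ExpenseReport:
    employee_id: str
    submitted_on: str    # raw text, expected ISO date
    items: list
    claimed_total: str   # raw text; the total the submitter typed
    approver_role: str


def parse_amount(raw):
    """Field-level check for a money field: returns (Decimal or None, error or None)."""
    try:
        value = Decimal(raw.strip())
    except (InvalidOperation, AttributeError):
        return None, "not a number"
    if not value.is_finite():          # rejects NaN / Infinity, which Decimal accepts
        return None, "not a number"
    if value <= 0:
        return None, "must be greater than zero"
    if value > MAX_AMOUNT:
        return None, "exceeds maximum amount"
    if value != value.quantize(Decimal("0.01")):
        return None, "must have at most two decimal places"
    return value, None


def validate_line_item(index, item):
    """Field-level checks on one line: amount, category, receipt rule."""
    errors = []
    value, err = parse_amount(item.amount)
    if err:
        errors.append(f"item {index} amount: {err}")
    if item.category not in ALLOWED_CATEGORIES:
        errors.append(f"item {index}: category {item.category!r} is not allowed")
    if value is not None and value > RECEIPT_REQUIRED_ABOVE and not item.receipt_attached:
        errors.append(f"item {index}: receipt required over {RECEIPT_REQUIRED_ABOVE}")
    return value, errors


def validate_report(report, today=None):
    """Form-level checks. Returns (errors, computed_total); submit only if errors is empty."""
    today = today or date.today()
    errors = []
    if not report.employee_id.strip():
        errors.append("employee_id is required")
    try:
        if date.fromisoformat(report.submitted_on) > today:
            errors.append("submitted_on cannot be in the future")
    except ValueError:
        errors.append("submitted_on is not a valid ISO date")
    if not report.items:
        errors.append("at least one line item is required")

    total = Decimal("0.00")
    for i, item in enumerate(report.items, start=1):
        value, item_errors = validate_line_item(i, item)
        errors.extend(item_errors)
        if value is not None:
            total += value

    # Math check: the typed total must equal the sum of the line items.
    claimed, err = parse_amount(report.claimed_total)
    if err:
        errors.append(f"claimed_total: {err}")
    elif claimed != total:
        errors.append(f"claimed_total {claimed} does not match line items {total}")

    # Approval authority: the named approver must be allowed to approve this total.
    limit = APPROVAL_AUTHORITY.get(report.approver_role)
    if limit is None:
        errors.append(f"approver_role {report.approver_role!r} has no approval authority")
    elif total > limit:
        errors.append(f"total {total} exceeds {report.approver_role} authority of {limit}")
    return errors, total


def can_submit(report, today=None):
    """The form-level gate: True only when every check passes."""
    return not validate_report(report, today)[0]


# Constructed sample reports (not from the original page).
GOOD_REPORT = ExpenseReport(
    employee_id="E1042", submitted_on="2023-06-15",
    items=[LineItem("travel", "412.30", True), LineItem("meals", "48.50", False)],
    claimed_total="460.80", approver_role="manager",
)
BAD_REPORT = ExpenseReport(
    employee_id="", submitted_on="2023-13-40",
    items=[LineItem("lodging", "3200.00", False), LineItem("gifts", "abc", False)],
    claimed_total="320.00", approver_role="manager",
)

if __name__ == "__main__":
    for name, report in (("good", GOOD_REPORT), ("bad", BAD_REPORT)):
        errors, total = validate_report(report, today=SAMPLE_TODAY)
        print(name, total, errors or "ok")
```

Run as a script, the good report validates with a total of 460.80 and the bad report is blocked with seven findings (missing employee ID, invalid date, missing receipt, non-numeric amount, disallowed category, total mismatch, and a total above the manager's authority). In an electronic form these checks belong on the server that accepts the submission; a copy in the browser improves the user's experience but can be bypassed, so it is not the control.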
SCORE RESIDUAL RISKS ON TWO OR MORE LEVELS
Scope
Impact (Financial, Legal, Reputational)
Likelihood
DEVELOP AN ACTION PLAN
ACTION PLAN
Allocate resources based on Risk Appetite
Implement new or revised Policies & Procedures
Conduct targeted training
Recommend stronger technology controls
Suggest Org Chart changes
Performance Management
DON’T FORGET
The Compliance Department doesn’t implement controls; it recommends, checks, evaluates and reports on the controls put in place by the company.
CMS
Compliance Department oversees the Compliance Management System to track all of this.
POLICIES & PROCEDURES
POLICIES
The rules written by and for the company.
The WHAT
PROCEDURES
The guidelines or steps written by the company in order to support the Policies.
The HOW
CODE OF CONDUCT
Source: https://www.verizon.com/about/our-company/code-conduct
CODE OF CONDUCT TOPICS
Sexual harassment policy
Workplace violence
Employee privacy
Misconduct off the job
Conflicts of interest
Insider trading
Whistleblower/Non-retaliation
Use of company equipment
Company information nondisclosures
Expectations for customer relationships and suppliers
Policy on accepting or giving gifts to customers or clients
Bribes
Relationships with competition
EXECUTIVE MANAGEMENT / TONE FROM THE TOP
[Org chart: CEO; CFO, COO, CIO, General Counsel; CCO; Executive Assistant]
VENDOR MANAGEMENT
TRAINING AND COMMUNICATION
Questions a Compliance Officer asks:
Is it targeted?
Is it measured?
Is it required?
Is it online, in person, of sufficient length and depth?
Does it address the risks?
Is it documented?
Is it current/accurate?
Is it in the language of the audience?
HOTLINE AND NON-RETALIATION
Managed by a third-party?
Non-retaliation statement for good faith reports?
Periodic reports to the Board or Owners?
Timely investigations?
Multiple avenues (phone, email, web form, etc.)?
Language appropriate?
COMPLIANCE FAILURE
PLAIN LANGUAGE
Use a Plain Language Checklist
Get the Checklist approved by Legal, Marketing and Compliance
Write a Corporate Policy for Plain Language
Provide materials to, or hold a class for, other writers in your company
Employ a Plain Language expert to evaluate your company
Resources
http://centerforplainlanguage.org/
https://writing.wisc.edu/Handbook/ClearConciseSentences.html
https://www.michbar.org/generalinfo/plainenglish/home
http://www.plainenglish.co.uk/how-to-write-in-plain-english.html
www.faa.gov/about/initiatives/plain_language/basic_course/
https://www.plainlanguage.gov/
OTHER AREAS FORMS PROS HELP
Was the form approved by all necessary stakeholders?
Do you have the forms translated properly?
What problems does the Audit Department see in our Expense Reports?
Are there prohibited or unfair questions on our Credit Applications or our Employment Applications?
Is the information in the small type more important than the information in the large type?
IN CONCLUSION…
Forms are a reflection of the company or government agency.
Compliance is increasingly important and forms play a role.
As a Forms Professional you have an opportunity to impact compliance.
FORMS AS COMPLIANCE CONTROLS
IMPROVE COMPANY COMPLIANCE USING FORMS
Q&amp;A