9/20/2013

1

CCS PowerPoint Template Version 2-0

Public - Slide 1

Tuesday, October 8 2013 1:30 – 2:30pm

SCCE - Compliance and Ethics Institute 2013 607 – Outsourcing Compliance –

yes it can be done!

Janet Himmelreich, CCEP BT Head of Client Compliance Services (CCS)

Steve Kilmister BT CCS Operations and Assurance Director

Public - Slide 2

A little about today’s session

• About how to outsource your

Compliance Department

• Or how to transfer compliance

requirements from your

organization to another

• An endorsement of outsourcing

for all organizations

It is not

• About how to integrate your

compliance requirements into

your relationship with your

vendors

• How to be sure compliance,

ethics, quality and security

governance requirements are

included in the relationship –

preferably from the start!

It is

Outsourcing Compliance – Yes it can be done! What it is and what it is not

9/20/2013

2

Public - Slide 3

Agenda

•Module 1 – The Compliance Conundrum

•Module 2 – Internal Controls and Assurance

•Module 3 – The Quality Management System

•Closing Thoughts

•Questions and Answers

•Additional Information

Public - Slide 4

The Compliance Conundrum

Module 1

9/20/2013

3

Public - Slide 5

The Compliance Conundrum

GxP

Bribery -

FCPA SFO

Proceeds of

Crime Act

Increasing worldwide regulations across all industries and a heightened focus

on the enforcement of their requirements, combined with pressure to reduce

costs in line with challenging economic conditions.

Public - Slide 6

The Compliance Conundrum Continued

The Outsourcing Handbook; Kogan Page, Ltd 2006

“No matter what industry you are in,

you need to look at key attributes

when evaluating an outsourcing

vendor. First, you need to know that

the vendor can meet compliance

standards for your industry.”

What can you, as a Compliance and Ethics Professional do to influence the

decisions and address the conundrum? Your goal is to meet the business

imperatives while ensuring the compliance requirements are met.

“The enormous pressure to improve shareholder value often results in a strategic

business decision to outsource, however, managers must look…

…beyond rudimentary cost calculations focused on short-term profit, such as the

cost of labour or the ex-factory cost and incorporate the total cost and risk of

extended international supply chains.”

The Boeing Debacle - Forbes Website 2013

“Government regulations will continue

to be enforced and companies will

need to adapt and find better, more

efficient ways to handle compliance,

legal and financial risk.”

IAOP Top 10 Outsourcing Trends for 2013

9/20/2013

4

Public - Slide 7

A few key concepts

•Outsource

•Sourcing - the act of transferring work from one entity to another

•Out – the act of transferring the work to an external party

Always three parts to any outsourcing initiative:

•Client – organization transferring the work

•Vendor – strategic partner, supplier or service provider – the

organization that conducts the work and in the case of a complex

endeavor, the party that makes the decision to implement and provide the

service transferred

•Program or Project – the well defined scope of work – whether a small

consulting job or a completely outsourced research & development

department – that will be implemented by the vendor, monitored by the

client and mutually governed

Public - Slide 8

Can you outsource and still meet YOUR requirements?

It depends on what, exactly, you are going to outsource

• Understand the strategic business case

• Make sure you are part of the evaluation team – from the beginning

• If the function being considered impacts your regulatory compliance

requirements, then the competence of the suppliers being considered as

well as a formal written agreement must be in place – the EU data privacy

and protection requirements are an example

What are the key drivers?

• Core business functions that are well-known and understood – e.g. payroll

and some HR functions

• Non-core functions that can be obtained more cheaply and efficiently from

well known sources –e.g. manufacturing processes

• Key business functions that if outsourced, will enable cost, efficiency,

agility and innovation capabilities that allow the organization to focus more

resources on strategic initiatives

In our experience, Compliance, Quality and Security Governance teams are too

often not consulted at all or are consulted very late in the outsourcing life cycle.

9/20/2013

5

Public - Slide 9

Outsourcing Requirements

•Should always be gathered by the client from all the stakeholders

• Including core compliance, security and quality principals!

•Large outsourced agreements are often driven by the C-level and

managed by Procurement

•Procurement tends to focus on costs, service level agreements, and

typical Terms and Conditions, billing terms, taxation and data privacy

•Frequently at the very end of protracted negotiations, Legal review can

then introduce Quality, Compliance and Security items – resulting in

additional requirements that were not accounted for in either party’s

business case

Public - Slide 10

Success Factors for Strategic Partnerships

•The Client must embrace change

•Different ways of working, different cultures and ethnicities

•Good negotiating and relationship building

•5% inspiration and 95% perspiration

•It is hard work, requiring commitment and transparency

Ten common traps of outsourcing*

1. Lack of management commitment

2. Minimal knowledge of outsourcing methodologies

3. Lack of an outsourcing communications plan

4. Failure to recognize outsourcing business risks

5. Failure to tap into external sources of knowledge

6. Not dedicating the best and brightest internal resources

7. Rushing through the initiative

8. Not appreciating cultural differences [people & companies]

9. Minimizing what it will take to make the vendor productive

10. Poor relationship management programs

*Based on Power, Bonifazi and Desouza (2004)

9/20/2013

6

Public - Slide 11

When things tend to go wrong

•Limiting the scope of the business case

•Comparing the cost of a resource in the US or UK to a similar role in a

low cost economy

• Improving shareholder value without a full understanding of the total cost

and implications

•Basing the outsourcing decision on limited past experience or on the

recommendations of others without a complete life cycle management

approach to the evaluation:

1. strategic assessment

2. needs analysis

3. vendor assessment

4. negotiation and contract management

5. project initiation and transition

6. relationship management

7. continuance, modification or exit strategies

A dedicated team with

Executive level involvement

is the proven way to avoid

problems; it is this team

which you should be part of

from the start.

Public - Slide 12

How to avoid things going wrong

•Contract properly

• Identify ALL requirements upfront

• Institute a partnership governance model early on that includes the

C-levels of both the client and the vendor, in addition to an on-going

basis

•Do not get rid of all your internal knowledge and expertise – you still

need to manage the vendor and assure the work being done meets

your requirements

•Be clear and specific about those requirements – including those

policies and processes that the vendor must follow

•Require cohesive oversight and quality control in a multi-vendor

environment

•Assure audit and monitoring is part of the solution that is developed

by the vendor

• Include a Quality Management System* (QMS) in your agreement

*Discussed further in Module 3

9/20/2013

7

Public - Slide 13

Key takeaways from Module 1

1. Complex and key components that are outsourced from a client require

a strategic partnership with well-defined governance

2. The contract must be clear as to what frames or underpins the

responsibility and decision making of the vendor

3. Any policies and processes the vendor needs to comply with should be

identified and made available as soon as possible in order to maintain

a transparent and fair relationship

4. Ensure the vendor clearly understands the compliance requirements,

and can specifically demonstrate (evidence, not words) their ability to

meet these

5. Make sure you have a seat at the table right from the beginning – don’t

let your compliance and regulatory or security requirements be “thrown

in” at the very end – it can derail negotiations, damage both party’s

business cases and potentially damage the trust that is required

between the partners.

Public - Slide 14

Internal Controls & Assurance

Module 2

9/20/2013

8

Public - Slide 15

Internal Control

• Most widely accepted definition is by COSO* (Committee of Sponsoring

Organisations of the Treadway Commission):

• Internal control as a process, affected by an entity's board of directors, management and

other personnel, designed to provide "reasonable assurance" regarding the achievement of

objectives in the following categories:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable global or local laws and regulations

Safeguarding of Assets

• The COSO framework involves several key concepts:

• Internal control is a process. It is a means to an end, not an end in itself.

• Internal control is affected by people. It's not merely policy, manuals, and forms, but people

at every level of an organization.

• Internal control can be expected to provide only reasonable assurance, not absolute

assurance, to an entity's management and board.

• Internal control is geared to the achievement of objectives in one or more separate but

overlapping categories.

* Institute of Management Accountants (IMA), the American Accounting Association (AAA), the American Institute of Certified Public Accoun tants (AICPA), the

Institute of Internal Auditors (IIA) and Financial Executives International (FEI).

Public - Slide 16

The Importance of Internal Controls During Outsourcing

•A detailed understanding of your internal control landscape will ensure

you know what you are asking your vendor to deliver

•Decide the extent to which “how” your vendors deliver is important

•Defining how the vendors must satisfy the requirements will create

consistency across vendors and likely reduce the internal costs of

managing the vendors.

•However, this will increase the costs to the vendors and reduce their

ability to leverage “standard” services, thus increasing their overall

pricing.

•Using a recognized industry standard to map controls between

organizations can help leverage third-party assurance activities as an

additional monitoring mechanism on vendor performance

9/20/2013

9

Public - Slide 17

Control Mapping

Vendor

Contract

Client

Control

Framework

In-scope

Controls

External

Control

Framework

Vendor

Control

Framework

What should be mapped is not just

the control Wording but the control

Objective.

Public - Slide 18

The Three Lines of Defense During Outsourcing

Management

Oversight

• The marketplace is

turning to ‘Quality’ to

ensure and demonstrate

compliance

• Be clear how you will

assure the services

provided meet your

compliance requirements

• Using vendor assurance

mechanisms can be very

cost effective

• Trust must be built over

time

9/20/2013

10

Public - Slide 19

Assurance during Outsourcing

Time

Assu

ran

ce

BAU* BAU BAU

Vendor

Vendor

Vendor

Client &

External

Review

Client &

External

Review

Client &

External

Review

Trust but

verify

*Business as Usual

Public - Slide 20

Key takeaways from Module 2

1. Internal control is a process that involves people, not just a series of

policies

2. Know your internal control landscape before your outsourcing

requirements are defined

3. Using an industry standard control framework can help to bring the

control frameworks of the client and vendor together

4. The intent behind the controls is all important

5. Be sure how you will assure vendor performance against your

compliance requirements. Ensure these are contractual obligations.

6. Consider transitioning to vendor assurance mechanisms to leverage

cost efficiencies as trust develops over time.

Internal controls should form the basis of your Quality Management System

(QMS) which will be covered further in Module 3.

9/20/2013

11

Public - Slide 21

The Quality Management System J&S Case Study*

Module 3

*Based on real client experiences

Public - Slide 22

The Quality Management System

People

Process

Systems

What it is

Systems and tools are standardized and fit for purpose

Underlying infrastructure subject to appropriate level of control

Systems and tools catalogued in an inventory management system

Processes follow quality policies and good documentation practices

Processes are clear, precise, consistent and repeatable

Underpinned by robust change management including approvals, plans and risk

assessments

Element

Knowledgeable of specific industry requirements & compliance requirements

Can demonstrate qualifications to conduct each and every task they perform via

training, background and experience

Perform each and every task that is in an SOP or WI as required - with evidence

9/20/2013

12

Public - Slide 23

J.S. Inc.

I’m Steve

Kilmister, COO for

J.S. Inc. …

• Need to keep non-core spending flat;

goal is to enable our pipeline to

mature and revenue grow from a new

product launch

• We agreed the area of the business

where we can achieve cost savings

AND improve our internal operations

to gain efficiencies is in our IT

Department

• The dilemma is how to create an

‘agile’ strategy to support the

explosive growth in BYOD and need

for security of our IP?

• These represent parallel and

conflicting demands upon an IT team

that we have constrained to a fixed

budget

Challenges

• A blue-chip US-based company operating in 70

countries worldwide, across 250+ locations; the

CEO has asked the management team to consider

outsourcing to lower costs

J.S. Corporate Profile

• Cut costs but not quality and ensure

ability to budget going forward

• Responsiveness to needs of the

business by access to a breadth of

skills and resources globally –

consistent framework put in place

• Centralized management including

program and project management to

ensure the solution is within budget

but is also accessible

• Greatly improve the speed and the

security of our IT infrastructure to

“best in class”

• Technology roadmaps as part of a

governance process

Intended Benefits

• Outsource the management of

existing IT services and all suppliers

to a single supplier/vendor

• Migrate technical people and

equipment assets to a qualified

service provider who takes

‘ownership’ - has decision making

authority

• Require a standardized infrastructure

all over the world so that anyone in

the company can work anywhere and

it will be fast and efficient

• Measure performance and define

SLAs to business needs via a

contract – thus, we need an RFP and

a team to solicit the right vendor

Solution

Public - Slide 24

J.S. Inc.

• Compliance has also been

challenged to reduce costs

• Local processes not aligned to

corporate compliance strategy

• Senior management “talking the

talk” not “walking the walk”

• Inconsistent systems and tools

• Adherence to processes still

inconsistent

• Training people around the world

in local language is expensive and

time consuming

Challenges

• We’ve been struggling to maintain compliance in

light of internal restructuring, reducing budgets and

increasing scrutiny by regulators.

J.S. Compliance Profile

• Fiduciary responsibility to the

board

• Fines & Penalties

• Brand and reputational Impacts

• Increased costs through required

remediation actions

• Speed and agility at the cost of

quality and control

• Unending Audit Cycles

In light of all of the this how could

we ever consider outsourcing?

Consequences

• Compliance and ethics code of

conduct

• Anti-bribery and corruption

(training not sticking again!)

• Sarbanes-Oxley

• Industry specific Health and Safety

• Governmental Reporting

• Data Protection and Privacy

• If it wasn’t documented, it wasn’t

done!

• Enforcement has really been

stepped up since the UK Anti-

bribery Act

Regulatory Imperatives

I’m Janet

Himmelreich, Chief

Compliance Officer

for J.S. Inc. …

9/20/2013

13

Public - Slide 25

J.S. Inc.

The “CEO” of J.S.

Inc.

• We have to give a plan to the board that explains

how we are going to demonstrate $xM worth of

savings by FY 2015/16 – SO YOU BETTER GET

YOUR ACTS TOGETHER OR - YOU’RE FIRED!

J.S. CEO/CIO Statement to the COO & CCO

The way forward… • A person from the Compliance team will be a member

of the outsourcing steering committee

• Compliance, Quality and Security requirements

provided early to procurement

• Procurement will only use recognized vendors in our

field

• Client and Vendor business cases will be aligned

• Assure a strategic partnership with vendor

• Know how the vendor will meet the compliance

requirements

• Ensure Legal interests are represented and consistent

• We will maintain internal monitoring and

assurance

Public - Slide 26

Deliv

ery

Partn

er D

eliv

ery

Part

ner

Vendor

Compliance Requirements Flow Down

Contract

Client Organization

Regulator Note:

In the majority of cases

there will be no direct

link from the client’s

regulator to the vendor.

Therefore, it is

essential that the flow

of compliance

requirements is

maintained by use of

contractual terms and

conditions.

9/20/2013

14

Public - Slide 27

Translating contract requirements

•A contract between strategic partners must be a living, breathing

agreement

•Frames the specific requirements

•Defines commercial agreement including service level agreements (SLA)

•Specifies the standards, policies and procedures that must be followed

•Specify governance, reporting, and “T’s and C’s”

•How does the client then share the regulatory compliance requirements?

•Shared QMS – Quality Management System

•A modular QMS allows the partners to share, monitor and measure the

effectiveness and the ability to demonstrate compliance

People Process Systems

Public - Slide 28

Creating a modular Quality Management System (QMS)

1. Client maintains overall responsibility for the QMS and

accountability to the regulator, BUT elements (“modules”) can be

managed individually

2. The contract will specify the applicable QMS modules for which the

vendor is responsible

3. Those modules must be documented and mutually agreed

4. Client and Vendor personnel must be trained on the appropriate QMS

modules

5. The entire QMS must be maintained under robust change control

9/20/2013

15

Public - Slide 29

Key takeaways from Module 3

1. A QMS incorporates People, Processes and Systems

2. When considering outsourcing, a QMS should be modular to allow

responsibility to be delegated to the vendor

3. Overall QMS accountability always remains with the client

4. Don’t assume that your regulatory responsibilities will be shared by

your vendor

5. The contract should be the mechanism by which the client’s regulatory

requirements are delegated to the vendor

6. The QMS should include evidence of vendor performance to

compliance requirements

7. Compliance can be outsourced with the right approach!

Public - Slide 30

Closing

Thoughts

9/20/2013

16

Public - Slide 31

When outsourcing goes wrong, it can really go wrong…

Lack of vendor accountability for meeting compliance requirements

can lead to catastrophic failures

•Increased regulatory scrutiny

•Brand and reputational damage

•Financial penalties

•Commercial sanctions

•Destruction of assets

•Environmental impacts

•Severe detriment to market position

•Impaired ability to continue as a ‘going concern’

•Loss of Life

Prevention is the best medicine

Public - Slide 32

…but if you get it right, there are many benefits

•Enables the whole business to achieve objectives

•Commercial “wins” for both client and vendor

• Increased knowledge base and access to subject matter expertise

•Flexible / scalable delivery of services

• Increased visibility and transparency

•Reduced risk of outsourcing

•Maintained or improved quality results

•Consistency through the use of your vendor as an ‘agent of change’

•Reduced assurance overheads

…yes it can be done!

9/20/2013

17

Public - Slide 33

Closing thoughts

1. Get a seat at the table – EARLY

2. Select a vendor with a proven track record of satisfying

compliance requirements for other similar clients

3. Don’t lose all of your compliance subject matter expertise – it’s

still YOUR risk

4. Ensure your compliance requirements are included within any

contract – don’t assume

5. Consider your vendor an extension of your control environment

6. Provide your vendor a framework – avoid micromanagement

7. Monitor from the outset – express any contractual rights to audit

Public - Slide 34

and Answers

Questions

9/20/2013

18

Public - Slide 35

Contact Details

Janet K Himmelreich

BT Global Services

Client Compliance Services Centre of Excellence

Head

Email: janet.k.himmelreich@bt.com

Steve J Kilmister

BT Global Services

Client Compliance Services Centre of Excellence

Operations and Assurance Director

Email: steve.kilmister@bt.com

Public - Slide 36

Materials

Additional

9/20/2013

19

Public - Slide 37

Biography

Janet Himmelreich, CCEP Head, Client Compliance Services

Centre of Excellence - BT Global Services

Janet K. Himmelreich leads the BT Global Services Client Compliance Services Centre of Excellence. BT is a UK based global

telecommunications service provider currently providing services to some 8,500 global organisations and the majority of the

Forbes top 500 global companies. Janet joined BT in 2005 as Chief Compliance Officer dedicated to the first Pharmaceutical

customer that contracted with BT to manage its entire network and telecommunications enterprise including contractual

regulatory compliance obligations that are shared with the customer. Since 2005, the team that provides these services has

increased to over 30 professionals’ worldwide and provides services to customers around the world.

Janet is a well regarded expert in the delivery of compliant services drawing on more than 25 years of consulting experience in

the healthcare field prior to joining BT. As a Subject Matter Expert in physician billing, fraud and abuse, Medicare and Medicaid

regulations, integrated healthcare delivery systems and HIPAA compliance in health systems and health plans, she served as

an expert witness and provided Independent Audit services to healthcare entities as well as the US Department of Health and

Human Services.

In addition to her leadership role for the CCS CoE, Janet serves in a governance role for several of the large customer contracts

with compliance obligations. This role is part of the executive leadership for several customer contracts. She also leads the

team that has developed the approach and method used for BT’s innovative and market leading proposition known as BT for

Life Sciences R&D Compute and the specific proposition that provides a compliance “wrap” to the standard services known as

“Conform.”

Her educational background combines a BA, MA and MBA with a certification through the Society of Corporate Compliance and

Ethics as a Certified Compliance and Ethics Professional. Within BT she is a member of the Data Protection Forum, the

Programme Control Board for BT for Life Sciences and is a key participant in the COO Team for BT Global Services’ vertical

known as Global Commerce. In her role she is responsible for business development, innovation as well as delivery of

contracted services for heavily regulated industries.

Public - Slide 38

Steve Kilmister Operations and Assurance Director

BT Global Services

Biography

Steve Kilmister currently serves as the Operations and Assurance Director for the BT Global

Services Client Compliance Services Centre of Excellence. BT is a UK based global

telecommunications service provider currently providing services to some 8,500 global

organisations and the majority of the Forbes top 500 global companies.

Steve has over 10 years of experience developing and delivering internal assurance

programmes in partnership with leadership teams, business management and operations teams

and has over 7 years of experience in providing internal and external assurance over the

compliance programmes that BT operates for its clients operating in heavily regulated

industries. He is responsible for designing and implementing the Quality Management System

Assurance function within the Client Compliance Services Centre of Excellence and is

accountable for internal quality assurance, audit management and facilitation, quality

monitoring, continuous improvement and security governance.

Steve’s is a respected leader, manager and subject matter expert recognised by clients and

peers alike for his passion for assurance, compliance and ethics. He believes in the ability to

manage the business risk of compliance though business as usual commitment to quality.

9/20/2013

20

Public - Slide 39

Sources Consulted

The Outsourcing Handbook: How to Implement a Successful Outsourcing Process

Mark Power, Carlo Bonifazi, Kevin C. Desouza, (2006) Kogan Page

“The ten outsourcing traps to avoid”

Mark Power, Carlo Bonifazi, Kevin C. Desouza, (2004) Journal of Business Strategy, Vol. 25 Iss: 2

“The Boeing Debacle: Seven Lessons Every CEO Must Learn”

Steve Denning, http://www.forbes.com/sites/stevedenning/2013/01/17/the-boeing-debacle-seven-lessons-

every-ceo-must-learn/

“Outsourcing - Right or Wrong? 9 Key Questions”

Adam Hartung, http://www.forbes.com/sites/adamhartung/2010/09/30/outsourcing-right-or-wrong-9-key-

questions/

“Outsourcing Ins And Outs”

Ed Sperling, http://www.forbes.com/2008/08/10/cio-doerr-savvis-tech-cio-cx_es_0811doerr.html

COSO

http://www.coso.org/

bt.com/globalservices