LCBS Presentation Conf 08-06
Transcript of LCBS Presentation Conf 08-06
-
8/10/2019 LCBS Presentation Conf 08-06
1/49
Lean Compliance Management
How to measure compliance management effectiveness in quantitative terms and make it achievable for any business organization
Alessandro Celuzza, Moscow, 2014-06-10
-
Summary - Key topics of the presentation
Introduction: purpose of the presentation and sources of the model
The contents of Lean Compliance: a new synthesis of management tools already known in the business world
The quantitative approach to compliance management: introduction to the theoretical basis of the model and to quantitative measurement
How to put Lean Management into practice: suggestions to make it work to increase the resilience of your organization in a profitable way
-
Introduction: purpose of the presentation and sources of the model
-
Introduction
Let's start from a question:
Is it possible to define a methodology to make a company's business profitable, making compliance measurable in quantitative terms, evaluating and reducing the impact of incidents on business continuity, and reducing the risks of losses and costs?
-
Introduction
The search for a business solution to answer the previous question led to the proposal of a new management model which synthesizes some powerful tools already well known in the business world:
- compliance management system
- six sigma
- lean management
-
Introduction
The purpose of this presentation is to depict a methodology, available to every kind of organization, which can be put into practice with achievable investments and is aimed at realizing the following results:
- total compliance with regulations and laws
- robustness to accidental events and disruptive incidents, and assurance of business continuity
- excellent, world class results
- efficiency of the management system
-
Introduction
The presentation refers to the following sources:
- ISO/DIS 19600, about compliance management systems
- ISO 31000 and ISO 22301, about risk assessment and business continuity management
- six sigma breakthrough strategy
- lean management literature
Any contribution to the improvement of the model will be appreciated.
-
The contents of Lean Compliance: ISO/DIS 19600 and its relation with other standards
-
Compliance Management System: ISO/DIS 19600
-
Compliance Management System
Compliance is one of the main issues for every kind of organization, regardless of its size, type of products, applied technologies and target markets, and for every kind of business.
-
Compliance Management System
One of the solutions which companies are provided with, to prevent the consequences of noncompliance, is the effective application of a Compliance Management System (CMS).
-
Compliance Management System
A CMS is aimed to:
- enable the organization to manage effectively both the internal and the external risks associated with any regulatory compliance
- help to mitigate liabilities and to protect the good reputation of the company and the trust of the market
-
Compliance Management System
Is it possible to provide organizations with a simple, reliable and easy to use compliance management system?
For this purpose, ISO is going to provide the market with a new standard: ISO/DIS 19600, compliance management system guidelines.
-
Compliance Management System
ISO delivered the ISO/DIS 19600 standard, whose purpose is to provide organizations with guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system.
-
Compliance Management System
ISO/DIS 19600 is still in draft status, but it can already be considered in the light of its potential to become an international standard, so it's useful for companies and for any other interested parties to be familiar with the model provided by ISO.
ISO/DIS 19600 provides us with the definitions of compliance and compliance obligation (see ISO/DIS 19600, 3.24 and 3.31):
Meeting all the organization's requirements that the same organization has to, or chooses to, comply with.
-
Compliance Management System
The definition provided by ISO/DIS 19600 implies that compliance is an outcome of an organization meeting its obligations, and that the commitment to compliance implies that the organization is supposed to be compliant with:
- all the laws and regulations applicable to and having an impact on its business
- all the contractual requirements agreed with its clients and other interested parties
- all the requirements chosen on a voluntary basis, according to the company's policies.
-
Compliance Management System
The CMS Guideline ISO/DIS 19600 is articulated in 10 chapters, according to the new structure stated in the ISO directives, and is based upon the continual improvement principle (PDCA).
According to the PDCA methodology, the Compliance Management System includes the following phases:
-
Compliance Management System
The key starting point is the understanding of the context in which the organization operates.
It includes the determination of internal and external compliance risks.
In doing so, the organization needs to take into consideration a broad range of external and internal aspects, i.e.: regulatory, social and cultural contexts, economic situation, internal policies and resources.
-
Compliance, risk assessment and business continuity management: ISO Guide 73, ISO 31000 and ISO 22301
-
Compliance and risk management
The guidelines included in ISO/DIS 19600 can be effectively integrated with ISO 31000 and ISO 22301 to set up a compliance management system able to give the organization robustness to potential disruptive events.
-
ISO 31000, Risk management - Principles and guidelines
Provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.
-
Compliance and risk management
Business organizations need to evaluate in quantitative terms the consequences of breaching one or more of:
- the laws and regulations applicable to and having an impact on their business
- the contractual requirements agreed with their clients and other interested parties
- the requirements chosen on a voluntary basis, according to the company's policies.
-
Compliance and business continuity
ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise.
-
Compliance and business continuity
ISO 22301 is the first international standard to be fully compliant with the new guidelines from ISO/Guide 83 (High level structure and identical text for management system standards and common core management system terms and definitions).
ISO 22301 is the first standard to fully integrate a high-level structure and common text that will make it totally aligned with all other management systems once the related standards have also adopted the ISO Guide 83 guidelines.
According to the PDCA methodology, the BCMS according to ISO 22301 includes the following phases:
-
Compliance and business continuity
ISO 22301 - The PDCA model applied to BCMS processes
-
Compliance and business continuity
ISO 22301 applies to all types and sizes of organizations that wish to:
- establish, implement, maintain and improve a BCMS
- assure conformity with the organization's stated business continuity policy
- demonstrate conformity to others
- seek certification/registration of their BCMS by an accredited third party certification body
- make a self-determination and self-declaration of conformity with this International Standard.
-
The quantitative approach to compliance management: the theoretical basis of the model
-
The theoretical basis of the model
"When you can measure what you are speaking about and express it in numbers, you know something about it, but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind."
Lord Kelvin (1824-1907)
-
The theoretical basis of the model
We know what we can measure and express in numbers and in quantitative terms.
If we don't measure something, we cannot control it, so we accept being at the mercy of chance.
So the main question is:
Can we accept the risk of being at the mercy of chance when we manage a business organization?
-
The theoretical basis of the model
According to the theoretical basis that we just pointed out, we need to measure the risks of noncompliance and express them in quantitative terms if we want to know them.
If we don't know them, we cannot control them.
If we don't control the risks, it means that we accept being at the mercy of chance.
-
The theoretical basis of the model
If we really don't accept the risk of being at the mercy of chance, and we want to master the processes of our business organization, we need information in terms of facts and figures.
-
The theoretical basis of the model
The acceptance of the risk of noncompliance should be related to the effective consequences of the negative event.
(ISO Guide 73)
-
The theoretical basis of the model
We need information that is:
- clean, free from prejudice, not affected by the people who collected it; in other words, we need representative information
- sufficiently numerous, so as not to be affected by errors during sampling; in other words, we need significant information
-
The theoretical basis of the model
Whatever the process we need to measure in order to put it under control, we need to get some quantitative information related to it, so we need to define:
1. The process and its variables
2. The questions we want to answer
3. The variables which are related to the questions
4. The sampling strategy (how to collect representative data)
5. The sampling budget (how many samples we can collect to make the sample significant)
-
Six sigma: the breakthrough strategy applied to the CMS
-
Six sigma and compliance management
The six sigma breakthrough strategy is based on five interconnected phases: D.M.A.I.C.
- DEFINE: identify the Critical to Quality (CTQ) characteristics of products/processes and the best in class performances to benchmark
- MEASURE: determine the process baseline, i.e. where we are in terms of process capability
- ANALYSE: discover the causes of the gap between the actual performance and the benchmark
- IMPROVE: improvement projects to reduce the gap and reach the best in class performance
- CONTROL: consolidation of the results and continuous improvement
-
Six sigma and compliance management
We can extend the six sigma definitions to the Compliance Management System: CTQ becomes CTC.
We define the Critical to Compliance characteristics as the subset of the business processes which could have a critical impact on the organization's requirements that the same organization has to, or chooses to, comply with.
-
Six sigma and compliance management
CTC = Critical to Compliance characteristics
- Compliance Related processes: the set of business processes which affect any of the Compliance Requirements
- CTC: the subset of business processes which affect critical compliance requirements (e.g. laws, regulations, contracts, other critical requirements)
-
Six sigma and compliance management
Business organizations should identify and define their CTCs with reference to the criticality of the consequences of noncompliances, e.g.: civil or criminal charges, big fines, loss of reputation, loss of contracts with the most important clients, loss of market share, bad reputation.
For such critical variables, the six-sigma long term performance to be assumed as a benchmark is:
Number of noncompliances
-
Six sigma and compliance management
With reference to CTCs, organizations cannot wait for the noncompliance to happen, because the consequences could be disruptive for the business.
The suggestion is to:
- select the key CTCs which are really critical according to the Risk Assessment and the Business Impact Analysis
- plan adequate stress tests to simulate noncompliances related to the key CTCs
- perform the stress tests and review the results expressed in quantitative terms (DPMO)
- improve the Business Continuity Plan and Procedures according to the review of the stress test results.
-
Lean Compliance Management: how to make the CMS efficient, avoiding any waste of resources
-
Lean compliance management
The core idea of Lean Management is to maximize the value for interested parties (shareholders, stakeholders, clients, workers, etc.) while minimizing waste. Lean management means creating more value without waste of resources.
A lean organization understands value for interested parties and focuses its key processes to continuously increase it.
The ultimate goal is to provide perfect value to each interested party, through a perfect value creation process that has zero waste.
-
Lean compliance management
The 5 tools of lean compliance management:
- SORT (Seiri): select only the key CTCs and do not pay the same attention to non-critical variables. Do not waste time and resources.
- SYSTEMIZE (Seiton): act in a systematic way and store the information related to key CTCs in the right place, protecting it.
- SHINE (Seiso): keep all the information in perfect order.
- STANDARDIZE (Seiketsu): identify best practices and define procedures to keep the key CTCs under control.
- SUSTAIN (Shitsuke): spread and share the attention to compliance throughout the whole organization.
-
Lean compliance management
How to put the Lean CMS into practice:
1. identify and define CTCs (critical to compliance variables) according to the Business Impact Analysis and the Risk Assessment
2. define a metric to express each CTC in terms of DPMO
3. measure actual performance (process baseline) for each CTC
4. analyze the causes of the gap between actual performance and six-sigma compliance
5. improve performance with an action plan to raise it to six sigma, and monitor the results
6. keep the new performance of the CTQ under control in a 5S organizational environment
7. plan and perform stress tests to simulate the effectiveness of the CMS
8. review and share the results of the stress tests and continuously improve the CMS procedures
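As an added example, not part of the presentation, the following Python code works through steps 2 to 4 of the procedure above: it expresses each CTC as DPMO from a sample of process executions, converts the DPMO into a long-term sigma level, and reports the gap to the six-sigma benchmark so the CTCs with the largest gap can be prioritized for improvement. The CTC names and the counts are constructed for the example; the benchmark of 3.4 DPMO is the standard six-sigma long-term value (4.5 sigma plus the conventional 1.5-sigma shift), used here as an assumption because the slide that stated the figure is not in this transcript.

```python
from statistics import NormalDist

# Constructed sample (hypothetical CTC names and counts, not from the presentation):
# for each CTC, the process executions sampled, the noncompliance opportunities
# per execution, and the noncompliances actually found in the sample.
SAMPLE = {
    "privacy_consent_recorded": {"units": 20_000, "opportunities": 1, "defects": 2},
    "supplier_contract_sla": {"units": 5_000, "opportunities": 3, "defects": 12},
    "tax_filing_deadline": {"units": 1_000_000, "opportunities": 1, "defects": 3},
    "access_review_completed": {"units": 100_000, "opportunities": 1, "defects": 0},
}

# Assumption: standard six-sigma long-term benchmark of 3.4 DPMO, i.e. a
# 4.5-sigma yield plus the conventional 1.5-sigma long-term shift.
SIX_SIGMA_DPMO = 3.4
SIGMA_SHIFT = 1.5


def dpmo(defects: int, units: int, opportunities: int) -> float:
    """Defects per million opportunities (step 2: the metric for one CTC)."""
    if units <= 0 or opportunities <= 0:
        raise ValueError("units and opportunities must be positive")
    if defects < 0 or defects > units * opportunities:
        raise ValueError("defects must lie in [0, units * opportunities]")
    return defects * 1_000_000 / (units * opportunities)


def sigma_level(dpmo_value: float, shift: float = SIGMA_SHIFT) -> float:
    """Long-term sigma level for a given DPMO.

    The yield (1 - DPMO/1e6) is mapped through the inverse normal CDF and the
    shift is added, so 3.4 DPMO comes out at about 6.0.  A defect-free sample
    gives no finite upper bound on capability, so it returns +inf; a sample
    where every opportunity failed returns -inf instead of raising.
    """
    if dpmo_value <= 0:
        return float("inf")
    if dpmo_value >= 1_000_000:
        return float("-inf")
    yield_fraction = 1.0 - dpmo_value / 1_000_000
    return NormalDist().inv_cdf(yield_fraction) + shift


def gap_report(sample: dict, benchmark: float = SIX_SIGMA_DPMO) -> dict:
    """Steps 3 and 4: baseline per CTC and its gap to the six-sigma benchmark."""
    report = {}
    for name, s in sample.items():
        d = dpmo(s["defects"], s["units"], s["opportunities"])
        report[name] = {
            "dpmo": d,
            "sigma": sigma_level(d),
            "gap_dpmo": max(0.0, d - benchmark),
            "meets_benchmark": d <= benchmark,
        }
    return report


def priority_order(report: dict) -> list:
    """CTC names ordered by gap, largest first: where improvement effort goes."""
    return sorted(report, key=lambda n: report[n]["gap_dpmo"], reverse=True)


if __name__ == "__main__":
    rep = gap_report(SAMPLE)
    for name in priority_order(rep):
        r = rep[name]
        status = "OK " if r["meets_benchmark"] else "GAP"
        print(f"{status} {name:26s} DPMO={r['dpmo']:8.1f} "
              f"sigma={r['sigma']:.2f} gap={r['gap_dpmo']:.1f}")
```

Note that a DPMO of zero in a finite sample only means no noncompliance was observed, not that the process is at six sigma; the sampling budget from the earlier slide decides how much such a result is worth, which is why the code reports an unbounded sigma level rather than a number in that case.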
-
Alessandro Celuzza
Managing Director, The Skyline Project Srl, Milan, Italy