The Compliance Model: A Framework for All Things Compliance. Jana Utter, Director Corporate Compliance & Risk Management, jutter@midwestiso.org.




The Compliance Model: A Framework for All Things Compliance. Jana Utter, Director Corporate Compliance & Risk Management, jutter@midwestiso.org.

Disclaimer: The information contained in this presentation is general in nature and applicable to the Midwest ISO's situation as a regional transmission organization and registered entity subject to certain NERC and RE reliability standards. Any information or examples provided herein should not be interpreted as repeatable or applicable validation of compliance by the auditing entities for other utilities.

What are we going to discuss?
Brief Overview of Midwest ISO.
Governance, Risk, and Compliance: GRC as a business function; GRC as a system.
A Framework for All Things Compliance: The Compliance Model; The Compliance Platform.

Midwest ISO Overview
Supports the reliable delivery of electricity in 13 U.S. states and the Canadian Province of Manitoba. Headquartered in Carmel, Indiana, with operations centers in Carmel and St. Paul, Minnesota. Approximately $24 billion per year settled in energy markets. 350 market participants serving 40+ million people. (Map: Midwest ISO Reliability Coordination Area.)

Governance, Risk, Compliance: A Set of Business Functions. (Diagram.)

Process-Driven Compliance. Governance, Risk, Compliance: A Set of Systems Supporting Compliance. (Diagram.)

A Framework for All Things Compliance: The Compliance Model.

Compliance Scope. (Diagram.)

The Compliance Model: Compliance Model Implementation (CMI) provides additional assurance of compliance and systems to support efficient and effective management of compliance activities.

The Compliance Model Database. (Diagram.)

The Compliance Model: Interface with Business Processes. (Diagram.)

A Framework for All Things Compliance: Model Implementation.

Compliance Model Implementation: Phased Implementation (CMI Phase I, Phase II, Phase III, Phase IV).
CM Phase I: Identify Requirements. For example, the NERC Standards applicable to Midwest ISO are identified.
CM Phase II: Validate and Assign Requirements. The Midwest ISO staff responsible for each Requirement are verified.
CM Phase III: Document Compliance Processes & Records. Processes to achieve compliance are identified, and control activities and required Compliance Records are determined.
CM Phase IV: Implement Processes within the Compliance Platform. Processes are implemented in the Business Process Model tool and Records in the Enterprise Content Management tool.

Compliance Model - Phase I. (Diagram.)

Compliance Model - Phase II. (Diagram.)

Compliance Model - Phase III. (Diagram.)

Compliance Data Model Inputs: Compliance Area; Requirement Owner; Requirement Identification #; Text of Requirement; Compliance Narrative (NERC); Internal Objective (NERC Element); Control Activity #; Text of Control Activity; Business Area; Frequency; Type; Control Activity Owner; Process; Corroborating Evidence; Supporting Department; Category; Risk; Notes.

CMI Phase III Activity Overview. (Diagram: the Tariff Requirements Matrix and the NERC Requirements Matrix feed the CMI Database (System of Record), which supports Process Identification, Control Drafting, Evidence Production and Quality Assurance Review. Each matrix contains a Unique Identifier, Requirement Owner and Requirement Text.) After Requirements have been passed to the CMI Database, the focus shifts from documentation of requirements and identification of owners to Process Identification, Controls Documentation, Evidence Gathering and an independent Quality Assurance Review.

CMI Phase III Quality Assurance Process for Documenting Compliance:
Process/procedure, controls, and evidence are documented for each Compliance Requirement and submitted for Quality Assurance Review.
The Process/Controls Quality Assurance Reviewer reviews and signs off.
The Technical Quality Assurance Reviewer reviews and signs off.
The Requirements Owner and Compliance Area Owner review and sign off.
Process Documentation, Controls and Evidence for all Requirements are then Completed.
Quality Assurance Review Objective: Ensure effectiveness of processes, control activities, and evidence to demonstrate compliance. Process/Controls Review: Ensure adequacy of controls. Technical Review focus: Ensure sufficiency, appropriateness and reliability of evidence.

Compliance Model Database Example:
Requirement ID: TOA_A II.E-3. (Unique Requirement Identifier.)
Requirement Text: No Midwest ISO Director, agent, Officer or employee shall directly own securities issued by any Owner, Member, or User of the Transmission System. (Rate schedule language capturing the obligation placed on Midwest ISO.)
Associated Process: Annual Standards of Conduct Recertification Process at Section [xx]. (Identification of a specific process.)
Control: The Human Resources Manager shall confirm that all Directors, agents, Officers and employees have signed the annual recertification form attesting that they do not directly own securities issued by any Owner, Member or User of the Transmission System. (Control language including language used in the requirement, where appropriate.)
Evidence: Signed Annual Recertification Form; Spreadsheet tracking all signatures. (Evidence showing a signed recertification form and the method for tracking.)
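As an added illustration (not the presentation's own code or Midwest ISO's system), a small Python model of one Compliance Model Database record and the Phase III quality-assurance gate described above: a requirement is only Completed once it has an owner, an associated process, control activities with corroborating evidence, and all three reviewer sign-offs. The field names and sign-off labels are assumptions chosen to mirror the slide's terms, and the sample record paraphrases the TOA_A II.E-3 example.

```python
from dataclasses import dataclass, field

# Constructed model of one Compliance Model Database record and the Phase III
# quality-assurance gate from the slides. The sign-off keys are assumed labels
# for the three reviewers the slides list, not the project's own identifiers.
REQUIRED_SIGNOFFS = ("process_controls_qa", "technical_qa", "owner")

@dataclass
class ControlActivity:
    text: str
    owner: str                                   # Control Activity Owner
    frequency: str
    evidence: list = field(default_factory=list) # Corroborating Evidence records

@dataclass
class Requirement:
    req_id: str                                  # Requirement Identification #
    owner: str                                   # Requirement Owner (Phase II)
    text: str                                    # Text of Requirement
    process: str = ""                            # associated Process (Phase III)
    controls: list = field(default_factory=list)
    signoffs: dict = field(default_factory=dict)

def qa_gaps(req):
    """Reasons the record cannot be marked Completed; an empty list means it passes."""
    gaps = []
    if not req.owner:
        gaps.append("no requirement owner assigned")
    if not req.process:
        gaps.append("no associated process identified")
    if not req.controls:
        gaps.append("no control activity documented")
    for c in req.controls:               # technical review: each control needs evidence
        if not c.evidence:
            gaps.append(f"control {c.text[:30]!r} has no corroborating evidence")
    for s in REQUIRED_SIGNOFFS:          # all three reviewers must sign off
        if not req.signoffs.get(s):
            gaps.append(f"missing sign-off: {s}")
    return gaps

def qa_complete(req):
    return not qa_gaps(req)

# Constructed sample record, paraphrased from the slide's TOA_A II.E-3 example.
RECERT = ControlActivity("HR Manager confirms signed recertification forms", "HR Manager",
                         "Annual", ["Signed Annual Recertification Form", "Signature spreadsheet"])
TOA_A_II_E_3 = Requirement("TOA_A II.E-3", "Human Resources Manager",
                           "No Director, agent, Officer or employee shall directly own ...",
                           process="Annual Standards of Conduct Recertification Process",
                           controls=[RECERT], signoffs={s: True for s in REQUIRED_SIGNOFFS})
```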

Compliance Model Phase IV: Business Process Management Readiness. (Diagram.)

Compliance Model Phase IV: Business Process Management Implementation. (Diagram.)

A Framework for All Things Compliance: The Compliance Platform, a collection of interfacing systems.

Compliance Model Lifecycle Management. (Diagram.)

The Compliance Platform: Compliance through integration of best-in-class software applications.

The Compliance Platform.
Primary Activities related to Governance, Risk & Compliance (GRC): Monitoring and recording of business activity to ensure compliance with policies, providing corrective action when rules have been ignored or misconstrued. Identifying potential risks, prioritizing risk tolerance and implementing controls to manage and mitigate risk. Recording and monitoring policies, procedures and controls to enable compliance.
Primary Activities related to Business Process Management (BPM): Process execution to accomplish defined business objectives related to compliance activities. Process performance measurement to ensure production and capture of compliance records. Efficient execution of processes, improving human capital efficiency and enabling support of an increasing number of compliance requirements.
Primary Activities related to Enterprise Content Management (ECM): Preservation of compliance records in a structured, controlled environment. Implementation of records retention and management policies. Search and retrieval.

Supporting Systems. (Diagram.)

The Compliance Platform: Process-Driven Compliance System Functions. (Diagram.)

Document-Driven Compliance versus Process-Driven Compliance. (Diagram: document-driven compliance relies on manual processes and unstructured data held by staff and in email, reports, apps, files, the web and databases. Manual processes burden staff and give less visibility into compliance activities.) Evidence records may not be captured completely, or may even become lost.

Process-Driven Compliance involves integration of three suites of applications to support risk management and compliance. (Diagram showing the GRC Integration Point and the ECM Integration Point.)

Process-Driven Compliance is Built-In Compliance, providing control and visibility of compliance activities: Sustainable Built-In Compliance.
Control of Compliance Activities: Policies and standards establish expectations. Procedures guide rules and responsibilities. Workflows incorporate policies and procedures, formalizing interactions. Formalized workflows enforce rules, driving compliance activities.
Visibility of Compliance Activities: Process models illustrate interactions and responsibilities. Workflow adds rules, policies, procedures and responsibilities to streamline process execution. Workflow enables process automation and tracking, enabling auditability and documented compliance.

Governance, Risk Management & Compliance: Building an In-House, Java-Based Application. Monitoring and recording of business activity to ensure compliance with policies, providing corrective action when rules have been ignored or misconstrued. Identifying potential risks, prioritizing risk tolerance and implementing controls to manage and mitigate risk. Recording and monitoring policies, procedures and controls to enable compliance.

Business Process Management: COR006, Corporate Attestations Process for NERC. (Diagram.)

Enterprise Content Management: Find it Fast with ECMS. Preservation of compliance records in a structured, controlled environment. Implementation of records retention and management policies. Search and retrieval.

Summary: Process, People, Technology. GRC is the integration of people, process and technology to support the business functions of Governance, Risk Management, & Compliance.