Compliance. Group Standard




Group Standard: Compliance

Serco is committed to good governance practices and the management of risks supported by a robust business compliance process.

SMS-GS-G2 Compliance, July 2014, v1.0, Serco Public

Document Details

Reference: SMS-GS-G2: Compliance
Approval Date: July 2014
Serco Public
Version: 1
Date for next review: July 2016
Applicability: Serco Group covering all business regions, operating companies and business units throughout the world [1]
Authority: Chief Executive, Serco Group plc
Accountable Policy Owner (Group): Chief Operating Officer

Additional Information
Supporting standards, standard operating procedures and guidance relating to this Group Standard are available on Our World under Serco Management System.

Governance
Our policies and standards, together with any regional or market requirements and enhancements to them, are authorised through a robust governance process. The SMS Quality Manual describes this process and is available on Our World under Serco Management System.

Consequence Management
As a Group Standard, the requirements detailed in this document are mandated and must be adhered to. Non-compliance will have consequences, which may include disciplinary action. The Consequence Management Group Standard (SMS-GS-G1) details how instances of non-compliance will be dealt with.

[1] As used herein, Serco Group and its affiliates, subsidiaries and operating companies are referred to as Serco, the Company or company, or we, us or our.

Contents
1 Objectives ... 2
2 Compliance Structure ... 2
3 Policy Standards ... 3
  3.1 Compliance programme ... 3
  3.2 Input identification ... 3
  3.3 Compliance mapping ... 4
  3.4 Scope and testing of compliance activity ... 4
  3.5 Delivery of compliance reviews ... 4
    3.5.1 Planning and scoping ... 4
    3.5.2 Conducting fieldwork ... 4
    3.5.3 Closing meeting ... 5
    3.5.4 Draft reporting ... 5
    3.5.5 Management response ... 5
    3.5.6 Issuing the final report ... 5
    3.5.7 Follow up ... 5
  3.6 Resource management ... 5
  3.7 Review and monitoring ... 5
4 Responsibilities & Accountabilities ... 6
5 Processes and Controls ... 8
  5.1 Governance processes and controls ... 8
  5.2 Key processes and controls ... 15
6 Supporting documentation and guidance ... 18
7 Definitions ... 18
8 Further information and support ... 19

1 Objectives

Serco is committed to good governance practices and the management of risks supported by a robust business compliance process. Management is responsible for maintaining adequate internal controls to manage risks and ensure compliance with local laws and regulations, contractual obligations and the Serco Management System (SMS). Each Division is responsible for establishing a robust compliance process, including the identification and management of compliance obligations, and an effective compliance programme.

Compliance management is a critical part of the business compliance process. It enables management to satisfy themselves that key risks are being managed effectively and that a robust control environment is in place. Compliance management will be based on a structured approach, independent of operational reporting lines, to obtain evidence-based information on the current state of process compliance and control effectiveness in order to:

- ensure compliance with the Serco Management System (SMS) and specific regulatory and customer requirements
- promote proactive identification of control deficiencies so that control effectiveness can be strengthened in a timely manner and through a structured process that drives accountability for control improvement
- provide information on systemic control weaknesses that may require strategic control solutions to be implemented which span more than one business area within a Division, thereby avoiding duplication of effort and/or inconsistent solution development
- improve visibility of process compliance and control effectiveness, thereby providing evidence-based inputs into the current risk exposure held across the Division
- improve the effectiveness of processes and controls, thereby helping to ensure that they are cost effective and delivering business performance value

2 Compliance Structure

Compliance is concerned with providing the confidence that internal procedures and controls are in place and that risks are being identified and managed appropriately, with the focus of effective compliance being on managers managing the business in real time and being able to demonstrate that risks are being mitigated. Effective compliance will be delivered by three Lines of Defence:

1st Line of Defence: operations' and Business Units' day-to-day compliance activities, concerned with providing confidence that required policies and procedures are being applied, decision making is within defined authority limits and risks that reside with the business are being managed effectively.

2nd Line of Defence: compliance reviews, undertaken by someone independent of operational reporting lines, provide validation that the business is compliant with policies and procedures, with the aim of continually improving procedures and assessing capability.

3rd Line of Defence: internal and external audit. Whilst there are similarities between audit activities and compliance activities, Internal Audit operates on behalf of the Serco Group plc Board and Audit Committee and is independent of business operations. The role of Internal Audit is to provide an objective and independent review of the design and operation of risk management processes and controls operated across the Group [1]. External audits or quality reviews are completed either where it is a contractual requirement to be externally certified to a particular Standard or recognised industry award, or where there is a business need.

This Group Standard defines the requirements for compliance in support of the 1st and 2nd Lines of Defence.

[1] See Internal Audit Group Standard: SMS-GS-G3

3 Policy Standards

3.1 Compliance programme

S1. Management is responsible for maintaining adequate internal controls to manage risks and ensure compliance with local laws and regulations, contractual obligations and the SMS. Compliance activity provides the basis to enable management to confirm such compliance.

S2. The Divisional CEO will ensure, through the Divisional Compliance Lead, that an appropriate compliance programme is implemented to ensure key risks are being managed and regulations/procedures complied with.

S3. The basis of a structured approach to compliance testing will be a compliance Review Programme ("programme"), which will be developed to cover each Division, its Business Units and Contracts.

S4. Programme development will cover:
  a. Step 1 (see 3.2): identification of all inputs that will perform some form of compliance activity in any given year, including risk profiles, SMS core control requirements, certification, regulatory and customer requirements and contractual obligations, external assurance reviews and internal audit
  b. Step 2 (see 3.3): mapping of the compliance activities identified in Step 1 against the relevant SMS standard area to understand where there may be duplication of effort or gaps in the coverage provided
  c. Step 3: identification of the individual compliance reviews that should be conducted in the period, based on the current level of compliance activity against the SMS
  d. Step 4: validation of the proposed compliance reviews with management and amendment to reflect business priorities
  e. Step 5: definition of indicative scopes for the compliance activity identified, including guidance on the key processes and control areas that will be examined

S5. The Divisional compliance programme will comprise individual reviews conducted over the year, which collectively make up the compliance programme.

S6. The Group Compliance Lead will review and endorse the Division's annual compliance programme prior to final approval by the Divisional Executive Management Team (EMT).

S7. Those undertaking compliance reviews will be independent of operational reporting lines.

S8. Resources responsible for conducting compliance reviews will have experience of key methodologies in the areas of risk, quality and compliance, as well as a good understanding of the business/functional area being reviewed.

S9. The Divisional EMT will review the implementation of the Divisional annual compliance programme and monitor implementation, findings and action close-out status.

3.2 Input identification

S10. The compliance programme will focus on, but not be limited to, compliance with the policy and standards defined within the SMS and the legal and regulatory requirements applicable to the management of the business, and will review the operation of the key controlling processes in place to manage the risks under review.

S11. The Divisional compliance programme will be risk based and focus on risks that could impact on Serco's ability to effectively achieve its objectives.

S12. Risks will be assessed and reviewed by the Divisional EMT throughout the year, and these reviews will inform the Divisional compliance programme, which will be updated if required [2].

S13. The risk profiles of the Division, Business Units and Contracts will identify the key controls to manage or mitigate assessed risks. The Compliance Programme should provide a mechanism for independently testing the effectiveness of these controls.

S14. Reviews undertaken by Internal Audit [3] and planned reviews by the customer, external regulators, certification bodies and other third parties for the year will be taken into consideration when designing the compliance programme.

[2] See Risk Management Group Standard: SMS-GS-RM1
[3] See Internal Audit Group Standard: SMS-GS-G3

3.3 Compliance mapping

S15. To ensure that we have a balanced compliance programme that recognises all compliance activities, all planned 2nd and 3rd Lines of Defence compliance activity will be mapped to allow comparison and to determine the extent of assurance being provided by internal and external assurance providers.

S16. This mapping process will consider planned compliance activity at all levels, including Contract, Business Unit and Division.

S17. Through the aggregation of compliance activity, adjustments will be made to reflect business priorities and risks and areas of coverage, duplication or gaps.

S18. The Divisional Compliance Lead will ensure the compliance activity covered by the compliance map provides Divisional Executive Management with sufficient assurance to satisfy themselves that key risks are being managed and regulations/procedures complied with.

3.4 Scope and testing of compliance activity

S19. Reviews will assess compliance against the SMS and identify the controls in the existing Group Standards for testing. The extent of testing required will be determined during the planning/scoping phase of the review.

S20. Reviews will check the results and completion of self-assessment reporting, where it exists.

S21. Reviews can be undertaken using the following:
  a. control walkthroughs: walking through a process to determine the design effectiveness of a control and the process flow (i.e. the existence of bottlenecks, unnecessary activities and conflicting controls)
  b. control review, adequacy: assessment of the business processes and controls that ensure the business processes are being complied with
  c. control review, effectiveness (sample testing): testing a sample of transactions to conclude on the operating effectiveness of the control

S22. The scope of compliance reviews will be validated by management prior to reviews being conducted, to ensure accurate and relevant coverage is undertaken during the review.

3.5 Delivery of compliance reviews

S23. A structured approach will be applied to the delivery of individual compliance reviews and will detail the approach to undertaking the review in regard to the following areas:

3.5.1 Planning and scoping

S24. The high-level background, objectives, scope and timescales for the review will be determined for each review.

S25. A Manager/senior point of contact (nominated contract lead) for the site/contract being reviewed will be appointed.

S26. The review will agree the logistics of the review (e.g. site access requirements), agree the list of employees to be interviewed and examine the documents provided prior to the commencement of the review.

S27. Key processes/areas, SMS requirements and relevant standards to be reviewed will be identified.

S28. Compliance review records from previous compliance activity and internal audits will be reviewed to establish any relevant areas that should be covered.

S29. Reviews will identify and test the effectiveness of controls in the existing process.

S30. The extent of testing required will be determined during the planning and scoping phase of the review.

3.5.2 Conducting fieldwork

S31. An opening meeting will be conducted with the Manager of the site/contract being reviewed. The purpose of this meeting is to confirm the scope and schedule for the visit.

S32. The reviewer will conduct interviews and look for objective evidence of compliance with the controls/processes/procedures being reviewed.

S33. During meetings, records/documents will be reviewed, and appropriate notes/evidence of what is seen and said will be recorded on the review programme being used.

S34. The sensitivity, data classification and data protection of evidence will be considered.

S35. Personal records will not be identified unless absolutely necessary for an audit trail and traceability of evidence.

S36. At the end of the meeting or visit, the draft findings will be documented with the Contract Manager.

3.5.3 Closing meeting

S37. A closing meeting with the nominated contract lead of the site/contract being reviewed will be held. The purpose of this meeting is to provide and discuss initial feedback on the findings from the review.

3.5.4 Draft reporting

S38. Using a combination of the completed review programme, notes made, objective evidence seen and testing undertaken, a factual draft report will be produced.

S39. The draft report will be issued to the nominated contract lead of the site/contract being reviewed to confirm its factual accuracy and agreement to the actions.

3.5.5 Management response

S40. Management will review the draft report and agree or challenge (giving reasons) the findings of the report.

S41. Corrective/preventive action(s), including an action owner and timescales for completion of each action, will be assigned to each Performance Improvement Opportunity (PIO) identified.

S42. Upon review, management will return the draft report to the reviewer in a timely manner.

3.5.6 Issuing the final report

S43. Management responses, owners and suggested completion dates will be reviewed for appropriateness.

S44. A final version of the report will be documented, converted into PDF and issued to the relevant stakeholders.

3.5.7 Follow up

S45. Actions must be completed within agreed timescales, where possible.

S46. Overdue actions will be tracked and reported. A revised date will be identified and recorded, but tracking and reporting will continue to be against the original due date.

S47. To ensure accurate monitoring and reporting, the reviewer will periodically monitor the status of open actions to ensure that the action status field is correct.

S48. Evidence for completion of actions will be proportionate to the priority of the finding.

S49. Where the action is outstanding, or has not been completed to the Reviewer's satisfaction, further follow-up will be required. If the Action Owner disagrees, escalation to management will be invoked.

3.6 Resource management

S50. Resources will be competent (have the necessary knowledge, skills and experience) to undertake their role and to deliver compliance reviews.

S51. The individual competency required to identify risks, test the design and operating effectiveness of controls and undertake compliance reviews will be assessed, with training needs identified and delivered [4].

3.7 Review and monitoring

S52. Reports on progress against the planned compliance programme and on common trends or issues found will be issued on a periodic basis to enable management to consider areas for improvement.

S53. Oversight and review of Contract compliance activity will be completed by the MD. Oversight of compliance activity, exceptions and high-risk areas will be reviewed by the Divisional EMT.

S54. Significant findings or actions requiring escalation to management will be raised with the Divisional Compliance Lead to ensure appropriate management attention and close-out.

S55. Documentation relating to all compliance reviews will be retained and, where identified for disposal, disposed of in accordance with Document Retention requirements [5].

[4] See Employee Lifecycle Group Standard: SMS-GS-P1
[5] See Document Retention GSOP: SMS GSOP-II1-2

4 Responsibilities & Accountabilities

S56. The following responsibilities will apply to the delivery of the defined standards. If these are not completed effectively, the person responsible will be accountable for any consequences [6].

Group

S57. The Group CEO will appoint a Group Compliance Lead responsible for:
  a. developing and maintaining Group compliance policy
  b. ensuring standards and associated procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage business risks
  c. reviewing and endorsing Divisional compliance plans
  d. providing oversight and reporting on compliance activity and performance

Division

S58. The Divisional CEO will appoint a Divisional Compliance Lead who is independent of the operational reporting lines of the business, with responsibility for:
  a. implementing compliance policy, standards, procedures and key controls across the Division, which may include the development of country/region/Divisional procedures
  b. ensuring that the level of compliance activity provides sufficient coverage to provide assurance that key risks are being managed and regulations/procedures are being complied with
  c. ensuring procedures and key controls remain fit for purpose and reflect legislative and regulatory requirements
  d. implementing a compliance framework that provides confidence that key controls are effectively managing business risks
  e. ensuring resources responsible for conducting compliance reviews have appropriate skills, experience and a good understanding of the business/functional area that is being reviewed
  f. providing oversight and reporting on Divisional compliance performance

S59. The Divisional EMT is responsible for:
  a. reviewing and approving the Divisional compliance programme
  b. monitoring implementation and completion of the Divisional compliance programme
  c. providing oversight and reviewing Business Unit and Divisional compliance activities to ensure they provide sufficient coverage to satisfy itself that the key risks are being managed and regulations/procedures complied with

S60. Those conducting compliance reviews will:
  a. maintain all evidence and records gained throughout the review
  b. plan and prepare for the review
  c. agree and document the ToR
  d. conduct the review
  e. record review findings
  f. produce the draft and final reports
  g. gain agreement from management on the content of the final report
  h. verify completed actions
  i. follow up outstanding actions

Business Unit

S61. The Managing Director is responsible for:
  a. appointing a nominated contract lead to manage the compliance review
  b. ensuring that the agreed actions are implemented and completed within the agreed timescales
  c. oversight and review of Contract compliance activity

Contract/Function

S62. The Contract Manager (or Corporate Function Head) is responsible for:
  a. complying with compliance policy, standards, procedures and key controls
  b. ensuring local controls and procedures are in place for providing assurance that business risks are being effectively managed and decision making is within defined authority limits
  c. completing actions within agreed timescales following all compliance activity

[6] See Consequence Management Group Standard: SMS-GS-G1

S63. Management responsible for the business area being reviewed will:
  a. review the ToR and contribute to the planning phase by agreeing the scope of the review, etc.
  b. attend the opening meeting
  c. carry out on-site preparations
  d. review and agree the draft report, including actions, owners and timescales for completion
  e. ensure the completion of agreed actions within agreed timescales

S64. Those attending interviews as part of a compliance review will:
  a. prepare for the review meeting and engage positively with the review process
  b. be helpful and honest and see the review as an opportunity to improve the process being reviewed
  c. accept the reviewer's feedback, but challenge it if something is wrong or unclear

S65. Those allocated an action as a result of a review will:
  a. ensure the agreed actions are completed within the agreed timescales
  b. ensure evidence of actions is maintained to allow for verification that the action has been adequately implemented
  c. notify the reviewer at the earliest opportunity if action(s) can't be completed within agreed timescales

All employees

S66. All employees are responsible for:
  a. following defined procedures and work instructions
  b. telling a line manager of any compliance concerns

Applicability of standards by level:
  Group: S57, S63-S65
  Division: S58-S60 and S63-S65
  Business Unit: S61, S63-S65
  Contract: S62-S65
  All Employees: S66

5 Processes and Controls

5.1 Governance processes and controls

Process: a set of related activities that must be carried out to achieve policy outcomes.

Controls: the actions we put in place to mitigate risk(s) within a key process and/or the delivery of policy outcomes. These are mandated and are the minimum that should be implemented, regardless of any local difference, for ensuring controls are in place and operating effectively.

P1 Compliance responsibilities are defined and understood

C1 A Group Compliance Lead is appointed by the Group CEO with responsibility for:
  - developing and maintaining Group compliance policy
  - ensuring standards and associated procedures and key controls remain fit for purpose, reflect legislative and regulatory requirements and effectively manage business risks
  - providing oversight and reporting on compliance performance

C2 A Divisional Compliance Lead is appointed by the Divisional CEO with responsibility for:
  - implementing compliance policy, standards, procedures and key controls across the Division, which may include the development of country/region/Divisional procedures
  - ensuring that the level of compliance activity provides sufficient coverage to provide assurance that key risks are being managed and regulations/procedures are being complied with
  - ensuring procedures and key controls remain fit for purpose and reflect legislative and regulatory requirements
  - implementing a compliance framework to provide confidence that key controls are effectively managing business risks
  - ensuring resources responsible for conducting compliance reviews have appropriate skills, experience and a good understanding of the business/functional area that is being reviewed
  - providing oversight and reporting on Divisional compliance performance

C3 The Divisional EMT is responsible for:
  - reviewing and approving the Divisional compliance programme
  - monitoring implementation and completion of the Divisional compliance programme
  - providing oversight and reviewing Business Unit and Divisional compliance activities to ensure they provide sufficient coverage to satisfy itself that the key risks are being managed and regulations/procedures complied with

C4 The MD is responsible for:
  - appointing a nominated contract lead to manage the compliance review
  - ensuring that the agreed actions are implemented and completed within the agreed timescales
  - oversight and review of Contract compliance activity

C5 The Contract Manager (or Corporate Function Head) is responsible for:
  - complying with compliance policy, standards, procedures and key controls
  - ensuring local controls and procedures are in place to provide assurance that business risks are being effectively managed
  - completing actions within agreed timescales following all compliance activity

C6 Those conducting compliance reviews are responsible for:
  - maintaining all evidence and records gained throughout the review
  - planning and preparing for the review
  - agreeing and documenting the ToR
  - conducting the review
  - recording review findings
  - producing the draft and final reports
  - gaining agreement from management on the content of the final report
  - verifying completed actions
  - following up outstanding actions

C7 Management responsible for the business area being reviewed will:
- Review the ToR and contribute to the planning phase, including agreeing the scope of the review
- Attend the opening meeting
- Carry out on-site preparations
- Review and agree the draft report, including actions, owners and timescales for completion
- Ensure the completion of agreed actions within agreed timescales

C8 Those attending interviews as part of a compliance review will:
- Prepare for the review meeting and engage positively with the review process
- Be helpful and honest, and see the review as an opportunity to improve the process being reviewed
- Accept the reviewer's feedback, but challenge it if something is wrong or unclear

C9 Those allocated an action as a result of a compliance review will:
- Ensure the agreed actions are completed within the agreed timescales
- Ensure evidence of actions is maintained to allow verification that the action has been adequately implemented
- Notify the reviewer at the earliest opportunity if an action cannot be completed within the agreed timescales

C10 All employees are responsible for:
- Following defined procedures and work instructions
- Telling a line manager of any compliance concerns

P2 Establish compliance policy
C11 Policy, standards and Group procedures are defined and published

P3 Establish compliance systems and process
C12 Policy, standards and Group procedures are communicated and implemented

C13 Appropriate compliance systems, with supporting procedures and work instructions, are defined, published and communicated
C14 Compliance systems, with supporting procedures and work instructions, are periodically reviewed in light of risk management compliance assessment and audit results, accident and incident analysis, legal changes, changing circumstances and the commitment to continual improvement
C15 Legal and regulatory compliance requirements are monitored, with changes reflected in systems, procedures and work instructions

P4 Provide oversight of compliance performance
C16 Compliance performance is periodically reviewed for effectiveness
C17 Compliance and audit reports are produced with action plans to address nonconformance

5.2 Key processes and controls

P5 Identify compliance obligations
C18 Compliance obligations are identified and inform the Divisional Compliance Programme

P6 Develop Compliance Programme
C19 All forms of compliance activity, including those conducted by external bodies, the customer and Internal Audit, are identified and inform the development of the Compliance Programme
C20 The risk profiles of the Division, the Business Unit and, where required, the individual contracts are reviewed and inform the development of the Compliance Programme
C21 Risks are periodically assessed and the Compliance Programme is amended to reflect any changes in the high-risk areas identified
C22 The Compliance Programme is approved by the Divisional EMT

P7 Map compliance activities against each SMS area
C23 All planned compliance review activity is mapped to determine the extent of internal and external compliance activity being undertaken
C24 Compliance activity is aggregated and informs the Divisional Compliance Programme

P8 Deliver compliance reviews
C25 Each compliance review consists of three key stages:
- Planning and agreeing the scope
- Conducting fieldwork
- Reporting
C26 The scope of all compliance review activity is approved by management

P9 Report findings and monitor agreed actions
C27 Agreed actions are validated by management prior to the final report being issued
C28 Actions are assigned owners and are completed within the timescales agreed

C29 Follow-up reviews are conducted to determine whether agreed actions have been implemented
C30 Progress against the compliance programme, and any common trends or issues identified, is reported to management
C31 Significant findings or actions from compliance review activity that require escalation are raised with the Divisional Compliance Lead to ensure appropriate management attention and close-out

6 Supporting documentation and guidance

The following should be read in conjunction with this standard:
- SMS GSOP-II1-2 Document Retention Group Standard Operating Procedure
- SMS-GS-II1 Information Integrity & Data Management Group Standard
- SMS-GS-BC4 Reputation, Brand and Communication Group Standard
- SMS-GS-RM1 Risk Management Group Standard

7 Definitions

Accountability: Being accountable means being not only responsible for something but also answerable for your actions. A responsible person is the individual who completes the task required. Responsibility can be shared and delegated. All responsible persons will also be accountable for completing tasks effectively. Non-compliance will have consequences, which may include disciplinary action as defined within the Consequence Management Group Standard.

Group: Serco Group plc is the administrative centre of the organisation, responsible for setting corporate strategy, defining governance requirements and supporting the business in its day-to-day operations.

Division: The Group will define a set of business Divisions which will be responsible for business delivery within a defined set of markets or geographies. A Division is a cluster of contracts which provide a similar service, e.g. Health, Defence, Transport etc. Where appropriate, a separate legal entity that is wholly owned, or in which Serco has a controlling share, may also be referred to as a Division. This may also refer to Countries/Territories.

Contract: A Contract provides specified requirements to a customer (either directly with Serco, or to a consortium/joint venture in which Serco is a party). A Contract will also refer to a corporate/functional area. Corporate/functional areas are functions which support the business and include finance, HR, procurement etc.

Organisation: Organisation refers to a site, Contract, Business Unit and Division.

Contract Manager: A manager with responsibility for managing the performance of a contract. This can include a Contract Manager on a day-to-day basis (or an Operational Manager with devolved responsibility), a Contract Director, a Partnership Director and/or a Managing Director.

Compliance review: A review assesses compliance with chosen standards. Reviews will identify the controls in the existing process for testing; the extent of testing required is determined during the planning/scoping phase of the review. Reviews may be referred to as audits (e.g. quality audit, safety audit, regulatory audit etc.), although these provide a different level of audit to that provided by Internal Audit.

Internal Audit: An objective and independent review of the design and operation of the risk management processes and controls, to assess whether they are adequate, carried out by Group Internal Audit.

Testing: Testing may cover a control walkthrough; a control review for adequacy; and a control review for effectiveness through sample testing.

Compliance map: A map of the compliance activities planned to review selected processes and controls, based on the risk profiles of the Division or Contract.

Compliance programme: A process based on a structured approach, independent of operational reporting lines, to obtain evidence-based information on the current state of process compliance and control effectiveness. This is achieved through a Compliance Programme by undertaking planned reviews. The Programme should provide comfort that the Division is managing its risks effectively and is in compliance with local laws and regulations, contractual obligations and the Serco Management System.

8 Further information and support

If you require any further information or support regarding this Group Standard, or if you have any suggestions for improvement, please contact the Accountable Policy Owner (Group) or email sms@serco.com