Developing an Effective Compliance Monitoring Program

Similar documents
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

White Paper: The Seven Elements of an Effective Compliance and Ethics Program

Vendor Management Panel Discussion. Managing 3 rd Party Risk

US Sentencing Commission Compliance Recommendations Page 1 of 5

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

OUTSOURCING DUE DILIGENCE FORM

Key Trends, Issues and Best Practices in Compliance 2014

VISP Vendor Information Security Plan: A tool for IT and Institutions to evaluate third party vendor capacity and technology to protect research data

Assessment Process HITRUST, Frisco, TX. All Rights Reserved.

Third-Party Cybersecurity and Data Loss Prevention

CFPB Readiness Series: Compliant Vendor Management Overview

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

1. Purpose. 2. Membership and Organization. 3. Meetings. Canadian Imperial Bank of Commerce Risk Management Committee Mandate

OIG Security Audit: What You Need To Know

115 th Annual Convention

Reduce risk. Reduce cost. Raise performance.

Call for Presentations PHRMA Business Management & Strategy Conference May 25, 2016

OIG Security Audits of EHR Incentive Program Participants

View the Replay on YouTube. Sustainable HIPAA Compliance: Enhancing Your Epic Reporting. FairWarning Executive Webinar Series October 17, 2013

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

Carl Abramson Gerry Blass Susan A Miller

CHAPTER 5 - SAFETY ASSESSMENTS, LOG OF DEFICIENCIES AND CORRECTIVE ACTION PLANS

PCI Policy Compliance Using Information Security Policies Made Easy. PCI Policy Compliance Information Shield Page 1

Guided HIPAA Compliance

eskbook Emerging Life Sciences Companies second edition Chapter 25 Outsourcing in the Pharmaceutical Industry

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

2014 Vendor Risk Management Benchmark Study

a Legal Project Management Consultancy Plan. Resource. Realize.

VCU HEALTH SYSTEM Compliance Program. Updated August 2015

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

ursouthwestern Medical Center The University of Texas Southwestern Medical Center HIPAA Privacy Program Audit Internal Audit Report 15:20 July 6, 2015

Interpreting the HIPAA Audit Protocol for Health Lawyers

SHARED ASSESSMENTS PROGRAM STANDARDIZED INFORMATION GATHERING (SIG) QUESTIONNAIRE

HCA ETHICS AND COMPLIANCE PROGRAM

Office of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer

Services Providers. Ivan Soto

AHIA HCCA Auditing & Monitoring Focus Group Defining the Key Roles and Responsibilities Corporate Compliance and Internal Audit.

Building A Framework-based Compliance Program. Richard E. Mackey, Jr. Vice President, SystemExperts Corp. dick.mackey@systemexperts.

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

Ethical Maturity Index: Questionnaire Authors: Elena Demidenko and Patrick McNutt

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

Third Party Risk Management 12 April 2012

What can HITRUST do for me?

TRAINING TITLE: Internal Auditing Workshop (WORK-008)

Managing Outsourcing Contracts

HIPAA and HITECH Compliance for Cloud Applications

TransAlta Corporation Energy Trading Compliance Program Assessment

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Sustainable Compliance: A System for Ongoing Audit Readiness

How To Plan A Crisis Management Program

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan

Agenda. OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2. Linda Sanches, MPH Senior Advisor, Health Information Privacy 4/1/2014

More information >>> HERE <<<

Outsourcing Information Technology Concepts and Case Study Carrollton, TX

Steve Bunde, HealthPartners Leanne Thyken, BCBS HCCA Upper Midwest Conference September 16, 2010

TrackWise - Quality Management System

Disaster Recovery Plan (Business Continuity) Template - Version 8.2

Inside the Beltway: Compliance Effectiveness Tips

Vendor Risk Management Financial Organizations

PRIVACY MANAGEMENT ACTIVITIES

Third Party Security Guidelines. e-governance

RISK ASSESSMENT CHECKLIST

Personal Development Plan

Internal Audit Checklist

How To Write An Hm Compliance Program

Position Description: Chief Information Officer Department: Information Technology Information Technology FLSA Status: Exempt. Revised: October, 2014

Appendix A: Sample Interview Note-taking Booklet

OCR HIPAA Audits. Disclaimer. Message. I am here for your benefit. If you have questions, please ask. 1. Background 2. The Audit 3.

Intelligent Vendor Risk Management

Best Practices for Choosing a Content Control Solution

Optimizing Quality Control / Quality Assurance Agents of a Global Sourcing / Procurement Strategy

Business Management System Manual. Context, Scope and Responsibilities

Design of Database Security Policy In Enterprise Systems

A Risk Assessment Checklist for Medicaid State Agencies

MHCC Certification of Electronic Health Networks

WHITE PAPER Third-Party Risk Management Lifecycle Guide

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

Physical Security Reliability Standard Implementation

National Institute of Standards and Technology. HIPAA Security Rule Toolkit. User Guide

HUD Technical Assistance Conference HMIS Planning and Implementation

Reduce risk. Reduce cost. Raise performance.

IT Service Management tools - Acquisition and implementation

Performing Vendor Risk Assessments

Internet Banking Internal Control Questionnaire

How To Write An Impactful Audit Report

2007 Follow-Up Report on the Audit of Information Technology January 2005

2016 OCR AUDIT E-BOOK

Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard

Secure HIPAA Compliant Cloud Computing

IT Governance. What is it and how to audit it. 21 April 2009

Effective Corporate Compliance Programs: The Impact of the 2004 Amendments to the U.S. Federal Sentencing Guidelines for Organizations

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved

HITRUST CSF Assurance Program

MAINTAINING COMPLIANCE AND MANAGING RISK IN OUTSOURCED ENGAGEMENTS. Nick Harrahill PayPal Global Security Operations

Contractor Purchasing System Reviews (CPSRs)

Privacy and Outsourcing

September 2010 Report No

Transcription:

Agenda September 12, 2011 Developing an Effective Compliance Monitoring Program Danielle Herrick, CCEP Biography Danielle Herrick, Principal, is Americas Compliance Leader for Administration and Outsourcing at Mercer. In this role, Danielle ensures proper compliance support is provided to Mercer s various administration and outsourcing businesses in Canada, Latin America and the United States. She is responsible for implementing a comprehensive compliance monitoring review program, developing and maintaining policies and procedures, managing incidents, conducting periodic risk assessments and participating in various management and compliance committees. Danielle has been with Mercer since January 2006 and has over 10 years of human resources and compliance experience. Prior to being awarded the role of Americas Compliance Leader for Administration and Outsourcing, Danielle was Americas Compliance Monitoring Leader where she managed compliance monitoring and risk management activities for all Mercer businesses in the region. Before coming to Mercer, Danielle served in various compliance roles for Fortune 500 companies. Her responsibilities included such activities as vendor management, contract negotiations and ERISA, Sarbanes-Oxley and HIPAA Privacy & Security compliance. Danielle has a Bachelor of Arts in sociology from the State University of New York at Oswego and a Master of Business Administration from Saint Joseph's College of Maine. She is a Certified Compliance and Ethics Professional, a licensed life and health agent, has received her Certification in Control Self-Assessment (CCSA) and is a Senior Professional in Human Resources (SPHR). Page 2 1

Agenda Overview Evidencing return on investment Elements of an effective compliance monitoring program Helpful tips Questions Page 3 Agenda Overview 2

Overview Federal Sentencing Guidelines 8B2.1. Effective Compliance and Ethics Program (a) To have an effective compliance and ethics program, for purposes of subsection (f) of 8C2.5 (Culpability Score) and subsection (c)(1) of 8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct. Page 5 Agenda Return on Investment 3

Return on Investment Making a business case Develop a formal proposal Consider using existing staff and resources Plan to test pilot the program Evidencing return on investment Through reporting (improved monitoring results) Better audit results Decrease in the number of incidents (errors, regulatory violations/fines, etc.) Increased program efficiency (possibly decreased cost) over time Page 7 Agenda Elements of an effective compliance monitoring program 4

Key Elements A compliance monitoring program should be formal and include the following key elements: Agreed upon scope and strategy Standard tools and templates Reporting Training and communications Continuous improvement Page 9 Scope & Strategy There are multiple approaches that can be taken when implementing a monitoring program Risk based A deep dive into the controls identified for top or key risk areas Reviewing compliance with all policies and procedures A cursory review for compliance with all policies and procedures Combination risk based and all policies and procedures A cursory review for compliance with all policies and procedures and a deep dive into the controls identified for top or key risks Page 10 5

Scope & Strategy, cont d. Challenges for complex and/or multinational organizations Organizational challenges Cultural differences Language barriers Different regulatory environments Program costs Page 11 Scope & Strategy, cont d. Division policies & procedures Regional policies & procedures Core program Page 12 6

Scope & Strategy, cont d. Employee Interview To determine employee knowledge of and compliance with various policies, procedures and standards. Facility Review To determine compliance with data privacy & security and other facility requirements. File Review To review hard copy documentation (e.g., meeting notes, phone records, contracts, etc.). System Review To review electronic records, system access or programming. Procedural Review To review adherence to written procedures through colleague shadowing. Page 13 Scope & Strategy, cont d. On-site A consideration for paper heavy organizations Increased access to key personnel Improved visibility Ability to conduct facility reviews Opportunity to provide live post review training VS. Remote Works well for automated environments May provide more flexibility Efficient for subject matter reviews across multiple locations Reduced cost (e.g., travel) Page 14 7

Tools & Templates Page 15 Tools & Templates, cont d. Sample tools and templates for consideration: Closing meeting invite template Compliance reviewer guide Compliance reviewer training Dashboard template Data sample calculation worksheet Data sample template Employee deficiency notification Immediate action items template Interview invite template Pre-review meeting template Pre-review preparation instructions Post-review thank you note Post-review training deck Quality review checklist Report template Review questionnaires Review schedule Standard operating procedures (SOP Page 16 8

Tools & Templates, cont d. Develop/ review compliance monitoring program Confirm annual monitoring schedule Review preparation Schedule colleague interviews Confirm review logistics Distribute final report Q4 January 3-weeks prior 2-weeks prior 1-week prior Review 2-weeks after Develop scope and create tools and templates Prepare data sample Conduct prereview meeting Conduct review Document findings Hold closing meeting Page 17 Reporting Office/division level reporting Quarterly reporting Global/zone/market level reporting Compliance & risk committee reporting Page 18 9

Training & Communication Page 19 Continuous Improvement Once a program has been established, small changes rather than sweeping changes should occur over time to: Meet changing business needs Address a shifting risk environment Coordinate with regulatory changes Improve program efficiency Small improvements in the program are less likely to cost a significant financial investment or radical process changes Page 20 10

Agenda Helpful Tips Tips Start with a core program Ensure those performing the review are well trained and have the necessary tools and templates to be successful Communicate results in a formal manner Utilize results to improve other compliance programs (e.g., training and communications, risk management, etc.) Follow-up on action items identified during the review Review the compliance monitoring program annually Consider having internal audit review the effectiveness of the monitoring program Page 22 11

Questions 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information