Maturity Model Final June 1 SCCE.pptx


6/2/2015

Benchmarking Compliance Effectiveness: Developing a Maturity Model to Measure Your Compliance Program and Report to Your Board/Audit Committee
Robert F. Roach, Vice President, Chief Global Compliance Officer, New York University
June 1, 2015

Compliance Maturity Model
The Challenge: Measuring Compliance Program Effectiveness

1. The Standard
When establishing and implementing a Compliance Program, most organizations (including Universities) attempt to follow the U.S. Federal Sentencing Guidelines for Organizations: Section 8B2.1 Effective Compliance and Ethics Programs.

2. The Guidelines don’t always help!
While the Guidelines set forth basic elements of an effective compliance program, they make clear that:
- No single compliance program design fits every organization.
- An organization's industry, size, structure and mission all influence program design and operation.

3. The Challenge
The Guidelines direct us to have an “effective” program, but how do you define and measure the effectiveness of your Compliance program?

4. Practical Issues
- Easier to track program activities than results
- Difficult to determine which compliance activities drive results
- Difficult to assess employee and management behavior objectively and consistently over time
- Lack of useful benchmarks for comparison
- Often difficult to glean actionable information from self-assessments

Compliance Maturity Model
Capability Maturity Models
The concept of a Capability Maturity Model was developed at Carnegie Mellon in the 1980s for the U.S. Defense Department to help measure the capability of potential vendors in the software industry to fulfill government contracts.
The term "maturity" refers to the degree to which an organization’s processes have been formalized, implemented and integrated into an organization's operations.

Capability Maturity Models have been developed for many fields and areas. With a Compliance Maturity Model we hope to provide:
- A useful means for assessing your compliance program against recognized standards
- A method for identifying “next steps” required to advance your compliance program
- A process for measuring progress against internal and external benchmarks
- A tool that can be used to measure progress in specific compliance areas and projects or your overall compliance program

In the next sections of this presentation we will cover:
- A Compliance Maturity Model (CMM) that focuses on elements of a compliance program
- The general “stages of maturity” for organizational compliance processes

Compliance Maturity Model
A Compliance Maturity Model (CMM)

Compliance as an Afterthought
Many organizations have “bolted on” compliance programs that are separate and apart from their “business” operations. They have not integrated a focus on compliance risk management within operational and decision making processes.
The overall results are fragmented compliance programs that are complicated to operate and difficult to coordinate, manage, and monitor. These systems also tend to be reactive rather than planned or strategic.

CMM Maturity Levels
A CMM focuses on integration of your compliance programs into organizational business processes by analyzing the “maturity” of your program with levels that range from ad hoc practices, to formally defined steps, to managed with result metrics, to active optimization of processes. As an organization moves up the maturity model, ownership spreads across the organization and becomes embedded within the very culture of the organization.
Note: capability maturity models vary in the number of “maturity” levels they use – usually three to five. They also use somewhat different descriptive labels. We have developed a CMM with five levels and the most frequently used labels for maturity levels.

1. Ad Hoc: Procedures are usually informal, incomplete and inconsistently applied.
2. Fragmented: There are some compliance controls in place, but they are not consistent across the organization. Often limited to certain areas or managed in “silos” (e.g. EHS, Finance, Research, etc.).
3. Defined: Compliance controls and procedures are documented and standardized across the organization.
4. Mature: Compliance procedures are an integral part of business processes and periodic reviews are conducted to assess effectiveness of the program.
5. Optimized: Regular review and feedback are used to ensure continuous improvement towards optimization of compliance processes; elements are often automated, which are more effective at preventing compliance failures and ultimately less costly than manual controls focusing on detection.

[Chart: Compliance Program Maturity - Organization, plotted across the five levels 1. Ad Hoc, 2. Fragmented, 3. Defined, 4. Mature, 5. Optimizing]
[Chart: Compliance Program Maturity - Organization, levels A. Ad Hoc, B. Fragmented, C. Defined, D. Mature, E. Optimizing]

Compliance Maturity Model
CMM – Focused on “Federal Sentencing Guidelines” Elements

Compliance Maturity Model - Structure
Structure and Accountability
- Leadership, Distributed Responsibility and Adequate Resources
- Enterprise-Wide Coordination and Oversight
- Demonstrated Enterprise Commitment

NYU Compliance Structure
Audit & Compliance Committee of the Board of Trustees: Oversees the implementation and effectiveness of NYU's Compliance Program and monitors the University’s compliance with its legal, grant, contractual and policy obligations. The Vice President and Chief Global Compliance Officer reports regularly to the Committee.
Office of the President / OCRM: OCRM, led by the Deputy President, Diane Yu, and the Vice President and Chief Global Compliance Officer, facilitates communication among key compliance officers through our compliance committees and University-wide Compliance Program.
University Compliance & Risk Steering Committee: University Leadership committee chaired by Deputy President, Diane Yu, and staffed by OCRM, approves the University’s ethics, compliance, and training priorities and oversees the University’s compliance efforts.
Compliance & Risk Committees: OCRM co-chairs three Compliance & Risk Committees:
- The Compliance & Risk Officers Working Group (New York, Abu Dhabi, Shanghai)
- The Schools Compliance & Risk Officers Taskforce
- The Global Compliance & Risk Officers Taskforce

NYU Compliance: OCRM Compliance Committees
Compliance Officers Working Group (COWG): includes compliance officers from academic and administrative departments, including NYU Abu Dhabi, who are responsible for day to day compliance activities. COWG currently has a membership of more than 25 compliance officers.
Schools Compliance Officers Taskforce (SCOT): includes representatives appointed by the deans and directors of all of NYU’s Schools, Colleges and major Institutes, including NYU Poly and the Center for Urban Science and Progress (CUSP). SCOT was formed in 2012 as a forum for Schools to discuss their unique compliance concerns and as a vehicle to enhance compliance communication with COWG and GCOT.
Global Compliance Officers Taskforce (GCOT): provides a forum for administrators at Washington Square who have responsibilities for the academic and administrative development at the Global Sites.

Compliance Maturity Model - Structure
(Structure and Accountability, by maturity level)

1. Ad Hoc
- There is no formal compliance structure
- No independent oversight
- Accountability is not defined
- Compliance risks are not understood

2. Fragmented
- Senior management and Board discourage noncompliance but are not consistent in follow through
- Accountability is broadly understood but not formally documented
- Oversight and monitoring are inconsistent
- Senior compliance committee may exist, but compliance activities are reactive and in silos
- Compliance risks are understood but not formally documented

3. Defined
- A compliance structure has been established, with accountability assigned to key risk area officers
- Senior Compliance Committee exists, includes representatives of key organizational activities
- Chief Compliance Officer or other individual with day to day responsibility for compliance appointed
- Process in place for identifying compliance risks and developing mitigation plans by assigned risk area officers

4. Mature
- Compliance risk assessments and mitigation plans are completed by risk area officers on a regular, timely and consistent basis
- Reporting by risk area officers to Chief Compliance Officer is timely and consistent
- The senior compliance committee meets at least quarterly, receives regular reports by Chief Compliance Officer, actively plans for compliance contingencies
- Chief Compliance Officer has independent and direct access to Board or Audit Committee. Makes regular reports on compliance activities to Board/Audit Committee.

5. Optimized
- Network of compliance officers representing every significant operation in place and they meet regularly to coordinate compliance activities
- Senior Compliance Committee considers compliance a strategic priority. Compliance risk scenarios have been identified, assessed and mapped to compliance controls, which are updated at least annually.
- The Board/Audit Committee and executive management show a demonstrated commitment to compliance throughout the organization.
- Compliance, risk management and internal audit have implemented integrated work plans. Integrated functions are supported by automated processes.

[Chart: Compliance Maturity Model - Structure: Structure and Accountability, plotted across the five levels 1. Ad Hoc, 2. Fragmented, 3. Defined, 4. Mature, 5. Optimizing]

[Chart: Structure and Accountability, levels A. Ad Hoc, B. Fragmented, C. Defined, D. Mature, E. Optimizing]

Compliance Maturity Model - Policies
Policies and Procedures
- Distributed and Assigned Responsibility
- Development and Publication
- Accessibility and Communication
- Policy Tracking, Review and ...

[Screenshot of the NYU policies page: “... friendly! Search by keyword, category or date range.” “Need help finding an NYU policy? Contact Diane Delaney at our office – Diane’s email is on the policies page.”]

Compliance Maturity Model - Policies
(Policies and Procedures, by maturity level)

1. Ad Hoc
- Some compliance policies exist
- Employees may be informed about policies, but communication is sporadic and availability inconsistent
- Processes for approval and subsequent review are informal, sporadic and inconsistent.

2. Fragmented
- Compliance policies exist but may not be complete and are not consistently documented
- Employees are provided guidance on the organization's policies, however communications are sporadic or undocumented
- Procedures for approval of policies and subsequent review exist but are not formally documented nor consistently followed

3. Defined
- Policies for all significant compliance areas are published, in a consistent format and readily available
- The organization has formal processes in place to communicate compliance policies
- There is a formal policy development and approval procedure that identifies executive owners and day-to-day responsible officers. Subsequent review occurs, but monitoring for compliance with the process does not occur or is sporadic and undocumented.

4. Mature
- Policies are widely available and easily found on the organization’s website (internal or external). There are additional mechanisms for easy identification (e.g. web search functions). Policies identify executive and day-to-day responsible officers for questions.
- Compliance policies and the consequences of non-compliance are communicated regularly, at least annually. Policy compliance is monitored and assessed.
- Policies are reviewed regularly to ensure compliance with regulatory changes. Monitoring of compliance with the policy review process is formal and documented.

5. Optimized
- Compliance policies are monitored and results used to improve policies
- Changes and improvements are made to messaging and communication techniques in response to periodic assessments. New and amended policies are communicated shortly after changes are approved.
- Legislation is proactively monitored to ensure that new and amended policies are implemented in a timely fashion. Legislation services are utilized. The policy management and monitoring process may be automated.

[Chart: Compliance Maturity Model - Policies: Policies and Procedures, plotted across the five levels 1. Ad Hoc, 2. Fragmented, 3. Defined, 4. Mature, 5. Optimizing]
[Chart: Policies and Procedures, levels A. Ad Hoc, B. Fragmented, C. Defined, D. Mature, E. Optimizing]

Compliance Maturity Model – Training/Communication
Training and Communication
- Planning and Content
- Distributed and Assigned Responsibilities
- Delivery Mechanisms (In-person, Online, Automation)
- Audience – Needs Identification
- Audit Trail, Tracking and Metrics
- Assessment and Certification

Compliance Maturity Model - Training
(Training and Communication, by maturity level)

1. Ad Hoc
- Formal compliance training is not provided. However, compliance information may be communicated by informal means.
- There is no ... Communication about compliance may occur, but it is sporadic and informal.

2. Fragmented
- The organization provides compliance training but it is sporadic or in silos.
- Compliance communications such as newsletters, email blasts, posters and other methods are used. There is no formal documented compliance communication program.

3. Defined
- Compliance training is provided throughout the organization as needed in a scheduled and timely fashion. Training metrics may not be collected and reported to executives or the Board in a regular or consistent fashion.
- The organization has developed a formal compliance communication plan that is documented and updated at least annually.

4. Mature
- An enterprise-wide compliance training program exists and is monitored by management/responsible officers. The organization identifies persons needing training in key compliance areas and monitors their participation. Training metrics are collected and reported to executives and the Board at least annually.

5. Optimized
- A program of compulsory compliance training is implemented. Automation is used in program delivery and monitoring. Competency assessments and certification programs are implemented in key compliance areas. Monitoring and metrics are used to continuously improve training.
- Compliance monitoring and metrics are used to continuously improve the compliance communication plan.

[Chart: Compliance Maturity Model - Training, plotted across the five levels 1. Ad Hoc, 2. Fragmented, 3. Defined, 4. Mature, 5. Optimizing]

Compliance Maturity Model – Risk
Risk Assessment
- Process – Defined Formal Methodology
- Distributed Responsibility and Ownership
- Scope – Complete and Enterprise-Wide
- Risk Criteria
- Mitigation Plans
- Monitoring – Responsible Officers and Independent
- Reporting and Oversight

Compliance Maturity Model - Risk
(Risk Assessment, by maturity level)

1. Ad Hoc
- Compliance risks may have been identified, but not as the result of any formal process
- A compliance risk assessment has not likely been completed and risks formally documented

2. Fragmented
- Employees may be aware of and consider various compliance risks.
- Risk assessments may be conducted, but not regularly; they are not part of a regular risk management program and may not cover all areas.

3. Defined
- Processes have been implemented for risk identification, assessment and reporting.
- A formal risk management process has been adopted, such as ISO 31000 or COSO ERM. All risks are assessed at least annually.

4. Mature
- All formal processes for compliance risk management have been implemented throughout the organization and are formally documented through a risk register or other means.
- Mitigation plans are monitored by risk owners and reviewed by an independent department (e.g. compliance or internal audit)
- Results of the risk management process are reported at least annually to executive management and Board.

5. Optimized
- Compliance, Risk Management and Internal Audit have integrated risk management processes that are improved continuously through ongoing monitoring. Risks customized by jurisdiction.
- Executive management and Board regularly review the risk program and provide leadership for key strategic and institutional risks.
- Automation for the risk management process may be implemented.

[Chart: Compliance Maturity Model - Risk: Risk Assessment, plotted across the five levels 1. Ad Hoc, 2. Fragmented, 3. Defined, 4. Mature, 5. Optimizing]
[Chart: Risk Assessment, levels A. Ad Hoc, B. Fragmented, C. Defined, D. Mature, E. Optimizing]

Compliance Maturity Model - Monitoring
Monitoring
- Standards
- Ownership – Distributed and Independent
- Remedial Action Plans
- Metrics
- Reporting and Oversight

Compliance Maturity Model - Monitoring
(Monitoring, by maturity level)

1. Ad Hoc
- Monitoring of compliance program elements and risks is informal and ad hoc.
- Guidance on monitoring is not formally provided or documented

2. Fragmented
- Monitoring of compliance program elements and risks exists but may not cover all aspects
- Some guidance is provided but not fully documented.

3. Defined
- Monitoring of the compliance program covers all relevant elements and risks.
- Monitoring is fully documented.

4. Mature
- Monitoring of compliance covers all program elements and risks.
- Monitoring is fully documented and includes both ongoing monitoring by risk owners and independent monitors (e.g. compliance officer or IA)
- Monitoring results with corrective action plans are reported to executives and Board

5. Optimized
- Monitoring is coordinated and integrated into Compliance, IA and Risk Management functions.
- Formal integrated monitoring plans are developed at least annually by Compliance, IA and Risk Management. Monitoring plans are reviewed and approved at least annually by executives and Board.
- Metrics arising from monitoring activities are developed, reported and utilized to drive continuous improvement in the Compliance Program. Automation is used when possible.

[Chart: Compliance Maturity Model - Monitoring, plotted across the five levels 1. Ad Hoc, 2. Fragmented, 3. Defined, 4. Mature, 5. Optimizing]

[Chart: Monitoring, levels A. Ad Hoc, B. Fragmented, C. Defined, D. Mature, E. Optimizing]

Compliance Maturity Model
Projects and Deep Dives
- Specific Compliance Processes
  o Compliance Complaint Processes
- Specific Compliance Subject Matters
  o Privacy
- Compliance Program Qualities/Results
  o Compliance Culture
- Department or Compliance Function
  o Human Subjects Research

Compliance Maturity Model
Reporting CMM to the Board: By Compliance Program Element
- Snapshot by Element
- By Target or Goal
- Year-on-Year Comparison
- Benchmarking

[Chart: Compliance Maturity by program element: ...re, Policy, Training, Risk, Monitoring]

[Chart: Compliance Program Maturity, plotted across the five levels 1. Ad Hoc, 2. Fragmented, 3. Defined, 4. Mature, 5. Optimizing]
[Chart: Compliance Program Maturity, levels A. Ad Hoc, B. Fragmented, C. Defined, D. Mature, E. Optimizing]

Compliance Maturity Model
Questions?

