Methods and systems for compliance program assessment

US 20020059093A1
Filed: 05/03/2001
Published: 05/16/2002
Est. Priority Date: 05/04/2000
Status: Abandoned Application

First Claim

Patent Images

1. A method for conducting a consistent, documented and yet repeatable compliance risk assessment and mitigation process, using a network-based system including a server system coupled to a centralized database and at least one client system, said method comprising the steps of:

conducting a compliance program assessment;

conducting a prioritization of compliance risks;

identifying, for each compliance risk area, potential compliance failures and potential causes and effects of such compliance failures; and

ensuring that risk monitoring and control mechanisms are in place to mitigate compliance risks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for identifying and quantifying compliance issues are described. In one embodiment, a system is configured to implement a method which comprises assessing at least one compliance program to identify potential risks and prioritizing the potential risks. The issues relating to the potential risks, for example, failure modes and root causes are identified and are mitigated and controlled.

Citations

118 Claims

1. A method for conducting a consistent, documented and yet repeatable compliance risk assessment and mitigation process, using a network-based system including a server system coupled to a centralized database and at least one client system, said method comprising the steps of:
- conducting a compliance program assessment;
  
  conducting a prioritization of compliance risks;
  
  identifying, for each compliance risk area, potential compliance failures and potential causes and effects of such compliance failures; and
  
  ensuring that risk monitoring and control mechanisms are in place to mitigate compliance risks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 2. A method according to claim 1 wherein said step of conducting a compliance program assessment further comprises the steps of:
    - developing a binary questionnaire;
      
      assembling a cross functional team;
      
      defining what constitutes a “
      
      yes”
      
      answer for each question in the binary questionnaire;
      
      identifying and interviewing process owners for the questionnaire answers;
      
      compiling interview results; and
      
      summarizing findings and reviewing final results with compliance and functional leaders.
  - 3. A method according to claim 1 wherein said step of conducting a prioritization of compliance risks further comprises the steps of:
    - identifying the compliance risks of at least one of business'"'"' processes, products, environment, and location; and
      
      prioritizing the business'"'"' highest risks.
  - 4. A method according to claim 1 wherein said step of identifying further comprises the steps of:
    - analyzing identified high compliance risk areas to determine potential compliance failures and root causes; and
      
      prioritizing actions that need to be taken; and
      
      developing policy scorecards to be used as a monitoring and reporting tool.
  - 5. A method according to claim 1 wherein said step of identifying further comprises the steps of:
    - reassembling the cross functional team that was initially used to conduct the compliance program assessment;
      
      mapping high risk process steps;
      
      beginning a construction of a Failure Mode in Effect Analysis (FEMA);
      
      assigning severity, occurrence and detection Factors;
      
      calculating Risk Prioritization Numbers (RPN);
      
      defining recommended actions to reduce RPNs; and
      
      defining scorecard content and format.
  - 6. A method according to claim 1 wherein said step of ensuring that risk monitoring and control mechanisms are in place, further comprises the steps of:
    - establishing appropriate controls to provide guidance to the business; and
      
      monitoring that the appropriate controls to mitigate compliance risks.
  - 7. A method according to claim 1 wherein said step of ensuring that risk monitoring and control mechanisms are in place, further comprises the steps of:
    - developing action items;
      
      ensuring that the developed action items are completed in a timely manner; and
      
      establishing and monitoring the controls to mitigate compliance risks.
  - 8. A method according to claim 2 wherein said step of identifying and interviewing process owners further comprises the steps of:
    - identifying and interviewing for compliance using a knowledge base; and
      
      identifying and interviewing for compliance using a question owner'"'"'s matrix.
  - 9. A method according to claim 2 wherein said step of compiling interview results further comprises the step of compiling interview results using a spreadsheet configured for automatically converting the results from qualitative to quantitative and further configured to tabulate and graph the results.
  - 10. A method according to claim 2 wherein said step of summarizing findings further comprises the step of summarizing the results of the assessment of at least one compliance program using at least one of a program assessment summary and a policy assessment summary.
  - 11. A method according to claim 3 wherein said step of prioritizing the business'"'"' highest risk further comprises:
    - mapping a high level business risk model;
      
      compiling a list of compliance requirements;
      
      prioritizing the list of compliance requirements;
      
      beginning construction of a quality function deployment (QFD);
      
      entering a severity rating for non-compliance with requirements;
      
      assessing and evaluating compliance policies;
      
      identifying immediate risks and completing constructing of a QFD; and
      
      prioritizing compliance risk areas.
  - 12. A method according to claim 11 wherein said step of mapping the high level business risk model further comprises the steps of:
    - identifying core processes and products of a business;
      
      associating business risk with the core processes and products of a business; and
      
      associating business risk with compliance requirements.
  - 13. A method according to claim 11 wherein said step of compiling a list of compliance requirements further comprises the step of compiling a list of compliance requirements including at least one of a company declared policy and/or practice, legal and regulatory requirements of a business, contractual requirements, compliance risks and internal requirements.
  - 14. A method according to claim 11 wherein said step of prioritizing the list of compliance requirements further comprises prioritizing the severity level of non-compliance using a severity matrix.
  - 15. A method according to claim 11 wherein said step of beginning construction of the quality function deployment (QFD) further comprises the steps of:
    - beginning construction of the QFD using information generated in mapping the high level business risk model with a compliance requirements list developed in making a severity matrix; and
      
      quantifying the results using a risk QFD matrix.
  - 16. A method according to claim 11 wherein said step of assessing and valuating compliance policies further comprises the steps of:
    - assessing business routines and controls to ensure compliance with each policy; and
      
      determining a quality function deployment (QFD) score.
  - 17. A method according to claim 16 wherein said step of determining a quality function deployment (QFD) score further comprises the step of determining a QFD score as process strength rating×
    - severity rating.
  - 18. A method according to claim 16 wherein said step of determining a quality function deployment (QFD) score further comprises automatically entering the score into a risk QFD.
  - 19. A method according to claim 11 wherein said step of prioritizing risk areas further comprises summarizing findings from the risk quality function deployment (QFD) using a risk prioritization matrix.
  - 20. A method according to claim 11 further comprising the step of identifying the top three to five compliance requirements having the highest risk.
  - 21. A method according to claim 5 wherein said step of mapping the high-risk process steps comprises the steps of:
    - creating a process map; and
      
      creating a process map within a failure mode and effect analysis matrix.
  - 22. A method according to claim 5 wherein said step of beginning the construction of a failure mode and effect analysis matrix further comprises the steps of determining potential failure modes for each step in a process, brainstorming potential effects of the failure identifying potential causes of the failures and documenting current controls.
  - 23. A method according to claim 5 wherein said step of assigning severity, occurrence and detection factors further comprises automatically entering the assigned factors into the failure mode and effect analysis matrix.
  - 24. A method according to claim 5 wherein said step of determining risk prioritization numbers further comprises determining the risk prioritization numbers as severity rating×
    - occurrence rating×
      
      detection rating.
  - 25. A method according to claim 5 wherein said step of defining recommended actions to reduce the risk prioritization numbers further includes the step of automatically entering at least one of the recommended actions, an owner of the recommended action and expected date of completion of the recommended action into the failure mode and effect analysis matrix.
  - 26. A method according to claim 5 wherein said step of defining recommended actions to reduce the risk prioritization number further comprises the steps of automatically reassigning ratings and redetermining the risk prioritization numbers.
  - 27. A method according to claim 5 further comprising the step of monitoring progress in reducing the risk prioritization numbers.
  - 28. A method according to claim 27 wherein the step of monitoring progress in reducing the risk prioritization numbers comprises monitoring progress in reducing the risk prioritization numbers using policy scorecards.
  - 29. A method according to claim 1 further comprising the steps of compiling an actions items list and creating at least one policy dashboard.
  - 30. A method according to claim 1 further comprising the step of monitoring metrics relating to training.

31. A system for identifying and quantifying compliance comprising:
- at least one computer;
  
  a server configured to read input information relating to identifying and quantifying compliance, assess at least one compliance program, prioritize risk, identify issues relating to the risk and mitigate and control to resolve the issues;
  
  a network connecting said computer to said server; and
  
  a user interface allowing a user to input information relating to identifying and quantifying compliance.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62)
- - 32. A system according to claim 31 wherein said server configured to assess at least one compliance program is further configured to assemble a cross function team, identify and interview for compliance, compile interview results and summarize the results of the assessment of at least one compliance program.
  - 33. A system according to claim 32 wherein said server configured to assemble a cross-functional team is configured to assemble a cross-functional team using a knowledge base within said server.
  - 34. A system according to claim 32 wherein said server configured to assemble a cross-functional team using a knowledge base is further configured to create a questionnaire that includes a plurality of binary questions relating to compliance and define what constitutes an affirmative answer to the questions.
  - 35. A system according to claim 32 wherein said server configured to identify and interview for compliance is configured to identify and interview for compliance using a knowledge base within said server.
  - 36. A system according to claim 35 wherein said server configured to identify and interview for compliance is further configured to identify and interview for compliance using a question owner'"'"'s matrix.
  - 37. A system according to claim 32 wherein said server configured to compile interview results using a spreadsheet is configured to compile interview results using a spreadsheet configured for automatically converting results from qualitative to quantitative and to tabulate and graph results.
  - 38. A system according to claim 32 wherein said server configured to summarize the results of the assessment is configured to summarize the results of the assessment using at least one of a program assessment summary and a policy assessment summary.
  - 39. A system according to claim 31 wherein said server configured to prioritize the risk is further configured to map a high level business risk model, compile a list of compliance requirements, prioritize the list of compliance requirements, construct a quality function deployment (QFD) matrix, assign a severity rating for non-compliance with requirements, assess and valuate compliance policies, identify at least one immediate risk and prioritize compliance risks areas.
  - 40. A system according to claim 39 wherein said server configured to map the high level business risk model is further configured to identify at least one core process and product of a business, associate business risk with at least one core process and product of a business and associate business risk with compliance requirements.
  - 41. A system according to claim 39 wherein said server configured to compile a list of compliance requirements is configured to compile a list of compliance requirements including at least one of a company declared policy and/or practice, legal and regulatory requirements of a business, contractual requirements, compliance risks and internal requirements.
  - 42. A system according to claim 39 wherein said server configured to prioritize the list of company requirements is configured to prioritize the severity level of each occurrence of non-compliance in accordance with a severity matrix.
  - 43. A system according to claim 39 wherein said server configured to construct the quality function deployment (QFD) matrix is further configured to construct the QFD matrix using information generated in mapping the high level business risk model with the compliance requirements list developed in creating a severity matrix.
  - 44. A system according to claim 39 wherein said server configured to construct the quality function deployment (QFD) matrix is configured to quantify results using a risk QFD matrix.
  - 45. A system according to claim 39 wherein said server configured to assess and evaluate compliance policies is configured to assess business routines and controls to ensure compliance with each policy and determine a quality function deployment (QFD) score.
  - 46. A system according to claim 45 wherein said server configured to determine a quality function deployment (QFD) score is configured determine a QFD score as process strength rating×
    - severity rating.
  - 47. A system according to claim 45 wherein said server configured to determine a quality function deployment (QFD) score is further configured to automatically enter the QFD score into a risk QFD matrix.
  - 48. A system according to claim 39 wherein said server configured to prioritize compliance risk areas is further configured to summarize findings from the risk quality function deployment (QFD) matrix in accordance with a risk prioritization matrix.
  - 49. A system according to claim 39 wherein said server is further configured to identify the top three to five compliance requirements having the highest risk.
  - 50. A system according to claim 31 wherein said server configured to identify issues relating to risk is further configured to assemble a cross-functional team, map the high risk process steps, construct a failure mode and effect analysis matrix, assign severity, occurrence and detection factors, determine risk prioritization numbers and define recommended actions to reduce the risk prioritization numbers.
  - 51. A system according to claim 50 wherein said server configured to map the high-risk process steps is further configured to create a process map.
  - 52. A system according to claim 50 wherein said server configured to create a process map is configured to create a process map in accordance with a failure mode and effect analysis matrix.
  - 53. A system according to claim 50 wherein said server configured to construct a failure mode and effect analysis matrix is further configured to determine potential failure modes for each step in a process, brainstorm potential effects of the failures to identify potential causes of the failures and documents current controls.
  - 54. A system according to claim 50 wherein said server configured to determine risk prioritization number is configured to determine risk prioritization numbers as severity rating×
    - occurrence rating×
      
      detection rating.
  - 55. A system according to claim 50 wherein said server configured to assign a severity rating, occurrence and detection factors is further configured to enter the assigned factors into the failure mode and effect analysis matrix.
  - 56. A system according to claim 50 wherein said server configured to define recommended actions is further configured to automatically enter at least one of the recommended actions, an owner of the recommended action, and expected date of completion of the recommended action into the failure mode and effect analysis matrix.
  - 57. A system according to claim 50 wherein said server configured to define recommended actions to reduce the risk of prioritization numbers is further configured to reassign ratings and redetermine the risk prioritization numbers.
  - 58. A system according to claim 50 wherein said server is further configured to monitor progress in reducing the risk prioritization numbers using policy scorecards.
  - 59. A system according to claim 50 wherein said server configured to mitigate is further configured to compile an actions items list and create at least one policy dashboard.
  - 60. A system according to claim 31 wherein said server is configured to allow a user to submit information relating to the identification and quantification of compliance via the Internet.
  - 61. A system according to claim 31 wherein said server is configured to allow a user to submit information relating to the identification and quantification of compliance via an Intranet.
  - 62. A system according to claim 31 wherein said network is one of a wide area network and a local area network.

63. A computer programmed to:
- prompt a user to identify potential risks and failure modes and root causes associated with the risks within a compliance program;
  
  prioritize the risks; and
  
  prompt the user with at least one mitigation plan to deal with at least one of the identified risks, failure modes, and root causes.
- View Dependent Claims (64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75)
- - 64. A computer according to claim 63 further programmed to prompt a user to identify process owners within the compliance program.
  - 65. A computer according to claim 63 wherein to identify the risks and failure modes and root causes, said computer displays a computer generated screen comprising a questionnaire relating to compliance.
  - 66. A computer according to claim 65 wherein the questionnaire comprises a question owners matrix.
  - 67. A computer according to claim 66 wherein said question owners matrix comprises a listing of compliance assessment areas.
  - 68. A computer according to claim 63 further programmed to calculate a percentage of compliance.
  - 69. A computer according to claim 65, said computer further programmed to tabulate and graph questionnaire results.
  - 70. A computer according to claim 63 wherein to prompt a user with a mitigation plan, said computer displays a computer generated screen comprising at least one of a completed questionnaire, a summary of current status, improvement opportunities, action plans, potential best practices, a program summary and a policy assessment summary.
  - 71. A computer according to claim 63 wherein to prioritize the risks said computer is programmed to:
    - assess compliance risk; and
      
      relate risks to processes, products and environments.
  - 72. A computer according to claim 63 wherein to prioritize the risks said computer is programmed to prioritize a list of compliance requirements based upon a severity of non-compliance.
  - 73. A computer according to claim 72 further programmed to organize the list of compliance requirements using a severity matrix format.
  - 74. A computer according to claim 72 further programmed to generate a risk quality function deployment matrix, using compliance requirements and severity ratings for non-compliance of each compliance requirement.
  - 75. A computer according to claim 72 further programmed to calculate risk prioritization numbers using at least one of severity ratings, a likelihood of occurrence factor and a detection ability factor.

76. A computer program embodied on a computer readable medium for managing compliance risk assessment to enable businesses to develop broader and deeper coverage of compliance risks, using a network based system including a server system coupled to a centralized database and at least one client system, said computer program comprising a code segment that:
- develops a questionnaire based on list of compliance requirements and stores the questionnaire into a centralized database;
  
  records and processes qualitative responses against each of the questions identified in the questionnaire;
  
  converts the qualitative responses to quantitative results based on predetermined criteria and develops compliance risk assessment output to enable businesses to reduce risks and improve profits.
- View Dependent Claims (77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89)
- - 77. The computer program as recited in claim 76 further comprising a code segment that compiles list of compliance requirements and prioritizes list of compliance requirements based on relative severity of non-compliance.
  - 78. The computer program as recited in claim 77 further comprising a code segment that compiles list of compliance requirements based on at least one of Regulatory Requirements, Contractual Requirements, Internal Policy Requirements and Spirit/Letter Requirements.
  - 79. The computer program as recited in claim 77 further comprising a code segment that:
    - stores severity rating for non-compliance requirements;
      
      accesses strength of business routines and controls to ensure compliance with each policy;
      
      computes a QFD score; and
      
      prioritizes compliance risk areas according to risk criteria and process control strengths.
  - 80. The computer program as recited in claim 79 further comprising a code segment that links business'"'"'s core process to key compliance risks.
  - 81. The computer program as recited in claim 76 further comprising a code segment that summarizes findings in an easily readable graphical and table formats.
  - 82. The computer program as recited in claim 79 further comprising a code segment that:
    - reports progress since last review;
      
      identifies focus areas for next review and defines specific recommended steps that business managers can implement to reduce risks.
  - 83. The computer program as recited in claim 76 further comprising a code segment that generates management reports for at least one of business groups, departments, regions, and countries.
  - 84. The computer program as recited in claim 76 further comprising a code segment that identifies opportunities for each businesses.
  - 85. The computer program as recited in claim 76 wherein the network is a wide area network operable using a protocol including at least one of TCP/IP and IPX.
  - 86. The computer program as recited in claim 76 wherein the data is received from the user via a graphical user interface.
  - 87. The computer program as recited in claim 76 further comprising a code segment that develops questionnaires based on pre-stored assumptions in the database.
  - 88. The computer program as recited in claim 76 wherein the client system and the server system are connected via a network and wherein the network is one of a wide area network, a local area network, an intranet and the Internet.
  - 89. The computer program as recited in claim 76, and further comprising a code segment that monitors the security of the system by restricting access to unauthorized individuals.

90. A database comprising:
- data corresponding to identified potential risks;
  
  data corresponding to prioritization of the risks; and
  
  data corresponding to a mitigation and control plan.
- View Dependent Claims (91, 92, 93, 94, 95, 96, 97, 98)
- - 91. A database according to claim 90 further comprising data corresponding to a cross-functional team.
  - 92. A database according to claim 90 further comprising data corresponding to a questionnaire regarding compliance.
  - 93. A database according to claim 92 further comprising data corresponding to interview results in a questionnaire spreadsheet.
  - 94. A database according to claim 90 further comprising data corresponding to at least one of a current status summary, improvement opportunities, action plans, potential best practices, a program summary and a policy summary.
  - 95. A database according to claim 90 further comprising data corresponding to a compliance assessment.
  - 96. A database according to claim 90 further comprising data corresponding to a quality function deployment assessment score, the assessment score calculated as process strength rating×
    - severity rating.
  - 97. A database according to claim 90 further comprising data corresponding to a failure mode and effects analysis matrix.
  - 98. A database according to claim 90 further comprising data corresponding to a risk prioritization matrix, risk prioritization calculated as severity rating×
    - occurrence rating×
      
      detection rating.

99. A method for compliance assessment comprising the steps of:
- entering, into an electronic interface, identified compliance risks and failure modes and root causes associated with the compliance risks;
  
  entering, into the electronic interface, compliance requirements; and
  
  requesting, from the electronic interface, a mitigation and control plan.
- View Dependent Claims (100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110)
- - 100. A method according to claim 99 further comprising the step of entering into the electronic interface, names of a cross-functional team.
  - 101. A method according to claim 100 further comprising the steps of:
    - requesting cross functional team members to complete a compliance questionnaire; and
      
      requesting, from the electronic interface, a summary of questionnaire results.
  - 102. A method according to claim 101 wherein said step of requesting a summary of questionnaire results further comprises the step of requesting, from the electronic interface, graphed and tabulated results.
  - 103. A method according to claim 99 further comprising the step of requesting, from the electronic interface, prioritization of occurrences of non-compliance in a severity matrix.
  - 104. A method according to claim 99 further comprising the step of requesting, from the electronic interface, an assessment of business routines and controls to determine a quality function deployment (QFD) score.
  - 105. A method according to claim 104 wherein the QFD score is calculated as process strength rating×
    - severity rating.
  - 106. A method according to claim 99 further comprising the step of requesting, from the electronic interface, a failure mode and effects analysis on a number of compliance requirements risks identified in a risk prioritization matrix.
  - 107. A method according to claim 106 wherein the number of compliance requirements risks identified in the risk prioritization matrix is no less than three (3) and no more than five (5).
  - 108. A method according to claim 106 further comprising the steps of:
    - requesting, from the electronic interface, a risk prioritization number; and
      
      generating a prioritization of actions for implementation and allocation of resources to reduce the risk prioritization number.
  - 109. A method according to claim 108 wherein the risk prioritization number is calculated as severity rating×
    - occurrence rating×
      
      detection rating.
  - 110. A method according to claim 108 further comprising the step of monitoring risk prioritization numbers using at least one policy scorecard.

111. A system configured for compliance assessment comprising:
- at least one computer;
  
  a server configured to provide a questionnaire which includes a plurality of binary questions relating to a compliance program and a definition of what constitutes an affirmative answer to the questions to identified process owners, compile answers received from the process owners, and summarize the questions and answers as an assessment of the compliance program;
  
  a network connecting said computer to said server; and
  
  a user interface allowing process owners and members of a cross functional team to enter information relating to a compliance assessment.
- View Dependent Claims (112, 113, 114, 116, 117, 118)
- - 112. A system according to claim 111 wherein said server further configured provide a question owner'"'"'s matrix to the process owners.
  - 113. A system according to claim 111 wherein said server further configured to:
    - automatically convert a compliance assessment from qualitative to quantitative results; and
      
      tabulate and graph the assessment results.
  - 114. A system according to claim 113 wherein said server further configured to tabulate and graph the assessment results using at least one of a program assessment summary and a policy assessment summary.
  - 116. A method according to claim 115 wherein said step of creating a questionnaire comprises the step of generating a question owner'"'"'s matrix.
  - 117. A method according to claim 115 wherein said step of compiling interview results comprises the steps of:
    - converting the results from qualitative to quantitative; and
      
      at least one of tabulating and graphing the results.
  - 118. A method according to claim 115 wherein said step of summarizing the results as an assessment of the compliance program comprises the step of using at least one of a program assessment summary and a policy assessment.

115. A method for assessing a compliance program, said method comprising the steps of:
- assembling a cross-functional team for determining what constitutes compliance;
  
  creating a questionnaire including a plurality of binary questions relating to compliance and defining what constitutes an affirmative answer to the questions;
  
  identifying and interviewing process owners for compliance with the compliance program;
  
  compiling interview results; and
  
  summarizing the results as an assessment of the compliance program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
General Electric Capital Corporation (General Electric Company)
Original Assignee
General Electric Capital Corporation (General Electric Company)
Inventors
Lacey, William, Robine, Christopher, Mitchell, Christina E., Torres, Frank III, Barton, Nancy E., Vicente, Ligia B., Denniston, Brackett B. III, Green, Robert C., Tucker, David E., Gilbert, Edward S., Carbone, John W., Whitcomb, John M., Mensching, Eugene F. Jr., West, Sheri F.

Application Number

US09/848,051
Publication Number

US 20020059093A1
Time in Patent Office

Days
Field of Search
US Class Current

705/10
CPC Class Codes

G06Q 10/06   Resources, workflows, human...

G06Q 10/06393   Score-carding, benchmarking...

G06Q 30/018   Certifying business or prod...

G06Q 40/08   Insurance

Methods and systems for compliance program assessment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

118 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for compliance program assessment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

118 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links