Enterprise Compliance

Integrated Assurance Overview

Presented to Risk and Audit Committee

November 19, 2019

Agenda Item 7a, Attachment 1, Page 1 of 8


CalPERS Integrated Assurance Model

Board of Administration / Risk & Audit Committee

Executive and Senior Leadership

First Line of Defense: Program Area Management and Employees

Second Line of Defense: Compliance, Risk Management, Financial Controls, Information Security

Third Line of Defense: Internal Audit

Regulator

External Audit

• Identify and build the risk universe

• Implement and maintain controls

• Consider risk in operational decision-making

• Report on adequacy of risk mitigation

• Establish risk management processes

• Ensure compliance with framework

• Collect and analyze risk information

• Assess risk environment

• Provide independent assurance on internal control system

• Communicate residual or unacceptable risk exposure for remediation

Source: Institute of Internal Auditors; CEB analysis


Governance

Governance serves as a guide and sets out rules and operational guidance on how to run an organization. It applies to what an organization does, how it is done, when it is done, and by whom.

• Maintain Policy Governance

• Maintain Delegation of Authority Governance

• Design Compliance Policies and Procedures

Based on Gartner Ignition Diagnostic for Compliance & Ethics


Culture and Ethics

Culture trumps compliance.

• Measure CalPERS Culture

• Promote a Culture of Integrity

• Maintain Reporting Channels

• Intake and Triage Employee Reports

Based on Gartner Ignition Diagnostic for Compliance & Ethics


Training and Communication

Compliance departments responsible for ethics must create effective training and communications relevant to their intended audiences.

• Develop and Deliver Compliance Training

• Measure Training Effectiveness

• Develop and Deliver Communications Content

Based on Gartner Ignition Diagnostic for Compliance & Ethics


Monitoring and Testing Compliance

• Track the Legal and Regulatory Environment

• Assess Legal and Compliance Risk

• Monitor Compliance Risk Exposure

• Test and Audit Compliance

• Build Risk Specific Mitigation Plans

Based on Gartner Ignition Diagnostic for Compliance & Ethics


Reporting

The compliance program evaluates the effectiveness of the program through metrics. It benchmarks and reports that information to key stakeholders.

Based on Gartner Ignition Diagnostic for Compliance & Ethics


Compliance and Ethics Supports CalPERS Objectives

• CalPERS Performance

• Agency Reputation

• Financial Performance

• Operational Excellence¹

• Governance

• Training and Communication

• Culture and Ethics

• Monitoring and Testing

• Reporting

¹ 10 Truths About Corporate Culture, Gartner, 2017
