Slide1
Compliance and Ethics Risk Assessments
Jeff Kaplan / Kaplan & Walker LLP
jkaplan@kaplanwalker.com
PLI C&E Institute
June 1, 2015
Slide2
Today’s presentation
What your risk assessment should do for your program
Recovering the lost dimension of risk assessment
Optimize program elements
Gain broader benefits
How to get there
But not describing a technology/methodology, so much as an approach – that should inform the use of technology/methodologies
Relationship between risk and program assessment
Slide3
Governmental expectations
Historical experience: companies were preparing to fight the last war
Sentencing Guidelines added risk assessment as a foundational element in 2004
What is sometimes forgotten: the need to use results to implement the other C&E tools
For this reason, “why” information is important
“Why” is important for efficiency as well as efficacy
Achieving “Goldilocks C&E”
Other official C&E program expectations include risk assessment
It is also a foundational element in 2010 OECD anti-bribery guidance (the “global sentencing guidelines”)
Important under 2011 UK Bribery law guidance and 2012 DoJ FCPA guidance
Slide4
What a risk assessment should do: some specifics
Determine whether additional C&E policies are needed for any given part of the company (e.g., business or geographical unit) on any given topic, or the extent to which such policies need to be revised
Develop company-specific examples or Q&A that can help make a code of conduct less abstract
Determine whether any additional C&E communications (training or other) should be targeted at any particular part of the company on any given topic
Develop/enhance C&E audit protocols, monitoring tools and other approaches to “checking” on both an enterprise-wide and local “level”
Side note: monitoring is an area of widespread C&E underperformance
Slide5
What a risk assessment should do (cont.)
Identify C&E risks for which additional controls are warranted, such as pre-approvals by management or staff for specified (high-risk) activities
Establish additional C&E oversight/reporting responsibilities for high-risk areas
Add C&E components to job descriptions, performance-evaluation criteria or business unit plans in a risk-based way
Determine whether incentives in any part of the Company pose an undue risk from a C&E perspective
Assess where/how the C&E program should apply to contractors, vendors, other third parties
Slide6
What a risk assessment should do (cont.)
Design/revise program efficacy metrics
Identify true ethics, as well as compliance, issues that the Program should address
Identify cultural C&E risks, such as lack of employee identification with the company or its mission, short-term thinking or other “moral hazard” related risks
Provide a stronger foundation for the Program oversight by the Board
Provide a basis for future (or “evergreen”) risk assessments
Slide7
What a risk assessment should do: some generalities
Educate key people in your company
Set boundaries of your program
Maintain program momentum
Slide8
Risk assessment as education
Interviews of business leaders/key staff can be educational because:
The questions/instructions themselves offer embedded learning about how C&E risk works
Providing answers gets interviewees to think about how the program is relevant to them
Helps make interviewees risk sentinels
Surveys – generally less useful for determining what risks are than for educating senior personnel as to the need for the program
But the latter can be crucial in some instances
Slide9
Risk assessment as education (cont.)
The risk assessment report
A full report is itself helpful from an educational perspective
E.g., report should provide a framework for assessing risks, not just findings
This augurs in favor of reasonably wide “readership”
But need to consider approach vis-a-vis attorney-client privilege
Recent case on investigations underscores need not to take privilege for granted in C&E work
Slide10
Setting C&E program boundaries
Important because
Initial “rough cut” in establishing program may not have been optimum
Risks change – so should program boundaries
Progression of a healthy C&E function is to expand both
Outwardly – greater scope of risks
Example: human rights and C&E
Inwardly (i.e., deeper) – penetration by business, staff or geographic unit (or even project)
Slide11
Issue of program momentum
Many programs were the result of the C&E “Big Bang” (Enron/WorldCom, S-Ox, revised Sentencing Guidelines)
Many are susceptible to the “mission accomplished” fallacy
A good risk assessment helps fend that off by
Providing education – as to the why, what, how, when and where of C&E
Outward/inward expansion
Being otherwise dynamic
Slide12
“Inward” expansion: the importance of granularity
C&E risks are often more local than global
Need is for “nano compliance”
How to address this: use a 3-D approach
What are the dimensions?
Geography and/or product/service
Type of risk (e.g., bid rigging)
Mitigation tool: if in place, how useful? If not, how needed?
A great use for technology (for complex organizations)
Slide13
Examples of 3-D approach
For your operations in Vietnam:
What are corruption risks?
What is present mitigation using training/communications?
Is it effective? Is more/different needed?
For a given product line
What are risks of competition law violation?
What is present mitigation using auditing?
Is it effective? Is more/different needed?
Slide14
3-D examples (cont.)
For human resources department
What are risks of a privacy violation?
What are our controls?
Are they effective?
Do we need something more/different?
Do they need to vary by geography?
Slide15
3-D approach: geographic dimension
Can be whatever size geography makes sense for the organization in question
Region
Nation
Location
Product and/or service line and/or staff unit, as an alternative to this dimension, or combined with geographic (for 4-D approach)
Slide16
3-D approach: risk areas
These are types of violations
Start with those in your code
But need to consider right level of specificity
E.g., not just competition law but horizontal restraints, vertical restraints, etc.
Add others you know about from whatever source
Interviews
External sources (e.g., industry groups)
There is a list in my e-book:
http://www.corporatecomplianceinsights.com/wp-content/uploads/2013/12/CCI-Compliance-and-Ethics-Risk-Assessment-Final-Dec-30-PDF.pdf
Slide17
More on 3-D approach: C&E tools
Not all of them – only those that are risk sensitive
Generally 5 types
Standards (policies typically)
Training/communication
Auditing/monitoring/other forms of checking
Internal controls (e.g., required pre-approvals)
Accountabilities (which includes incentives)
Others (e.g., investigations, hotlines) are not risk area specific (for the most part)
Slide18
3-D risk assessment in practice
No one would ever explore risks/mitigation at every intersection
Idea is to
Look at a category of risk; and
Ask if there are any high-risk variants; and
For those, see what the mitigation is/should be
I.e., it is largely handled on an exception basis
Slide19
Methodology for risk identification
Applies both generally and to individual risk areas
Very relevant to the “why” of risk assessment
Historical information, meaning:
Prior C&E violations or near misses at your company
Prior C&E violations or near misses at other companies in your company’s areas of business, to the extent that such are known
Slide20
Substance of methodology (cont.)
Other factors, including:
Organizational culture (not necessarily uniform)
Organizational justice
Openness
Workforce alignment with company
Honesty
Treatment of C&E and other control staff
Internal/external
Exhaustion
Short-term thinking
Other cultural factors
Industry (external pressure, customs)
Regional
Slide21
Substance of methodology (cont.)
The extent to which legal or ethical standards might not be sufficiently understood or appreciated at the company
The extent of “temptation”
Vis a vis the risk area
Or just generally (overall incentive approaches)
Control issues, including those arising from organizational structure
Slide22
Substance of methodology: offense related
Need to look closely at risk causing factors specific to types of offenses
E.g., for insider trading:
How often does company have material non-public info vis a vis its own securities, e.g., does it have a lot of significant “events”?
How often does it have such info re: third parties?
How many employees/agents have access to such information?
Slide23
Substance – offense related (cont.)
Competition law
Issues are often product/service specific
Concentration in the market
Pressure in the market
History can be particularly relevant here
Industry cultures can be strong where there is a lot of inter-company mobility
Sometimes lack of understanding is, too
So are controls (pricing, bidding discretion)
Slide24
Corruption risk
UKBA: Identifies types of risks to be assessed:
Country
Sector
Transaction
Business Opportunity
Business Partnership
Also, need to assess risk in light of general factors (similar to ones discussed earlier, e.g., training deficiencies)
Slide25
Substance of methodology: enforcement related
Increasingly important as enforcement trends continue upward
Consider the “demand side” – governments’ need for revenue, and where enforcement can produce substantial revenue
E.g., competition law, tax
Relevant to both likelihood and impact of risk
Consider “pre-enforcement” declarations of intent by government
E.g., financial reporting warnings by SEC two years before Enron
Slide26
Questions