
Compliance and Ethics Risk Assessments - PowerPoint Presentation

Uploaded On 2019-02-28



Presentation Transcript

Slide1

Compliance and Ethics Risk Assessments

Jeff Kaplan/Kaplan & Walker LLP

jkaplan@kaplanwalker.com

PLI C&E Institute

June 1, 2015

Slide2

Today’s presentation

What your risk assessment should do for your program

Recovering the lost dimension of risk assessment

Optimize program elements

Gain broader benefits

How to get there

But not describing a technology/methodology, so much as an approach – that should inform the use of technology/methodologies

Relationship between risk and program assessment

Slide3

Governmental expectations

Historical experience: companies were preparing to fight the last war

Sentencing Guidelines added risk assessment as a foundational element in 2004

What is sometimes forgotten: the need to use results to implement the other C&E tools

For this reason, “why” information is important

Why important too for efficiency, as well as efficacy

Achieving “Goldilocks C&E”

Other official C&E program expectations include risk assessment

It is also a foundational element in 2010 OECD anti-bribery guidance (the “global sentencing guidelines”)

Important under 2011 UK Bribery law guidance and 2012 DoJ FCPA guidance

Slide4

What a risk assessment should do: some specifics

Determine whether additional C&E policies are needed for any given part of the company (e.g., business or geographical unit) on any given topic, or the extent to which such policies need to be revised

Develop company-specific examples or Q&A that can help make a code of conduct less abstract

Determine whether any additional C&E communications (training or other) should be targeted at any particular part of the company on any given topic

Develop/enhance C&E audit protocols, monitoring tools and other approaches to “checking” on both an enterprise-wide and local “level”

Side note: monitoring is an area of widespread C&E underperformance

Slide5

What a risk assessment should do (cont.)

Identify C&E risks for which additional controls are warranted, such as pre-approvals by management or staff for specified (high-risk) activities

Establish additional C&E oversight/reporting responsibilities for high-risk areas

Add C&E components to job descriptions, performance-evaluation criteria or business unit plans in a risk-based way

Determine whether incentives in any part of the Company pose an undue risk from a C&E perspective

Assess where/how the C&E program should apply to contractors, vendors, other third parties

Slide6

What a risk assessment should do (cont.)

Design/revise program efficacy metrics

Identify true ethics, as well as compliance, issues that the Program should address

Identify cultural C&E risks, such as lack of employee identification with the company or its mission, short-term thinking or other “moral hazard” related risks

Provide a stronger foundation for the Program oversight by the Board

Provide a basis for future (or “evergreen”) risk assessments

Slide7

What a risk assessment should do: some generalities

Educate key people in your company

Set boundaries of your program

Maintain program momentum

Slide8

Risk assessment as education

Interviews of business leaders/key staff can be educational because:

The questions/instructions themselves offer embedded learning about how C&E risk works

Providing answers gets interviewees to think about how the program is relevant to them

Helps make interviewees risk sentinels

Surveys – generally less useful for determining what risks are than for educating senior personnel as to the need for the program

But the latter can be crucial in some instances

Slide9

Risk assessment as education (cont.)

The risk assessment report

A full report is itself helpful from educational perspective

E.g., report should provide framework for assessing risks, not just findings

This augurs in favor of reasonably wide “readership”

But need to consider approach vis a vis attorney-client privilege

Recent case on investigations underscores need not to take privilege for granted in C&E work

Slide10

Setting C&E program boundaries

Important because

Initial “rough cut” in establishing program may not have been optimum

Risks change – so should program boundaries

Progression of a healthy C&E function is to expand both

Outwardly – greater scope of risks

Example: human rights and C&E

Inwardly (i.e., deeper) – penetration by business, staff or geographic unit (or even project)

Slide11

Issue of program momentum

Many programs were result of the C&E “Big Bang” (Enron/Worldcom, S-Ox, revised Sentencing Guidelines)

Many are susceptible to the “mission accomplished” fallacy

A good risk assessment helps fend that off by

Providing education – as to the why, what, how, when and where of C&E

Outward/inward expansion

Being otherwise dynamic

Slide12

“Inward” expansion: the importance of granularity

C&E risks are often more local than global

Need is for “nano compliance”

How to address this: use a 3-D approach

What are the dimensions?

Geography and/or product/service

Type of risk (e.g., bid rigging)

Mitigation tool:

if in place, how useful?

if not, how needed?

A great use for technology (for complex organizations)

Slide13

Examples of 3-D approach

For your operations in Vietnam:

What are corruption risks?

What is present mitigation using training/communications?

Is it effective? Is more/different needed?

For a given product line

What are risks of competition law violation?

What is present mitigation using auditing?

Is it effective? Is more/different needed?

Slide14

3-D examples (cont.)

For human resources department

What are risks of a privacy violation?

What are our controls?

Are they effective?

Do we need something more/different?

Do they need to vary by geography?

Slide15

3-D approach: geographic dimension

Can be whatever size geography makes sense for the organization in question

Region

Nation

Location

Product and/or service line and/or staff unit

As an alternative to this dimension, or

Combined with geographic (for 4-D approach)

Slide16

3-D approach: risk areas

These are types of violations

Start with those in your code

But need to consider right level of specificity

E.g., not just competition law but horizontal restraints, vertical restraints, etc.

Add others you know about from whatever source

Interviews

External sources (e.g., industry groups)

There is a list in my e-book:

http://www.corporatecomplianceinsights.com/wp-content/uploads/2013/12/CCI-Compliance-and-Ethics-Risk-Assessment-Final-Dec-30-PDF.pdf

Slide17

More on 3-D approach: C&E tools

Not all of them – only those that are risk sensitive

Generally 5 types

Standards (policies typically)

Training/communication

Auditing/monitoring/other forms of checking

Internal controls (e.g., required pre-approvals)

Accountabilities (which includes incentives)

Others (e.g., investigations, hotlines) are not risk area specific (for the most part)

Slide18

3-D risk assessment in practice

No one would ever explore risks/mitigation at every intersection

Idea is to

Look at a category of risk; and

Ask if there are any high-risk variants; and

For those, see what the mitigation is/should be

I.e., it is largely handled on an exception basis

Slide19

Methodology for risk identification

Applies both generally and to individual risk areas

Very relevant to the “why” of risk assessment

Historical information meaning:

Prior C&E violations or near misses at your company

Prior C&E violations or near misses at other companies in your company’s areas of business, to the extent that such are known

Slide20

Substance of methodology (cont.)

Other factors, including:

Organizational culture (not necessarily uniform)

Organizational justice

Openness

Workforce alignment with company

Honesty

Treatment of C&E and other control staff

Internal/external

Exhaustion

Short-term thinking

Other cultural factors

Industry (external pressure, customs)

Regional

Slide21

Substance of methodology (cont.)

The extent to which legal or ethical standards might not be sufficiently understood or appreciated at the company

The extent of “temptation”

Vis a vis the risk area

Or just generally (overall incentive approaches)

Control issues, including those arising from organizational structure

Slide22

Substance of methodology: offense related

Need to look closely at risk causing factors specific to types of offenses

E.g., for insider trading:

How often does company have material non-public info vis a vis its own securities, e.g., does it have a lot of significant “events”?

How often does it have such info re: third parties?

How many employees/agents have access to such information?

Slide23

Substance – offense related (cont.)

Competition law

Issues are often product/service specific

Concentration in the market

Pressure in the market

History can be particularly relevant here

Industry cultures can be strong where there is a lot of inter-company mobility

Sometimes lack of understanding is, too

So are controls (pricing, bidding discretion)

Slide24

Corruption risk

UKBA: Identifies types of risks to be assessed:

Country

Sector

Transaction

Business Opportunity

Business Partnership

Also, need to assess risk in light of general factors (similar to ones discussed earlier, e.g., training deficiencies)

Slide25

Substance of methodology: enforcement related

Increasingly important as enforcement trends continue upward

Consider the “demand side” – governments’ need for revenue, and where enforcement can produce substantial revenue

E.g., competition law, tax

Relevant to both likelihood and impact of risk

Consider “pre-enforcement” declarations of intent by government

E.g., financial reporting warnings by SEC two years before Enron

Slide26

Questions
