Compliance and Ethics Risk Assessments


1 Compliance and Ethics Risk Assessments
Jeff Kaplan/Kaplan & Walker LLP PLI C&E Institute June 1, 2015

2 Today’s presentation
- What your risk assessment should do for your program
- Recovering the lost dimension of risk assessment
  - Optimize program elements
  - Gain broader benefits
  - How to get there
- But not describing a technology/methodology, so much as an approach – that should inform the use of technology/methodologies
- Relationship between risk and program assessment

3 Governmental expectations
- Historical experience: companies were preparing to fight the last war
- Sentencing Guidelines added risk assessment as a foundational element in 2004
  - What is sometimes forgotten: the need to use results to implement the other C&E tools
  - For this reason, “why” information is important
  - Why important too for efficiency, as well as efficacy
  - Achieving “Goldilocks C&E”
- Other official C&E program expectations include risk assessment
  - It is also a foundational element in 2010 OECD anti-bribery guidance (the “global sentencing guidelines”)
  - Important under 2011 UK Bribery law guidance and 2012 DoJ FCPA guidance

4 What a risk assessment should do: some specifics
- Determine whether additional C&E policies are needed for any given part of the company (e.g., business or geographical unit) on any given topic, or the extent to which such policies need to be revised
- Develop company-specific examples or Q&A that can help make a code of conduct less abstract
- Determine whether any additional C&E communications (training or other) should be targeted at any particular part of the company on any given topic
- Develop/enhance C&E audit protocols, monitoring tools and other approaches to “checking” on both an enterprise-wide and local “level”
  - Side note: monitoring is an area of widespread C&E underperformance

5 What a risk assessment should do (cont.)
- Identify C&E risks for which additional controls are warranted, such as pre-approvals by management or staff for specified (high-risk) activities
- Establish additional C&E oversight/reporting responsibilities for high-risk areas
- Add C&E components to job descriptions, performance-evaluation criteria or business unit plans in a risk-based way
- Determine whether incentives in any part of the Company pose an undue risk from a C&E perspective
- Assess where/how the C&E program should apply to contractors, vendors, other third parties

6 What a risk assessment should do (cont.)
- Design/revise program efficacy metrics
- Identify true ethics, as well as compliance, issues that the Program should address
- Identify cultural C&E risks, such as lack of employee identification with the company or its mission, short-term thinking or other “moral hazard” related risks
- Provide a stronger foundation for the Program oversight by the Board
- Provide a basis for future (or “evergreen”) risk assessments

7 What a risk assessment should do: some generalities
- Educate key people in your company
- Set boundaries of your program
- Maintain program momentum

8 Risk assessment as education
- Interviews of business leaders/key staff can be educational because:
  - The questions/instructions themselves offer embedded learning about how C&E risk works
  - Providing answers gets interviewees to think about how the program is relevant to them
  - Helps make interviewees risk sentinels
- Surveys – generally less useful for determining what risks are than for educating senior personnel as to the need for the program
  - But the latter can be crucial in some instances

9 Risk assessment as education (cont.)
- The risk assessment report
  - A full report is itself helpful from an educational perspective
  - E.g., report should provide a framework for assessing risks, not just findings
  - This augurs in favor of reasonably wide “readership”
  - But need to consider approach vis-à-vis attorney-client privilege
  - Recent case on investigations underscores need not to take privilege for granted in C&E work

10 Setting C&E program boundaries
- Important because
  - Initial “rough cut” in establishing program may not have been optimum
  - Risks change – so should program boundaries
- Progression of a healthy C&E function is to expand both
  - Outwardly – greater scope of risks
    - Example: human rights and C&E
  - Inwardly (i.e., deeper) – penetration by business, staff or geographic unit (or even project)

11 Issue of program momentum
- Many programs were result of the C&E “Big Bang” (Enron/Worldcom, S-Ox, revised Sentencing Guidelines)
- Many are susceptible to the “mission accomplished” fallacy
- A good risk assessment helps fend that off by
  - Providing education – as to the why, what, how, when and where of C&E
  - Outward/inward expansion
  - Being otherwise dynamic

12 “Inward” expansion: the importance of granularity
- C&E risks are often more local than global
  - Need is for “nano compliance”
- How to address this: use a 3-D approach
- What are the dimensions?
  - Geography and/or product/service
  - Type of risk (e.g., bid rigging)
  - Mitigation tool: if in place, how useful? if not, how needed?
- A great use for technology (for complex organizations)

13 Examples of 3-D approach
- For your operations in Vietnam:
  - What are corruption risks?
  - What is present mitigation using training/communications?
  - Is it effective? Is more/different needed?
- For a given product line
  - What are risks of competition law violation?
  - What is present mitigation using auditing?

14 3-D examples (cont.)
- For human resources department
  - What are risks of a privacy violation?
  - What are our controls?
  - Are they effective?
  - Do we need something more/different?
  - Do they need to vary by geography?

15 3-D approach: geographic dimension
- Can be whatever size geography makes sense for the organization in question
  - Region
  - Nation
  - Location
- Product and/or service line and/or staff unit
  - As an alternative to this dimension, or
  - Combined with geographic (for 4-D approach)

16 3-D approach: risk areas
- These are types of violations
- Start with those in your code
  - But need to consider right level of specificity
  - E.g., not just competition law but horizontal restraints, vertical restraints, etc.
- Add others you know about from whatever source
  - Interviews
  - External sources (e.g., industry groups)
- There is a list in my e-book: content/uploads/2013/12/CCI-Compliance-and-Ethics-Risk-Assessment-Final-Dec-30-PDF.pdf

17 More on 3-D approach: C&E tools
- Not all of them – only those that are risk sensitive
- Generally 5 types
  - Standards (policies typically)
  - Training/communication
  - Auditing/monitoring/other forms of checking
  - Internal controls (e.g., required pre-approvals)
  - Accountabilities (which includes incentives)
- Others (e.g., investigations, hotlines) are not risk area specific (for the most part)

18 3-D risk assessment in practice
- No one would ever explore risks/mitigation at every intersection
- Idea is to
  - Look at a category of risk; and
  - Ask if there are any high-risk variants; and
  - For those, see what the mitigation is/should be
- I.e., it is largely handled on an exception basis

19 Methodology for risk identification
- Applies both generally and to individual risk areas
- Very relevant to the “why” of risk assessment
- Historical information meaning:
  - Prior C&E violations or near misses at your company
  - Prior C&E violations or near misses at other companies in the company’s areas of business, to the extent that such are known

20 Substance of methodology (cont.)
- Other factors, including:
  - Organizational culture (not necessarily uniform)
    - Organizational justice
    - Openness
    - Workforce alignment with company
    - Honesty
    - Treatment of C&E and other control staff
      - Internal/external
    - Exhaustion
    - Short-term thinking
    - Other cultural factors
  - Industry (external pressure, customs)
  - Regional

21 Substance of methodology (cont.)
- The extent to which legal or ethical standards might not be sufficiently understood or appreciated at the company
- The extent of “temptation”
  - Vis-à-vis the risk area
  - Or just generally (overall incentive approaches)
- Control issues, including those arising from organizational structure

22 Substance of methodology: offense related
- Need to look closely at risk causing factors specific to types of offenses
- E.g., for insider trading:
  - How often does company have material non-public info vis-à-vis its own securities, e.g., does it have a lot of significant “events”?
  - How often does it have such info re: third parties?
  - How many employees/agents have access to such information?

23 Substance – offense related (cont.)
- Competition law
  - Issues are often product/service specific
    - Concentration in the market
    - Pressure in the market
  - History can be particularly relevant here
  - Industry cultures can be strong where there is a lot of inter-company mobility
  - Sometimes lack of understanding is, too
  - So are controls (pricing, bidding discretion)

24 Corruption risk
- UKBA: Identifies types of risks to be assessed:
  - Country
  - Sector
  - Transaction
  - Business Opportunity
  - Business Partnership
- Also, need to assess risk in light of general factors (similar to ones discussed earlier, e.g., training deficiencies)

25 Substance of methodology: enforcement related
- Increasingly important as enforcement trends continue upward
- Consider the “demand side” – governments’ need for revenue, and where enforcement can produce substantial revenue
  - E.g., competition law, tax
  - Relevant to both likelihood and impact of risk
- Consider “pre-enforcement” declarations of intent by government
  - E.g., financial reporting warnings by SEC two years before Enron

26 Questions
