Jeffrey M. Kaplan Kaplan & Walker LLP PLI C&E Institute May 30, 2013

 Legal expectations ◦ General: USSG ◦ Risk-area specific. E.g., FCPA guidance and other anti- corruption standards ◦ Overlap between the two  Practical benefits ◦ Identify good practices, so the company doesn’t cut back ◦ Identify room for improvement ◦ Serve as commitment device – to maintain (or regain) momentum ◦ Serve as a “road map” for getting program credit in an investigation 2Kaplan & Walker LLP

Interviews  Various possibilities:  C&E personnel  other staff  operations  sometimes third parties  Interviews can serve an educational purpose, too  Should conduct on a non-attribution basis Document reviews  Program design  Program operation 3Kaplan & Walker LLP

Surveys (cont.)  Use already existing data (regular employee engagement survey results), or  Conduct one specifically for the assessment  Survey data can be very helpful for identifying parts of company – geographic, business line, risk areas - where program faces special challenges Focus groups Privilege issue  Increases candor  Decreases ability to share results Kaplan & Walker LLP4

 Different types ◦ General process – e.g., against program charters or other general process documents ◦ Risk-area procedures – e.g., use of due diligence mechanisms ◦ Risk-area substantive – e.g., improper payments  Can be stand-alone or part of general audits  Typically done by internal audit staff ◦ But need to ensure that they have sufficient background/direction for audits to be effective  Line between audits and assessments is not always clear-cut Kaplan & Walker LLP5

 Internal versus external. Issues are: ◦ Cost and greater knowledge of the company, versus ◦ Independence and breadth of knowledge  External assessment recommendations may be harder to ignore than with internal effort  Blended approach may be best ◦ Internal should be more frequent than external ◦ Internal assessments can be built into ongoing activities  E.g., surveys at the end of training sessions 6Kaplan & Walker LLP

 In principle, risk assessment tells you how to design and implement a C&E program and program assessment tells you if your approach is working  In practice, the two overlap substantially  One should be alert to risk insight from program assessments and vice versa ◦ E.g., gap between “gross” and “net” risk tells you something about efficacy of program for a given area Kaplan & Walker LLP7

 Generally all the elements and sub-elements of an effective C&E program  Plus program “attributes” – aspects of programs that cut across program elements: o Strength/clout o Independence o Reach o Ethics, as well as compliance o Management knowledge of, and involvement in, the program o Culture o Resources 8Kaplan & Walker LLP

 On risk assessment, focus on not only whether the company seems to know its risks, but also…  The risk assessment process  Helpful in meeting legal expectations?  Does it produce valuable information?  Is it sufficiently documented?  The extent to which the results of the risk assessment are actually used in designing, improving and deploying various program elements  Are you getting full use of the assessment?  Many companies don’t 9Kaplan & Walker LLP

 Code of conduct – is it ◦ On point? ◦ Understandable? ◦ Being read? ◦ Periodically revised? ◦ Sufficiently translated?  Individual policies – to what extent ◦ Do they seem to address pertinent risks? Get reviewed/revised as much as needed? ◦ Are they “connected” to other program elements, e.g., training and auditing? ◦ A note on policy management 10Kaplan & Walker LLP

 Consider adequacy of program governance documentation, not only of C&E office but also other functions with C&E roles, such as members of C&E management committees, SMEs and regional personnel  Are the individuals in C&E functions actually doing what the governance documents say they will?  Is there an appropriate level of independence and authority to implement the Program?  Is the Audit Committee getting the right information, and at the right frequency, about the Program? ◦ Look at both general program elements and also risk- area specific information (for high-risk areas) 11Kaplan & Walker LLP

 Diligence in hiring tends to be fairly straightforward. (Typically it is risk based) ◦ But not all companies have ethics questions for hiring interviews  What due diligence steps a company should take regarding promotions is not that straightforward ◦ Often an opportunity to develop recommendations here, based on a company’s risks and culture ◦ Having C&E input for promotions can send a powerful message about the importance of the program  Third parties – a related dimension (which should be dealt with not only by program assessment but also risk assessment) ◦ Goes beyond FCPA 12Kaplan & Walker LLP

 Tends to be among the most extensive parts of a program assessment  In addition to whether the right people are getting trained on the right topics at the right intervals, should look at efficacy/impact  This can lead, for some companies, to recommendations for more role-based training (and sometimes even less overall training) ◦ A note on training fatigue  Also consider training and communications plans and documentation of training and communications efforts ◦ Lessons of Morgan Stanley and the Black (ACL) cases 13Kaplan & Walker LLP

 Examine the “three lines of defense” ◦ Real-time monitoring by businesses ◦ Monitoring by functions (e.g., C&E, Finance, HR) ◦ True auditing  With each of the above: ◦ Is there enough, based on risk assessment? ◦ Are the results being put to full use?  For C&E auditing ask: ◦ What percentage of overall auditing effort is C&E- related? ◦ Same question with findings  Note that monitoring is an area where many companies have room to improve 14Kaplan & Walker LLP

 Consider ◦ Whether sufficient reporting procedures and avenues are in place ◦ How well those are communicated to employees and others ◦ What is employee comfort level in reporting (good area for surveys)  Can benchmark metrics ◦ E.g., number of calls to helpline and percentage of anonymous calls ◦ Local results can be key here  Look closely at means to protect whistleblowers ◦ E.g., are managers trained in relevant do’s/don’ts? 15Kaplan & Walker LLP

 Are protocols and procedures in place?  How these are implemented in practice? ◦ Typically includes a review/audit of some case files to get a first-hand look at how investigations are conducted ◦ Timeliness and state of documentation. ◦ What is state of investigator training and other forms of guidance  Discipline: ◦ Is it meted out for supervisory failures that contributed to misconduct in appropriate cases? ◦ What are employee perceptions of the level of consistency of discipline?  A note on “organizational justice” 16Kaplan & Walker LLP

 Does the organization have formal procedures for considering enhancements to the Program following violations, including across business units, staff functions and geographies? ◦ Are investigators trained to look for this? ◦ Procedures also necessary for smaller program enhancements, such as those recommended in an audit or following an investigation  Are there procedures and practices related to periodic program assessment, including self-assessment? ◦ This can be on a risk-area – as well as overall - basis  In practice, how well does the organization consider enhancements following violations? ◦ Independence issues and the 2010 USSG amendments 17Kaplan & Walker LLP

 Does the company use economic incentives? ◦ Not necessary for all companies in my view, but can help in some  Does it use softer forms of incentives? ◦ Are managers trained on how to recognize and acknowledge ethically exemplary behavior?  Does it deploy not just general incentives but also, as appropriate, risk-area specific incentives? ◦ Can be important in rolling out major initiatives, such as third-party due diligence systems 18Kaplan & Walker LLP

 By risk area, e.g., ◦ Anti-corruption  Consider using the DOJ/SEC FCPA guidance document ◦ Competition law ◦ Note that this may make particular sense for emerging areas of risk  By program function, e.g., ◦ Investigations ◦ Board oversight  Note that dives don’t have to be very deep to be useful ◦ Several medium dives can be more helpful than one deep one, at least for some companies 19Kaplan & Walker LLP

 Who gets a copy? ◦ Privilege issues  Using the results ◦ Develop an action plan ◦ Different levels of priority ◦ Board reporting ◦ Senior management reporting 20Kaplan & Walker LLP