Ed. Note-I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”. Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she suggested outlined in that article. This is the third and final posting in this follow up series.
[Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates.]
As stated in the previous article, we believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis. In the first article, we discussed identifying Risk Centers and Risk Owners as one way of identifying all of the various legal/regulatory compliance risks that could impact your company. As discussed in the second article, once the risks are identified, under the ERM Framework, the next step in the process would be to rate the “Significance” and the “Likelihood” of compliance failure in order to establish a Priority Rating. We believe that the third step in the process it to determine how the various identified risks are managed and/or mitigated using risk specific internal controls.
What do we mean by this? One definition of “Internal Control” is the following:
Internal control- Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources; (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial management information, and (6) ensure adherence to its policies and plans.
We think most people when they hear the word “internal control” automatically assumes that it is referring to accounting or financial controls. While that may be true, we believe that internal controls, as systematic measures (such as reviews, checks and balances, methods and procedures) can be used in the compliance risk assessment process. A few types of internal controls that may be used to mitigate identified compliance risks are the following: (1) Control Environment, (2) Policies, and, (3) Procedures. Some of the controls may need to be on an entity-level, while others may be process specific.
Why does all of this matter? The process your company puts into place to identify, prioritize and mitigate and/or manage compliance risks matters in many respects. First and foremost, it is a systematic driven way of trying to prevent criminal behavior. Second, the process helps you to put in Compliance and Ethics program which should be considered “effective” under the US. Sentencing Guidelines.
§8B2.1. Effective Compliance and Ethics Program
(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—
(1) exercise due diligence to prevent and detect criminal conduct; and
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.
(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:
(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.
(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high level personnel shall be assigned overall responsibility for the compliance and ethics program.
(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.
(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.
(B) The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
(5) The organization shall take reasonable steps—
(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.
(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.
What should be clear is that the U.S. Sentencing Guidelines do not tell you HOW to identify, assess, prioritize, mitigate or manage risks. It just tells provides guidance on what are the elements of an Effective Compliance and Ethics Program, including, (as a summary only), that (a) you have to establish standards and procedures to prevent and detect criminal conduct; (b) you have to have specific individuals (arguably at all levels of the organization) who are knowledgeable and responsible for the program; (c) you communicate the policies and procedures; (d) you have to monitor for compliance; (e) take reasonable actions to respond to criminal conduct and prevent or detect future conduct and (f) periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify the controls to reduce the risk of criminal conduct.
We believe that the Enterprise-Wide Risk Management format is an excellent tool to assist your company in creating and maintaining an Effective Compliance Program. Hopefully, by utilizing some of the suggestions in this series of articles, the task of performing a regulatory compliance risk assessment in all of the countries that your company currently operates will not be as quite as daunting as you originally feared.
Summary: (1) Identify the Risk Centers; (2) Identify the Risk Owners within each Risk Center; (3) Work with the Risk Centers/Owners to identify the Legal/Regulatory requirements applicable to each of their Risk Centers; (4) Prioritize the risks using a “Significance” and “Likelihood” rating guide; and (5) identify and/or implement internal controls to minimize the identified risks.
Mary Shaddock Jones, Attorney at Law. firstname.lastname@example.org; 337-515-8527 (c); 337-513-0335 (0)