FCPA Compliance and Ethics Blog

June 24, 2011

Regulatory Compliance Risk Assessment: Identifying Key Legal/Regulatory Risks

Ed. Note: I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”. Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she outlined in that article. This is the first posting in this follow-up series.

Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries in which your company currently operates.

We believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country-by-country basis. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) ERM Framework defines ERM as follows:


Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The key is that ERM is a process. It is not a “one-time” exercise. The same holds true for the Legal/Regulatory/Compliance risks facing your company. Laws and regulations change on a regular basis. Keeping up with the myriad of changes can be a difficult task for compliance and legal departments, especially at smaller firms or companies. This is why we suggest that you “divide” the company into various “Risk Centers” and identify the “Risk Owners” within each Risk Center. Responsibility for monitoring, and for notifying the Legal/Compliance departments of any change in the legal/regulatory requirements, should remain with the “Risk Owner”.

So who are some of the key “Risk Owners” in any organization? Clearly the Human Resources department is one key “Risk Center”. There are a myriad of U.S. Federal and State employment laws including, but not limited to: (a) Title VII of the Civil Rights Act of 1964; (b) Age Discrimination in Employment Act; (c) Americans with Disabilities Act; (d) Equal Pay Act; (e) Immigration Reform and Control Act of 1986. In addition, if you are a company operating internationally, you must have a “risk owner” who has responsibility for the local Human Resources laws. For instance, did you know that the Mexican Constitution (at least at one point in time) contained a “Declaration of Social Rights” that deals with minimum working conditions, salaries, equality of treatment, job security, the right to strike, and mandatory profit sharing? The Brazilian Labor Code has adopted many of the same principles and has created a system of Labor Courts that are quite favorable to all Brazilian workers, both blue and white collar. But there are small differences in the employment laws between Mexico and Brazil that require someone with specialized knowledge within your company to “own” the risk.

Another “Risk Center” could be the Logistics or Supply Chain Management Department. If this Department is responsible for interfacing with Freight Forwarder companies (i.e., a company hired to move shipments between foreign and domestic locations, or a portion of the way; freight forwarders handle many of the formalities involved in exporting and importing such shipments), then it should “own” the legal/regulatory compliance risks associated with exporting and importing. Again, there are a myriad of U.S. Federal and State laws and regulations touching upon Import and Export activities including, to name a few: (a) the Export Administration Act; (b) the Export Administration Regulations (EAR); (c) the International Traffic in Arms (ITAR); (d) the Trading with the Enemy Act; (e) the Antiboycott Regulations; (f) the Foreign Corrupt Practices Act. In addition to the U.S. laws, there are significant local laws in foreign countries that regulate the importation and exportation of goods into those countries. Did you know that there are different laws for the importation of vessels into Brazil depending upon whether or not the vessel is being used in the oil and gas industry? Or that there are laws regarding the importation of automobiles into China? The point is that there are so many laws and regulations in every aspect of doing business that the most practical way of ensuring compliance is by having identifiable “Risk Centers” which designate a “Risk Owner” who has the compliance responsibility. The compliance department can then act as the repository of the information, but the Risk Owner (i.e., that person closest to the risk).

What about Financial Record Keeping and Reporting? Tom Fox has written numerous blog posts regarding the Books and Records requirements contained within the Foreign Corrupt Practices Act. The FCPA requires “issuers” (any company, including foreign companies, with securities traded on a U.S. exchange or otherwise required to file periodic reports with the Securities and Exchange Commission (“SEC”)) to keep books and records that accurately reflect business transactions and to maintain effective internal controls. Another U.S. law which has significant internal control requirements is the Sarbanes-Oxley Act of 2002. Clearly, the Accounting/Financial Department(s) are another “Risk Center”.

What are the laws/regulations under each area? What is the appropriate “Risk Center” for each law/regulation for your company? Who is the designated “Risk Owner”? Mapping out the answers to these questions will clearly be a step in the right direction in performing your Legal/Regulatory Risk Assessment. Here are a few legal risk areas for your consideration: (a) Antitrust; (b) Bribery, Gifts and Entertainment; Conflicts of Interest; (c) Consumer Protection; (d) Customs, Import and Export Controls; (e) Environmental, Health and Safety; (f) Labor and Employment Law; (g) Financial Record Keeping and Reporting; (h) Government Contracting; (i) Intellectual Property; (j) HIPAA/Security and Privacy; (k) Records Management; (l) Securities and Insider Trading; and (m) Anti-Money Laundering. This doesn’t even touch applicable international laws! But it should help you get started with your Risk Assessment. Good Luck!

Mary Shaddock Jones, Attorney at Law, can be reached via email at msjones@msjllc.com or via phone at 337-515-8527 (c); 337-513-0335 (o).

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 
