FCPA Compliance and Ethics Blog

June 28, 2011

Regulatory Compliance Risk Assessment: Ranking Risks

Ed. Note: I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”. Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she outlined in that article. Unfortunately I posted the third article out of sequence. This is the second posting in this follow-up series.

[Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates.] 

As stated in the previous article, we believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country-by-country basis. In the previous article, we discussed identifying Risk Centers and Risk Owners as one way of identifying all of the various legal/regulatory compliance risks that could impact your company. Once the risks are identified, under the ERM Framework, the next step in the process would be to rate the “Significance” and the “Likelihood” of compliance failure in order to establish a Priority Rating: Significance × Likelihood = Priority Rating.

What do we mean by this? Develop a “Significance” Rating Guide with numbers 1-5, with 1 being “Extreme” and 5 being “Negligible”. Then develop a “Likelihood” Rating Guide with numbers 1-5, with 1 being “Almost Certain” and 5 being “Rare”. The next step is to develop a “Priority” Rating Guide from 1-25, with 1 & 2 being “Severe” and 20-25 being “Trivial”. At the recent Compliance Week 2011 meeting in Washington DC, I saw an excellent presentation by Michele K. Abraham, Corporate Attorney-Ethics & Compliance with The Timken Company. This is how The Timken Company rated “Significance”, “Likelihood” and “Priority Rating”:

“Significance” Rating Guide:

Rating | Assessment | Evaluation Criteria: What is the Impact on the Business?
1 | Extreme | Consequences would threaten survival of the business or would result in outside monitoring and enforcement.
2 | Very High | Consequences would have a material impact on the operations of the Company or could result in outside monitoring and enforcement.
3 | Medium | Consequences would result in significant review or changed ways of operating by outside enforcement agency.
4 | Low | Consequences would contribute to the failure to accomplish business objectives.
5 | Negligible | Consequences would not affect any constituent in any material manner.

“Likelihood” Rating Guide:

Rating | Assessment | Evaluation Criteria: How likely is this event to occur at your company?
1 | Almost Certain | Highly likely; this event is expected to occur.
2 | Likely | Strong possibility that an event will occur, and there is sufficient historical incidence to support it.
3 | Possible | Event may occur at some point; typically there is no history to support it.
4 | Unlikely | Not expected, but there is a slight possibility that it may occur.
5 | Rare | Highly unlikely, but may occur in unique circumstances.

“Priority” Rating Guide:

Rating | Assessment | Evaluation Criteria: What Action is Required?
1-2 | Severe | Immediate action is required to address this risk, in addition to inclusion in training and education and audit and monitoring plans.
3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans.
5-7 | Significant | 
8-14 | Moderate | 
15-19 | Low | Risks at this level should be monitored, but do not necessarily pose any serious threat to the organization at the present time.
20-25 | Trivial | 

These rating guides are a terrific model for you to use in developing the Rating Guides for your business. But remember, each business is different. The evaluation criteria must be tailored to your company.

Let’s take a look at an example:

Scenario:

Your company sells ready-mix concrete in Louisiana. With the economic downturn in the housing market, the demand for ready-mix concrete is declining. You have a competitor who also sells in the same area. During the risk identification brainstorming sessions with the Sales Department, you learn that at a recent industry-wide event your salesman approached the salesman for the competition and “suggested” that a good price for X pounds of ready-mix concrete is $X dollars. You recognize that this action is probably a violation of the U.S. anti-trust laws. How do you rate the “Significance” of this event? What about the “Likelihood”? You learn from the legal department that the maximum fine for violating the Sherman Act is $100 million for corporations. You also learn that the maximum fine may be increased to twice the gain derived from the crime or twice the loss suffered by the victims of the crime, if either of those amounts is greater than the statutory maximum fine. Given the fines and penalties, would you rate this risk a “1” (“Extreme”) because you believe that the consequences of such an event would threaten the survival of the business or would result in outside monitoring and enforcement? What about the likelihood? Perhaps you would rank the likelihood as a “2” (“Likely”) because you believe that there is a strong possibility that an event will occur and there is sufficient historical evidence to support it. In this case, the “Priority” rating for an anti-trust violation would be “2” (1 × 2), which according to your Priority Rating Guide suggests that immediate action is required to address this risk.

The questions for us to discuss in the next segment are “How do you manage the risk?” and “What internal controls do you have, or can you implement, to mitigate the risk?”

Mary Shaddock Jones, Attorney at Law.  msjones@msjllc.com; 337-515-8527 (c); 337-513-0335 (0)

 

Regulatory Compliance Risk Assessment: Managing Risks with Internal Controls

Ed. Note: I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”. Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she outlined in that article. This is the third and final posting in this follow-up series.

[Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates.] 

As stated in the previous article, we believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country-by-country basis. In the first article, we discussed identifying Risk Centers and Risk Owners as one way of identifying all of the various legal/regulatory compliance risks that could impact your company. As discussed in the second article, once the risks are identified, under the ERM Framework, the next step in the process would be to rate the “Significance” and the “Likelihood” of compliance failure in order to establish a Priority Rating. We believe that the third step in the process is to determine how the various identified risks are managed and/or mitigated using risk-specific internal controls.

What do we mean by this?  One definition of “Internal Control” is the following:

Internal control: Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial management information, and (6) ensure adherence to its policies and plans.

We think most people, when they hear the words “internal control”, automatically assume that it refers to accounting or financial controls. While that may be true, we believe that internal controls, as systematic measures (such as reviews, checks and balances, methods and procedures), can be used in the compliance risk assessment process. A few types of internal controls that may be used to mitigate identified compliance risks are the following: (1) Control Environment, (2) Policies, and (3) Procedures. Some of the controls may need to be at the entity level, while others may be process specific.

Why does all of this matter? The process your company puts into place to identify, prioritize and mitigate and/or manage compliance risks matters in many respects. First and foremost, it is a systematic way of trying to prevent criminal behavior. Second, the process helps you to put in place a Compliance and Ethics program which should be considered “effective” under the U.S. Sentencing Guidelines.

 

§8B2.1. Effective Compliance and Ethics Program

 (a)    To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

 (1)   exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b)  Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high level personnel shall be assigned overall responsibility for the compliance and ethics program.

  (C)  Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

 (3)  The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

 (B)  The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

 (5) The organization shall take reasonable steps—

 (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

 (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

 (7)  After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

 (c)   In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

What should be clear is that the U.S. Sentencing Guidelines do not tell you HOW to identify, assess, prioritize, mitigate or manage risks. They simply provide guidance on the elements of an Effective Compliance and Ethics Program, including (as a summary only) that (a) you have to establish standards and procedures to prevent and detect criminal conduct; (b) you have to have specific individuals (arguably at all levels of the organization) who are knowledgeable about and responsible for the program; (c) you communicate the policies and procedures; (d) you have to monitor for compliance; (e) you take reasonable actions to respond to criminal conduct and to prevent or detect future conduct; and (f) you periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify the controls to reduce the risk of criminal conduct.

We believe that the Enterprise-Wide Risk Management format is an excellent tool to assist your company in creating and maintaining an Effective Compliance Program. Hopefully, by utilizing some of the suggestions in this series of articles, the task of performing a regulatory compliance risk assessment in all of the countries in which your company currently operates will not be quite as daunting as you originally feared.

Summary:  (1) Identify the Risk Centers; (2) Identify the Risk Owners within each Risk Center; (3) Work with the Risk Centers/Owners to identify the Legal/Regulatory requirements applicable to each of their Risk Centers; (4) Prioritize the risks using a “Significance” and “Likelihood” rating guide; and (5) identify and/or implement internal controls to minimize the identified risks.

 Mary Shaddock Jones, Attorney at Law.  msjones@msjllc.com; 337-515-8527 (c); 337-513-0335 (0)
