FCPA Compliance and Ethics Blog

February 12, 2015

Maurice Gilbert, CCI and Ten Questions A Board Should Consider About Compliance

For those of you in the compliance world who do not know Maurice Gilbert, you should. I could probably write an entire post on the number of hats that he wears. For the Chief Compliance Officer (CCO) or compliance practitioner, two of the most significant are as Managing Director at Consileum Inc., which I consider to be one of the premier compliance-related search firms in America, and as Founder and Managing Editor of Corporate Compliance Insights, known as CCI in the compliance world (full disclosure – I blog and write for CCI). If you are looking for some of the country’s top compliance talent for a corporate compliance position, Maurice should be about the first person you call when even thinking about such a task. He can help you define the scope of the position and then craft the position to attract some great talent for you to consider. Of course, you should always know one of the country’s top compliance talent recruiters, because you never know when the right opportunity might be presented to Maurice by a client and you could perfectly fill the bill.

However, it is his other hat that I want to highlight today. As Founder and Managing Editor of one of the top online compliance resources, Maurice leads a team that continually generates and posts some of the most insightful and useful pieces of information around the entire panoply of issues related to compliance. From my world of anti-corruption compliance, to trade compliance, corporate boards and governance, auditing and much more, CCI is a resource you should have on your favorites toolbar. It was through Maurice and CCI that I was introduced to the writings and assorted wisdom of Jim DeLoach, who is one of my favorite contributors to read on CCI.

DeLoach is a Managing Director with the global consulting firm Protiviti. He regularly writes and blogs on issues relating to Enterprise Risk Management (ERM). He put out so much great material that Maurice persuaded him to put it together for us in an eBook, entitled “Making Risk Management Work for You”. In the section entitled “10 Questions You Should Ask About Risk Management”, DeLoach lists 10 questions he says a board and senior management should think about when considering ERM. I have used this section as a basis to reformulate the questions from a compliance perspective.

  • What are the company’s top compliance risks, how severe is their impact and how likely are they to occur? – Just as managing enterprise risk at a strategic level requires focus, the same is true for compliance. This requires limiting your top risks to a handful so they can accurately be assessed and managed. DeLoach suggests that you should be emphasizing no more than five to 10 risks. Furthermore, “Day-to-day risks are an ongoing operating responsibility.”
  • How often does the company refresh its assessment of the top [compliance] risks? – As the Department of Justice (DOJ) continually reminds us, your compliance risk assessment process should be responsive to change in the business environment. It is now mandatory that teams have such a process in place; as DeLoach puts it, “a robust process for identifying and prioritizing the critical [compliance] risks, including emerging [compliance] risks, is vital to an evergreen view of the top risks.”
  • Who owns the top compliance risks and is accountable for results, and to whom do they report? – While this might seem self-evident in any best practices compliance program, it is not always clear within an organization. Clearly your CCO should own the top compliance risks and manage them, but there should also be proper board oversight and reporting. DeLoach warns, “Gaps and overlaps in risk ownership should be minimized, if not eliminated.”
  • How effective is the company in managing its top [compliance] risks? – Just how effective your compliance regime is remains a key question that any CCO or compliance practitioner needs to be thinking about on a regular basis. However, at the board and senior management level, there should be “a robust process for managing and monitoring each of the critical [compliance] risks.” Moreover, your “risk management capabilities must be improved continuously as the speed and complexity of business change.”
  • Are there any organizational “blind spots” around [compliance] warranting attention? – Some practitioners believe that the entire Foreign Corrupt Practices Act (FCPA) enforcement regime is a failure because companies are still engaging in bribery and corruption. But the simple fact is that since corporations are made up of people, there will always likely be wrongdoers. DeLoach notes that “Cultural issues and dysfunctional behavior can undermine the effectiveness of [compliance] risk management and lead to inappropriate risk taking or the undermining of established policies and processes.” He cites several examples, including “lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.”
  • Does the company understand the key assumptions underlying its [compliance] strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – You might not think it could happen in a compliance regime, but if a company fails to recognize that its business paradigm is changing, it could be too late to effect an appropriate compliance strategy for a new product line/service offering or for breaking into a new geographic territory. Here DeLoach believes that while “no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.”
  • Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – This is one area that always bears discussion. For some companies there is enough business in the middle of the road that they feel they do not have to go up to the line of an FCPA violation to garner sales, while other companies have done deals that may have been lawful but, at the end of the day, had awful consequences for the business. Just because you can do something does not mean you should do it, and a large part of such a calculus revolves around your risk appetite dialogue. DeLoach believes such ongoing conversations can assist to “bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, ‘How much variability are we willing to accept as we pursue a given business objective?’ For example, separate risk tolerances may be expressed differently for objectives relating to earnings variability, interest rate exposure, and the acquisition, development and retention of people.”
  • Does the company’s [compliance] risk reporting provide management and the board the information they need about the top risks and how they are managed? – Compliance reporting should begin with relevant information about the critical compliance risks and how those compliance risks are managed. DeLoach believes that some of the questions you should be asking under this prong are along the lines of the following: “Are there opportunities to enhance the [compliance] risk reporting process to make it more effective and efficient? Is there a process for monitoring and reporting critical [compliance] risks and emerging [compliance] risks to executive management and the board?”
  • Is the company prepared to respond to extreme [compliance] events? – DeLoach calls it an extreme event, but I would ask: what will you do if your company is on the front page of the New York Times (NYT), Wall Street Journal (WSJ), Financial Times (FT) or any other similar media outlet for a compliance-related violation or issue? Do you have a response plan in place? Moreover, “Has it prioritized its high-impact, low-likelihood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?”
  • Does the board have the requisite skill sets to provide effective [compliance] risk oversight? – This goes to the heart of frustrations from both the compliance function side and the board side of the equation. Do your board and senior management have specific FCPA or other relevant anti-corruption training, and do they understand your business model well enough to provide input regarding critical compliance risk issues on a timely basis? From the board’s perspective, they may feel the information they receive is asymmetrical and that they do not receive enough material information to render good decisions. From the CCO or compliance practitioner’s perspective, they may feel that they cannot get enough time in front of the board, audit committee or senior management to properly educate them on the issues.

I have only scratched the surface of DeLoach’s thoughts on ERM. I urge you to go to the CCI site and download the entire work. Did I mention the best thing about CCI and DeLoach’s book? It is free on the CCI site. So after you download DeLoach’s book, stick around on the site and noodle around to find something that interests you or could be of assistance in your compliance practice. Don’t forget to check out CCI’s job listings, because Maurice has that other hat that he wears as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 24, 2011

Regulatory Compliance Risk Assessment: Identifying Key Legal/Regulatory Risks

Ed. Note: I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”. Based on the response to the posting, I asked Mary to drill down a little more, in subsequent articles, on a few of the steps she outlined in that article. This is the first posting in this follow-up series.

Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries in which your company currently operates.

We believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) ERM Framework defines ERM as follows:


Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.


The key is that ERM is a process. It is not a “one time” exercise. The same holds true for the Legal/Regulatory/Compliance risks facing your company. Laws and regulations can change on a regular basis. Keeping up with the myriad of changes can be a difficult task for compliance and legal departments, especially at smaller firms or companies. This is why we suggest that you need to “divide” the company into various “Risk Centers” and identify the “Risk Owners” within each Risk Center. Responsibility for monitoring and notifying the Legal/Compliance departments of any change in the legal/regulatory requirements should remain with the “Risk Owner”.

So who are some of the key “Risk Owners” in any organization? Clearly the Human Resources department is one key “Risk Center”. There are a myriad of U.S. Federal and State employment laws including, but not limited to: (a) Title VII of the Civil Rights Act of 1964; (b) Age Discrimination in Employment Act; (c) Americans with Disabilities Act; (d) Equal Pay Act; (e) Immigration Reform and Control Act of 1986. In addition, if you are a company operating internationally, you must have a “risk owner” who has responsibility for the local Human Resources laws. For instance, did you know that the Mexican Constitution (at least at one point in time) contained a “Declaration of Social Rights” that deals with minimum working conditions, salaries, equality of treatment, job security, the right to strike, and mandatory profit sharing? The Brazilian Labor Code has adopted many of the same principles and has created a system of Labor Courts that are quite favorable to all Brazilian workers – both blue and white collar. But there are small differences in the employment laws between Mexico and Brazil that require someone with specialized knowledge within your company to “own” the risk.

Another “Risk Center” could be the Logistics or Supply Chain Management Department. If this Department is responsible for interfacing with Freight Forwarder companies (i.e. a company which is hired to move shipments between foreign and domestic locations, or a portion of the way; freight forwarders handle many of the formalities involved in exporting and importing such shipments), then it should “own” the legal/regulatory compliance risks associated with exporting and importing. Again, there are a myriad of U.S. Federal and State laws and regulations touching upon Import and Export activities including, (a) The Export Administration Act; (b) The Export Administration Regulations (EAR); (c) The International Traffic in Arms Regulations (ITAR); (d) Trading with the Enemy Act; (e) Antiboycott Regulations; (f) Foreign Corrupt Practices Act, to name a few. In addition to the U.S. laws, there are significant local laws in foreign countries that regulate the importation and exportation of goods into those countries. Did you know that there are different laws for the importation of vessels into Brazil depending upon whether or not the vessel is being used in the oil and gas industry? Or that there are laws regarding the importation of automobiles into China? The point is that there are so many laws and regulations in every aspect of doing business that the most practical way of ensuring compliance is by having identifiable “Risk Centers” which designate a “Risk Owner” who has the compliance responsibility. The compliance department can then act as the repository of the information, but the Risk Owner (i.e. that person closest to the risk).

What about Financial Record Keeping and Reporting? Tom Fox has written numerous blogs regarding the Books and Records requirements contained within the Foreign Corrupt Practices Act. The FCPA requires “issuers” (any company, including foreign companies, with securities traded on a U.S. exchange or otherwise required to file periodic reports with the Securities and Exchange Commission (“SEC”)) to keep books and records that accurately reflect business transactions and to maintain effective internal controls. Another U.S. law which has significant internal control requirements is the Sarbanes-Oxley Act of 2002. Clearly, the Accounting/Financial Department(s) are another “Risk Center”.

What are the laws/regulations under each area? What is the appropriate “Risk Center” for each law/regulation for your company? Who is the designated “Risk Owner”? Mapping out the answers to these questions will clearly be a step in the right direction in performing your Legal/Regulatory Risk Assessment. Here are a few legal risk areas for your consideration: (a) Antitrust; (b) Bribery, Gifts and Entertainment; Conflicts of Interest; (c) Consumer Protection; (d) Customs, Import and Export Controls; (e) Environmental, Health and Safety; (f) Labor and Employment Law; (g) Financial Record Keeping and Reporting; (h) Government Contracting; (i) Intellectual Property; (j) HIPAA/Security and Privacy; (k) Records Management; (l) Securities and Insider Trading; and (m) Anti-Money Laundering. This doesn’t even touch applicable international laws! But it should help you get started with your Risk Assessment. Good Luck!

Mary Shaddock Jones, Attorney at Law, can be reached via email at msjones@msjllc.com or via phone at 337-515-8527 (c); 337-513-0335 (o).

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

June 9, 2011

Use of an ERM Map to Implement or Enhance Your Compliance Program

For some time I have wanted to write about an Enterprise Risk Management (ERM) Map that I came across. It is put out by a company called MetricStream. This ERM Map is designed to assist the compliance practitioner in either designing or reviewing a company’s Governance, Risk and Compliance (GRC) program by providing a visual representation of the best practices in compliance business processes. It allows a company to either develop a gap analysis or classify gaps in its GRC program by better understanding overall system requirements. The ERM Map lays out these best practices in a visual format, identifying sub-processes within the specific disciplines involved in ERM, and finally separating such practices into Leadership, Organization, Process and Technology. This post will focus on Leadership and Process, and I will discuss these in only some of the areas which are identified by discipline on the ERM Map.

I. Chief Compliance Officer

  1. Leadership – the Chief Compliance Officer (CCO) is the model for ethical behavior and should link ethics to business success. The CCO should be a part of the Executive Leadership Team and work to create a formal compliance program, including a Code of Conduct, Compliance Policy and Compliance Procedures, to detail how the program should be conducted throughout the company.
  2. Process – the CCO should develop processes for monitoring compliance so that if there is a violation, it can be detected and then remedied. There should be some type of ethics certification and creation of an anonymous reporting line or helpline. There should be a formal measurement of compliance and ethics risks and a follow-up analysis of compliance failures to determine lessons learned going forward.

II. Chief Risk Officer

  1. Leadership – this role should lead through visibility on the full spectrum of enterprise and operational risk. As risk management is a value-generating business process, the role should be a part of the Executive Management Team.
  2. Process – this role is responsible for creating the formal process for analyzing and managing enterprise risk across the company. It assists in ensuring that the Internal Audit process is risk driven and that financial processes are risk-based.

III. Chief Financial Officer

  1. Leadership – the Chief Financial Officer (CFO) should focus the department’s efforts on business risk when conducting internal audits. This is broader than simply general audit, Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA) audits; it should include all business risks. There should be accountability to the company’s Board of Directors.
  2. Process – initially it should be noted that ERM should drive audit priorities, and the overall audit process should be repeatable and systematic. There should be consistent processes in place between operational and internal audit. In the area of findings, a summary of findings should be reported to the Board of Directors, and there should be collaboration on findings with, and recommendations to, the persons or departments which are audited.

IV. Chief Operating Officer

  1. Leadership – the Chief Operating Officer (COO) should be responsible for operational risk and should lead the effort to impart that quality and safety are core values of the company. This office should be accountable to regulators and to industry and legal standards. The COO should lead to achieve consistent compliance and minimize exceptions.
  2. Process – the COO should lead in the collaboration between quality and regulatory affairs. If there is decentralized accountability, the COO must consolidate the reporting through centralized record keeping and document control.

V. Chief Information Officer

  1. Leadership – with a nod towards my “This Week in the FCPA” partner Howard Sklar, who routinely lists data security as a key compliance concern, I will discuss the role of the Chief Information Officer (CIO) within the ERM Map. The role should begin with expertise on the integration of technological controls into business applications. The CIO should be charged with the centralized management of IT governance and should ensure that the IT environment is secure. This would include protection of information security. Finally, as a leadership function, the CIO should ensure that data security is a Board of Directors agenda topic.
  2. Process – here the CIO should work to have an overall IT framework that helps drive business processes. There should be a centralized document management and approval system, and there should be end-user identity management.

I have but scratched the surface of the information readily available on the ERM Map. I would urge the compliance practitioner to go to the company’s website and order a complimentary copy of the map. It will give you a very good visual road map to create or enhance a complete company-wide GRC structure, or allow you to think through any of the departments I have discussed and several others on the ERM Map which I have not discussed. It is a very valuable and free tool.


© Thomas R. Fox, 2011
