Creating Maintaining and Updating Your Compliance Program Code
- Slides: 44
Creating, Maintaining and Updating Your Compliance Program/Code of Conduct and Related Policies and Procedures*

Panelists:
• Susan Dauber, General Counsel, Ogg Trading, LLC
• Teresa Davidson, General Counsel, Volvo Financial Services Region the Americas
• Robert Jett, Global Compliance Counsel, RGA Reinsurance

*Views expressed today by the panelists are their own and are not attributed to or authorized by their employers.
INTRODUCTIONS
Risk Assessment
• Assess potential risk on an on-going basis
  – Changes in laws and regulations
  – New product lines and business activities
  – New locations (organic growth and acquisitions)
  – Change in customer base
  – Response to compliance audits and violations
• Create a Risk Matrix
• Tailor types and frequency of training, oversight and compliance audits
Types of Risk
• Conflicts of Interest – Organizational
• Conflicts of Interest – Individual
• Bribery and Corruption
• Supplier Practices
• Competition Law
• Sales and Marketing
• Confidential Information/IP
• Insider Trading
• Data Privacy
• Government Relations and Contracting
• Product Quality and Safety
• Political Activity
• Export Control
• Employment Law and Policy
• Employee Health and Safety
• Anti-boycott
• Environment
• Licensing
• Misuse of Company Resources
• Money Laundering
• Regulatory
• Customers/Sanctions & AML
Risk Matrix
Identify and rate risk within each category based on its likelihood and impact.
1. Likelihood: the probability that the risk or threat occurs.
2. Impact: the effect on the company if the risk or threat occurred.

Likelihood scale
  Level 3 – High: Risk is expected to occur on a regular basis
  Level 2 – Medium: Event probably occurs on an occasional basis
  Level 1 – Low: Event may only occur in exceptional circumstances

Impact scale
  Level 3 – High: Realization of the event would have serious and lasting consequences to the business
  Level 2 – Medium: Realization of the event would have some, but not significant, consequences to the business
  Level 1 – Low: Realization of the event would have minor consequences to the business, which can be easily overcome
Example: Export Control Risk Assessment
(Each column lists the indicators in the same order: customer base, high-risk customers, internet sales, violation history, compliance systems.)

LOW RISK
• Stable, known customer base. Local.
• Few high-risk customers.
• No internet sales.
• No history of violations or indicia of potential violations.
• Compliance systems and controls are well-organized and staffed.

MEDIUM RISK
• Changing customer base; new domestic markets.
• Moderate number of high-risk customers.
• Internet sales, with verification and screening.
• Small number of voluntary disclosures resulting in penalties; implemented corrective actions.
• Compliance program is slow to identify and react to weaknesses.

HIGH RISK
• Large, fluctuating customer base; international.
• Large number of high-risk customers.
• Internet sales, without customer screening.
• Multiple voluntary disclosures/enforcement actions. No confirmation of corrective actions.
• Compliance systems are ineffective.
SAMPLE Roles & Responsibilities Alignment
Risk Assessment: Output/Results
• Carefully consider who gets a copy of the full risk assessment
• Use a summary of the report for certain stakeholders, including the Board and senior management
• Outline the methodology and clearly set out the scope and limits of the assessment
• Use risk matrices, if practical, to grade risks into categories
• Identify areas of uncertainty and those requiring further assessment or review
• Create a timetable for periodic reviews and updates to the risk assessments
Regulatory Environment
• The current regulatory environment has never been more demanding of corporations and their compliance programs – e.g., state insurance regulators are now looking at AML/OFAC.
• It is important to understand your businesses and the regulatory jurisdictions in which they operate (and in which they want to operate).
• Resources are not limitless – identify those businesses/products that present the greatest risks to the organization and focus on them initially.
• Proactive vs. reactive approaches – regulators expect a proactive approach to a greater degree than in the past.
Identify Stakeholders
Key Employee (Chief Legal Officer or Chief Compliance Officer) or Decentralized Structure with Corporate Oversight

Performance Administration
• Training
• Disseminate Materials
• Update Intranet
• Record Keeping
• Compliance Monitoring
• Report and Escalate Violations
• Consistent Enforcement

Coordination
• Management
• Board of Directors
• HR
• Sales/Marketing
• Operational Units
• Outside vendors (e.g., Hotline)
Board of Directors’ Governance Responsibilities
• Ensure compliance policies, systems and procedures are in place.
• Monitor implementation and effectiveness of the compliance program:
  – Be actively involved
  – Attend Board meetings
  – Review, consider and evaluate information provided
  – Inquire further when presented with questionable circumstances or potential issues
• Once the Board knows of a potential compliance issue it must act.
• Regularly receive compliance briefings and training.
Talk the Talk / Walk the Talk
• Management Commitment
• Allocate Resources
• Incentives & Recognition
TRAINING AND POLICIES
Developing the Policies
• Mandatory policy requirements
• Ethics, conflict of interest, insider trading, data, finance, IT
• A principles-based approach provides a greater advantage for global effectiveness
• Permits local nuances but communicates the general policy framework, compliance requirements, and enforcement
• Review by local in-house counsel and local human resources personnel, and a preview with senior management, provides buy-in and reinforces “tone at the top”
• Risk assessment output will drive additional corporate policies
Delivering the Policies
• Consider translation requirements – comprehension of English is generally an issue in Asia and French versions are a requirement in Quebec.
• Drinking from the fire hose – consider when and how many to push out – initial program policies “bite the bullet”.
• Training programs and attestation requirements need consideration as to length and completion periods.
• Updates should be on a rolling basis to use resources efficiently.
• Create a training calendar and coordinate with HR for new hires.
Training Program
• Who will be responsible for overseeing the training program?
• Who will conduct the training?
• Who will be trained?
• How will training be conducted?
• How frequently will training be required or provided?
• How will training be documented and training records maintained?
• How will training be kept relevant and up-to-date?
Training and Communication
• Reasonable and practical steps should be taken to disseminate information about the organization’s compliance programs and its policies and processes.
• Training should be periodic and documented.
• Training should be provided to the governing body, high-level executives, employees and, where appropriate, the organization’s agents on relevant laws, regulations, corporate policies and prohibited conduct.
• The government’s expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.
Training Options
Decide the type of training, the method, the frequency, and whether attendance or an assessment is required. Options include:
• Online (individualized)
• Webinar
• In-person/video conference
• Workshops
• Two-way lecture
• Role playing
• Brainstorming
• Case studies
• On-boarding
• Periodic/Annual
• Change in position/job function
• Management-focused training
Communicate Frequently
• Annual Reports
• Business and Staff Meetings
• Company Communications
• CEO Addresses
• Compliance Posters
• In-house Publications
• Company Intranet Postings
• Company Web site
• New Employee Orientation
• Press Releases
• Procedures Manuals
• Training Sessions
• Contract Terms
Assess Effectiveness
Goal: Identify and resolve inconsistencies between written procedures and operations.
Methods:
• Track reports of non-compliance
• Audit training completion and results
• Quantify communications by the executive team
• Use of hotline and other reporting processes
• Audit the audit process
Self-Evaluation Checklist
1. Has the company established compliance procedures, policies and standards relevant to its business?
2. Are management commitment and involvement apparent?
3. Are appropriate resources, including dedicated staff, committed?
4. Are there established processes in place such that employees feel comfortable reporting noncompliance?
5. Is there effective communication between stakeholders?
6. Does the company provide training to all employees, as well as specifically targeted training?
7. Has the company implemented checks and safeguards on employees and activities?
8. Does the program ensure compliance and detect violations through monitoring and audits?
9. Is there a record-keeping process?
10. Is there an established procedure for escalating problems and taking corrective actions?
11. Is there ongoing monitoring and evaluation of the program to enhance compliance and detection of violations?
12. Is the program reviewed and updated based on changes in law or the company’s operations?
Common Issues
• Code of Conduct/Employee Handbook
  – Condition of employment
  – Acknowledge receipt at on-boarding
  – Acknowledge annually
    – Certify that s/he is unaware of violations
• Vendors
  – Provide a copy of or link to the Code or relevant policies
  – Certify that the Vendor maintains similar policies
Monitoring, Auditing and Updating Your Compliance & Ethics Program
Monitoring…Auditing…Response
Organizations are required to monitor, audit and respond quickly to allegations of misconduct. These three components are what enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
• Monitoring is a commitment to reviewing compliance programs and detecting issues in real time, and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis.
• Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records.
• Responsiveness is composed of investigations, corrective actions, and continuous improvement.
Reasons for Auditing & Monitoring
• Ensure that compliance activities are being performed
• Identify gaps in risk assessments
• Determine gaps and corrective actions needed
• Catch the rogue employee
Benefits of Monitoring & Auditing
In its decision not to prosecute Morgan Stanley for the actions of one of its employees, the US DOJ specifically cited Morgan Stanley’s auditing and monitoring program:

“Morgan Stanley continually evaluated and improved its compliance program and internal controls. For instance, beginning in 2007, Morgan Stanley engaged in risk based FCPA auditing intended to detect transactions, payments, and partnerships that suggested increased risks for Morgan Stanley to violate the FCPA. Morgan Stanley checked the efficacy of its controls through various systems, including internal audits and desk reviews that included meetings between employees and compliance personnel to discuss anti-corruption risks. Morgan Stanley compliance personnel regularly reviewed and updated Morgan Stanley’s compliance program and policies to reflect regulatory developments and changing risk. Morgan Stanley, in conjunction with outside legal counsel, also annually conducted a formal review of each of its anticorruption policies.”
Types of Auditing & Monitoring
• Formal
• Informal
Formal Auditing
• Usually conducted by Internal Audit or a third party
• Specific focus for audit activity
• Report typically goes to the Audit Committee of the Board of Directors and/or Executive Management
Partnership with Internal Audit
• Engage with and utilize this resource to the fullest.
• Compliance audits – don’t re-invent the wheel – the internal audit function can be a strong and “silent” partner in conducting reviews.
• Follow through on audit findings – things are never complete.
• The independent nature of the internal audit department provides a stronger case to external regulators for showing review and assessment of controls.
• Audit staff make good compliance professionals.
Working with Internal Audit/Outside Auditors
• It is important to have a good working relationship.
• It is recommended that you meet regularly to discuss issues, upcoming audit plans, etc.
• If possible, try to get involved in making the audit plan and the initial review of any audits in progress – before the final report is issued.
• Remember – they are experts at auditing but may not be subject matter experts.
Reporting
• Reports presented to the Audit Committee and/or the Board of Directors tend to be high level and summarized.
• Privilege is a big issue.
• Reports may be discoverable.
Informal Monitoring
• This is the opportunity to fix problems before they become problems.
• Informal monitoring requires strong relationships throughout the business.
• It is important to have a plan for maintaining contacts with key personnel.
• The major difference from formal auditing is who reviews the findings.
Informal Monitoring Plan
Step 1: Compliance collaborates with the Business Lead to conduct a Compliance review.
Step 2: Compliance coordinates meetings with Compliance Activity owners to review status.
Step 3: When meeting with the Compliance Activity owner, Compliance –
  a) Reviews the evidence that shows whether the Compliance Activity is still functioning
  b) Walks through the process and guidance documents with the Compliance Activity owner
  c) Discusses any concerns or potential gaps with the owner
  d) Outlines any concerns with the owner and discusses any potential remediation or continuous improvement
Step 4: After meeting with all the Compliance Activity owners, Compliance conducts a de-brief with the Business Lead wherein Compliance –
  a) Discusses any gaps/concerns and outlines any potential remediation or continuous improvement
  b) Determines any modifications or additions to the Compliance Activity that may be beneficial
  c) Schedules the next review
All findings will be reported solely to the Business Lead and the respective Compliance Activity owners. No formal report will be issued and the findings will not be disseminated outside the Business Lead or the Compliance group.
CLOSING COMMENTS
Recommendations
• Conduct annual risk assessments
  – Avoid a “wait and see” approach; enforcement trends and government priorities change rapidly. It is important to stay up to date.
• Build the annual risk assessment into the compliance program.
  – Risk assessments should be a regular, systematic part of compliance efforts rather than an occasional ad hoc exercise after a crisis.
  – Understand the array of compliance risks being faced and perform a comprehensive review.
• Scrutinize new business partners and third parties
• Update policies and procedures based on enforcement trends
• Prepare an internal annual reporting process
Develop an Annual Plan
• Typical FCPA agreements (DPAs and NPAs) require an annual risk assessment based on risk profile.
• Integrate with business resources: annual/periodic budget planning and business review meetings are a good source of information. Compliance should always attend.
• Coordinate with internal audit and internal control.
• Executive travel plans/country/business operations visits – calendar and itinerary planning.
• Policy management.
• Systems/people resource limitations – cost-benefit analysis
  – FCPA includes penalties ($2 million USD per violation of the Anti-Bribery provision and $25 million USD per violation of the Anti-Accounting provision)
  – Willful actions resulting in an FCPA violation can result in up to 20 years imprisonment and a $5 million USD personal fine.
  – Extraterritorial liability (e.g., Brazil’s private anti-bribery law: company-to-company bribe)
• http://www.justice.gov/criminal/fraud/fcpa/
• https://www.sec.gov/spotlight/fcpa/fcpa-cases.shtml
Develop an Annual Plan (2)
Establish Goals of the Annual Plan
• Establish base culture and education of new employees
• Continued training
• Address changes in business operations, legal and regulatory requirements
• Risk mitigation targets
• Revisit internal discipline and penalties for violations
• “Red Flags” and early warning update
• Reinforce commitment of leadership and management
• Central v. local commitments
• Fix calendar dates
• Strengthen culture of compliance – http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A007.pdf (copy included)
• Prioritize
• Plan for disruptions and delays
• Include local input
• English and all other languages
  – Allow for local customization
  – Realize some English does not translate well
• Draft and update templates
• Update policies
• Determine whether the business actually still operates within policies
• Tailor training to levels within the organization. Example – Sales needs a 3-hour live session on FCPA, anti-bribery and general ethics or anti-competition at the annual sales meeting, while the tax unit can take an online web session.
Implementing Your Annual Plan
• Communications from Management
  – Employee Town Halls & Meetings
  – Internal Web site
  – Individual Emails (Example Attached as Exhibit ___)
  – All should be translated into the local language.
  – Vet with business leaders.
  – Make available online.
  – The more senior the sender, the greater the impact.
• Use your Onboarding & Annual Acknowledgement to train at a high level (Sample pages attached as Exhibit __)
  – Update
  – Add questions if the system permits
• Share results through the business
• Work with legal – subpoenas, regulatory reports, and government inquiries should change priorities.
• Depending on industry, plan for an independent 3rd party review or audit.
Are Your Updates Working?
Common Issues:
• Is your hotline working? – Test from each location.
• Segregation of duties – Review of system authorizations.
• “Exception” payments, contracts
• 3rd party due diligence results
• Local language a “must”
• New servers/computer hardware for customer data
• Follow-up on required government reports (http://blogs.wsj.com/moneybeat/2014/07/22/excerpts-from-new-york-feds-letter-to-deutsche-bank/)
• Comments from Management
• Self Reporting: http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/28mcrm.htm#9-28.800
• http://www.fcpablog.com/blog/2014/1/15/gold-dust-for-compliance-officers.html

Final Test – From the DOJ
“While the Department recognizes that no compliance program can ever prevent all criminal activity by a corporation's employees, the critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives. The Department has no formulaic requirements regarding corporate compliance programs. The fundamental questions any prosecutor should ask are: Is the corporation's compliance program well designed? Is the program being applied earnestly and in good faith? Does the corporation's compliance program work?”
Some Common Pitfalls
• Manage expectations (unrealistic, undefined, unclear)
• Avoid aggressive deadlines
• Lack of resources (be upfront and realistic)
• Ownership issues (objectivity, credibility)
• Coordination (communication is important)
• Narrow and deep vs. shallow and wide
• Documentation availability (e.g., policies, processes)
• Heavy focus on the perceived “priority” risks
• Lack of follow through
• One-time event mind-set (vs. “evergreen” or continuous improvement)
Maintain Your Sanity – Tips for Success!
• Ease into it – a lighter approach is still a good first step
• Be prepared to deal with what you find – communicate and educate leadership accordingly – in advance if possible
• Strive for objectivity – use open-ended questions
• Use output to improve the overall program – not to validate it
• Structuring the document is key
• Use your unique facilitation role – communicate noncompliance ideas and feedback received during assessments
• Use results to “prove” program efficiency, not vice-versa
Useful Resources
• http://www.acc.com/ethicsxchange/
• http://www.bis.doc.gov/index.php/compliance-a-training/export-administration-regulations-training/online-training-room
• http://www.worldcompliance.com/Libraries/WhitePapers/FCPA_Compliance_Roadmap_White_paper.sflb.ashx
• http://www.epa.gov/compliance/assistance/business.html
• http://www.dol.gov/compliance/
• http://www.acc.com/vl/membersonly/SampleFormPolicy/loader.cfm?csModule=security/getfile&pageid=1326931&page=/legalresources/resource.cfm&qstring=show=1326931&title=Compliance%20Policies
Useful Resources
• http://www.oecd.org/daf/anti-bribery/countryreportsontheimplementationoftheoecdantibriberyconvention.htm
• http://www.fcpablog.com/
• http://www.irs.gov/Businesses/Corporations/Foreign-Account-Tax-Compliance-Act-FATCA
• http://fcpamericas.com/
• http://www.transparency.org/whatwedo/pub/assurance_framework_for_corporate_anti_bribery_programmes
• http://www.ftc.gov/
• http://www.justice.gov/criminal/fraud/fcpa/othersites/
• http://www.fincen.gov/statutes_regs/guidance/
• http://www.pwc.com/en_US/us/risk-assurance-services
(If links do not work, cut and paste them into the browser window.)
Questions