Enterprise Risk Management
Enterprise Risk Management is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.
Risk Model Maturity Spectrum
(diagram: three maturity levels, each with a profile and characteristics; shareholder value increases from Basic to Advanced)
Basic (Profile: Comply with Regulatory Obligations)
  • Manages risk of infractions
  • Provides limited protection
Moderate (Profile: Protect Shareholder Value)
  • Uses risk management tools
  • Protects assets and shareholder value
Advanced (Profile: Enhance Shareholder Value)
  • Integrates risk measures across enterprise
  • Enhances shareholder value
Overview of Enterprise Risks
Hazard Risks include risks from:
  • Fire and other property damage;
  • Windstorm and other natural perils;
  • Theft and other crime, personal injury;
  • Business interruption;
  • Disease and disability (including work-related injuries and diseases);
  • Liability claims;
  • War; and
  • Terrorism.
Financial Risks include risks from:
  • Price (e.g. asset value, interest rate, commodity);
  • Liquidity (e.g. cash flow, call risk, opportunity cost);
  • Credit (e.g. default, downgrade);
  • Inflation/purchasing power;
  • Hedging/basis risk;
  • Taxes; and
  • Currency fluctuations.
Operational Risks include risks from:
  • Business operations (e.g., human resources, product development, capacity, efficiency, product/service failure, channel management, supply chain management, business cyclicality, demand for services);
  • Empowerment (e.g., leadership, change readiness);
  • Information technology (e.g., relevance, availability);
  • Information/business reporting (e.g., budgeting and planning, accounting information, pension fund, investment evaluation, taxation);
  • National disaster;
  • Failure to identify market trends; and
  • Failure to properly document deals and transactions.
Strategic Risks include risks from:
  • Reputational damage (e.g., trademark/brand erosion, fraud, unfavorable publicity);
  • Competition;
  • Customer wants;
  • Demographic and social/cultural trends;
  • Technological innovation;
  • Capital availability; and
  • Regulatory and political trends.
Overview of Enterprise Risk Management
(diagram: the ERM process cycle)
  • Establish Context
  • Identify Risks
  • Analyze/Quantify Risks
  • Assess/Prioritize Risks
  • Treat/Exploit Risks (Mitigate)
  • Monitor & Review
Practical Considerations in Implementing ERM
  • Designating an ERM “Champion”
  • Making ERM part of the enterprise culture (“tearing down the silos”)
  • Determining all possible risks of the organization
  • Quantifying operational and strategic risks
  • Lack of appropriate risk transfer mechanisms
  • Monitoring the process
  • Start slowly; build upon successes
Critical Success Factors in Implementing ERM
  • Management buy-in
  • Leadership
  • Follow-up
Opportunity for Legal Officers
  • Take a leadership role in risk identification and mitigation
  • Move beyond compliance to other risks facing the company and how they may have legal consequences
  • Preventive/proactive lawyering
  • Consider attorney-client privilege implications
  • Springboard for ethics and compliance initiatives
Compliance Program in Context of ERM Universe
(diagram: the Compliance Program shown as one component within the larger ERM universe)
What is a Compliance Program?
A program to ensure that a Company has an ethical/compliant culture, minimizing the risk of criminal/financial liability to the Company and its Directors and Officers, while maximizing the credit available under the United States Federal Sentencing Guidelines in the event of a violation of law.
USSG Seven Criteria
  • Written policies and procedures (code of conduct)
  • Specific high-level personnel assigned to oversee the compliance program
  • Communicate standards to all employees/agents; required participation in training; publications explaining the program
  • Auditing and monitoring
  • Method for reporting non-compliance without fear of retaliation (anonymous or confidential reporting)
  • Consistent discipline for non-compliance
  • Reasonable steps to respond and prevent
Why Have a Compliance Program?
Caremark case: Directors must ensure that a company has a system designed to detect, monitor, prevent and report any significant lack of compliance with applicable law.
Holder/Thompson Memos/SEC Position: Decisions whether to prosecute companies involve the questions of 1) whether upper-level management was involved in the misconduct, 2) whether there was an effective compliance program, 3) the company’s criminal history, and the industry self-policing/reporting standards.
Federal Sentencing Guidelines: A company may significantly reduce sanctions, fines and penalties if it has an effective program to prevent and detect violations of law, the hallmark of which is due diligence. A $6M fraud matter will produce a fine of $8.4 to $16.8 M for a corporation without a compliance program, which may be reduced to as little as $300K for a corporation with an effective compliance program.
1. Establish standards & procedures reasonably “capable of reducing… prospect for criminal conduct”
  • Are the Code of Conduct and other policies simple, internally consistent and easily followed?
  • Is there a process for identifying, capturing and addressing material risks?
  • Is there a process to identify compliance issues early in the development of new or changing business models and laws?
  • Is there a process to update policies and procedures?
  • Do they cover all employees and other agents?
2. Assign oversight to specific high-level personnel
  • Who serves as Compliance Officer?
  • Does the Compliance Officer have all appropriate access and all necessary resources?
  • Does the Compliance Officer have the right level of independence?
  • Does the Compliance Officer report directly to the CEO/GC/Audit Committee?
  • Does the Compliance Officer review exceptions to the Code of Ethics?
  • Is there Board oversight?
      • Audit Committee or not
      • Employee certifications
      • Conflicts of interest
2. Assign oversight to specific high-level personnel [continued]
  • Corporate commitment
      • Is there strong executive leadership commitment, as demonstrated by communications, actions and budget (especially during tough economic times)?
      • Do regular business reports include compliance matters?
      • Are senior executives involved in the development of company policies?
3. Use due care to avoid individuals with bad propensities
  • Are there employee screening/background checks?
  • Do performance reviews include ethics/compliance?
4. Effectively communicate standards to employees
  • Is there a vigorous process for the development and implementation of compliance training?
  • Is there a comprehensive communication plan addressing:
      • turnover
      • language barriers
      • level of communication (6th grade v. college)
      • channels of communication
      • timing for each type of communication (new policy, reminder, change in business or business practice, training, etc.)
      • brochures, webinars, etc.
Training Issues
  • How often is training offered/repeated/updated?
  • Who is trained?
  • Does everyone receive the same training?
  • How is the training accomplished: in person, Web-based, brochures?
  • How is the format determined?
  • Is appropriate training mandatory?
5. Monitoring, auditing, and using a reporting system (without fear of retribution)
  • Is there a vigorous program of internal audits and on-site, in-house or outside legal audits?
  • Is there a reporting system that allows anonymous reporting, protecting identities to the extent permitted by law and consistent with the policies of the Company’s Code of Conduct?
  • Are there incentives for compliance as a job performance element, and penalties for failure to perform?
6. Consistent & Appropriate Discipline
  • Is there a well-articulated, even-handed, evenly enforced disciplinary policy?
  • Does the company dismiss/discipline high-level managers for violations?
  • Are there robust mechanisms to discover and take appropriate disciplinary action in response to violations of law and policy?
7. Take “All Reasonable Steps”
  • Does the company develop proportional and timely responses to mistakes?
  • Is there an honest evaluation on an ongoing basis to anticipate new issues and improve the program?
  • ERM is the next step
Compliance Pitfalls
  • Boilerplate programs
  • Standards without established procedures
  • Double standards regarding discipline
  • Poor communication
  • Lack of enforcement
  • Constrained resources
  • Disconnect on risk/benefit analysis
“LIVE LONG AND PROSPER” Mr. Spock
~ Thank You ~
  • Mark L. Jones, Jackson Walker L.L.P., Corporate Partner
    1401 McKinney Street, Houston, TX 77010
    713-752-4224, mjones@jw.com
  • Susan M. Ponce, Halliburton, Senior V.P. & Chief Ethics and Compliance Officer
    2107 CityWest Blvd., Bldg 4 - 13th Floor, Houston, TX 77042
    713-839-4509, Susan.Ponce@Halliburton.com