Understanding the Risks of Operating in a Global Market. January 19, 2011. Faculty. Moderator: Michael Samonas, Compliance Solutions Specialist, LexisNexis. Speakers: Paul J. McNulty, Partner, Baker McKenzie LLP. Stephen Martin
Understanding the Risks of Operating in a Global Market • January 19, 2011
Faculty • Moderator: Michael Samonas, Compliance Solutions Specialist, LexisNexis
Faculty • Speakers: • Paul J. McNulty, Partner, Baker McKenzie LLP • Stephen Martin, General Counsel and Chief Compliance Officer, Corpedia • Matthew B. Pachman, Vice President and Chief Compliance Officer, Altegrity
Great Expectations: A New Era of Business Crime Enforcement and Corporate Compliance
Overview of Enforcement Issues: The Big Picture • A decade of enforcement milestones • Enron • SOX • Thompson / McNulty / Filip • FCPA enforcement surge • Mortgage mess • Pharma ills • Technology – Transparency – Tolerance
Top 10 FCPA Settlements (millions) [chart: Start of 2010 vs. Start of 2011]
Counter-Cyclical Enforcement of Corporate Law [chart: S&P 500 Chg and SEC Enf Actions Chg, 95 to 06] Source: Associate Professor Amitai Avisam, Yale Journal on Regulation, Vol. 25:1, 2008
Top Federal Enforcement Priorities • Corruption • Securities and financial fraud • Procurement fraud • Health care fraud • Mortgage fraud
Top National (Federal and State) Enforcement Priorities • Corruption • Securities and financial fraud • Procurement fraud • Health care fraud • Mortgage fraud • Consumer fraud
Top Global Enforcement Priorities • Corruption • Financial crime • Fraud in Multilateral Development Projects • Consumer protection • Competition • Privacy / Data Security
Great Expectations for Compliance Programs • Does it really matter? • How does it really work? • How do we really know if we’ve done enough?
Corporate Prosecution Principles – USAM 9-28-3.00 • Nature and seriousness of the offense; • Pervasiveness of the wrongdoing within the business; • History of similar misconduct; • Timely and voluntary disclosure of wrongdoing and willingness to cooperate in the investigation; • Existence and effectiveness of pre-existing compliance program; • Remedial actions, including efforts to implement corporate compliance program; • Collateral consequences, including existence of disproportionate harm to shareholders; • Adequacy of prosecution of individuals responsible; • Adequacy of civil or regulatory remedies.
DOJ Criminal Division AAG on Corporate Compliance • “We know when we see good compliance. We have a good sense of whether it’s robust and real or created on the cheap. … [I]t’s stunningly bad business not to have a state-of-the-art compliance program. You’ll get a better deal.” PLI Conference (11/4/2010) • “Strengthen FCPA compliance program, including internal controls; top-notch program will improve standing with DOJ.” ACI Conference (11/16/2010)
The Essential Ingredients of Corporate Compliance • Leadership • Risk Assessment • Standards and Controls • Training and Communication • Monitoring, Auditing and Response
The Essential Ingredients of Corporate Compliance

USSG’s 7 Elements of an Effective Compliance Program
1. Standards and procedures to prevent and detect criminal conduct
2. Leaders understand / oversee the compliance program to verify effectiveness and adequacy of support; specific individuals vested with implementation authority / responsibility
3. Deny leadership positions to people who have engaged in misconduct
4. Communicate standards and procedures of compliance program, and conduct effective training
5. Monitor and audit; maintain reporting mechanism
6. Provide incentives; discipline misconduct
7. Respond quickly to allegations and modify program
NOTE: A general provision requires periodic assessment of risk of criminal conduct and appropriate steps to design, implement, or modify each element to reduce risk

13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance
1. Risk assessment as basis for effective internal controls and compliance program
2. Policy that clearly and visibly states bribery is prohibited
3. Training – periodic, documented
4. Responsibility – individuals at all levels should be responsible for monitoring
5. Support from senior management – strong, explicit and visible
6. Oversight by senior corporate officers with sufficient resources, authority, and access to Board
7. Specific risk areas – promulgation and implementation programs to address key issues
8. Business partners due diligence
9. Accounting – effective internal controls for accurate books and records
10. Guidance – provision of advice to ensure compliance
11. Reporting violations confidentially with no retaliation
12. Discipline for violations of policy
13. Re-assessment – regular review and necessary revisions

UK’s 6 Principles for “Adequate Procedures”
1. Risk assessment
2. Top level commitment
3. Due diligence
4. Clear, practical and accessible policies and procedures
5. Effective implementation
6. Monitoring and review

Prepared by: Paul J. McNulty, Chair, Global Compliance, Baker & McKenzie
13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance
1. Risk assessment as basis for effective internal controls and compliance program
2. Policy that clearly and visibly states bribery is prohibited
3. Training – periodic, documented
4. Responsibility – individuals at all levels should be responsible for monitoring
5. Support from senior management – strong, explicit and visible
6. Oversight by senior corporate officers with sufficient resources, authority, and access to Board
7. Specific risk areas – promulgation and implementation programs to address key issues
8. Business partners due diligence
9. Accounting – effective internal controls for accurate books and records
10. Guidance – provision of advice to ensure compliance
11. Reporting violations confidentially with no retaliation
12. Discipline for violations of policy
13. Re-assessment – regular review and necessary revisions

Panalpina Corporate Compliance Program
1. Clearly articulated and visible policy
2. Senior management’s strong, explicit, and visible support
3. Develop and promulgate compliance standards and procedures governing gifts, hospitality, travel, etc.
4. Risk assessment as basis for standards and procedures
5. Annual review of program
6. Assign responsibility to one or more senior corporate executives for implementation and oversight; directly reporting to the Board; adequate level of autonomy and sufficient resources
7. System of financial and accounting procedures
8. Effective communication and periodic training and certifications
9. System for guidance, confidential reporting, response
10. Disciplinary procedures
11. Agent and business partner due diligence
12. Agent and business partner agreements
13. Periodic review and testing of standards and procedures (monitoring)
Major Compliance Challenges Leadership Structure Emerging Markets Oversight and Responsiveness
Benchmarking Your Program • Knowing your story • Avoiding a “paper program”: “Everyone’s got an ethics policy, but you’d be surprised at the number of big name companies that have paper-only policies.” • Keeping it current • Risk assessment • Reviews
Antitrust Enforcement: Annual DOJ Criminal Antitrust Fines Source: Gibson Dunn & Crutcher 2010 Year-End Antitrust Update
FCPA Enforcement: Actions Filed by SEC & DOJ Source: Gibson Dunn & Crutcher 2010 Year-End FCPA Update
Full-time Employee Equivalent Dedicated to Ethics and Compliance Activities Source: Corpedia-ACC Compliance Program Benchmarking and Risk Assessment Survey 2010
Approximate Annual Spend on Compliance and Ethics Activities Source: Corpedia-ACC Compliance Program Benchmarking and Risk Assessment Survey 2010
67% of corporations with 5k-10k employees spend less than $150k annually on ethics and compliance. This is up from 55% in 2007 and 36% in 2005. Source: Corpedia-ACC Compliance Program Benchmarking and Risk Assessment Survey 2010
Does Your Organization Conduct a Compliance Risk Assessment? Source: Corpedia-ACC Compliance Program Benchmarking and Risk Assessment Survey 2010
How Often Do You Conduct Compliance Risk Assessments? Source: Corpedia-ACC Compliance Program Benchmarking and Risk Assessment Survey 2010
What is a Compliance Risk Assessment? • FSG says… “in implementing [the elements of an effective compliance and ethics program] the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [as set forth in the elements] to reduce the risk of criminal conduct identified in this process”
Prevention and mitigation FSG §8B2.1 Needs-gap analysis Budget prioritization COSO internal control environment self-assessment Affirmative defense for organization & oversight personnel SEC May 2005 guidance on SOX 404 Why Conduct a Compliance Risk Assessment?
Results must be acted on Poor execution not defensible Leadership may not be supportive Discovery Attorney-client privilege erosion Cost/ROI Disruption Ownership (IA, C&E) ...Why Have Second Thoughts
The Prosecutor’s View... • What resources were appropriated? • How do I know the risk assessment was objective? • Were risks in the C-suite and boardroom addressed? • How was risk examined at vendor/agent level? • If raw work product was not retained, does the final report provide sufficient detail on methodology? • Was culture and attitude measured (tone from the top)? • Was knowledge assessed?
The Prosecutor’s View... • Was anyone terminated or disciplined as a result of the risk assessment? • Who among the governing authority of the corporation received the final report or was briefed on the outcome? • How were the risk assessment outcomes used?
Which Methodologies Were Used in Conducting Your Risk Assessment? Source: Corpedia-ACC Compliance Program Benchmarking and Risk Assessment Survey 2009
Does the Compliance Risk Assessment Take into Account One or More of the Following: Source: Corpedia-ACC Compliance Program Benchmarking and Risk Assessment Survey 2009
12 Common Pitfalls • Expectations (unclear, undefined, unrealistic) • Unrealistic deadlines • Lack of resources • Ownership • Coordination • Lack of objectivity, credibility • Qualitative skew • Narrow and deep vs. shallow and wide • Document availability (e.g., policies) • Too much focus on the perceived “priority” risks • Lack of follow through • One-time event
9 Tips for Success...and to Stay Sane! • Don’t rush into it – “lite” may be possible first • Use outcomes to improve program structure and focus • Use it to prove program efficiency, not vice-versa • Strive for objectivity – open-ended questions (3x rule) • Document structure is key • Know what the measures will be • Message clear, concise and unique from IA • Cross-pollinate non-compliance ideas and feedback – you are in a unique facilitating position • Be prepared to deal with what you find – and steer leadership accordingly in ADVANCE
Evolution of the Code • Codes of Today • The Beginning
Code 3.0: The Future Code Code Hosted on Intranet Activities/Quizzes Interactive and Dynamic Corporate Policies Case Studies Reporting Resources
Why Code 3.0? Current Codes Code 3.0
Accountable, Knowledgeable Oversight • Hallmark 2 of the Guidelines looks not only at Board oversight, but management oversight as well • Governing authority must • Be knowledgeable about the content and operation of the ethics and compliance program • Exercise reasonable oversight with respect to the implementation and effectiveness of the program • Be adequately resourced
Accountable, Knowledgeable Oversight • This means Board oversight is no longer optional • Delaware courts have made clear it is part of the duty of good faith • SOX 301 • Listing requirements • The Board is required to ensure that: • The compliance program is truly effective • High-level individuals are assigned responsibility for the compliance program • These persons take an active role in promoting ethical conduct
Accountable, Knowledgeable Oversight • Oversight responsibility may be delegated to a committee of the Board • Should be defined in the committee’s charter • The individual with overall responsibility for ethics and compliance and the person with day-to-day responsibility should update the committee at least quarterly • Make sure organizational charts reflect the reporting structure • Discuss material reports and investigations, new large scale issues in the Company’s program, as well as other topics (hotline reporting results, etc.) • Committee should then update the full Board
Accountable, Knowledgeable Oversight • A word about training… • Board should receive training on the compliance program and their responsibilities • Board should be knowledgeable about the training employees are receiving • Only 44 percent of companies surveyed in the 2010 ACC Survey train their Board
Anti-Corruption Compliance—Leading Practices • Training: Local anti-corruption training and messaging at appropriate levels; Risk based approach in training content and frequency requirements • Accounting/Audit: Anti-corruption risk assessments performed on an annual basis; Incorporate anti-corruption audits as part of corporate internal audit • Systems: Automated risk assessment tools that assist in the identification and evaluation of significant anti-corruption risks; Track high risk payments and entertainment expenses for government employees; Government contracts can be segregated, identified and tracked; Use of technology to prevent and detect questionable payments
Anti-Corruption Compliance—Leading Practices • Compliance Environment: Strong and regular message from leadership emphasizing the importance of compliance and zero tolerance policy; Compliance officer charged with responsibility and supported by adequate resources; Anti-corruption and FCPA guidelines built into ethics framework • Legal: Centralization of legal approval of agents and standard anticorruption provisions; Risk based approach in due diligence guidelines; Supply chain management/tracking/verification
Benchmarking and Certification • Certifications • Program (Ethics Inside Certification, Compliance Leader Verification) • Specific areas (Anti-Corruption Program Verification) • Benchmarking • Best practices • Industry peers • Regulatory specific requirements
Final Thoughts • Your compliance program is a living entity; it should be constantly evolving.
Implementation: The Road Map • Key program elements • Risk assessment • Program governance • Written standards • Communications and training • Monitoring/auditing • Are there special considerations for global programs?