
Can Your Compliance Program Manage All of Your Organization's Risks?

Explore how Enterprise-Wide Risk Management (EWRM) can boost compliance initiatives, manage risks, and enhance organizational performance. Learn the key differences, benefits, and a suggested implementation approach. Discover how EWRM aligns with Sarbanes-Oxley requirements and elevates legal and ethical standards in complex business environments. Gain insights on integrating EWRM to streamline monitoring, auditing, and enforcement processes for comprehensive risk mitigation. Elevate your compliance strategy with a proactive EWRM framework.





Presentation Transcript


  1. Can Your Compliance Program Manage All of Your Organization's Risks? Discussing the Proposition of Enterprise Wide Risk Management. February 6, 2003. Michael L. Shaw, Senior Manager, PwC

  2. Overview
  • Corporate Compliance Programs Defined
  • Enterprise-Wide Risk Management Defined
  • Key Differences
  • How Your Organization Can Benefit From Enterprise-Wide Risk Management
  • Applying EWRM to Satisfy Sarbanes-Oxley Requirements
  • A Suggested Approach for Implementing EWRM

  3. Compliance Defined A compliance program is a management process comprised of formal reporting structures and risk mitigation systems designed to motivate, measure, and monitor an organization’s legal and ethical performance around complex business practices.

  4. Elements of a Traditional Compliance Program
  Sources of the elements:
  • Federal Sentencing Guidelines
  • Experience from other industry sectors
  • OIG Compliance Program Guidance
  The seven elements:
  • Standards and Procedures
  • Oversight Responsibility
  • Education and Training
  • Lines of Communication
  • Monitoring and Auditing
  • Enforcement and Discipline
  • Response and Prevention

  5. Elements of a Traditional Compliance Program: Standards and Procedures
  • Code of Conduct
  • Commitment by senior management
  • Distribution to applicable employees and contractors
  • Updating to address new risks
  • Values approach
  • Records retention

  6. Elements of a Traditional Compliance Program: Oversight Responsibility
  • High-level involvement
  • Responsibility for developing, operating, and monitoring the compliance program
  • Direct access to Board and/or CEO
  • Updates to Board and/or CEO
  • Operational Committee

  7. Elements of a Traditional Compliance Program: Education and Training
  • General and specific training sessions on a periodic basis
  • Cover commitment, reinforce policies and procedures, and address risks
  • Conducted for applicable employees and contractors
  • Documentation of training efforts

  8. Elements of a Traditional Compliance Program: Lines of Communication
  • Hotlines
  • Exit interviews
  • Periodic surveys
  • Supervisor accountability
  • Documentation of issues identified and resolved
  • Periodic reports on issues handled
  • Non-retaliation policy

  9. Elements of a Traditional Compliance Program: Monitoring and Auditing
  • Internal or external evaluators to perform regular reviews
  • Focus on high-risk areas
  • Validation of policies and procedures
  • Qualifications of reviewers
  • Corrective action in response to audit results
  • Monitoring and reporting of audit efforts

  10. Elements of a Traditional Compliance Program: Enforcement and Discipline
  • Consequences of violating the law, the Code of Conduct, or policies and procedures
  • Violations reviewed and resolved on a case-by-case basis
  • Consistent disciplinary action
  • Confidentiality
  • Periodic reports of action taken

  11. Elements of a Traditional Compliance Program: Response and Prevention
  • Prompt investigations of reasonable allegations of suspected noncompliance
  • Decisive steps to correct problems identified
  • Reporting to Government when appropriate, under the advice of legal counsel

  12. Notable Quote “I think the guidelines may need to say something more about the need to have ongoing auditing and testing of a compliance program on paper to ensure that it is effective in practice.” - U.S. Sentencing Commission Vice Chair, John R. Steer

  13. EWRM Explained
  • Increasingly, best-in-class organizations are embedding their compliance programs into an expanded view of enterprise-wide risk management (EWRM). Approached in this way, compliance transitions from a reactive, process-intensive activity to a dynamic program that enables the organization to manage a broad range of changes that can impact its performance.
  • EWRM defines risks as events or activities that can affect the achievement of an organization's goals.
  • EWRM addresses all organizational goals, objectives and relationships with key stakeholders.
  • EWRM is an anticipatory, proactive process that becomes a key part of strategy and planning.
  EWRM helps mitigate surprises and ensures all organizations are aligned with key objectives.

  14. EWRM Explained
  • Pulling together the disciplines that address both sides of risk (minimizing uncertainty and maximizing opportunities), the concept pushes an organization to address risks and their management explicitly, as part of everyday business.
  • An EWRM framework emphasizes the need for processes to (1) identify risk, (2) assess risk and (3) manage risk.
  • EWRM can be implemented at any level of the organization, in whole or in part (e.g. business unit, functional process, geography).
  • A robust compliance program is the cornerstone of managing risk across the organization.

  15. EWRM Explained: Building in an Enterprise Wide Risk Management program
  A maturity ladder, from where most organizations are today to current best practice:
  • Reactive (most organizations today?)
    • Managing crisis
  • Complying with known laws and regulations; seeking to meet industry compliance requirements
  • Proactive
    • Enterprise Risk Assessment
    • Control Self Assessment
  • Strategic (current best practice)
    • Strategy Building
    • Risk & Compliance external reporting
    • Enterprise Wide Risk Management Program
  Pulling together the disciplines that address both sides of risk (minimizing uncertainty and maximizing opportunities), the concept pushes an organization to address risks and their management explicitly, as part of everyday business.

  16. Applying EWRM to Satisfy Sarbanes-Oxley Requirements
  Diagram legend (the diagram itself is not part of the transcript):
  • Disclosure Requirements
  • Disclosure Controls and Procedures (DC&P)
  • Internal Accounting Controls
  • Financial Reporting
  • Other aspects of Compliance and Operations pertaining to DC&P
  • Operations
  • Compliance
  • Internal Controls Over Financial Reporting

  17. Operationalizing the Control Structure

  18. EWRM is Supported by the COSO Framework
  • COSO defines internal control as a process, effected by an entity's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding achievement of objectives in each of the following categories:
    • Effectiveness & Efficiency of Operations
    • Reliability of Financial Reporting
    • Compliance with Applicable Laws and Regulations

  19. EWRM is Supported by the COSO Framework
  • Monitoring
    • Assessment of a control system's performance over time.
    • Combination of ongoing and separate evaluation.
    • Management and supervisory activities.
    • Internal audit activities.
  • Control Activities
    • Policies/procedures that ensure management directives are carried out.
    • Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.
  • Control Environment
    • Sets the tone of the organization, influencing the control consciousness of its people.
    • Factors include integrity, ethical values, competence, authority, responsibility.
    • Foundation for all other components of control.
  • Information and Communication
    • Pertinent information identified, captured and communicated in a timely manner.
    • Access to internally and externally generated information.
    • Flow of information that allows for successful control actions, from instructions on responsibilities to summaries of findings for management action.
  • Risk Assessment
    • The identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.
  All five components must be in place for a control to be effective.

  20. Critical Steps of EWRM
  1. Creating a Risk Aware Culture: Guidance and training should be provided to franchise and functional leaders and teams on what is meant when we speak of risk, impact, internal control, etc.; development of a communication plan and supporting infrastructure.
  2. Identify Risk: Proactive identification of events or conditions that could compromise business objectives, categorized by franchise and functional areas. Accountability is assigned to each risk.
  3. Assess Risk: Evaluation of risk, allowing for prioritization of resources.
  4. Manage Risk: Management determines whether the company accepts, rejects, mitigates or transfers individual risks or classes of risks. Functional teams strive to identify risks "before they occur, or in time" to mitigate the impact of the risk. They communicate their views to a risk facilitator on a timely basis. An issue resolution process is in place.

  21. Getting Started: A Suggested Approach
  • Assess your organization's current techniques, tools and approaches for evaluating risk across the organization and consider the appropriate level of opportunity:
    • High-level view at an enterprise level, or
    • Detailed-level view at Business Unit level
  • Conduct a gap analysis of current risk management practices against leading practice models, identifying existing internal best practices and potential opportunities for improvement
  • Develop recommendations for an enterprise-wide risk management framework specific to your organization, including an execution plan to not only identify risks but mitigate them with controls

  22. Getting Started: A Suggested Approach
  • Appoint a Risk Management Facilitator
    • This is a leading practice
  • Develop and articulate the risk strategy
  • Develop tools to identify risk (leverage existing initiatives)
  • Develop a methodology to identify and prioritize risk
  • Create a template to capture the risk profile, including:
    • Nature of the risk
    • Business impact
    • Probability of occurrence
    • Exposure to the company
    • Controls that exist to mitigate the risks
    • Gaps, if any
  • Evaluate and report
    • Consolidated risks to senior management
    • Including supporting management's assertion under Section 404
    • Ensure accountability for identified gaps within functional management
  • Once the assessment is complete, design and implement an enterprise-wide risk management program for your organization
  • Facilitate decision making and monitor program effectiveness
    • Functional management will take the lead, with counsel from the risk management facilitator, to identify, assess and decide how they will mitigate risks

  23. Getting Started: A Suggested Approach
  • For rating the Potential Impact of a risk, the financial, operational and/or legal implications can be considered, as well as the ability to achieve the stated objective in the face of that risk. Respondents can apply a rating corresponding to the level of impact of the risk, as follows:
    • Low - if the impact of the risk would have some financial, operational and/or legal implications and require attention, but is no greater than an irritant to the organization
    • Medium - if the impact of the risk would have significant financial, operational and/or legal implications, and/or would significantly delay the ability to achieve the objectives or otherwise affect it
    • High - if the impact of the risk would have major financial, operational and/or legal implications, and/or is so significant one would need to abandon the objectives

  24. Getting Started: A Suggested Approach
  • For rating the Probability of risks, the frequency of historical events can be considered as well as the current outlook. Respondents can apply the rating corresponding to the probability of occurrence of the risk, as follows:
    • Low - if this risk is unlikely to occur
    • Medium - if occurrence is somewhat likely
    • High - if occurrence is very likely
  • Responsible parties should be identified
  • The external environment should be considered

  25. Getting Started: A Suggested Approach
  • For all risks with a high composite rating, respondents can identify a "Primary Exposure" to indicate the direct exposure facing an organization, using categories such as:
    • Government Enforcement
    • Regulatory Violation
    • Financial Loss
    • Reputational Damage
    • Failure to comply with internal policy
    • Inefficiencies and/or excessive costs
    • Inappropriate financial reporting or disclosure
    • Legal Risk

  26. Getting Started: A Suggested Approach
  • In addition, for all risks with a high composite rating, existing control mechanisms should be considered. An organization's management should apply a rating corresponding to the level of control, such as the following:
    • Policies and procedures exist and are tested as part of external or internal audits, and/or monitoring controls are in place
    • Policies and procedures exist
    • Policies and procedures are in the early stages of development
    • Policies and procedures do not exist

  27. Case Example: A Pharmaceutical Company

  28. Benefits of EWRM
  • Enhanced decision making process
  • Prevention, detection and resolution of improper behavior, including an "early warning system"
  • Improved effectiveness of compliance across the organization
  • Integrated approach to risk, yielding increased efficiencies and reduced costs
  • Mitigated impact of risk issues on the business, both offensively and defensively
  • Increased internal customer satisfaction

  29. In Summary, EWRM provides
  • An integrated, dynamic display of business objectives, key risks, and controls that are aligned with supporting policies, procedures, and operating principles
  • A robust, flexible structure that can deal systematically with both external and internal changes affecting the company
  • An aligned and supportive infrastructure that facilitates early identification of new risks, communication, training, incident identification, issues management, and internal and external reporting
  • A gap analysis in connection with Sections 302 and 404 of Sarbanes-Oxley

  30. For More Information Contact: Michael L. Shaw, Senior Manager, PricewaterhouseCoopers, 1300 K Street, N.W., Suite 800, Washington, D.C. 20005. (202) 414-1552. michael.l.shaw@us.pwcglobal.com
