Learn from industry experts how to create, maintain, and update compliance programs effectively. Understand risks, regulatory environments, and stakeholder management for successful implementation. Discover key training strategies and policy delivery methods.
Creating, Maintaining and Updating Your Compliance Program / Code of Conduct and Related Policies and Procedures*
Susan Dauber, General Counsel, Ogg Trading, LLC
Teresa Davidson, General Counsel, Volvo Financial Services Region the Americas
Robert Jett, Global Compliance Counsel, RGA Reinsurance
*Views expressed today by the panelists are their own and are not attributed to or authorized by their employers.
Risk Assessment
• Assess potential risk on an on-going basis
• Changes in laws and regulations
• New product lines and business activities
• New locations (organic growth and acquisitions)
• Change in customer base
• Response to compliance audits and violations
• Create a Risk Matrix
• Tailor types and frequency of training, oversight and compliance audits
Types of Risk
• Conflicts of Interest – Organizational
• Conflicts of Interest – Individual
• Bribery and Corruption
• Supplier Practices
• Competition Law
• Sales and Marketing
• Confidential Information / IP
• Insider Trading
• Data Privacy
• Government Relations and Contracting
• Product Quality and Safety
• Political Activity
• Export Control
• Employment Law and Policy
• Employee Health and Safety
• Anti-boycott
• Environment
• Licensing
• Misuse of Company Resources
• Money Laundering
• Regulatory
• Customers / Sanctions & AML
Risk Matrix
Identify and rate the risk within each category based on its likelihood and impact.
Likelihood: the probability that a given risk or threat occurs.
Impact: the effect on the company if that risk or threat occurred.
Risk Assessment: Output / Results
• Carefully consider who gets a copy of the full risk assessment
• Use a summary of the report for certain stakeholders, including the Board and senior management
• Outline the methodology and clearly set out the scope and limits of the assessment
• Use risk matrices, if practical, to grade risks into categories
• Identify areas of uncertainty and those requiring further assessment or review
• Create a timetable for periodic reviews and updates to the risk assessments
Regulatory Environment
• The current regulatory environment has never been more demanding of corporations and their compliance programs – e.g. state insurance regulators are now looking at AML/OFAC.
• It is important to understand your businesses and the regulatory jurisdictions in which they operate (and want to operate in).
• Resources are not limitless – identify those businesses/products that present the greatest risks to the organization and focus on them initially.
• Proactive vs. reactive approaches – regulators have a greater expectation of a proactive approach than in the past.
Identify Stakeholders
• Key Employee (Chief Legal Officer or Chief Compliance Officer), or
• Decentralized Structure with Corporate Oversight
Board of Directors’ Governance Responsibilities
• Ensure compliance policies, systems and procedures are in place.
• Monitor implementation and effectiveness of the compliance program:
  • Be actively involved
  • Attend Board meetings
  • Review, consider and evaluate information provided
  • Inquire further when presented with questionable circumstances or potential issues
• Once the Board knows of a potential compliance issue, it must act.
• Regularly receive compliance briefings and training.
Developing the Policies
• Mandatory Policy Requirements
  • Ethics, conflict of interest, insider trading, data, finance, IT
• A principles-based approach provides a greater advantage for global effectiveness
  • Permits local nuances but communicates the general policy framework, compliance requirements, and enforcement
• Review by local in-house counsel and local human resources personnel, and a preview with senior management, provides buy-in and reinforces “tone at the top”
• Risk assessment output will drive additional corporate policies
Delivering the Policies
• Consider translation requirements – comprehension of English is generally an issue in Asia, and French versions are a requirement in Quebec.
• Drinking from the fire hose – consider when and how many policies to push out; for the initial program policies, “bite the bullet”.
• Training programs and attestation requirements need consideration as to length and completion periods.
• Updates should be on a rolling basis to use resources efficiently.
• Create a training calendar and coordinate with HR for new hires.
Training Program
• Who will be responsible for overseeing the training program?
• Who will conduct the training?
• Who will be trained?
• How will training be conducted?
• How frequently will training be required or provided?
• How will training be documented and training records maintained?
• How will training be kept relevant and up-to-date?
Training and Communication
Reasonable and practical steps should be taken to disseminate information about the organization’s compliance programs and its policies and processes. Training should be periodic and documented. Training should be provided to the governing body, high-level executives, employees and, where appropriate, the organization’s agents on relevant laws, regulations, corporate policies and prohibited conduct. The government’s expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.
Training Options
• Types of Training:
  • Online (individualized)
  • Webinar
  • In-person / video conference
  • Workshops
• Method:
  • Two-Way
  • Lecture
  • Role Playing
  • Brainstorming
  • Case Studies
• Frequency:
  • On-boarding
  • Periodic / Annual
  • Change in position/job function
  • Management-focused training
• Attendance or Assessment
Communicate Frequently
• Annual Reports
• Business and Staff Meetings
• Company Communications
• CEO Addresses
• Compliance Posters
• In-house Publications
• Company Intranet Postings
• Company Web site
• New Employee Orientation
• Press Releases
• Procedures Manuals
• Training Sessions
• Contract Terms
Assess Effectiveness
Goal: Identify and resolve inconsistencies between written procedures and operations
Methods:
• Track reports of non-compliance
• Audit training completion and results
• Quantify communications by the executive team
• Use of the hotline and other reporting processes
• Audit the audit process
Self-Evaluation Checklist
• Has the company established compliance procedures, policies and standards relevant to its business?
• Are management commitment and involvement apparent?
• Are appropriate resources, including dedicated staff, committed?
• Are there established processes in place such that employees feel comfortable reporting non-compliance?
• Is there effective communication between stakeholders?
• Does the company provide training to all employees, as well as specifically targeted training?
• Has the company implemented checks and safeguards on employees and activities?
• Does the program ensure compliance and detect violations through monitoring and audits?
• Is there a record-keeping process?
• Is there an established procedure for escalating problems and taking corrective actions?
• Is there ongoing monitoring and evaluation of the program to enhance compliance and detection of violations?
• Is the program reviewed and updated based on changes in law or the company’s operations?
Common Issues
• Code of Conduct / Employee Handbook
  • Condition of employment
  • Acknowledge receipt at on-boarding
  • Acknowledge annually
  • Certify that s/he is unaware of violations
• Vendors
  • Provide a copy of or link to the Code or relevant policies
  • Certify that the Vendor maintains similar policies
Monitoring, Auditing and Updating Your Compliance & Ethics Program
Monitoring…Auditing…Response
Organizations are required to monitor, audit and respond quickly to allegations of misconduct. These three components are what enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
Monitoring is a commitment to reviewing compliance activities and detecting gaps in real time, then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis.
Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records.
Responsiveness is composed of investigations, corrective actions, and continuous improvement.
Reasons for Auditing & Monitoring
• Ensure that compliance activities are being performed
• Identify gaps in risk assessments
• Determine gaps and corrective actions needed
• Catch the rogue employee
Benefits of Monitoring & Auditing
In its decision not to prosecute Morgan Stanley for the actions of one of its employees, the US DOJ specifically cited Morgan Stanley’s auditing and monitoring program:
“Morgan Stanley continually evaluated and improved its compliance program and internal controls. For instance, beginning in 2007, Morgan Stanley engaged in risk based FCPA auditing intended to detect transactions, payments, and partnerships that suggested increased risks for Morgan Stanley to violate the FCPA. Morgan Stanley checked the efficacy of its controls through various systems, including internal audits and desk reviews that included meetings between employees and compliance personnel to discuss anti-corruption risks. Morgan Stanley compliance personnel regularly reviewed and updated Morgan Stanley’s compliance program and policies to reflect regulatory developments and changing risk. Morgan Stanley, in conjunction with outside legal counsel, also annually conducted a formal review of each of its anti-corruption policies.”
Types of Auditing & Monitoring
• Formal
• Informal
Formal Auditing
• Usually conducted by Internal Audit or a third party
• Specific focus for the audit activity
• Report typically goes to the Audit Committee of the Board of Directors and/or Executive Management
Partnership with Internal Audit
• Engage with and utilize this resource to the fullest.
• Compliance audits – don’t re-invent the wheel – the internal audit function can be a strong and “silent” partner in conducting reviews.
• Follow through on audit findings – things are never complete.
• The independent nature of the internal audit department provides a stronger case to external regulators for showing review and assessment of controls.
• Audit staff make good compliance professionals.
Working with Internal Audit / Outside Auditors
• It is important to have a good working relationship.
• It is recommended that you meet regularly to discuss issues, upcoming audit plans, etc.
• If possible, try to get involved in the making of the audit plan and the initial review of any audits in progress – before the final report is issued.
• Remember – they are experts at auditing but may not be subject matter experts.
Reporting
• Reports presented to the Audit Committee and/or the Board of Directors tend to be high level and summarized.
• Privilege is a big issue. Reports may be discoverable.
Informal Monitoring
• This is the opportunity to fix problems before they become problems.
• Informal monitoring requires strong relationships throughout the business.
• It is important to have a plan for maintaining contacts with key personnel.
• The major difference from formal auditing is who reviews the findings.
Informal Monitoring Plan
Step 1: Compliance collaborates with the Business Lead to conduct a Compliance review.
Step 2: Compliance coordinates meetings with Compliance Activity owners to review status.
Step 3: When meeting with the Compliance Activity owner, Compliance –
• Reviews the evidence that shows whether the Compliance Activity is still functioning
• Walks through the process and guidance documents with the Compliance Activity owner
• Discusses any concerns or potential gaps with the owner
• Outlines any concerns with the owner and discusses any potential remediation or continuous improvement
Step 4: After meeting with all the Compliance Activity owners, Compliance conducts a de-brief with the Business Lead wherein Compliance –
• Discusses any gaps/concerns and outlines any potential remediation or continuous improvement
• Determines any modification or additions to the Compliance Activity that may be beneficial
• Schedules the next review
All findings will be reported solely to the Business Lead and the respective Compliance Activity owners. No formal report will be issued, and the findings will not be disseminated outside the Business Lead or the Compliance group.
Recommendations
• Conduct annual risk assessments
  • Avoid a “wait and see” approach; enforcement trends and government priorities change rapidly. It is important to stay up to date.
  • Build the annual risk assessment into the compliance program.
  • Risk assessments should be a regular, systematic part of compliance efforts rather than an occasional ad hoc exercise after a crisis.
• Understand the array of compliance risks being faced and perform a comprehensive review
• Scrutinize new business partners and third parties
• Update policies and procedures based on enforcement trends
• Prepare an internal annual reporting process
Develop an Annual Plan
• Typical FCPA agreements (DPAs and NPAs) require an annual risk assessment based on the company’s risk profile
• Integrate with business resources: annual/periodic budget planning and business review meetings are a good source of information. Compliance should always attend.
• Coordinate with internal audit and internal control.
• Executive travel plans / country / business operations visits – calendar and itinerary planning.
• Policy Management
• Systems / people resource limitations
• Cost-benefit analysis
  • FCPA penalties: $2m USD per violation of the Anti-Bribery provisions and $25m USD per violation of the Accounting provisions
  • Willful actions resulting in an FCPA violation can result in up to 20 years imprisonment and a $5m USD personal fine.
  • Extraterritorial liability (e.g. Brazil’s private anti-bribery law: company-to-company bribes)
http://www.justice.gov/criminal/fraud/fcpa/
https://www.sec.gov/spotlight/fcpa/fcpa-cases.shtml
Develop an Annual Plan (2)
Establish Goals of the Annual Plan
• Establish base culture and education of new employees
• Continued training
• Address changes in business operations, legal and regulatory requirements
• Risk mitigation targets
• Revisit internal discipline and penalties for violations
• “Red Flags” and early warning update
• Reinforce commitment of leadership and management
• Central vs. local commitments
• Fix calendar dates
• Strengthen culture of compliance
  • http://www.fincen.gov/statutes_regs/guidance/pdf/FIN-2014-A007.pdf (copy included).
• Prioritize
• Plan for disruptions and delays
• Include local input
  • English and all other languages
  • Allow for local customization
  • Realize some English does not translate well.
• Draft and update templates
• Update policies
  • Determine whether the business actually still operates within its policies
• Tailor training to levels within the organization.
  • Example – Sales needs a 3-hour live session on FCPA, anti-bribery and general ethics or anti-competition at the annual sales meeting, while the tax unit can take an online web session.
Implementing Your Annual Plan
• Communications from Management
  • Employee Town Halls and Meetings
  • Internal Web site
  • Individual Emails (Example Attached as Exhibit ___)
  • All should be translated into the local language.
  • Vet with business leaders
  • Make available online
  • The more senior the sender, the greater the impact.
• Use your Onboarding and Annual Acknowledgement to train at a high level (Sample pages attached as Exhibit __)
  • Update
  • Add questions if the system permits
  • Share results through the business
• Work with Legal – subpoenas, regulatory reports, and government inquiries should change priorities.
• Depending on the industry, plan for an independent third-party review or audit.
Are Your Updates Working?
Common Issues:
• Is your hotline working?
  • Test from each location
• Segregation of duties – review of system authorizations.
• “Exception” payments, contracts
• Third-party due diligence results
• Local language is a “must”
• New servers/computer hardware for customer data
• Follow-up on required government reports (http://blogs.wsj.com/moneybeat/2014/07/22/excerpts-from-new-york-feds-letter-to-deutsche-bank/)
• Comments from Management
• Self Reporting
• Final Test – From the DOJ:
“While the Department recognizes that no compliance program can ever prevent all criminal activity by a corporation's employees, the critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives. The Department has no formulaic requirements regarding corporate compliance programs. The fundamental questions any prosecutor should ask are: Is the corporation's compliance program well designed? Is the program being applied earnestly and in good faith? Does the corporation's compliance program work?”
http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/28mcrm.htm#9-28.800
• http://www.fcpablog.com/blog/2014/1/15/gold-dust-for-compliance-officers.html
Some Common Pitfalls
• Manage expectations (unrealistic, undefined, unclear)
• Avoid aggressive deadlines
• Lack of resources (be upfront and realistic)
• Ownership issues (objectivity, credibility)
• Coordination (communication is important)
• Narrow and deep vs. shallow and wide
• Documentation availability (e.g. policies, processes)
• Heavy focus on the perceived “priority” risks
• Lack of follow-through
• One-time event mind-set (vs. “evergreen” or continuous improvement)
Maintain Your Sanity – Tips for Success!
• Ease into it – a lighter approach is still a good first step
• Be prepared to deal with what you find – communicate with and educate leadership accordingly, in advance if possible
• Strive for objectivity – use open-ended questions
• Use output to improve the overall program, not to validate it
• Structuring the document is key
• Use your unique facilitation role – communicate non-compliance ideas and feedback received during assessments
• Use results to “prove” program efficiency, not vice versa
Useful Resources
http://www.acc.com/ethicsxchange/
http://www.bis.doc.gov/index.php/compliance-a-training/export-administration-regulations-training/online-training-room
http://www.worldcompliance.com/Libraries/WhitePapers/FCPA_Compliance_Roadmap_White_paper.sflb.ashx
http://www.epa.gov/compliance/assistance/business.html
http://www.dol.gov/compliance/
http://www.acc.com/vl/membersonly/SampleFormPolicy/loader.cfm?csModule=security/getfile&pageid=1326931&page=/legalresources/resource.cfm&qstring=show=1326931&title=Compliance%20Policies
Useful Resources (continued)
http://www.oecd.org/daf/anti-bribery/countryreportsontheimplementationoftheoecdanti-briberyconvention.htm
http://www.fcpablog.com/
http://www.irs.gov/Businesses/Corporations/Foreign-Account-Tax-Compliance-Act-FATCA
http://fcpamericas.com/
http://www.transparency.org/whatwedo/pub/assurance_framework_for_corporate_anti_bribery_programmes
http://www.ftc.gov/
http://www.justice.gov/criminal/fraud/fcpa/othersites/
http://www.fincen.gov/statutes_regs/guidance/
http://www.pwc.com/en_US/us/risk-assurance-services
(If links do not work, cut and paste them into the browser window.)