9/10/2018. Joseph Spinelli. Waqas Shahid. Society of Corporate Compliance Ethics


CONDUCTING RISK & COMPLIANCE ASSESSMENTS FOR ANTI-BRIBERY & ANTI-CORRUPTION PROGRAMS
Society of Corporate Compliance & Ethics, September 12

WHO WE ARE

Joseph Spinelli, joseph.spinelli@ankura.com
Senior Managing Director, New York, NY
Former FBI Agent and Former New York State Inspector General; Monitorships; Investigations
- Preeminent leader in multiple fields, including white collar crime investigations, anti-bribery and corruption, Foreign Corrupt Practices Act (FCPA) risk management, monitorships, and criminal investigations.
- As Inspector General of New York State, oversaw the federal investigation of the violation of civil rights involving hate crimes in a religious community; supervised all fraud and corruption investigations for state government agencies and authorities and co-authored the New York State Internal Control Act of 1987; directed the investigation of corruption in the New York State Police Department; supervised the investigation and prosecution of the executive director of the New York State Thruway Authority for bribery and conflicts of interest.
- As special agent in the Federal Bureau of Investigation (FBI), served as case agent in the investigation and prosecution of a U.S. Congressman in the FBI's ABSCAM investigation; directed the FBI's investigation of organized crime's involvement in professional boxing and testified before the U.S. Senate Subcommittee on Permanent Investigations for the creation of a National Boxing Commission.

Waqas Shahid, waqas.shahid@ankura.com
Senior Managing Director, New York, NY
Corporate ; & Project
- JD with more than 15 years of multi-disciplinary legal, compliance and technology experience, including counseling companies on international trade compliance matters; conducting internal investigations; handling data privacy and security matters; and designing and deploying efficient, scalable compliance solutions.
- Helped multiple global aerospace defense enterprises successfully navigate U.S. export control monitorships.
- As Senior Attorney at a global aerospace defense and technology company, designed and conducted enterprise-wide technology systems compliance reviews; designed and implemented scalable trade compliance solutions; data-driven compliance risk evaluations and mitigation.
- Investigated and disclosed numerous matters involving violations of U.S. export regulations to the Departments of State and Commerce.
- Previously an attorney with Latham & Watkins, where practice focused on U.S. export and sanctions compliance, including under the ITAR, EAR, economic sanctions, and the FCPA.

AGENDA
- What is a compliance risk assessment and why do it?
- Assessment concepts
- Recent government guidance
- Ankura's approach
  - Understand your organization and inherent risks
  - Identify current controls
  - Assess behaviors and outcomes
  - Identify gaps & enhance your program

FRAMING QUESTION
How can you measure, manage, and communicate whether your organization is appropriately managing compliance risk?

WHAT IS A COMPLIANCE RISK ASSESSMENT?

Compliance risk assessment: definition
A deliberate, documented exercise to assess an organization's compliance risk, compliance controls, and gaps in such compliance controls.
- Based on qualitative and quantitative information
- Vehicle to engage organization stakeholders in the compliance process
- Business system and Enterprise Risk planning tool: starting point for deliberate, continuous compliance improvement
- Identification of areas of greatest compliance opportunity/risk

Process overview
1. Understand your organization and assess inherent risks
2. Identify your current controls. Where do you get your information? People, documents, systems
3. Assess behavioral expectations and norms (culture). Self-Assessment White Paper
4. Identify/prioritize gaps and enhance your program

WHY CONDUCT A COMPLIANCE RISK ASSESSMENT?

Drivers for compliance risk assessment
- Performance: risk-driven; analytical/rigorous; efficient; continuously improving; prevention/preemption
- Expectations complexity: US Sentencing Guidelines; DOJ evaluation standards; regulator guidance; industry standards (e.g., ISO)
- Business imperatives: lean execution; complex organizations; dynamic environment; dispersed operations; diverse stakeholders; speed of decision-making

Objections
- "We already know our risks"
- "Too hard"
- "Too expensive"
- "I can't be held responsible for what I don't know"

"One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas." (US Department of Justice and Securities and Exchange Commission, A Resource Guide to the U.S. Foreign Corrupt Practices Act, at 58 (2012))

WHY CONDUCT A COMPLIANCE RISK ASSESSMENT? US GOVERNMENT GUIDANCE

Feb: DOJ Fraud Section issues "Evaluation of Corporate Compliance Programs" guidance ("Filip Factors"):
"We recognize that each company's risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make an individualized determination in each case. This document provides some important topics and sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program."

5. Risk Assessment
- Risk Management Process: What methodology has the company used to identify, analyze, and address the particular risks it faced?
- Information Gathering and Analysis: What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company's compliance program?
- Manifested Risks: How has the company's risk assessment process accounted for manifested risk?
Source: fraud/page/file/937501/download

Nov: Deputy AG Rosenstein announces revised FCPA Corporate Enforcement Policy:
"First, when a company satisfies the standards of voluntary self disclosure, full cooperation, and timely and appropriate remediation, there will be a presumption that the Department will resolve the company's case through a declination. Second, if a company voluntarily discloses wrongdoing and satisfies all other requirements, but aggravating circumstances compel an enforcement action, the Department will recommend a 50% reduction off the low end of the Sentencing Guidelines fine range. Third, the Policy provides details about how the Department evaluates an appropriate compliance program, which will vary depending on the size and resources of a business. The Policy therefore specifies some of the hallmarks of an effective compliance and ethics program. Examples include fostering a culture of compliance; dedicating sufficient resources to compliance activities; and ensuring that experienced compliance personnel have appropriate access to management and to the board."
Source: attorney general rosenstein delivers remarks 34th international conference foreign

WHY CONDUCT A COMPLIANCE RISK ASSESSMENT? US GOVERNMENT GUIDANCE

US Attorneys' Manual, FCPA Corporate Enforcement Policy:
"c. Timely and Appropriate Remediation in FCPA Matters. The following items will be required for a company to receive full credit for timely and appropriate remediation for purposes of USAM (1) (beyond the credit available under the U.S.S.G.):
Implementation of an effective compliance and ethics program, the criteria for which will be periodically updated and which may vary based on the size and resources of the organization, but may include:
o The company's culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
o The effectiveness of the company's risk assessment and the manner in which the company's compliance program has been tailored based on that risk assessment;"
Source: fraud/file/838416/download

COMPLIANCE PROGRAM LIFECYCLE: HOW DO RISK ASSESSMENTS FIT IN?
(Diagram labels: Risk Assessment, Structure, Substantive Controls, Success)
1. Assess your risks
2. Assess your current controls
3. Systematically build & run your program
4. Monitor, oversee, communicate
5. Improve & fine tune

HOW DO YOU DO IT? ANKURA'S APPROACH TO COMPLIANCE RISK ASSESSMENTS

1. Understand your organization & inherent risk
- Get out and know the business
- Understand objectives, strategies, and activities
- Identify potentially regulated activities
- Collect data and measure activity
- Assess your inherent risks

2. Identify your controls
- Understand your compliance obligations
- Identify risk and compliance contact points in terms of systems, processes, and transactions
- Identify and map current controls to contact points
- Evaluate data regarding contact points: volume, frequency, sensitivity

3. Assess behavioral expectations and norms (culture)
- Define and measure behavioral norms and expectations
- Evaluate previous escapes and corrective actions
- Assess residual risk in context of activity information

4. Identify/prioritize gaps and enhance
- Identify gaps and shortcomings
- Prioritize
- Determine whether to accept, avoid, transfer/share, or address residual risks
- Develop enhancements tailored to risks
- Prioritize and initiate enhancement projects

ASSESSMENT CONCEPTS: ASSESSMENT TERM DEFINITIONS

Inherent Risk
- Organizational and operational activities, processes, and conduct that are potential bases for compliance violations or issues
- Independent of compliance controls

Risk Contact Points
- Locations where risk manifests in terms of systems, processes, and transactions
- Conceptual location for implementation of controls

Controls
- Processes, systems, and capabilities intended to mitigate compliance risks
- Conceptually, includes all operational elements of the compliance program

Residual Risk
- Risk remaining following implementation/assessment of controls
- Residual risks can be accepted, avoided, transferred/shared, or addressed

Gaps
- Risk contact points where controls are assessed as insufficient to the risk
- Conceptual location for implementing enhanced controls

Culture
- An organization's attitudes and functional way of doing business with regard to compliance

Enhancements
- Project-based initiatives to manage residual risks, typically through mitigation

1: UNDERSTAND YOUR ORGANIZATION AND ASSESS INHERENT RISK

Base your assessment process on your organization's objectives
- What is your organization's mission?
- What differentiates your organization?
- What are the organization's strategic priorities?
- What are the organization's most pressing operational challenges?
- What is the organization's risk appetite?
- What are the organization's key bottom-line drivers (specific products, customers, initiatives, departments)?
- What are the organization's core values?

Understand risks inherent in your business activities
- What industries do you operate in? What countries?
- What does your sales force look like?
- Who are your customers? Does this expose you to compliance risk?
- Who do you employ? Who do you partner with?
- To understand and document risk, use: executive interviews, employee surveys, enterprise data

Output: systematically-built Risk Map (at multiple layers)
- Risk variable/factor (geography, offering, personnel, supply chain)
- Risk severity
- Risk likelihood (backed by empirical data; how many transactions?)
- Business processes implicated
- Organizational unit(s) that owns the risk

Tools: interviews; surveys; mission and value statements; performance data; leadership direction; past history of escapes; internal risk; internal and external audits

Practical pointers
- Don't be monolithic
- Segment the organization and the population
- Build diversity into process and reporting
- Leverage existing organizational hierarchy; roll-up, aggregate, and distill
- Capture, analyze, and report both qualitative and quantitative data
- Be systematic and organized

1: UNDERSTAND YOUR ORGANIZATION AND ASSESS INHERENT RISK
IDENTIFY & ASSESS INHERENT RISK: EXAMPLE FOR CORRUPTION RISKS (examples of inherent risk areas, lower risk to higher risk)

Industries
  Lower risk: commercial services, unregulated, B2B
  Higher risk: highly regulated with corruption history (construction, utilities, defense, etc.)
Geographies
  Lower risk: developed world, high on TI CPI
  Higher risk: developing world; countries with history of corruption issues; low TI CPI
Government interaction
  Lower risk: infrequent government interaction
  Higher risk: frequent, at high levels; distributed, local
Government approvals
  Lower risk: no govt. licenses or permits required; no government oversight
  Higher risk: government approvals/licenses required; high government oversight
Sales force
  Lower risk: company-employed, vetted sales force
  Higher risk: contracted, foreign sales agents
Company organization
  Lower risk: "one global firm"; centralized management and oversight
  Higher risk: independently operated; joint ventures; branded affiliates
Company culture
  Lower risk: coherent, global corporate culture; ethics and compliance focused
  Higher risk: no coherent corporate culture; ethics & compliance not part of core tenets
Business partnerships
  Lower risk: vetted, international businesses with history of ethics & compliance
  Higher risk: unvetted, local partners; no ethics & compliance track record

2: IDENTIFY YOUR COMPLIANCE CONTROLS

Understand your obligations
- What compliance obligations and jurisdictions are you subject to?
- Involve your legal department & external counsel if necessary

Understand how your obligations map to your risks
- Use your Risk Map to understand the interplay between your risks and obligations

Understand the elements of a sound compliance program (see subsequent slides)

Identify, catalog, and map current controls
- Detailed catalog + visual tracking (see subsequent slides)

Output: systematically-built Controls Map (at multiple layers)
- Obligation area (compliance regime)
- Specific obligations (regulatory provision; internal requirement, etc.)
- Risk link
- Implicated business processes and systems
- Type of control
- Control description
- Owner
- Recordkeeping (how kept, where, audited?)
- Organizational unit that owns the control
- History of past related escapes

Tools: interviews; command media repositories; disclosures & audits; continuous improvement system

Practical pointers
- Don't reinvent the wheel; use the existing corporate compliance framework as a starting point
- Utilize historical escape information (disclosures, memos, etc.) and audit information to understand what controls may have been initiated and why (and which are missing!)
- Don't be monolithic
- Be systematic and organized

2: IDENTIFY YOUR COMPLIANCE CONTROLS: WHAT YOU'RE LOOKING FOR

The very basics
- Proportionality: procedures to prevent bribery
- Top level commitment, effectively reinforced into organization culture
- Continuous organizational risk assessment and fine tuning
- Robust third party diligence and vetting
- Coherent, reinforced communications and training regarding FCPA compliance
- Appropriate monitoring, auditing, and oversight

2: IDENTIFY YOUR COMPLIANCE CONTROLS: SAMPLE OF SPECIFIC QUESTIONS FOR FCPA

Code of Conduct
- Does one exist?
- Clear policy statement on FCPA compliance?
- Reporting encouraged and mechanism identified?
- Is the Code of Conduct applied to vendors, suppliers, partners, consultants, agents?

Employee Training
- Does training cover FCPA obligations, risks, and compliance in detail?
- Who has to take the training? Is the training tailored to job function?
- Are records kept and do employees have to provide certifications?

Third Party Diligence (screening, vetting, and contracting)
- Are partners, contracts, sales agents, etc. screened and vetted?
- Are government contacts / family relationships / etc. part of the vetting?
- Database of third parties?
- Appropriate FCPA flow-downs in contracts?
- Are entities risk ranked, with appropriate diligence?

Organization & Budget
- Is there a designated FCPA compliance officer?
- Does a Chief Compliance Officer (CCO) exist? Does the CCO portfolio cover FCPA compliance?
- Is there a dedicated budget for the FCPA related compliance program?

Policies & Procedures
- FCPA controls built into business policies and procedures?
- Clear instructions on what to do in the event of an FCPA issue?
- Procedure in place for internal reporting? Non-retaliation policy?
- Clear, regularly reinforced messaging from the top?
- Effective communication and training program?
- Is data collected and evaluated?

Systems
- Centralized system for tracking of financial payments?
- Internal controls and alerts built in?
- Regular transaction reviews and auditing?
- FCPA issues reviewed and reported regularly at executive and board level?
- Payment monitoring systems in place?
- Regular internal audits? Regular external audits?
- Past history of violations/disclosures? Remedial actions implemented?

2: IDENTIFY YOUR COMPLIANCE CONTROLS
(Diagram: program areas = what to address; controls & tools = how to address. Tools shown: Systems & [...], Communication, Training. Use the program tools to address the program areas.)

2: IDENTIFY YOUR COMPLIANCE CONTROLS: CONTEXT
(Diagram: Program Matrix, organized by program areas)

2: IDENTIFY YOUR COMPLIANCE CONTROLS: SO WHAT DO WE DO WITH THIS?
(Charts shown on this slide, by program area:
- Maturity Mapping: High, Medium, Low
- Implementation Planning & Sequencing 1: areas of concern and areas of focus, by quarter (G = Q1 2019; Y and B = later quarters)
- Implementation Planning & Sequencing 2: general implementation sequence, by quarter
- Budgeting & Staffing Tool: FY19-20 budget ($ millions), by quarter)

3: ASSESS BEHAVIORAL EXPECTATIONS AND NORMS (CULTURE)

Understand your organization's behavioral expectations (expected culture)
- What are your organization's core values? How do these values interact with compliance?
- How do the organization's leaders EXPECT the organization to behave?

Understand your organization's behavioral norms (actual culture)
- How do your personnel actually behave?
- How does behavior inform compliance objectives and obligations?
- Are there business unit outliers in terms of culture?
- Is your compliance program actually resulting in a culture of compliance?
- Is your compliance program undermined by your actual culture?
- Are all parts of your organization marching to the same drumbeat?

Identify, catalog, and map current

Output: quantitative benchmark of your organization's behavioral norms and expectations

Practical pointers
- Make sure to understand the compliance culture in terms of expected v. actual
- Ensure that you conduct multi-dimensional analysis. Identify as finely as possible teams/groups with the right approach and outlook, and those that could use some help
- This is just a snapshot in time. Monitor continuously to determine whether specific initiatives have the desired effects

Tools: interviews; surveys; advanced data analytics; multi-dimensional analysis; benchmarking (over time, industry)

3: ASSESS BEHAVIORAL EXPECTATIONS AND NORMS (CULTURE)
Cause and Effect Diagram: A Macroscopic View of How a Works
(Diagram columns: Indirect Factors, Causal Factors, Compliance Culture, Outcomes. Factors shown: Mission & Purpose; Leadership & Employee Morale; Engagement; Leadership Stability; Discipline; Liability; Organizational Values; Structures, Systems & Policies; Organizational Team Trust; Collaboration; Decision Effectiveness; Reprisal Anxiety; Code of Conduct; Work Design & Processes; Enterprise Brand Reputation; Litigation Costs; Shareholder Intervention; Penalties; Cost.)
Relationships determined using Analysis of Variance (ANOVA) testing and multivariate regression modeling.

4: IDENTIFY AND PRIORITIZE GAPS AND ENHANCE YOUR PROGRAM

(Flow: Inherent Risks, Obligations, Current Controls, Cultural Assessment -> Gaps / Residual Risk (RR) -> RR Severity, RR Likelihood, Strategic Objectives -> Enhancement Prioritization)

Accept
- Some risks cannot be sufficiently addressed through controls
- Can never FULLY eliminate risks, BUT beware of the optics of accepted risk

Avoid
- Consider whether you can change your business practices to remove the risk
- Usually comes into play when the risk is too high (e.g., media scrutiny, government oversight, etc.) or against company foundational beliefs

Transfer
- Do you really need to own the risk?
- Is the risk better handled by suppliers, customers, partners, regulators, etc.?
- Is there a way to engage the regulators to co-opt them into sharing the risk?

Address
- Can you do something more internally to reduce the risk?
- Can you deploy additional controls / tools to provide redundancy?
- Can you utilize technology to address the risk? (e.g., automation, decision-making tools)

Exploit
- Opportunity obtained from an effective ERM strategy
- Opportunity to increase ROI of compliance by adjusting spend or activity

4: IDENTIFY AND PRIORITIZE GAPS AND ENHANCE YOUR PROGRAM
(Charts shown on this slide, by program area:
- Implementation Planning & Sequencing 1: areas of focus, by quarter (G = Q1 2019; Y and B = later quarters)
- Implementation Planning & Sequencing 2: general implementation sequence, by quarter
- Logical order, in levels L1 to L3: Assessment & [...]; Training; Communication; Systems & [...])

4: IDENTIFY AND PRIORITIZE GAPS AND ENHANCE YOUR PROGRAM
Great, but what about the world where I live?

How do we get buy-in?
- Reframe: Compliance = Credibility = Value Proposition (for partners/customers/etc.)
- Recognize and emphasize that there are real consequences to neglect
- Leverage existing culture, business systems, and reporting
- Have a roadmap for compliant business success; define a path for your client's success
- Incremental, iterative, and pragmatic approach

How do we operationalize?
- Be systematic and organized: implement, measure, communicate, improve

What does this mean for how we do business?
- Build into organizational expectations and processes as a business system
- Compliance at the speed of business: business imperatives