Standardization of Compliance Programs


ANTI-BRIBERY & CORRUPTION CONFERENCE 2017
Standardization of Compliance Programs
Karin Holloch, Jones Day Düsseldorf (Germany)

OVERVIEW
I. Introduction
II. Reasons for Standardization of Compliance Programs
III. ISO
IV. ISO
V. IDW PS 980

INTRODUCTION: DIFFERENT ASPECTS OF STANDARDIZATION

Standardization based on laws, guidelines, regulations
- National law might require standardization of the CMS
- Recommendations of national public authorities about the structure and content of the CMS
- Development of best practices in CMS to avoid liability

Standardization of the CMS as corporate policy
- Development of one CMS throughout the whole company
- Cross-jurisdictional, unified CMS

Standardization of certain elements of the CMS
- Certain elements of the CMS can be standardized, e.g. the Hospitality and Gifts Policy or the whistleblower system
- Organizational aspects can be standardized, e.g. reporting lines, reports, etc.

INTRODUCTION: CHALLENGES OF STANDARDIZATION
- Risk and compliance culture vary from one country to the next, and regulatory pressures differ across geographies.
- Multiple compliance regulations (for the banking sector e.g. the Dodd-Frank Act, the Foreign Account Tax Compliance Act (FATCA), Basel III)
- Lack of integration across business systems storing and managing compliance-related information or activities
- There is no one-size-fits-all solution in compliance management.

INTRODUCTION: BENEFITS OF STANDARDIZATION
- One standard for compliance, integrity and ethics
- Clear rules and transparent regulations and policies help employees understand what is expected of them
- Efficient compliance management (reduction of the number of regulations and policies, lean management of internal regulations and policies)
- Helps to develop the compliance culture in the company

INTRODUCTION: NATIONAL CORPORATE GOVERNANCE CODES
Basic principles of all national codes:
- the board of directors is responsible for internal audit, risk and compliance management
- compliance management must be effective and proportional to the risks
- no delegation of responsibility for the design, supervision and effectiveness of the compliance management system for ensuring compliance with the law

NATIONAL STANDARDS FOR COMPLIANCE MANAGEMENT SYSTEMS

NATIONAL STANDARDS FOR CMS (1)
- Australian Standard on Compliance Programs, 1998 = AS 3806 (developed in 1995, on the initiative of the Australian Consumer & Competition Commission), revised in 2006
- UK Bribery Act 2010 (international scope of application, possibility of sanctions against companies and individuals)
- Austrian standard ONR Compliance Management Systems
- Italian decree-law (231/2001) establishing an obligation for a CMS, with broad sanctions against companies and individuals

NATIONAL STANDARDS FOR CMS (2)
USA:
- Foreign Corrupt Practices Act, 1997
- Federal Sentencing Guidelines issued by the US Sentencing Commission, 1991
- Sarbanes-Oxley Act, in force since July 2002
- Listing Standards of the New York Stock Exchange require a CMS

Standards from non-governmental sources:
- German Audit Standard 980, Principles for auditing CMS
- ICC Rules of Conduct to Combat Extortion and Bribery, published 1997
- Antitrust Compliance Toolkit, published 2013 by the ICC, to bring compliance programs or CMS in line with international best practice

BEST PRACTICES FOR STANDARDIZATION OF CMS
- A culture of ethics and compliance with law, built on values and business principles applied by the governing body and management within a good compliance governance framework.
- A written compliance policy that sets out the objectives of compliance within the company, describes the responsibilities of the board of directors, executive management and the staff, explains how the compliance function is organized and what its role is, and regulates its independence, its authority within the organization and its resources.
- Full, systematic analysis of compliance risks.
- Organization and procedures of the CMS, including the Internal Control System.

ISO / ISO

INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO)
- established 1947
- Head Office in Geneva, Switzerland
- independent, non-governmental organization with a membership of 162 countries
- focused on the development of relevant International Standards to improve international trading
- has developed more than twenty thousand voluntary international standards
- other standards: ISO Social responsibility, ISO Energy management, ISO Anti-bribery management systems

ISO & ISO
- ISO Standard for CMS: management principles
- ISO Standard for the fight against bribery: development of an ethical business culture

OVERVIEW: ISO
The ISO Standard for Compliance Management Systems (CMS) is based on the general management principle of sustained optimization. The principle consists of four steps:
- plan
- act
- review
- adapt

The standard provides no binding rules for companies, but is recognized as a general guideline which can be adapted by companies and organizations of diverse types and sizes. The Standard can support the establishment of a CMS, and also the integration of compliance into an existing management system.

ELEMENTS OF CMS IN ACCORDANCE WITH ISO
[Figure: elements of a CMS in accordance with the ISO standard. Source: International Organization for Standardization, ISO Compliance Management Systems]

ISO
- The ISO Standard was established in October 2016
- new standard to help organizations fight bribery and promote an ethical business culture
- provides new requirements for:
  - Anti-bribery policy / Management leadership, commitment and responsibility
  - Personnel controls and training / Risk assessments
  - Due diligence on projects and business associates / Financial, commercial and contractual controls
  - Reporting, monitoring, investigation and review / Corrective action and continuing improvement

The standard provides no binding rules for companies, but is recognized as a general guideline which can be adapted by companies and organizations of diverse types and sizes.

GERMANY: AUDIT STANDARD IDW PS 980

IDW PS 980
- Audit standard for compliance risk analysis and compliance programs
- established by the Institute of German Auditors, 2011

[Figure: the seven elements of a CMS under IDW PS 980: compliance culture, compliance targets, compliance risk, compliance program, compliance organization, compliance communication, compliance monitoring / improvement]

COMPLIANCE-RISK ANALYSIS IN ACCORDANCE WITH IDW PS 980 (1)
Taking into account the compliance goals, the compliance risks are identified which may result in violations of the rules to be adhered to and, as a result, in failure to meet the compliance targets. For this purpose, a procedure for systematic risk identification and reporting is introduced. The identified risks are analyzed in terms of likelihood of occurrence and possible consequences (e.g. level of damage).
- Basis for the development of the CMS and monitoring measures
- Strategic analysis of risks of compliance violations, e.g. interviews, workshops
- Not a one-time activity, but a regular process

COMPLIANCE-RISK ANALYSIS IN ACCORDANCE WITH IDW PS 980 (2)
Clarifying issues:
- What are the essential (supervisory) legal requirements for the respective area (law, regulations, guidelines etc.)?
- What is the assessment of the risk of violations of these (legal) regulations or non-compliance? (Quantification based on the dimensions "probability of occurrence" and "possible amount of damage"; gross / net view)
- Are any further measures necessary to remedy any deficits / regulatory gaps?
- How is it ensured that changes in legal regulations and specifications are observed by the company?

REVIEW OF CMS IN ACCORDANCE WITH IDW PS 980
[Figure: the three audit types under IDW PS 980: type 1 = concept, type 2 = appropriateness, type 3 = effectiveness]

REVIEW OF CMS IN ACCORDANCE WITH IDW PS 980

Audit of concept
- Scope of audit: description of the CMS provided by the company

Audit of appropriateness
- CMS is appropriate to identify and to prevent risks with reasonable assurance
- Audit of the implementation of the CMS in business processes
- Audit of concept included

Audit of effectiveness
- Audit of the effectiveness and implementation of the described measures
- CMS is appropriate to identify and to prevent risks with reasonable assurance
- Audit of concept & appropriateness included

THANK YOU VERY MUCH FOR YOUR ATTENTION!
Karin Holloch
Rechtsanwältin
Certified Compliance & Ethics Professional International (CCB)
Jones Day Düsseldorf

GLOBAL REACH
We do business where our clients do business.