Sustaining an Effective Ethics and Compliance Program through Program and Risk Assessments

Transcription

1 Sustaining an Effective Ethics and Compliance Program through Program and Risk Assessments Thomas F. Kokalas, Bracewell, LLP Michael W. Brooks, Bracewell, LLP Stacy Mines, EY (Fraud Investigations and Dispute Services) Introductions 1

2 Overview I. Assessing the Compliance Program II. Framing the Assessment Standards and Elements III. Conducting Program Assessments IV. CFTC and FERC Risk Factors V. Conclusion and Questions Assessing the Compliance Program Key Considerations Compliance programs are designed to ensure that company policies are being followed and that controls are in place to prevent and detect misconduct, identify problems and address policy concerns. Periodically assessing the effectiveness of the compliance program helps make certain that standards and expectations are being met. 2

3 Assessing the Compliance Program Sentencing Guidelines Standards Demonstrates that the company is conducting due diligence and devoting attention to its compliance program. 8B2.1(a)(1). Promotes an organizational culture that encourages ethical conduct. 8B2.1(a)(2). Demonstrates that the company is committed to its compliance program. 8B2.1(b)(1-7). Assessing the Compliance Program Part of a Best Practices Approach to Compliance Pro-Active v. Re-Active. Helps shed light on issues that may have gone unnoticed or undetected. 3

4 Framing the Assessment Identifying the Risk Factors Facing the Industry External Sources of Information Conduct a review of recent enforcement proceedings. Gauge what various regulators are focused on. Internal Sources of Information Pinpoint what Executives and General Counsel are concerned with. Speak with employees that may be faced with compliance risks Identify Gaps Ensure the right questions are being asked. Is the organization assessing the right information. Framing the Assessment Identifying the Risk Factors Facing the Industry Specific Issues Reliability concerns Gas and Gas Safety Commodities Trading (FERC and Dodd Frank) Renewables Environmental Issues Cybersecurity 4

5 Companies need to answer six key questions What are our most significant ethics and compliance risks? Who is accountable for managing them? What are they doing? Is it working? How do we know? Do we have evidence (appropriate documents and records)? Can you answer all six questions? Where do you have challenges? To meet federal sentencing guidelines definition of an effective program... Definition: Exercise due diligence to prevent and detect criminal conduct and promote an organizational culture that encourages ethical conduct and compliance with law. Standards and procedures To prevent and detect violations Leadership Board of Directors oversees program Senior management ensures an effective program Specific high-level people have overall responsibility for program Person with clout, resources and Board access has operational responsibility for program Trustworthy leaders Diligence to screen out managers with history of non-compliant or unethical conduct Training and education For directors, officers, employees and appropriate agents Management processes Monitoring, auditing, and evaluating the program Confidential resource to report concerns or ask questions, preferably anonymous Incentives and discipline To enforce program Response and improvement Reasonable steps taken after misconduct is detected Risk assessment influences all other standards The organization shall periodically assess the risk of criminal conduct and shall design, implement or modify each requirement set forth to reduce the risk of criminal conduct identified through this process 5

6 and FERC Expectations Conducts compliance audits and investigations Created its own penalty guidelines, compliance program policy statement and statement on enforcement with Federal Sentencing Guidelines as a foundation Can refer matters to the Department of Justice for criminal prosecution Power to condition, suspend, or revoke market-based rate authority, certificate authority, or blanket certificate authority Ability to fine up to $1,000,000 per day per violation Total fines in excess of $450 million since 2007, with most ranging between $1 10 million Fines as high as $245 million related to submission of false information and market manipulation in trading activities Civil penalties can be entirely eliminated if both the following occur Violation was not serious Appropriate remediation steps were taken and an effective compliance program was in place Effective Preventive Measures: FERC Policy Statement on Compliance 2008 It is not enough to create a good compliance program on paper; the company must carry through to implement the program with effective accountability for compliance and periodic review and evaluation of the effectiveness of the program. Commitment to Compliance: FERC Revised Enforcement Policy Statement 2008 The factors examined in determining the existence of a robust internal compliance program include determining how frequently the company reviews and modifies the compliance program. Drivers SEC/DOJ enforcement DOJ hired Compliance Counsel to assist in assessing the quality and effectiveness of companies corporate compliance programs Window dressing vs. quality, effective program (not one-size-fits all; scaled to size and risk) Guidance regarding the resolution of cases involving corporate wrongdoing focuses on the compliance program in place at the company Sentences can be reduced based on existence of a compliance program Compliance measured by self-policing, self-reporting, remediation, and cooperation An organization will never qualify for reduced sentencing when it unreasonably delays reporting the offense Includes effective compliance and ethics program Common sense approach to evaluating compliance programs Is the program well designed? Is it applied in good faith? Does it work? How has it been implemented? Focus goes beyond design of the program; looks at actual implementation across the organization Emphasis on whistleblower protection Sarbanes Oxley (2002) Protects whistleblowers from retaliation Dodd Frank (2010) Provides and monetary awards for whistleblowers who voluntarily come forward with information Acknowledges importance of internal programs and provides than an employee may report issues to the internal program and the government and still qualify 6

7 The ultimate outcome of an effective compliance program is a reputation to underpin business success Assurance to shareholders and the Board that the Company complies with its legal obligations Attraction of the best customers, business partners and employees because the Company actively demonstrates high ethical standards supported by its values Communication of expectations and providing workable solutions for compliance by employees and third-parties acting on behalf of the Company Assurance to employees and third-parties that they can raise concerns in a safe environment Early resolution of issues because employees raise issues and the Company has an established protocol for addressing issues Program lifecycle management Regularly evaluate effectiveness of Integrity & Compliance framework. Timely close identified gaps and report on effectiveness to local management. Assess and improve Integrity & Compliance Framework to ensure effectiveness and increase acceptance and efficiency Regularly re-assess Compliance and Integrity Risks to ensure appropriate coverage, considering changes in regulatory requirements, audit findings, actual cases (externally and internally) Review centrally defined Integrity & Compliance to identify need to change locally implemented compliance frameworks / adjust local frameworks to individual needs Update Integrity & Compliance framework to reflect changes of risks and regulation, within the organization, strategy, structure, operation or processes and IT landscape 7

8 Compliance risk assessment approaches and challenges vary by company What is your approach to compliance risk assessment? Have you identified your compliance risk universe and owners of those areas? What is the frequency of your risk assessment process? How do you engage key leaders in the process? What is the relationship to ERM, if applicable, regarding key outputs, ratings, and standards? How do you utilize the results? Do you report results or mitigation efforts to the Board? Compliance Risk Universe* Illustrative example for utilities not company specific Competitive practices (FTC, DOJ) Antitrust Customer, competitor, supplier relations Corporate governance (SEC) Board structure and processes Audit committee structure and processes Ethics Employment (EEOC, DOL) Executive compensation Compensation Benefits Hiring Employee info privacy Reductions in force Whistleblower protection Harassment prevention Accommodation (discrimination prevention) Workplace violence Global migration (immigration) Contingent workforce Labor Leave Employment torts Environmental (EPA) NEPA Air quality Water Quality Management systems and reporting Hazardous material management Laboratory practices Permit management Financial SOX Tax Treasury Legal and regulatory requirements Fraud and corruption (DOJ) Foreign Corrupt Practices Act (FCPA) Insider transactions Anti-money laundering Financial statement fraud Occupational fraud (intellectual property, trade secrets) Corruption Revenue and expense recognition Government contracts (DOD, OMB) US Government contracts Other jurisdictions (state and country) Information management Records retention Freedom of Information ACT (FOIA) Data and record classification Information access Information availability and recovery Information management monitoring Information disposition Litigation discovery rules Data protection and privacy Intellectual property (DOC) Copyright Trademark Trade secret Patent International dealings/trade (FTC, DOC) Boycott Import Export Workplace health/safety (OSHA) Security and Emergency Response (ESF) Employees Contractors Product quality/liability Quality management system NRC Nuclear operations and decommissioning New construction State PUCs Base rate and other cost-recovery cases Inspection rules Regulatory proceedings and investigations Reporting requirements Retail choice rules Privacy rules FERC Market manipulation Market behavior rules Affiliate restrictions Standards of conduct Wholesale market price reporting Compliance effectiveness Commercial operations Participation in ISO and RTO markets Billing and payment, settlement Creditworthiness Capacity and supply obligations NERC Critical infrastructure protection standards Reliability standards CFTC Futures/derivatives/options trading Trading standards Political activities Lobbying guidelines PAC contributions Employee s activities Time and expense reporting of meetings Business requirements Internally focused requirements Mission Values Code of Conduct Policies and procedures Quality management certifications (ISO, Six Sigma) Crisis preparedness Externally focused requirements Corporate social responsibility Sustainability Public commitments Contractual obligations Vendor management Exchange listings Voluntary standards US Federal Sentencing Guidelines Industry codes Trade associations Emerging issues Aside from mandatory requirements, organizations make choices regarding their brand, their values and the commitments they make to customers, business partners, employees and other stakeholders. Although voluntary, consequences for non-compliance could be more serious than non-compliance with mandatory requirements. *Illustrative US example 8

9 Compliance risk areas E&C maintains a listing of the Company s compliance risk areas Sample areas include: Environmental Health and Safety NERC FERC Financial / Sox Nuclear Labor and Employment International (non-us) Department of Transportation Federal Contracting Dodd-Frank Cybersecurity Supply Chain FCPA Antitrust Data Privacy Intellectual Property Records and Information Management State Regulatory Customer/ Competition Political Activity and Lobbying Compliance risk assessment leading practices Repeatable process with increased interaction with areas previously deemed high risk Survey all areas annually Higher risk areas periodic facilitated sessions Sharing of lessons learned and emerging issues with compliance areas to make the process meaningful Integration with ERM, if applicable, regarding key outputs, ratings, and standards Compliance Program periodic reports to the Board include updates on highest risk compliance areas and key controls or improvement activities Periodic independent compliance risk assessments with facilitated sessions 9

10 Risk dashboard Illustrative - For Discussion Purposes Risk detail Mitigation Compliance risk area Risk level Principal risks Trend v. Prior qtr Response/ initiative Status 1 Cyber security Risk 1 Cyber security High 2 Cyber security Risk 2 Privacy FERC Environmental State Regulatory Medium Medium Low Low Cyber security Risk 3 Privacy Risk 1 Privacy Risk 2 Privacy Risk 3 FERC Risk 1 FERC Risk 2 FERC Risk 3 Environmental Risk 1 Environmental Risk 2 Environmental Risk 3 State Regulatory Risk 1 State Regulatory Risk 2 State Regulatory Risk 3 This will be populated as future assessments are conducted Challenges to providing reasonable assurance of compliance for diverse areas Now you know your risks, how should they be managed? What program elements are missing or need to be enhanced? What is your approach to understanding what practices are in place for core compliance risk areas? Are there common elements you expect to see in all compliance programs? What is your role in terms of providing assurance? How do you roll up compliance information to the Board? Are there tools and approaches that can be shared across compliance risk areas? 10

11 Compliance framework Core program standards with design and implementation remaining with each risk area Development of a compliance management framework with specific program standards Sets accountability for cross-cutting elements such as compliance risk assessment and Helpline process (response and remediation) Identifies those accountable for compliance programs in key risk areas Establishes universal standards with accountabilities and process steps Utilizes a maturity model to facilitate continuous improvement Allows for assessment of progress against core program elements at the compliance risk level not just at enterprise level Provides tools for management reporting and oversight Establishing core standards, measuring compliance management practices against those standards and development of improvement plans to address gaps does not require a one size fits all approach to compliance Program controls should be tailored to the risk of the particular compliance area Comprehensive framework Compliance & Integrity Mission and values Strategy Tone at the top Culture Effective and aligned compliance activities Board oversight / management responsibility Integrity & Compliance organization PREVENT DETECT RESPOND People Process Data Systems Code of conduct Policies, procedures, processes and controls Education and advice Incentives Compliance risk assessment and monitoring Internal and external communication / program reporting Requirement management and implementing processes Program evaluation and compliance sustainability Strategy and support functions Speaking up and confidential reporting Third-party diligence Monitoring, reviews and auditing Data analytics Operations and business units Engaged and accountable employees Incident and case management Investigation Corrective action Remediation Corporate governance Integrated risk and compliance functions Operational excellence 11

12 Compliance framework The framework and the core standards serve as a basis for evaluating compliance practices across the Company Partnership: Each business unit and functional compliance area, in partnership with the Compliance Office, assess their compliance practices against the compliance management standards. Areas with higher compliance risk as evaluated through the risk assessment process would be expected to have more controls or oversight than lower risk areas. Assurance: If the business units and functional compliance areas meet the compliance management standards, then the company has assurance that core compliance management practices are in place. Alignment: Gaps between current practices and the core standards are identified through comparing current practices to the standards (assessment). Improvement plans, prioritized based on risk, are developed to address gaps. Best practices: Also identified through the assessment process and shared across business units and functional compliance areas. Compliance Program Assessment Outline of an approach Identify whether you will conduct an overarching program assessment or assess a specific risk area against key program expectations Determine if the assessment will be conducted by company personnel or outside provider Level of risk Reason for the assessment (proactive versus response to particular concern) Privilege consideration Level of expertise needed or desired Identify key stakeholders for interviews and/or facilitated sessions Review key documents Review any relevant investigation/hotline trends and themes Tie findings to framework and expected elements Identify strengths and gaps Engage risk owner regarding mitigation/improvements Track completion of any agreed upon improvements/remediation 12

13 Assessment process Framework elements serve as a checklist of compliance practices/ standards (based on Federal Sentencing Guidelines and other relevant guidance) Accountability: E&C in partnership with leaders of compliance risk areas conduct assessments and compare existing program elements to expected standards. Where there are gaps, risk mitigation plans are drafted by the business units and functional compliance areas. These should be tailored to the relative risk. Support: Improvement or risk mitigation plans are shared with the Compliance Office as part of on-going dialogue and partnership. In addition, the Compliance Office can facilitate sharing of best practices across the organization to eliminate redundancy. Monitoring: Programs elements once reported as in place, can be part of audit plans for future audit cycles. Provides some independent view of the selfassessment. Board level focus: Assessment results for high-risk areas can be shared with the Board as part of the overall program update reporting. Requirement management E&C: Prevention Requirement management Identifies, in consultation with the Business Unit Heads and Law Department, a list of Compliance Areas (a Compliance Area may be company-wide or unique to a Business Unit or Support Function) Maintains a list of Compliance Area Leads Compliance area leads: Assign and document the process and accountability for identifying and documenting laws, regulations and other compliance requirements and for tracking new and changed requirements for the Compliance Area Assign and document the process and accountability for interpreting laws, regulations, orders and other compliance requirements Ensure that there is a current catalog of compliance requirements that is reviewed periodically for completeness, including applicable external reporting requirements Ensure timely, accurate and complete reporting of information to regulators, with adequate coordination and review across the company or impacted areas, for each compliance requirement in the catalog Notify E&C upon discovery of new or changed compliance requirements that should be communicated to other Compliance Area Leads for their review Provide effective communication about changes in compliance obligations for managers and employees with compliance responsibilities What is the process and accountability for identifying and documenting new or changed laws, regulations and compliance requirements? Are you assigned to track specific requirements? What are the applicable external reporting requirements for reporting of information to regulators for your compliance requirements? What is the process for communicating new or changed compliance requirements to others (e.g., Functional Areas, Compliance Areas, work groups) that may be affected and ensuring relevant interpretations are consistent across Compliance Areas? What tools or software are used to track, manage and monitor your requirements? 13

14 Assurance, monitoring & auditing Detection Assurance, Monitoring & Auditing E&C: Ensures that investigation protocols and jurisdiction statements for identification of investigation resources are maintained and updated Develops templates and tools for Compliance Area Leads to use in self-assessments and reports under the Compliance Program Framework and Standards Identifies key compliance Program metrics for on-going reporting Compliance area leads: Establish and monitor key indicators of compliance to core policies and procedures developed in their Compliance Areas Provide regular reports, metrics and assessments of their Compliance Area to E&C and to Functional Area Leads to enable them to monitor and assess compliance performance Provide certifications, as requested, to E&C What types of monitoring activities are performed to gauge the execution of compliance policies? How often? How do you review compliance with core policies and procedures developed in your area? Are periodic audits of compliance performed? Do the you maintain a list of compliance certifications? What is the process for reporting certifications in a timely manner? Escalation/notification Response Escalation/notification E&C: Creates guidelines regarding escalation and communication of compliance issues across the Company Compliance area leads: Develop Escalation Guidelines for their Compliance Area which indicate when issues should be communicated to E&C and senior management Escalate compliance issues to E&C based on the Escalation Guidelines maintained by E&C Do you have established guidelines for defining and reporting significant compliance issues? How do you analyze and review minor compliance issues to identify potentially significant overall trends? Do you have clear guidelines in place to determine when issues need to be reported to E&C? 14

15 Compliance program - Communication To assess leadership and tone-at-the-top, program assessments consider communication from Management. Program assessments should also consider how the communication is perceived by employees within the company Example: I regularly trust the information provided to me by: 40% 45% 45% 44% 45% 38% 10% 25% 30% 30% 29% 20% 18% 16% 12% 13% 10% 5% 4% 4% 4% 2% 1% 2% 2% 1% 1% 0% 1% 1% Chief Executive Officer Other corporate officers and executives Local managers My supervisor My peers Strongly Agree Agree Neutral Disagree Strongly Disagree Don't Know Do training survey results demonstrate strength or weakness Program assessments include a review of training materials and the process of updating for new policies or regulations. However, are there elements of a training program that require additional focus or attention? Is adequate training provided across all departments? Example: In the past two years, I have received sufficient and useful training that covers and includes 29% 44% 21% 35% 31% 14% 47% 25% 21% 44% 27% 17% 14% 38% 22% 20% 6% 4% 4% 3% 2% 1% 1% 0% 0% 0% 0% 0% Company's Code of Conduct 19% Policies that apply to my job Values 11% Conducting business in an ethical manner Raising and reporting issues 59% 35% 55% 23% 58% 27% 61% 29% 59% 26% 14% 11% 11% 7% 7% 5% 4% 4% 2% 1% 0% 0% 1% 0% 0% 0% 1% 0% 0% 0% Company's Code of Conduct Policies that apply to my job Values Conducting Raising business in and an ethical reporting manner issues Strongly Agree Agree Neutral Disagree Strongly Disagree Don't Know 15

16 Reporting to senior leadership and the Board The key deliverables from compliance program improvement plans can be reported to senior leadership and the Board Primarily about the existence of compliance management programs that meet required/desired standards Provided in addition to standard reporting on other overall program elements Provides a framework for engaging leadership around solutions and resource requirements that may cut across compliance areas Mitigation/improvement plans for highest risk compliance areas may feed into Board reporting As the compliance program matures, metrics can be added regarding program performance and effectiveness Compliance issues identified by third parties versus self-identified through audit, investigation, control review Control improvements stemming from internal review Decrease in external charges/complaints Trends re findings of external audits/reviews (fewer findings) Compliance dashboard Illustrative - For Discussion Purposes Risk detail Mitigation Compliance risk area Risk level Principal risks Trend v. Prior qtr Response/ initiative Status Requirements management (intake) Risk assessment FERC High Monitoring & auditing Response/issues management Evidence management Data Privacy FCPA/ABAC Data Privacy/ Security High Medium Low Communication & training Written standards Requirements management (intake) Risk assessment Monitoring & auditing Response/issues management Evidence management Communication & training Written standards Requirements management (intake) Risk assessment Monitoring & auditing Response/issues management Evidence management Communication & training Written standards Requirements management (intake) Risk assessment Monitoring & auditing Response/issues management Evidence management This will be populated as future assessments are conducted Communication & training Written standards 16

17 Sample compliance area reporting tool Auditing & Reports (Total Gas & Power) [M]anagement was aware of high market share Daily/monthly market share reports Compliance recommending use of reports Middle/back office inquiries about reasons for trading when more than 40% of overall volumes traded Written exercise where trader explains motivation Compliance report: contemplate ramping down its fixed price and physical basis trading in the markets in which it has a large share No traders questioned or disciplined CFTC Settlement: Civil penalty: $3,600,000 Trading limitations, document preservation, and reporting FERC Notice of Alleged Violations (pending) 17

18 Importance of Change (Kraft Foods) Historically procured its supply primarily in the local (Toledo, Ohio) cash market, using wheat futures to hedge its cash purchases In late 2011, the cash market was trading at a premium to the futures market and Kraft estimated that it could save more than $7 million by sourcing wheat via December 2011 futures rather than the cash market Kraft anticipated move would cause December futures prices to rise and cash prices to fall; constructed futures position to benefit then redelivered futures and purchased from cash market Importance of Change (BP Americas) [BP traders had] not adequately explained the changes in their trading s in Products To Price Setting Mechanism s in Timing of Trades s in Bid/Offer Behavior s in Volume s in Positions s in Transportation Usage s in Profit & Loss (P&L) Vetting new strategies prior to execution and recognizing changes in trading patterns as triggers for compliance reviews can help mitigate risk 18

19 The Human Factor (Direct Energy) Self-reported atypical trading Discovered almost immediately two different ways: Trader notified supervisor and then Compliance Officer after training Back office flagged unusually large volume of transaction confirmations Settlement: Civil penalty: $20,000 Disgorgement of unjust profits: $31,935 Compliance commitment and monitoring Credited with effective compliance program and cooperation CFTC/FERC Risks Manipulation Cross-Market Manipulation Gaming Disruptive Trading Spoofing Reckless disregard for orderly trading Violating bids/offers Do we have related positions? Do we trade price-setting products? What share of the market are we? Where do our profits come from? Training only? Monitoring? Futures Exchange Violations (ICE/NYMEX) Position Limits Prearranged Trades Block trades Exchange for Related Positions (EFRPs) Training? Affiliates? Controls? 19

20 CFTC/FERC Risks (cont d) Capacity Release Rules (yes, they still exist) Shipper-must-have-title policy and buy-sell prohibition Tying and bidding exceptions Authorizations & Periodic Filings Market-based rate authority (for all products and markets) Quarterly, annual, and event-triggered filings Dodd-Frank Requirements Reporting and recordkeeping Non-swap dealer status ISO/RTO Tariff Violations Loop flow Sham schedules On the Radar at FERC Connected Entity Reporting (Notice of Proposed Rulemaking) Report to ISO/RTO Affiliates (defined broadly) Employees Debt holder/issuer with share of profitability Parties to tolling agreements, energy management agreements, asset management agreements, and fuel management agreements Obligation to update within 15 days of any material change Technical Conference held December 21, 2015 Comments filed January 22,