SCCE Compliance & Ethics Institute. Agenda. Trust & Verify: Investigation and Compliance Forensic Tools. September 16, 2014

Transcription

1 SCCE & Ethics Institute Trust & Verify: Investigation and Forensic Tools September 16, 2014 Martin Wolin Chief Risk & Officer Mercer North & Latin America Boston, MA Alan K. Halfenger Chief Officer Bain Capital, LLC Boston, MA Agenda Trust & Verify: Investigation and Forensic Tools Background and Introduction Approach Overview Investigations vs. Forensic Tools Functional Responsibility and Key Stakeholders Forensic Tools Audit and Reviews Monitoring Investigations Questions & Answers 1 Background and Introduction Firm profiles may be very different, but their approaches and issues are often remarkably similar Category Firm Profile Program Profile Regulatory Environment CCO Profile Key Characteristics Size; Geographic Locations; Business Model and Lines of Business; Employee and Client Base; Public vs. Private Company; Culture; Risk Tolerance and Reputation Size; Budget; Centralized v. Decentralized; General v. Business/Regulatory Specific; Other Control Functions; Third Party Support Federal v. State v. Local; Non US Regulations; Regulatory Environment and Enforcement Culture; Civil v. Criminal; Rate of Change; and Litigation Concerns Background and Experience; Mandate and Reporting Lines; and A firm s commitment to compliance will impact how it approaches the identification and mitigation of potential risks. 2 1

2 Approach Overview Investigations vs. Forensic Testing Approach may be similar in each process, but the catalysts, sensitivity and stakes may be much higher for investigations Forensic Testing Proactive and Continuous Driven by Senior Management s commitment to ensuring a sound compliance culture Protects firm by self identifying bad actors/behaviors and correcting them Management reporting and transparency critical to the process Testing is core to any process because it allows the firm to continuously analyze its actual compliance Critical for US sentencing guidelines 3 Investigations Reactive and intermittent Often driven by external events and forces Damage often already done when investigation work commences Significant willful blindness or cover up risk during the process Significant legal, regulatory and reporting risk Process often leverages external resources and done under privilege Approach Overview Functional Responsibility and Key Stakeholders Overlapping responsibilities among control groups may at times create redundancy without added value and risk mitigation for the firm Key control functions often overlap in responsibility; this requires coordination to ensure adequate oversight of risk Business Direction and Oversight Business Regulatory Advice & Litigation Support Legal Audit Controls and Testing Risk Management Risk Identification and Mitigation 4 Approach Overview Functional Responsibility and Key Stakeholders (Continued) These compliance processes must take into consideration a long list of internal and external stakeholders Internal Corporate/Senior Management Line of Business/Employees Control Entities: Legal Audit Risk Management External Regulators Do we self report? Clients Shareholders Unintended Third Parties Congress Media Mom and Dad 5 2

3 Forensic Tools: Audit and Reviews Key Objectives Strategic Goals Provide reliable and timely results so that appropriate action can be taken by the business to address issues identified. Verify compliance with regulatory requirements and other obligations to the satisfaction of regulators, boards and leadership. 6 Operational Goals Continually improve the quality, consistency, efficiency and effectiveness the program. Periodically review the program in light of regulatory developments and incidents to ensure content stays relevant. Apply a risk based process to ensure resources are directed to our greatest exposures. Leverage firm wide resources to maximize breadth of coverage. Utilize more thematic reviews, surveys and certifications in lieu of traditional on site office reviews. Forensic Tools: Audit and Review Plan Development and Factors Considered auditing priorities are a function of the varying levels of risk, resources and local program monitoring maturity. Topics and locations to be monitored are selected based on: Prior Results & Coverage: Monitoring & Internal Audits Investigations & Incidents of Non Regulatory & Other Environmental Developments Elements Self Assessments Key Initiatives/ Market Expansion Input from Business and R&C Leaders Key operational and compliance risks 2014 Auditing Plan 7 Forensic Tools: Audit and Review Risk Based Location Selection Criteria Presence of regulated activity Presence of new activity Acquisitions New products/services Litigation history Number of reports to counsel Total annual litigation spend Time since last review Number of hotline calls Prior compliance monitoring review and Internal Audit scores Number of detected compliance violations Number of detected privacy incidents Management gut feel 8 3

4 Forensic Tools: Audit and Review Risk Based Topic Criteria Periodic office reviews include some combination of remote and on site file reviews, colleague interviews, facility reviews and integrity checks on self monitoring. Risk areas to be reviewed are generally divided into core (e.g., apply to many locations and businesses) and non core (e.g., apply to select locations, topics and/or businesses) Topics for a specific review are chosen based on the risk profile of the business and location, with core program elements being supplemented with reviews of higher risk areas. Office reviews are supplemented with thematic reviews, surveys and certifications. To increase coverage we work to embed as much compliance auditing as possible into locally owned risk/quality frameworks. 9 Forensic Tools: Audit and Review Reporting and Remediation Findings and action plans from global reviews collected. Results are scored and reported to management, boards and select risk committees at the conclusion of each review, using the following scoring methodology: Required actions and recommendations are provided to management following each review and tracked by to completion. Wrap up sessions and training are provided to local colleagues in conjunction with the majority of on site reviews. Quarterly reporting is provided to senior leadership outlining key findings for certain policies. 10 Forensic Tools: Audit and Review Collaboration with Partners Internal Audit (IA) Discussions were held with internal audit to ensure no major overlap in monitoring activities. Results are shared between and IA throughout the year. and IA verify for remediation of one another s material findings when possible. The Business In some countries, many issues that would have been traditionally covered under a compliance auditing program are reviewed as part of the risk frameworks that are in place in the larger markets and that are being developed across the region. Ownership, review and reporting of risks by the businesses, coupled with support and oversight by, has been an effective approach. Honor business requests to develop auditing regimes for higher risk areas. leverages business subject matter experts to participate in certain reviews. 11 4

5 Forensic Tools: Monitoring Monitoring Overview A firm s Monitoring Program is part of a group of key risk mitigants deployed by the Department, which include: Monitoring Program Tone at the Top / Culture Focus Areas Monitoring Ongoing Testing Surveillance Communication Reviews Management Reporting of Key Data Management Reporting of Raw Data E&R Focused Reviews Ongoing Advice and Involvement Policies and Procedures Firm wide Training Electronic Communications Review Trading Desk Sales & Marketing General Employee 2. Employee Monitoring Monthly Reporting Social Media Monitoring Conflicts of Interest Operational 3. Data Loss Prevention/Process Data Removal Data Upload and Viruses Access Controls Data Security/Hacking 4. Business Monitoring and Trading Surveillance Key Interactions Business Trade Surveillance Portfolio Management Ethical Walls Forensic Tools: Monitoring Monitoring Culture Different firm cultural norms will balance employee rights and privacy versus firm risk when addressing e mail monitoring and data security Blind Faith Light Touch Trust and Verify Police State Small and unregistered firms (Real Estate, Venture, Single PE fund) Infrequent ad hoc reviews Limited review scope No automation / technology Unlimited access to websites and personal mobile devices Registered HF, PE and multi strategy firms Generally ad hoc reviews Limited review scope focused in higher risk areas Minimal automation / technology Broad access to websites and personal mobile devices Larger registered HF, PE and multi strategy firms Ongoing routine reviews plus limited / necessary ad hoc reviews Broad review scope with deep dives into higher risk areas Effective use of automation / technology Selected websites and personal mobile devices blocked Investment banks, mutual funds, broker/dealers Ongoing routine and ad hoc reviews Very broad review scope with deep dives into most areas High degree of automation / technology General policy to block websites and personal mobile devices Bain surveillance program 1. Monitoring exiting employees 2. Increased standardization and management reporting o High degree of employee freedom & privacy o Low Cost o Limited oversight & disciplinary process o Smaller, less complex firms Successful Range o Limited employee freedom & privacy o High cost o Formal oversight & disciplinary process o Larger, more complex firms 13 Forensic Tools: Monitoring Monitoring Process Below is the routine Monitoring process, developed with the goal of providing a consistent and controlled approach across reviews. Business or Employee Activity Monitoring Activity Reporting and Exception Generation Preliminary Research Monitoring Team The Monitoring team produces business reporting to provide a holistic view into business activities and monitoring and analysis to issue spot potential breaches of law, policies and procedures. Business Unit Additional Research and Follow Up Business Unit Officer Research Business Unit/ Officer Business Reporting is generally raw data. Tracking and follow up is central to this process Final Analysis, Recommendations and Conclusions CCO Needle in a Haystack Digging too many holes Secret Police Culture Escalation Follow Up and Corrective Actions Business Unit Management and CCO 14 5

6 Forensic Tools: Monitoring Issue Identification and Escalation Policies should include guidelines for escalation and resolution that perpetuate fair and consistent treatment for identifying issues Record keeping should include potential issues, timely issue resolution and supporting documentation Reporting may be necessary to various parties: Regulators Auditors / External Auditors Shareholders Clients While identification, remediation and disclosures represent best practices, some firms fear the reputation risk that can result Find it now vs. Find it later! 15 Forensic Tools: Monitoring Issues and Pitfalls How much and what type of monitoring is driven by several key factors: Budget and staffing Risk and exposure Culture of / Employee trust Impact of missing an issue False sense of security Availability of necessary data Monitoring without meaningful and timely follow up is a significant problem Lack of adequate Management Reporting can also cause significant issues 16 Investigations Catalysts While forensic testing seeks to prevent violations of law and policy, investigations start with a specific concern that a breach may have already occurred Where do the concerns start? Management Oversight and Business Controls Self Assessment Process Risk Management Forensic Testing Audit and Reviews Monetizing Regulatory Inquiry or Examination Internal or External Audit Customer Complaint Whistleblower Hotline and Employee Reporting The firm s response and process is defined by the type and nature of the potential issue 17 6

7 Investigations Process and Key Issues While the process is typically consistent with an audit or compliance review, the confidentiality and discipline must be more strict. There are several key process questions that must be addressed: Is there a standard playbook or approach? Who should conduct the investigation? Internal vs. External Internal Conflicts Costs Firm Knowledge Does it need to be privileged? Do we have the right skills to conduct the investigation? Forensic Accounting Forensic IT Specialist Who is in the know? Who could be involved? 18 Investigations Issue Resolution Ok, so we know what happened, now what do we do about it? Corrective Actions Specific Actions Employee and supervisor issues Address client issues/compensation Revise process issues General Actions Strategic solutions and systems/controls Broader testing are there similar problems elsewhere? Related functions Reporting Do the regulators require disclosure? Does law enforcement need to be notified? Do clients need to be informed? Things to consider Could corrective actions be considered an admission of guilt by the regulators? Can this be used as evidence in a plaintiff s suit? 19 Q & A 20 7