How to Start a Compliance Program from Scratch


Slide 1 - How to Start a Compliance Program from Scratch
Leona Lewis, J.D., ComplyEthic Consulting LLC, leonalewis@complyethic.com
Nothing in this presentation is intended to be legal advice. Any examples or scenarios in this presentation are for discussion purposes only. Please retain an attorney for legal advice applicable to your precise circumstances or for legal issues that impact you or your business.

Slide 2 - Current State...
- Businesses face more regulations each year and a more aggressive enforcement environment.
- Clients and customers have their own requirements for their vendors and service providers.
- Scandals and disasters can flare up on social media in minutes, magnifying the impact of problems that in the past may not have seemed such a big deal.

What if...
- You had a well-documented, current and accurate program that could be referred to at any time when enforcement knocks on your door.
- You had an employee base that knew what they were supposed to do, or not do, to keep the company in compliance and avoid trouble.
- You had a process that allowed the business to operate smoothly and reasonably respond to changes in your business and the regulatory environment.

Slide 3 - Solution!
A compliance program designed to:
- Prevent and detect wrongdoing
- Manage the risk of non-compliance and appropriately react to problems when they occur
- Assure external stakeholders (aka regulators and law enforcement) and internal stakeholders (aka company officers and the Board of Directors) that the company is doing what it can to manage the risk of non-compliance
- Allow employees to know what they need to do in their jobs to avoid compliance problems
- Allow everyone to sleep better at night

Watch Out for Red Herrings
When a company starts a compliance program, it is often tempted to delay building the program until it has:
- Analyzed all the issues it has now or will have in the future
- Identified all the risks that apply to its business that it knows about, and then started hunting for risks it does not know about
- Benchmarked against the structure and resources that other companies have
- Identified all the legacy policy and procedure documents and carefully filed them away in a central repository
...before the company starts:
- Putting any resources into compliance
- Identifying owners of any compliance risks
- Creating any policies and procedures designed to manage compliance risk
The problem is that while all of this investigation is going on, compliance risks still apply to the company, and the delay in the company's response creates even more risk.

Slide 4 - Governance
"Do what you can, with what you have, where you are." Theodore Roosevelt

Slide 5 - Where to Start: Governance
Governance is how information is reported, questions are answered, and decisions are made. Decisions will need to be made as a compliance program is started and as it operates:
- Who will be accountable for the compliance program?
- If compliance is not followed, what happens?
- What resources will be devoted to compliance?
- How will the company choose between compliance alternatives?
- How will information about compliance be escalated?
- How will the company know what regulations it needs to comply with, and what to do if a regulation changes?
- How will the company decide how to change the program if the business changes?

How Will the Company Make Decisions About the Compliance Program?
Governance tiers: Board of Directors / High Level Executives / Compliance Team and Liaisons / Operations.
Decisions, solutions and implementation flow down through these tiers; reporting, escalation of issues and proposals flow up.

Slide 6 - Federal Sentencing Guidelines (paraphrased)
...an organization shall (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Policies and procedures need to be established on how compliance is achieved and how the company knows when any non-compliance occurs.
The Board of Directors, Officers and Directors shall:
- Be knowledgeable about what the compliance program is and how it works, and
- Exercise reasonable oversight on the implementation and effectiveness of the compliance program.

Slide 7 - Oversight Responsibility
The Board of Directors is responsible to exercise oversight on the implementation and effectiveness of the compliance program, and to be knowledgeable about what the compliance program is and how it works.

Leadership Responsibility
Specific individual(s) from the ranks of high level executives shall be assigned overall responsibility for the compliance and ethics program.

Slide 8 - Operational Responsibility
Specific individuals with operational responsibility shall be delegated day-to-day responsibility for compliance.

Information Flow Up the Organization
Specific individuals with operational responsibility shall report periodically to high level personnel on the effectiveness of the compliance and ethics program, and report to the Board of Directors when appropriate.

Slide 9 - Communication Across the Operations
- Establish policies & procedures on how compliance is achieved and how the company knows when any non-compliance occurs.
- Communicate policies & procedures to operational employees by conducting training programs appropriate to employees' roles and responsibilities.

Monitoring & Enforcement
- Executives have the responsibility to ensure policies & procedures are established on how compliance is achieved, and to take reasonable steps to ensure the compliance program is followed and consistently enforced throughout the organization.
- Monitor adherence to the compliance program (specifically policies & procedures).
- Operations follows & enforces the compliance program.

Slide 10 - Design Governance Process for Engagement
- Clear roles and responsibilities
- Avoid a cast of thousands in decision making
- Easy, regular and helpful communications
- Have empathy and solve problems

Continuous Improvement Cycle: Plan, Do, Check, Act. A recurring theme in building a compliance program.

Slide 11 - Risk Assessment
(Plan, Do, Check, Act cycle)

Slide 12 - What is Risk?
Risk is...
- Forward looking
- Dynamic
- Ambiguous
- Based on information from company cross-functional stakeholders
- Risk of non-compliance
- An analysis required by the Federal Sentencing Guidelines
- Likelihood x Impact
Risk is not...
- Reviewing incidents that have already happened
- A list of issues
- Unambiguous/certain
- Risk of getting caught

Risk Assessment Process: Identify Risks -> Evaluate/Prioritize -> Manage/Mitigate -> Report to Management & Board of Directors

Slide 13 - Creating a Risk Inventory from Scratch
Sources feeding the risk inventory:
- Selection of laws/regulations based on current operations
- Selection of laws/regulations based on the strategic plan
- Selection of laws/regulations based on benchmarking
- Selection of laws/regulations based on enforcement trends
- Any other sources that your business finds important
Risk Inventory -> Evaluate & Prioritize Risks

Slide 14 - Design Risk Assessment Project for Engagement
Eliminate Mystery: Map out the risk assessment project plan and educate stakeholders on the plan and expected resource needs and time frames. Be clear on the role of the stakeholder at each stage in the process. Keep stakeholders up to date on what you are doing and what you plan to do.
Time is Money: Have clear goals for every meeting with stakeholders; do not invite stakeholders to meetings where they do not have a role. Avoid using meetings to investigate facts with stakeholders; use the time to get decisions and input from stakeholders. Make sure materials for stakeholders are easy to understand at a glance.
Make People Look Good: Keep stakeholders up to date on information and reports about issues related to their team before it is reported to upper management. Engage stakeholders personally in discussions with upper management whenever possible so they get credit for being sophisticated about compliance and solving problems.
Develop Ownership: Look for stakeholder decision making on eliminating obstacles or solving problems that involve their teams during the project. The more decisions stakeholders make, the more ownership they have in the process.

Inherent Risk
- Likelihood: How often does the risk apply to your operations?
- Impact: What is the potential (worst) impact of the risk if it occurred?
- Inherent Risk: The risk that applies to businesses like yours in general (without controls).

Slide 15 - Residual Risk
- Inherent Risk: Risk in businesses with similar operations (but without controls)
- Controls: How well the company mitigates/manages the likelihood and impact of the risk
- Residual Risk: The risk that applies to your company at this point in time

Likelihood Matrix (example for discussion purposes only)
How frequently does the set of facts that creates potential risk of law/regulation non-compliance exist in company operations?
- This risk applies to company operations continually
- This risk applies to company operations regularly
- This risk applies to company operations infrequently
- This risk applies to our operations, but the circumstances where it applies are rare

Slide 16 - Impact Matrix (example for discussion purposes only)
Impact levels: 5 Serious, 4 Major, 3 Moderate, 2 Minor, 1 Slight.

Financial (as transcribed):
  5 - Serious impact to financial statements
  4 - Serious impact to financial statements
  3 - Serious impact to financial statements
  2 - Serious impact to financial statements
  1 - Slight to no impact to financial statements
Reputational:
  5 - Widespread public or regulator concern, news and perceived stock price impact
  4 - Widespread public or regulator concern and news coverage
  3 - Public or regulator concern and news coverage
  2 - Limited public concerns and some news coverage
  1 - Concerns limited to internal discussions and no news coverage
Operational:
  5 - Widespread, long-term operations shutdown
  4 - Widespread, short-term interruption of operations
  3 - Partial interruption of operations
  2 - Partial, short-term interruption of operations
  1 - Minor, very short-term or nominal interruption in operations
Human Safety:
  5 - Death or serious, life-changing injury
  4 - Serious injury requiring long-term hospitalization
  3 - Major injury requiring some hospitalization
  2 - Minor injury needing some outpatient medical care
  1 - Minor injury needing only first aid and no medical care
Legal:
  5 - Criminal sanctions or jail
  4 - Substantial investigation and high civil sanctions
  3 - Investigation and large civil sanctions
  2 - Moderate civil fine with little investigation
  1 - Small fine or ticket

Potential Impact Worksheet Example
Columns: Law/Regulation | Financial | Reputational | Operational | Human Safety | Legal | IMPACT SCORE
Rows: Environmental Statute; Worker Safety Regulation; Anti Bribery Statute (scores left blank in the example)
Select the impact score from the highest of the impact scores for each law/regulation (the worst case scenario).

Slide 17 - Inherent Risk Worksheet
Columns: Law/Regulation | Impact Score | Likelihood Score | INHERENT RISK SCORE
Rows: Environmental Statute; Worker Safety Regulation; Anti Bribery Statute (scores left blank in the example)
Impact x Likelihood = Inherent Risk Score
Prioritize laws/regulations (Environmental, Worker Safety, Bribery) for further evaluation by their inherent risk score.

Slide 18 - Evaluate Existing Risk Controls for Each Law/Regulation (Mitigation/Management)
Break down each law/regulation into its individual requirements (Regulatory Requirement #1, #2, #3) and evaluate the controls for each requirement across Procedures, People and Technology.
Procedures:
- Do policies & procedures to comply with this requirement exist? Are they well documented?
- Are they designed to lower the likelihood of non-compliance?
- Do the procedures enable detection of non-compliance?
People:
- Do employees have access to the policies & procedures? Does this lower the likelihood of non-compliance?
- Is there effective training? Are incentives aligned with compliance?
- Is there a high level of performance of required procedures shown?
Technology:
- Does the technology lower the likelihood of non-compliance?
- Does the technology used for compliance give a high, medium or low level of assurance of repeatable compliance with requirements?
- Are we able to detect non-compliance?
CONTROL SCORE: select the highest score from People, Process & Technology.
Assurance Scale: High Control = 1, Medium Control = 2, Low Control = 3, Unknown or None = 4. The highest control score equals the risk control score.

Company Risk Score Worksheet
Columns: Law/Regulation | IMPACT | RISK CONTROLS SCORE | RISK SCORE (Including Controls)
Rows: Environmental Statute; Worker Safety Regulation; Anti Bribery Statute (scores left blank in the example)
Impact Score x Risk Controls Score = Risk Score. A higher score indicates higher risk at this time in your company given existing controls.
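The worksheets on slides 14 through 18 chain three small calculations: the worst-case impact across the five impact categories, Impact x Likelihood for inherent risk, and Impact x Control Score (the weakest of People, Process and Technology on the assurance scale) for the risk score including controls. The script below is an added example written for this transcription, not the presenter's or ComplyEthic's material. It fills the deck's three example laws with constructed scores; the numeric values attached to the likelihood matrix (4 for "continually" down to 1 for "rare") are an assumption, since the slide lists the four levels without numbers.

```python
"""Compliance risk-scoring worksheets (added example, not from the deck).

  impact score  = highest score across the five impact categories (worst case)
  inherent risk = impact score x likelihood score
  control score = weakest of People / Process / Technology on the assurance
                  scale High=1, Medium=2, Low=3, Unknown or None=4
  risk score    = impact score x control score  (risk given existing controls)

Assumptions: likelihood levels are numbered 4 (continually) down to 1 (rare);
all sample scores below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

IMPACT_CATEGORIES = ("financial", "reputational", "operational", "human_safety", "legal")
CONTROL_AREAS = ("people", "process", "technology")

# Likelihood matrix from the deck; the numeric values are an assumption.
LIKELIHOOD = {"continually": 4, "regularly": 3, "infrequently": 2, "rare": 1}

# Assurance scale from the deck: a higher number means a weaker control.
CONTROL_ASSURANCE = {"high": 1, "medium": 2, "low": 3, "unknown": 4, "none": 4}


@dataclass
class RiskEntry:
    law: str
    impacts: Dict[str, int]    # impact category -> 1..5
    likelihood: str            # key of LIKELIHOOD
    controls: Dict[str, str]   # control area -> key of CONTROL_ASSURANCE

    def impact_score(self) -> int:
        """Worst-case impact: the highest score across all categories."""
        missing = set(IMPACT_CATEGORIES) - set(self.impacts)
        if missing:
            raise ValueError(f"{self.law}: missing impact categories {sorted(missing)}")
        for category, score in self.impacts.items():
            if not 1 <= score <= 5:
                raise ValueError(f"{self.law}: impact {category}={score} outside 1..5")
        return max(self.impacts.values())

    def likelihood_score(self) -> int:
        return LIKELIHOOD[self.likelihood.lower()]

    def inherent_risk(self) -> int:
        """Impact x Likelihood: the risk before any controls are considered."""
        return self.impact_score() * self.likelihood_score()

    def control_score(self) -> int:
        """Highest (weakest) assurance score among People, Process and Technology."""
        missing = set(CONTROL_AREAS) - set(self.controls)
        if missing:
            raise ValueError(f"{self.law}: controls not rated for {sorted(missing)}")
        return max(CONTROL_ASSURANCE[self.controls[area].lower()] for area in CONTROL_AREAS)

    def risk_score(self) -> int:
        """Impact x Control Score: risk at this point in time given existing controls."""
        return self.impact_score() * self.control_score()


def prioritize(entries: List[RiskEntry]) -> List[Tuple[str, int, int]]:
    """Rows of (law, inherent risk, risk score incl. controls), highest current risk first."""
    rows = [(e.law, e.inherent_risk(), e.risk_score()) for e in entries]
    return sorted(rows, key=lambda row: (row[2], row[1]), reverse=True)


# Constructed sample inventory using the deck's three example laws; scores are illustrative.
SAMPLE_INVENTORY = [
    RiskEntry("Environmental Statute",
              {"financial": 3, "reputational": 4, "operational": 3, "human_safety": 2, "legal": 4},
              "regularly", {"people": "medium", "process": "high", "technology": "low"}),
    RiskEntry("Worker Safety Regulation",
              {"financial": 2, "reputational": 3, "operational": 3, "human_safety": 5, "legal": 4},
              "continually", {"people": "high", "process": "high", "technology": "medium"}),
    RiskEntry("Anti Bribery Statute",
              {"financial": 3, "reputational": 5, "operational": 2, "human_safety": 1, "legal": 5},
              "infrequently", {"people": "low", "process": "unknown", "technology": "none"}),
]


def sample_register() -> List[Tuple[str, int, int]]:
    """Prioritized worksheet rows for the constructed sample inventory."""
    return prioritize(SAMPLE_INVENTORY)


if __name__ == "__main__":
    print(f"{'Law/Regulation':<26}{'Inherent':>10}{'Incl. controls':>16}")
    for law, inherent, current in sample_register():
        print(f"{law:<26}{inherent:>10}{current:>16}")
```

With these constructed inputs the ordering changes between the two worksheets: Worker Safety has the highest inherent risk (5 x 4 = 20) but strong controls bring its current score down to 10, while Anti Bribery has a lower inherent score (5 x 2 = 10) and unknown or absent controls push it to the top (5 x 4 = 20). That is the point of slide 18: the score including controls, not the inherent score, decides where action plans go first.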

Slide 19 - Manage & Mitigate Risks with Action
Creating action plans to manage/mitigate risks:
Requirements -> Map Process & Controls -> Identify Gaps in Controls -> Create Action Plans to Close Control Gaps

Slide 20 - Action Planning on a Continuous Cycle
Requirements -> Map Process -> Identify Gaps in Controls -> Action Plan to Close Gaps -> Report Risk Assessment to Management & Board of Directors, then repeat.
All action plans may not be created at once due to limited resources. Start creating action plans now, and continuously repeat the cycle.

Slide 21 - Design Reporting for Engagement
Frequency: Quarterly, keeping in mind your company's budget cycle. Some quarters it is good to know executives are planning budgets. This frequency also means that you will always have a relatively up-to-date report to present at any time.
At a Glance: Design reports that communicate the main points with diagrams and tables (whenever possible). Also give the underlying detail in a concise, easy-to-read manner alongside the diagrams and charts.
Specificity: Use every communication as an opportunity to educate on the specifics of the risks and their impact on the company. Include specific controls (not just financial controls, for instance) and other mitigating efforts.
Consistency: Use the same report format every quarter to avoid training executives multiple times on multiple formats. Ensure that risks that appear in working documents appear in the final report. If the risk level changes, you do not want people surprised by risks they had not seen before.

Risk Register columns: # | Law/Regulation | Risk Description | Risk Score | Action Plan to Implement Necessary Controls | Status of Action Plan | Control Owner (Operations) | Risk Owner (Operations)

Slide 22 - Risk Heat Map
Axes: Likelihood (aka Control Score) against Impact; plotted risks: Anti Bribery, Workplace Safety, Environmental Law.

Continuing Risk Reporting Cycle
Identify Risks -> Evaluate/Prioritize Risks -> Create Action Plans to Manage/Mitigate Risks -> Report to Management & the Board of Directors as applicable (status & progress) -> repeat.
TIP - Make People Look Good: Educate the lower levels of management on the quarterly report before escalating it to Senior Management or the Board of Directors.
TIP - Develop Ownership: Look for stakeholder decision-making to create action plans. The more decisions stakeholders make, the more ownership they have in the process.

Slide 23 - Continuous Improvement Cycle
Action plans now need to be put into the continuous improvement cycle:
- Plan: Identify deficiencies and the corrective action plans that need to be created to cure them.
- Do: Plan implementation.
- Check: How is the plan working? Do you have the information to know? If not, you will need to conduct an audit.
- Act: Create action plans to cure deficiencies and repeat the cycle.

Summary
"Do what you can, with what you have, where you are." Theodore Roosevelt
- Start with governance
- Federal Sentencing Guidelines outline structure & principles
- Risk assessment
- Manage & mitigate risks with action
- Reporting
- Continuous improvement
- Design for engagement

Slide 24 - Coffee & Donuts on Me!
Leona Lewis, J.D., Founder, ComplyEthic Consulting LLC
Further Reading (link titles as transcribed; URLs not preserved):
- Federal Sentencing Guidelines
- Division launches new FCPA pilot program
- Compliance counsel: compliance expectations
- Assistant Attorney General, Criminal Division, Leslie R. Caldwell: 22nd annual ethics ...
- Leslie R. Caldwell delivers remarks at Compliance Week conference