Compliance Risk Siemens


International In-house Counsel Journal, Vol. 6, No. 24, Summer 2013

Compliance Risk Siemens

JAN HANSEN
Head of Compliance Remediation & Risk Prevention, Siemens, Germany

1. Introduction

What has dental care to do with risk management? Everybody knows that preventive measures like brushing your teeth twice a day, using dental floss daily and going to a dentist once a year cost nearly nothing. Still, many people do not do it, or do not do it properly, get holes in their teeth and, on top of this, face a huge invoice from their dentist to fix the problem. It would therefore be much more effective and efficient to focus on taking preventive measures than on fixing the holes afterward.

In many companies, including Siemens in the past, it has been like this. Risk management is done, but not properly: like brushing your teeth with just water. In many cases, fixing the holes at the end costs more than if the issues had been identified and tackled with appropriate preventive measures beforehand.

At Siemens, several preventive measures have now been established at different levels. Around two years ago, we at Compliance set up the Compliance Governance Remediation & Risk Prevention department. This department is dedicated to dealing with compliance-related preventive issues and consists of three teams:

- Case-based Remediation: The team coordinates and supports Compliance Officers in implementing remediation measures identified during a compliance investigation. This task is important in ensuring that compliance incidents that have occurred in different entities will not happen there again.

- Compliance Controls: For important compliance processes, there is at least one control to check whether the process is working as it should. If a control fails, a deficiency is recorded in a central tool. This team defines the controls, performs spot checks, and analyzes all deficiencies worldwide for systematic process weaknesses that need to be remediated, identifying at an early stage whether established processes need to be adapted accordingly.

- Compliance Risks: This team performs bottom-up and top-down compliance risk analyses. The bottom-up process for all entities is designed in the department. The risks identified worldwide are collected centrally and consolidated for a corporate view. Top-down, internal and external data with compliance relevance is analyzed to determine the risks for selected entities. The results are then discussed with the entity's top management.

The Compliance Governance Remediation & Risk Prevention department works closely with the department responsible for Enterprise Risk Management (ERM) at Siemens, which is assigned to the Corporate Finance organization. However, the Compliance Risk Assessment process is owned and governed by the Compliance organization, which reports its results to the ERM process (see below). The following sections describe the top-down and bottom-up processes of the Compliance Risk Team in more detail.

2. Bottom-up compliance risk identification: Compliance Risk Assessment

2.1 Goal of the Compliance Risk Assessment

The goal of the bottom-up risk assessment process, the Compliance Risk Assessment (CRA), is to evaluate compliance risks in conjunction with the business at the Sector, Cluster and Division level and to define corresponding mitigation measures. The bottom-up discussion also aims to raise awareness of compliance risks and to strengthen and emphasize the responsibility of management in general for compliance-related topics.

Further benefits of the bottom-up assessment are:

- Transparency for management in deciding whether to avoid, reduce, transfer or accept certain compliance risks
- Understanding of possible underlying compliance risks for the entire organization
- Indication for a risk-based resource allocation of the headcount within the Compliance organization
- High-quality input to the overarching Enterprise Risk Management process regarding compliance risks

2.2 Process

In general, the CRA is an annual process and is mandatory at the Sector, Division and Cluster level. Further workshops can be held below this level (if, for example, a Cluster wants to hold a CRA workshop for each country), subject to a joint decision by the responsible CEO and Compliance Officer. The CRA process generally consists of four steps:

Preparation

The first step of the process, "Preparation", is vital for a sound risk assessment. It has been shown that solid preparation is a key element of every successful risk workshop. Responsibility for preparation lies with the Compliance Officer of the entity concerned. Preparation starts with a review of last year's risks and the decision whether those are completely mitigated or shall be transferred to next year. When this decision is made, data from different internal and external sources is analyzed and interviews are conducted with key functions (such as the CEO, CFO, Sales, Supply Chain Management and General Counsel). Each Compliance Officer must decide independently which data sources to use, depending on the risk environment in which the entity is operating. The final results of the preparation phase are key hypotheses and critical questions to foster a critical and open discussion during the workshop. The following figure provides an overview of possible sources of data:

Management workshop

The responsible Compliance Officer decides in conjunction with the CEO who should participate in the CRA management workshop. Other participants can be invited from the business, depending on the results of the preparation phase and the topics that have been identified there. It may also be useful to invite a third party, for example from another region or business, to exchange different points of view. The following list provides an overview of the mandatory and optional participants:

Mandatory participants
- CEO of the entity
- Compliance Officer of the entity

Optional participants
- CFO
- General Counsel
- CEOs of the subordinate Divisions, Business Units or Segments/major countries within the Cluster
- Operative functions (such as Sales, Business Development or Project Management)
- Supply Chain Management (SCM)
- Human Resources
- Accounting

Experience shows that a time slot of between two and three hours for the workshop is ideal, as this provides sufficient time for discussions. It is also recommended that the hypotheses and risks already identified during the preparation phase be discussed and a brainstorming session conducted to encourage participants to "think outside the box". The participants in the management workshop describe and evaluate the identified risks, prioritize them and obtain a ranking of all risks. It is very important for the root causes of the risks to be identified and described in such a way that an independent third party is able to understand the issue from the documentation. Finally, a rough response plan for all risks should be drawn up before the end of the meeting.
To obtain these results, it is of utmost importance that the workshop is prepared properly by the respective Compliance Officer and that all participants are encouraged by the responsible CEO to discuss the risks in an open manner.

Report to Enterprise Risk Management

Enterprise Risk Management (ERM) is the overarching risk process that covers and combines all topics with a significant impact on Siemens AG. The risks identified and recorded in ERM are disclosed to the certified public accountant and the shareholders. The CRA workshop is held before the ERM workshop and serves as a filter: not all compliance risks will be reported to ERM. The evaluation is based on management judgment. The risks that are relevant are rated according to a special ERM methodology, recorded in a common database, and tracked centrally. The CRA workshop therefore provides a structured and harmonized approach to preparing a qualified annual ERM workshop for compliance risks.

Mitigation

The Compliance Officer works with the assigned risk owner to define an appropriate and detailed response plan for every risk. The following points in particular must be clarified:

- Risk owner in charge of the risk and of implementing the mitigation measures
- Key elements of the response plan, considering the main activities, the responsibilities of each step and the desired state after implementation
- Expected mitigation date, including defined milestones

Once the defined response plan has been approved by the CEO of the entity, the mitigation measures can be implemented. The status is monitored regularly and reported to management at least quarterly by the Compliance Officer.

2.3 Compliance Risk Assessment timeline

The CRA must be performed by Q2 of each year. The following figure provides an overview of the general process schedule.

3. Top-down compliance risk analysis

3.1 Goal of the top-down risk analysis

The goal of the top-down risk analysis by the Compliance Governance Remediation & Risk Prevention department is to obtain an independent view of the entity's internal and external risk situation. The result of the analysis is reviewed jointly by the Chief Compliance Officer, the Chief Counsel Compliance, and the local CEO, CFO and Compliance Officer in order to raise awareness of critical findings and identify possible blind spots. Further actions and mitigation measures are also agreed in this meeting.

3.2 Process

The top-down process is an annual exercise. At the beginning of each year, four or five entities are selected for subsequent analysis by an independent central team. The top-down process generally consists of four steps:

Selection of focus entities

At the beginning of every year, the Chief Compliance Officer and the Chief Counsel Compliance select four or five focus entities based on a brief pre-analysis. During the pre-analysis, statistics are prepared for every Cluster and Division, including for example the number of business partners, compliance process deficiencies or internal compliance allegations. External factors from Transparency International or the World Economic Forum are also used. In addition to the statistics, interviews are conducted within the Compliance organization to collect different opinions on the entities and the relevant topics. The result of this step is a summary that forms the basis for the decision by management.

Internal data analysis

During the internal data analysis, statistics from different tools used throughout the company are evaluated. The data used always has a certain compliance connection, which allows the analyst to derive relevant observations. Some examples are:

- Order Intake & Revenue Development: For every selected entity, last year's growth and the budget figures for next year are evaluated. If, for example, an entity is planning for extraordinary growth, either the targets for the existing sales force are very high or new employees need to be recruited. Both measures may expose the entity to different compliance risks. It is particularly important for this data to be complemented with external market data, as a budgeted 5% growth in Germany, for example, is a different indication than in China.

- Projects: Most entities within Siemens do not operate in just a single country or region but, for various reasons, conduct projects or business in many countries all over the world. It is therefore important to check what kind of projects are conducted by the entity (technically complex projects or simple ones) and where these projects are implemented. The farther away from the entity a project is conducted, the greater the potential for difficulties in implementing all of Siemens' rules and regulations.

- Business Partners: Like projects, business partners can be located all around the world. The monitoring of business partners becomes particularly challenging if the partner is very far away.

- Sponsoring & Donations: A central tool is used to record and approve all sponsoring and donations so that high amounts can be analyzed.

- Process Weaknesses: Every compliance process must be controlled by means of spot checks at least once a year. Weaknesses are recorded in a central tool. The data relating to these weaknesses is an indicator of risks, especially in combination with other sources.

- Internal Compliance Cases: During the analysis, the entities' compliance cases over the last two to three years are examined in detail for patterns or similarities. This is one of the most time-consuming tasks, as every report must be read in detail. However, it is also one of the best sources for the internal analysis.

At the end of the internal analysis, all the data from the different sources is combined and used as the basis for observations and relevant questions. It may be, for example, that an entity awarded many projects last year in one particular industry sector of a country also paid out substantial sponsoring amounts in this country during the same year. In this case, it would make sense to question whether there was any connection between the projects and the sponsoring.

External data analysis

During the external data analysis, statistics from external sources are evaluated. Typical data sources include for example compliance surveys from audit companies, Transparency International, the World Bank, Global Integrity or the World Justice Project. The data used always has a certain compliance connection, which allows the analyst to derive relevant observations.

- External Cases: One of the most fruitful sources is data relating to external cases that have occurred outside of Siemens in the country under analysis. This data can be found in news articles and using special search engines (such as Dow Jones Factiva). The following points are evaluated with regard to external cases:
  - What happened exactly (active corruption, antitrust, passive corruption, etc.)?
  - How did the money leave the company (business partners, joint ventures, suppliers, etc.)?
  - Who received the money at the other end (public official, domestic company, etc.)?
  - Could the same scheme be successful within Siemens?
  The last bullet point is the most interesting but also the most challenging to evaluate. In many cases, this information used in conjunction with the internal cases produces interesting observations.

- Sales Channel: The different sales channels that are used to sell products form an important connection between Siemens and the external environment. It is therefore important to analyze how the different units sell their products in the market (direct sales, distributors, sales agents, etc.). The procurement channels are also checked for noticeable issues.

- Market & Competition Data: Data about the general market development, including for example GDP, inflation and the unemployment rate, shows the general situation in the region. There are also special compliance statistics and indicators for many areas. On top of this, the competitive environment of the different Siemens businesses is checked (oligopoly, diverse market situation, etc.). The combination of all these figures can provide a good indication of any upcoming compliance challenges.

- Legal Environment: Last but not least, the general legal and political environment is researched. Existing compliance-related laws and their enforcement are of particular interest. In addition, the political mindset of the parties in power can provide hints as to how corrupt actions will be ascertained and disciplined in future.

At the end of the external analysis, all the data from the different sources is combined and used as the basis for observations and relevant questions. It may be, for example, that an entity operates in an environment characterized by decreasing GDP and many external cases of corruption. In this case, it would make sense to question whether measures have been taken by management to create awareness among employees about the situation, thus setting the right "tone from the top".

Summary and management discussion

In the final step of the analysis as a whole, the internal and external data is combined and used as the basis for observations and questions. It may be, for example, that an entity operates in a very challenging compliance environment with critical compliance indicators and low levels of legal enforcement but, within Siemens, no compliance incidents have been recorded in the last two years. In this case, it would make sense to question whether people are openly reporting compliance incidents and what the entity is doing to encourage reporting. At the very end of the analysis, the questions are discussed in a management workshop. This workshop is attended by the management and Compliance Officer of the local entity and, in most cases, the Chief Compliance Officer or the Chief Counsel Compliance. The discussion can take up to three hours, depending on the observations made. During the workshop, the compliance risks are jointly defined, remediation measures are agreed, and everything is documented in the form of minutes.

Through this methodology, with fact-driven observations and questions, it is possible to have an open discussion with the entity's top management about compliance risks. Some of the questions are nothing new for them and can be answered easily. However, there are always a few questions that show the facts in a different light, raising attention and awareness. These are the questions that are discussed intensively, as they reveal blind spots.

3.3 Top-down compliance risk analysis timeline

The top-down analysis is performed annually throughout the year by two risk analysts. One of the analysts focuses on the internal part, the other on the external part. One detailed analysis for one entity takes between six and eight weeks, depending on the amount of data that is available. This is why it is so important to select focus entities at the beginning, enabling the sources to be analyzed in the necessary detail. The following figure provides an overview of the general process schedule.

4. Summary

At the end of every year, the results of the bottom-up approach and the findings of the different top-down analyses are summarized. The aim of this exercise is to identify worldwide, systematic and recurring compliance risks. These risks are then actively exchanged with the organization in order to create awareness. In addition, mitigation measures are defined at the Corporate Compliance level to initiate process improvements or other actions aimed at reducing the risks globally. Particularly in this final step, a lot of time and effort is required to consolidate all the different material. This was carried out for Siemens for the first time in 2012, and brought many interesting aspects to light that helped Compliance to focus on important future topics.

All the processes and measures that have been established are there for one reason only: to identify possible risks and future issues as soon as possible and to tackle them with appropriate preventive measures so that Siemens never again has to "fix the holes" afterward.

***

Jan Hansen joined Siemens in 2001 and has held several positions as Commercial Manager and Program Manager during his career. After spending four years in China, Mr. Hansen came to Compliance as Project Manager with the task of optimizing the compliance processes. In 2012, Mr. Hansen assumed his current position as Head of the Compliance Remediation & Risk Prevention department.