Today's Agenda. David Wong, Monica Reinmiller


SCCE Compliance & Ethics Institute, Post Conference Session
Advanced Risk Management Workshop: Tackling and Effectively Managing Your Top Ethics and Compliance Risks
David Wong, Monica Reinmiller

Today's Agenda
- Overview of top risks facing global organizations today, including emerging challenges and trends; explore best practice for identifying and prioritizing your most important risks
- Share case study examples of approaches and strategies for managing risk in a few key focus areas, including conflicts of interest, third party due diligence, and books and records; discuss practical processes and solutions for effective risk management and mitigation
- Engage in a real world exercise that supports and reinforces the value and benefits of effective risk identification, prioritization, and management infrastructures

Overview of Top Risks & Risk Management

Top Risks (trending)
- FCPA / corruption
- Information security
- Trade controls (import / export)
- Competition

Evaluate your risk universe: where do you start?
1. What does your company do?
   - Financial services
   - Health services
   - Non-profit
   - Consumer product (sales)
2. What does the company process framework look like?
   - Consider starting by evaluating your largest and/or most sensitive process areas
   - If you're not sure, consult with internal SMEs or partner with internal audit

Evaluate your risk universe: example, Third Party Relationships
- Supply Chain: Vendor; Sales; Distribution & logistics; Quality; Purchasing; Certifications (ISO)
- Procurement: Quality; Purchasing; Cost Management (Approved Vendor List)
- Agents; Distributors & resellers; JVs

Evaluate your risk universe: example, Human Resource function
- Compensation & Incentives: Executive Compensation; Incentive Plans; Deferred Compensation; Change in Control Agreements; Global Equity Plans; Sales and Commission Structures
- Labor Relations: Labor (Strategy, Union Elections, Collective Bargaining); Works Councils; Work Rules Compliance; Grievances; Notification and Consulting; Wage & Hour
- Human Resources Department: Interviewing and hiring; Organizational Structure; Resources; Oversight of Subsidiary Operations; Workplace Change; Contingent Worker Management; Employee Relations

Choose a risk framework
3. What do the regulatory guidelines say (and which legal requirements apply to you)?
   - USSG
   - OECD
   - UK's 6 Principles
   - DOJ / SEC FCPA Guidelines
   - HIPAA
4. Choose a control framework that you can map to
   - COSO
   - PCI
   - Basel
   - OR ...

Choose a risk framework
- Map the framework to your legal compliance requirements within your process universe
- Remember: when starting your assessment, set expectations for yourself and your stakeholders
- Establish a road map (timelines, deliverables, resources) for more comprehensive risk assessment work
- Monitor for process and regulatory environment changes

Case Studies: Scenarios & Strategies

Case Study 1: Political Corruption (US) & Conflicts of Interest
- Former Virginia Governor Robert McDonnell & spouse Maureen McDonnell
- The defense argued that the ex-governor did not carry out, or promise to carry out, any official act for Williams
- Multiple issues raised:
  - «Quid pro quo» (bribery)
  - Corruption and abuse of public office
  - Conflict of interest
  - Bad judgment?
- Are gifts to high ranking officials just «long-accepted» political courtesies that are OK? What about lavish receptions for meet and greets?
- How does a State government identify and manage conflict risks?

Case Study 2: Security Breach & Privacy
- Target, November 2013: biggest retail hack in U.S. history
- 70m affected; hundreds of lawsuits
- Notification process failed: could risk assessment have helped identify weaknesses to prevent failures?

Case Study 3: Environmental regulations & operating standards
- BP Oil Spill: On the evening of 20 April 2010, a gas release and subsequent explosion occurred on the Deepwater Horizon oil rig working on the Macondo exploration well for BP in the Gulf of Mexico [1]
- BP had a safety system known as the operating management system (OMS) that executives described as the "cornerstone" of their safety practices, but that was not applied in the Gulf [2]
- Catastrophic risk materialized: could risk assessment have helped prevent this? (Is this only about the mechanical safety failure? Or are operating decisions subject to cultural risks that can be identified and assessed to spot management level issues?)

[1] http:// of mexico restoration/deepwater horizon accident and response.html
[2] oil spill trial bp failure

Risk Identification, Prioritization, and Management

Risk Identification & Prioritization: Risk Assessment Process
1. Methodology
   a) Determine your scope: Enterprise? Specific geography? Specific legal risk vs. process area(s)
   b) Determine roles and responsibilities
      - Evaluate the level of sensitivity and consider who should perform the assessment: internal teams (inside counsel, internal audit, security team) versus external support (outside counsel, consultants, or leading experts)
      - Set expectations with engagement stakeholders based on roles
   c) Identify your main resources and access to them
      - SME interviews
      - Database reports
      - Existing process area flows and documentation
      - Policies and procedures
      - Applicable legal guidelines
   d) Develop your timeline and deliverables
      - Consider how many resources you require to complete the assessment (see c. above)
      - Ensure you have the availability to complete or supervise the work at critical milestones

Risk Identification & Prioritization: Risk Assessment Process
2. Approach
   a) Designing your risk assessment
      - Consider your format: Word, Excel, .ppt
      - Rate the intensity of your risk: impact, likelihood and any control mitigation
      - Determine if you'll assign a score to your risk rating criteria to calculate an objective score, OR determine if you'll rely on more subjective rating criteria (Hi/Med/Lo)
      - Determine how you'll manage issues or control gaps identified
   b) Supporting documentation & considerations
      - Questionnaires
      - Surveys
      - Interviews
      - Control framework requirements (SOX, PCI DSS, ISO)
      - Heat maps & dashboards
      - Action plan & remediation management
      - Inside or external counsel to establish privilege
      - Remediation action plans

Risk Identification & Prioritization: Risk Assessment Process
2. Approach (continued)
   c) Leverage your resources for any best practice templates or documents
      - DEMO: Compliance & Ethics Leadership Council (CEB) CELC Legal & Compliance & Risk Assessment Tool

Risk Identification & Prioritization: Break out session
3. Small group discussions
   a) You've been made aware that an internal marketing team supporting the U.S. public sector sales team is using marketing funds to sponsor industry round tables and conferences
   b) You are a technology company and have extensive training offerings for customer personnel to stay informed on how to best manage your solution in their environment; internships are also extended to customer personnel from international locations
   c) Your company's suppliers hold industry events that usually include training and product demos, as well as banquet meals, concert entertainment and hotel stays

Resources
- COSO (Committee of Sponsoring Organizations of the Treadway Commission), Risk Assessment in Practice (2012)
- OCEG (Open Compliance and Ethics Group), member assessment tools: tools burgundy book/
- ERC (Ethics Resource Center), toolkit, Ethics Tool kit and Guidelines
- UN Global Compact, Tools and Resources
- CELC (Compliance & Ethics Leadership Council), Performing a Legal and Compliance Risk Assessment: A Step by Step Implementation Guide and Risk Assessment Tool
- PLI Corporate Compliance and Ethics Institute 2013, Compliance and Ethics Risk Assessments: The Foundation of Effective Programs (May 2013)
- Corporate Compliance Insights, Compliance & Ethics Risk Assessment: Concepts, Methods, and New Directions, by Jeffrey Kaplan

Thank you!
David Wong (david_wong@symantec.com)
Monica Reinmiller (monica_reinmiller@symantec.com)