What should your compliance function look like?


From Start-Up to IPO: How to Design and Build a Compliance Program From Scratch
Dominic F. Perella, Sean Coutain
October 2017

What should your compliance function look like?

Start With the Legal Frameworks
There are legal frameworks that should guide your way.
- Most important touchstone: the U.S. Sentencing Guidelines
- Later on: SOX, COSO, and stock exchange rules

U.S. Sentencing Guidelines
The United States Sentencing Guidelines (USSG) are relevant because organizations are "persons" under U.S. federal criminal law and may be prosecuted for criminal conduct. The USSG has a whole section on effective compliance programs. That's because an organization's commitment to stopping criminal conduct, as evidenced by the effectiveness of its compliance and ethics program, is the primary mitigating factor that may result in a reduced sentence.

The USSG defines effective programs as follows:
- DUE DILIGENCE: Exercise due diligence to prevent and detect criminal conduct.
- ETHICAL CULTURE: Promote a culture that encourages ethical conduct and a commitment to compliance with the law.
- POLICIES & CONTROLS: Establish standards and procedures to prevent and detect criminal conduct.
- BOARD OVERSIGHT: The board must be knowledgeable about the content and operation of the compliance and ethics program and must exercise reasonable oversight.
- ACCOUNTABLE SENIOR MANAGEMENT: High-level personnel must ensure that the organization has an effective compliance and ethics program. Make high-level personnel responsible. Appoint specific people to run the program's operations and give them adequate resources, appropriate authority, and direct access to the governing authority. Have them report periodically on the program's effectiveness.
- TRAINING: Communicate compliance standards through effective training programs, appropriate to individuals' respective roles and responsibilities.
- EVALUATION & RISK ASSESSMENT: Take reasonable steps to periodically evaluate the effectiveness of the program; ensure that the program is followed, including auditing to detect criminal conduct; and periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify each program requirement to reduce that risk.
- WHISTLE-BLOWING: Maintain a system for employees and agents to report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
- ENFORCEMENT: Consistently promote and enforce the compliance program. Include appropriate incentives for taking reasonable steps to prevent or detect criminal conduct, and appropriate disciplinary measures for failing to take such steps.
- REMEDIATION: If criminal conduct occurs, take reasonable steps to respond and to prevent it in the future, including any necessary modifications to the program.

Sarbanes-Oxley & COSO
Next step after you've nailed the USSG: test yourself against Sarbanes-Oxley (SOX) and the Committee of Sponsoring Organizations (COSO) framework.

SOX 406: A public company's code of conduct must call for:
- Standards as are reasonably necessary to promote honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
- Immediate disclosure of any change in or waiver of the code of ethics for senior financial officers;
- Full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer;
- Compliance with applicable governmental rules and regulations.

SOX 404 requires management to establish and maintain adequate internal controls over financial reporting and to publicly disclose the framework used to assess the effectiveness of controls. The COSO framework is the current "gold standard"; most U.S. public companies use it to satisfy SOX 404. It lists seventeen principles for an effective control environment. Principle one is "Demonstrate Commitment to Integrity and Ethical Values."

The five COSO components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring.

COSO Principles of Effective Internal Controls
1. Demonstrate commitment to integrity and ethical values
2. Ensure that the board exercises oversight responsibility
3. Establish structures, reporting lines, authorities, and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable
6. Specify appropriate objectives
7. Identify and analyze risks
8. Evaluate fraud risks
9. Identify and analyze changes that could significantly affect internal controls
10. Select and develop control activities that mitigate risks
11. Select and develop technology controls
12. Deploy control activities through policies and procedures
13. Use relevant, quality information to support the internal control function
14. Communicate internal control information internally
15. Communicate internal control information externally
16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
17. Communicate internal control deficiencies

Stock Exchange Codes of Conduct
Planning to go public? You'll need to meet specific compliance rules for that too. Each stock exchange promulgates its own rules. Check these rules well in advance of the IPO. Leave yourself enough time to come up to code as needed.

NASDAQ
NASDAQ Rule 5610 requires listed companies to meet these requirements:
- Must adopt a code of conduct applicable to all directors, officers, and employees.
- Code of conduct must be publicly available.
- Code must provide for an enforcement mechanism.
- Waivers for directors or executive officers must be approved by the Board.
- Waivers must be disclosed within 4 business days on a Form 8-K.
- Code of conduct must comply with SOX Section 406.

New York Stock Exchange (NYSE)
NYSE Rule 303A.10 requires the following:
- Adopt and disclose a Code of Business Conduct and Ethics for directors, officers, and employees.
- Promptly disclose any waivers of the code for directors or executive officers. Such waivers may be made only by the board or a board committee.
- Each code must contain compliance standards and procedures that will facilitate the code's effective operation. The standards should ensure prompt and consistent action against code violations.

NYSE Rule 303A.10 also requires that each code must address:
- Conflicts of interest. Must have a mechanism to identify conflicts and ban them as warranted.
- Corporate opportunities. Must prohibit personnel from taking opportunities that belong to the company.
- Confidentiality. Must emphasize confidentiality of corporate and customer information.
- Fair dealing. Must require fair dealing with third parties and ban manipulation, misrepresentation, and other unfair practices.
- Protection of assets. Must ban theft and misuse of company assets.
- Compliance with laws. Must promote compliance with laws, rules, and regulations, including insider trading laws.
- Reporting. Must encourage the reporting of illegal or unethical behavior, offer mechanisms for reporting, and make clear that the company will not allow retaliation for reports made in good faith.

What Next?
So now you've got a Code of Conduct. What do you do next?

Risk Assessment: Risks vary widely by industry. Work with an outside advisor to design a process tailored to your company and industry. Use the results of the risk assessment to inform what you build. Add additional policies, training, due diligence, and management oversight, targeted at your risks.

Common Risks
Compliance programs typically guard against four common categories of risk: corruption, conflicts of interest, fraud, and regulatory violations. But you need to understand which risks to emphasize given your particular business. Things to think about:
- Will you be operating in countries with a high risk of corruption?
- Will you be selling high-tech hardware that's likely to be regulated by export control regulations?
- Will you be using agents, such as sales agents, that are more difficult for you to control directly?
- Will you be in a highly regulated industry?

Targeting Your Risks
Your risk assessment will guide you on what to build.
- Example: Operating in countries with a high risk of corruption? Add especially robust anti-corruption training and controls around gifts and other expenses.
- Example: Selling high-tech hardware that's likely to be regulated by export control regulations? Add controls to make sure you always have a full, real-time understanding of your company's new research or products. That way, you can analyze their export implications or hire a consultant to do so.
Snap's initial assessment focused on three risks: corruption, trade restrictions, and conflicts of interest.

Risk 1: Corruption
The Foreign Corrupt Practices Act ("FCPA") became law in 1977, but few cases were prosecuted. In 1997, the U.S. signed an international convention combating bribery of public officials, and then amended the FCPA to add worldwide jurisdiction. Post-amendment, prosecutions skyrocketed.

The FCPA criminalizes the giving of anything of value, directly or indirectly, to a government official for the purpose of:
- influencing, inducing or otherwise affecting an official act, decision, or omission of an act or decision,
- securing an improper advantage, or
- assisting in obtaining or retaining business for any person or entity.

Global Proliferation
Other countries have since added their own anti-corruption laws. For example, the UK Bribery Act, Brazil's Clean Company Act, and France's Loi Sapin II are substantially similar to the FCPA and have global reach. Some of these laws also forbid commercial bribery: bribery of a private party, as opposed to a government official. Some states (e.g. California) also have commercial bribery laws.

Risk 2: Trade Restrictions
- Trade embargoes and sanctions prohibit or severely restrict business activities with certain countries and their nationals, as well as business activities with specific entities and persons (e.g. those who support terrorism).
- Export control regulations impose restrictions on the transfer of certain articles and technology to foreign destinations or persons.
- Anti-boycott regulations prohibit U.S. companies and their foreign subsidiaries from participating in unsanctioned boycotts against countries friendly to the United States. Some other countries and jurisdictions also maintain laws that prohibit compliance with unsanctioned foreign boycotts or embargoes.

Risk 3: Conflicts of Interest
- Kickbacks: A supplier kicks back a percentage of its earnings to an employee in exchange for rigging a bid or channeling extra business to the supplier.
- Outside Activities: Employment by or an ownership stake in a customer, supplier, competitor, or potentially competitive business.
- Hiring: Selecting less-qualified candidates based on a familial relationship or for personal benefit.

So What Do You Build, Exactly?

First: Build Other Policies
Recommended policies:
1) Anti-corruption Policy & Due Diligence Protocol
2) Gifts & Entertainment
3) Travel & Expenses
4) Trade Compliance Policy
5) Related Party Transactions Policy
6) Insider Trading Policy
7) Non-retaliation Policy
8) Anti-fraud Policy (the 2013 revisions to the COSO framework recommend establishing fraud risk governance policies)

Second: Build Training Programs
Employee training should cover the key points of all policies. Code of Conduct training must be company-wide and in-depth. All other trainings can be targeted:
- E.g., in-depth anti-corruption training for customer- or supplier-facing personnel.
- E.g., in-person training on boycotts for personnel in high-risk countries.

Third: Build Company-wide Messaging
- Periodic messaging: Deliver compliance messaging on a fixed cadence, such as a quarterly campaign featuring a new theme or subject matter, and an annual Ethics Week.
- Tone from the top: Messaging from management impacts employee behavior more effectively than messaging from the compliance function.
- Hold management accountable: Managers are incentivized to participate in compliance messaging when held accountable for training completion rates, employee certification rates, and policy violation rates.

Fourth: Build Spending Controls
Gift and entertainment expense limits are meaningless without spending controls. Your expense monitoring system should have the following features:
- Pre-approval workflow for policy exceptions
- Vendor code analytics (e.g., expense type is "meal" but the credit card vendor code is "clothing retailer")
- Tracking of gift recipients and event attendees
- Automated flagging of expense limit violations by expense type, employee rank, location, and headcount
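The spending-control features listed above, worked as a small rule engine over constructed expense records. This is an added example, not the presentation's or Snap's code: the merchant category codes, per-head limits, high-risk country codes and sample expenses are all assumed values for illustration, and the real figures would come from a company's gifts & entertainment and travel & expense policies.

```python
"""Expense-monitoring rules from the 'Build Spending Controls' step.
Added example, not the presentation's or Snap's code. Merchant codes, limits,
risk locations and expense records are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: merchant category code (from the card issuer) -> what is sold.
VENDOR_CATEGORY = {"5812": "meal", "5813": "meal", "5651": "clothing",
                   "5732": "electronics", "7011": "lodging"}
# Constructed: merchant categories that plausibly match each claimed type.
ALLOWED_MERCHANTS = {"meal": {"meal"}, "gift": {"clothing", "electronics"},
                     "lodging": {"lodging"}}
# Constructed per-head limits (USD) by expense type, then by employee rank.
PER_HEAD_LIMITS = {"meal": {"default": 75.0, "executive": 150.0},
                   "gift": {"default": 50.0, "executive": 100.0}}
# Constructed placeholder country codes rated high corruption risk; limits halve.
HIGH_RISK_LOCATIONS = {"XX", "YY"}
HIGH_RISK_MULTIPLIER = 0.5

@dataclass
class Expense:
    expense_id: str
    employee: str
    rank: str            # "staff", "manager", "executive", ...
    location: str        # country code where the expense occurred
    expense_type: str    # what the employee claimed: "meal", "gift", ...
    vendor_mcc: str      # merchant category code from the card processor
    amount: float
    recipients: List[str] = field(default_factory=list)  # attendees / gift recipients
    pre_approval_id: Optional[str] = None  # set when an exception was approved up front

def per_head_limit(exp: Expense) -> Optional[float]:
    """Per-attendee limit for this expense, or None if the type is uncapped."""
    by_rank = PER_HEAD_LIMITS.get(exp.expense_type)
    if by_rank is None:
        return None
    limit = by_rank.get(exp.rank, by_rank["default"])
    if exp.location in HIGH_RISK_LOCATIONS:
        limit *= HIGH_RISK_MULTIPLIER
    return limit

def review_expense(exp: Expense) -> List[str]:
    """Return the policy flags raised by one expense record (empty = clean)."""
    flags: List[str] = []
    # Vendor code analytics: does the merchant sell what was claimed?
    actual = VENDOR_CATEGORY.get(exp.vendor_mcc)
    allowed = ALLOWED_MERCHANTS.get(exp.expense_type)
    if actual and allowed and actual not in allowed:
        flags.append(f"vendor-mismatch: claimed {exp.expense_type}, merchant sells {actual}")
    # Gift and entertainment spend must name who received it or attended.
    if exp.expense_type in ("meal", "gift") and not exp.recipients:
        flags.append("missing-recipients")
    # Limit check by type, rank, location and headcount; a pre-approved
    # exception is recorded rather than treated as a violation.
    limit = per_head_limit(exp)
    if limit is not None:
        per_head = exp.amount / max(1, len(exp.recipients))
        if per_head > limit and exp.pre_approval_id:
            flags.append(f"limit-exceeded-preapproved:{exp.pre_approval_id}")
        elif per_head > limit:
            flags.append(f"limit-exceeded: {per_head:.2f}/head > {limit:.2f}")
    return flags

def review_batch(expenses: List[Expense]) -> Dict[str, List[str]]:
    """Map expense id -> flags, keeping only records that raised at least one."""
    return {e.expense_id: f for e in expenses if (f := review_expense(e))}

# Constructed sample records: clean; mismatched vendor and over limit;
# high-risk-location gift; gift with no recipient; pre-approved exception.
SAMPLE_EXPENSES = [
    Expense("E1", "alice", "staff", "US", "meal", "5812", 120.0, ["alice", "client-a"]),
    Expense("E2", "bob", "staff", "US", "meal", "5651", 80.0, ["bob"]),
    Expense("E3", "carol", "executive", "XX", "gift", "5732", 90.0, ["official-z"]),
    Expense("E4", "dave", "manager", "US", "gift", "5732", 40.0),
    Expense("E5", "erin", "staff", "US", "meal", "5812", 200.0, ["erin", "client-b"], "PA-17"),
]
```

Running `review_batch(SAMPLE_EXPENSES)` leaves E1 unflagged and raises the vendor mismatch, missing-recipient, over-limit and pre-approved findings on the other four records.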

Fifth: Build Counterparty Due Diligence
Set clearly defined criteria for determining the scope and level of due diligence to conduct on each counterparty.
- Risk-based approach: The level of scrutiny should be based on entity type (e.g., customer, supplier, agent), location (the country's corruption perceptions index score), industry, and state ownership.
- Automate your systems: Connect customer and vendor onboarding systems to your due diligence provider via API. Include questions about entity type, location, industry and state ownership in your customer and supplier onboarding portals.

Sixth: Build Enforcement
You'll need procedures that tell you what to do when an employee goes awry. Example: an employee exceeds spending limits without clearance. You should have procedures setting forth who will investigate, who will decide on discipline, and what the discipline may include for particular violations.

Seventh: Build Conflicts Disclosures
You'll need a simple way for employees to tell you about their potential conflicts (outside business interests, relationships, etc.). Many software tools are available for this. Employees should be asked upon hiring and periodically afterwards. You'll also need a procedure to decide which conflicts will be allowed and which have to be solved (e.g. by ending an outside project or changing a managerial reporting structure).

Eighth: Build Reporting
The compliance function should report at least quarterly to either the full board or, more commonly, the Audit Committee. Track compliance metrics for presentation to the Committee:
- Investigation cycle times
- Number, type and location of cases
- Percentage of substantiated allegations
- Emerging trends
Work cross-functionally to ensure the audit committee has a complete view of issues across the company. Each function should submit data on policy violations, audit findings, employee misconduct, etc. Interpret changes in data over time.

How do you get executive oversight?

First: Executive Buy-In
The DOJ and SEC's Resource Guide to the FCPA states: "Compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.... DOJ and SEC consider the commitment of corporate leaders to a culture of compliance and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees. In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the... program to one or more specific senior executives."

Second: Compliance Committee
Compliance Committees are well established as a preferred method to help implement the DOJ's executive buy-in requirements discussed above. The Committee's existence reduces risk. It also could mitigate penalties in the event the company ever had a compliance issue and faced government investigation.

Compliance Committees are considered a best practice by virtually all experts in the field. According to a CEB survey, the majority of public companies (79%) have a Compliance Committee. The 21% who do not use this approach tend to be small companies without international operations.
(Chart: existence of a Compliance Committee at public companies. Yes = 79%, No = 21%.)

What Does The Committee Do?
1. Oversees a formal risk assessment process that covers areas addressed by the Code (FCPA, trade, conflicts, etc.)
2. Benchmarks the compliance function against peer companies and evaluates its effectiveness
3. Identifies and addresses gaps in policy, training, oversight, and enforcement
4. Determines the scope and ownership of compliance-related work:
   a. Vets and approves new company policies to avoid functional overlap.
   b. Determines which functions will oversee which policies.
   c. Determines best approaches for training and enforcement.
   d. Evaluates which internal controls are needed.
   e. Establishes internal investigation protocols.
   f. Ensures that adequate resources are in place to achieve goals.
5. Tracks compliance metrics for presentation to the Board or Audit Committee

Who Should Serve on the Committee
The typical Committee is chaired by the Chief Compliance Officer and includes Legal, Finance, HR, and Audit executives. But a CEB survey revealed important trends:
- The requirement of management oversight of compliance has led to increased participation by CEOs and senior business unit executives.
- The increasing importance of technology in risk mitigation has drawn more IT executives onto compliance committees.

Benchmarking
The DOJ & SEC's FCPA guidance states: "When it comes to compliance, there is no one-size-fits-all program. Indeed, small and medium-size enterprises likely will have different compliance programs from large multinational corporations, a fact DOJ and SEC take into account when evaluating companies' compliance programs."

Benchmarking against other compliance programs is necessary to ensure your program is comparable to others within your industry and at your level of maturity. The following organizations provide benchmarking resources:
- Society for Corporate Compliance and Ethics (SCCE)
- Corporate Executive Board (CEB)
- Ethics & Compliance Initiative (ECI)
- Bay Area Ethics & Compliance Association (BECA)
- High Tech Compliance Group (HTCG)
- Ethisphere

Demo of some Snap compliance tools

- Conflict of Interest Disclosure Demo
- Gift & Entertainment Pre-Approval Demo: Pre-Approval Form (Concur Expense Management Tool)
- Customer Onboarding Demo: New Customer Screening Form (Salesforce.com)
- Gift Disclosure Demo: Gift Disclosure Form (Navex)

The End