Thursday, December 29, 2011

Process Framework for Managing Compliance Risk

Organizations' exposure to compliance risk is rising at the same time the cost of compliance soars. An ad hoc or reactive approach to compliance brings complexity, forcing the business to be less agile. Organizations in the past have addressed compliance as singular issues or obligations, which often resulted in multiple initiatives working in isolation. Isolated compliance initiatives tend to rely on manual processes burdened with assessments managed through spreadsheets, documents, and email, which are costly and unreliable. This makes it difficult to adapt to new regulatory requirements while increasing pressure and anxiety for management, employees and business relationships.

Without a business process view to manage compliance risk, organizations will continue to be burdened with the overload and complexity of compliance data. Organizations need complete visibility into a portfolio of compliance processes spread across a distributed and complex business. Organizations need information and not just data.

Success in compliance risk management begins with a strategy — how to effectively manage compliance across the organization. Ultimately, the organization needs to identify and prioritize major risks resulting from regulatory mandates, and maintain oversight and control over business processes to mitigate these risks. In a compliance business process architecture, accountability and compliance are effectively managed and the business has a system of record to understand and manage the diverse complexity of compliance issues. Compliance needs to be an active and living part of the organization and culture to prevent and detect issues across the business. It is a continuous and ongoing process to be monitored, maintained and nurtured. Meeting this challenge requires a new paradigm, one that establishes compliance processes that move from a reactive fire-fighting mode to one that actively manages, monitors, mitigates, prevents, and detects compliance-related risks.

Using the OCEG GRC Capability Model as a basis and integrating compliance risk management requirements from experience as well as guidance from USSC Organizational Sentencing Guidelines, U.K. Bribery Act, and Australia’s 3806:2006, there are common core processes that compliance can establish to manage compliance risk. A business process framework to manage compliance risk in the 21st century enables an organization to manage and monitor compliance risk through:

  • Compliance program management: This is the core process that everything else revolves around. It integrates all the other functions to provide a single cohesive program for managing and scheduling compliance reporting, assessments, controls, investigations, policies, regulatory change, and specific projects and tasks. An effective program delivers a 360-degree view of compliance risk management activities.
  • Compliance risk identification and assessment: Risk assessments are foundational to compliance initiatives. In addition to a periodic risk assessment, the organization must have regular compliance risk assessment and monitoring activities to ensure policies and controls that maintain integrity are in place and working. The compliance risk identification and assessment process drives every aspect of a successful program as it identifies and models compliance risk that all the other processes build upon.
  • Regulatory and risk intelligence: To keep current on compliance risk requires that the organization have a process to continuously monitor changes to the regulatory and risk environments impacting the business, and to monitor the business for change. This involves identifying subject matter experts for each compliance risk area that are accountable for monitoring internal changes and external change from regulators, courts, legislatures, and other sources to identify new and developing compliance risks that will impact the business.
  • Policy definition, communication, and maintenance: Organizations must have documented and up-to-date policies and procedures that both address the compliance and ethical risks and are in accordance with the culture, values, and obligations of the organization. Compliance requirements and processes must be clearly documented within policies and procedures. The policy definition, communication, and maintenance process provides proof that the program is sound and controls are adequate.
  • Compliance risk reporting and accountability: Compliance is a distributed and federated function in most enterprises. While the board has ultimate accountability, responsibility for compliance risk management falls to the CECO, and is delegated across a variety of business processes and functions. To effectively provide assurance to the board and executives, an effective GRC approach requires that a process of compliance risk governance, accountability, and reporting be in place. This requires collaboration with other roles such as internal audit, and establishes lines of communication throughout the business.
  • Due diligence efforts: An established process to document due diligence efforts shows that employees and business partners are properly screened, and assures the business that it is not engaging with individuals or organizations that have a bent toward unethical behavior. It also assures the organization that individuals have the right background, resources, and experience to do the job they are engaged for.
  • Training and communication: Written policies are not enough — individuals need to know what is expected of them day-to-day and their business operations. Organizations are increasingly using online training in addition to discussion-led training to raise compliance and ethics awareness. There is also a trend toward using interactive technologies and learning simulations. The training and communication process is key to communicating the corporate culture, obligations, and expectations across the organization and to business partners.
  • Ongoing compliance assessment: The organization needs ongoing assessment of compliance policies and controls. This involves surveys, self-assessments, and automated assessments for regular compliance risk and control monitoring. Successful organizations conduct assessments not just on a periodic basis but whenever significant business change might impact compliance.
  • Enforcement of the control environment: While policies and procedures may define how the organization behaves, enforcement ultimately depends on controls. The organization should implement preventive and detective controls that support compliance obligations and policies. The organization needs to ensure these controls are in place and operating as designed. When there are issues, the organization must address these with corrective controls.
  • Record and report issues: Clearly defined processes must be in place for individuals to report concerns, weaknesses and wrongdoing. Reporting is often done anonymously via call centers or Weblines. Clearly defined processes must be communicated and maintained for management to document reports made directly to them as well so that one database can be maintained and audited.
  • Conduct investigations: Even in the best organization things go wrong. Investigative processes (e.g., hotline analysis, surveys, management reports, exit interviews) must be in place to quickly identify potential incidents of wrongdoing and to effectively investigate and resolve issues. This includes reporting to and working with outside law enforcement and authorities.
  • Implement communication and reporting processes: The organization must have channels of communication where employees can ask questions on policies and procedures to avoid misunderstanding as well as issues of noncompliance. Possible systems include help lines, interactive intranets with FAQs and ‘ask a question’, and forms processing where approvals are requested.
  • Third-party relationships: Central to an integrity and compliance program is the ability to identify and manage the risk of third parties. Technology enables the ongoing due diligence effort to monitor and score vendor and third-party risk, communicate a supplier code of conduct and other policies to vendors and track attestations, and deliver surveys and assessments.

Throughout all of these processes, compliance risk management needs to have a clearly defined lessons-learned process to make sure the organization is not a repeat offender. Organizations with a history of noncompliant conduct will find that they are not treated favorably by courts and regulators.

What are your experience and thoughts on the breadth of processes needed to build a strong compliance risk management program?

Wednesday, November 16, 2011

Principles of Compliance Risk Management

Understanding and Approaching Compliance and Ethics Risk

Historically the compliance function did not understand and model processes for risk management. Compliance documented and met requirements, and found and resolved issues. There was limited modeling of compliance issues and risk to determine business impact and prioritization of resources. Most often compliance was reactive, putting out fires instead of actively interpreting and predicting compliance and ethics risk issues, and developing treatment plans to mitigate or avoid damage to the organization.

The CECO in the 21st century must take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the current and future context of a dynamic and distributed business, and model risk and business impact today and into the future. In some industries CECOs are best served to use risk models that support decision tree and scenario analysis to model risk in their environments, but can also benefit from heat maps, MARCI charts (mitigate, assure, redeploy, and cumulative impact), and even quantitative approaches such as loss distributions in Monte Carlo simulations to portray loss and impact (if there is enough data to make these meaningful).

Regardless of the complexity of the analysis, the principles of compliance risk management are the same:

  • Understand your risk: An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic, done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and entry into new markets).
  • Approach compliance based on proportionality of risk: How an organization implements compliance procedures and controls must be based on the proportionality of the risk it faces. If a certain area of the world or a business partner receives a high risk score for ethics or corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Monitor the risk and regulatory environment: Content and information on changes to risk and regulatory environments is critical. New laws, changed regulations, court rulings, and standards of practice all change what is required of the organization. The compliance function needs to have a defined process and be accountable to monitor risk of changes in the regulatory environment.
  • Tone at the top: The compliance risk management program needs to be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Leadership must communicate what is both acceptable and unacceptable risk, and support the compliance and ethics program. Executives and the board must be informed about the effectiveness and operations of the compliance and risk management strategy to fulfill their fiduciary obligations.
  • Know who you do business with: Organizations need to know their business relationships. This requires that an established risk-monitoring framework is in place that catalogs the organization’s third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of risk of corruption, compliance, or ethical issues in a relationship, additional preventive and detective controls must be put in place. This goes beyond business partners: this means knowing employees, and conducting background checks where needed in order to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts, but must be done on a regular basis or when the business becomes aware of conditions that point to increased risk to ethics and compliance issues.
  • Compliance oversight: The organization must have someone responsible for oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to independent monitoring bodies such as the audit committees of the board.
  • Manage change in the business: The organization must monitor the business for changes that can impact its compliance and ethics program or introduce greater risk to corporate integrity. The organization needs to document changes required for business practices as a result of observations and investigations, and must implement changes through a deliberate program of change management. These changes must be monitored by compliance to actively prevent corruption.

What are your thoughts on the core principles of compliance risk management?

Tuesday, November 8, 2011

Compliance & Ethics in the 21st Century

Twenty-first century organizations are expected to do everything possible to manage and maintain corporate integrity. Demands coming from governments, the public, business partners, and clients require the organization to have defined values and ethics practices that are monitored and adapted to the demands of a changing business and regulatory environment.

Most organizations at least try to address external legal requirements and compliance obligations. The demands of the 21st century are changing the role of the CECO and moving organizations to actively manage and monitor compliance risk. Both internal and external stakeholder forces and events cause organizations to increase compliance monitoring and reporting, especially with regard to regulatory compliance, where demands grow every day. Boards and executive management want a deeper understanding of how the organization addresses compliance risk, whether compliance activities are effective and efficient, whether they are current enough for a distributed and dynamic business, and whether they enhance compliance activities.

The Critical Role of the CECO in a GRC Strategy

The focus on risk management is on the rise as stakeholder groups, rating organizations (e.g., Standards & Poor’s), shareholder advocacy groups, and enterprise partners increase their demands for transparency. So the CECO needs to manage and monitor ethics and compliance risk as part of an overall governance, risk management and compliance (GRC) program. The CECO is critical to a GRC strategy that brings together compliance, ethics, legal, risk, audit, finance, and business operations to collaborate and provide accountability. With responsibility for understanding the compliance, ethics, and cultural obligations and risks faced by the organization, the CECO is a critical player in the strategic design of collaboration and management of GRC.
The requirements of the 21st century compel CECOs to guide the enterprise beyond traditional concepts. The CECO must be a champion of corporate values, culture, and ethics. This requires that the CECO be an integrated part of the organization’s GRC capabilities. Today’s CECO must have a full understanding of the ethical, regulatory, and cultural risks the company faces, how they relate to each other, and how they fit into broader enterprise risk strategies. The CECO must be able to rely on well-managed cultural, compliance, and ethical risk management and governance processes to provide assurance that ethics and compliance efforts are appropriate to meet requirements and operate as designed.
The CECO in the 21st century must assure the board and other stakeholders that the company can maintain reliable achievement of objectives while addressing uncertainty and acting with integrity. The role must see that the organization will meet its objectives while being compliant with the boundaries set by laws, regulations, contractual and corporate commitments, and social responsibility obligations.

As a key player at the center of the strategic team of the enterprise, the CECO must address wide-ranging stakeholder demands and concerns, such as:
  • The desire to move compliance from corporate cop to champion of values, ethics, and culture within the organization.
  • Key external stakeholder (investors, regulators, NGOs, local communities) demands for transparency and evidence of effective compliance and ethics.
  • The board and C-suite need clear and reliable information about ethics, culture, and regulatory risks to drive strategic decisions and future outcomes.
  • Compliance executives need to allocate limited resources to minimize exposure to significant compliance and ethical risks.
  • Line executives need policy communications, training, surveys, and compliance risk assessments that do not disrupt operations, as well as coordinated compliance calendars, and content.
  • An overarching need for improved efficiencies and reduced risk throughout the extended enterprise that align business relationships with the organization’s values and code of conduct, while meeting compliance obligations.
  • Management of decentralized organizations where compliance owners and managers are located around the world.
  • Establishment of clear lines of accountability to gain greater control and responsibility for compliance risk.
  • Validation that the organization’s culture and practices align with other commitments to corporate social responsibility and sustainability.
All the while, the CECO must embrace a strategic view that satisfies the demands of all of these competing forces while keeping an eye on the prize — meeting organizational objectives and delivering strategic value. This requires the CECO to build collaborative relationships with other GRC roles across the business.

Building Relationships across the Business

The CECO is faced with the challenge of encouraging other executives to work together to revamp existing siloed and haphazard risk management, compliance and governance systems, and turn them into an integrated process that provides greater transparency, reliability and value. A well-defined and implemented GRC approach is essential for 21st century compliance management. Without it, governance and strategic planning are weakened while integrity and compliance are threatened by misallocation of resources. Additionally, this GRC approach must include the elements necessary for objective, independent and measurable evaluation of GRC systems. There must be capable, well-informed ethics and compliance personnel in place to provide assurance to management and the board that all of this is effectively and efficiently working as designed. To develop and maintain a strong GRC management process, the CECO must have the support of, and share information with, a number of key members of the executive team.

It is critical that the CECO play a key role in developing and driving GRC strategy by understanding the compliance and ethical risks the organization faces and the opportunities to control cost, improve resource utilization and create sustainable scalability and alignment with company goals and objectives. CECOs should be prepared to champion corporate compliance and ethics goals, for example:
  • Articulate to the board why having a clear and conformed view of compliance and ethics effectiveness is critical to the organization’s culture and performance, as well as to meeting the board’s fiduciary responsibilities.
  • Demonstrate how centralized oversight and supporting technologies for policy communication and training drive predictable behaviors and performance results.
  • Communicate the benefits of including compliance and ethics within business change initiatives and partner/supplier relationships.
  • Influence key functional executives to support compliance and ethics’ role in the organization’s achievement of business objectives.
  • Collaborate with key executives to develop GRC processes for measurable evaluation of effectiveness and efficiency, and to support business agility.
  • Assist the CEO in evaluating opportunities and preventing adverse effects from identified regulatory compliance and ethical risks.
  • Help management appreciate how an integrated GRC model can improve processes while reducing or eliminating redundant efforts that can be leveraged across assessment, training, awareness, investigations and policy management.
  • Incorporate compliance risk management and assurance across extended business relationships (e.g., supply chain, vendors, and contractors).
Collaboration is required to break down organizational barriers to compliance management and develop a risk-driven GRC strategy that is effective, efficient, and agile enough to meet the demands of a changing business and regulatory environment. Executives already understand they are critical players as the eyes and ears of the organization as it works to achieve objectives. By leading them to understand the value of an integrated GRC approach, the CECO in the 21st century can be a central force to establish and maintain integrity as the organization drives towards business objectives and performance.

CECO: Answering to the Board and Executives on Compliance

Historically, compliance was a distributed function lacking consistent processes and approaches between the distributed functions. Corporate compliance (typically not responsible for all of compliance) was often found in legal. Going forward, though, pressure will increase for one role to have oversight of and be accountable for compliance risk management. That will likely be the CECO.

The traditional role of compliance management is moving out of legal and other areas, taking on broader responsibility for ethics, compliance, integrity, culture, and social responsibility across the organization, and having a direct reporting relationship to the CEO and/or board of directors. This is most frequent in highly regulated industries. Some organizations are differentiating between operational compliance and legal compliance by having legal monitor and interpret the laws that impact the organization. Regulators and government agencies are in some cases requiring, or at least encouraging, the compliance role to report outside of legal so it has greater ability to raise issues and see them resolved.

What is becoming critical is the CECO’s ability to report to the board of directors. Since 1996 in the U.S., the board has had responsibility to see that a compliance and ethics program is in place. This was most recently made clear in the United States Sentencing Commission Organizational Guidelines, which require that the board be knowledgeable about the content and operation of the compliance and ethics program and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program — with the specific ability for the CECO role to have direct access to the board or an appropriate subgroup of the board.

What are your thoughts on the role of the CCO/CECO and compliance in the 21st century?

Tuesday, November 1, 2011

INTEGRITY: Does Your Organization Walk Its Talk?

Compliance risk management in the 21st century boils down to defining and maintaining corporate integrity. Organizations operate in a field of ethical, regulatory, and legal landmines. Any day of the week, business and trade publication headlines reveal failures to heed compliance obligations and ethical practices. In an era shaped by WikiLeaks and widespread coverage of corporate exposure and scandal, the organization must understand, manage, and monitor the range of ethical and compliance risks challenging its integrity.

Most organizations have written ethics and compliance practices to govern business practices, transactions, processes, employees and relationships. However, as the growing number of scandals and legal issues attest, this solution is often just smoke and mirrors, and not an integrated part of the corporate culture and business operations. Corporations in the 21st century must establish and maintain integrity to ethics, values, and compliance practices — and demonstrate they are reality, not fiction.

Integrity in compliance and ethics involves walking the walk — not just talking the talk. Integrity is measured by what a corporation does and does not do when it thinks it can get away with something. All too often corporate reports, filings, and stakeholder communications state one thing when in reality the corporation is doing something else. This inconsistency comes as a result of ignorance, market and management pressure, but far too often is simply an outright willingness to deceive.

Integrity is a mirror revealing the truth about a corporation’s ethics and compliance practices. Integrity is violated when corporate policies and procedures are thrown out the window. From an organization’s perspective, personal and corporate integrity are two sides of the same coin. For a corporation to have integrity, it must be an ethical environment with employees and business partners willing to follow and enforce corporate culture, policies, and procedures. Employees want to work for a corporation committed to doing the right thing, in sync with their personal values and beliefs, and which has the integrity to live by its communicated practices and commitments.

Compliance and Integrity in Dynamic and Distributed Business

Compliance risk management in the 21st century organization is not easy. Business is global. Organizations across industries have global clients, partners and business operations. The larger the organization is, the more complex its operations are, particularly interactions with external entities around the world.

Adding to the complexity of global business, today’s organization is dynamic and constantly changing. The modern organization changes every minute. New employees come into the organization; others change roles, some leave. New business partner relationships are established; others terminated or changed. The business executes on strategy and enters new markets, opens up new facilities around the world, contracts with agents, or introduces new products and services. New laws are introduced that impact the organization, regulations change, and the risk environment (e.g., economic, geopolitical, operational) changes — impacting how business is conducted.

The distributed and dynamic nature of business makes defining and maintaining corporate integrity a challenge. How does an organization validate that it is current with its legal, regulatory, policy, and other obligations in the face of an ever-changing business environment?

Who Defines the Organization’s Values and Ethics?

Values and ethics that establish corporate integrity practices must be defined, communicated, and modeled. The issue is, who defines these values and ethics?

The answer stems from the corporation’s overall culture — but that too has to be modeled and defined somewhere in the organization. There are several places that values and ethics can be molded. These are:

  • Directors and executive management: Ultimately the board and management have a key stake in establishing the culture, ethics, and values of the organization. It is at this level that the code of conduct should be defined and enforced. The board is also critical in establishing risk appetite and tolerance levels that impact how an organization defines its culture of risk-taking, which impacts compliance risk and the culture of the organization.
  • Employees: If executives fail to define, communicate and train about values and ethics, then employees are left to define corporate culture themselves. Even when executives define and communicate values, employees mold, shape, and make the corporate culture a reality and communicate it to the rest of the world.
  • Business partners: An organization is no longer an entity unto itself — it is impossible to define where the boundaries of an organization start and stop. The extended enterprise of business partners, supply chain, outsourcers, service providers, contractors, consultants, temporary staffing, and clients influence and shape the culture and brand of an organization. Organizations, particularly in an era of corporate social responsibility, need to validate they are doing business with organizations that share the same values. No organization wants to be in the media spotlight for partnering with an unethical business.
  • Clients: Ultimately an organization exists to provide value. For commercial organizations this is financial value, not just ethical value. To achieve financial value it is necessary to attract clients. Clients obviously want to achieve value in quality products and services from the organization. However, they are also becoming more selective in doing business with organizations that share the same ethical and social values.
  • Governments: Through regulation, legal liability, and plain old pressure, governments extend great influence on the culture and values of the organization. The economic crisis of 2008-2011 has provided many examples of government’s influence and control over entire industries as well as practices within those industries (e.g., salary and bonuses).
  • Nongovernment organizations (NGOs): Nonprofits, lobbyists, and associations all have sway over organizations and how they define culture, values, and ethics. NGOs wield great political, social, and media influence.

The net result is that organizations will have their values and ethics defined somewhere. Either management will lead, or others will define it for them. Where values and ethics are not centrally defined and communicated as a part of corporate culture, the organization risks going in a direction it never intended. Additionally, an ad hoc approach to defining corporate values leaves the door wide open for corruption.

This requires the organization to define its culture at the top, but also to communicate and model it down to the lowest-level employee. No longer can an organization sit back and show unwillingness to influence employee behavior. The job of the CECO is to articulate and communicate the culture as defined by the board of directors and executives, establish it in policies and procedures, and monitor compliance on a continuous basis. In the past this was done in reaction to SEC requirements and Sarbanes-Oxley in a post-Enron world. After the first decade of the 21st century, this has changed significantly. Expanded regulations, a flat world, increased criminal and personal liability for executives, extensive decentralization of the enterprise, social media, the era of WikiLeaks, an agitated public, and stressed economic markets all require that the organization do more than talk about integrity.

What are your thoughts on corporate integrity and how it is carried out in compliance and ethics?

Tuesday, October 18, 2011

Regulations and a Demand for Integrity Bear Down on the Organization

Managing an organization’s ethics and values is challenging enough. A legion of laws, regulations, contractual obligations, judgments, and fines bear down on the organization and the CECO in the 21st century. There is a difficult path ahead for ethics and compliance management. Compliance is particularly difficult, as business is bombarded with thousands of new regulations each year.

U.S. Perspective
At the U.S. federal level (not including U.S. state or local jurisdictions) more than 3,500 new regulations were issued last year, bringing the total issued since 1995 to nearly 60,000. Another 4,000 new laws and regulations are pending approval. The sheer volume is staggering. The FCPA is a particular hotbed of compliance activity in the U.S.:
  • The court found Frederic Bourke, Jr. was willfully blind and as an investor he should have done more due diligence and should have known that the energy company he invested in bribed foreign officials.
  • The government told Nature’s Sunshine’s CFO and COO they should have had better controls over financial reporting, even though the SEC never stated they specifically knew of the bribery happening within the corporation.
  • The average cost of an FCPA settlement is $50 million plus the expense for an external monitor to validate a compliance program is in place for the next 10 to 20 years. This does not include investigation expenses.
  • The U.S. Department of Justice assessed nearly $2 billion in fines in 2010. Eight of the top 10 FCPA settlements occurred in 2010. BAE Systems was the third largest fine at $500 million. Daimler AG had $185 million in fines and disgorgements. Snamprogetti had $365 million in fines (the fourth-largest).
  • Charles Jumet, former VP of Ports Engineering Consulting Corporation, was sentenced to 87 months in prison.
  • Siemens spent $850 million in fees and expenses to investigate anticorruption. Daimler had a five-year investigation that cost over $500 million.
European Perspective 
Europe has been known for a principles-based (or outcomes-based) approach to compliance, which originates with the United Kingdom's Financial Services Authority. Regulators there have turned their focus away from specific requirements toward understanding and interpreting compliance in light of the risk the organization faces, requiring a risk-based approach to compliance. Adding to compliance mandates, the U.K. approved the U.K. Bribery Act (UKBA) in 2010, and it came into force in July 2011. This brings broader scope and implications to anticorruption compliance. Both the FCPA and the UKBA are country-specific initiatives in support of the Organization for Economic Cooperation and Development's (OECD) anticorruption initiatives in 34 countries. The OECD has released Good Practice Guidance on internal controls, ethics, and compliance to combat corruption around the world.
Australian Perspective
Australia, through the AS/NZS 3806 standard, takes a principles-based approach to compliance. Its 12 principles provide guidance to organizations designing, developing, implementing and maintaining an effective compliance program, grouped under:
  • Commitment
  • Implementation
  • Monitoring and measuring
  • Continual improvement
In addition, mandates such as those issued by the Australian Securities and Investments Commission (ASIC) and the Australian Prudential Regulation Authority (APRA) broaden the scope and compliance requirements for listed organizations and those within the financial services industry.
The Era of the Corporate Bounty Hunter
Government is cracking down on organizations that lack integrity in their ethics and compliance practices. The current environment is seeing increased actions and judgments for noncompliant behavior such as corruption, insider trading, antitrust abuse, harassment, discrimination, fraud, and privacy violations. Fraud and unethical behavior is not tolerated — government and society have had enough. One aspect of this change is the government focus on initiatives that establish rewards for corporate whistleblowers. This heralds the era of the corporate bounty hunter.

The U.S. government recently introduced its most extensive regulation for uncovering corporate wrongdoing in the Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub.L. 111-203, H.R. 4173). Title IX, Subtitle B gives the SEC the power to run a "whistleblower bounty program." The program awards 10 percent to 30 percent of the monetary sanctions to corporate whistleblowers who provide information leading to a successful government enforcement action with sanctions of more than $1 million. In an era of increased scrutiny and judgments for corruption, insider trading, and other areas, this is a significant concern that keeps executives, the board, legal, and compliance professionals up at night.

This just scratches the surface of the regulatory burden on organizations, amid thousands of obligations spanning employment, quality, health and safety, environmental, business transactions, privacy, security, and many other areas. Distributed businesses whose transactions and relationships cross jurisdictions have a great deal to answer for when it comes to regulatory oversight. The burden is so great that companies must apply limited resources through a risk-based approach to understand where their greatest ethics and compliance risks lie. A risk-based approach complements a values-based approach and enhances corporate culture. While culture and values ultimately drive compliance, an organization must understand where its greatest compliance exposure is and allocate resources accordingly.

This is the second in my series on Compliance Management in the 21st Century. The previous ones have been:

I would love to hear your thoughts as well – please share them.

For those that cannot wait for all of my upcoming posts – you can read my thoughts and perspectives in my most recent written report:  Compliance Risk Management in the 21st Century.

Wednesday, October 12, 2011

From Finding and Fixing Problems to Compliance Risk Management

Over the next several posts we will now turn our attention to the evolving role of Corporate Compliance and Ethics.

Regulations, ethics, and integrity are challenging the organization like never before. Governments are increasing scrutiny of organizations, stakeholders demand transparency, clients want assurance the organization is reputable and upholds their values, and business partners require commitments to compliance and ethics.

The role of the chief ethics and compliance officer (CECO) has changed: it has evolved from various compliance areas to become a strategic pillar of the enterprise. The CECO in the 21st century has more to do than find and fix problems and ensure compliance requirements are met. Today’s CECO has to ensure compliance risk is understood and managed, that organizational obligations are more than written policies but part of the fabric of business operations and interactions, and that there is a strong corporate culture that ensures social responsibility as part of the ethical environment. A strong compliance program is based on values, but requires a risk-based approach to understanding and prioritizing limited resources to combat risk.

CECOs are climbing the corporate ladder to a higher status. What was scattered across business functions — with a concentration in legal — is now coming of age as a senior executive role. With the burden of increased scrutiny, oversight, and ethics the CECO is often reporting directly to the board of directors and senior executives.

Yesterday’s compliance program will no longer work. The 21st century demands a robust compliance program to manage the breadth and depth of ethics and compliance risk that bears down on the organization today.

This is the beginning of my thoughts to start the discussion, please expect several more posts over the next few weeks as I share more deeply my research and insight into the evolving role of corporate compliance and ethics.  I would love to hear your thoughts as well – please share them.

For those that cannot wait for all of my upcoming posts – you can read my thoughts and perspectives in my most recent written report:  Compliance Risk Management in the 21st Century.

Monday, September 26, 2011

Role of Technology in Anti-corruption Compliance

With increased exposure to anti-corruption laws and investigations, and defined anti-corruption practices, how does an organization go about using technology to manage anti-corruption compliance?

Compliance needs to be an active part of the organization and culture to prevent and detect corruption, bribery, and fraud. This continuous and ongoing process must be monitored, maintained, and nurtured. The challenge is establishing corruption prevention and detection activities that move the organization from a reactive fire-fighting mode to one that actively manages, monitors, prevents, and detects risk. This requires the organization to implement technology to manage anti-corruption compliance.

Technology can help organizations manage and monitor anti-corruption compliance by enabling and automating:
  • Compliance program management: The organization needs a 360-degree view of compliance activities and reporting. This requires an end-to-end system for managing compliance activities, metrics, and reports. From this system the organization should be able to produce reports and metrics relevant to the board of directors and executives, to assure them they are meeting their fiduciary obligation to have an anti-corruption compliance program in place. All compliance management personnel and employees should be able to access the system and see contextually relevant tasks and items.
  • Regulatory intelligence and change management: The integration of regulatory content feeds and technology enables the compliance program to monitor changes in anti-corruption laws, requirements, and cases to determine how new developments impact the business. The organization must use technology to take in legal and regulatory feeds and route them to the correct subject matter expert for review and business impact analysis.
  • Compliance risk assessment: Risk assessments are mandatory for compliance initiatives. The organization needs a technology platform to manage risk surveys, assessments, and related risk information and report, analyze and model risk.
  • Policy and procedure management: A core process of a compliance program is the ability to document policies and procedures to maintain a state of compliance. All relevant policies related to anti-corruption should be documented, maintained, communicated, and attested to within a technology platform with a robust audit trail and content management capability. This includes code of conduct, anti-corruption, and other related policies.
  • Training and communication: It is not enough to make written policies available — the organization also needs to train individuals on policies. Organizations are increasingly using the economies of online training to deliver courses on anti-corruption, and to test employee understanding of policies and requirements.
  • Third-party management: Central to an anti-corruption compliance program is the ability to manage the risk of third-party entities you interact and do business with. Technology, and the integration of content feeds, enables the ongoing due diligence effort to monitor and score vendor/third-party risk, communicate policies to vendors, track attestations, and deliver surveys and assessments.
  • Forms processing and automation: A critical component of an anti-corruption program is the ability to process and automate forms related to compliance policies and procedures. Requests for contributions, gifts, entertainment, and facilitation payments should be managed through online forms and workflow for approval or disapproval, so that each decision and its approver are recorded.
  • Investigations management: Technology enables the organization to manage and monitor issues and incidents, and collaborate and document investigations. This includes the ability to record the range of issues reported from hotlines and other mechanisms, what actions were taken, and the results of the investigation.
This is the third installment in a three-part series on Anti-Corruption. The first article can be found at:

I would love to hear your thoughts on the role of technology in anti-corruption compliance. This series is a collection of pieces from a published paper – the rest of the paper can be found at:

Thursday, September 15, 2011

Meeting Anti-Corruption Obligations

With increased exposure to anti-corruption laws and investigations, how does an organization respond to anti-corruption compliance obligations?

The best offense in anti-corruption is a good defense. Organizations must be prepared to show that they have a strong compliance program in place to mitigate or avoid exposure to penalties. In today’s complex business environment, incidents do happen — the organization defends itself by demonstrating it has implemented appropriate compliance measures to prevent and detect issues of corruption and noncompliance. The goal is to have preventive measures in place to avoid corruption issues, while at the same time having detective measures to monitor for instances of corruption and respond quickly and efficiently. This includes reporting and cooperating with authorities in investigations.

While there are different anti-corruption laws around the world, the compliance aspects of these laws are based on common requirements that form the backbone of any good compliance program. From a U.S. perspective, the best defense is to show that the organization has met the elements of an effective compliance program as established by the United States Sentencing Commission Organizational Guidelines.[2] The U.S. guidelines complement and coordinate well with the U.K.'s guidance, which requires a company to demonstrate adequate procedures to prevent bribery. Under the U.K. Bribery Act it is a full defense for an organization to prove that, despite a particular incident of bribery, it nevertheless had proper compliance practices in place to prevent corruption and bribery. Both the U.S. and U.K. guidance align with and support the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance.

An integrated view of the U.S., U.K., and OECD guidance requires that an organization have the following compliance elements in place:

  • Understand your risk: An organization must have a risk-based approach to managing anti-corruption. This includes periodic assessment (e.g., annual) of the exposure to the organization for corruption and unethical conduct. However, the risk-assessment process should also be dynamic — completed each time there is a significant business change that could lead to exposure (e.g., mergers and acquisitions, new strategies, and new markets). Risk assessments should cover exposure to corruption in specific markets, business partners, and geographies.
  • Approach compliance in proportion to risk: How an organization implements compliance procedures and controls is based on the proportion of risk it faces. If a certain area of the world or business partner carries a higher risk for corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
  • Tone at the top: The compliance program must be fully supported by the board of directors and executives. Communication to and from top-level management must be bidirectional. Management must communicate that they support the anti-corruption compliance program and will not tolerate corruption in any form. At the same time, they must be well-informed about the effectiveness and strategies for compliance and anti-corruption initiatives.
  • Know who you do business with: It is critical to establish a risk-monitoring framework that catalogs third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of corruption risk in a relationship, additional preventive and detective controls must be established in response. This includes knowing your own employees and conducting background checks to understand if they are susceptible to corruption and unethical conduct.
  • Keep information current: Due diligence and risk assessment efforts need to be kept current. These are not point-in-time efforts that happen once; they need to be done on a regular basis or when the business becomes aware of conditions that point to increased risk of corruption.
  • Compliance oversight: The organization needs someone who is responsible for the oversight of anti-corruption compliance processes and activities. This person should have the authority to report to independent monitoring bodies, such as the audit committees of the board, to report issues of corruption.
  • Established policies and procedures: Organizations must have documented and up-to-date policies and procedures that address corruption. The code of conduct is the governing policy that filters down to other policies that address anti-corruption, gifts, hospitality, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, facilitation payments, and solicitation and extortion. Compliance requirements and processes must be clearly documented and adhered to.
  • Effective training and communication: Written policies are not enough — individuals need to know what is expected of them. Organizations must implement anti-corruption training programs to educate employees and business partners at risk of exposure to bribery, corruption, and fraud. This includes getting acknowledgements from employees and business partners to affirm their understanding, and attestation of their commitment to behave according to established policies and procedures.
  • Implement communication and reporting processes: The organization must have channels of communication where employees can get answers on policies and procedures. This could take the form of a help line that allows an individual to ask questions, a FAQ database, or form processing for approval of activities and requests. The organization must also have a hotline reporting system for individuals to report misconduct — in the U.S. this is called a whistleblower system, and in the U.K. it is referred to as a speak-up line.
  • Assessment and monitoring: In addition to periodic risk assessment, the organization must also have regular compliance assessment and monitoring activities to ensure that policies, procedures and controls to prevent corruption and bribery are in place and working.
  • Investigations: Even in the best organization, things go wrong. Investigation processes (hotlines, surveys, management reports, and exit interviews) must be in place to quickly identify potential incidents of corruption, and to quickly and effectively investigate and resolve issues. This includes reporting to and working with outside law enforcement and authorities.
  • Internal accounting controls: Organizations must keep detailed books, records and accounts that fairly and accurately reflect transactions and disposition of assets that could be implicated in corruption issues. This includes contract-pricing review, due diligence and verification of foreign business representatives, accounts payable payments, financial account reconciliation, and commission payments.
  • Manage business change: The organization must monitor the business environment for changes that introduce greater risk of corruption. The organization must document changes required to business practices as a result of observations and investigations, and address deficiencies through a careful program of change management. This requires that business change be monitored by compliance personnel to proactively prevent corruption.
This is the second installment in a three-part series on Anti-Corruption. The first article can be found at:

I would love to hear your thoughts on meeting anti-corruption obligations. This series is a collection of pieces from a published paper – the rest of the paper can be found at:

Wednesday, September 7, 2011

Managing Compliance with Anti-corruption Laws Is Increasingly Burdensome

Organizations across industries have global clients, partners, and operations. The larger the organization is, the more complex its interactions with external entities (e.g., government, regulators, contractors, vendors, and other third-parties) around the world.

Adding to the complexity and distribution of global business is a constantly changing business environment. In the brief moment spent reading this paper, your business has probably changed: New employees are hired, others change roles, and some leave. New business partner relationships are established — others terminated or changed. Business executes on strategy and enters new markets, opens up new facilities around the world, contracts with agents, or introduces new products and services. New laws are introduced that impact the organization, regulations change, and the environment around business changes, introducing risk (e.g., economic, geopolitical, operational) and impacting how business is conducted.

Global compliance in the context of a complex and dynamic business environment is particularly challenging as organizations face greater exposure to anti-corruption laws and regulations. How does an organization validate that it is current with legal, regulatory, and other obligations in the face of an ever-changing business environment?

First there was the U.S. FCPA

Laws such as the Foreign Corrupt Practices Act (FCPA) have been in place in the U.S. for nearly 35 years.[1] Despite this, each year brings more enforcement for noncompliance and growing fines and penalties from the U.S. Department of Justice.[2] In 2010, the number of enforcement actions was double that of any previous year.[3]

Growing liability:

  • The court found Frederic Bourke, Jr. was willfully blind, and that as an investor he should have done more due diligence and should have known that the energy company he invested in bribed foreign officials.
  • The government told Nature’s Sunshine’s CFO and COO they should have had better controls over financial reporting, even though the SEC never stated they specifically knew of the bribery happening within the corporation.

Fines are skyrocketing:

  • The U.S. Department of Justice assessed nearly $2 billion in fines in 2010
  • Eight of the top 10 FCPA settlements occurred in 2010
  • BAE Systems was the third largest fine at $500 million
  • Daimler AG had $185 million in fines and disgorgements
  • Snamprogetti had $365 million in fines (fourth-largest)
  • The average cost of an FCPA settlement is $50 million plus the expense for an external monitor to validate a compliance program is in place for the next 10 to 20 years. This does not include investigation expenses.

Executives can go to jail:

  • Charles Jumet, former VP of Ports Engineering Consulting Corporation, was sentenced to 87 months in prison

Investigation costs are significant:

  • Siemens spent $850 million in fees and expenses to investigate anti-corruption
  • Daimler had a five-year investigation that cost over $500 million

Harsh collateral sanctions, in which the government can also:

  • Terminate government licenses
  • Disbar the organization from government contracting
  • Disgorge company profits on contracts secured by improper payments

Now Organizations Have to Comply with the U.K. Bribery Act As Well

If the FCPA was not enough, the United Kingdom approved the U.K. Bribery Act (UKBA) in 2010, and it came into force in July 2011.[4] This anti-corruption law brings broader scope and implications to anti-corruption compliance. Both the FCPA and the UKBA are country-specific initiatives in support of the Organization for Economic Cooperation and Development's (OECD) anti-corruption initiatives in 34 democratic countries around the world.[5] The OECD has released Good Practice Guidance on Internal Controls, Ethics, and Compliance to combat corruption around the world.[6]

Among other things, the UKBA makes it illegal for a company operating or listed in the U.K. to make unofficial payments to public officials to secure or expedite performance of routine or necessary business transactions. The scope of the UKBA includes anyone with business operations in the U.K. and covers acts and omissions anywhere in the world. Organizations need to be prepared to defend themselves: under the UKBA, bribery by an employee or other associated person is treated as bribery on behalf of the organization, and it falls to the organization to demonstrate that it had an appropriate compliance program (adequate procedures) in place in order to overcome that presumption.

The U.K. Bribery Act establishes four criminal offenses for corporations[7]:

  1. Offering or paying a bribe
  2. Requesting or receiving a bribe
  3. Bribing a foreign public official
  4. Failing to prevent bribery

Dodd-Frank Whistleblower Provisions Make Matters Worse

In the U.S., anti-corruption compliance has become much more complex: the whistleblowing provisions of the Dodd-Frank Act entice employees to report ethical violations, such as bribery and corruption, directly to the government. The Act gives the SEC the power to enforce a whistleblower bounty program, under which whistleblowers receive a share of the fines and penalties resulting from an investigation should the organization be found culpable.[8] The scope includes fraud, antitrust, insider trading, corruption, and bribery. Corporate whistleblowers who provide information that leads to a successful SEC enforcement action receive 10 percent to 30 percent of monetary sanctions exceeding $1 million. In an era of increased scrutiny and judgments for corruption, this is a significant concern keeping executives, the board, legal, and compliance professionals up at night.[9]

This is an excerpt from my broader research piece on this topic:

Anti-Corruption: Efficient and Effective Compliance with U.K. Bribery Act, U.S. FCPA, and OECD Good Practices

[1] http://www.justice.gov/criminal/fraud/fcpa/

[2] FCPA Penalty structure: Violation — $250,000 and/or five years in prison for individuals, $2 million in fines for corporations. Violation of accounting provisions — $500,000 and/or twenty years in prison for individuals, $5 million for corporations. Willful violation of the books and records and internal control provisions — $25 million for the company, $5 million for an individual and up to 20 years in prison.

[3] http://www.justice.gov/criminal/fraud/fcpa/cases/2011.html

[4] www.opsi.gov.uk/acts/acts2010/ukpga_20100023_en_1

[5] http://www.oecd.org/department/0,3355,en_2649_34855_1_1_1_1_1,00.html

[6] http://www.oecd.org/dataoecd/5/51/44884389.pdf

[7] http://www.natlawreview.com/article/uk-bribery-act-2010-corporate-hospitality-or-when-beer-bribe

[8] Based upon the success of a similar program established by the IRS in 2006

[9] http://www.sec.gov/rules/final/2011/34-64545.pdf

Thursday, August 18, 2011

A Close Collaboration Between Audit and Compliance: Key for Effective Risk Management

The role of internal audit is expanding as it guides the enterprise beyond traditional attitudes about financial risk management, risk mitigation, and monitoring and toward evaluating a broader spectrum of compliance activities. Today's auditor must have a full understanding of the risks the company faces and how they relate to each other, and needs to rely on well-constructed and well-executed risk management, control, and governance processes in order to provide assurance that controls are designed appropriately and operating as designed.

At the same time, the role of compliance is expanding as it goes beyond the traditional roles of building an ethical workplace culture, identifying and managing regulatory and legal obligations, and implementing and monitoring policies, controls, and training. Today’s compliance officer, beyond being devoted to the business and shareholder requirement of building and maintaining an ethical organizational culture, must have an active role in risk identification, management, monitoring, and mitigation.

Audit and compliance—working together—are uniquely positioned to help the board and management understand the importance of an integrated approach to compliance that enables wise resource use, prevents undesirable outcomes, and grasps advantages while achieving business objectives.

As regulations like the UK Bribery Act and various import/export trade rules change the regulatory landscape, audit and compliance can together assess risk and ensure that compliance processes and controls are operating as designed and are effective in mitigating the most significant compliance risks.

Close collaboration between audit and compliance activities simply makes sense. Internal auditors have the skill set, interest, and focus to look at things in a measurable way, and they have a broad understanding of many facets of the company. Additionally, internal audit departments already have budgets and resources available to assess the effectiveness and efficiency of compliance processes. If audit is involved in the front-end design of compliance capabilities, the organization can be assured that compliance systems are built to support back-end reviews, which ultimately improves efficiency.

Audit’s existing relationship with the audit committee can be leveraged to enhance the compliance reporting process; without a consistent and measurable compliance function, audit will have trouble assessing this process and providing assurance to the board that it is operating effectively.

At the same time, compliance understands how multiple regulations impact different business units differently and can help identify places where controls can address multiple requirements and/or obligations. The entire compliance process needs to be audit-ready, with policies in place to deal with inquiries, subpoenas, formal audits, external reviews, and investigations. Working together, audit and compliance can monitor and periodically report to the CEO and board of directors on how compliance and ethics risks are being identified and addressed.

As the board and executive management bring assurance to all stakeholders of the strategic and organizational effectiveness of the enterprise and continue plans to both preserve and create value, an effective standard approach to providing assurance related to compliance and ethical risk is critical.
