
Date post: 11-Oct-2020
Developing Internal Compliance Melvin Glapion 2 November 2012
Transcript
Page 1:

Developing Internal Compliance

Melvin Glapion

2 November 2012

Page 2:

Kroll’s engagements in the last 12 months

We operate in varied and interesting territories

2 Proprietary and Confidential — Kroll Advisory Solutions

Page 3:

GDP growth can be found in countries where transparency is lowest

[Chart legend: CEE Countries, “Advanced” Europe, PIIGS, African Countries, BRIC Countries]

Average TI Score: 5.5

Average GDP % Growth Rate: 2.55%

Page 4:

US anti-bribery and anti-corruption regulation is being aggressively enforced

Immediate and direct consequences:

» Criminal and civil fines have consistently exceeded US$1bn over the last couple of years; and
» Number of cases pursued by SEC and DOJ has increased fivefold.

Long term initiatives adopted by global regulatory bodies:

US ramping up efforts:

» Record-breaking fines (e.g. Siemens and Tidewater);
» SEC and DOJ promising more “proactive” investigations; and
» Developing new strategies to strengthen activity.

US co-operating with other jurisdictions:

» Regulators co-ordinating on cross-border enforcement;
» Emerging markets at the root of many high-profile investigations; and
» Sector-specific investigations.

Page 5:

UKBA is far more stringent than FCPA

| Provision | FCPA | UKBA |
|---|---|---|
| Covers | Bribes paid or offered to foreign officials | Bribes paid to any person (not limited to foreign officials) |
| “Active Offense” vs. “Passive Offense” | Active—only act of payment prohibited | Active and Passive offenses: one for offering and the other for receiving bribes |
| Strict Corporate Liability | Only as it relates to accounting provisions for public companies | Establishes a new strict liability corporate offense for the failure to prevent bribery |
| Jurisdiction | US companies and its citizens, foreign listed companies, or any person committing an offence while in the US | UK nationals or residents, organizations based in or conducting some part of their business in the UK |
| Facilitation Payments | Allowed in the case of payments for expediting routine government action | Disallowed, though guidance may suggest that nominal payments are unlikely to be prosecuted |
| Costs associated with violating | Fines, penalties, disgorgement of profits, reputational damage, corporate legal costs | Fines, penalties, disgorgement of profits, reputational damage, corporate legal costs; criminal charges against board members, personal legal costs |

Page 6:

A stricter regulatory environment is emerging

SEC and DOJ fines ranked by amount (USD) for 2010-2011

2011

| RANK | COMPANY | TOTAL PENALTY | COUNTRY |
|---|---|---|---|
| 1 | JGC Corporation | 218,800,000 | Nigeria |
| 2 | Magyar Telekom | 90,800,000 | Macedonia, Montenegro |
| 3 | Magyar Telekom | 59,600,000 | Greece |
| 4 | Johnson & Johnson | 48,666,316 | Greece, Romania, Poland, Iraq |
| 5 | Bridgestone Corporation | 28,000,000 | Latin America |
| 6 | Johnson & Johnson | 21,400,000 | Greece, Poland, Romania, Iraq |
| 7 | Diageo Plc | 16,373,820 | India, Thailand and South Korea |
| 8 | Aon Corporation | 14,545,020 | South East Asia, Middle East and Latin America |
| 9 | IBM | 10,000,000 | South Korea and China |
| 10 | Maxwell Technologies | 8,000,000 | China |
| 11 | Maxwell Technologies | 6,350,890 | China |
| 12 | Armor Holdings | 5,690,744 | - |

2010

| RANK | COMPANY | TOTAL PENALTY | COUNTRY |
|---|---|---|---|
| 1 | BAE Systems plc | 400,000,000 | Saudi Arabia, Czech Republic & Hungary |
| 2 | Snamprogetti | 240,000,000 | Nigeria |
| 3 | Technip SA | 240,000,000 | Nigeria |
| 4 | ENI & Snamprogetti Netherlands BV | 125,000,000 | Nigeria |
| 5 | Technip SA | 98,000,000 | Nigeria |
| 6 | Daimler AG | 93,600,000 | Russia, China, Croatia |
| 7 | Alcatel-Lucent SA | 92,000,000 | Africa, Latin America and Far East |
| 8 | Daimler AG | 91,400,000 | Multiple across Eastern Europe, Africa, China and South East Asia |
| 9 | Panalpina | 70,560,000 | Africa, Latin America, Eastern Europe and Central Asia |
| 10 | Alcatel-Lucent SA | 45,372,000 | Honduras, Malaysia, Costa Rica and Taiwan |
| 11 | ABB Ltd | 39,314,262 | Mexico, Iraq |
| 12 | Pride | 32,625,000 | Mexico, Venezuela, India |

Page 7:

Compliance Measures: Best Practice

Best practice compliance procedures should include four discrete sets of proactive and reactive measures

1. PREVENT

• Third Party Screening
• Employee & Senior Hire Screening
• Risk Assessments
• PEPs Analysis
• Employee Training/Whistleblower

2. DETECT

• Financial Controls and Inventory Management
• Physical Security
• IT Security
• IT Countermeasures
• Audit & Governance

3. RECOVER

• External Investigations
• Internal Investigations
• External Forensics
• Internal Forensics
• External Legal
• Internal Legal

4. MONITOR

• On-going Employee & Third Party Monitoring
• Function Specific Focus
• Email Review
• Corruption, Bribery, Fraud, Audit and Governance Best Practice

EVENT

e.g. Fraud, Corruption or Bribery

Page 8:

Compliance Measures: Reality

Companies often react after an event has occurred and invest less in preventative measures

Page 9:

Compliance Measures: Prevention


Page 10:

Plethora of risks posed by emerging market deals

Undisclosed beneficial owners, conflicts of interests, PEP exposure and poor governance

Page 11:

Risk-based approach helps prioritise compliance

Suitable when dealing with third parties, employee screening and wider risk assessments

Page 12:

The Risk Matrix in practice

We tend to find that the risk profiles of third parties fall within the normal distribution of a bell curve

[Bar chart: number of companies by risk level (lowest: 1; highest: 30). Risk-level bands: 1-5, 6-10, 11-15, 16-20, 21-25, 26-30. Bar labels: 11, 32, 58, 60, 29, 10.]

Page 13:

Compliance Spectrum

Once risk level is identified, we can then determine the degree of due diligence required

[Diagram axis: Increasing level of risk]

Page 14:

Whistleblowing

Whistleblowing is on the rise since the financial downturn:

» Tip-offs to the FSA about potential wrongdoing at banks have increased almost four-fold since the onset of the financial downturn:
» The FSA received 3,733 calls from whistleblowers in the year to May - 276 per cent up on the number of tip-offs it received in the 12 months before the downturn.
» Nearly one in five of the investigations handled by Kroll for its corporate clients around the world was sparked by a complaint by an insider to someone other than a direct manager.
» Roughly 60 per cent of the above investigations have resulted in Kroll finding evidence to back up the original complaint.

Need to be mindful of whistleblower allegations that are malicious:

» Nearly two in 10 whistleblower complaints that Kroll has been hired to investigate were malicious allegations from individuals seeking revenge on an individual or company.

Page 15:

Compliance Measures: Detection


Page 16:

Robust detection measures are key

Financial Controls and Inventory Management
Audit & Governance
Physical Security
IT Security
IT Countermeasures

• Source of fraud is usually internal
• Exposure to threats also from external individuals, professional hackers and governments (e.g. Iran & China)
• Moving IT systems and infrastructure into emerging markets presents additional risk
• Penetration testing conducted by experts is crucial
• Caution towards external devices (e.g. USB sticks and increased usage of iPads)
• Greater security and encryption is required
• Risk, corruption and bribery pose serious reputational issues, but are also gaining strategic importance; therefore it is necessary to:
  • Ensure board members are committed to best practice compliance initiatives
  • Regularly review the compliance committee and board structure
  • Ensure compliance committee has access to individuals across the organisation who are responsible for prevention, detection and monitoring
• Robust policies and operating procedures should be able to identify potential instances of corruption, fraud and bribery.
• Ensure that business is not unduly exposed to externalities by taking necessary precautionary measures (e.g. careful selection of location and implementation of standard security procedures)

Page 17:

Compliance Measures: Recovery


Page 18:

Internal Compliance Measures: Monitoring


Page 19:

Post-Event Monitoring

Applicable to internal and external sources of risk

Function Specific Focus
Email Review
Corruption, Bribery, Fraud Audit - Best Practice
On-going Third Party Monitoring
On-going Employee Monitoring

• Adjust the frequency and level of the monitoring and/or re-screening according to the risk presented by the employee and their responsibilities
• Be mindful of cultural and local nuances
• Review high risk business functions such as procurement, finance, sales and senior directors to ensure they are compliant with best practice
• Monitor the development of PEP relationships amongst high risk employees
• Match frequency of screening to risk exposure
• Identify changes in the business relationship and subsequent level of exposure and adjust screening level and frequency accordingly
• Be mindful of laws governing confidentiality, particularly in parts of Europe
• Be authorised to review employee emails e.g. notifications or waivers
• Independent review
• Conducted by an expert team to undertake a thorough review of your internal compliance policies
• Conducted annually and signed off by the board.

Page 20:

Compliance Measures: Best Practice

Best practice compliance procedures should include four discrete sets of proactive and reactive measures
