How Are We Doing? Why We Assess Compliance Programs and Strategies for Assessment
SCCE Webinar, June 13, 2016
Pete Rock, Deputy Chief Compliance Officer, Knights of Columbus
Eric Morehead, Principal Consultant, Morehead Compliance Consulting
Morehead Compliance Consulting
1. Why Turn Over the Rocks? Some Benefits and Some Goals for A Periodic Compliance Program Assessment
2. Measure Twice and Cut Once: Preparing for a Compliance Program Assessment
3. Sum of Its Parts: What are Different Tools and Approaches Organizations Can Take for Assessments?
SOURCES FOR DATA
> Compliance and Ethics Program Environment Report, SCCE and NYSE Governance Services (CEPE 2014) http://m1.corpedia.com/resource_database/CEPEReport.pdf
> 2013 Association of Corporate Counsel / Corpedia Benchmarking Survey on Compliance Programs and Risk Assessments (ACC 2013)
Why Turn Over the Rocks? Some Benefits and Some Goals for Periodic Program Assessment
Why Assess?
• Regulator Expectations
  • Federal Sentencing Guidelines §8B2.1(b)(5)(B): “[E]valuate periodically the effectiveness of the organization’s compliance and ethics program”
  • Started appearing in NPAs and DPAs in the 2000s
  • Encouraged risk-based mapping and review of the Program
  • Builds off of language in the Organizational Sentencing Guidelines
  • Spelled out in the FCPA Guidance in November 2012: “DOJ and SEC will evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
Why Assess?
• Consequences are Large and Unpredictable
From: Brandon L. Garrett, Too Big To Jail: How Prosecutors Compromise with Corporations (Harvard U. Press 2014).
Why Assess?
• Stakeholder Expectations
  • Shareholders, including Institutional Investors
  • Board of Directors
• Prevention and mitigation of risk
  • An assessment can identify risks and suggest steps to prevent violations
• Identify gaps in training, policies, procedures, controls
  • An assessment can identify gaps that require attention
Why Assess?
• Budget prioritization
  • An assessment can identify areas to allocate resources
• Affirmative defense for organization & oversight personnel (Remember board members can be held liable for misconduct under the In re Caremark case.)
  • An assessment can provide an affirmative defense for both the organization & individual oversight personnel in the event of a violation
A Little Benchmarking: Who Assesses?
Do You Conduct a “Formal Assessment of the Overall C&E Function” [CEPE]? Yes: 83%, No: 17%
8 out of 10 of your peers.
Goals and Scoping
• What End Product Do You Want?
  • A detailed report with recommendations and action items?
  • To set a baseline for future assessments?
  • To provide a verbal update to the Board of Directors?
  • To answer specific questions?
• Begin with the End in Mind
  • What’s the timeline?
  • Who is the audience?
  • Will this be repeatable and periodic?
Goals and Scoping
• Who is in Charge?
  • Legal, audit, compliance?
  • What resources will they have?
  • What are the broad expectations for the result?
• What Operations Will Be Covered?
  • Will this review cover subsidiaries, joint ventures, overseas operations, contractors, etc.?
  • Will this review cover all aspects of the program (will it be multi-year)?
• How will data be collected?
  • Surveys, focus groups, interviews, document and record review
• Scoring and evaluation
  • Determine how (and if) there will be scoring and evaluation
  • Written report? With recommendations?
Goals and Scoping
• Should You Work With a Third Party?
  • Pros
    • Have already developed methodology and tools
    • Has resources, expertise and project management experience
    • Access to benchmarking and best practice data
    • Independence and ability to leverage independence
  • Cons
    • Costs – it can sometimes be easier to control costs internally
    • Possibly steep learning curve on your operations
    • Future repeatability dependent on contract with third party (you won’t own methodology)
    • Third parties could face barriers in some organizations
Who Conducts The Risk Assessment [CEPE]?
Internal: 73%, Third Party: 14%, Other/Combo: 13%
Measure Twice and Cut Once: Preparing for a Compliance Program Assessment
Let’s Get Started!!
• Who is on the team?
  • Usual suspects (legal, audit, HR)
  • Include “boots on the ground” – operational and international
  • Make sure team has resources, authority and profile
• Establish the process plan
  • Order of data gathering (including document review, surveys, focus groups, interviews)
  • Discuss possible scoring or reporting models
    • Seven hallmarks of the USSG
    • ISO 19600
    • Custom
• Build a realistic timeline – be generous but have clear goals and milestones
  • Complete assessments, including surveys and benchmarking, can easily take six months or more. Be cautious about expectations.
Let’s Get Started!!
• Consider Peer Organizations
  • Discuss assessment experiences and processes
  • Consider peers for benchmarking
    • Including public sources such as Code of Conduct and governance information
  • Keep up with SCCE and industry groups
• Establish Buy In (and Anticipation) at the Top
  • Regularly update the board
  • Consider building interest (particularly for survey components) at operational meetings and other internal marketing opportunities
• Look at Hotline/Helpline and Reporting Trends to Help Establish Scope
• Look at Prior Survey (Culture or HR Survey) Results to Help Establish Scope
Sum of Its Parts: What are Different Tools and Approaches To an Assessment?
What Now?
• Common Compliance Program Elements Included in an Assessment [CEPE]
  • Code: 79%
  • Training: 78%
  • Policies: 77%
  • Reporting System: 72%
  • Investigations: 62%
  • Communication: 59%
  • Culture of Ethics: 56%
  • BOD Oversight: 52%
  • KA of Risks: 43%
  • 3rd Party: 39%
What Now?
• What Documents Do You Gather?
  • Review of documentation that memorializes the program, including the code, written policies and procedures, any prior reviews or audits, reporting system information, board minutes, survey data, any program charters, training materials, communication examples
  • Access to resources, such as the intranet, LMS, gift reporting systems, etc.
  • Collection of data will be from various stakeholders and might be a good time to conduct interviews or establish questionnaires for stakeholders to fill out while providing data
• Leave the Door Open – Establish a Process for Follow Up and Additional Requests
Data Evaluation Considerations
• Written Standards
  • Clear, consistent, concise and available?
  • Are rules and applicability addressed?
  • Provides guidance and resources?
  • Systematic process for generation, update and review?
  • Policy portal or policy management system?
• Other Internal Data
  • Reporting statistics, investigations and disclosures
  • Internal reporting, BOD minutes
  • Training and communication examples
    • Online training availability and LMS operation
    • Live training process
  • IA reports – ERM data
Data Evaluation Considerations
• Some External Data Sources
  • Analyst and auditor reports
  • Litigation research (DPAs, NPAs, filings)
  • Media coverage
  • Corporate reviews, CSR reviews, public reports from NGOs and others
  • Other external stakeholder views
  • Data sources like NBES and risk topic specific data (such as data breach and social media)
  • Institutional investor proxies and statements
  • Informal sources like SCCE and local ethics roundtables
Looking Outside the Organization
• Benchmarking Data Can Be Instrumental To Useful Results
Does Your Organization Benchmark Your Compliance and Ethics Program [ACC]? Yes/No split: 59% / 41%
What Data is Collected [CEPE]? 43% Collect External Documentation
Just One More Question
• Culture Surveys Should Cover
  • Resources available
    • Do you know where to report? Have you read the Code in the last year?
  • Perception of organizational justice (e.g. “Do you feel the company takes allegations seriously? Do you feel all employees are treated the same?”)
  • Perceptions of misconduct
    • Perceptions of manager’s ethics
    • Perceptions of peer employee’s ethics
    • Pressure to commit misconduct
    • Perceptions of misconduct
    • Who commits it
  • Perceptions around reporting for those who have observed misconduct
    • Retaliation fears
Other Surveys
• Manager Sample Survey
  • Awareness of and adherence to specific policies/controls
  • Examination of key actual/perceived risks
  • Focused, deep-dive on specific targeted issues (e.g. “My organization has an anti-corruption policy that applies to operations in [country x], true or false?”)
• Broader Employee Sample for a Knowledge Assessment
  • Questions should be targeted (i.e. not every participant will receive all questions)
  • Questions should be based on baseline risk determinations to identify risk topics
  • Topics and questions are often scenario-based (similar to training questions, e.g. “Which of the following could create a COI or the appearance of a COI?”)
Some Considerations for Surveys
• Demographic Breakdown: Location/Country, Job Level, Job Function, Business Unit, Tenure
• If Internal Survey: Identify team, Identify resources
• Third Party Culture Data for Benchmark: ECI NBES
• Preparations for Survey: Early approval of questions, Platform selection, Beta testing, Provision for Translations, Paper surveys
• Survey Communication: Email templates, Reminder schedule
Survey Use by Peer Organizations
• Does Your Organization Conduct Culture Surveys? [ACC] [CEPE]
  • 51% Conduct Culture Surveys
  • Yes: 23%, Part of RA: 7%, No: 70%
Interviews
• Will the assessment team be conducting interviews?
• Language issues? Does team have direct facility to speak with foreign personnel?
• Should be a consistent “script” or plan tailored with data gathered from the document review or the surveys (e.g. knowledge survey on anti-corruption showed low scores in certain areas)
• Interview list should include the “usual suspects” (legal, C&E, audit, HR) but also operational personnel with interview subjects from each significant operating unit, location and function
  • Functional management should be included
  • Consider including rank and file (resource issue)
Interviews
• Phone or virtual? Both have benefits and minuses
• Possibly engage a third party just for interviews?
• Is the team going to use exhibits or documents? Slows process down, narrows focus
• Follow-up potential
• Who is present? Is it one-on-one or is manager or HR (or someone else) present?
Focus Groups
• Who will run the focus groups from the team?
• How structured will they be?
  • Q&A, open-ended, role-play, or mixture?
  • Formal vs. informal?
  • How long will the sessions be?
  • How many participants?
  • How many sessions?
  • Will rank and file be intermixed with management?
  • External facilitator?
  • Recorded?
• Topics for Focus Groups
  • Culture
  • Compliance risk topics (knowledge assessment)
Tools Used By Peers [CEPE]
• 62% Management Interviews
• 46% Employee Interviews
• 15% Employee Focus Groups
Analysis and Reporting
• Oral Report to Board (or Management)
  • The report will often be accompanied by data from the surveys and other previously generated data such as reporting statistics and training completion rates (so, no newly generated data or presentations)
  • The report will detail findings on the status of the program elements and controls in place based on the 7 hallmarks of the sentencing guidelines or some other scoring outline
  • The team will also report on benchmarking data gathered informally during the process for comparison
  • The report will not typically include recommendations
Analysis and Reporting
• Written Formal Reporting
  • After completing the document and data review, surveys and individual interviews, the team will often conduct an analysis of the results that will include benchmarking for certain aspects of the program
  • Once the analysis is complete, the team may offer an oral report that includes primary findings and recommendations
  • Once recommendations are discussed, the team will often then draft a written report that will include
    • Program findings based on the agreed methodology (e.g. the 7 hallmarks, best practices, or some other agreed criteria)
    • Recommendations for the program moving forward
    • Benchmarking data comparing various aspects of the program
Some Considerations for Reporting
• Reports should be effective and meet audience expectations
  • Does that mean a straightforward approach with a digestible executive summary?
  • Does that mean a detailed, data-driven exercise with methodology explained, use of charts, graphs and heat maps?
  • Is this meant for internal audiences only? Privilege to be invoked?
• Clear and direct writing with a pleasant and organized layout
  • Ask third parties for sample reports
• Use of recommendations
  • Are recommendations practical? Are recommendations well explained and executable?
Do Peer Organizations Write a Report [ACC]?
Yes: 76%, No: 24%
Next Steps
• The assessment team provides specific updates to the applicable operating units affected by the findings (HR, IT, Legal, etc.)
• The assessment team works with the exec management to determine the best cycle for repeating the process
• The assessment team puts together a written follow-up plan
  • Based on the recommendations in the report
  • Addressing each recommendation directly
  • Assigning responsibility for any follow-up plan
  • Establishing a timeline
Is a Written Plan Generated from the Assessment [ACC]?
Yes: 63%, No: 37%
Next Steps – Example of a Simple Action Plan
Recommendation | Response | Action Plan | Assignment | Date for Completion
Draft New Code | Code is 4 years old and needs only a refresh | Will edit and revise the Code | General Counsel | Q1 2016
Implement G&E pre-approval tool | Currently informal approval process in place | Determine best process and implement | CECO | Q2 2016
Implement integrated, multi-year communications and training curricula | Individual training stakeholders have their own plans and there is sufficient coordination | No action | N/A | N/A
Executive support for non-retaliation could be more visible | CEO Code letter updated and CEO filmed video that was sent to all hands | Already addressed | N/A | N/A
Basic Assessment Process
1. Establish: Scope, Team, Goals, Timeline
2. Collect data: Review documentation; Establish and complete surveys; Interviews and focus groups
3. Analysis: Additional data or interviews; Findings; Recommendations
4. Reporting: Actionable next steps
Throughout the project consider process improvement and repeatability
Questions?
Eric Morehead
www.moreheadconsulting.com
512-961-3890