Date post: 06-May-2020
Page 1: Sustaining an Effective Ethics and Compliance Program ... · Demonstrates that the company is conducting due diligence and devoting attention to its compliance program. 8B2.1(a)(1).


Sustaining an Effective Ethics and Compliance Program through Program and Risk Assessments

Thomas F. Kokalas, Bracewell, LLP

Michael W. Brooks, Bracewell, LLP

Stacy Mines, EY (Fraud Investigations and Dispute Services)

Introductions


Overview

I. Assessing the Compliance Program

II. Framing the Assessment – Standards and Elements

III. Conducting Program Assessments

IV. CFTC and FERC Risk Factors

V. Conclusion and Questions

Assessing the Compliance Program

Key Considerations

► Compliance programs are designed to ensure that company policies are being followed and that controls are in place to prevent and detect misconduct, identify problems and address policy concerns.

► Periodically assessing the effectiveness of the compliance program helps make certain that standards and expectations are being met.


Assessing the Compliance Program

Sentencing Guidelines Standards

► Demonstrates that the company is conducting due diligence and devoting attention to its compliance program. 8B2.1(a)(1).

► Promotes an organizational culture that encourages ethical conduct. 8B2.1(a)(2).

► Demonstrates that the company is committed to its compliance program. 8B2.1(b)(1-7).

Assessing the Compliance Program

Part of a “Best Practices” Approach to Compliance

► Pro-Active v. Re-Active.

► Helps shed light on issues that may have gone unnoticed or undetected.


Framing the Assessment

Identifying the Risk Factors Facing the Industry

► External Sources of Information

► Conduct a review of recent enforcement proceedings.

► Gauge what various regulators are focused on.

► Internal Sources of Information

► Pinpoint what Executives and General Counsel are concerned with.

► Speak with employees that may be faced with compliance risks

► Identify Gaps

► Ensure the right questions are being asked.

► Is the organization assessing the right information?

Framing the Assessment

Identifying the Risk Factors Facing the Industry

► Specific Issues

► Reliability concerns

► Gas and Gas Safety

► Commodities Trading (FERC and Dodd Frank)

► Renewables – Environmental Issues

► Cybersecurity


Companies need to answer six key questions

► What are our most significant ethics and compliance risks?

► Who is accountable for managing them?

► What are they doing?

► Is it working?

► How do we know?

► Do we have evidence (appropriate documents and records)?

Can you answer all six questions?

Where do you have challenges?

To meet federal sentencing guidelines definition of an effective program ...

► Definition: “Exercise due diligence to prevent and detect criminal conduct and promote an organizational culture that encourages ethical conduct and compliance with law.”

► Standards and procedures

► To prevent and detect violations

► Leadership

► Board of Directors oversees program

► Senior management “ensures” an effective program

► Specific high-level people have overall responsibility for program

► Person with “clout,” resources and Board access has operational responsibility for program

► Trustworthy leaders

► Diligence to screen out managers with history of non-compliant or unethical conduct

► Training and education

► For directors, officers, employees and appropriate agents

► Management processes

► Monitoring, auditing, and evaluating the program

► Confidential resource to report concerns or ask questions, preferably anonymous

► Incentives and discipline

► To enforce program

► Response and improvement

► Reasonable steps taken after misconduct is detected

► Risk assessment influences all other standards

► “The organization shall periodically assess the risk of criminal conduct and shall design, implement or modify each requirement set forth to reduce the risk of criminal conduct identified through this process”


and FERC Expectations

► Conducts compliance audits and investigations

► Created its own penalty guidelines, compliance program policy statement and statement on enforcement with Federal Sentencing Guidelines as a foundation

► Can refer matters to the Department of Justice for criminal prosecution

► Power to condition, suspend, or revoke market-based rate authority, certificate authority, or blanket certificate authority

► Ability to fine up to $1,000,000 per day per violation

► Total fines in excess of $450 million since 2007, with most ranging between $1–10 million

► Fines as high as $245 million related to submission of false information and market manipulation in trading activities

► Civil penalties can be entirely eliminated if both the following occur

► Violation was not serious

► Appropriate remediation steps were taken and an effective compliance program was in place

► Effective Preventive Measures: FERC Policy Statement on Compliance 2008

► “It is not enough to create a good compliance program on paper; the company must carry through to implement the program with effective accountability for compliance and periodic review and evaluation of the effectiveness of the program.”

► Commitment to Compliance: FERC Revised Enforcement Policy Statement 2008

► “The factors examined in determining the existence of a robust internal compliance program include determining how frequently the company reviews and modifies the compliance program.”

Drivers SEC/DOJ enforcement

► DOJ hired Compliance Counsel to assist in assessing the quality and effectiveness of companies’ corporate compliance programs

► “Window dressing” vs. quality, effective program (not “one-size-fits all;” scaled to size and risk)

► Guidance regarding the resolution of cases involving corporate wrongdoing focuses on the compliance program in place at the company

► Sentences can be reduced based on existence of a compliance program

► Compliance measured by self-policing, self-reporting, remediation, and cooperation

► An organization will never qualify for reduced sentencing when it unreasonably delays reporting the offense

► Includes “effective compliance and ethics program”

► Common sense approach to evaluating compliance programs

► Is the program well designed? Is it applied in good faith? Does it work? How has it been implemented?

► Focus goes beyond design of the program; looks at actual implementation across the organization

► Emphasis on whistleblower protection

► Sarbanes Oxley (2002)

► Protects whistleblowers from retaliation

► Dodd Frank (2010)

► Provides monetary awards for whistleblowers who voluntarily come forward with information

► Acknowledges importance of internal programs and provides that an employee may report issues to the internal program and the government and still qualify


The ultimate outcome of an effective compliance program is a reputation to underpin business success

► Assurance to shareholders and the Board that the Company complies with its legal obligations

► Attraction of the best customers, business partners and employees because the Company actively demonstrates high ethical standards supported by its values

► Communication of expectations and providing workable solutions for compliance by employees and third-parties acting on behalf of the Company

► Assurance to employees and third-parties that they can raise concerns in a safe environment

► Early resolution of issues because employees raise issues and the Company has an established protocol for addressing issues

Program lifecycle management

► Regularly re-assess Compliance and Integrity Risks to ensure appropriate coverage, considering changes in regulatory requirements, audit findings, actual cases (externally and internally)

► Regularly evaluate effectiveness of Integrity & Compliance framework. Timely close identified gaps and report on effectiveness to local management. Assess and improve Integrity & Compliance Framework to ensure effectiveness and increase acceptance and efficiency

► Review centrally defined Integrity & Compliance to identify need to change locally implemented compliance frameworks / adjust local frameworks to individual needs

► Update Integrity & Compliance framework to reflect changes of risks and regulation, within the organization, strategy, structure, operation or processes and IT landscape


Compliance risk assessment approaches and challenges vary by company

► What is your approach to compliance risk assessment?

► Have you identified your compliance risk universe and owners of those areas?

► What is the frequency of your risk assessment process?

► How do you engage key leaders in the process?

► What is the relationship to ERM, if applicable, regarding key outputs, ratings, and standards?

► How do you utilize the results?

► Do you report results or mitigation efforts to the Board?

Legal and regulatory requirements

Fraud and corruption (DOJ)

► Foreign Corrupt Practices Act (FCPA)

► Insider transactions

► Anti-money laundering

► Financial statement fraud

► Occupational fraud (intellectual property, trade secrets)

► Corruption

► Revenue and expense recognition

Government contracts (DOD, OMB)

► US Government contracts

► Other jurisdictions (state and country)

Information management

► Records retention

► Freedom of Information Act (FOIA)

► Data and record classification

► Information access

► Information availability and recovery

► Information management monitoring

► Information disposition

► Litigation discovery rules

► Data protection and privacy

Intellectual property (DOC)

► Copyright

► Trademark

► Trade secret

► Patent

International dealings/trade (FTC, DOC)

► Boycott

► Import

► Export

Workplace health/safety (OSHA)

► Security and Emergency Response (ESF)

► Employees

► Contractors

Product quality/liability

► Quality management system

Competitive practices (FTC, DOJ)

► Antitrust

► Customer, competitor, supplier relations

Corporate governance (SEC)

► Board structure and processes

► Audit committee structure and processes

► Ethics

Employment (EEOC, DOL)

► Executive compensation

► Compensation

► Benefits

► Hiring

► Employee info privacy

► Reductions in force

► Whistleblower protection

► Harassment prevention

► Accommodation (discrimination prevention)

► Workplace violence

► Global migration (immigration)

► Contingent workforce

► Labor

► Leave

► Employment torts

Environmental (EPA)

► NEPA

► Air quality

► Water quality

► Management systems and reporting

► Hazardous material management

► Laboratory practices

► Permit management

Financial

► SOX

► Tax

► Treasury

Business requirements

Aside from mandatory requirements, organizations make choices regarding their brand, their values and the commitments they make to customers, business partners, employees and other stakeholders. Although voluntary, consequences for non-compliance could be more serious than non-compliance with mandatory requirements.

Internally focused requirements

► Mission

► Values

► Code of Conduct

► Policies and procedures

► Quality management certifications (ISO, Six Sigma)

► Crisis preparedness

Externally focused requirements

► Corporate social responsibility

► Sustainability

► Public commitments

► Contractual obligations

► Vendor management

► Exchange listings

Voluntary standards

► US Federal Sentencing Guidelines

► Industry codes

► Trade associations

Emerging issues

*Illustrative US example

Compliance Risk Universe*

*Illustrative example for utilities – not company specific

NRC

► Nuclear operations and decommissioning

► New construction

State PUCs

► Base rate and other cost-recovery cases

► Inspection rules

► Regulatory proceedings and investigations

► Reporting requirements

► Retail choice rules

► Privacy rules

FERC

► Market manipulation

► Market behavior rules

► Affiliate restrictions

► Standards of conduct

► Wholesale market price reporting

► Compliance effectiveness

Commercial operations

► Participation in ISO and RTO markets

► Billing and payment, settlement

► Creditworthiness

► Capacity and supply obligations

NERC

► Critical infrastructure protection standards

► Reliability standards

CFTC

► Futures/derivatives/options trading

► Trading standards

Political activities

► Lobbying guidelines

► PAC contributions

► Employee’s activities

► Time and expense reporting of meetings


Compliance risk areas

► E&C maintains a listing of the Company’s compliance risk areas

► Sample areas include:

Environmental; Health and Safety; NERC; FERC; Financial / SOX; Nuclear; Labor and Employment; International (non-US); Department of Transportation; Federal Contracting; Dodd-Frank; Cybersecurity; Supply Chain; FCPA; Antitrust; Data Privacy; Intellectual Property; Records and Information Management; State Regulatory; Customer/Competition; Political Activity and Lobbying

Compliance risk assessment leading practices

► Repeatable process with increased interaction with areas previously deemed high risk

► Survey all areas annually

► Higher risk areas – periodic facilitated sessions

► Sharing of lessons learned and emerging issues with compliance areas to make the process meaningful

► Integration with ERM, if applicable, regarding key outputs, ratings, and standards

► Compliance Program periodic reports to the Board include updates on highest risk compliance areas and key controls or improvement activities

► Periodic independent compliance risk assessments with facilitated sessions


Risk dashboard (Illustrative - For Discussion Purposes)

Columns: Compliance risk area; Principal risks; Risk level; Response/initiative; Trend v. Prior qtr; Risk detail; Status; Mitigation

► Cyber security (High): Cyber security Risk 1; Cyber security Risk 2; Cyber security Risk 3

► Privacy (Medium): Privacy Risk 1; Privacy Risk 2; Privacy Risk 3

► FERC (Medium): FERC Risk 1; FERC Risk 2; FERC Risk 3

► Environmental (Low): Environmental Risk 1; Environmental Risk 2; Environmental Risk 3

► State Regulatory (Low): State Regulatory Risk 1; State Regulatory Risk 2; State Regulatory Risk 3

Note on the dashboard: This will be populated as future assessments are conducted

Challenges to providing reasonable assurance of compliance for diverse areas

► Now you know your risks, how should they be managed? What program elements are missing or need to be enhanced?

► What is your approach to understanding what practices are in place for core compliance risk areas?

► Are there common elements you expect to see in all compliance programs?

► What is your role in terms of providing assurance?

► How do you roll up compliance information to the Board?

► Are there tools and approaches that can be shared across compliance risk areas?


Compliance framework

Core program standards with design and implementation remaining with each risk area

► Development of a compliance management framework with specific program standards

► Sets accountability for cross-cutting elements such as compliance risk assessment and Helpline process (response and remediation)

► Identifies those accountable for compliance programs in key risk areas

► Establishes universal standards with accountabilities and process steps

► Utilizes a maturity model to facilitate continuous improvement

► Allows for assessment of progress against core program elements at the compliance risk level – not just at enterprise level

► Provides tools for management reporting and oversight

► Establishing core standards, measuring compliance management practices against those standards and development of improvement plans to address gaps does not require a one size fits all approach to compliance

► Program controls should be tailored to the risk of the particular compliance area

Compliance & Integrity

Mission and values; Strategy; Tone at the top; Culture

Comprehensive framework

People

Process

Data

Systems

Effective and aligned compliance activities

PREVENT

Requirement management and implementing processes

Board oversight / management responsibility

Integrity & Compliance organization

Strategy and support functions

Engaged and accountable employees

Operations and business units

Internal and external communication / program reporting

Program evaluation and compliance sustainability

Corporate governance

Integrated risk and compliance functions

Operational excellence

Code of conduct

Policies, procedures, processes and controls

Incentives

Education and advice

DETECT RESPOND

Compliance risk assessment and monitoring

Speaking up and confidential reporting

Third-party diligence

Monitoring, reviews and auditing

Data analytics

Incident and case management

Investigation

Corrective action

Remediation


Compliance framework

► The framework and the core standards serve as a basis for evaluating compliance practices across the Company

► Partnership: Each business unit and functional compliance area, in partnership with the Compliance Office, assesses its compliance practices against the compliance management standards. Areas with higher compliance risk – as evaluated through the risk assessment process – would be expected to have more controls or oversight than lower risk areas.

► Assurance: If the business units and functional compliance areas meet the compliance management standards, then the company has assurance that core compliance management practices are in place.

► Alignment: Gaps between current practices and the core standards are identified through comparing current practices to the standards (assessment). Improvement plans, prioritized based on risk, are developed to address gaps.

► Best practices: Also identified through the assessment process and shared across business units and functional compliance areas.

Compliance Program Assessment

Outline of an approach

► Identify whether you will conduct an overarching program assessment or assess a specific risk area against key program expectations

► Determine if the assessment will be conducted by company personnel or outside provider

► Level of risk

► Reason for the assessment (proactive versus response to particular concern)

► Privilege consideration

► Level of expertise needed or desired

► Identify key stakeholders for interviews and/or facilitated sessions

► Review key documents

► Review any relevant investigation/Hotline trends and themes

► Tie findings to framework and expected elements

► Identify strengths and gaps

► Engage risk owner regarding mitigation/improvements

► Track completion of any agreed upon improvements/remediation


Assessment process

► Framework elements serve as a checklist of compliance practices/ standards (based on Federal Sentencing Guidelines and other relevant guidance)

► Accountability: E&C, in partnership with leaders of compliance risk areas, conducts assessments and compares existing program elements to expected standards. Where there are gaps, risk mitigation plans are drafted by the business units and functional compliance areas. These should be tailored to the relative risk.

► Support: Improvement or risk mitigation plans are shared with the Compliance Office as part of on-going dialogue and partnership. In addition, the Compliance Office can facilitate sharing of best practices across the organization to eliminate redundancy.

► Monitoring: Program elements, once reported as in place, can be part of audit plans for future audit cycles. This provides some independent view of the self-assessment.

► Board level focus: Assessment results for high-risk areas can be shared with the Board as part of the overall program update reporting.

Requirement management


E&C:

► Identifies, in consultation with the Business Unit Heads and Law Department, a list of Compliance Areas (a Compliance Area may be company-wide or unique to a Business Unit or Support Function)

► Maintains a list of Compliance Area Leads

Compliance area leads:

► Assign and document the process and accountability for identifying and documenting laws, regulations and other compliance requirements and for tracking new and changed requirements for the Compliance Area

► Assign and document the process and accountability for interpreting laws, regulations, orders and other compliance requirements

► Ensure that there is a current catalog of compliance requirements that is reviewed periodically for completeness, including applicable external reporting requirements

► Ensure timely, accurate and complete reporting of information to regulators, with adequate coordination and review across the company or impacted areas, for each compliance requirement in the catalog

► Notify E&C upon discovery of new or changed compliance requirements that should be communicated to other Compliance Area Leads for their review

► Provide effective communication about changes in compliance obligations for managers and employees with compliance responsibilities

► What is the process and accountability for identifying and documenting new or changed laws, regulations and compliance requirements? Are you assigned to track specific requirements?

► What are the applicable external reporting requirements for reporting of information to regulators for your compliance requirements?

► What is the process for communicating new or changed compliance requirements to others (e.g., Functional Areas, Compliance Areas, work groups) that may be affected and ensuring relevant interpretations are consistent across Compliance Areas?

► What tools or software are used to track, manage and monitor your requirements?

Prevention


Assurance, monitoring & auditing


E&C:

► Ensures that investigation protocols and jurisdiction statements for identification of investigation resources are maintained and updated

► Develops templates and tools for Compliance Area Leads to use in self-assessments and reports under the Compliance Program Framework and Standards

► Identifies key compliance Program metrics for on-going reporting

Compliance area leads:

► Establish and monitor key indicators of compliance to core policies and procedures developed in their Compliance Areas

► Provide regular reports, metrics and assessments of their Compliance Area to E&C and to Functional Area Leads to enable them to monitor and assess compliance performance

► Provide certifications, as requested, to E&C

► What types of monitoring activities are performed to gauge the execution of compliance policies? How often?

► How do you review compliance with core policies and procedures developed in your area?

► Are periodic audits of compliance performed?

► Do you maintain a list of compliance certifications?

► What is the process for reporting certifications in a timely manner?

Detection

Escalation/notification


E&C:

► Creates guidelines regarding escalation and communication of compliance issues across the Company

Compliance area leads:

► Develop Escalation Guidelines for their Compliance Area which indicate when issues should be communicated to E&C and senior management

► Escalate compliance issues to E&C based on the Escalation Guidelines maintained by E&C

► Do you have established guidelines for defining and reporting significant compliance issues?

► How do you analyze and review minor compliance issues to identify potentially significant overall trends?

► Do you have clear guidelines in place to determine when issues need to be reported to E&C?

Response


Compliance program - Communication

► To assess leadership and “tone-at-the-top”, program assessments consider communication from Management.

► Program assessments should also consider how the communication is perceived by employees within the company

► Example: “I regularly trust the information provided to me by:”

[Chart: survey responses for each source of information (Chief Executive Officer; Other corporate officers and executives; Local managers; My supervisor; My peers), on the scale Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Don't Know]

Do training survey results demonstrate strength or weakness

► Program assessments include a review of training materials and the process of updating for new policies or regulations.

► However, are there elements of a training program that require additional focus or attention?

► Is adequate training provided across all departments?

► Example: In the past two years, I have received sufficient and useful training that covers and includes…

[Two charts: survey responses for each training topic (Company's Code of Conduct; Policies that apply to my job; Values; Conducting business in an ethical manner; Raising and reporting issues), on the scale Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree, Don't Know]


Reporting to senior leadership and the Board

► The key deliverables from compliance program improvement plans can be reported to senior leadership and the Board

► Primarily about the existence of compliance management programs that meet required/desired standards

► Provided in addition to standard reporting on other overall program elements

► Provides a framework for engaging leadership around solutions and resource requirements that may cut across compliance areas

► Mitigation/improvement plans for highest risk compliance areas may feed into Board reporting

► As the compliance program matures, metrics can be added regarding program performance and effectiveness

► Compliance issues identified by third parties versus self-identified through audit, investigation, control review

► Control improvements stemming from internal review

► Decrease in external charges/complaints

► Trends re findings of external audits/reviews (fewer findings)

Compliance dashboard (Illustrative - For Discussion Purposes)

Columns: Compliance risk area; Principal risks; Risk level; Response/initiative; Trend v. Prior qtr; Risk detail; Status; Mitigation

► FERC (High)

► FCPA/ABAC (Medium)

► Data Privacy/Security (Low)

► Data Privacy (High)

Program elements listed for each compliance risk area: Requirements management (intake); Risk assessment; Monitoring & auditing; Response/issues management; Evidence management; Communication & training; Written standards

Note on the dashboard: This will be populated as future assessments are conducted


Sample compliance area reporting tool

Auditing & Reports (Total Gas & Power)

► “[M]anagement was aware of … high market share”

► Daily/monthly market share reports

► Compliance email recommending use of reports

► Middle/back office inquiries about reasons for trading when more than 40% of overall volumes traded

► Written exercise where trader explains motivation

► Compliance report: “contemplate ramping down its fixed price and physical basis trading in the markets in which it has a large share”

► No traders questioned or disciplined

► CFTC Settlement:

► Civil penalty: $3,600,000

► Trading limitations, document preservation, and reporting

► FERC Notice of Alleged Violations (pending)


Importance of Change (Kraft Foods)

► Historically procured its supply primarily in the local (Toledo, Ohio) cash market, using wheat futures to hedge its cash purchases

► In late 2011, the cash market was trading at a premium to the futures market and Kraft estimated that it could save more than $7 million by sourcing wheat via December 2011 futures rather than the cash market

► Kraft anticipated move would cause December futures prices to rise and cash prices to fall; constructed futures position to benefit then redelivered futures and purchased from cash market

Importance of Change (BP Americas)

► “[BP traders had] not adequately explained the changes in their trading”

► ∆s in Products To Price Setting Mechanism

► ∆s in Timing of Trades

► ∆s in Bid/Offer Behavior

► ∆s in Volume

► ∆s in Positions

► ∆s in Transportation Usage

► ∆s in Profit & Loss (P&L)

► Vetting new strategies prior to execution and recognizing changes in trading patterns as triggers for compliance reviews can help mitigate risk


The Human Factor (Direct Energy)

► Self-reported “atypical trading”

► Discovered almost immediately two different ways:

► Trader notified supervisor and then Compliance Officer after training

► Back office flagged unusually large volume of transaction confirmations

► Settlement:

► Civil penalty: $20,000

► Disgorgement of unjust profits: $31,935

► Compliance commitment and monitoring

► Credited with effective compliance program and cooperation

CFTC/FERC Risks

► Manipulation

► Cross-Market Manipulation

► “Gaming”

► Disruptive Trading

► Spoofing

► Reckless disregard for orderly trading

► Violating bids/offers

► Futures Exchange Violations (ICE/NYMEX)

► Position Limits

► Prearranged Trades

► Block trades

► Exchange for Related Positions (EFRPs)

Do we have related positions? Do we trade price-setting products? What share of the market are we? Where do our profits come from?

Training only? Monitoring?

Training? Affiliates? Controls?


CFTC/FERC Risks (cont’d)

► Capacity Release Rules (yes, they still exist)

► Shipper-must-have-title policy and buy-sell prohibition

► Tying and bidding exceptions

► Authorizations & Periodic Filings

► Market-based rate authority (for all products and markets)

► Quarterly, annual, and event-triggered filings

► Dodd-Frank Requirements

► Reporting and recordkeeping

► Non-swap dealer status

► ISO/RTO Tariff Violations

► Loop flow

► Sham schedules

On the Radar at FERC

► Connected Entity Reporting (Notice of Proposed Rulemaking)

► Report to ISO/RTO

► Affiliates (defined broadly)

► Employees

► Debt holder/issuer with share of profitability

► Parties to tolling agreements, energy management agreements, asset management agreements, and fuel management agreements

► Obligation to update within 15 days of any material change

► Technical Conference held December 21, 2015

► Comments filed January 22, 2016

