
What should your compliance function look like?

Date post: 06-Aug-2020
Dominic F. Perella

Sean Coutain

October 2017

From Start-Up to IPO

How to Design and Build a Compliance Program From Scratch

What should your compliance function look like?

Start With the Legal Frameworks

• There are Legal Frameworks that Should Guide Your Way

• Most Important Touchstone: The U.S. Sentencing Guidelines

• Later On: SOX, COSO, and Stock Exchange Rules

U.S. Sentencing Guidelines

• The United States Sentencing Guidelines (USSG) are relevant because organizations are “persons” under U.S. federal criminal law and may be prosecuted for criminal conduct.

• The USSG has a whole section on effective compliance programs.

• That’s because an organization’s commitment to stopping criminal conduct, as evidenced by the effectiveness of its compliance and ethics program, is the primary mitigating factor that may result in a reduced sentence.

U.S. Sentencing Guidelines cont.

The USSG defines effective programs as follows:

• DUE DILIGENCE: Exercise due diligence to prevent and detect criminal conduct.

• ETHICAL CULTURE: Promote a culture that encourages ethical conduct and a commitment to compliance with the law.

• POLICIES & CONTROLS: Establish standards & procedures to prevent & detect criminal conduct.

• BOARD OVERSIGHT: Board must be knowledgeable about the content and operation of the compliance and ethics program and must exercise reasonable oversight.

• ACCOUNTABLE SENIOR MANAGEMENT: High-level personnel must ensure that the organization has an effective compliance and ethics program.

  − Make high-level personnel responsible.

  − Appoint specific people to run the program’s operations and give them adequate resources, appropriate authority, and direct access to the governing authority.

  − Have them report periodically on the program’s effectiveness.

U.S. Sentencing Guidelines cont.

• TRAINING: Communicate compliance standards through effective training programs, appropriate to individuals' respective roles and responsibilities.

• EVALUATION & RISK ASSESSMENT: Take reasonable steps to:

  − Periodically evaluate the effectiveness of the program.

  − Ensure that the program is followed, including auditing to detect criminal conduct.

  − Periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify each program requirement to reduce that risk.

• WHISTLE-BLOWING: Maintain a system for employees and agents to report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

• ENFORCEMENT: Consistently promote and enforce the compliance program. Include appropriate incentives for taking reasonable steps to prevent or detect criminal conduct, and appropriate disciplinary measures for failing to take such steps.

• REMEDIATION: If criminal conduct occurs, take reasonable steps to respond and to prevent it in the future, including any necessary modifications to the program.

Sarbanes-Oxley & COSO

Next step after you’ve nailed the USSG: Test yourself against Sarbanes-Oxley (SOX) and the Committee of Sponsoring Organizations (COSO) framework.

SOX § 406: A public company’s code of conduct must call for:

• Standards as are reasonably necessary to promote honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;

• Immediate disclosure of any change in or waiver of the code of ethics for senior financial officers;

• Full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer;

• Compliance with applicable governmental rules and regulations.

Sarbanes-Oxley & COSO cont.

• SOX § 404 requires management to establish and maintain adequate internal controls over financial reporting and to publicly disclose the framework used to assess the effectiveness of controls.

• The COSO framework is the current “gold standard”; most U.S. public companies use it to satisfy SOX § 404. It lists seventeen principles for an effective control environment.

• Principle one is “Demonstrate Commitment to Integrity and Ethical Values.”

Sarbanes-Oxley & COSO cont.

COSO Principles of Effective Internal Controls

Control Environment

1. Demonstrate commitment to integrity and ethical values

2. Ensure that board exercises oversight responsibility

3. Establish structures, reporting lines, authorities, and responsibilities

4. Demonstrate commitment to a competent workforce

5. Hold people accountable

Risk Assessment

6. Specify appropriate objectives

7. Identify and analyze risks

8. Evaluate fraud risks

9. Identify and analyze changes that could significantly affect internal controls

Control Activities

10. Select and develop control activities that mitigate risks

11. Select and develop technology controls

12. Deploy control activities through policies and procedures

Information and Communication

13. Use relevant, quality information to support the internal control function

14. Communicate internal control information internally

15. Communicate internal control information externally

Monitoring

16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)

17. Communicate internal control deficiencies

Stock Exchange Codes of Conduct

• Planning to go public? You’ll need to meet specific compliance rules for that too.

• Each stock exchange promulgates its own rules.

• Check these rules well in advance of the IPO. Leave yourself enough time to come up to code as needed.

Stock Exchange Codes of Conduct cont.

NASDAQ

NASDAQ Rule 5610 requires listed companies to meet these requirements:

• Must adopt a code of conduct applicable to all directors, officers, and employees.

• Code of conduct must be publicly available.

• Code must provide for an enforcement mechanism.

• Waivers for directors or executive officers must be approved by the Board. Waivers must be disclosed within 4 business days on a Form 8-K.

• Code of conduct must comply with SOX Section 406.

Stock Exchange Codes of Conduct cont.

New York Stock Exchange (NYSE)

NYSE Rule 303A.10 requires the following:

• Adopt and disclose a Code of Business Conduct and Ethics for directors, officers, and employees.

• Promptly disclose any waivers of the code for directors or executive officers.

• Such waivers may be made only by the board or a board committee.

• Each code must contain compliance standards and procedures that will facilitate the code’s effective operation. The standards should ensure prompt and consistent action against code violations.

Stock Exchange Codes of Conduct cont.

NYSE cont.

NYSE Rule 303A.10 also requires that each code must address:

• Conflicts of interest. Must have a mechanism to identify conflicts and ban them as warranted.

• Corporate opportunities. Must prohibit personnel from taking opportunities that belong to the company.

• Confidentiality. Must emphasize confidentiality of corporate and customer information.

• Fair dealing. Must require fair dealing with third parties and ban manipulation, misrepresentation, and other unfair practices.

• Protection of assets. Must ban theft and misuse of company assets.

• Compliance with laws. Must promote compliance with laws, rules, and regulations, including insider trading laws.

• Reporting. Must encourage the reporting of illegal or unethical behavior, offer mechanisms for reporting, and make clear that the company will not allow retaliation for reports made in good faith.

What Next?

So now you’ve got a Code of Conduct. What do you do next?

Risk Assessment:

• Risks vary widely by industry. Work with an outside advisor to design a process tailored to your company and industry.

• Use results of risk assessment to inform what you build.

• Add additional policies, training, due diligence, and management oversight, targeted at your risks.

Common Risks

Compliance programs typically guard against four common categories of risk: corruption, conflicts of interest, fraud, and regulatory violations. But you need to understand which risks to emphasize given your particular business. Things to think about:

• Will you be operating in countries with a high risk of corruption?

• Will you be selling high-tech hardware that’s likely to be regulated by export control regulations?

• Will you be using agents, such as sales agents, that are more difficult for you to control directly?

• Will you be in a highly regulated industry?

Targeting Your Risks

Your risk assessment will guide you on what to build.

• Example: Operating in countries with a high risk of corruption? Add especially robust anti-corruption training and controls around gifts and other expenses.

• Example: Selling high-tech hardware that’s likely to be regulated by export control regulations? Add controls to make sure you always have a full, real-time understanding of your company’s new research or products. That way, you can analyze their export implications or hire a consultant to do so.

Snap’s initial assessment focused on three risks:

• Corruption

• Trade Restrictions

• Conflicts of Interest

Risk 1: Corruption

The Foreign Corrupt Practices Act (“FCPA”) became law in 1977 but few cases were prosecuted. In 1997, the U.S. signed an international convention combating bribery of public officials, and then amended the FCPA to add worldwide jurisdiction. Post-amendment, prosecutions skyrocketed.

Risk 1: Corruption cont.

FCPA criminalizes the giving of:

• anything of value,

• directly or indirectly,

• to a government official

for the purpose of:

• influencing, inducing or otherwise affecting an official act, decision, or omission of an act or decision,

• securing an improper advantage, or

• assisting in obtaining or retaining business for any person or entity.

Risk 1: Corruption cont.

Global Proliferation

• Other countries have since added their own anti-corruption laws.

• For example, the UK Bribery Act, Brazil’s Clean Company Act, and France’s Loi Sapin II are substantially similar to the FCPA and have global reach.

• Some of these laws also forbid commercial bribery – bribery of a private party, as opposed to a government official.

• Some states (e.g. California) also have commercial bribery laws.

Risk 2: Trade Restrictions

• Trade embargoes and sanctions prohibit or severely restrict business activities with certain countries and their nationals, as well as business activities with specific entities and persons (e.g. those who support terrorism).

• Export control regulations impose restrictions on the transfer of certain articles and technology to foreign destinations or persons.

• Anti-boycott regulations prohibit U.S. companies and their foreign subsidiaries from participating in unsanctioned boycotts against countries friendly to the United States. Some other countries and jurisdictions also maintain laws that prohibit compliance with unsanctioned foreign boycotts or embargoes.

Risk 3: Conflicts of Interest

• Kickbacks: Supplier “kicks back” a percentage of its earnings to an employee in exchange for rigging a bid or channeling extra business to the supplier.

• Outside Activities: Employment by or ownership stake in a customer, supplier, competitor, or potentially competitive business.

• Hiring: Selecting less-qualified candidates based on familial relationship or for personal benefit.

So What Do You Build, Exactly?

First: Build Other Policies

Recommended policies:

1) Anti-corruption Policy & Due Diligence Protocol

2) Gifts & Entertainment

3) Travel & Expenses

4) Trade Compliance Policy

5) Related Party Transactions Policy

6) Insider Trading Policy

7) Non-retaliation Policy

8) Anti-fraud Policy (the 2013 revisions to the COSO framework recommend establishing “fraud risk governance policies”)

Second: Build Training Programs

Employee training should cover the key points of all policies.

• Code of Conduct training must be Company-wide and in-depth.

• All other trainings can be targeted:

  − E.g., in-depth anti-corruption training for customer- or supplier-facing personnel.

  − E.g., in-person training on boycotts for personnel in high-risk countries.

Third: Build Company-wide Messaging

• Periodic messaging

  − Deliver compliance messaging on a fixed cadence.

  − Quarterly campaign featuring new theme or subject matter

  − Annual Ethics Week

• Tone from the top

  − Messaging from management impacts employee behavior more effectively than messaging from the compliance function.

• Hold management accountable

  − Managers are incentivized to participate in compliance messaging when held accountable for:

    • Training completion rates

    • Employee certification rates

    • Policy violation rates

Fourth: Build Spending Controls

Gift & entertainment expense limits are meaningless without spending controls. Your expense monitoring system should have the following features:

• Pre-approval workflow for policy exceptions

• Vendor code analytics (e.g., expense type is “meal” but credit card vendor code is “clothing retailer”)

• Tracking of gift recipients and event attendees

• Automated flagging of expense limit violations by:

  − expense type

  − employee rank

  − location

  − headcount
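As an added illustration (not from the slides or from Snap's own tooling), the four features above expressed as a small rule set run over constructed expense lines; the limit table, vendor codes and the high-risk location "XX" are placeholders, not a real policy:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy table (not from the slides): per-person cap in USD,
# keyed by (expense type, employee rank).
PER_HEAD_LIMITS: Dict[tuple, float] = {
    ("meal", "staff"): 75.0,
    ("meal", "director"): 150.0,
    ("gift", "staff"): 50.0,
    ("gift", "director"): 100.0,
}
# Constructed: locations the risk assessment rated high-risk get half the cap.
HIGH_RISK_LOCATIONS = {"XX"}
HIGH_RISK_FACTOR = 0.5
# Constructed: card vendor (merchant) codes consistent with each expense type.
EXPECTED_VENDOR_CODES = {
    "meal": {"restaurant", "catering"},
    "gift": {"gift_shop", "florist"},
}


@dataclass
class Expense:
    expense_id: str
    employee: str
    rank: str
    location: str          # country code
    expense_type: str
    vendor_code: str       # merchant category reported by the card network
    amount: float          # USD
    attendees: List[str] = field(default_factory=list)  # gift recipients / event attendees
    pre_approval_id: Optional[str] = None               # set when the exception workflow approved it


def per_head_limit(exp: Expense) -> Optional[float]:
    """Cap per attendee for this expense, adjusted for location; None if no rule exists."""
    base = PER_HEAD_LIMITS.get((exp.expense_type, exp.rank))
    if base is None:
        return None
    if exp.location in HIGH_RISK_LOCATIONS:
        base *= HIGH_RISK_FACTOR
    return base


def check_expense(exp: Expense) -> List[str]:
    """Return the control flags raised by one expense line (empty list if clean)."""
    flags: List[str] = []

    # Vendor code analytics: expense type says "meal" but the merchant is a clothing retailer.
    expected = EXPECTED_VENDOR_CODES.get(exp.expense_type)
    if expected is not None and exp.vendor_code not in expected:
        flags.append("VENDOR_CODE_MISMATCH")

    # Recipient / attendee tracking: with nobody recorded the line cannot be tested per head.
    headcount = len(exp.attendees)
    if headcount == 0:
        flags.append("MISSING_ATTENDEES")
        headcount = 1  # test the whole amount against a single-person cap

    # Limit test by expense type, rank, location and headcount.
    limit = per_head_limit(exp)
    if limit is None:
        flags.append("UNKNOWN_LIMIT")
    elif exp.amount / headcount > limit:
        # Over the cap: acceptable only if the pre-approval workflow cleared it beforehand.
        flags.append("PRE_APPROVED_EXCEPTION" if exp.pre_approval_id else "OVER_LIMIT")
    return flags


def check_batch(expenses: List[Expense]) -> Dict[str, List[str]]:
    """Run the rules over a batch and return only the expenses that raised a flag."""
    results = {e.expense_id: check_expense(e) for e in expenses}
    return {eid: f for eid, f in results.items() if f}


# Constructed sample expense lines.
SAMPLE_EXPENSES = [
    Expense("E1", "alice", "staff", "US", "meal", "restaurant", 200.0, ["alice", "bob", "carol", "dan"]),
    Expense("E2", "bob", "staff", "US", "meal", "clothing_retailer", 60.0, ["bob"]),
    Expense("E3", "carol", "director", "XX", "gift", "gift_shop", 180.0, ["official_1", "official_2"]),
    Expense("E4", "carol", "director", "XX", "gift", "gift_shop", 180.0, ["official_1", "official_2"], "PA-17"),
    Expense("E5", "dan", "staff", "US", "meal", "restaurant", 120.0),
]

if __name__ == "__main__":
    for eid, flags in check_batch(SAMPLE_EXPENSES).items():
        print(eid, ", ".join(flags))
```

E1 passes cleanly, E2 is caught only by the vendor code check, E3 and E4 are the same over-limit gift with and without a pre-approval record, and E5 shows why attendee tracking feeds the per-head test.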

Fifth: Build Counterparty Due Diligence

Set clearly-defined criteria for determining the scope and level of due diligence to conduct on each counterparty.

• Risk-based approach: Level of scrutiny should be based on:

  − Entity type (e.g., customer, supplier, agent)

  − Location (country’s corruption perceptions index score)

  − Industry

  − State ownership

• Automate your systems

  − Connect customer and vendor onboarding systems to your due diligence provider via API.

  − Include questions about entity type, location, industry and state ownership in your customer and supplier onboarding portals.

Sixth: Build Enforcement

• You’ll need procedures that tell you what to do when an employee goes awry.

• Example: Employee exceeds spending limits without clearance. You should have procedures setting forth who will investigate, who will decide on discipline, and what the discipline may include for particular violations.

Seventh: Build Conflicts Disclosures

• You’ll need a simple way for employees to tell you about their potential conflicts (outside business interests, relationships, etc). Many software tools are available for this.

• Employees should be asked upon hiring and periodically afterwards.

• You’ll also need a procedure to decide which conflicts will be allowed and which have to be solved (e.g. by ending an outside project or changing a managerial reporting structure).

Eighth: Build Reporting

The compliance function should report at least quarterly to either the full board or, more commonly, the Audit Committee.

• Track compliance metrics for presentation to the Committee.

  − Investigation cycle times

  − Number, type and location of cases

  − Percentage of substantiated allegations

  − Emerging trends

• Work cross-functionally to ensure the audit committee has a complete view of issues across the company. Each function should submit data on policy violations, audit findings, employee misconduct, etc.

• Interpret changes in data over time.

How do you get executive oversight?

First: Executive Buy-In

The DOJ and SEC’s “Resource Guide to the FCPA” states:

• “Compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. . . . DOJ and SEC consider the commitment of corporate leaders to a ‘culture of compliance’ and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees.”

• “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the . . . program to one or more specific senior executives.”

Second: Compliance Committee

• Compliance Committees are well established as a preferred method to help implement the DOJ’s executive buy-in requirements discussed above.

• The Committee’s existence reduces risk. It also could mitigate penalties in the event the company ever had a compliance issue and faced government investigation.

Compliance Committee cont.

• Compliance Committees are considered a Best Practice by virtually all experts in the field.

• According to a CEB survey, the majority of public companies (79%) have a Compliance Committee.

• The 21% who do not use this approach tend to be small companies without international operations.

[Chart: Existence of Compliance Committee at Public Companies. Yes = 79%, No = 21%]

What Does The Committee Do?

1. Oversees a formal risk assessment process that covers areas addressed by the Code (FCPA, trade, conflicts, etc.)

2. Benchmarks compliance function against peer companies and evaluates its effectiveness

3. Identifies and addresses gaps in policy, training, oversight, and enforcement

4. Determines the scope and ownership of compliance-related work

  a. Vets and approves new company policies to avoid functional overlap.

  b. Determines which functions will oversee which policies.

  c. Determines best approaches for training and enforcement.

  d. Evaluates which internal controls are needed.

  e. Establishes internal investigation protocols.

  f. Ensures that adequate resources are in place to achieve goals.

5. Tracks compliance metrics for presentation to the Board or Audit Committee

Who Should Serve on the Committee

The typical Committee is chaired by the Chief Compliance Officer and includes Legal, Finance, HR, and Audit executives. But a CEB survey revealed important trends:

• The requirement of “management oversight” of compliance has led to increased participation by CEOs and senior business unit executives.

• The increasing importance of technology in risk mitigation has drawn more IT executives onto compliance committees.

Benchmarking

The DOJ & SEC’s FCPA guidance states: “When it comes to compliance, there is no one-size-fits-all program… Indeed, small and medium-size enterprises likely will have different compliance programs from large multi-national corporations, a fact DOJ and SEC take into account when evaluating companies’ compliance programs.”

Benchmarking against other compliance programs is necessary to ensure your program is comparable to others within your industry and at your level of maturity. The following organizations provide benchmarking resources:

• Society for Corporate Compliance and Ethics (SCCE)

• Corporate Executive Board (CEB)

• Ethics & Compliance Initiative (ECI)

• Bay Area Ethics & Compliance Association (BECA)

• High Tech Compliance Group (HTCG)

• Ethisphere

Demo of some Snap compliance tools

CONFLICT OF INTEREST DISCLOSURE DEMO

GIFT & ENTERTAINMENT PRE-APPROVAL DEMO

Pre-Approval Form – Concur Expense Management Tool

Customer Onboarding Demo

New Customer Screening Form - Salesforce.com

GIFT DISCLOSURE DEMO

Gift Disclosure Form - Navex

THE END

