Posted on 19-Jun-2020
COMPLIANCE RISK ASSESSMENT STRATEGIES
Carla Weiler, Starbucks
Monica Reinmiller, Sutherland Global Services
AGENDA
• Focus: strategic discussion on how to approach the SCOPE and EXECUTION of your compliance risk assessments
• Start with the end game in mind:
  • What do you want/need to accomplish?
  • We are all on a journey; are you just starting?
SCOPE
RISK ASSESSMENT PROCESS
1. Identify Risk
   • Legal/Regulatory landscape
   • Market analysis
   • Risk catalog
2. Gather Information
   • Internal/external
   • In-person interviews
   • Self surveys
3. Assess
   • Risk ownership
   • Existing controls
   • Qualitative / Quantitative
4. Prioritize
   • Available resources
   • Align with strategic goals
5. Mitigate
   • Develop and document
   • KPIs
6. Monitor
   • Ongoing review
   • Emerging risk
   • Mitigation plan updates
7. Report
   • Quarterly risk reporting to oversight body
APPROACH BASED ON MATURITY
Reactive: informal; ad hoc; zero to limited resources
Developing: high level; ad hoc or annual; limited to some resources
Leading Practice: detailed reporting; consistent frequency; staffed or funded

Leading Practice Criteria or Factors
• Budget
• Organization-wide events (ex. Annual ERM Assessment)
• Leverage continuous monitoring
• Maintain consistent housekeeping: report format, repository, tracking
IDENTIFYING RISK: DEFINING YOUR UNIVERSE
Legal / Regulatory Requirements
Industry Specific
• Gas/Electric
• Health Care
• Higher Education
• Industrial
• Manufacturing
• Retail
• Technology
• Transportation
Geography/Entity Status
• Domestic
• International
• Public or Private
• Joint Ventures
Antitrust/Fair Competition
California
• Conduct business in CA?
Consumer Protection/Product Safety
Corporate Governance/Securities
• Listing requirements
• Board matters
• Ethics / Whistleblower Protection
• Insider Trading/Reg FD
Employment
• Compensation
• Harassment/Discrimination
• Labor
• Leaves Administration
• Wage and Hour
Environmental
Financial
• Financial Reporting (SEC)
• Tax
Fraud and Corruption
• Anti-Money Laundering
• Bribery (FCPA, UKBA, OECD)
Government Relations
• Fed Contractor status
Information Management
• Discovery/Records Retention
• Privacy
Import and Export
Intellectual Property
• Copyright/Trademark use
Workplace Health & Safety
Business Requirements
Internal Focused
• Mission
• Values
• Code of Conduct
• Policies and Procedures
  • Internal Investigations
  • Conflicts of Interest
  • Non-Retaliation
External Focused
• Corporate Social Responsibility
• Sustainability
• Vendor Management
Voluntary Standards
• U.S. Federal Sentencing Guidelines
• Industry Codes
• PCI
• Trade Associations
Emerging Issues?
IDENTIFYING EMERGING RISK: MONITORING
• Bloomberg BNA
• US Department of Treasury (OFAC)
• SCCE Compliance & Ethics Blog
• GAN Business Anti-Corruption Portal
• Federal Trade Commission
• Stanford Law School Foreign Corrupt Practices Act Clearinghouse (Sullivan & Cromwell LLP)
OTHER RISK IDENTIFIERS
• Hotline
• Litigation
• Benchmarking
EXECUTION
Internal v. External
INTERNAL: ALIGNING ETHICS & COMPLIANCE WITH ERM
ERM risk categories:
• Strategic
• Operational
• Financial
• IT / Technology
• Legal / Regulatory
• Ethics / Reputation
Benefits:
• Align framework and approach
• Less burden for the business
• Board oversight
• Senior leader involvement
EXTERNAL: VENDOR RISK ASSESSMENTS
• Manage risks and vulnerabilities
• Leverage experience across a wide range of industries
• Capabilities to assess complex environments (e.g., highly regulated industries)
• Advanced analytic tools used to drive transformative insights
QUESTION: WHAT & HOW MUCH DO YOU DOCUMENT?
• Legal concerns?
• Resource constraints?
• Business impact (e.g., time consumption)
REASONS TO DOCUMENT
• Requires specific input (i.e., it takes a village)
• Assurance of alignment to corporate initiatives
• Executive discussions
ADDITIONAL STRATEGIES
USE OF SURVEYS AND OTHER TOOLS
• Surveys: SCCE, CEB, Big Four
  CASE STUDY: FBI
• Questionnaires: process specific (e.g., Fraud, FCPA, SHE, etc.) v. holistic risk framework
  EXAMPLES: CEB & ACFE
USE OF SURVEYS
• What could go wrong?
• How bad could it be?
SURVEY METHODOLOGIES
• Secure the data submission and storage
• Identify the most critical risk inquiries for measurement through the survey
• Have the methodology (e.g., weighting, comparison, etc.) in place prior to start
• Consider the reporting impact: quantitative v. qualitative
Copyright © 2016 Society of Corporate Compliance and Ethics
(SCCE). All rights reserved.
SAMPLE SURVEY QUESTIONS
SAMPLE TOOL: CORPORATE EXECUTIVE BOARD
© 2016 CEB. All Rights Reserved.
SAMPLE TOOL: ASSOCIATION OF CERTIFIED FRAUD EXAMINERS
© 2016 Association of Certified Fraud Examiners, Inc. All rights reserved.
SAMPLE RISK ASSESSMENT FLOW (MONITORING)
1. Risk Detection: new regulatory guidance
2. Process Inquiry: process review or inquiry*
3. Measurement: assess process or controls
4. Reporting: escalate to (1) process owner, (2) committee
5. Tracking: ex. committee risk log
*Internal Audit Plan or SOX/PCI/Privacy framework testing
ARE WE THERE YET?
• Manage the journey
• Ensure completeness and measure the results against your objective
• Keep it simple
KEY TAKE-AWAYS
• Identify scope and purpose
• Align execution with ERM or existing processes:
  • Leverage Subject Matter Experts (e.g., Audit)
• Consider use of a survey or questionnaire based on scope
• Utilize monitoring sources to enhance risk detection and support assessment work
• Document results and manage expectations