
Page 1: The Fraud Examiner’s Journey to the ... - Fraud Conference · Please note that the CEB program names referenced in this document have changed since the time of publication. 87 Compliance

PAUL E. ZIKMUND

DIRECTOR GLOBAL ETHICS & COMPLIANCE

BUNGE

The Fraud Examiner’s Journey to the Compliance Office


Agenda

Current Compliance Risk Assessment

Compliance Defined

Role of the Compliance Officer

Skills & Qualifications of the CCO

Hallmark of an Effective Compliance Program

Building Key Partnerships

CFE to CCO

INDUSTRY TRENDS AND ANALYSIS

Current Compliance Risk Environment


Laws, Regulations, & Guidance

Sarbanes-Oxley Act

U.S. Federal Sentencing Guidelines

PATRIOT Act—Anti-money laundering

Insurance policies and ratings agencies (Moody’s)

IIA Fraud Risk Practice Guidance

Statement of Audit Standards No. 99

DOJ/SEC FCPA Resource Guide

Dodd-Frank Act

COSO—Internal Controls—Integrated Framework Update

Four Emerging Compliance Risks to Consider in 2014

© 2012 The Corporate Executive Board Company. All Rights Reserved. ADR4006812SYN

Please note that the CEB program names referenced in this document have changed since the time of publication.

Compliance Risk | Risk Drivers

#1. Destructive Microcultures

Company culture (even when it’s very strong) is not a uniform thing. Environments and observed misconduct rates will vary by country and by business unit, and companies need to be aware of where their cultural hot spots exist to prioritize compliance and ethics resources.

#2. Tone at the Middle

Most companies are discovering that a tone from the top, code of conduct, and annual compliance training are not enough to create a strong culture of compliance and ethics. Research indicates that the middle manager disproportionately influences (positively and negatively) the integrity behaviors of individual employees and teams, yet most firms do not always effectively foster this tone at the middle.

#3. Third-Party Relationships

In 2013, almost 55% of Chief Audit Executives identified control deficiencies in third-party relationships, perhaps not surprising given the growing ecosystem of third parties used to execute core business functions, most specifically contract workers and outsourcing service providers.

#4. Business Resistance

Almost 40% of compliance failures can be attributed to “unintentional noncompliance”—employees committing misconduct because of (1) a lack of awareness or (2) the complex nature of some compliance processes. Many compliance teams have started to measure their level of “alignment” with key business partners as a way of identifying improvement opportunities.


Corruption Perceptions Index Map


ERC National Business Ethics Survey

“Companies are working harder to build strong cultures and implement increasingly sophisticated ethics and compliance programs. The results show that companies are doing a better job of holding workers accountable, imposing discipline for misconduct, and letting it be known publicly that bad behavior will be punished.”

More than one in five workers who reported misconduct said they suffered from retribution as a result of doing so.

The percentage of companies viewed as having “strong” ethics cultures climbed to 66 percent in 2013, compared to 60 percent in the last survey.


ERC National Business Ethics Survey

The percentage of companies providing ethics training rose from 74 percent to 81 percent between 2011 and 2013.

Two-thirds of companies included ethical conduct as a performance measure in employee evaluations, up from 60 percent in 2011.

Employees claimed that members of management are responsible for six of every ten instances of misconduct.

© 2013 The Corporate Executive Board Company. All Rights Reserved. CDES5367413SYN

#2 TONE AT THE MIDDLE: COMPLIANCE ONLY LEARNS ABOUT 17% OF COMPLIANCE VIOLATIONS

How Information About Business Misconduct Travels

Analysis of 2012 Reporting Trends from CEB RiskClarity’s Database

If 1,000 employees observe misconduct…

…then only 602 report what they observe.

Forty percent of observed misconduct never leaves the workforce.

408 employees tell their direct manager or supervisor.

209 employees report to HR, Legal, or other corporate function (outside Compliance).

50 employees take their reports directly to Compliance.

About 290 managers talk to their direct manager or supervisor.

About 213 managers talk to HR, Legal, or other separate function (outside Compliance).

About 123 managers take their reports directly to Compliance.

From the COMPLIANCE AND ETHICS LEADERSHIP COUNCIL of the CORPORATE INTEGRITY PRACTICE

www.celc.executiveboard.com

© 2011 The Corporate Executive Board Company. All Rights Reserved. CELC1444711SYN

#4: BUSINESS RESISTANCE: UNDERSTANDING THE CAUSES OF MATERIAL COMPLIANCE AND ETHICS RISK EVENTS

Lack of employee awareness and process complexity are among the top three most frequently cited causes of material compliance and ethics risk events.

■ More than 7 in 10 material compliance risk events result from either a failure to create clear compliance expectations or a prioritization of self over company.

[Chart: Root Causes of Compliance and Ethics Risk Events. Percentage of Events Attributed to Cause, 2011. n = 58 companies. Cause groupings: Unintentional; Intentional. Causes shown: Process Complexity Leads to Unintentional or Negligent Noncompliance; Lack of Employee Awareness; Poor Regulatory Tracking; Poor (Permissive) Corporate Culture; Employee Self-Interest; Other Root Cause; Operational Burden. Percentages shown: 21.2%, 13.1%, 10.1%, 20.2%, 17.9%, 6.4%, 11.1%.]

Unintentional risk events are generally caused by a lack of clear employee expectations.

Only 6% of material compliance risk events result from a failure to track new (or changing) regulations.

Intentional risk events stem from employees—as an individual or as a group.

Did You Know?

In the past three years, companies experienced a median of 20 material compliance and ethics risk events.

Figure 2: Average Cost of Fines and Settlements for a Single Violation

In Millions of US Dollars, 2011 and 2012

[Chart. Categories: FCPA Violations; Securities Violations; Money Laundering/Bank Secrecy Act Violation; Fraud; Data Privacy or Information Security Violation; Discrimination; Health and Safety Violations. Bar values: $17.3, $10.2, $8.0, $3.7, $1.0, $0.3, $0.0. Axis: $0.0 to $18.0.]

Source: CEB analysis

Health and safety violations have an average cost of $2,132 per incident.


Ernst & Young 12th Global Fraud Survey

Increasing risk of bribery and corruption

Nearly half of the organizations surveyed had been victimized by a significant fraud within the prior year

Managing third-party risk is high priority

M&A poses significant risk to companies

Employees committed 85% of the worst frauds

Continued need to build stronger control environment (policies, training, stronger Code of Conduct, stronger compliance programs)


Fraud Is Pervasive—2014 ACFE Survey

Estimated $3.7 trillion in fraud losses

85% of all frauds involve asset misappropriation schemes

Median loss = $145,000 per incident

Average scheme = 18 months before detection

Over 40% of all fraud is discovered through tips and complaints

Corruption & billing schemes present the greatest risk

Anti-fraud controls = reduced occurrences & losses

Highest risks = banking, government, & manufacturing

It takes time and effort to recover the money stolen by perpetrators, and many organizations are never able to fully do s


Cost of Organizational Dishonesty

Reputation degradation

Lower employee morale

Loss of sales

Increased absenteeism

Loss of assets

Disruption to operations

Cost of investigations

Lower job satisfaction

Higher employee turnover

Health consequences

Lack of trust

Backlash to controls

Source: MIT Sloan Management Review

WHAT IS ETHICS & COMPLIANCE?

Compliance Defined


What Is Corporate Compliance?

“Designed to prevent unlawful conduct and to promote conformity with externally imposed regulations, provide a second component of background for organizational ethics.”

The internal programs and policy decisions made by a company in order to meet the standards set by government laws and regulations.

A corporate compliance program is generally defined as a formal program specifying an organization’s policies, procedures, and actions within a process to help prevent and detect violations of laws and regulations.

Means conforming to a rule, such as a specification, policy, standard, or law.


Compliance Mission

The mission of Bunge’s Global Ethics and Compliance (GEC) is to serve the best interests of Company, its employees, customers, and stockholders by promoting an organizational culture committed to integrity, ethical conduct, and compliance with the law. GEC will support Bunge’s achievement of financial, operational, and strategic objectives by incorporating compliance and ethics in the daily business practices and by setting standards, policies, and procedures that contribute to responsible practices and integrity of Bunge’s products and services.


What Is Organizational Ethics?

Organizational ethics is the ethics of an organization, and it is how an organization ethically responds to an internal or external stimulus.

Organizational ethics express the values of an organization to its employees and/or other entities irrespective of governmental and/or regulatory laws.

Ethics are the principles and values an individual uses to govern his activities and decisions. In an organization, a code of ethics is a set of principles that guide the organization in its programs, policies, and decisions for the business.

Organizational ethics is a broad concept that includes not only culture and trust, but also processes, outcomes, and character and denotes “a way of acting, not a code of principles.”


Food for Thought

Nancy is a supervisor at LBT Corporation. She manages LBT’s human resources function for a division of the organization.

LBT conducts annual ethics and compliance certification training during which employees log into a portal and answer questions after viewing the training. The course takes approximately 30–45 minutes to complete.

Nancy, in her efforts to help her overworked staff, sends the following email message. “Hello Everyone, there are 20 questions at the end of the training. In order to save the team some time I’ve included the answers below. Feel free to jump ahead and finish the certification much quicker than normal.”

What, if anything, should happen to Nancy?


Role of the Chief Compliance Officer


Roles & Responsibilities

Develop corporate compliance strategy

Conduct compliance risk assessments

Develop and periodically review appropriate compliance policies and procedures

Coordinate proactive measures to identify gaps in compliance with company policies and procedures

Conduct compliance training and awareness programs

Oversee the organization’s code of business conduct

Communicate results to executive leadership, audit committee, and other relevant parties


Roles & Responsibilities

Respond to alleged violations of rules, regulations, policies, procedures, and standards of conduct by evaluating or recommending the initiation of investigative procedures

Ensure proper reporting of violations or potential violations to duly authorized enforcement agencies as appropriate and/or required

Monitor and, as necessary, coordinate compliance activities of other departments to remain abreast of the status of all compliance activities and to identify trends

WHAT YOU NEED TO KNOW

Skills and Qualifications of the Chief Compliance Officer


Skills & Qualifications

Knowledge of relevant laws and regulations

Ability to collaborate with multiple functions and executive leadership

Excellent verbal & written communication skills

Critical thinking skills

Managerial courage

Strong networking skills

Good public speaker

Excellent credibility and strong brand

Forward thinking

Enjoys ethics


Hallmarks of an Effective Compliance Program

RUNNING A SUCCESSFUL PROGRAM


Federal Sentencing Guidelines

Oversight

Standards & Procedures

Auditing & Monitoring

Education & Training

Reporting

Response & Investigation

Enforcement & Discipline


Filip Memo

Nature & seriousness of the offense

Pervasiveness of wrongdoing

History of offenses

Timely & voluntary disclosure

Pre-existing compliance programs

Remedial actions

Collateral consequences

Adequacy of prosecution of individuals

Adequacy of remedies


2010 FSGO Amendments

CCO has direct access to the Board or Audit Committee

The compliance program discovered the offense

The organization promptly reported the offense

No member of the compliance program was involved in the misconduct

Organizations should continuously reassess their compliance programs


Pfizer FCPA Settlement

Delegation of compliance responsibilities to a high-level compliance officer

Appoint head of compliance for each business unit

Establish an Executive Compliance Committee

Establish a group to handle investigations, anti-corruption, and mergers and acquisition compliance

Risk-based annual reviews

Anti-corruption, risk-based, third-party due diligence

Compliance training & awareness programs

Annual compliance/FCPA certificates from senior managers


Elements of an Effective Program

Element 1: Commitment from Senior Management

Element 2: Code of Conduct & Compliance Policies

Element 3: Oversight, Autonomy, & Resources

Element 4: Risk Assessment

Element 5: Training, Awareness, & Continued Advice


Elements of an Effective Program

Element 6: Incentives & Disciplinary Measures

Element 7: Third-Party Due Diligence

Element 8: Confidential Reporting & Investigation

Element 9: Periodic Testing & Review

Element 10: Mergers & Acquisitions Due Diligence


Commitment from Senior Management

Tone at the top

Active board and audit committee

Tone in the middle

More than a paper program

Senior manager assigned to oversee compliance

Clearly defined values and standards

Communicated in unambiguous terms

Disseminated throughout the organization


Compliance Policies/Code of Conduct

New-hire policy

Code of conduct—code of ethics—employee handbook

IT/Internet ethics policy

Method of communication

Frequency of communication

Ease of access/centralized

Communicated to third parties

Frequency of certification

Required percentage of acknowledgement


Oversight, Autonomy, & Resources

Assigned to a senior-level person—CCO/CECO

Access to executive leadership—seat at the table

Reputation within the organization

Adequate staffing—proportionate to the size of the organization

Adequate resources—technology, portal, budget, etc.

Access to external consultants, lawyers, investigators, etc.

Approved charter (independent & objective function)

Not a paper program


Risk Assessment

Documented process

Tailored to meet the organization’s unique risk profile

Considers business lines, products, services, geographic locations, customer base, and distribution channels

Involves relevant personnel

Performed on a routine basis

Development of heat map

Shared and tracked with functions and business units


Training & Awareness Programs

Variety of training programs

Frequency of training sessions

How is training conducted

Special training for new policies and policy changes

Is training tracked and monitored for attendance, completion, and effectiveness

Who conducts the training


Incentives & Disciplinary Measures

Appropriate and clear disciplinary actions

Applied reliably and promptly

Publicized internally for deterrent effect

Fraud, misconduct, or policy violations result in swift and appropriate consequences

Not just a paper program

Review basis for disciplinary action taken by the organization

From the boardroom to the supply room

Incentivize compliant behavior

Celebrate success


Third-Party Due Diligence

Defined as “reasonable inquiry” and not absolute certainty

Not necessarily an investigation or detailed fact finding

Companies are advised to maintain a standard practice or written policy

Important to define an escalation process when red flags are uncovered during the due diligence

Companies should use logic and rational thinking when evaluating third parties and be able to defend their position

Due diligence is not the same for everyone. The approach may vary depending upon the type of company

Include third parties, transactions, & relationships


Confidential Reporting & Investigation

Efficient, reliable, and properly funded investigation process

Internal mechanism to report concerns

Effectively assigned for prompt follow-up

Investigated by objective, independent, and competent personnel

Assignment of proper management oversight

Results shared internally with appropriate personnel

Investigations conducted in line with company policies and within legal and regulatory guidelines

Concerns are tracked and periodically reported to the audit committee/senior management


Periodic Testing and Review

Continuous improvement

Business is constantly changing

Acquire companies

Launch new products

Open new offices

Change of senior leadership

Industry sweeps—monitor and respond

Continuous monitoring

Active internal audit function


M&A Pre-/Post-Acquisition Due Diligence

Background checks (reputation, litigation)

Social media review

Criminal/civil history

Interviews & intelligence gathering

Analysis of financial records

Assessment of anti-fraud/compliance programs and controls

Assessment of physical security risks

Organized and consistent risk-based program


Bunge’s Compliance Programs, Policies, & Controls

[Diagram: CCO Mission; Global Fraud & Misconduct Policy; Global Investigation Protocols; Allegations Matrix; GEC Investigation Guidelines]

CCO Mission

Defines the purpose of ethics and compliance & the areas of responsibility

Global Fraud & Misconduct Policy

Governs receipt, retention, and treatment of complaints

Global Investigation Protocols

Defines the general principles for the conduct of investigations by Legal/Compliance & Internal Audit

Allegations Matrix

Prioritizes allegations in three separate levels (A, B, C)

Assigns a specific person or function the authority to investigate

GEC Investigative Guidelines

Serves as a guide and reference to enroll investigative procedures and processes during the collection of facts and evidence in matters where illegal, unethical, or otherwise improper acts are alleged


Building Key Partnerships

KEYS TO ENSURE PROGRAM SUSTAINABILITY & EFFECTIVENESS

Key Stakeholders

[Diagram: Ethics & Compliance Programs & Controls, surrounded by:]

Internal/External Auditors

Human Resources/Legal/IT

Senior Management

External Agencies

Board & Audit Committee

Middle Management & Employees

PATHWAY TO COMPLIANCE ROLE

CFE to CCO


Recommendations

Know your company

Where does compliance fit in your organization?

Understand the regulations

Forward thinking and innovative

Understanding and managing risk

Review your internal policies and procedures

Build a campaign for compliance

Highlight risk

Avoid “the voice of no”—be an enabler


Recommendations

Develop a compliance charter

Embrace visibility

Build key partnerships and relationships

Generate excitement

Revise the hotline

Rewrite the code of conduct

Conduct training and awareness

Crisis drives change

Deliver perfection

Continuous improvement


Know Yourself

Outgoing

Strong communicator

Managerial courage

Embrace crisis and continuous change

Open to criticism and being judged by hindsight

Like to travel

Overcome pitfalls, roadblocks, and resistance

Willing to build the brand

Knowledgeable, continuous learner

Good educator