Posted on 19-Jun-2020
Page 1

COMPLIANCE RISK ASSESSMENT STRATEGIES

Carla Weiler, Starbucks

Monica Reinmiller, Sutherland Global Services

Page 2

AGENDA

• Focus: strategic discussion on how to approach SCOPE and EXECUTION of your compliance risk assessments

• Start with the end game in mind:

  • What do you want/need to accomplish?

  • We are all on a journey – are you just starting?

SCOPE

Page 3

RISK ASSESSMENT PROCESS

Identify Risk → Gather Information → Assess → Prioritize → Mitigate → Monitor → Report

Identify Risk

• Legal/Regulatory landscape

• Market analysis

• Risk catalog

Gather Information

• Internal/external

• In-person interviews

• Self surveys

Assess

• Risk ownership

• Existing controls

• Qualitative / Quantitative

Prioritize

• Available resources

• Align with strategic goals

Mitigate

• Develop and document

• KPIs

Monitor

• Ongoing review

• Emerging risk

• Mitigation plan updates

Report

• Quarterly risk reporting to oversight body

APPROACH BASED ON MATURITY

                Reactive                    Developing                   Leading Practice
Reporting       Informal                    High level                   Detailed reporting
Frequency       Ad Hoc                      Ad Hoc or Annual             Consistent frequency
Resources       Zero to limited resources   Limited to some resources    Staffed or funded

Leading Practice Criteria or Factors

• Budget

• Organization wide events (ex. Annual ERM Assessment)

• Leverage continuous monitoring

• Maintain consistent housekeeping: report format, repository, tracking

Page 4

IDENTIFYING RISK:

Legal / Regulatory Requirements

Industry Specific

• Gas/Electric

• Health Care

• Higher Education

• Industrial

• Manufacturing

• Retail

• Technology

• Transportation

Geography/Entity Status

• Domestic

• International

• Public or Private

• Joint Ventures

Antitrust/Fair Competition

California

• Conduct business in CA?

Consumer Protection/Product Safety

Corporate Governance/Securities

• Listing requirements

• Board matters

• Ethics / Whistleblower Protection

• Insider Trading/Reg FD

Employment

• Compensation

• Harassment/Discrimination

• Labor

• Leaves Administration

• Wage and Hour

Environmental

Financial

• Financial Reporting (SEC)

• Tax

Fraud and Corruption

• Anti-Money Laundering

• Bribery (FCPA; UKBA, OECD)

Government Relations

• Fed Contractor status

Information Management

• Discovery/Records Retention

• Privacy

Import and Export

Intellectual Property

• Copyright/Trademark use

Workplace Health & Safety

Business Requirements

Internal Focused

• Mission

• Values

• Code of Conduct

• Policies and Procedures

  • Internal Investigations

  • Conflicts of Interest

  • Non-Retaliation

External Focused

• Corporate Social Responsibility

• Sustainability

• Vendor Management

Voluntary Standards

• U.S. Federal Sentencing Guidelines

• Industry Codes

• PCI

• Trade Associations

Emerging Issues?

DEFINING YOUR UNIVERSE

IDENTIFYING EMERGING RISK: MONITORING

• Bloomberg BNA

• US Department of Treasury (OFAC)

• SCCE Compliance & Ethics Blog

• GAN Business Anti-Corruption Portal

• Federal Trade Commission

• Stanford Law School Foreign Corrupt Practices Act Clearinghouse (Sullivan & Cromwell LLP)

Page 5

OTHER RISK IDENTIFIERS

• Hotline

• Litigation

• Benchmarking

EXECUTION

Internal v. External

Page 6

INTERNAL: ALIGNING ETHICS & COMPLIANCE WITH ERM

• Strategic

• Operational

• Financial

• IT / Technology

• Legal / Regulatory

• Ethics / Reputation

ERM Benefits:

• Align framework and approach

• Less burden for the business

• Board Oversight

• Senior Leader Involvement

EXTERNAL: VENDOR RISK ASSESSMENTS

• Manage risks and vulnerabilities

• Leverage experience across a wide range of industries

• Capabilities to assess complex environments (e.g., highly regulated industries)

• Advanced analytic tools used to drive transformative insights

Page 7

QUESTION

WHAT & HOW MUCH DO YOU DOCUMENT?

• Legal concerns?

• Resource constraints?

• Business impact (e.g., time consumption)

REASONS TO DOCUMENT

• Require specific input (i.e., it takes a village)

• Assurance for alignment to corporate initiatives

• Executive discussions

ADDITIONAL STRATEGIES

Page 8

USE OF SURVEYS AND OTHER TOOLS

• Surveys: SCCE, CEB, Big Four

CASE STUDY: FBI

• Questionnaires: process specific (e.g., Fraud, FCPA, SHE, etc.) v. holistic risk framework

EXAMPLES: CEB & ACFE

USE OF SURVEYS

What could go wrong?

How bad could it be?

Page 9

SURVEY METHODOLOGIES

• Secure the data submission and storage

• Identify most critical risk inquiries for measurement through survey

• Have the methodology (e.g., weighting, comparison, etc.) prior to start

• Consider the reporting impact: quantitative v. qualitative

Copyright © 2016 Society of Corporate Compliance and Ethics (SCCE). All rights reserved.

SAMPLE SURVEY QUESTIONS

Page 10

SAMPLE TOOL: CORPORATE EXECUTIVE BOARD

© 2016 CEB. All Rights Reserved.

SAMPLE TOOL: ASSOCIATION OF CERTIFIED FRAUD EXAMINERS

© 2016 Association of Certified Fraud Examiners, Inc. All rights reserved.

Page 11

SAMPLE RISK ASSESSMENT FLOW (MONITORING)

Risk Detection → Process Inquiry → Measurement → Reporting → Tracking

Risk Detection: New regulatory guidance

Process Inquiry: Process review or inquiry*

Measurement: Assess process or controls

Reporting: Escalate: 1. Process owner, 2. Committee

Tracking: Ex. Committee risk log

*Internal Audit Plan or SOX/PCI/Privacy framework testing

ARE WE THERE YET?

• Manage the journey

• Ensure completeness and measure the results against your objective

• Keep it simple

Page 12

KEY TAKE-AWAYS

• Identify scope and purpose

• Align execution with ERM or existing processes:

  • Leverage Subject Matter Experts (e.g., Audit)

• Consider use of survey or questionnaire based on scope

• Utilize monitoring sources to enhance risk detection and support assessment work

• Document results and manage expectations