TRANSCRIPT
3/13/2015
1
Sally March and Ruth Steinholtz
SCCE European Compliance and Ethics Institute
March 2015
Basic Compliance Risk Assessment
Ethics and Culture Risk
◦ What are they?
◦ Why is this important?
Assessing Ethics and Culture Risk
#1 Ensure the Business understands its risks and manages them appropriately
◦ Ensure periodic C&E risk assessments are conducted across the organization
◦ Drive the integration of C&E risk assessments across the Business Units
◦ Ensure that risks are appropriately prioritized
◦ Ensure that action plans are developed and carried out on risk assessments
◦ Evaluate risk mitigation
Audit Universe Assess and Respond
Event Identification
Risk Assessment – evaluate likelihood and impact
Risk Response – avoid, accept, reduce, share
Control Activities – based on risk evaluation, identify and implement mitigation activity
Monitoring – revisit established controls on a periodic basis to ensure they are effective and working as designed and that they continue to be relevant.
Preparation
◦ Get executive buy-in. This is strategic and goes to the heart of the organisation’s ability to realise its objectives.
◦ Understand your organisation and its activities, e.g., lines of business, key business risks, recent business changes, likely business changes, strategies, competitors, industry practices, geography/dispersion. Where are key decisions made that can create risk?
◦ Understand your organisation’s ERM framework.
◦ Planning and Methodology – the process methodology must be objective and defensible.
◦ Who will conduct the assessment? Field a diverse team. Do you need external consultants?
◦ Consider the need for legal privilege, protocols for document creation.
Scope
◦ Examine all major areas of E&C risk, “gross”
◦ Don’t forget the “E”: Ethics, Culture and Code of Conduct
◦ Criminal conduct
◦ Legal and regulatory
◦ Policies and procedures
◦ Industry standards
◦ Are you capturing activities that are questionable though not illegal?
◦ Address both current and potential risks – “Predicting the past with 90% accuracy”
Interviews & Document Review
Risk assessments should involve participants from all parts of the business and from all levels.
Assess the ability of leaders to recognize and prevent compliance failures.
How are you going to assess “tone” and culture?
◦ Internal corporate documents
◦ External industry reports and other sources, e.g., TI CPI
◦ Include “near misses” as well as failures
Qualify, Quantify and Validate
◦ Likelihood that risk will occur
◦ Impact if it does
◦ Type of impact, e.g., prosecution, civil damages, reputational damage, management time
◦ Extent of impact
◦ Velocity? Other factors?
Challenge and validation – ultimately the Board or Audit Committee
Identify control activities
◦ For each risk, what are the current controls?
◦ Awareness of current controls
Define further mitigation plans
◦ Mitigation plans should reflect risk appetite – avoid, accept, reduce or share
◦ High risk and weakest controls – improve
◦ High risk and strong controls – monitor
Validate gross vs residual risk
◦ Beware a false sense of security regarding residual risk
Not everything that counts can be counted, and not everything that can be counted counts. William Bruce Cameron (not Einstein)
What is culture?
But, how can we measure something so ____?
Don’t we need to understand what drives unethical behaviour?
Source: US Management Association 2006; Survey of 1,121 global managers
Pressure to meet unrealistic objectives/deadlines: 69.7%
Desire to further one’s career: 38.5%
Desire to protect one’s livelihood: 33.8%
Environment of cynicism or diminished morale: 31.1%
Improper training/didn’t know it was unethical: 27.7%
Lack of consequences if caught: 24.3%
Following boss’s orders: 23.5%
Peer pressure/desire to be a team player: 14.9%
Wanting to help the organisation survive: 8.7%
A sense of loyalty: 6.9%
Desire to steal from or harm the organisation: 9.5%
Values are the building blocks of culture, influencing behaviour
It is possible to measure (and change) culture, using tools that have been around for many years!
Level – Positive Focus (Excessive Focus)
Level 7, Service – Service To Humanity And The Planet: social responsibility, future generations, long-term perspective, ethics, compassion, humility
Level 6, Making a difference – Strategic Alliances and Partnerships: environmental awareness, community involvement, employee fulfillment, coaching/mentoring
Level 5, Internal Cohesion – Building Corporate Community: shared values, vision, commitment, integrity, trust, passion, creativity, openness, transparency
Level 4, Transformation – Continuous Renewal and Learning: accountability, adaptability, empowerment, teamwork, goals orientation, personal growth
Level 3, Self-esteem – High Performance: systems, processes, quality, best practices, pride in performance (excessive focus: bureaucracy, complacency)
Level 2, Relationship – Belonging: loyalty, open communication, customer satisfaction, friendship (excessive focus: manipulation, blame)
Level 1, Survival – Financial Stability: shareholder value, organisational growth, employee health, safety (excessive focus: control, corruption, greed)
Level 7 – Ethical behaviour; doing things because it is the right thing to do. Long term perspective and serving the greater good.
Level 6 – Collaborative working environment, win‐win outcomes. Focus on leadership development that makes a difference. Sustainability and environmental awareness.
Level 5 – Clear vision and the values are lived and demonstrated by the senior team in their decision making. High levels of trust and honesty.
Level 4 – Staff feeling engaged and empowered. Business is continually improving and developing.
Level 3 – High performing systems. E.g. Fast decisions and accurate order fulfilment. People feel a sense of pride when they tell others who they work for.
Level 2 – Satisfied customers and staff. Respectful and open communication.
Level 1 – Profitable, financially stable, fair prices and pay? Good working conditions.
[Values Plot, Copyright 2011 Barrett Values Centre, February 2011 – Engineering and Projects Company (339). Three columns of top-ten values, each plotted against Levels 1–7:]
Personal Values (PV) – the values that are important to employees in their personal lives: 1. honesty, 2. accountability, 3. commitment, 4. continuous learning, 5. balance (home/work), 6. family, 7. self-discipline, 8. responsibility, 9. respect, 10. open communication. IRS (P) = 6-4-0 | IRS (L) = 0-0-0
Current Culture Values (CC) – how employees experience the company; what is working well and what is undermining the sustainability of the company: 1. continuous improvement, 2. customer satisfaction, 3. safety conscious, 4. cost reduction, 5. job insecurity (L), 6. inconsistent (L), 7. teamwork, 8. accountability, 9. blame (L), 10. corporate image. IROS (P) = 0-2-5-0 | IROS (L) = 1-1-1-0
Desired Culture Values (DC) – what employees believe is necessary for the company to achieve its full potential: 1. accountability, 2. customer satisfaction, 3. continuous improvement, 4. employee development, 5. employee recognition, 6. commitment, 7. inspirational leadership, 8. employee fulfilment, 9. teamwork, 10. professionalism. IROS (P) = 1-3-6-0 | IROS (L) = 0-0-0-0
Matches: PV–CC 1, CC–DC 4, PV–DC 2. Health Index (P/L): PV 10-0, CC 7-3, DC 10-0.
Legend: P = Positive, L = Potentially Limiting (white circle); I = Individual, R = Relationship, O = Organizational, S = Societal; Black underline = PV & CC, Orange = PV, CC & DC, Orange = CC & DC, Blue = PV & DC.
[Values Plot, Copyright Barrett Values Centre – Leisure and Tourism Example 1 (98), same three columns:]
Personal Values (PV): humour/fun, positive attitude, respect, honesty, family, balance (home/work), efficiency, being liked (L), continuous learning, initiative, well-being (physical/emotional/mental/spiritual). IRS (P) = 8-2-0 | IRS (L) = 0-1-0
Current Culture Values (CC): care for the client, teamwork, continuous improvement, team spirit, customer satisfaction, bureaucracy (L), customer collaboration, humour/fun, organisational growth, coaching/mentoring, innovation. IROS (P) = 1-4-5-0 | IROS (L) = 0-0-1-0
Desired Culture Values (DC): open communication, positive attitude, information sharing, continuous improvement, team spirit, employee recognition, balance (home/work), cooperation, teamwork, humour/fun, trust. IROS (P) = 1-5-4-0 | IROS (L) = 0-0-0-0
Matches: PV–CC 1, CC–DC 4, PV–DC 3. Health Index (P/L): PV 10-1, CC 10-1, DC 10-0.
Keep working on them
◦ In the meantime, do you have a leadership development or talent management dept?
◦ Face to face interviews, probing issues such as whether the culture encourages challenge, the quality of leadership, the “atmosphere” in various areas of the company
◦ Exit interviews, employee surveys, other employee communications
[Diagram: the Board, Executives and Management sit above three lines of defence, each addressing RISK]
1st – Business operations: a robust environment under which processes and controls are effectively operated. Design, implement and operate systems, process and controls to effectively support decision-making, manage risks, and achieve strategic objectives.
2nd – Divisional and group oversight: consistent monitoring and management of the effective operation of processes and controls. Establish policies and procedures, roles and responsibilities, boundaries for the operations and tone at the top. Oversight functions that monitor, test and resolve control or transactional failures, e.g. management operational committees, Compliance and Quality functions, etc.
3rd – Internal Assurance: independent control environment assessment. Independent assessment of the effectiveness of business operations and management oversight including second line oversight functions. Examples include Internal Audit, Security, and Health and Safety Assurance functions.
Sally J. March, J.D., LL.M., CCEP
Drummond March & [email protected]
+44 (0)7909 915456
Ruth Steinholtz (see bio for details)
Aretéwork [email protected]
+44 (0)7900 681457
UK Ministry of Justice, Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing, http://www.justice.gov.uk/downloads/legislation/bribery-act-2010-guidance.pdf
COSO, Integrated Risk Management Framework, http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf
“Conducting Effective Risk Assessments”, Association of Corporate Counsel InfoPAK
Scott Killingsworth, “Some realism about risk assessments”, Compliance & Ethics Professional, January 2015
Richard Barrett, The Values Driven Organization, Routledge, 2014
M. Bazerman and A. Tenbrunsel, Blind Spots: Why We Fail to Do What’s Right and What to Do About It, Princeton University Press, 2011
M. Heffernan, Wilful Blindness: Why We Ignore the Obvious at Our Peril, Simon & Schuster, 2011
An organization “shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [of its compliance and ethics program] to reduce the risk of criminal conduct identified through this process.”
#1 Proportional Procedures
◦ “Adequate bribery prevention procedures ought to be proportionate to the bribery risks that the organisation faces. An initial assessment of risk across the organisation is therefore a necessary first step.”
#3 Risk Assessment
◦ “The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.”
Source: UK Ministry of Justice Guidance about procedures which relevant commercial organisations can put into place to prevent persons associated with them from bribing
6. Ethics and compliance programmes or measures designed to prevent and detect foreign bribery applicable, where appropriate and subject to contractual arrangements, to third parties...(hereinafter “business partners”), including, inter alia, the following essential elements:
◦ i) properly documented risk-based due diligence pertaining to the hiring, as well as the appropriate and regular oversight of business partners;
The Public Company Accounting Oversight Board (PCAOB) approved Auditing Standard No. 5 for public accounting firms on July 25, 2007. This standard superseded Auditing Standard No. 2, the initial guidance provided in 2004. The SEC also released its interpretive guidance on June 27, 2007. It is generally consistent with the PCAOB's guidance, but intended to provide guidance for management. Both management and the external auditor are responsible for performing their assessment in the context of a top-down risk assessment, which requires management to base both the scope of its assessment and evidence gathered on risk. This gives management wider discretion in its assessment approach. These two standards together require management to:
◦ Assess both the design and operating effectiveness of selected internal controls related to significant accounts and relevant assertions, in the context of material misstatement risks;
◦ Understand the flow of transactions, including IT aspects, in sufficient detail to identify points at which a misstatement could arise;
◦ Evaluate company-level (entity-level) controls, which correspond to the components of the COSO framework;
◦ Perform a fraud risk assessment;
◦ Evaluate controls designed to prevent or detect fraud, including management override of controls;
◦ Evaluate controls over the period-end financial reporting process;
◦ Scale the assessment based on the size and complexity of the company;
◦ Rely on management's work based on factors such as competency, objectivity, and risk;
◦ Conclude on the adequacy of internal control over financial reporting.
Source: Wikipedia
Enterprise risk management consists of eight interrelated components.
Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting –
Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary.
Most organizations rely on multiple sources for answers. However, risk oversight and an integrated approach is usually lacking.
◦ Business Development – Market and Strategy Risks
◦ Information Management – IT Security, Data Integrity, Information Adequacy, Business Process/Continuity Risks
◦ Insurance – Property, Casualty, Liability, and Hazards
◦ Internal Audit – Risk informed audits, risks to internal control, key exposures and vulnerabilities, and assurance
◦ Security – Risks to property and people
◦ General Counsel – Legal and Intellectual Property
◦ Operations – Quality of care, Customer Relations, Market and Pricing, Competitive, People/Process/Asset Performance, Environmental and Safety Risks
◦ Finance – Internal Control, Disclosure, Credit, Liquidity, Commodity, Risk Analytics & Modeling
◦ Compliance and Ethics – Ethics and Business Conduct, and Regulatory Compliance Risks
Integrated process provides a means to better understand, communicate and respond to the risk knowledge that exists in the organization
Likelihood and Impact
Likelihood of Occurrence (rated H-M-L): 1 = Improbable, 2 = Remote, 3 = Occasional, 4 = Frequently, 5 = All the time
Impact of Occurrence (rated H-M-L): 1 = Minimal/Negligible, 2 = Slight, 3 = Moderate, 4 = Critical/Serious, 5 = Catastrophic
Prioritize your risks – define your criteria first and then rank high, medium, low
High
◦ Reputation – Systemic loss of public/client confidence resulting in loss of customers; major media coverage – headline news for several days
◦ Legal/Regulatory – Major infraction resulting in criminal or civil prosecution and/or significant discipline; loss of ability to operate in one or more countries
◦ Financial – Significant financial impact with widespread liability
Moderate
◦ Reputation – Loss of confidence among large number of customers and a segment of the general public; major media coverage for 1-2 days
◦ Legal/Regulatory – Infraction resulting in civil prosecution and/or discipline; loss of ability to operate within local jurisdiction
◦ Financial – Considerable financial impact with regional liability
Low
◦ Reputation – Loss of confidence among a limited number of customers in local market/country; limited local media coverage
◦ Legal/Regulatory – Minor infraction that is readily remediated; no loss of ability to operate
◦ Financial – Minimal financial impact with localized liability
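As an added example (not from the slides), a small risk-register scorer in Python that applies the two 1–5 scales above, bands the gross score into High/Moderate/Low, applies the mitigation slide's "high risk and weakest controls – improve, high risk and strong controls – monitor" rule, and sanity-checks residual against gross risk. The band thresholds, the two-valued control-strength scale and the sample register are assumptions made for the example.

```python
from dataclasses import dataclass

# Scales as given on the slide (1..5 each).
LIKELIHOOD = {1: "Improbable", 2: "Remote", 3: "Occasional", 4: "Frequently", 5: "All the time"}
IMPACT = {1: "Minimal/Negligible", 2: "Slight", 3: "Moderate", 4: "Critical/Serious", 5: "Catastrophic"}
# H/M/L thresholds on the 1..25 product are an assumption for this example; the slide
# only says to define the criteria before ranking.
HIGH_AT, MODERATE_AT = 15, 8

@dataclass
class Risk:
    name: str
    likelihood: int            # gross, i.e. before current controls
    impact: int
    control_strength: str      # "weak" or "strong" (assumed two-valued scale)
    residual_likelihood: int   # after current controls
    residual_impact: int

def _on_scale(value: int, scale: dict) -> int:
    if value not in scale:
        raise ValueError(f"{value} is outside the 1..5 scale")
    return value

def gross_score(r: Risk) -> int:
    return _on_scale(r.likelihood, LIKELIHOOD) * _on_scale(r.impact, IMPACT)

def residual_score(r: Risk) -> int:
    return _on_scale(r.residual_likelihood, LIKELIHOOD) * _on_scale(r.residual_impact, IMPACT)

def band(score: int) -> str:
    return "High" if score >= HIGH_AT else "Moderate" if score >= MODERATE_AT else "Low"

def response(r: Risk) -> str:
    """Slide rule: high risk + weakest controls -> improve; high risk + strong controls -> monitor."""
    if band(gross_score(r)) == "High":
        return "improve" if r.control_strength == "weak" else "monitor"
    return "decide per risk appetite (avoid/accept/reduce/share)"

def validate_residual(r: Risk) -> list:
    """Gross-vs-residual checks behind the 'false sense of security' caveat."""
    issues = []
    if residual_score(r) > gross_score(r):
        issues.append("residual exceeds gross")
    if r.control_strength == "weak" and residual_score(r) < gross_score(r):
        issues.append("residual reduced although controls are weak")
    return issues

def prioritise(risks: list) -> list:
    """Rank by gross score, highest first; equal scores keep register order."""
    return [r.name for r in sorted(risks, key=gross_score, reverse=True)]

# Constructed sample register (not from the deck).
REGISTER = [
    Risk("third-party agent bribery", 4, 5, "weak", 3, 5),
    Risk("expense-report fraud", 3, 2, "strong", 2, 2),
    Risk("sanctions screening gap", 3, 5, "strong", 1, 5),
]
```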