session 309 - allocating risk for your company - playing the feud (cjp 10.26)
TRANSCRIPT
Faculty
• Carl Peterson, General Counsel, Mid-Atlantic Business Unit, Titan America LLC
• Stephanie Bortnyk, Associate General Counsel, Dassault Falcon Jet Corp.
• Allie Wright, Assistant General Counsel, Allegis Group, Inc.
• Sonny Haynes, Attorney, Womble Carlyle Sandridge & Rice, LLP
*Disclaimer: The views and opinions expressed in this presentation and the accompanying materials are those of the authors as individuals and do not necessarily reflect the views or opinions of any of their respective employers.
Allocating Risk for Your Company: Agenda
I. Traditional role of Legal Department in Risk Assessment/Compliance
II. Current Environment – Recent Developments
III. Survey Results - Introduction
IV. Approaches to Compliance and Risk Assessment
V. Ethical Concerns Related to Risk Assessments and Compliance
VI. Survey of In-House Counsel – Discussion and Results – Playing the Feud!
VII. Wrap Up/Q&A
Allocating Risk for Your Company: The Changing Landscape of Compliance
• Has historically been the norm
• But environment is evolving…
“Triage” Approach – Learn and Respond
• Began with financial reporting - Sarbanes-Oxley, Gramm Leach Bliley, Dodd-Frank, etc.
• Recent developments = more comprehensive
Compliance Obligations Are Increasing
• DOJ/other agencies becoming more aggressive
• Holder Memo
• Thompson Memo
• McNulty Memo
• Filip Memo
Risks of Non-Compliance Also Increasing
Potential for Personal Liability
• Antitrust Laws
• Environmental Laws
• Federal Securities Laws
• Yates Memo (2015)
• FCPA
• MSHA
• Responsible Corporate Officer Doctrine
• “Hide no Harm Act” (SB) (2015)
Allocating Risk for Your Company: Survey Results - Introduction
• Wanted to learn “typical” in-house risks
• How risks were being monitored
• SLD focus
Survey Development
Allocating Risk for Your Company: Survey Results - Demographics
# of Lawyers
1-3 4-7 8+
68% 15% 17%
# of Support Staff
1-3 4-7 8+
84% 14% 2%
Specialists v. Generalists
Generalists, Specialized, A Little of Both
49% 45% 6%
Company Size
0-500 501-5,000 5,001+
43% 32% 25%
Internal Audit Department (Separate from Legal)
Triage of Issues as they Arise (brought forward by the business or outside forces)
Outside Compliance Monitoring Vendor
Monitored/Addressed by Outside Counsel
Routine Legal Department Compliance Checks
45% 20% 26% 8% 1%
Allocating Risk for Your Company: Survey Results – Risk Monitoring and Compliance
• More clients/practice areas/responsibilities, fewer attorneys/staff
• Shift from triage to forward-looking program is vital
• A viable compliance program is a must
• Protect your company
• Protect yourself and executives
• Financial incentives
Legal Departments Are Being Asked to Do More With Less
Allocating Risk for Your Company: Survey Results - Overview
• Strong internal controls
• Self-discovery/self-reporting
• Requires formal compliance audits, risk assessments, mitigation efforts, etc.
• Evidence shows that very few of us have these practices in place
Limited Tools That May Garner Leniency
Where To Start?
Allocating Risk for Your Company: The Changing Landscape of Compliance
Allocating Risk for Your Company: Ten Hallmarks of an Effective Compliance Program
1. COMMITMENT
2. POLICIES
3. OVERSIGHT
4. ASSESSMENT
5. TRAINING
6. INCENTIVES
7. DILIGENCE
8. REPORTING
9. IMPROVEMENT
10. INTEGRATION
0-5 Hallmarks, 6-8 Hallmarks, 9-10 Hallmarks
53% 13% 34%
ERM
CAS (2003)
COSO (2004)
RIMS (2006)
ISO 31000 (2009)
“The discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.”
“A process…applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
“A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risk and managing the combined impacts of those risks as an interrelated risk portfolio.”
“A process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk”
Risk is “the effect of uncertainty on objects
• Systematic process to identify and scale risk
• Can be applied to any area
• Prioritizes and manages risks as an integrated portfolio
• Evaluation of portfolio through various lenses
• Recognizes that all risks are interrelated – combination of multiple risks may exceed sum of individual parts
• Involve risk identification/management in all critical business decisions
In Plain English?
Allocating Risk for Your Company: Enterprise Risk Management
• ERM concepts can be replicated on a smaller scale
• DOJ Guidance – smaller companies with fewer resources can still comply
• If a program meets these three criteria, it will provide for detection, prevention, and remediation
Allocating Risk for Your Company: Small Law Department – Other Compliance Methods
Step 1 – Set parameters for ranking
Value         | Risk Grade | Probability
1 - Very low  | < $10k     | < once every 10 years
2 - Low       | > $10k     | > once every 10 years
3 - Medium    | > $100k    | > once a year
4 - High      | > $1m      | > once a month
5 - Very high | > $10m     | > once a day
Step 2 – Survey risk/probability
Allocating Risk for Your Company: Create Your Own Assessment
Step 3 – Tabulate Survey Results
Allocating Risk for Your Company: Create Your Own Assessment
Risk Description | Activity        | Risk Grade | Probability   | Risk Value | Grade Value | Probability Value
Employment Law   | Union           | 2 - Low    | 2 - Low       | 100        | 10          | 10
                 | Social Media    | 3 - Medium | 3 - Medium    | 10000      | 100         | 100
                 | Co-Employment   | 3 - Medium | 3 - Medium    | 10000      | 100         | 100
                 | FLSA            | 4 - High   | 4 - High      | 1000000    | 1,000       | 1,000
                 | Overtime        | 3 - Medium | 3 - Medium    | 10000      | 100         | 100
                 | Discrimination  | 3 - Medium | 3 - Medium    | 10000      | 100         | 100
                 | Employee Safety | 4 - High   | 5 - Very High | 10000000   | 1,000       | 10,000
• Who is your client?
• What do you do with information uncovered?
• Attorney/client privilege protection?
Unlocking Potential Ethical Concerns in Preparing a Risk Assessment
Allocating Risk for Your Company: Small Law Department – Risk Assessments & Investigations
• What about risks that might be uncovered?
• Something significant?
• Serious enough to warrant outside counsel engagement?
• Ethical rules to consider:
• Rule 1.6: Confidentiality of Information
• Rule 1.13: Organization as Client
• Rule 4.1: Truthfulness In Statements To Others
• Rule 8.4: Misconduct
Allocating Risk for Your Company: Risk Assessments & Investigations
• Client Confidences
• Routine business audits v. audits to determine need for legal advice
• What about internal investigations?
Model Rule 1.6: Confidentiality of Information
Allocating Risk for Your Company: Small Law Department – Risk Assessments & Investigations
• (a) A lawyer employed or retained by an organization represents the organization acting through its duly authorized constituents
• What about…
• Conflicts of interest?
• Upjohn warnings?
• Report up, but do you always report out?
Model Rule 1.13 – Organization as Client
Allocating Risk for Your Company: Risk Assessments & Investigations
• Do not fail to disclose material fact when disclosure needed to avoid criminal or fraudulent act
• Do not knowingly make false statement of material fact or law
Model Rule 4.1 – Truthfulness in Statements to Others
• Defines “professional misconduct”
• Refrain from deceit, dishonesty, fraud, or misrepresentation
Model Rule 8.4 – Misconduct
Allocating Risk for Your Company: Risk Assessments & Investigations
Allocating Risk for Your Company: Playing the Feud – Labor and Employment Edition
• Fair Labor Standards Act
• Employee Safety (OSHA/MSHA)
• Overtime Rules
• Co-Employment
• Social Media Issues
• Union Activities/Persuader Rule
POLL QUESTION – What do you believe survey respondents identified as the “highest risk” labor and employment issue:
Allocating Risk for Your Company: Playing the Feud – IT/Data Protection Edition
• Increased Role of Legal in Data Compliance
• Data Management/Retention/Deletion
• Cybersecurity (Breaches/Hacking)
• Unstructured Data Control
• IT Infrastructure (aging/new technology)
• EU Privacy Mandates
POLL QUESTION – What do you believe survey respondents identified as the “highest risk” IT/Data Protection Issue:
IT & Data Protection
• Cybersecurity
• Data Management/Retention/Deletion
• Unstructured Data Control
Allocating Risk for Your Company: Playing the Feud – Legal Department Management Edition
• Establishing/Maintaining Business Relationships
• Enterprise Risk Management
• Identifying C-Level Risk Tolerance
• Identification/Retention of Talent
• Protection of Privilege
• Conflicts of Interest
POLL QUESTION – What do you believe survey respondents identified as the “highest risk” Legal Department Management Issue:
Legal Department Management
• Talent Identification & Retention
• Protection of Privilege
• Enterprise Risk Management
Allocating Risk for Your Company: Playing the Feud – Supply Chain Edition
• Supply Chain Transparency
• Foreign Privacy Laws
• FCPA Compliance
• Re-Export Concerns
• OFAC Compliance/Sanctions List
• Ethical and Social Compliance
POLL QUESTION – What do you believe survey respondents identified as the “highest risk” Supply Chain Issue:
Supply Chain
• Ethical and Social Compliance
• Supply Chain Transparency
• FCPA Compliance
Allocating Risk for Your Company: Playing the Feud – Ethics Edition
• Client Identification/Conflicts of Interest
• E-Discovery/Litigation Management
• Legal Outsourcing/Unauthorized Practice of Law
• Communications with Represented Parties
• Preserving Privilege and Work Product Protections
• Personal Liability/Obligations Regarding Reporting
POLL QUESTION – What do you believe survey respondents identified as the “highest risk” Ethics Issue:
Ethics
• Preserving Privilege/Work Product Protections
• E-Discovery/Litigation Management
• Personal Liability/Obligations re Reporting
Summary Overview
Changing Environment = Changing Approach
Survey Your Landscape
Open an Ongoing Dialog with Business
Consider Legal as well as Business Risks
Review/Adopt Compliance and Risk Monitoring Plans
Incorporate Compliance Efforts into Business Routine
Create a Defensible Position