
Can Your Compliance Program Manage All of Your Organization's Risks?

Discussing the Proposition of Enterprise Wide Risk Management

February 6, 2003

Michael L. Shaw, Senior Manager, PricewaterhouseCoopers LLP


Overview

• Corporate Compliance Programs Defined
• Enterprise-Wide Risk Management Defined
• Key Differences
• How Your Organization Can Benefit From Enterprise-Wide Risk Management
• Applying EWRM to Satisfy Sarbanes-Oxley Requirements
• A Suggested Approach for Implementing EWRM


Compliance Defined

A compliance program is a management process comprised of formal reporting structures and risk mitigation systems designed to motivate, measure, and monitor an organization’s legal and ethical performance around complex business practices.


Elements of a Traditional Compliance Program

Basis:
• Federal Sentencing Guidelines
• Experience from other industry sectors
• OIG Compliance Program Guidance

Elements:
• Standards and Procedures
• Oversight Responsibility
• Education and Training
• Lines of Communication
• Monitoring and Auditing
• Enforcement and Discipline
• Response and Prevention


Elements of a Traditional Compliance Program: Standards and Procedures

• Code of Conduct
• Commitment by senior management
• Distribution to applicable employees and contractors
• Updating to address new risks
• Values approach
• Records retention


Elements of a Traditional Compliance Program: Oversight Responsibility

• High-level involvement
• Responsibility for developing, operating, and monitoring the compliance program
• Direct access to Board and/or CEO
• Updates to Board and/or CEO
• Operational Committee


Elements of a Traditional Compliance Program: Education and Training

• General and specific training sessions on a periodic basis
• Cover commitment, reinforce policies and procedures, and address risks
• Conducted for applicable employees and contractors
• Documentation of training efforts


Elements of a Traditional Compliance Program: Lines of Communication

• Hotlines
• Exit interviews
• Periodic surveys
• Supervisor accountability
• Documentation of issues identified and resolved
• Periodic reports on issues handled
• Non-retaliation policy


Elements of a Traditional Compliance Program: Monitoring and Auditing

• Internal or external evaluators to perform regular reviews
• Focus on high-risk areas
• Validation of policies and procedures
• Qualifications of reviewers
• Corrective action in response to audit results
• Monitoring and reporting of audit efforts


Elements of a Traditional Compliance Program: Enforcement and Discipline

• Consequences of violating the law, the Code of Conduct, or policies and procedures
• Violations reviewed and resolved on a case-by-case basis
• Consistent disciplinary action
• Confidentiality
• Periodic reports of action taken


Elements of a Traditional Compliance Program: Response and Prevention

• Prompt investigations of reasonable allegations of suspected noncompliance
• Decisive steps to correct problems identified
• Reporting to Government when appropriate, under the advice of legal counsel


Notable Quote

“I think the guidelines may need to say something more about the need to have ongoing auditing and testing of a compliance program on paper to ensure that it is effective in practice.”

- U.S. Sentencing Commission Vice Chair, John R. Steer


EWRM Explained

Increasingly, best-in-class organizations are embedding their compliance programs into an expanded view of enterprise wide risk management (EWRM). Approached in this way, compliance transitions from a reactive, process-intensive activity to a dynamic program enabling the organization to manage a broad range of changes that can impact its performance.

EWRM defines risks as events or activities that can affect the achievement of an organization’s goals.

EWRM addresses all organizational goals, objectives and relationships with key stakeholders.

EWRM is an anticipatory, proactive process that becomes a key part of strategy and planning. EWRM helps mitigate surprises and ensures all organizations are aligned with key objectives.


EWRM Explained

Pulling together the disciplines that address both sides of risk (minimizing uncertainty and maximizing opportunities), the concept pushes an organization to address risks and their management explicitly, as part of everyday business.

An EWRM framework emphasizes the need for processes to (1) identify risk, (2) assess risk and (3) manage risk.

EWRM can be implemented at any level of the organization, in whole or in part (e.g., business unit, functional process, geography). A robust compliance program is the cornerstone of managing risk across the organization.


EWRM Explained

[Figure: a spectrum running from Reactive through Proactive to Strategic, captioned "Building in an Enterprise Wide Risk Management program", with "Most Organizations Today?" toward the reactive end and "Current best practice" toward the strategic end.]

Most Organizations Today? (reactive end)
• Complying with known laws and regulations
• Seeking to meet industry compliance requirements
• Managing crisis

Current best practice (proactive and strategic end)
• Risk & Compliance external reporting
• Strategy Building
• Enterprise Risk Assessment
• Control Self Assessment
• Enterprise Wide Risk Management Program


Applying EWRM to Satisfy Sarbanes-Oxley Requirements

[Figure: overlapping areas labelled Internal Accounting Controls, Disclosure Requirements, Financial Reporting, Compliance and Operations.]

Legend:
• Internal Controls Over Financial Reporting
• Disclosure Controls and Procedures
• Other aspects of Compliance and Operations pertaining to DC&P


Operationalizing the Control Structure


EWRM is Supported by the COSO Framework

COSO defines internal controls as a process, effected by an entity’s Board of Directors, Management and other personnel, designed to provide reasonable assurance regarding achievement of the objectives in each of the following categories:

• Effectiveness & Efficiency of Operations
• Reliability of Financial Reporting
• Compliance with Applicable Laws and Regulations


EWRM is Supported by the COSO Framework

Control Environment
• Sets the tone of the organization, influencing the control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internally and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

All five components must be in place for a control to be effective.


Critical Steps of EWRM

[Figure: a numbered cycle of steps, 1 Identify Risk, 2 Assess Risk, 3 Manage Risk and 4, built around Creating a Risk Aware Culture; the slide annotates the steps with the notes below.]

• Guidance and training should be provided to franchise and functional leaders and teams on what is meant when we speak of risk, impact, internal control, etc.; development of a communication plan and supporting infrastructure.
• Proactive identification of events or conditions that could compromise business objectives, categorized by franchise and functional areas. Accountability is assigned to each risk.
• Evaluation of risk allowing for prioritization of resources.
• Management determines whether the company accepts, rejects, mitigates or transfers individual or classes of risks.
• Functional teams strive to identify risks “before they occur or in time” to mitigate the impact of the risk. They communicate their views to a risk facilitator on a timely basis. An issue resolution process is in place.


Getting Started: A Suggested Approach

• Assess your organization’s current techniques, tools and approaches for evaluating risk across the organization and consider the appropriate level of opportunity:
  - High-level view at an enterprise level, or
  - Detailed-level view at Business Unit level
• Conduct a gap analysis of current risk management practices against leading practice models, identifying existing internal best practices and potential opportunities for improvement
• Develop recommendations for developing an enterprise-wide risk management framework specific to your organization, including an execution plan to not only identify risks but mitigate them with controls


Getting Started: A Suggested Approach

Once the assessment is complete, design and implement an enterprise-wide risk management program for your organization.

Appoint a Risk Management Facilitator
• This is a leading practice
• Develop and articulate the risk strategy
• Develop tools to identify risk (leverage existing initiatives)
• Develop a methodology to identify and prioritize risk

Facilitate decision making and monitor program effectiveness: functional management will take the lead, with counsel from the risk management facilitator, to identify, assess and decide how they will mitigate risks.

Create a Template to Capture Risk Profile, including:
• Nature of the risk
• Business impact
• Probability of occurrence
• Exposure to the company
• Controls that exist to mitigate the risks
• Gaps, if any

Evaluate and Report
• Consolidated risks to senior management, including supporting management’s assertion under Section 404
• Ensure accountability for identified gaps within functional management


Getting Started: A Suggested Approach

For rating the Potential Impact of a risk, the impact on financial, operational and/or legal implications can be considered as well as the ability to achieve the stated objective in the face of that risk. Respondents can apply a rating corresponding to the level of impact of the risk, as follows:

Low - if the impact of the risk would have some financial, operational and/or legal implications and require attention, but is no greater than an irritant to the organization

Medium - if the impact of the risk would have significant financial, operational and/or legal implications, and/or would significantly delay the ability to achieve the objectives or otherwise affect it

High - if the impact of the risk would have major financial, operational and/or legal implications and/or it is so significant one would need to abandon the objectives


Getting Started: A Suggested Approach

For rating the Probability of a risk, the frequency of historical events can be considered as well as the current outlook. Respondents can apply the rating corresponding to the probability of occurrence of the risk, as follows:

Low - if the likelihood of this risk occurring is unlikely

Medium - if the likelihood of occurrence is somewhat likely

High - if the likelihood of occurrence is very likely

Responsible parties should be identified

External environment should be considered


Getting Started: A Suggested Approach

For all risks with a high composite rating, respondents can identify “Primary Exposure” to indicate the direct exposure facing an organization using categories such as:

• Government Enforcement
• Regulatory Violation
• Financial Loss
• Reputational Damage
• Failure to comply with internal policy
• Inefficiencies and/or excessive costs
• Inappropriate financial reporting or disclosure
• Legal Risk


Getting Started: A Suggested Approach

In addition, for all risks with a high composite rating, existing control mechanisms should be considered. An organization’s management should apply a rating corresponding to the level of control, such as the following:

• Policies and procedures exist and are tested as part of external or internal audits, and/or monitoring controls are in place
• Policies and procedures exist
• Policies and procedures are in the early stages of development
• Policies and procedures do not exist


Case Example: A Pharmaceutical Company

Functional Area       | # of Risks Identified | # of “High” Risks Identified | # of “High” Risks Identified w/Limited Controls in Place
----------------------|-----------------------|------------------------------|----------------------------------------------------------
Sales & Marketing     | 22                    | 14                           | 8
R&D                   | 15                    | 12                           | 2
Manufacturing         | 45                    | 5                            | 1
Regulatory Affairs    | 26                    | 6                            | 1
Financial Reporting   | 15                    | 8                            | 0
HR                    | 45                    | 12                           | 2
IT                    | 8                     | 6                            | 2
International         | 16                    | 8                            | 2
Total                 | (not shown)           | (not shown)                  | (not shown)


Benefits of EWRM

• Enhanced decision making process
• Prevention, detection and resolution of improper behavior, including an “early warning system”
• Improved effectiveness of compliance across the organization
• Integrated approach to risk, yielding increased efficiencies and reduced costs
• Mitigated impact of risk issues on the business, both offensively and defensively
• Increased internal customer satisfaction


In Summary, EWRM provides

An integrated, dynamic display of business objectives, key risks, and controls that are aligned with supporting policies, procedures, and operating principles

A robust, flexible structure that can deal systematically with both external and internal changes affecting the company

An aligned and supportive infrastructure that facilitates early identification of new risks, communication, training, incident identification, issues management, and internal and external reporting

A gap analysis in connection with Sections 302 and 404 of Sarbanes-Oxley


For More Information Contact:

Michael L. Shaw
Senior Manager
PricewaterhouseCoopers
1300 K Street, N.W. – Suite 800
Washington, D.C. 20005
(202) 414-1552

[email protected]