Compliance360 SCCE Master


Society of Corporate Compliance and Ethics

6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States

www.corporatecompliance.org | +1 952 933 4977 or 888 277 4977

Understanding and Optimizing Legal & Regulatory Risk Management

SPEAKER: Steve McGraw

Compliance 360, Inc.,

President & CEO


Agenda

• Credits

• Overview of ERM

• Legal and Regulatory

– Definition

– Issues

• Solution Examples

• Best Practices

• Recommendations


Credits

• Mark S. Beasley, PhD, CPA, Director, Enterprise Risk Management Initiative; Board Member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)

• Dana R. Hermanson, Ph.D., Dinos Eminent Scholar Chair of Private Enterprise, Professor of Accounting at Kennesaw State University

• Customers


ERM – An Overview of the Basics

By definition:

o ERM is a process,

o effected by an entity’s board of directors, management, and other personnel,

o applied in strategy setting and across the enterprise,

o designed to identify potential events that may affect the entity,

o manage risks to be within its risk appetite,

o to provide reasonable assurance regarding the achievement of entity objectives.

Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see www.coso.org)

ERM Technology

• Risk Appetite / Risk Tolerance

• “Enterprise” – not just selected “silos of risk”

• A “process” that is ongoing, living & systematic

• Consideration of risks on “portfolio” basis

• Heavily integrated with business strategy

• Focus is on coordinated program for identification, measurement, assessment, and response to risks primarily across 2 dimensions

– Probability (Likelihood)

– Criticality (Consequence/Impact)

• Key part of entity’s corporate governance

• Responsibility of senior management and board

• Pushed down to key business segment management


ERM Directly Links to Corporate Governance

[Diagram: Governance over two aspects of the entity: 1) Leadership in Strategic Performance and 2) Objective Oversight of Management. Enterprise Risk Management sits at the centre, linked to the Board of Directors, Audit Committee, Management, Internal Auditors, External Auditors, Regulators, Congress and the Legal System.]

Traditional Risk Management Approach

[Diagram: “Silo” or “Stove-Pipe” Risk Management, with each risk area managed separately: Legal/Reg. Risks, Operations Risks, Finance Risks, IT Risks, Strategic Market Risks, Geo-Political Risks, Weather/Environment Risks.]

Traditional Risk Management Approach

[Diagram: Enterprise Focus on Risks, with the same risk areas (Legal/Reg., Operations, Finance, IT, Strategic Market, Geo-Political, Weather/Environment) arranged around a common centre, Valuation Creation and Preservation.]

What is Legal & Regulatory Risk?

Definition: Risks associated with the uncertainty of violating laws or regulations.

NEGATIVE: Risk that the company may INTENTIONALLY or UNINTENTIONALLY violate a law, contract, or regulatory provision and face potential litigation, which could lead to cash loss and could impact the enterprise by triggering other risks such as reputation loss, customer backlash, employee embarrassment, etc.

POSITIVE: The company may be the beneficiary of legal or regulatory risk if another party is the violator (e.g. contract violation) and the company is able to successfully sue.

THUS, LEGAL/REG RISK COULD BE BOTH POSITIVE AND NEGATIVE (BUT MOSTLY NEGATIVE)

Major Issues Associated with L&R Risk

• Exposure to fines by regulatory agencies

• Significant workload for legal & regulatory staff

• Being blindsided by newly enacted laws and new regulatory trends

• My competitor’s problem could be my problem

• Managing legal & regulatory risk outside the legal & regulatory department

• “HUGE” uncertainty as to what may trigger it. (What might be deemed “LEGAL” today might be deemed “ILLEGAL” tomorrow as the culture shifts over time.)

Legal and Regulatory Risk Leakage Example

[Diagram: Enterprise Focus on Risks (Legal/Reg., Operations, Finance, IT, Strategic Market, Geo-Political and Weather/Environment risks around Valuation Creation and Preservation), showing a legal/regulatory risk leaking into other areas: Privacy laws → Data Breach → Brand Erosion.]

Legal and Regulatory Risk Leakage Example

[Diagram: Enterprise Focus on Risks (Legal/Reg., Operations, Finance, IT, Strategic Market, Geo-Political and Weather/Environment risks around Valuation Creation and Preservation), showing a second leakage path: Local Ordinances → Delayed Store Openings → Brand Erosion and Municipal Fines.]

Recent High Profile Example #1: Mattel

Recent High Profile Example #1: Mattel – Negative Press

Recent High Profile Example #1: Mattel Earnings Press Release

Recent High Profile Example #1: Mattel Stock Price Chart

Recent High Profile Example #2: Regulatory Risk | AMERIGROUP

[Slide image annotated “Verdict Announced” and “Settlement”.]

Major Components of Legal & Regulatory Risk


1. Early Warning System

Legislative and regulatory notification and awareness:

• notification of newly proposed law

• notification of newly enacted law

• notification of newly proposed regulations

• notification of final regulations

• notification of regulatory enforcement actions

• alerting of news and announcements by political figures, agency heads and other influential public figures

2. Risk-Based Impact Assessment

Assess the company’s impact with a risk-based approach:

• A knowledge base of all applicable laws and regulations

• The current legal interpretation

• A repository of previous opinions

• The responsible party(ies) for implementing changes

• The impact to your Enterprise Risk Framework (ERM)

3. Change / Project Management

Make sure to have an automated, consistent management process for Legal & Regulatory Risk:

1. Legal and/or compliance personnel are alerted to an issue

2. The issue is documented and tracked electronically

3. Management in legal rank-orders the issue by risk classification

4. Legal and compliance agree on the risk and the controls implementation

5. Compliance reviews (tests) the Policies & Procedures and controls for each issue

6. Compliance determines whether the testing of the controls is effective

7. Compliance works with the business owners to educate and manage the compliance process at the business unit level

8. Results from the controls testing and other processes are reported to the ERM

4. Controls Monitoring

Monitor and test controls on a regular basis:

• Independence

• Testing Frequency

• Testing Failures

– What to do next?

• Document

Process Flow

[Diagram: New Issue → Alert Legal → Document Issue → Review Current Policies & Controls; Legal and Compliance perform Risk Ranking and Control Testing; Government Affairs handles Legislative Influence; results are communicated to Business Owners.]

Organizational

[Diagram: Alert Legal → Issue Category? → routed to the responsible area (Privacy, BSA/USA PA, Eastern States, Western States, Compliance); Government Affairs handles Legislative Influence; Communicate To Business Owners.]

Additional Recommendations

• Ensure strong legal counsel

• If you are in a highly regulated industry, e.g. Insurance or Pharmaceutical, have a dedicated resource monitoring regulations

• Keep data on "INCIDENCES" that might lead to risks. Monitor whether any ultimately lead to litigation/settlement. (Example: Retail stores track customer injuries so they can estimate the percentage of incidents that lead to litigation.)

• Be proactive in anticipating potential drivers of legal risk: look for factors that drive change, such as a new political appointee or increased scrutiny in adjacent markets, and then respond to those risks proactively

THANK YOU!

Contact Information: Steve McGraw

Chief Executive Officer

Compliance 360, Inc.

678.992.0262

[email protected]