Enterprise risk management Risk management for in-house Counsel John Esvelt, National Director of Risk Management Jennifer Halloran, Risk Management Lawyer Dentons Canada LLP November 20, 2013


Our perspective

• Background in Insurance, Business Administration, Risk Management and Policy Drafting

• Civil litigation and arbitration experience

• Worked with insurers and the insurance industry for years

• Currently responsible for the Canada Region Risk Management, Regulatory Compliance, Insurance Programs and Policy Development


Our role

• Identify, measure, eliminate, mitigate and manage risks

• Legal and business risks

• Education programs

• Policies and procedures

• Insurance programs

• Advocacy

• Legal and reputational management


Overview for today

• What is ERM?

• Management Liability Insurance

• D&O Insurance

• Employment Practices Liability (EPL)

• Fiduciary Liability Insurance

• Kidnapping & Ransom Insurance

• Regulatory Compliance

• Growing Risk of Fraud and Information Theft

• Protecting your Company information

• Speed of Risk – Improve your lines of reporting


Today’s enterprise risk management


Enterprise risk management (“ERM”)

• What is ERM?

• Where should ERM live in your organization?
  • General Counsel’s office vs. specific departments responsible for underlying risks
  • Segregate legal risk management from operational risk responsibility


Reporting for success

• Does your reporting system make it easy to report issues?

• Are they reported quickly?

• Does everyone in your organization know who to report things to?

• Can the information get to you quickly enough to react to it?

• Does your reporting beat social media?

• Is your social media policy better understood than internal reporting obligations?


Risk and opportunity

• Taking risks moves businesses forward

• Taking well informed risks allows you to compare the cost of the risk to its return which empowers you to maximize the benefit

• Risks are well informed when you have reliable reporting of both financial and non-financial performance indicators

• Common themes after successful ERM implementation are increased confidence and an improved risk appetite


Management liability insurance

Protection for your senior administration, directors and officers


Insurance protection for management

• Who is protected?
  • Company
  • Directors, Officers, advisory Board Members, operating executives
  • All persons occupying any management or administrative positions
  • Much broader than simple D & O policy

• Insurance policy for senior management and your organization

• Claims made policy


Extensive coverage

• Expansive definition of “Claim” and “Wrongful Act”

• Includes coverage for criminal proceedings and statutory liability

• This is broad coverage


Be aware of the exclusions

• Common exclusions:
  • Bodily injury (Commercial General Liability Policy)
  • Pollution (Commercial General Liability Policy)
  • Employment related wrongful acts (Employment Liability Policy)
  • Liability for obligations relating to employment retirement or pension funds (Fiduciary Liability Policy)
  • Intentional fraudulent acts
  • Breach of contract


Know your risk

• Claims made policy means that a wrongful act which occurred prior to the inception date of the policy will be covered only if management had no knowledge of any claim or alleged wrongful act which may reasonably be expected to give rise to a Claim

• Open reporting procedures


Directors and Officers (“D&O”) liability insurance


Inside D&O insurance

• Covers Directors and Officers of your organization

• Similar to management liability insurance – more restricted

• Insured v. Insured Exclusion


Outside D&O liability insurance

• Who is covered?

• Is this necessary?
  • Do members of your organization sit on outside boards?
  • Is there a connection between your company and the outside organization?
  • Customer service/client relationship
  • Charitable groups and organizations

• Structured as excess insurance


Tailor your policy

• Make sure your policy fits your specific needs
  • i.e. Jurisdictions with compliance officers may require specific policy

• Manage your activities

• Make sure you and your team know the reporting obligations under your Policy


Employment practices liability (“EPL”)

Coverage for employment torts


Employment practices liability insurance

• Provides coverage for “employment torts”

• Who are commonly included as “insured”:
  • Employees;
  • Directors;
  • Officers;
  • Shareholders; and
  • Counsel;
  for acts committed during the term of their employment with insured company.


Protection offered by EPL insurance

• Designed to cover common exclusion in the management liability policy

• What constitutes a “wrongful act” [actual or alleged]:
  • Discrimination of employee or third party
  • Harassment of employee or third party
  • Wrongful termination of employee
  • Workplace torts


“Workplace Torts”

• Definition is usually extensive and includes allegations of:
  • Defamation;
  • Invasion of privacy;
  • Workplace harassment;
  • Libel;
  • Slander;
  • Infliction of emotional distress;
  • Wrongful discipline;
  • Violation of civil rights;
  • Other torts related to employment relationship.


Exclusions from EPL insurance

• Most significant exclusion: contractual claims
  • Wrongful dismissal claims could fall within this exclusion

• Other common exclusions include:
  • Workers compensation claims
  • Losses arising from disability benefits
  • Losses arising from violations of pension legislation or plans
  • Losses associated with strikes and lockouts


Fiduciary liability policy


Fiduciary liability insurance – what is it?

• Covers legal liability arising from claims for alleged failure to prudently act within the meaning of the Employee Retirement Income Security Act, or other employee pension, health and benefit plans

• Designed to provide protection for allegations of:
  • Breach of fiduciary duty
  • Negligence in administration of a plan


Who is covered under a fiduciary liability insurance policy?

• Who is a Fiduciary?
  • Employer (a.k.a. plan sponsor)
  • Officers and directors
  • Plan administrator
  • Pension committee
  • Investment manager
  • Other consultants and advisors within organization (including lawyers)

• Fiduciary responsibilities owed to beneficiaries are distinct from their other role(s) within the organization


Claims under fiduciary liability policy

• Main areas of exposure to loss involve allegations against fiduciaries for loss arising from:
  • Conflict of Interest
  • Administrative errors
  • Improper advice or counsel
  • Misrepresentation
  • Imprudent investment
  • Failure to arrange adequate funding for the plan
  • Denial or change of benefits
  • Incorrect benefit calculation
  • Wrongful termination of the plan
  • Civil rights denial or discrimination


Fiduciary liability policy: General

• Policy is claims based: policy in place at time of claim responds

• Intended to cover third party claims for fiduciary errors and omissions relating to administration of plan

• Notice of circumstances, within policy period, which may give rise to a claim may trigger the activation of the policy if notice is accepted


Kidnapping and ransom insurance


Kidnapping and ransom insurance – what is it?

• Covers legal liability arising from having employees kidnapped. In particular it covers the cost of ransom and the costs of claims made by the employee or their family for any harm resulting from the kidnapping.

• Most good policies will also provide consulting services to help you manage the event if it occurs

• It does not pay the ransom money before the ransom is paid – you must come up with the money first and then make a claim afterwards

• Fairly inexpensive insurance

• Requires you to cooperate with the authorities.


Kidnapping and ransom – repatriation

• K & R policies normally do not cover repatriation.

• All out-of-pocket costs for repatriation or emergency evacuation are normally paid by you – the policy gives you access to expertise and resources

• Issues to consider are where will employees be repatriated to?
  • Local employees vs. visitors


Good travel policies


• Do you have a travel policy?

• Do you know where your employees are?
  • Itinerary
  • Contact numbers
  • Local travel arrangements

• Do you allow travel in the face of travel advisories?
  • Who signs off on this travel?


Regulatory compliance

Effectively working with your professional advisors


Regulatory compliance

• Demonstrable “due diligence”

• Organizations that have a robust ERM program already have the compliance needed for regulators

• Avoid the scramble when the auditor/regulator comes calling


Legal regulatory obligations

• Regulators:
  • Examples: Office of the Privacy Commissioner of Canada, IIROC and FSCO, FINTRAC, FCAC, DICO

• Legislation:
  • Examples: CSOX, Privacy Act of Canada, Provincial Privacy Laws, Securities Acts, etc.


Company and industry specific obligations

• International Organization for Standardization (“ISO”): Designed to achieve consistency across organizations

• Evolving standards

• Industry specific obligations
  • i.e. privacy


Risk management extends to the risks your clients subject you to

• Your clients may subject you to their regulatory compliance obligations
  • Securities compliance
  • Healthcare and personal information/privacy
  • Suppliers may end up agreeing to rules they don’t understand


Educate your professionals

• Reduce risk by informing those who advise you of your various obligations

• You know your business – advisors and professionals need to be educated on the relevance of a particular standard or rule to your specific operations


Global operations – sanctions

• You should be aware of Canadian Trade Sanctions particularly as you expand globally

• Range from obtaining a permit to operate to absolute prohibitions

• Be aware of sanctions in other countries where you operate

Canadian Economic Sanctions
  • Al Qaida and the Taliban
  • Burma / Myanmar
  • Belarus
  • Cote d’Ivoire
  • Democratic Republic of the Congo
  • Eritrea
  • Guinea-Bissau
  • Iran
  • Iraq
  • Lebanon
  • Libya
  • Liberia
  • North Korea
  • Sierra Leone
  • Somalia
  • Sudan
  • Suppression of Terrorism
  • Syria
  • Tunisia and Egypt
  • Zimbabwe


Global Operations: Foreign Corrupt Practices Act (“FCPA”)

• Important that organizations conducting business abroad actively engage in anti-corruption compliance programs

• Programs should include:
  • ethics policy specifically prohibiting actions that violate anti-corruption laws;
  • senior-level oversight of the FCPA compliance program;
  • accounting measures to comply with books, records, and internal controls requirements;
  • senior management review of agent relationships;
  • frequent training of employees, officers, and agents;
  • internal reporting mechanisms permitting secure referral of corruption issues;
  • frequent audits of operations in problematic jurisdictions or sectors of a business; and
  • frequent review and revamping of all FCPA-related policies and procedures


Conflicting requirements

• Ensure that you are not breaching Canadian law in an attempt to comply with foreign regulatory requirements

• Potential for clash:
  • i.e. Privacy rights vs. foreign corrupt practices investigations
  • i.e. Privacy rights vs. diversity initiatives
  • i.e. Financial privacy rights vs. Foreign Account Tax Compliance Act


Protection of your corporate identity and reputation


Corporate identity theft

• Increasing at alarming rates

• Occurs when a person or a group takes on a company’s identity for their own malicious purposes
  • Often so criminals can extract money, data or any other information from the organization in order to profit through illegal means

• We have seen this take place by:
  • Stealing cheque stock
  • Interception of actual cheques
  • Stealing corporate web domains
  • Unauthorized use of company’s identity for improper purposes

• Huge reputational risk


Internal controls to reduce risk

• Proper cheque procedures relating to: ordering, issuing, printing and signing, distribution and replacement.

• Watch for clues:
  • Loss of cheques or cheque stock
  • Suspicious inquiries of your organization
  • Inconsistencies in cheques drawn on your account

• Google Alerts, Twitter and Social Media Monitoring
  • Know what is being written about you online

• Ensure reporting system allows timely and transparent disclosure of suspicious activities


Facebook, Twitter, blogging, texting and email

• What is Social Networking and Online Presence?

• The risks
  • Privacy, caching and archiving

• The blurring between public and private in the professional legal world – social media policies

• Duties to your organization

• Duties to clients: privacy, confidentiality, loyalty, performance

• Legal liability


Social networking - online presence

• Online Presence
  • Is it a person – an extension of yourself
  • Is it property – a collection of data that can be traded for access to services

• Personal Data
  • a property issue about who owns the data and who gets to do things
  • a human rights issue with limits on what can be done with our data

• Most data about you is created by other people


Protecting your company information


Protecting sensitive information

• Recurrent risks for global operations identified by media:
  • Hacking computer systems
  • Information theft

• Is there an increased risk of participating in global market?

• How much has the media exaggerated this problem?
  • Media reports have exaggerated the risk posed by the US government but have under-reported the risks from hackers and the criminal element

• Your outside professional advisors may have your most sensitive information


What you can do to prevent your data from being compromised

• Ensure that when your information is shared with others there are proper controls in place to manage this risk
  • Consider using offsite data rooms provided by specialists
  • Independently audit who has access to sensitive data held with third parties
  • Are your suppliers audited by independent security firms?

• Enforce transparent reporting in your IT group

• Security experts and auditors should report to General Counsel’s office

• Implement and enforce robust data protection policies


Data protection policy

• Consider if it is appropriate to allow employees to store information on USB keys

• Every laptop hard drive should be encrypted

• Are your employees allowed to use social media at work?

• If so, are they properly educated on appropriate use?


Data protection


• Old approach was to be the least attractive target, so if you made your system more secure than others, you reduced your risk

• Now, everyone has outsourced to the cloud, or data centres or simply has the minimum security in place

• New risk is protecting yourself from targeted risks
  • It’s not about being the weakest link; it’s about having the most interesting stuff to steal

• Revisit IT security assumptions that are more than 3 years old


Recognize that risk tolerance is impacted by your age

• As we grow older, we generally become more risk averse

• The failure to use clear language and agree on the common use of terms leads to a disconnect between how risk tolerance is described, communicated and understood within an organization

• Generational differences in the use of language and the starting point for risk tolerance compound this problem


Segregate legal risk management from operational risk responsibility

• Legal issues may not be apparent to operations

• Operations may overly rely on “standard form” without identification of unique risks

• But legal can be overwhelmed by routine legal risks


What to do if information has been compromised

• PLAN:
  • Know your reporting obligations BEFORE you are compromised
  • Know your communication strategy in advance
  • Who are your decision makers?

• Staying ahead of social media requires advanced preparation


Practice questions

• Social Media – Does your internal reporting strategy keep pace with the speed of social media?

• Securities – How can you stay informed to know if you have a material change or material fact that must be disclosed?


Reporting flexibility

People do not report when it is too hard


Risk and opportunity

• Taking risks moves businesses forward

• Taking well informed risks allows you to compare the cost of the risk to its return which empowers you to maximize the benefit

• Risks are well informed when you have reliable reporting of both financial and non-financial performance indicators

• Two common themes after successful ERM implementation are increased confidence and an improved risk appetite


Ultimate accountability

• Regulatory Requirements

• Your staff know about risks that you don’t even know exist

• The slower your turnover the less new innovation and risk awareness have been introduced into your business

• Increased accountability of Directors, Officers, and even Board Members

• Move to risk-based assessments in most industries


Ensure risk management is practical

• Ensure that whenever possible risk management changes fit into the existing business processes

• It must make sense to the people who must follow the process – use training to fill the gap

• Create a common risk language across your company so that everyone speaks about risk the same way

• Risk changes and evolves rapidly – make sure that employees in the front line can easily contribute

• Ensure that everyone understands that improving risk reporting also improves staff engagement levels and enhances relationships with investors, regulators and customers


Lastly - be honest

• Ensure that if you are re-examining policies that you re-examine the drivers behind them. Policies that do not change are likely out of step with the current risks they were intended to manage.

• If your organization has built risk management into performance reviews then make sure success is rewarded and coaching is used when necessary.

• Nothing kills credibility faster than insisting on controls that do not achieve what management says they do.

• If it does not work, fix it, change it or get rid of it.

• When an idea works well, find out why it did and duplicate it.


Thank you

© 2013 Dentons. Dentons is a global legal practice providing client services worldwide through its member firms and affiliates. This publication is not designed to provide legal or other advice and you should not take, or refrain from taking, action based on its content. Please see dentons.com for Legal Notices.

If you have any questions, please contact:

John Esvelt, Dentons Canada LLP, +1 416 863 4406

Jennifer Halloran, Dentons Canada LLP, +1 416 862 3426