Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 0
Steps to an Effective Compliance Programme
Presented by Randy Stephens | Vice President, NAVEX Global
Randall (Randy) Stephens Vice President, NAVEX Global
Randy Stephens is a Vice President with NAVEX Global’s Advisory Services team. A lawyer and compliance specialist, Randy has worked in roles with legal and compliance responsibility for over 30 years. Clients engaged Randy to train employees or conduct culture, risk and programme assessments in Japan, China, Australia, United Arab Emirates, Saudi Arabia, Kuwait, Jordan, Qatar, Romania, Serbia, Switzerland, Italy, the UK and Canada while also working with clients with offices and operations throughout the U.S. and around the world. Randy has significant in-house experience leading compliance programmes and working for some of the largest and most diverse public and private corporations in the United States, e.g. Home Depot, Family Dollar and US Foods.
He is the author of numerous compliance related articles and commentary and is regularly featured or quoted as a compliance expert in press and publications. In 2017 Randy was named by JD Supra as #3 of the Top Ten Compliance Authors for 2016 based on readers’ choice.
He joined NAVEX Global’s Advisory Services team in 2012.
Presented By
Chris Morton
Agenda
• Effectiveness Standards
• Review of the Elements to an Effective E&C Programme
• Third Parties
• Monitoring and Measuring Effectiveness of the Programme
• Takeaways
Effectiveness Standards
Many Models – How do you choose?
Four Important Factors When Assessing Effectiveness
1. Does the compliance programme demonstrate thoughtful design?
2. How operational is the programme (not a paper-based programme)?
3. How well do stakeholders communicate with each other?
4. How well is the programme resourced?
A Partial Timeline: Ethics & Compliance Effectiveness Models
[Timeline figure. Entries shown: US FSGO; COSO Risk Model; US SOX; FSGO Revision & World Bank Group Integrity Guidelines; Dodd-Frank & FSGO Revision; UK Bribery Act & ISO 19600; COSO Revision & FCPA Guidance; ISO 37001; Sapin II, Netherlands & DOJ Guidance. Years on the axis: 1991, 1992, 2004, 2010, 2011, 2012, 2013, 2016, 2017.]
The Essentials
Many Models – How do you choose?
What effectiveness component is your weakest link?
Elements of an Effective Compliance Programme
All based on a Risk Assessment and applicable standards for your industry, organisation and risk tolerance
• Leadership and oversight of the programme with appropriate resources and authorities
− Deny leadership to people who have engaged in misconduct
• Standards and procedures
• Communications on standards and procedures of compliance programme
• Training that is relevant and effective
• Monitor and audit
• HR alignment with incentives and discipline
• Reporting and timely responses to allegations and modify programme
• Culture
Oversight, Structure & Leadership
• Programme oversight responsibilities codified in governance committee charter
• Knowledgeable about programme operation
• Conducts oversight of programme effectiveness
• Accessible and holds executive sessions with those managing the programme
• Receives timely reports of significant issues
• Assigns adequate resources to programme
Common Practice | Best Practice
Board | Leadership | Structure
• Responsibilities under E&C programme understood by directors to employees
• Person in charge of programme has clout
• High level person and person with day-to-day activities manage programme with a defined relationship to the board
• Management ethics committee gets information from managers and gives practical programme input
• Programme applies to third-party partners
• Individuals/committees deploy programme initiatives regionally/locally, as needed
• Programme integrated with business operations
• Management ethics committee charters/procedures
• Senior leadership understands/exercises responsibility to sustain culture of compliance and integrity
Standards & Procedures
• Code in readable language and includes links to applicable policies, reporting processes, responsibilities of employees and managers, and conduct standards for high risk areas
• Standards for third parties
• Schedule periodic review of code and policies
• Good accessibility to the code, policies and procedures
• Document retention programme including E&C documents
• Policy development and dissemination process
• Current policies to address high-medium risks
• Code update at least every 3-4 years
Common Practice | Best Practice
Training & Communications
• Role relevant education
• Board and leadership training (not just briefing)
• Assess effectiveness of education efforts
• Sanitised cases and lessons learned
• E&C education tied to risk assessment
• Manager awareness of responsibilities and how to respond to issues
• Leadership messaging
• Multiyear education plan including various methods and formats
• Tracking of completion
Common / Effective Practice | Best Practice
Reporting & Response
• Case closure times average < 30 days
• Policies/procedures for assigning, conducting and overseeing investigations
• Tracking corrective actions for consistency
• Focus on root cause analysis and related programme improvements
• Data tracking, trending and reporting to leadership and the board
• Confidential and anonymous system for reporting E&C questions and concerns
• Employees understand reporting process and are encouraged to speak up
• Report escalation policy or process
• Non-retaliation policy is enforced
• Incident management system that allows tracking and reporting of statistics
Common / Effective Practice | Best Practice
What is your top compliance programme objective?
Culture
• Alignment of varying cultures within an organisation
• Management of pressure to reach goals
• All staff held equally accountable
• Employees have heard and believe compliance messages
• Trust in compliance processes and systems
• Low fear of retaliation
Common / Effective Practice | Best Practice
Culture trumps compliance and culture is what happens “when no one is looking”
Top Ethics & Compliance Programme Objectives
Culture tops the list again with prevention cited better than cure
Third Parties
Are your third parties putting you at risk?
Why are Third Parties a Concern?
• Third Party (“3P”) Risk Management Growth
• Globalisation
- OECD Foreign Bribery Report (2014) confirmed that intermediaries pose the single greatest bribery risk for companies, concluding that 75 percent of foreign bribery schemes are executed through an agent or other third party
- Increased use of 3Ps
- Agent or 3P liability
- Growing 3P enforcement
• Karen Brockmeyer, former Chief of SEC’s FCPA Unit, “Over 70% of FCPA investigations involve the actions of 3Ps”
30 percent of the 3P survey respondents indicated they would increase the use of third parties in the coming 12 months. Only 6% will reduce current relationships. (2016 NAVEX 3P survey)
Measuring Effectiveness
How do you measure what works and why?
How do you measure compliance programme effectiveness?
Top Ethics & Compliance Programme Challenges
Measuring performance, lack of staffing and managing regulatory jurisdictions
Measuring & Monitoring E&C Programme Effectiveness
Capturing metrics is a first step to measure & improve programme effectiveness
Effectiveness Measurement is a Process
TELL THE STORY: Report on outcomes and action plans to key audiences
• Begin With The End In Mind: Define Effectiveness
• Determine What Metrics You Should Use
• Identify Possible Barriers
• Do The Work: Measure, Evaluate & Create Plan
IDENTIFY YOUR GOALS
Examples of Effectiveness Goals
• Drive awareness of E&C expectations/requirements
• Change behaviours around particular issues (bribery, retaliation, etc.)
• Assess strength of risk controls
• Evaluate programme resources
• Ensure compliance with policies and the law
• Identify education needs and impacts
• Measure the impact of programme on culture
• Set priorities and develop work plan
• Demonstrate progress
• Defending your organisation against key financial, reputational risks (bribery & corruption, etc.)
Takeaways & Conclusions
Plan and execute
Key Takeaways
Conclusion & Recommendations
• Try to address a few key areas at a time: don’t try to do too much
• If you don’t have the right culture, no programme changes will work
• Understand it is not all about metrics
• Don’t just check off the steps - it’s about how you identify and manage the biggest gaps between risk and current mitigation
• Culture and good risk management are what matter most
• Credible communications with leadership will help make the case
Questions?
Thank You