How to Assess and Mitigate the Risk of Misconduct Occurring and Not Being Reported
Presented by:
Chip Jones
Kathy Cooper Franklin
Brad Siciliano
October 15, 2012
Earl M. “Chip” Jones, III, Littler Mendelson, P.C., Dallas Office, (214) [email protected]
Katherine Cooper Franklin, Littler Mendelson, P.C., Seattle Office, (206) [email protected]
Bradley Siciliano, Littler Mendelson, P.C., New York Office, (212) [email protected]
Littler at a Glance
• Littler is the world's largest law firm exclusively devoted to representing management in employment and labor law matters.
• Compliance and Ethics Practice Group
– Investigations
– Designing incident management systems
– Program Development and Evaluation
– Analyzing Risk
– Policy and Procedure Development
– Training and Education
– Legal research
WHY WORRY ABOUT UNREPORTED MISCONDUCT MORE TODAY?
Enterprise Risk Management
In the Wake of Recent Corporate Scandal…
“In today’s regulatory environment, it’s virtually impossible to violate the rules. ...it’s impossible for a violation to go undetected, certainly not for a considerable period of time.”
— Bernie Madoff, 2007
Employee Mistrust of Management: Survey Says…
• 2011 Maritz Employee Engagement Survey finds:
– 25% of employees report less trust in management than 2010
– Only 10% say they trust management to make the right decision in times of uncertainty
– Only 14% believe their company’s leaders are ethical and honest
– Only 7% believe senior management’s actions are consistent with their words
The Disconnect
“Senior Executives consistently have a higher perception of their companies’ culture than other employees”
Compliance & Ethics Leadership Council, August 2011
The Whistleblower: Who, Where and Why?
• In 2011, 45% of U.S. employees said they had observed misconduct in the previous 12 months
– Approximately two‐thirds of those who observed misconduct reported it
• Eighteen percent of employees who report misconduct ever choose to report externally (i.e., either initially or as a subsequent report)
– Of those who report externally, 84% said they did so only after trying to report internally first
• Seventy‐two percent of employees who believe their companies reward ethical conduct chose to report misconduct
– Only 57% of employees who did not see ethical conduct rewarded in their company chose to report
2012: The Year of the Bounty Hunter
WHAT IS ENTERPRISE RISK MANAGEMENT?
Enterprise Risk Management
How to Succeed
The underlying premise of ERM is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.
ERM – Integrated Framework, COSO, Sept. 1994.
Competitive strategy is “a combination of the ends (goals) for which the firm is striving and the means (policies) by which it is seeking to get there.”
“What is Strategy?” Michael Porter, Harvard Business Review, 1996
Choose a Framework
A process ... applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of objectives.
ERM – Integrated Framework, COSO, Sept. 1994.
• Deloitte
• ISO 31000
• COSO
Or Create Your Own
Financial
Reputation
Go to Jail
Measure
Assess
Prioritize
Federal Sentencing Guideline Assessment
Operational
Strategic Risks
Define Your Risk Appetite
• Tier 1: Provide resources to mitigate and/or install internal controls
• Tier 2: Identified improvements can be made with existing resources
• Tier 3: Risks are tolerable but will manage risks with a continuous improvement focus
Make It a System
Risk Council
Executive Team
Audit Committee
Annual Initiatives
Results and Plans
Council meets 2‐4 times per year to update risk inventory and radar, review status reports, and discuss emerging risks. Council updates Executive Team as necessary but at least once per year.
Chief compliance officer updates Audit Committee each quarter on KPIs and Tier 1 activities and annually on FSG self assessment.
Compliance objectives built into annual performance management plans
Measure performance consistent with the way business success is measured
Risk Council absorbs results of operations, new strategic plans, industry events, etc. to annually refresh risk inventory, radar, and mitigation plans.
How Does It Work?
BUSINESS OBJECTIVE: RISK
• Expand to Eastern Europe: Corruption
• Accurate financial forecasts: Pre‐booking revenue
• Lower cost of debt: Rate‐fixing (LIBOR)
Pre‐Booking Sales
• Culture: Sales quota and month‐over‐month growth driven organization with senior management led by former sales people.
• Incentives: Compensation heavily tied to hitting monthly sales targets. Compensation not impacted by returns, chargebacks or aged receivables.
• Reporting: Silo‐ed reporting structure through each department’s management.
• Testing: High level review of aggregate numbers as part of the audit process.
• Controls: Credit department monitors accounts receivable aging and credit lines. Sales department manages returns.
• Policy: General policy language but no detailed procedures
• Autonomy: Sales manager only approval needed if product is available and order is within customer’s credit line.
• Harm: Inflated bonuses and commissions; misrepresent company performance; excess returns; customer annoyance; inaccurate forecasts.
• History: None
• Training: None
Corruption
• Culture: New markets have reputation for corruption
• Incentives: Company is making a big investment to expand in high risk countries
• Reporting: Speaking up is discouraged
• Testing: None
• Controls: Facilitation payments permitted and no legal review required
• Policy: General policy language but no detailed procedures
• Autonomy: Additional research and investigation required.
• Harm: Severe criminal penalties and sanctions
• History: None identified inside the organization
• Training: Ineffective “check the box” training
Interest Rate Setting (LIBOR)
• Culture: Extremely competitive.
• Incentives: Could impact equity‐based compensation.
• Reporting: Several claims of retaliation have been made
• Testing: None
• Controls: None
• Policy: No policy related to the submission of data.
• Autonomy: We have only 1 seat on 16 member committee that submits rates.
• Harm: Harm would be significant if other banks colluded in submitting data.
• History: Recent mortgage loan crisis demonstrated excessive risk taking
• Training: None
Risk Inventory
[Chart axes: Severity, Likelihood]
Tier 1
1. Misconduct Not Being Reported
2. Risk B
3. Risk C
Tier 2
1. Pre‐booking revenue
2. FCPA Violations
3. Sharing data with peers
Tier 3
4. Risk X
5. Risk Y
6. Risk Z
Step One: Know Your Risk Profile
What Happens When Key People Are Unaware of the Risk Profile
Step Two: Mitigate the Risk: Establish Reporting and Incident Management System
Internal Reports of Misconduct: Who, Where and Why?
• In 2011, 45% of U.S. employees said they had observed misconduct in the previous 12 months
– Approximately two‐thirds of those who observed misconduct reported it
• Eighteen percent of employees who report misconduct ever choose to report externally (i.e., either initially or as a subsequent report)
– Of those who report externally, 84% said they did so only after trying to report internally first
• Seventy‐two percent of employees who believe their companies reward ethical conduct chose to report misconduct
– Only 57% of employees who did not see ethical conduct rewarded in their company chose to report
Supervisors Receive Majority of 1st Reports
56% Your Supervisor
26% Higher Management
6% Other
5% Hotline/Help Line
5% Other Responsible Person Including Ethics Officer
3% Someone Outside Your Company
1. Effective Report and Intake Procedures
2. Speak up training for manager & employees
3. Notification protocol
4. Effective investigation protocol – including training for investigators
5. Effective remedial measures and appropriate way to track and communicate discipline before it occurs
6. Reporting and Communication
Step Three: Mitigate the Risk: Internal Controls, Testing and Auditing
Pre Booking Sales
• Separation of Duties
• Purchase Order:
– Follow sales transaction end to end.
• Return Authorizations:
– Work backwards
• Bills of Lading
– 3 days before the end of the close
• Credit
– Aging Reports
– Extending credit terms
Anti‐corruption
• Expense Reports
• Foreign Consultant/Supplier Contracts
• Due Diligence
• Background Checks
• Recent Hires
• Marketing Expenditures
• Intercompany Transfers
• Accounts Payable
• Compliance Certifications
“LIBOR” Situations
• Understand the process
• Clear policy and procedures
• Fiduciary disclosures
– Trade group involvement
– Industry “best practice” projects
– Multi‐employer situations
• Email & communication reviews
• Establish firewalls
Step Four: Mitigate the Risk: Make Culture a Strategic Priority
How Do You Deal With This Behavior?
Assess Your Culture
• Cultural surveys
• Benchmark reporting
• Exit interviews
• Conduct a program review
• Determine stakeholder communication preferences and expectations
• Identify opportunities to drive program awareness: training, communication and internal marketing
Train Managers to Encourage “Speaking Up” by…
• Welcoming the complaint or report (with words and body language)
• Break down hierarchical reporting habits
• Taking the time to listen
• Active listening, asking questions
• Showing the employee they care
• Understanding of importance of contacting compliance immediately
• Letting the employee know what is going to happen and that you will follow up with the employee
• Being professional, respectful, and thankful
• Retaliation will not be tolerated
Reporting Rates Rise When Ethical Commitment is Perceived to be Stronger
[Chart comparing reporting rates: Weak or Weak‐Leaning Ethical Culture vs. Strong or Strong‐Leaning Ethical Culture]
A Conversation About Culture
• Some CEOs, execs and Board Members hate the word
• The language and branding shift away from compliance and toward integrity / “doing the right thing”; sell the vision
• Explicit and concrete examples help:
– Responsibility or rules ‐ Will people take personal responsibility to address issues, or is it the job of somebody else?
– Candor or quiet ‐ Will people speak up if they see questionable business conduct?
– Accountability or acquiescence ‐ What happens to great performers who violate the Code?
The Training Value Proposition
Catch misconduct early
Empower potential reporters and give them an alternative to the government
Send the employer’s message
Help create an ethical culture
Establish legal defenses
The Training Trend
• Post Dodd‐Frank, increased employee communication and training is expected by 74% of respondents ‐ 83% at publicly traded companies
• Increased manager communication and training about handling allegations of wrongdoing is expected by 66% of respondents ‐ 72% at publicly traded companies
Survey, Society for Corporate Compliance and Ethics (SCCE) and Health Care Compliance Association (HCCA), July 2011
Solutions
• Policies
– Not just stand alone
– Not cookie cutter
– Not tucked away
• Training
– Not just a one time event
– Don’t limit to ethics training
– Work on solving problems in your actual environment, not whether a situation violates the policy
– Practice ethical response – project yourself
– Require thinking about how decisions are really made
Questions?
How to Assess and Mitigate the Risk of Misconduct Occurring and Not Being Reported
Earl M. “Chip” Jones, III, Littler Mendelson, P.C., Dallas Office, (214) 880-8115
Katherine Cooper Franklin, Littler Mendelson, P.C., Seattle Office, (206) 381-4900
Bradley Siciliano, Littler Mendelson, P.C., New York Office, (212) 471-4478