How to set up an effective compliance function Geert Vermeulen, 21 May 2015


Source: info.amberroad.com/rs/665-BWT-776/images/Geert Vermeulen.pdf



Who am I?

Former Chief Compliance Officer Aon EMEA
Former Global Head of Compliance Damco
Director Netherlands Compliance Institute

• Compliance education, training and events
• Compliance consultancy
• External Compliance Officers
• Interim Compliance Professionals and Recruitment
• Publisher

Acting President VCO


Question

Who are you?

• Export controls manager/advisor
• Legal Counsel
• Chief (Ethics and) Compliance Officer/Head of Compliance
• Consultant/Service provider
• Operations/operational management
• Other


Content

• Three lines of defense model
• History of the compliance function
• Elements of an effective ethics and compliance program
• Integrated approach
• Compliance 1.0 vs. Compliance 2.0
• Centralized or decentralized approach – 2 case studies


Question

In your company, does compliance report into:

• Legal
• Audit
• Risk
• CFO
• COO
• CEO
• Other


Governance/three lines of defence

[Diagram. Labels: Board; The business; Risk Management; Compliance; Legal; Audit; 1st line of defence; 2nd line of defence; 3rd line of defence]


Three lines of defense

• Management: responsible for compliance
• Compliance: responsible for compliance activities (prevent and help solve problems)
• Audit: independent check in respect of compliance (independent check and detection)

4th and 5th line of defense

• External Auditor
• Supervisor


Historical development:

• Compliance arose out of the Legal department or
• Compliance originated from the Audit department

=> conflicts with 3 lines of defense model


• Compliance part of Legal?
• Compliance has matured over the last 10 – 15 years.
• If you want to prevent problems, it is not sufficient to just follow the law. You also need to think about ethics & controls
• From the 2009 Pfizer $2.3 billion settlement (which separated compliance from legal):

  • “The lawyers tell you whether you can do something, and compliance tells you whether you should. We think upper management should hear both arguments.”


Reporting line of the Chief Compliance Officer (CCO)

• General Counsel: legal view vs. ethical perspective
• Audit: potential COI
• Chief Risk (& Compliance) Officer => COSO ERM model


Reporting line of the Chief Compliance Officer (CCO)

• General Counsel: legal view can differ from ethical perspective
• Audit: potential COI
• Chief Risk (& Compliance) Officer => COSO ERM model
• CFO/COO
• Chief Strategy Officer
• CEO (Barclays, pharma, Ballast Nedam, SBM Offshore)
• Combination of CEO and (audit committee of) non-executive Board


Source: SCCE/NYSE Governance Services 2014


Chief Compliance Officer:

• Should be independent, empowered and close to the C-level (seat at the table)
• Compliance 2.0 – Donna Boehme
• Compliance Charter describing the duties, responsibilities, authority of compliance (governance model)


• ISO 19600:2014 standard (ISO CD 37001 ABC coming up)
• OECD: Good practice guidance on internal controls/ethics/compliance 2010
• Bureau of Industry and Security (BIS) 9 principles
• Aerospace & Defence industry: European common industry standards 2007
• UK Bribery Act 2010/guidance on adequate procedures
• US Federal Sentencing Guidelines / FCPA Resource Guide
• Handbook Compliance Professional NCI
• Roland: The 7 principles
• All come down to the same


Effective Ethics & Compliance Program

• Leadership
• Risk Analysis
• Policies & Procedures
• Communication & Training
• Responding to allegations
• Evaluation and Reporting
• Monitoring & Auditing
• Incentives & Discipline
• Culture & Behavior


Coordinated Internal Approach

• Management: Strategy, leadership, compliance reporting
• HR: Culture and behavior, hiring practices, training, discipline
• Legal: Legal advice, compliance clauses, legal privilege
• Risk: Risk assessment, risk analysis, risk mitigation plans
• Marketing & Coms: Communication, sponsorships, events
• Finance: Internal (payment) controls
• IT: system controls/screening/systems design/data privacy
• Sustainability: due diligence on supply chain
• Audit: Risk assessment, train auditors, solve findings, conduct investigations


Ethics & Compliance Officer needs to:

• Know about the law
• Know the business/the products or services
• Be able to conduct a risk assessment
• Lead projects
• Be able to implement requirements/controls into existing processes
• Have a feeling for IT
• Be able to lead an investigation


Ethics & Compliance Officer needs to:

• Listen (to complaints)
• Convince people
• Be a communicator, orally and in writing
• Be a trainer
• Be an anthropologist
• Know about ethics and behavior
• Have courage
• Be close to the C-suite


Compliance Officer 1.0

You have to comply with the law


Ethics & Compliance Officer 2.0



Question

In your company:

• Do you have Compliance 1.0?
• Do you have Compliance 2.0?


Question

What is your personal view:

• Do you prefer Compliance 1.0?
• Do you prefer Compliance 2.0?


Central vs decentral approach

Example:

Screening of business partners (clients, suppliers, employees, etc.) against the watchlists, PEP lists, etc.


Company 1

- Over 150 local systems in 60 countries
- Lots of (sensitive) personal data/complicated to transfer
- Professional compliance officers in each country
- Local screening
- Countries obliged to send in monthly screening statistics


Company 2

- Basically one central backoffice/finance system for 90 countries
- Hardly any personal data
- Not every country has a professional compliance officer
- Central screening by a service team in India
- Escalate difficult cases to the compliance team


Question

Regarding watchlist screening:

- Do you conduct screening centrally?
- Do you conduct screening decentrally?


Conclusion

- How you organize compliance depends on the specific characteristics of your organization
- No one-size-fits-all approach; you need to tailor the compliance program to your organization
