How to set up an effective compliance function
Geert Vermeulen, 21 May 2015
Who am I?
• Former Chief Compliance Officer Aon EMEA
• Former Global Head of Compliance Damco
• Director Netherlands Compliance Institute
  • Compliance education, training and events
  • Compliance consultancy
  • External Compliance Officers
  • Interim Compliance Professionals and Recruitment
  • Publisher
• Acting President VCO
Question
Who are you?
• Export controls manager/advisor
• Legal Counsel
• Chief (Ethics and) Compliance Officer/Head of Compliance
• Consultant/Service provider
• Operations/operational management
• Other
Content
• Three lines of defense model
• History of the compliance function
• Elements of an effective ethics and compliance program
• Integrated approach
• Compliance 1.0 vs. Compliance 2.0
• Centralized or decentralized approach: 2 case studies
Question
In your company, does compliance report into:
• Legal
• Audit
• Risk
• CFO
• COO
• CEO
• Other
Governance/three lines of defence (diagram)
• Board
• 1st line of defence: The business
• 2nd line of defence: Risk Management, Compliance
• 3rd line of defence: Audit
• Legal (shown alongside the three lines)
Three lines of defense
• Management: responsible for compliance
• Compliance: responsible for compliance activities (prevent and help solve problems)
• Audit: independent check in respect of compliance (independent check and detection)

4th and 5th line of defense
• External Auditor
• Supervisor
Historical development:
• Compliance arose out of the Legal department, or
• Compliance originated from the Audit department
=> conflicts with the 3 lines of defense model
• Compliance part of Legal?
• Compliance has matured over the last 10 – 15 years.
• If you want to prevent problems, it is not sufficient to just follow the law. You also need to think about ethics & controls.
• From the 2009 Pfizer $2.3 billion settlement (which separated compliance from legal):
  “The lawyers tell you whether you can do something, and compliance tells you whether you should. We think upper management should hear both arguments.”
Reporting line of the Chief Compliance Officer (CCO)
• General Counsel: legal view can differ from ethical perspective
• Audit: potential COI
• Chief Risk (& Compliance) Officer => COSO ERM model
• CFO/COO
• Chief Strategy Officer
• CEO (Barclays, pharma, Ballast Nedam, SBM Offshore)
• Combination of CEO and (audit committee of) non-executive Board
Source: SCCE/NYSE Governance Services 2014
Chief Compliance Officer:
• Should be independent, empowered and close to the C-level (seat at the table)
• Compliance 2.0 – Donna Boehme
• Compliance Charter describing the duties, responsibilities and authority of compliance (governance model)
• ISO 19600:2014 standard (ISO CD 37001 ABC coming up)
• OECD: Good practice guidance on internal controls/ethics/compliance 2010
• Bureau of Industry and Security (BIS) 9 principles
• Aerospace & Defence industry: European common industry standards 2007
• UK Bribery Act 2010/guidance on adequate procedures
• US Federal Sentencing Guidelines / FCPA Resource Guide
• Handbook Compliance Professional NCI
• Roland: The 7 principles
• All come down to the same
Effective Ethics & Compliance Program (diagram of elements)
• Leadership
• Risk Analysis
• Policies & Procedures
• Communication & Training
• Responding to allegations
• Evaluation and Reporting
• Monitoring & Auditing
• Incentives & Discipline
• Culture & Behavior
Coordinated Internal Approach
• Management: Strategy, leadership, compliance reporting
• HR: Culture and behavior, hiring practices, training, discipline
• Legal: Legal advice, compliance clauses, legal privilege
• Risk: Risk assessment, risk analysis, risk mitigation plans
• Marketing & Coms: Communication, sponsorships, events
• Finance: Internal (payment) controls
• IT: System controls/screening/systems design/data privacy
• Sustainability: Due diligence on supply chain
• Audit: Risk assessment, train auditors, solve findings, conduct investigations
Ethics & Compliance Officer needs to:
• Know about the law
• Know the business/the products or services
• Be able to conduct a risk assessment
• Lead projects
• Be able to implement requirements/controls into existing processes
• Have a feeling for IT
• Be able to lead an investigation
Ethics & Compliance Officer needs to:
• Listen (to complaints)
• Convince people
• Be a communicator, orally and in writing
• Be a trainer
• Be an anthropologist
• Know about ethics and behavior
• Have courage
• Be close to the C-suite
Compliance Officer 1.0
You have to comply with the law
Ethics & Compliance Officer 2.0
Question
In your company:
• Do you have Compliance 1.0?
• Do you have Compliance 2.0?
Question
What is your personal view:
• Do you prefer Compliance 1.0?
• Do you prefer Compliance 2.0?
Central vs decentral approach
Example:
Screening of business partners (clients, suppliers, employees, etc.) against watchlists, PEP lists, etc.
Central vs decentral approach
Company 1
- Over 150 local systems in 60 countries
- Lots of (sensitive) personal data/complicated to transfer
- Professional compliance officers in each country
- Local screening
- Countries obliged to send in monthly screening statistics
Central vs decentral approach
Company 2
- Basically one central back-office/finance system for 90 countries
- Hardly any personal data
- Not every country has a professional compliance officer
- Central screening by a service team in India
- Escalate difficult cases to the compliance team
Question
Regarding watchlist screening:
- Do you conduct screening centrally?
- Do you conduct screening decentrally?
Conclusion
- How you organize compliance depends on the specific characteristics of your organization
- No one-size-fits-all approach; you need to tailor the compliance program to your organization