how to start a compliance program
CREATING AN EFFECTIVE COMPLIANCE PROGRAM
SCCE UTILITIES & ENERGY CONFERENCE
Houston, Texas
February 22, 2015
Carolyn S. Egbert
Creative Solutions for Executives
INTRODUCTION
It’s your first day on the job -
What do you do?
Where do you start?
FIRST – SOME FACTS TO CONSIDER
According to the National Business Ethics Survey* (“NBES”):
• Observed misconduct decreased by 14% since 2007;
• Fewer employees felt pressure to compromise their standards – down by 4%;
Why?
• Strong ethics and compliance programs bearing fruit?
• or, employees take fewer risks when the economy is weak or uncertain, given the economic state since 2008?
*Ethics Resource Center, 2013 survey of 6420 employees.
FIRST – SOME FACTS TO CONSIDER (cont’d)
According to the NBES:*
• A relatively high percentage of misconduct is committed by managers (60% of reports involved supervisors to top management);
• 26% of reported misconduct ongoing at time of survey;
• Reporting misconduct has stalled;
• Retaliation continues as a widespread problem.
*Ethics Resource Center, 2013 survey of 6420 employees.
WHY HAVE A COMPLIANCE PROGRAM?
1. Fulfill fiduciary, legal and regulatory duties and requirements.
2. Understand risks and potential exposures.
3. Effective risk management and reputation protection.
4. Create and engender a values-based, ethical culture that defines who you are and how you do business.
THE COST OF MISCONDUCT
Direct costs:
• Regulatory fines: In 2013, the DOJ levied $8B in fines for civil and criminal actions; the SEC levied a record $3.4B in enforcement sanctions.
• Other penalties, including imprisonment.
Indirect costs:
• Loss of customers
• Loss of competitive standing
• Loss of investor confidence
• Lack of trust in management
• Loss of top quality talent
FEDERAL SENTENCING GUIDELINES (“FSG”)
In 1991, the Federal Sentencing Commission established the standards for an effective compliance program at FSG §8B2.1(a)(2):
“To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall – (1) exercise due diligence to prevent and detect criminal conduct; and (2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”
Federal Sentencing Guidelines (cont’d)
The FSG:
• Are clearly remedial; mitigate culpability;
• Distinguish between rewarding ethical and compliant behavior and disciplining/deterring unethical, criminal behavior; and,
• Recognize that organizations cannot prevent inappropriate behavior from ever occurring.
EIGHT ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM
1. High level company personnel who exercise effective oversight and have direct reporting authority to the governing body or appropriate subgroup (e.g., Audit Committee);
2. Written policies and procedures;
3. Training and education;
4. Lines of communication;
EIGHT ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM (cont’d)
5. Standards enforced through well-publicized disciplinary guidelines;
6. Internal compliance monitoring;
7. Response to detected offenses (including remediation of harm caused by criminal conduct) and corrective action plans (including assessment and modification of the compliance and ethics program); and,
8. Periodic Risk Assessments.
EIGHT ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM (cont’d)
In the 2012 Morgan Stanley matter, the DOJ/SEC gave the company a pass (NPA agreement) due to “rogue” employee behavior, citing MS’ compliance program elements:
• Policies and procedures
• Compliance resources (over 500 compliance officers)
• Training
• Ongoing communications
• Transaction-specific controls
HIGH LEVEL PERSONNEL – Governing Authority (e.g., Board of Directors)
The organization’s governing authority should:
• be knowledgeable about the program;
• exercise reasonable oversight over its implementation and effectiveness;
• ensure adequate resources to operate the program effectively; and,
• promote the program.
HIGH LEVEL PERSONNEL – Day-to-Day Responsibility
• May be a Chief Compliance Officer (GC, IA or Independent) and/or a Compliance Committee;
• Must have overall responsibility for day-to-day compliance program operations;
• Must have prompt access to the Board to report instances of criminal conduct;
• Must report annually to the Board on compliance and ethics program; and,
• Must have access to effective high level management and executive oversight.
SMALLER ORGANIZATIONS
What is deemed “adequate” will vary depending on the size and operations of an organization.
Smaller organizations “may meet the requirements of this guideline with less formality and fewer resources than would be expected of large organizations. In appropriate circumstances, reliance on existing resources and simple systems can demonstrate a degree of commitment that, for a large organization, would only be demonstrated through more formally planned and implemented systems.”
Federal Sentencing Guidelines Manual
Effective Compliance Programs Guidelines
Commentary
PROMOTING THE PROGRAM
§8B2.1(b)(6) – an organization should promote and consistently enforce its program through incentives and disciplinary action.
• Should be done throughout all levels;
• Appropriate is case-specific;
• Appropriate includes rewarding material concerns that are raised or helpful recommendations for improvement; and,
• Could range from reprimand with additional training to a demotion or termination.
• Must be proportional!
COMPLIANCE COMMUNICATIONS ELEMENTS
• Written Policies and Procedures
• Training and Education
• Lines of Communication (Hot/Helplines)
• Standards enforced through well-publicized disciplinary guidelines – Code of Conduct
WRITTEN POLICIES AND PROCEDURES
• Should be adopted to promote employee understanding of and adherence with laws and regulations;
• Should encourage managers and employees to report good-faith belief or knowledge of unlawful, unethical or improper behavior without fear of retaliation; and,
• Should be readily available, easily accessed, and kept current.
TRAINING AND EDUCATION
§8B2.1(b)(4) prescribes that:
• Reasonable and practical steps must be taken to widely promulgate, disseminate information and train employees on the organization’s compliance program and its code of conduct, policies, procedures and processes.
• Training should be provided to the governing authority, high-level executives, employees and, where appropriate, the organization’s agents. (May be required by law.)
• Recommended that training be tracked, attested to, documented, and followed up.
SMALLER ORGANIZATIONS
With respect to smaller organizations,
“Examples of the informality and use of fewer resources with which a small organization may meet the requirements of this guideline include . . . training employees through informal staff meetings.”
Federal Sentencing Guidelines Manual
Effective Compliance Programs Guidelines
Commentary
LINES OF COMMUNICATION
To enhance the effectiveness of a compliance program, the FSG requires lines of communication whereby:
• Employees and agents may seek guidance and report concerns, including the opportunity to report anonymously;
• There are assurances that there will be no retaliation for good-faith reporting; and,
• Sometimes required by statute, e.g., Medicare/Medicaid.
PUBLICIZED STANDARDS AND DISCIPLINE
FSG §8B2.1(b)(1) – An organization must have standards of conduct and internal controls reasonably capable of reducing the likelihood of criminal and other improper conduct.
The Code of Ethical Conduct is the foundation of these controls and is the centerpiece of an effective compliance program.
PUBLICIZED STANDARDS AND DISCIPLINE (cont’d)
Code of Ethical Conduct – Content:
• Leadership/mission statement
• Description of program and relevant risks
• Values, guiding ethical principles
• Who is covered and who administers the program
• Guidance on expected behaviors
• Channels and obligations for reporting misconduct or violations of the Code
• Disciplinary actions for Code violations
INTERNAL MONITORING
FSG – a compliance program should include ongoing monitoring and auditing systems designed to detect criminal and other improper conduct.
Essential component because:
• ensures that the organization’s compliance and ethics program is followed; and,
• evaluates the effectiveness of the compliance program.
INTERNAL MONITORING (cont’d)
What should be monitored?
• Risks and context – anything changing?
• Compliance with the Code of Conduct; policies and procedures; overall effectiveness of the program, policies and systems;
• Employee understanding/opinion of the ethical climate, commitment to compliance; and,
• Whether there are risks not addressed.
INTERNAL MONITORING (cont’d)
Types of monitoring:
• Line management reviews of risks, strategies and management systems;
• Internal audit – independence from the area assessed is required;
• External audit; and,
• Employee surveys.
INTERNAL MONITORING (cont’d)
SMALLER ORGANIZATIONS:
“Examples of the informality and use of fewer resources with which a small organization may meet the requirements of this guideline include . . . monitoring through regular ‘walk-arounds’ or continuous observation while managing the organization.”
Federal Sentencing Guidelines Manual
Effective Compliance Programs Guidelines
Commentary
RESPONSE TO MONITORING - §8B2.1(b)(7)
After monitoring and auditing of its compliance program, the organization shall take reasonable steps to:
• Respond appropriately to any violations of the law or policies to prevent future misconduct;
• Modify and improve the organization’s compliance and ethics program; and,
• Make restitution when appropriate if criminal conduct is found.
RESPONSE TO MONITORING - §8B2.1(b)(7)
When improper conduct has been detected, imperative that organization take action.
• Failure to prevent/detect improper conduct in and of itself does not mean that program is ineffective.
• “. . . recurrence of similar misconduct creates doubt regarding whether the organization took reasonable steps to achieve an effective program.”
• Appropriate remedial measures must be taken. May include anything from disciplinary action for the responsible person to modification of the compliance program in place.
PERIODIC RISK ASSESSMENTS - §8B2.1(c)
An organization should periodically assess the risk of improper conduct within its operations and take appropriate steps to design, implement or modify each element of the program to reduce the risk of improper or unethical behavior.
Benefits –
• Efficiency – maximize resources
• Buy-in/Ownership – increase active participation
• Coordination – consensus building across multiple functions
PERIODIC RISK ASSESSMENTS - §8B2.1(c) (cont’d)
Risk assessments usually focus on evaluating:
• audit results;
• recent litigation or settlements;
• compliance complaints;
• employee claims;
• industry enforcement trends; and,
• existence/sufficiency of policies.
PERIODIC RISK ASSESSMENTS - §8B2.1(c) (cont’d)
Risk assessments – content and focus:
• now more formal;
• results should be mapped on a matrix to show the level of risk for each area examined;
• determine the likelihood of a violation;
• assess the likely damage to the organization from a violation;
• identify the steps that must be taken to mitigate the risks;
• determine whether internal controls are effective to mitigate the risk;
• identify whether any corrective action needed; and,
• communicate throughout the organization.
PERIODIC RISK ASSESSMENTS - §8B2.1(c) (cont’d)
Once risks are assessed:
- What is your organization’s appetite for risk?
- What are the most important risks to address?
PERIODIC RISK ASSESSMENTS - §8B2.1(c) (cont’d)
Risk response:
- Avoidance
- Reduction/Mitigation (internal controls)
- Sharing (e.g., insurance)
- Acceptance
i. Crisis Management Plans
ii. Business Continuity Plans
iii. Other Operational Plans
iv. New policies/procedures
ALMOST DONE
Importance and complexity of compliance programs have skyrocketed.
Is a key element for all stakeholders.
FSG is best guidance, but when at the sentencing stage, it is too late to start a compliance program.
Eight components provide the essential foundation to create an effective program and detect/deter improper, unethical conduct.
Time to start is now.
TOP TEN REASONS TO HAVE AN EFFECTIVE PROGRAM
• Learn new lingo to amaze and confound your board and colleagues, e.g., FSG, Dodd-Frank, qui tam
• Prevent your tax dollars from funding beach house for whistleblowers.
• Let some other company experience the joy of responding to a SEC investigation.
• Orange is not your color and you don’t want to learn the perp walk, unless it’s a new dance.
• Remember CCOs don’t let executives sit for mug shots.
• Pass up the opportunity to see your name and picture on a headline that reads “Chief Compliance Officer Facing Charges.”
• Avoid having to call 1-800-FINDMEAJOB
• Avoid wasting your 15 minutes of fame on a CNN Headline News topic.
• Skip the experience of “Club Fed.”
• And the number one reason you need an effective compliance program . . .
• IT’S THE LAW!
QUESTIONS?????