Presentation - Society of Corporate Compliance and Ethics

602: Creating a Compliance Program in a Matrix Organization
February 23, 2016
Objective
> Benchmarking Tools for Understanding the Culture and Current Organizational Compliance Structure
> Leveraging Cross Functional Teams
> Building a Charter
602: Creating a Compliance Program in a Matrix Organization 2/23/2016
SCCE Utilities & Energy Conference
© 2015 The Williams Companies, Inc. All rights reserved.
Slicing Open the Matrix
Initial Steps
Establish a 90 day plan
> Days 1-30 Map the Organization
> Days 31-60 Identify the Risks
> Days 61-90 Design the Structure and Foundation
Gather the Data
> Internal Review to Identify the Need
> 3rd Party Assessment to Focus the Need
> Internal Interviews to Align the Team
> Internal Survey to Validate the Need
The Road to Understanding Matrix Cultures and Compliance Structures – Days 1 through 30
1. Start with the published governance documents
2. Identify board committees
3. Cascade C-Suite management functions
4. Cascading helps define business function silos
5. Research and identify embedded compliance obligations by silo
6. Identify embedded personnel dedicated to compliance in the silos
7. Identify personnel resources dedicated to enterprise compliance functions (e.g., Audit, Risk, Compliance, Security, Training)
8. Prioritize compliance risks by identifying an enterprise common risk rank model
9. Diagram the culture and structure
Identifying the Culture Map
How does responsibility cascade through the enterprise?
Mapping the Structure and Compliance Culture of the Matrix
[Diagram: the slide is a matrix that maps key legal and regulatory compliance obligations against the rows Governmental Oversight, Board Oversight (Committee?), Management Oversight and Day-to-Day Responsibility, with the compliance program elements (governing authority, oversight, staffing, and resources) along the other axis. Only the labels survive in this transcription; they are listed below.]
Key legal & regulatory compliance obligations and their governmental oversight:
– Natural Gas Act of 1938: FERC
– 29 CFR 1910.119: DOL/OSHA
– Title 49 Transportation: DOT
– 40 CFR 68: EPA
– Sarbanes-Oxley Act of 2002: SEC
– Fair Labor Standards Act: DOL
– 49 CFR 192: DOT/PHMSA
Board oversight (Committee?): Audit
Management oversight: CEO, CFO, COO
Day-to-day responsibility: OPS, EHS, Finance & Accounting, HR, EHS/OPS
Compliance program elements (governing authority, oversight, staffing, and resources):
– Risk Assessment
– Code of Conduct, Policies & Procedures
– Due Care in Delegation, Hiring and Promotion
– Educate & Communicate
– Monitor, Audit, Report, Prevent & Detect
– Investigate, Enforce Discipline and Incentivize
– Respond, Remediate and Assess
Benchmarking Maturity
* SCCE Utilities & Energy Conference 2014, KCP&L presentation “The New Compliance Vision – Cutting Edge or Bleeding Edge”
Benchmarking the Bridge to Compliance – Days 31-60
Controls
• Code of Conduct
• Policies / Procedures
• Control Functions
• Audit
• Risk
• HR
• Embedded Resources
Compliance Program
• Foundation
• Design
• Structure
• Support
Tension Points
• Operational Needs
• Cost of Compliance
• Duplication of Efforts
• Complexity of Compliance
• Operational Drag
Watch out for the Sharks!
Identify the Risks
• Internally validated
• 3rd Party Consultants
• Compared to Industry
Survey the Risks
• Business Function
• Operating Area
• Responsibility Level
Map the Risks
• Liability Exposure
• Operating Area
• Job Function
Perception of Legal Risks Gives Insight into Culture
> Pick a Sample Group including:
– Business Functions
– Operating Areas
– Responsibility Levels
> Sample Risk Survey Categories
1. Antitrust / Fair Trade
2. Consumer Protection / Product Safety
3. Environmental Health and Safety
4. Culture / Reporting / Investigations
5. Labor
6. Regulatory
7. Legal
8. Privacy
> Sample Questions:
– Do you think [Company Name] overbills some of its customers for services, or bills an entity that is not a customer?
– Do you think that [Company Name] facilities or tasks create an environment that harms the health of our employees?
– Do you think that management pressure, or fear of retaliation, will cause compliance violations to go unreported?
– Do you think that [Company Name] procedures for reporting or investigating misconduct will be ineffective in bringing about compliance?
– Do you think the [Company Name] training is inadequate for employee safety and health?
> Answer Scale
– Both Quantitative and Qualitative
Big Data - Big Challenge - Leveraging the Matrix
Days 61 - 90
Data Resources
Strategies to Get the Data
> Build relationships with embedded compliance resources
> Interview key work partners
> Scan the Intranet for News
> Talk with the Communications Team
Build the Reports
> To benchmark performance
> To demonstrate execution efficiency and effectiveness
> To demonstrate non-compliance trends
> To demonstrate key risks
Report Outputs to Plug into Enterprise Risk Models
> Results from the Surveys will show cultural disconnects between business functions, management levels, and operating areas
> High turnover, incomplete training trends, and numbers of near misses can be leading indicators of potential compliance issues.
Charter: Blueprint for Compliance Foundation and Structure
> Benchmark Against Publicly Disclosed Charters
> The Board Charter should establish:
– Scope of the Committee Responsibility Based upon Identified Risks
– Meeting Rhythm Cycle
– Annual Review
• Compliance Program
• Compliance Officer
• Charter
– Quarterly Reporting
• Legal Risks in Context
• Compliance Trends
• Compliance Failures
• Enforcement Actions
• Recommendations
Operational Rhythm Enhances Board Line of Sight
[Table: Committee Charter Requirements scheduled against four Board meetings (Jun-19-2016, Sep-12-2016, Dec-11-2016, Mar-12-2017), with an X marking the meeting at which each item is taken up. The per-meeting marks did not survive transcription; the requirements, keyed by charter reference, are listed below.]
Committee Charter Requirements
III.A. Review Charter and report to Board.
III.C. Approval of prior meeting minutes.
III.C. Executive sessions
– Compliance Officer
– Management
III.D. Evaluate Committee performance and effectiveness and report to Board.
IV.A.2. Review and approve the Annual Compliance Plan.
IV.A.3. Review Compliance Annual Report for Compliance Program effectiveness.
IV.A.4. Review reports regarding material violations of laws, regulations and any breach of fiduciary duty.
IV.A.5. Review procedures for receiving employee complaints and concerns under an employee “hot-line” or other direct access program.
IV.A.6. Annual evaluation with management of the Compliance Officer.
IV.B.1. Monitor formal linkages among the Company’s strategic planning, budgeting, financial management, and risk management processes.
IV.B.2. Review and approve appropriate risk management policies and monitor reporting frameworks to support effective management of key risks.
– Consistent standards and a common risk policy for identifying, evaluating, and addressing risks (Risk Vocabulary, Common Platform, Risk Measurement Methodology).
– Executive and Board-level consensus with respect to risk tolerance levels.
Operational Rhythm Enhances Board Line of Sight, continued
– Review the identification of risk owners, development of metrics and the effectiveness of strategies, controls, or techniques used to transfer or mitigate the risk and the monitoring of these metrics.
IV.B.3.
– Review the risk assessment ensuring it includes a complete inventory of current mitigation activities and gaps between the current operating environment and “best in class” risk management for each risk.
– Ensure that there is an implementation plan to manage each risk identified, and ensure that each actionable item in the implementation plan is linked to one or more Key Risk Indicators (KRIs), tracking exposure elevation and treatment success or failure.
– For each critical risk identified, review the established risk tolerance levels, risk retention and transfer (mitigation) strategies, controls, or techniques to determine the feasibility and desirability of retaining or transferring the risk.
– Review and evaluate the effectiveness of management’s processes and action plans to address the critical risks that are identified.
– Work with management to ensure significant actions or initiatives, which the Committee believes necessary or appropriate to effectively manage risk, are properly executed, monitored, and reported.
– Track the status of critical risks, including the effectiveness of risk retention, mitigation strategies/techniques, or strategies/techniques to transfer risk.
IV.B.4. Ensure appropriate coordination of activities of discrete risk management disciplines (for example, legal compliance, insurance, SOX compliance, use of derivatives) within the Company and Board.
IV.B.5. Ensure appropriate management of risk at discrete locations within the Company.
IV.B.6. Monitor escalation process to ensure communication to senior management and, if appropriate, the Board with respect to significant deviations from acceptable risk tolerance levels.
IV.C.1. Obtain reports from management, General Counsel, and the Compliance Officer regarding compliance with applicable laws and regulations and with the Company’s Code of Business Conduct and Ethics.
IV.C.2. Discuss with the Company’s Audit Committee and legal counsel any legal, compliance, or regulatory issues that could have a material effect on the Partnership’s financial statements or compliance policies.
IV.C.3. Review, and revise as needed, established procedures for the receipt, retention, and treatment of complaints received by the Partnership regarding risks, compliance, internal controls and the confidential, anonymous submission by employees, or third parties, of concerns regarding questionable activity of any individual or entity involving Partnership business activities.
IV.C.4. Investigate material matters brought to the Committee’s attention within the scope of its duties.
IV.C.5. As applicable, review with management and the Compliance Officer any published reports and correspondence with regulators or governmental agencies which raise material issues regarding the Partnership’s compliance obligations.
Referenced Subscription Based Tools
> Society of Corporate Compliance and Ethics
– http://www.corporatecompliance.org/
> Corporate Executive Board (CEB) – Compliance and Ethics
– https://www.cebglobal.com/exbd/compliance-legal/index.page?
> Association of Corporate Counsel – Compliance & Ethics Committee
– http://www.acc.com/committees/cec/index.cfm
> NYSE - Board Solutions – Governance Risk and Compliance
– https://www.nyse.com/governance/board-solutions
> Practising Law Institute (PLI) Corporate & Securities – Compliance
– http://pli.edu/Content/Corporate_Securities-Compliance/_/N-7y
– http://pli.edu/Content/Corporate_Securities-Corporate_Governance/_/N-7w
> Practical Law – Corporate Compliance and Ethics Toolkit
– http://us.practicallaw.com/8-503-7711
Some Free Tools
> Compliance & Ethics Risk Assessment: Concepts, Methods and New Directions
– Jeffrey M. Kaplan, Kaplan & Walker LLP, Princeton, New Jersey, www.kaplanwalker.com, Copyright ©2013 Corporate Compliance Insights
– http://corporatecomplianceinsights.com/wp-content/uploads/2013/12/CCI-Compliance-and-Ethics-Risk-AssessmentFinal-Dec-30-PDF.pdf
> Society of Corporate Compliance and Ethics
– http://www.corporatecompliance.org/Resources.aspx
> ECI Ethics & Compliance Initiative
– https://www.ethics.org/research/free-toolkit
Questions