Tag: Risk Assessments

Categories
Blog

When New Business Risks Emerge: Lessons for Compliance from The Creature from the Black Lagoon

Ed. Note: This week, leading up to Halloween, I will examine lessons for compliance professionals through the lens of the great Universal Movie Monsters: Frankenstein, Wolfman, Dracula, and The Mummy. Today, we consider what compliance needs to do when new business risks emerge through the lens of the 1954 monster movie classic The Creature from the Black Lagoon. 

============================================================

We move from the 1930s to the 1950s to look at the classic horror film The Creature from the Black Lagoon. In this movie, a team of scientists stumbles upon an uncharted and dangerous lagoon in the Amazon rainforest, only to discover the terrifying Gill-man. What starts as a routine scientific expedition quickly becomes a struggle for survival as the group faces an unexpected threat from an unknown entity. As compliance professionals, this scenario is an apt metaphor for when new business risks emerge or your business model changes unexpectedly.

The film offers valuable lessons on preparedness, adaptability, and vigilance in the face of the unknown lessons echoed in the latest guidance from the 2024 Evaluation of Corporate Compliance Programs(2024 ECCP) and commentary from industry experts like Nicole Argentieri. In this post, we will explore what *The Creature from the Black Lagoon* teaches us about managing new business risks, assess the 2024 ECCP’s guidance on this issue, and consider how Principal Deputy Assistant Attorney General Lisa Argentieri’s views on the 2024 ECCP further inform our approach to compliance in a changing business landscape.

Identifying the Uncharted Waters: Recognizing New Risks

The scientists in The Creature from the Black Lagoon ventured into unknown territory, unaware of the dangers lurking beneath the surface. Similarly, when a business undergoes a shift in its business model, whether through entering new markets, launching new products, or facing changes in regulatory environments, new risks can emerge that were previously uncharted. The first step in managing these risks is recognizing them.

The 2024 ECCP stresses the importance of continuously assessing and identifying new risks as part of an effective compliance program. The ECCP notes that businesses should engage in ongoing risk assessments, particularly when significant changes in business operations occur. Compliance officers must have a mechanism to detect these changes early and respond accordingly.

Nicole Argentieri emphasizes this point, highlighting the need for businesses to be proactive rather than reactive. In her commentary on the ECCP, Argentieri notes that one of the key elements of a robust compliance program is its ability to evolve with the business. Companies must quickly recalibrate their risk assessments and compliance strategies when new risks appear. As the film illustrates, failing to anticipate or identify new threats can leave you vulnerable, just as the scientists were unprepared for the dangers in the lagoon.

 Assessing the Threat: The Need for a Swift and Comprehensive Risk Evaluation

Once the scientists in the film realize that the Gill-man is a threat, they must quickly reassess their entire situation. In the corporate world, the appearance of a new risk demands a similar response: swift and comprehensive evaluation. Businesses must assess the immediate risk and its broader implications on the company’s operations, reputation, and compliance obligations.

The 2024 ECCP strongly emphasizes the need for businesses to adapt their risk assessments to reflect changes in operations or the external environment. Whether the company is expanding into a new geographic area, introducing new products, or dealing with changing regulations, the risk landscape will shift. Compliance officers must ensure their risk management frameworks are flexible enough to incorporate these new threats.

Argentieri has noted that when new risks emerge, companies must act swiftly to integrate them into their compliance programs. This involves conducting fresh risk assessments and ensuring that any changes in the business model are reflected in compliance policies, training, and monitoring systems. Like the characters in the film, who adapt their strategies as they learn more about the Gill-man, compliance teams must evolve their strategies based on a full understanding of the new risk landscape.

Adapting Your Strategy: Revising Policies, Procedures, and Controls

The central characters in The Creature from the Black Lagoon must quickly adapt their approach to survive. Similarly, when new business risks arise, compliance officers must reevaluate and adjust existing policies, procedures, and internal controls. The 2024 ECCP clearly states that policies and controls should not remain static. Instead, they must be revised to reflect the changing nature of business operations and risks.

When your business model changes, you cannot assume that your existing compliance framework will continue to be effective. For example, expanding into new geographic regions may introduce new risks related to anti-bribery and corruption (ABAC), data privacy, or supply chain integrity. New product offerings bring consumer protection, product safety, or intellectual property risks to the forefront. The ECCP recommends reviewing and updating your internal controls, third-party risk management processes, and compliance training to ensure that all aspects of your compliance program remain relevant.

Argentieri’s analysis of the 2024 ECCP reinforces this point. She has argued that businesses must build dynamic and agile compliance programs. The compliance function should be involved in key decision-making processes as the business grows and changes. When new risks emerge, the compliance department must be ready to overhaul procedures and policies swiftly. This could mean expanding due diligence efforts, revising conflict-of-interest policies, or rolling out new training programs to address the specific nature of the risk.

Vigilance and Monitoring: Ongoing Risk Management

In The Creature from the Black Lagoon, the characters must always stay vigilant to avoid the creature’s attacks. When new risks emerge, businesses must maintain a heightened level of vigilance through ongoing monitoring and testing of their compliance programs. The 2024 ECCP underscores the importance of regular monitoring to ensure compliance programs work as intended, especially in the face of new business risks.

The ECCP recommends incorporating data analytics and other technological tools to monitor compliance activities in real-time. For example, if your business is expanding into new regions, you may want to enhance monitoring of third-party relationships in those areas to ensure compliance with local laws and regulations. Continuous monitoring allows businesses to spot emerging risks early and respond before they become critical issues.

Argentieri has highlighted the need for compliance professionals to stay engaged with the business as it evolves. She suggests that compliance officers must work closely with business leaders to understand the company’s strategic direction and anticipate new risks before they fully materialize. Compliance professionals can avoid potential threats by actively participating in business discussions and decision-making and adjusting their monitoring programs accordingly.

Training and Communication: Keeping Everyone in the Loop

In the film, survival depends on everyone being aware of the danger and working together to manage it. Similarly, once new risks have been identified, ensuring that all employees, from the C-suite to the front lines, are informed and equipped to handle them is essential. The 2024 ECCP stresses the importance of communication and training as key components of an effective compliance program, especially when new risks are introduced.

When a business model changes or a new risk emerges, compliance officers must update training programs to reflect these developments. Employees should understand the nature of the new risks and how to navigate them within the company’s compliance framework. Regular communication from leadership about the importance of compliance and the role employees play in managing risk is critical for building a culture of compliance.

Argentieri has noted that training should be tailored to address the risks that have arisen. For example, if a company is entering a market with heightened anti-corruption risks, the compliance training should focus on identifying red flags for bribery and navigating local regulatory requirements. Just as the characters in The Creature from the Black Lagoon needed to work as a team to survive, businesses must ensure everyone is on the same page when managing new risks.

The lessons from The Creature from the Black Lagoon offer valuable insights for today’s compliance professionals. When faced with new and unforeseen threats, quickly adapting and responding is crucial for survival. The 2024 ECCP reinforces this need for agility, emphasizing the importance of ongoing risk assessments, the revision of policies and procedures, and vigilant monitoring.

Nicole Argentieri’s commentary on the ECCP provides further guidance, urging companies to build compliance programs that can evolve in real-time with the business. Just as the characters in the film had to adapt to survive, compliance officers must ensure their programs are flexible enough to respond to new risks and changing business models. By staying alert, adapting quickly, and fostering a culture of compliance, businesses can navigate uncharted waters and emerge stronger on the other side.

Join us tomorrow, where we will consider the 1954 movie version of The Creature from the Black Lagoon and how companies must assess and manage new and emerging risks.

Categories
Compliance Into the Weeds

Compliance into The Weeds: The Complexity of Risk Assessments

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt take a deep dive into the variables a compliance professional should consider when performing a risk assessment. We also say a few words about our experiences in the total solar eclipse of April 8.

Risk assessments in compliance encompass the careful evaluation of both external and internal risks, necessitating a carefully planned process for overseeing various risk assessments within a company. This task, while intricate and often challenging, is a crucial aspect of compliance.

Fox emphasizes the necessity of precisely defining the scope of risk assessments, which could involve assessing external threats, internal controls, or both. He proposes that companies could benefit from the guidance of internal audits, external consultants, or professional service firms.

Similarly, Matt acknowledges its complex and challenging nature. Kelly underscores the importance of a disciplined, coherent approach to managing risk assessments across different parts of an organization, suggesting the possibility of involving assistance from third-party firms or internal audit teams.

Both Fox and Kelly’s perspectives underscore the importance of strategic planning, effective management, and possible external input in conducting risk assessments in compliance programs.

Key Highlights:

  • Comprehensive Approach to Conducting Risk Assessments
  • Collaborative Risk Assessment for Compliance Optimization
  • Enhancing Compliance through Internal Control Testing
  • Strategic Integration of Compliance in Enterprise Risk
  • Celestial Event Viewing: The Influence of Clouds

Resources:

Matt on Radical Compliance

 Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Great Women in Compliance

Great Women in Compliance – Christina Marshall on Global Compliance Leadership

Welcome to the Great Women in Compliance Podcast. In this episode, we visit Christina Marshall, an experienced ethics and compliance leader with extensive experience working with US and foreign regulators. Her expertise is in fraud and corruption investigations, risk assessments, and operationalizing compliance in complex global organizations. She currently leads the Oracle EMEA Compliance team, which is responsible for driving compliance through Europe, the Middle East, and Africa. She is a US-trained litigator with a Juris Doctor from Fordham University School of Law.

Christina has worked in private practice as well as as a senior counsel within the Division of Enforcement at the Securities Exchange Commission, which is responsible for investigating violations of the FCPA. Her extensive experience also includes teaching as a professor of Securities Regulation, White Collar Crime, Corporations and American Law. Based on her extensive experience, Christina is highly skilled in investigating procurement fraud, money laundering, and corruption, leading risk assessments, and creating preventative compliance practices.

Christina’s perspective on compliance best practices is that it should function as a partnership with the business, focusing significantly on transparency and support for business leaders, rather than acting as the ‘police’. Her knowledge in this area has been shaped by her prior experience at the US Securities and Exchange Commission’s Division of Enforcement and her extensive engagement with regulators worldwide. Additionally, her time spent teaching law in Russia has enriched her global perspective. She emphasizes the necessity of involving business partners in risk mitigation, with an emphasis on fostering trust and respect, particularly during challenging investigations.

Key Highlights:

  • Collaborative Approach to Achieving Compliance Goals
  • Efficient Risk Management Through Practical Prioritization
  • Fostering Trust Through Investigative Transparency
  • Encouraging Curiosity and Open Communication Culture
  • Global Compliance Strategies in Multinational Operations
  • Tailoring Compliance Programs for Regional Teams
  • Enhancing Compliance Practices Through Root Cause Analysis
  • Enhancing Efficiency Through Clear Communication

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Elizabeth Simon on More Holistic Risk Assessments

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Elizabeth Simon discusses her panel presentation at Compliance Week 2024, “Innovative Approaches to Enterprise Risk Assessments.” Some of the issues she and her colleagues will discuss in this podcast and her presentation are:

  • How compliance can help the entire business mitigate risk
  • How to take a holistic approach to enterprise risk management
  • Seeing old friends, making new ones, and learning about new best practices at Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at the Westin Washington, DC, Downtown. The line-up is first-rate, with some top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, join 500+ compliance, ethics, legal, and audit professionals who gather to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, among many others, to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners, including CEOs, CCOs, regulators, federal officials, and practitioners, to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, to your program for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Podcast Network produces the Compliance Week 2024 Preview Podcast series. Compliance Week sponsors this series.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 19 – Evaluating a Risk Assessment

One way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audits and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Three key takeaways:

1. Even after you complete your risk assessment, you must evaluate those risks for your company.

2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.

3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 18 – Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from a commercial perspective, on how your organization has identified, assessed, and defined its risk profile, and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality, they should be done each time your risk changes. Over the past couple of years, every company’s risks have changed from going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, the supply chain, or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from a compliance perspective?

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

Three key takeaways:

1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.

2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence.

3. You should base your compliance program on your risk assessment.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Everything Compliance

Everything Compliance – Episode 123, The Spanish Kiss Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Matt Kelly and Karen Woody, with Tom Fox hosting. We conclude with our always popular and fan fav Shout Outs and Rants.

1. Matt Kelly looks at the new SEC requirement for companies to improve their risk assessments and attendant processes. He rants about the US Federal Courts not allowing television cameras and says we need the Trump trials televised in federal courts.

2. Karen Woody reviews Opinion Release 23-01. She shouts out to the Barbie movie.

3. Tom Fox shouts out to Megan Rapinoe for great professional career and her social activism while a member of the USWNT.

4. Jay Rosen looks at the imbroglio surrounding the Spanish National football team after its Women’s World Cup win. Rosen shouts out SOCAR, the South Orange County Compliance and Ethics Roundtable.

5. Jonathan Armstrong considers the NATS air traffic debacle and operational resilience. He shouts out Sgt. Graham Saville who lost his life helping a person in distress.

The members of the Everything Compliance are:

•       Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks can be reached at jtmarks@gmail.com.

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Compliance Week Conference Podcast

Compliance Week 2023 Speaker Series – Hemma Lomax on Risk Assessments

In this episode of the Compliance Week 2023 Speaker Preview Podcasts series, Hemma Lomax discusses some of her panel at Compliance Week 2023,  “Approaches to Risk Assessment Programs – Benchmarking Best Practices Across Industries.”

Some of the issues she will discuss in her presentation is:

  • How cross-functional professionals are structuring their risk assessment programs, benchmark best practices, and walk away with ideas to enhance their program;
  • Cohesive approaches to concurrent risk assessments; and
  • A discussion on the insourcing vs. outsourcing external assessments and weighing the pros and cons of each.

I hope you can join me at Compliance Week 2023. This year’s event will be May 15-17 at the JW Marriott in Washington, DC. The line-up of this year’s event is simply first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 18th year, compliance, ethics, legal, and audit professionals will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. And many others to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 75+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from the two SEC Commissioners, gain insights into the agency’s enforcement areas, and walk away with guidance on remaining compliant within emerging areas such as ESG disclosure, third-party risk management, cybersecurity, cryptocurrency, and more.
  • Bring actionable takeaways from your program from various session types, including ESG, Human Trafficking, Board obligations, and many others, for you to listen, learn and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount of $200 by using code TF200 on the link here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective II: Risk Assessments

Objective II is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful, however the Framework requires a component of management input and oversight that was perhaps not as well understood.

The objective of Risk Assessment consists of four principles.

Principle 6: Suitable objectives.

Principle 7: Identifies and analyzes risk.

Principle 8: Fraud risk.

Principle 9: Identifies and analyzes significant change.

The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Internal Controls Framework. Obviously, risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation. The regulators are telling companies specifically that they should be seeing new risks that they need address because of the changes brought about by the new standard.

Three key takeaways:

  1. Risk assessments are required under the COSO 2013 Internal Controls Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, both determination and management of, changes over time so be cognizant of changes in business practices on the ground.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Risk Assessments and Internal Controls

Today, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparing the risk assessment, the next step is to prioritize listing the risks and which locations are common. This begins by mapping existing internal controls to risks and assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, assigning a risk weight to each element in the risk assessment may be useful. For example, a construction company might assign a higher weight to the presence of movable fixed assets. A company that sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However, it is structured; the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then prioritize the locations dealing with control risks.

Top Risks Include:

Sales are conducted through third parties.

·       A U.S.-based international sales manager who is responsible for growing the business?

·       Sales channel uses a U.S.-based sales force that only travels to locations outside the U.S. for temporary visits of generally short duration.

·       Gifts, travel, and entertainment.

· High-risk jurisdictions.

·       Business ventures.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal controls over financial reporting and could be useful for companies complying with internal compliance controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal controls and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that even if an employee saw inappropriate behavior, it would not be expected that the employee would make any report or comment.

Three key takeaways:

1. Third-party risks are still your highest risks under the FCPA, so use your internal controls appropriately to help prevent this risk from becoming a violation.

2. Use mapping and gap analysis to collate risks to existing controls.

3. Always consider the regional and geographic variances.