Compliance Into the Weeds

Compliance into The Weeds: The Complexity of Risk Assessments

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt take a deep dive into the variables a compliance professional should consider when performing a risk assessment. We also say a few words about our experiences in the total solar eclipse of April 8.

Risk assessments in compliance encompass the careful evaluation of both external and internal risks, necessitating a carefully planned process for overseeing various risk assessments within a company. This task, while intricate and often challenging, is a crucial aspect of compliance.

Fox emphasizes the necessity of precisely defining the scope of risk assessments, which could involve assessing external threats, internal controls, or both. He proposes that companies could benefit from the guidance of internal audits, external consultants, or professional service firms.

Similarly, Matt Kelly acknowledges the complex and challenging nature of risk assessments. He underscores the importance of a disciplined, coherent approach to managing risk assessments across different parts of an organization, suggesting that assistance from third-party firms or internal audit teams may be brought in.

Both Fox and Kelly’s perspectives underscore the importance of strategic planning, effective management, and possible external input in conducting risk assessments in compliance programs.

Key Highlights:

  • Comprehensive Approach to Conducting Risk Assessments
  • Collaborative Risk Assessment for Compliance Optimization
  • Enhancing Compliance through Internal Control Testing
  • Strategic Integration of Compliance in Enterprise Risk
  • Celestial Event Viewing: The Influence of Clouds

Resources:

Matt on Radical Compliance

Tom on Instagram, Facebook, YouTube, Twitter, and LinkedIn

Great Women in Compliance

Great Women in Compliance – Christina Marshall on Global Compliance Leadership

Welcome to the Great Women in Compliance Podcast. In this episode, we visit Christina Marshall, an ethics and compliance leader with extensive experience working with US and foreign regulators. Her expertise is in fraud and corruption investigations, risk assessments, and operationalizing compliance in complex global organizations. She currently leads the Oracle EMEA Compliance team, which is responsible for driving compliance across Europe, the Middle East, and Africa. She is a US-trained litigator with a Juris Doctor from Fordham University School of Law.

Christina has worked in private practice as well as as a senior counsel within the Division of Enforcement at the Securities and Exchange Commission, which is responsible for investigating violations of the FCPA. Her experience also includes teaching as a professor of Securities Regulation, White Collar Crime, Corporations and American Law. Drawing on this background, Christina is highly skilled in investigating procurement fraud, money laundering, and corruption, leading risk assessments, and creating preventative compliance practices.

Christina’s perspective on compliance best practices is that it should function as a partnership with the business, focusing significantly on transparency and support for business leaders, rather than acting as the ‘police’. Her knowledge in this area has been shaped by her prior experience at the US Securities and Exchange Commission’s Division of Enforcement and her extensive engagement with regulators worldwide. Additionally, her time spent teaching law in Russia has enriched her global perspective. She emphasizes the necessity of involving business partners in risk mitigation, with an emphasis on fostering trust and respect, particularly during challenging investigations.

Key Highlights:

  • Collaborative Approach to Achieving Compliance Goals
  • Efficient Risk Management Through Practical Prioritization
  • Fostering Trust Through Investigative Transparency
  • Encouraging Curiosity and Open Communication Culture
  • Global Compliance Strategies in Multinational Operations
  • Tailoring Compliance Programs for Regional Teams
  • Enhancing Compliance Practices Through Root Cause Analysis
  • Enhancing Efficiency Through Clear Communication

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Elizabeth Simon on More Holistic Risk Assessments

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Elizabeth Simon discusses her panel presentation at Compliance Week 2024, “Innovative Approaches to Enterprise Risk Assessments.” Some of the issues she and her colleagues will discuss in this podcast and her presentation are:

  • How compliance can help the entire business mitigate risk
  • How to take a holistic approach to enterprise risk management
  • Seeing old friends, making new ones, and learning about new best practices at Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at the Westin Washington, DC, Downtown. The line-up is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, the event brings together 500+ compliance, ethics, legal, and audit professionals who gather face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, and to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners, including CEOs, CCOs, regulators, federal officials, and practitioners, to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, to your program for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Podcast Network produces the Compliance Week 2024 Preview Podcast series. Compliance Week sponsors this series.

31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 19 – Evaluating a Risk Assessment

One way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.

These priority risks become the focus of your most significant risk management efforts, coupled with audits and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Three key takeaways:

1. Even after you complete your risk assessment, you must evaluate those risks for your company.

2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.

3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 18 – Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from a commercial perspective, on how your organization has identified, assessed, and defined its risk profile, and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality, they should be done each time your risk changes. Over the past couple of years, every company’s risks have changed from going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, the supply chain, or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from a compliance perspective?

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

Three key takeaways:

1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.

2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence.

3. You should base your compliance program on your risk assessment.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Everything Compliance

Everything Compliance – Episode 123, The Spanish Kiss Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Matt Kelly and Karen Woody, with Tom Fox hosting. We conclude with our always popular and fan fav Shout Outs and Rants.

1. Matt Kelly looks at the new SEC requirement for companies to improve their risk assessments and attendant processes. He rants about the US Federal Courts not allowing television cameras and says we need the Trump trials televised in federal courts.

2. Karen Woody reviews Opinion Release 23-01. She shouts out to the Barbie movie.

3. Tom Fox shouts out to Megan Rapinoe for her great professional career and her social activism while a member of the USWNT.

4. Jay Rosen looks at the imbroglio surrounding the Spanish National football team after its Women’s World Cup win. Rosen shouts out SOCAR, the South Orange County Compliance and Ethics Roundtable.

5. Jonathan Armstrong considers the NATS air traffic debacle and operational resilience. He shouts out Sgt. Graham Saville who lost his life helping a person in distress.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks – Marks can be reached at jtmarks@gmail.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Compliance Week Conference Podcast

Compliance Week 2023 Speaker Series – Hemma Lomax on Risk Assessments

In this episode of the Compliance Week 2023 Speaker Preview Podcasts series, Hemma Lomax discusses her panel at Compliance Week 2023, “Approaches to Risk Assessment Programs – Benchmarking Best Practices Across Industries.”

Some of the issues she will discuss in her presentation are:

  • How cross-functional professionals are structuring their risk assessment programs, how to benchmark best practices, and ideas attendees can walk away with to enhance their own program;
  • Cohesive approaches to concurrent risk assessments; and
  • A discussion of insourcing vs. outsourcing external assessments, weighing the pros and cons of each.

I hope you can join me at Compliance Week 2023. This year’s event will be May 15-17 at the JW Marriott in Washington, DC. The line-up of this year’s event is simply first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 18th year, the event brings together compliance, ethics, legal, and audit professionals who gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs, and to:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 75+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from the two SEC Commissioners, gain insights into the agency’s enforcement areas, and walk away with guidance on remaining compliant within emerging areas such as ESG disclosure, third-party risk management, cybersecurity, cryptocurrency, and more.
  • Bring actionable takeaways from various session types, including ESG, Human Trafficking, Board obligations, and many others, back to your program for you to listen, learn and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. Listeners of this podcast will receive a discount of $200 by using code TF200 on the link here.

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective II: Risk Assessments

Objective II is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the Framework requires a component of management input and oversight that was perhaps not as well understood.

The objective of Risk Assessment consists of four principles.

Principle 6: Suitable objectives.

Principle 7: Identifies and analyzes risk.

Principle 8: Fraud risk.

Principle 9: Identifies and analyzes significant change.

The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Internal Controls Framework. Obviously, risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.

Three key takeaways:

  1. Risk assessments are required under the COSO 2013 Internal Controls Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, both their determination and their management, change over time, so be cognizant of changes in business practices on the ground.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Risk Assessments and Internal Controls

Today, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparing the risk assessment, the next step is to prioritize the listed risks and identify the locations where they are common. This begins by mapping existing internal controls to risks and assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, assigning a risk weight to each element in the risk assessment may be useful. For example, a construction company might assign a higher weight to the presence of movable fixed assets. A company that sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations where control risks need to be addressed.

Top Risks Include:

  • Sales are conducted through third parties.
  • A U.S.-based international sales manager who is responsible for growing the business.
  • Sales channel uses a U.S.-based sales force that only travels to locations outside the U.S. for temporary visits of generally short duration.
  • Gifts, travel, and entertainment.
  • High-risk jurisdictions.
  • Business ventures.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal controls over financial reporting and could be useful for companies complying with internal compliance controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal controls and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that even if an employee saw inappropriate behavior, it would not be expected that the employee would make any report or comment.

Three key takeaways:

1. Third-party risks are still your highest risks under the FCPA, so use your internal controls appropriately to help prevent this risk from becoming a violation.

2. Use mapping and gap analysis to collate risks to existing controls.

3. Always consider the regional and geographic variances.

31 Days to More Effective Compliance Programs

Day 15 – How do you evaluate a risk assessment?

After completing your risk assessment, you must translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:

Once we have assessed risks and determined a process that includes options to resolve and manage them whenever appropriate, we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are better positioned to speak about the quality of our businesses.

William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement,” posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where just a few people commit virtually all violations. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey stick,” to which a company should devote most of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions involving those employees with the greatest means and motive to commit a violation.

The priority risks are the most significant risks with the greatest likelihood of occurring. These become the focus of your most significant risk management efforts, coupled with ongoing audits and monitoring. A variety of tools can be used to monitor risk going forward continuously. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program rather than letting the compliance program inform the risk assessment.

Three key takeaways:

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.
  3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.