The Final Frontier

Upload: giles-tate

Post on 23-Dec-2015


Page 1: The Final Frontier. Enterprise Risk Management is the discipline by which an organization in any industry assesses, controls, exploits, finances, and

The Final Frontier

Susan Ponce
Suggest that we remove ERM from here and just start with 'The Final Frontier'. Then, moving to the next slide, title it Enterprise Risk Management and delete the word definition and take the quotes off the definition itself.
Page 2

Enterprise Risk Management is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short and long-term value to its stakeholders.

Page 3

Conceptual Framework: ERM Framework

Types of Risk (matrix columns): Hazard, Financial, Operational, Strategic

Process Steps (matrix rows):

• Establish Context
• Identify Risks
• Analyze/Quantify Risks
• Assess/Prioritize Risks
• Treat/Exploit Risks
• Monitor & Review

Page 4

Typical Risk Matrix

Page 5

Risk Model Maturity Spectrum

Profiles run from "Earth" to "Final Frontier", in the direction of more shareholder value.

Characteristics

Basic (Comply with Regulatory Obligations):
• Manages risk of infractions
• Provides limited protection

Moderate (Protect Shareholder Value):
• Uses risk management tools
• Protects assets and shareholder value

Advanced (Enhance Shareholder Value):
• Integrates risk measures across enterprise
• Enhances shareholder value

Page 6

Overview of Enterprise Risks

Hazard Risks include risks from: Fire and other property damage; Windstorm and other natural perils; Theft and other crime; Personal injury; Business interruption; Disease and disability (including work-related injuries and diseases); Liability claims; War; and Terrorism.

Page 7

Overview of Enterprise Risks

Financial Risks include risks from: Price (e.g. asset value, interest rate, commodity); Liquidity (e.g. cash flow, call risk, opportunity cost); Credit (e.g. default, downgrade); Inflation/purchasing power; Hedging/basis risk; Taxes; and Currency fluctuations.

Page 8

Overview of Enterprise Risks

Operational Risks include risks from: Business operations (e.g., human resources, product development, capacity, efficiency, product/service failure, channel management, supply chain management, business cyclicality, demand for services); Empowerment (e.g., leadership, change readiness); Information technology (e.g., relevance, availability); Information/business reporting (e.g., budgeting and planning, accounting information, pension fund, investment evaluation, taxation); Natural disaster; Failure to identify market trends; and Failure to properly document deals and transactions.

Susan Ponce
what is 'channel management'?
Page 9

Overview of Enterprise Risks

Strategic Risks include risks from: Reputational damage (e.g., trademark/brand erosion, fraud, unfavorable publicity); Competition; Customer wants; Demographic and social/cultural trends; Technological innovation; Capital availability; and Regulatory and political trends.

Page 10

Overview of Enterprise Risk Management

The ERM process is a continuous cycle:

• Establish Context
• Identify Risks
• Analyze/Quantify Risks
• Assess/Prioritize Risks
• Treat/Exploit Risks
• Monitor & Review (then back to Establish Context)

The diagram also carries the label "Mitigate".

Page 11

Practical Considerations in Implementing ERM

• Designating an ERM “Champion”
• Making ERM part of the enterprise culture (“tearing down the silos”)
• Determining all possible risks of the organization
• Quantifying operational and strategic risks
• Lack of appropriate risk transfer mechanisms
• Monitoring the Process
• Start Slowly: Build Upon Successes

Page 12

Critical Success Factors in Implementing ERM

• Management Buy-In
• Leadership
• Follow up

Page 13

Opportunity for Legal Officers

• Take leadership role in risk identification and mitigation
• Move beyond compliance to other risks facing the company and how they may have legal consequences
• Preventive/proactive lawyering
• Consider attorney-client privilege implications
• Springboard for ethics and compliance initiatives

Susan Ponce
some suggested language/wording changes
Page 14

Compliance Program in Context of ERM Universe

(Diagram: ERM as the outer universe, with the Compliance Program inside it.)

Page 15

What is a Compliance Program?

A program to ensure that a Company has an ethical/compliant culture, minimizing risk to the Company, its Directors and Officers of criminal/financial liability, while maximizing the credit available under the United States Federal Sentencing Guidelines in the event of a violation of law.

Page 16

USSG Seven Criteria

1. Written policies and procedures (code of conduct)
2. Specific high-level personnel assigned to oversee compliance program
3. Communicate standards to all employees/agents; required participation in training; publications explaining program
4. Auditing and monitoring
5. Method for reporting non-compliance without fear of retaliation (anonymous or confidential reporting)
6. Consistent discipline for non-compliance
7. Reasonable steps to respond and prevent

Page 17

Why Have a Compliance Program

Caremark case: Directors must ensure that a company has a system designed to detect, monitor, prevent and report any significant lack of compliance with applicable law.

Holder/Thompson Memos/SEC Position: Decisions whether to prosecute companies involve the questions of 1) whether upper-level management was involved in the misconduct, 2) whether there was an effective compliance program, 3) the company’s criminal history, and 4) the industry self-policing/reporting standards.

Federal Sentencing Guidelines: Company may significantly reduce sanctions, fines and penalties if it has an effective program to prevent and detect violations of law, the hallmark of which is due diligence.

A $6M fraud matter will produce a fine of $8.4 to $16.8 M for a corporation without a compliance program, which may be reduced to as little as $300K for a corporation with an effective compliance program.

Susan Ponce
Suggest this be split into two slides; a little busy and crowded for one.
Page 18

1. Establish standards & procedures reasonably “capable of reducing… prospect for criminal conduct”

Are the Code of Conduct and other policies simple, internally consistent and easily followed?

Is there a process for identifying, capturing and addressing material risks?

Is there a process to identify compliance issues early in the development of new or changing business models and laws?

Is there a process to update policies and procedures?

Do they cover all employees and other agents?

Susan Ponce
suggest adding a title - considerations for any compliance program (and how they may overlap with ERM)
Page 19

2. Assign oversight to specific high-level personnel

Who serves as Compliance Officer?

Does the Compliance Officer have all appropriate access and all necessary resources?

Does the Compliance Officer have the right level of independence?

Does the Compliance Officer report directly to the CEO/GC/Audit Committee?

Does the Compliance Officer review exceptions to the Code of Ethics?

Is there Board oversight? Audit Committee or not?

Employee Certifications

Conflicts of Interest

Page 20

2. Assign oversight to specific high-level personnel [continued]

Corporate commitment: Is there strong executive leadership commitment as demonstrated by communications, actions, budget (especially during tough economic times)?

Do regular business reports include compliance matters?

Are senior executives involved in the development of company policies?

Page 21

3. Use due care to avoid individuals with bad propensities

Are there employee screening/background checks?

Do performance reviews include ethics/ compliance?

Page 22

4. Effectively communicate standards to employees

Is there a vigorous process for the development and implementation of compliance training?

Is there a comprehensive communication plan addressing:

• turnover
• language barriers
• level of communication (6th grade v. college)
• channels of communication (brochures, webinars, etc.)
• timing for each type of communication (new policy, reminder, change in business or business practice, training, etc.)

Page 23

Training Issues

How often is training offered/repeated/updated?

Who is trained?

Does everyone receive the same training?

How is the training accomplished: in person, Web based, brochures?

How is the format determined?

Is appropriate training mandatory?

Page 24

5. Monitoring, auditing, and using reporting system (without fear of retribution)

Is there a vigorous program of internal audits and on-site, in-house or outside legal audits?

Is there a reporting system that allows anonymous reporting, protecting identities to the extent permitted by law and consistent with the policies of the Company’s Code of Conduct?

Are there incentives for compliance as a job performance element/penalties for failure to perform?

Page 25

6. Consistent & Appropriate Discipline

Is there a well-articulated, even-handed, evenly enforced disciplinary policy?

Does the company dismiss/discipline high level managers for violations?

Are there robust mechanisms to discover and take appropriate disciplinary action in response to violations of law and policy?

Page 26

7. Take “All Reasonable Steps”

Does the company develop proportional and timely responses to mistakes?

Is there an honest evaluation on an ongoing basis to anticipate new issues and improve the program?

ERM is Next Step

Page 27

Compliance Pitfalls

• Boilerplate programs
• Standards without established procedures
• Double standards regarding discipline
• Poor communication
• Lack of enforcement
• Constrained resources
• Disconnect on risk/benefit analysis

Page 28

“LIVE LONG AND PROSPER”

Mr. Spock

Page 29

~ Thank You ~

Mark L. Jones
Jackson Walker L.L.P.
Corporate Partner
1401 McKinney Street
Houston, TX
[email protected]

Susan M. Ponce
Halliburton
Senior V.P. & Chief Ethics and Compliance Officer
2107 CityWest Blvd., Bldg 4 - 13th Floor
Houston, TX 77042
713-839-4509
[email protected]