trends in compliance and ethics - chapters site county/iia oc presentation... · trends in...
TRANSCRIPT
Trends in Compliance and Ethics
Global Ethics & Compliance
November 13, 2015
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Agenda
� Introductions
� Compliance Trends
- PwC’s 2015 State of Compliance Survey: Key Themes
- Conflict Minerals – an overview
- Third Party Risk
'Confidential Information for the sole benefit and use of PwC's Client
2
PwC
PwC’s State of Compliance 2015 Survey Key Themes
The compliance function should actively participate in the setting of corporate strategy. 1Owners of compliance obligations should be aware of what “compliance” entails across the organization as well as understanding the scope of their own responsibilities.
2The compliance function should collaborate with business owners of compliance obligations. 3
Compliance leaders should evaluate and potentially re-imagine the identity of their function.4
Compliance officers should explore ways to increase operational efficiency and effectiveness.5
4
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Theme 1: The compliance function should actively participate in the setting of corporate strategy.
78%
of CEOs expect to increase headcount
of CEOs are concerned about over-regulation
50%
38%
of CCOs saw an increase in staffing, while 36% saw no change and 8% saw a decrease
Source: PwC’s 2015 State of Compliance Survey
5
'Confidential Information for the sole benefit and use of PwC's Client
PwC
The compliance function can be particularly valuable as companies experience significant growth.
What will your Chief Compliance Officer/Corporate Compliance function do to address these trends?
What trend do you believe will be the greatest driver for change in compliance risk management over the next 10 years?
55%
52%
45%
51%
Embed new compliance risks into business strategydecisions
Build this trend into compliance risk metrics
Engage with new/ additional external stakeholders
Engage with new/ additional internal stakeholders
2%
1%
12%
53%
11%
Climate change
Accelerating urbanization
Shifts in economic power
Technological breakthroughs
Demographic shifts
6
Source: PwC’s 2015 State of Compliance Survey
'Confidential Information for the sole benefit and use of PwC's Client
PwC
B
Note: This is a representation of the way responsibility is allocated at a small sample of companies. It is not a recommendation of how that responsibility should be allocated.
Direct Involvement/Monitoring
Limited Involvement
Compliance Risk Assessment
Code of Conduct, Hotline, Investigations
Fraud & Corruption (AML, ABAC, etc.), Insider Trading,
Conflicts of Interest
Compliance & Ethics Training
Environmental , Health & Safety
Information Management
(includes Privacy & Records
Management)
Employment
Customs & Trade
Compliance
SOX
IP/ Confidentiality
Financial Reporting
Shared
Services
International Business
Development
Advertising & Marketing
Political and Lobbying
Social Media & Other Use of Technology
Legend
Ownership
Monitoring
Line of Sight
Theme 2: Owners of compliance obligations should be aware of what “compliance” entails across the organization as well as understanding the scope of their own responsibilities.
'Confidential Information for the sole benefit and use of PwC's Client
7
PwC
85%
82%
59%
55%
54%
50%
45%
40%
37%
22%
13%
13%
12%
9%
10%
Compliance
Legal
Internal Audit
Finance
Human Resources
Risk Management
Operations
Information Technology
Business Units
Sales and Marketing
Supply Chain
Procurement
Research & Development
Investor Relations
Other
83%
80%
63%
52%
52%
41%
32%
31%
17%
12%
11%
9%
12%
Compliance
Legal
Internal Audit
Finance
Human Resources
Operations
Information Technology
Business Units
Sales and Marketing
Supply Chain
Procurement
Investor Relations
Other
8
Which of the following departments or functions serve on the Compliance Committee?
2015 2014
Theme 3: The compliance function should collaborate with business owners of compliance obligations.
Source: PwC’s 2015 State of Compliance Survey
'Confidential Information for the sole benefit and use of PwC's Client
PwC
5%
6%
7%
7%
7%
8%
8%
9%
9%
10%
10%
11%
11%
11%
12%
15%
16%
16%
16%
16%
20%
26%
31%
Insider trading
Records management
Social media
Employment labor compliance
Ethical sourcing
Corporate social responsibility
Fair competition/Anti-trust
Government contracting
Safety/Environmental
Money laundering
Import-export controls/trade compliance
Consumer protection
Intellectual property
Supplier compliance
Business continuity
Security
Regulatory quality
Fraud
Conflicts of interest
Bribery/Corruption
Strategic risk
Privacy and confidentiality
Industry-specific regulations
1%
2%
3%
4%
4%
5%
6%
6%
6%
7%
8%
8%
8%
12%
12%
12%
14%
17%
22%
24%
24%
27%
47%
Physical security
Ethical sourcing
Insider trading
Social media
Corporate social responsibility
Fair competition/Anti-trust
Records management
Safety/environmental
Government contracting
Import-export controls/trade compliance
Employment and labor compliance
Intellectual property
Business continuity
Money laundering
Regulatory quality
Consumer protection
Fraud
Conflicts of interest
Supplier/vendor/third-party compliance
Bribery/corruption
Industry-specific regulations
Privacy and confidentiality
Data security
9
Select your top 3 areas in terms of future perceived level of compliance-related risk to your business over the next 5 years (i.e., to 2020)?
‘Best in class’ compliance functions focus on key strategic and emerging risks.
2015 2014
Source: PwC’s 2015 State of Compliance Survey
'Confidential Information for the sole benefit and use of PwC's Client
PwC
33%
33%
28%
43%
55%
55%
64%
65%
80%
80%
Technology acumen
Data analysis experience
HR background
Finance background
Business operations background
Industry expertise
Regulatory compliance experience
Audit background
Legal background
Compliance or ethics background
Theme 4: Compliance leaders should evaluate and potentially re-imagine the identity of their function, including its people.
10
Which of the following skillsets and experiences are represented in your organization’s Corporate Compliance function?
1Compliance or Ethics
Background
2 Legal
Background
3 Audit
Background
Source: PwC’s 2015 State of Compliance Survey
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Theme 5: Compliance officers should explore ways to increase operational efficiency and effectiveness.
41%
35%
24%
Yes No Don't know
What elements does your Corporate Compliance function consider to help define aggregate compliance cost when determining budgets or articulating program value?
Does your Chief Compliance Officer/ Corporate Compliance function actively measure compliance cost to your organization?
Direct operating costs 74%
Compliance-related initiatives 69%
Systems and tools 57%
Third party (e.g., contingent workers, contractors,
consulting fees)
55%
Indirect operating costs 51%
Direct cost of non-compliance 36%
Other 2%
Don’t know 12%
11
Source: PwC’s 2015 State of Compliance Survey
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Technology has the potential to add significant value to compliance management.
Why doesn’t your Corporate Compliance function use a dedicated GRC technology tool?
GRC tools are too expensive
We don’t have the technical expertise to effectively use
GRC technology tools
We don’t have budget for GRC technology
None of the GRC
technology tools we have seen meet our needs
We don’t have time to analyse and select a GRC technology vendor
We make do with other in-house tools GRC
technology is not a priority
for us
12
'Confidential Information for the sole benefit and use of PwC's Client
Source: PwC’s 2015 State of Compliance Survey
PwC
Compliance teams need data that measures how well the business manages compliance risk.
13
How, if at all, does your organization use data analytics in its corporate compliance and ethics program?
14%
8%
17%
20%
20%
28%
28%
35%
37%
39%
53%
Don't know
We access data from portable devices (e.g.smartphone, tablet)
We do not use data analytics in our corporatecompliance and ethics program
We receive automated data outputs
For external reporting
For transaction monitoring
For visualization and dashboarding
To track regulatory compliance (e.g. meetingcompliance deadlines)
To monitor for inappropriate or suspicious activity
For trending and comparisons
For internal reporting
Source: PwC’s 2015 State of Compliance Survey
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Top 5 ways that compliance professionals can become C-suite stars . . .
14
Actively express an interest in participating in strategy decisions, and proactively articulate to the CEO the strategic value that compliance can deliver.
1Review the strategic plan and develop ideas for addressing new or unusual compliance risks, or leveraging them to gain competitive advantage. 2Forge close relationships with key business leaders throughout the company and offer insights to help the business identify and mitigate risks related to compliance issues.
3Define (or redefine) the scope of compliance across the organization and build partnerships with compliance owners within the business to ensure that all issues are being managed effectively.
4
Implement efficiency initiatives to improve the effectiveness of the compliance function and reduce compliance-related costs. 5
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Temporary stay on disclosing conflict status
• Included in the SEC’s communication that suspended the conflict status labelling requirement
• Has caused some confusion over whether this guidance overrides the Rule’s requirement for the audit in CY2015
• On August 18th, the U.S. Court of Appeals for the D.C. Circuit upheld their original decision that the labelling requirement is unconstitutional.
• On October 2, 2015, SEC and Amnesty International filed petitions requesting an en banc rehearing of the April 2014 and the August 2015 D.C. Court of Appeals panel decisions, in an effort to reverse the ruling that struck down portions of the conflict minerals rule as
unconstitutional.
“Pending further action, an IPSA will not be required unless a company voluntarily elects to describe a product as “DRC conflict free” in its Conflict Minerals Report.”
--SEC statement, April 29, 2014
Confidential Information for the sole benefit and use of PwC's Client.15
PwC
SEC High Level RequirementsS1502 essentially requires a new level of transparency and risk management across company supply chains
What are conflict minerals?
Conflict minerals, per S1502, are tantalum, tin, tungsten and gold (“3TG”) that may be necessary to the production or functionality of a company’s products.
What is the goal of s1502?
S1502 seeks to reduce funding for armed groups in the DRC and surrounding countries. Companies are required to perform due diligence and report on whether the 3TG in their products may have been sourced from the DRC region, and if so, if they are conflict free . Note that the regulation does not restrict sourcing from the region. This is a transparency requirement only.
When is the reporting due??
The Form SD (and, if applicable, CMR) are due May 31st
for the prior calendar year.
SEC Requirements
Determine at a product level how
S1502 applies
Develop and conduct reasonable country of
origin inquiry (RCOI) and due diligence (DD)
Obtain independent audit, if needed
Comply with disclosure requirements
1
+2 3
4a
4b
~1,265Issuers filed a Form SD
~ 1,000 Issuers included a Conflict Minerals Report (over 75%)
6Issuers obtained an audit of their Conflict Minerals Report
Figures are based on CMRs filed as of 7/15/2015 16
Proprietary and Confidential
PwC
Summary of SEC Rule – Audit Requirement
• The Conflict Minerals Report, when required, must include an independent audit report to express an opinion or conclusion covering:
- Whether the design of the due diligence framework conforms, in all material respects, with a nationally or internationally recognized framework (e.g., OECD), and
- The accuracy of the description in the CMR of the DD measures undertaken
• Generally Accepted Government Auditing Standards (Yellow Book) established by GAO apply. Audit could be either:
- Attestation Engagement (must be performed by CPA), or
- Performance audit (not required to be conducted by CPA)
• For companies using their financial statement auditor, the IPSA is considered a non-audit service subject to pre-approval by the Audit Committee
• Some level of independence required to be the IPSA auditor17
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Program Assessment or Mock Audit
Program Assessment
• Assessment of the company’s Conflict Mineral compliance program and activities, broadly
• Covers both areas of compliance as well as areas in scope of the audit
• Can include program design and/or execution (minimally a sample of 1)
Mock Audit
• Focuses on preparedness of the company to meet the 2 objectives in scope of the future IPSA
• Execute the audit methodology
• Assess Company’s due diligence framework is designed in conformity, in all material respects, with the criteria set forth in the OECD
• Company’s description of the due diligence measures is consistent, in all material respects, with the due diligence process the Company undertook
'Confidential Information for the sole benefit and use of PwC's Client
18
PwC
Third Party Risk
Increased reliance on Third Parties represents a unique compliance challenge.
19
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Third Party Risk Management FrameworkThird party risk management is focused on understanding and managing risks associated with third parties with which the company does business and/or shares data.
Third Party Risk Management
Vendors
Suppliers
Joint Ventures
Business Channels
Marketing Partners
Third Parties Risk ConsiderationsThe PwC TPSRM Framework
Affiliates
Broker Dealers
Reputational
Operational
Financial
Business Continuity
Country
Information Security
Privacy
Regulatory / Compliance
Termination
Subcontractor
Technology
Concentration
Regulated Entities
20
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Managing Risk Associated with Third Parties
The following are examples of Third Party due diligence assessments performed on potential and existing third parties to understand the existing control environment and capabilities.
*Business Continuity Management includes Business Contingency (“BC”) planning and Disaster Recovery (“DR”)
• Technology Architecture• Assets utilized• Technology Roadmap• Technological capabilities• System Development Lifecycle
(SDLC)• Audit trail• Application management
• Incident management
• Monitoring, communication and
connectivity
Technology
• Third Party Relationship Management
• Sub-Service Third Party Relationships
• Logical access Control• Monitoring, communication and
connectivity
Subcontractor
• Fire Suppression• Server Security & Conditions• Data Centers• Backup Power Sources• Asset management• Key Card & Facility Access
Physical Security
• Security policies• Encryption• Logical access Control• Customer contact
Information Security & Privacy
• Political• Geographic• Regulatory• Legal• Economic• Travel Safety
Country
• Recovery• Data Backup Management• Offsite storage• Media and vital records• Data integrity
Business Continuity & Resiliency*
• Going concern• Liquidity• Leverage• Profitability• Transaction Processing
Financial
• Litigation or ethical flags• Media coverage• OFAC or other factors• Criminal and/or civil complaints
Reputational
• People• Process• Financial Reporting• Subcontractors• Concentration
Operational
• Anti-Bribery• Anti-Money Laundering• Sales & Marketing Activities• Transparency Reporting• Anti-corruption • PCI
Compliance
21
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Third party inventory, stratification and on-going assessment model
Refine
Existing Third Party Inventory Inherent risk assessment Pre-contract due diligence& residual risk
Nature, timing and extent &On-going due diligence
GovernOversee
R
e
s
i
d
u
a
l
r
i
s
k
m
a
t
u
r
i
t
y
r
a
n
k
i
n
g
Standard risk definition
1 Controls do not exist/are not in place
2
Controls are in place but are not documented
appropriately or currently are not reviewed/ tested;
controls are not consistently followed
3Controls are in place and are documented and
reviewed; manual or partial automation
4
Controls are in place, are documented appropriately,
are reviewed on a periodic basis, have continuous
control monitoring and fully automated if available
Refre
sh &
Re-ra
nk
Metrics & ReportingThird Party Scorecards
ProgramDashboards
New Third Parties
On-boardEstablish
Inherent risk rating
Residual risk rating
Segment 3 – “Moderate R isk”
Segment 2 – “High Risk”Segment 1 –”Critical”
Nature Timing Extent Nature Timing Extent Nature Timing Extent
4
Segment 4 – “Low Risk”
Nature Timing Extent
3 Onsite12-16
Months
Scoped
TestingOnsite
18
Months
Scoped
Test ingRemote
18
Months
Scoped
Inquiry
Se lf-
Assess
36
Months
Scoped
Inquiry
1 Onsite AnnualScoped Testing Onsite Annual
Scoped Test ing Onsite
18Months
Scoped Testing Remote
24Months
Scoped Inquiry
Onsite18 Months
Scoped Testing Onsite
24 Months
Scoped Test ing Remote
24 Months
Scoped Inquiry
Se lf-Assess
48 Months
Scoped Inquiry
2 Onsite AnnualScoped
TestingOnsite
12-16
Months
Scoped
Test ingRemote Annual
Scoped
InquiryRemote
36
Month
Scoped
Inquiry
The inventory, risk rating and on-going testing model enables a focus on efforts to establish the third party inventory, oversee services with higher levels of inherent risk. The model relies on the existing third party inventory and new third parties as an input, as well as an area of refresh to ensure the third party inventory is kept complete and accurate on an on-going basis. The model also drives the on-going due diligence process based on the inherent risk and the business facts of the services provided.
22
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Third Party Risk Management – Program governance structureA TPRM strategy is supported by three lines of defense – the first line lies within each individual Line of Business and is empowered by the second line who owns the provision of ongoing guidance, tool support, and facilitation of cross-business collaboration. The third line is responsible for evaluating the design and operating effectiveness of the Program.
Governance
Management & Oversight
Business Unit
Third Party Risk Manager
Subject Matter Specialists
Third Parties
Legal & Compliance
Business Unit Sponsor
Sourcing
Contracts ManagementProcurement
Enterprise Risk Committee Enterprise Management
Third Party Management Office Operational Risk Oversight
Board of Directors
Subcontractors
First Line of Defense• Primary responsibility for compliance and owner of risk• BU managers and third party relationship owners are responsible for
identifying, assessing and mitigating risk associated with their business• Implement internal controls and practices are consistent with company-wide
policies & procedures• Promote a strong risk culture and sustainable risk-return decision making
Second Line of Defense• Independent compliance framework, policy & oversight• Business partners work with the BU’s to identify, assess and mitigate all risks• Design and assist in implementing company-wide risk framework and
oversee enterprise risks• Provide independent risk oversight across all risk types, business units and
locations• Perform quality assurance reviews and other targeted oversight practices to
ensure that the line of business is compliant with internal policies/ external regulations
Third Line of Defense• Independent assurance• Independently test, verify and evaluate risk management controls against
internal policies• Report upon effectiveness of the program
Internal Audit
InfoSec Privacy BCMPhySec TP Compliance TPRM
Reputational RiskCredit/Finance Technology Operational Risk
HR
Sourcing Contracts
23
'Confidential Information for the sole benefit and use of PwC's Client
PwC
Bio’s
24
Thack Skidmore
Director, Performance Governance
Risk and Compliance
PwC LLP
Irvine, California
+1 949.437.5607
Cynthia Keith
Manager, Risk Assurance
PwC LLP
San Diego, California
+1 858.677.2675
Thank you
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
25