what should your compliance function look like?assets.corporatecompliance.org/portals/1/...things to...
TRANSCRIPT
Dominic F. Perella
Sean Coutain
October 2017
From Start-Up to IPO: How to Design and Build a Compliance Program From Scratch
What should your compliance function look like?
Start With the Legal Frameworks
• There are Legal Frameworks that Should Guide Your Way
• Most Important Touchstone: The U.S. Sentencing Guidelines
• Later On: SOX, COSO, and Stock Exchange Rules
U.S. Sentencing Guidelines
• The United States Sentencing Guidelines (USSG) are relevant
because organizations are “persons” under U.S. federal criminal
law and may be prosecuted for criminal conduct.
• The USSG has a whole section on effective compliance programs.
• That’s because an organization’s commitment to stopping criminal
conduct, as evidenced by the effectiveness of its compliance and
ethics program, is the primary mitigating factor that may result in
a reduced sentence.
U.S. Sentencing Guidelines cont.
The USSG defines effective programs as follows:
• DUE DILIGENCE: Exercise due diligence to prevent and detect criminal conduct.
• ETHICAL CULTURE: Promote a culture that encourages ethical conduct and a commitment to compliance with the law.
• POLICIES & CONTROLS: Establish standards & procedures to prevent & detect criminal conduct.
• BOARD OVERSIGHT: Board must be knowledgeable about the content and operation of the compliance and ethics program and must exercise reasonable oversight.
• ACCOUNTABLE SENIOR MANAGEMENT: High-level personnel must ensure that the organization has an effective compliance and ethics program.
  − Make high-level personnel responsible.
  − Appoint specific people to run the program’s operations and give them adequate resources, appropriate authority, and direct access to the governing authority.
  − Have them report periodically on the program’s effectiveness.
U.S. Sentencing Guidelines cont.
• TRAINING: Communicate compliance standards through effective training programs, appropriate to individuals’ respective roles and responsibilities.
• EVALUATION & RISK ASSESSMENT: Take reasonable steps to:
  − Periodically evaluate the effectiveness of the program.
  − Ensure that the program is followed, including auditing to detect criminal conduct.
  − Periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify each program requirement to reduce that risk.
• WHISTLE-BLOWING: Maintain a system for employees and agents to report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
• ENFORCEMENT: Consistently promote and enforce the compliance program. Include appropriate incentives for taking reasonable steps to prevent or detect criminal conduct, and appropriate disciplinary measures for failing to take such steps.
• REMEDIATION: If criminal conduct occurs, take reasonable steps to respond and to prevent it in the future, including any necessary modifications to the program.
Sarbanes-Oxley & COSO
Next step after you’ve nailed the USSG: Test yourself against Sarbanes-Oxley
(SOX) and the Committee of Sponsoring Organizations (COSO) framework.
SOX § 406: A public company’s code of conduct must call for--
• Standards as are reasonably necessary to promote honest and ethical
conduct, including the ethical handling of actual or apparent conflicts
of interest between personal and professional relationships;
• Immediate disclosure of any change in or waiver of the code of ethics
for senior financial officers;
• Full, fair, accurate, timely, and understandable disclosure in the
periodic reports required to be filed by the issuer;
• Compliance with applicable governmental rules and regulations.
Sarbanes-Oxley & COSO cont.
• SOX § 404 requires management to establish and maintain
adequate internal controls over financial reporting and to publicly
disclose the framework used to assess the effectiveness of controls.
• The COSO framework is the current “gold standard”; most U.S. public companies use it to satisfy SOX § 404. It lists seventeen principles for an effective control environment.
• Principle one is “Demonstrate Commitment to Integrity and Ethical
Values.”
Sarbanes-Oxley & COSO cont.
COSO Principles of Effective Internal Controls

Control Environment
1. Demonstrate commitment to integrity and ethical values
2. Ensure that board exercises oversight responsibility
3. Establish structures, reporting lines, authorities, and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable

Risk Assessment
6. Specify appropriate objectives
7. Identify and analyze risks
8. Evaluate fraud risks
9. Identify and analyze changes that could significantly affect internal controls

Control Activities
10. Select and develop control activities that mitigate risks
11. Select and develop technology controls
12. Deploy control activities through policies and procedures

Information and Communication
13. Use relevant, quality information to support the internal control function
14. Communicate internal control information internally
15. Communicate internal control information externally

Monitoring
16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
17. Communicate internal control deficiencies
Stock Exchange Codes of Conduct
• Planning to go public? You’ll need to meet specific compliance
rules for that too.
• Each stock exchange promulgates its own rules.
• Check these rules well in advance of the IPO. Leave yourself
enough time to come up to code as needed.
Stock Exchange Codes of Conduct cont.
NASDAQ
NASDAQ Rule 5610 imposes the following requirements on listed companies:
• Must adopt a code of conduct applicable to all directors, officers, and
employees.
• Code of conduct must be publicly available.
• Code must provide for an enforcement mechanism.
• Waivers for directors or executive officers must be approved by the
Board. Waivers must be disclosed within 4 business days on a Form 8-K.
• Code of conduct must comply with SOX Section 406.
Stock Exchange Codes of Conduct cont.
New York Stock Exchange (NYSE)
NYSE Rule 303A.10 requires the following:
• Adopt and disclose a Code of Business Conduct and Ethics for directors,
officers, and employees.
• Promptly disclose any waivers of the code for directors or executive
officers.
• Such waivers may be made only by the board or a board committee.
• Each code must contain compliance standards and procedures that will
facilitate the code’s effective operation. The standards should ensure
prompt and consistent action against code violations.
Stock Exchange Codes of Conduct cont.
NYSE cont.
NYSE Rule 303A.10 also requires that each code must address:
• Conflicts of interest. Must have a mechanism to identify conflicts and ban them as
warranted.
• Corporate opportunities. Must prohibit personnel from taking opportunities that
belong to the company.
• Confidentiality. Must emphasize confidentiality of corporate and customer
information.
• Fair dealing. Must require fair dealing with third parties and ban manipulation,
misrepresentation, and other unfair practices.
• Protection of assets. Must ban theft and misuse of company assets.
• Compliance with laws. Must promote compliance with laws, rules, and
regulations, including insider trading laws.
• Reporting. Must encourage the reporting of illegal or unethical behavior, offer
mechanisms for reporting, and make clear that the company will not allow
retaliation for reports made in good faith.
What Next?
What Next?
So now you’ve got a Code of Conduct. What do you do next?
Risk Assessment:
• Risks vary widely by industry. Work with an outside advisor
to design a process tailored to your company and industry.
• Use results of risk assessment to inform what you build.
• Add additional policies, training, due diligence, and
management oversight, targeted at your risks.
Common Risks
Compliance programs typically guard against four common categories
of risk: corruption, conflicts of interest, fraud, and regulatory
violations. But you need to understand which risks to emphasize given
your particular business. Things to think about:
• Will you be operating in countries with a high risk of
corruption?
• Will you be selling high-tech hardware that’s likely to be
regulated by export control regulations?
• Will you be using agents, such as sales agents, that are more
difficult for you to control directly?
• Will you be in a highly regulated industry?
Targeting Your Risks
Your risk assessment will guide you on what to build.
• Example: Operating in countries with a high risk of corruption? Add
especially robust anti-corruption training and controls around gifts and
other expenses.
• Example: Selling high-tech hardware that’s likely to be regulated by
export control regulations? Add controls to make sure you always have a
full, real-time understanding of your company’s new research or products.
That way, you can analyze their export implications or hire a consultant to
do so.
Snap’s initial assessment focused on three risks:
• Corruption
• Trade Restrictions
• Conflicts of Interest
Risk 1: Corruption
The Foreign Corrupt Practices Act (“FCPA”) became law in 1977 but few cases were
prosecuted. In 1997, the U.S. signed an international convention combating bribery
of public officials, and then amended the FCPA to add worldwide jurisdiction.
Post-amendment, prosecutions skyrocketed.
Risk 1: Corruption cont.
FCPA criminalizes the giving of:
• anything of value,
• directly or indirectly,
• to a government official
for the purpose of:
• influencing, inducing or otherwise affecting an official act, decision,
or omission of an act or decision,
• securing an improper advantage, or
• assisting in obtaining or retaining business for any person or entity.
Risk 1: Corruption cont.
Global Proliferation
• Other countries have since added their own anti-corruption laws.
• For example, the UK Bribery Act, Brazil’s Clean Company Act, and France’s Loi Sapin II are substantially similar to the FCPA and have global reach.
• Some of these laws also forbid commercial bribery – bribery of a
private party, as opposed to a government official.
• Some states (e.g. California) also have commercial bribery laws.
Risk 2: Trade Restrictions
• Trade embargoes and sanctions prohibit or severely restrict
business activities with certain countries and their nationals, as well
as business activities with specific entities and persons (e.g. those
who support terrorism).
• Export control regulations impose restrictions on the transfer of
certain articles and technology to foreign destinations or persons.
• Anti-boycott regulations prohibit U.S. companies and their foreign
subsidiaries from participating in unsanctioned boycotts against
countries friendly to the United States. Some other countries and
jurisdictions also maintain laws that prohibit compliance with
unsanctioned foreign boycotts or embargoes.
Risk 3: Conflicts of Interest
• Kickbacks: Supplier “kicks back” a percentage of its earnings to an
employee in exchange for rigging a bid or channeling extra
business to the supplier.
• Outside Activities: Employment by or ownership stake in a
customer, supplier, competitor, or potentially competitive
business.
• Hiring: Selecting less-qualified candidates based on familial
relationship or for personal benefit.
So What Do You Build, Exactly?
First: Build Other Policies
Recommended policies:
1) Anti-corruption Policy & Due Diligence Protocol
2) Gifts & Entertainment
3) Travel & Expenses
4) Trade Compliance Policy
5) Related Party Transactions Policy
6) Insider Trading Policy
7) Non-retaliation Policy
8) Anti-fraud Policy (The 2013 revisions to the COSO framework recommend establishing “fraud risk governance policies”)
Second: Build Training Programs
Employee training should cover the key points of all policies.
• Code of Conduct training must be Company-wide and in-depth.
• All other training can be targeted:
  − E.g., in-depth anti-corruption training for customer- or supplier-facing personnel.
  − E.g., in-person training on boycotts for personnel in high-risk countries.
Third: Build Company-wide Messaging
• Periodic messaging
  − Deliver compliance messaging on a fixed cadence.
  − Quarterly campaign featuring new theme or subject matter
  − Annual Ethics Week
• Tone from the top
  − Messaging from management impacts employee behavior more effectively than messaging from the compliance function.
• Hold management accountable
  − Managers are incentivized to participate in compliance messaging when held accountable for:
    − Training completion rates
    − Employee certification rates
    − Policy violation rates
Fourth: Build Spending Controls
Gift & entertainment expense limits are meaningless without
spending controls. Your expense monitoring system should have the
following features:
• Pre-approval workflow for policy exceptions
• Vendor code analytics (e.g., expense type is “meal” but credit
card vendor code is “clothing retailer”)
• Tracking of gift recipients and event attendees
• Automated flagging of expense limit violations by:
  − expense type
  − employee rank
  − location
  − headcount
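The flagging features listed above, as an added example that is not code from the presentation or from Snap’s own tooling: a small Python pass over constructed expense records that applies the vendor-code check, recipient tracking, and per-head limits by expense type, rank and location, recording pre-approved exceptions separately from unapproved ones. The limits, country codes and vendor categories are assumed placeholder values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Per-person USD limits by expense type and employee rank (constructed example values).
PER_HEAD_LIMITS = {
    "meal": {"staff": 75.0, "director": 125.0, "executive": 200.0},
    "gift": {"staff": 50.0, "director": 100.0, "executive": 100.0},
}
# Locations where the cap is halved (constructed placeholder codes; derive from risk assessment).
HIGH_RISK_COUNTRIES = {"XX", "YY"}
HIGH_RISK_FACTOR = 0.5
# Card-network vendor categories that plausibly fit each expense type (constructed mapping).
VENDOR_CATEGORIES_FOR_TYPE = {
    "meal": {"restaurant", "catering"},
    "gift": {"gift shop", "florist", "department store"},
}

@dataclass
class Expense:
    expense_id: str
    rank: str
    country: str
    expense_type: str
    vendor_category: str
    amount: float
    headcount: int = 1                     # attendees or recipients covered
    recipients: Tuple[str, ...] = ()       # who received the gift / attended
    preapproval_id: Optional[str] = None   # set when an exception was cleared

def flag_expense(e: Expense) -> List[str]:
    """Return the policy flags raised by one expense; an empty list is clean."""
    flags = []
    # Vendor code analytics: the merchant category must fit the claimed type.
    if e.vendor_category not in VENDOR_CATEGORIES_FOR_TYPE.get(e.expense_type, set()):
        flags.append(f"vendor-mismatch:{e.expense_type}/{e.vendor_category}")
    # Recipient tracking: gifts must name who received them.
    if e.expense_type == "gift" and not e.recipients:
        flags.append("missing-recipients")
    if e.headcount < 1:
        return flags + ["invalid-headcount"]
    # Limit by expense type, rank, location and headcount.
    limit = PER_HEAD_LIMITS.get(e.expense_type, {}).get(e.rank)
    if limit is None:
        return flags + ["no-limit-defined"]
    if e.country in HIGH_RISK_COUNTRIES:
        limit *= HIGH_RISK_FACTOR
    per_head = e.amount / e.headcount
    if per_head > limit:
        # Exceeding the cap is an exception: recorded if pre-approved, flagged if not.
        if e.preapproval_id:
            flags.append(f"over-limit-preapproved:{e.preapproval_id}")
        else:
            flags.append(f"over-limit:{per_head:.2f}>{limit:.2f}")
    return flags

def review(expenses: List[Expense]) -> Dict[str, List[str]]:
    """Run every expense through flag_expense and keep only the flagged ones."""
    return {e.expense_id: f for e in expenses if (f := flag_expense(e))}

SAMPLE_EXPENSES = [  # constructed records, not real data
    Expense("E1", "staff", "US", "meal", "restaurant", 120.0, headcount=2),
    Expense("E2", "staff", "US", "meal", "clothing retailer", 60.0),
    Expense("E3", "director", "XX", "gift", "gift shop", 90.0, recipients=("official",)),
    Expense("E4", "executive", "US", "gift", "florist", 150.0,
            recipients=("client CFO",), preapproval_id="PA-17"),
    Expense("E5", "staff", "US", "gift", "florist", 40.0),
]
```

Running `review(SAMPLE_EXPENSES)` leaves E1 clean and returns one flag each for E2 (vendor mismatch), E3 (over the halved high-risk cap), E4 (over limit but pre-approved) and E5 (gift with no recipient recorded).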
Fifth: Build Counterparty Due Diligence
Set clearly defined criteria for determining the scope and level of due diligence to conduct on each counterparty.
• Risk-based approach: Level of scrutiny should be based on:
  − Entity type (e.g., customer, supplier, agent)
  − Location (country’s corruption perceptions index score)
  − Industry
  − State ownership
• Automate your systems
  − Connect customer and vendor onboarding systems to your due diligence provider via API.
  − Include questions about entity type, location, industry and state ownership in your customer and supplier onboarding portals.
Sixth: Build Enforcement
• You’ll need procedures that tell you what to do when an employee
goes awry.
• Example: Employee exceeds spending limits without clearance. You
should have procedures setting forth who will investigate, who will
decide on discipline, and what the discipline may include for
particular violations.
Seventh: Build Conflicts Disclosures
• You’ll need a simple way for employees to tell you about their potential conflicts (outside business interests, relationships, etc.). Many software tools are available for this.
• Employees should be asked upon hiring and periodically
afterwards.
• You’ll also need a procedure to decide which conflicts will be
allowed and which have to be solved (e.g. by ending an outside
project or changing a managerial reporting structure).
Eighth: Build Reporting
Compliance function should report at least quarterly to either the full
board or, more commonly, the Audit Committee.
• Track compliance metrics for presentation to Committee.
− Investigation cycle times
− Number, type and location of cases
− Percentage of substantiated allegations
− Emerging trends
• Work cross-functionally to ensure the audit committee has a
complete view of issues across the company. Each function
should submit data on policy violations, audit findings, employee
misconduct, etc.
• Interpret changes in data over time.
How do you get executive oversight?
First: Executive Buy-In
The DOJ and SEC’s “Resource Guide to the FCPA” states:
• “Compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. . . . DOJ and SEC consider the commitment of corporate leaders to a ‘culture of compliance’ and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees.”
• “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the . . . program to one or more specific senior executives.”
Second: Compliance Committee
• Compliance Committees are well established as a preferred method to help implement the DOJ’s executive buy-in requirements discussed above.
• The Committee’s existence reduces risk. It also could mitigate penalties in the event the company ever had a compliance issue and faced government investigation.
Compliance Committee cont.
• Compliance Committees are considered a Best Practice by virtually all experts in the field.
• According to a CEB survey, the majority of public companies (79%) have a Compliance Committee.
• The 21% who do not use this approach tend to be small companies without international operations.
[Chart: Existence of Compliance Committee at Public Companies. Yes = 79%; No = 21%.]
What Does The Committee Do?
1. Oversees a formal risk assessment process that covers areas addressed
by the Code (FCPA, trade, conflicts, etc.)
2. Benchmarks compliance function against peer companies and evaluates
its effectiveness
3. Identifies and addresses gaps in policy, training, oversight, and
enforcement
4. Determines the scope and ownership of compliance-related work
a. Vets and approves new company policies to avoid functional overlap.
b. Determines which functions will oversee which policies.
c. Determines best approaches for training and enforcement.
d. Evaluates which internal controls are needed.
e. Establishes internal investigation protocols.
f. Ensures that adequate resources are in place to achieve goals.
5. Tracks compliance metrics for presentation to the Board or Audit
Committee
Who Should Serve on the Committee
The typical Committee is chaired by the Chief Compliance Officer and includes Legal,
Finance, HR, and Audit executives. But a CEB survey revealed important trends:
• The requirement of “management oversight” of compliance has led to increased
participation by CEOs and senior business unit executives.
• The increasing importance of technology in risk mitigation has drawn more IT
executives onto compliance committees.
Benchmarking
The DOJ & SEC’s FCPA guidance states: “When it comes to compliance, there is no one-size-fits-all program… Indeed, small and medium-size enterprises likely will have different compliance programs from large multinational corporations, a fact DOJ and SEC take into account when evaluating companies’ compliance programs.”
Benchmarking against other compliance programs is necessary to ensure
your program is comparable to others within your industry and at your level
of maturity. The following organizations provide benchmarking resources:
• Society for Corporate Compliance and Ethics (SCCE)
• Corporate Executive Board (CEB)
• Ethics & Compliance Initiative (ECI)
• Bay Area Ethics & Compliance Association (BECA)
• High Tech Compliance Group (HTCG)
• Ethisphere
Demo of some Snap compliance tools
CONFLICT OF INTEREST DISCLOSURE DEMO
GIFT & ENTERTAINMENT PRE-APPROVAL DEMO
Pre-Approval Form – Concur Expense Management Tool
Customer Onboarding Demo
New Customer Screening Form - Salesforce.com
GIFT DISCLOSURE DEMO
Gift Disclosure Form - Navex
THE END