Sunday, May 1, 2011

Insight from the SEC

In preparing for a presentation I have coming up, I ran across a speech SEC Chairman Mary Schapiro gave on March 23, 2011 to the Securities Industry and Financial Markets Association's (SIFMA) Compliance and Legal Society Annual Seminar. While her remarks were certainly aimed at the financial industry, I found them to be relevant to all compliance professionals. Here are just a few snippets for your consideration:
  • Our examiners will be looking to see if registrants have embraced “a culture of compliance [my emphasis],” including enterprise risk management, within their firms.
  • A comprehensive approach to enterprise risk management is important for several reasons. For example, inattention to risk management can lead to seemingly minor corner-cutting on compliance issues which eventually snowballs into a serious problem for management and investors.
  • And, without a commitment to good governance and risk management, silos can form and the interdependence between risk categories can be overlooked.
Further, she elaborated that going forward, their examiners intend to focus on understanding how risk management is embedded in key business processes and decision-making at a number of levels. They will be asking questions such as:
  • How are the business units of an entity ensuring they are taking and managing risk effectively?
  • Are key risk management, control and compliance functions structured and funded to be effectively embedded in the business process?
  • How are senior managers ensuring effective oversight of enterprise risk management?
  • And how is the internal audit process independently verifying and providing the board and senior management with assurance about the operating effectiveness of the risk management, compliance and control functions?
These comments resonated with me, because this is also what I am hearing from our most forward-thinking clients and from industry analysts. The compliance function is growing up - and it needs to be funded appropriately in order to be effective. Tom Fox, a recognized expert in the FCPA, retells a great anecdote he heard from a former prosecutor: When told by a company identified as violating a compliance regulation that they properly fund the compliance effort, the prosecutor would simply ask, "how much did you spend last year on paper clips/Post-It notes?" If greater than the funding for the compliance department/function, the company would inevitably find itself in more trouble.

But more than just funding, compliance activities must be integrated into the ongoing operational processes of the business in order to be effective. The "whack a mole" approach to dealing with the most pressing compliance issue at hand simply won't suffice as we continue to operate in an environment where governmental agencies are committed to issuing new legislation and aggressively enforcing those and existing laws.

The question going forward won't be, "do you have a compliance program?" It will be, "how can you demonstrate your compliance program is effective?" So what are you doing in this area?

Friday, April 15, 2011

Adaptive GRC


I spent the first part of this week at the Health Care Compliance Association's Annual Compliance Institute, where I had the pleasure of listening to Daniel Levinson, the Inspector General of the Office of Inspector General give a keynote. (Also heard James B Stewart give an overview of his new book, Tangled Webs, which I think every compliance officer will want to read, but I digress...).

In Mr. Levinson's speech he reviewed what makes a strong compliance program, and I was once again reminded of how similar all the best practice frameworks are in their guidance.
Earlier this year I spent some time reviewing guidance in the US Federal Sentencing Guidelines, those from the OECD on effective compliance, FCPA program advice, and recently the Adequate Procedures from the Ministry of Justice on Anti-corruption programs. All of these shared commonalities, echoed by Mr. Levinson, on what needs to be present in an effective and evolving compliance program:
  • Tone from the Top - Senior Leadership must be committed to fostering an environment of integrity and compliance, and ensure this culture permeates throughout all employee ranks
  • Risk Assessment - An organization must periodically review and assess the perceived risks facing it, which subsequently leads to...
  • Policies, Procedures, Controls and Guidelines - Once risks are identified, appropriate policies and controls must be created and distributed to those likely to be affected. And these stakeholders must be trained, and often attest to their understanding of the policy and their commitment to abide by the expectations set within.
  • Reporting Mechanism - We are all human, so despite best intentions, it is recognized violations of existing policies will occur. When this happens, an organization must have the ability to effectively collect reports of possible violations wherever they come forward. A hotline is not enough - organizations should challenge themselves to ensure they are capturing reports that surface in face-to-face meetings with managers, HR business partners, and other local supervisors, exit interviews, through alerts or exceptions that are flagged through technology, etc.
  • Monitor and Assessment - A compliance program is not static; it needs to adapt as the business changes. New regulations can be mandated by the government, the business environment may be altered through mergers & acquisitions, economic prosperity or downturns, expansion into new markets, etc. Risks that weren't anticipated during the periodic assessments may become visible. An effective compliance program must be able to collect risk-related data, manage it consistently and appropriately, learn from it, and ultimately adapt to these learnings in order to support the overall business objectives.
It is this understanding that drives us here at EthicsPoint. We understand that every organization is on a GRC continuum - the level of sophistication and complexity of the compliance program will be dictated by a unique combination of factors: industry and the associated level of governmental regulation, organizational structure (domestic vs multi-national, single site vs multi-site, blue collar vs white collar, etc.) and corporate culture/commitment to compliance. Furthermore, the compliance obligations of today will not be the same twelve months from now.

This is why we have put so much effort into delivering the EthicsPoint Adaptive GRC Framework. We know that our solutions need to be able to fit into your organization today, regardless of where you are on the continuum, and adapt to your own internal processes and needs. Furthermore, we have to be able to support you as your compliance requirements change over time.

Later tonight, we will be launching the latest evolution of our solution offerings, including:
  • Enhanced Issue and Event Manager capabilities
  • NEW Benchmarking module, enabling deep analysis of your GRC program and comparisons with other "like" organizations - by industry, company size and even against our entire population of clients
  • NEW Policy Manager product to help you effectively manage the lifecycle of your policies
  • Enhanced Visualization Manager capabilities that will assist you in identifying risk hotspots, patterns and trends
  • New Service Offerings, including Global Whistleblowing Compliance, Third-party Risk Assessments and Third-party Privacy Assessments
This launch - while the largest and most ambitious in our company history - is only the beginning! And I couldn't be more excited about where we all are going as we adapt to ever-changing compliance needs!

Friday, November 12, 2010

Congratulations are in order!

Last night Corporate Secretary magazine presented the third annual Corporate Governance Awards, and the winners' list was chock full of EthicsPoint customers, many of whom I've had the distinct pleasure of meeting. I've said it before, but it bears repeating - the single most rewarding part of my job is interacting with our customers who work tirelessly fostering an environment of compliance and integrity throughout their organizations. Whenever I tire of the negativity endemic in our politics and media, I find solace in knowing the reality is much more positive than what is reported, often based on the character and hard work of clients and individuals like those listed below.

Please join me in congratulating the following winners of the Corporate Governance Awards:

  • Most Innovative CSR disclosure - Timberland
  • Best Legal team in an M&A transaction - Kraft Foods
  • Best proxy statement - UnitedHealth
  • Corporate governance team of the year (large-cap) - Best Buy
  • Governance professional of the year (large-cap) - Carol Ward, Kraft


Thursday, October 21, 2010

The Cost of Fraud


I downloaded the 2010 Kroll Global Fraud Report the other day - it's 47 pages of insightful data, analysis and recommendations with section overviews for both geographic and industry segments - I highly recommend downloading a copy. (Also would encourage readers to sign up for our upcoming webinar in which Melvin Glapion, Managing Director, UK Head of Business Intelligence, Kroll and Jeff Cramer, Managing Director and head of Kroll's Chicago office will discuss findings in this report.)

To whet your appetite, here are some statistics that caught my eye just in my initial reading:
  • 88% of respondents report they had been hit by at least one type of fraud in the past year - this is across small, medium and large enterprises. How are you collecting reports of suspected misconduct? I ask because I've heard many companies say "they don't have problems in their company - we don't have a need for an easy way to collect, investigate and resolve misconduct reports." Really???? You're one of the 12% of people that haven't been hit by fraud in the past year? Really? If so, Congratulations!
  • Cost of fraud has risen 20% in the past year - across all size companies. This is NOT just a large enterprise problem.
  • Fraud/Corruption is not a victimless crime - it is hampering the economic development of all countries:
      • 48% of respondents indicate that fraud has deterred them from engaging in business in at least one foreign country. (This is not just a developing country problem - 7% have not operated in North America due to the perception of fraud!)
      • Corruption was named by 63% of respondents as the main reason for not doing business in Africa and 59% for avoiding Central Asia.
  • Most companies are not prepared to comply with anti-corruption laws such as the US' Foreign Corrupt Practices Act (FCPA) or UK Bribery Act:
      • Only 36% of companies that fall under one or more of these laws believe these mandates applied to their business!
These statistics (and others in the report) are staggering and sobering in many ways. But at the same time, I'm re-energized and optimistic when I think of all the progress our customers are making to improve their overall ethics and compliance programs. Yet I only have the opportunity to speak with a small percentage of clients and prospective customers, so I ask you: How would you have answered the questions in the survey, and what are you doing to improve?

Sunday, October 10, 2010

Deterring and Detecting Financial Reporting Fraud


The Center for Audit Quality just released a new report - Deterring and Detecting Financial Reporting Fraud - A Platform for Action, which I downloaded. The report focuses on financial reporting fraud at publicly-traded companies of all sizes, and its recommendations are intended to be scalable to different situations. I found it to be a pretty comprehensive report, with guidance that would be applicable for any organization (large, small, public, private, etc.) looking to improve internal operations and mitigate the risk of financial reporting fraud.

As it is a 55-page document, I won't try to summarize all the salient parts here, but I did think their top three characteristics in organizations where this risk is minimized are worth repeating:
  • A strong, highly ethical tone at the top that permeates the corporate culture
  • Skepticism - a questioning mindset that strengthens professional objectivity, on the part of all participants in the financial reporting supply chain
  • Strong communication among supply chain participants
Given the corporate scandals that have emerged over the past few years, have you assessed your compliance and audit strategies with an eye toward mitigating this risk?

Thursday, September 23, 2010

Commitment to Ethics



This morning, EthicsPoint announced the winners of our 2010 Best Ethics Portal Contest, and I'm pleased to congratulate the winners again here:

  • Best Buy
  • Bon Secours Health System
  • Boys & Girls Club of Garden Grove
  • California Independent System Operator
  • Chesapeake Energy Corporation
  • Kraft Foods, Inc
  • Precision Drilling Corporation
  • TELUS Corporation
What's especially gratifying in recognizing these organizations is that their ethics portals really are just a small part of their overall commitment to fostering a culture of integrity and compliance. Amid all the negativity we read/hear about relating to companies that fall short in this area, I believe it's extremely valuable to celebrate those who strive on a daily basis to do the right thing. Please join me in congratulating this year's winners!

Monday, September 13, 2010

Visualize your success

"Never in history has the human brain been asked to track so many data points."
-Dr Edward Hallowell, Psychiatrist, Author of CrazyBusy



On September 10th EthicsPoint announced the release of the first new software application added to the Framework we announced last May - epVisualization Manager.
After having previewed it during our Regional User Forums over the past few months, I can sincerely state that you will be blown away by what it can do once you see it and start working with it - the possibilities are bounded only by your imagination!

Simply put, epVM allows you to map multiple layers of data to create a location-based dashboard. That data can come from EthicsPoint products (such as the location of your remote offices and all the associated reports of misconduct), RSS and other public feeds (such as weather data), premium data feeds (e.g. subscription data highlighting corruption trends in third world countries) and proprietary feeds (e.g. point of sale data from your internal financial applications). By layering data on a map, you can then begin to visualize patterns and trends that simply wouldn't be possible if you were trying to accomplish the same thing through spreadsheets or other methods.

We're demonstrating Visualization Manager this week at the annual SCCE Compliance Institute in Chicago, and next week at the ACUA and ECOA annual conferences. If you aren't planning to attend one of these shows and would like to learn more, contact us and we'd be thrilled to give you a tour!