Transcript
Society of Corporate Compliance and Ethics
6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States
www.corporatecompliance.org | +1 952 933 4977 or 888 277 4977
Understanding and Optimizing Legal & Regulatory Risk Management
SPEAKER: Steve McGraw
Compliance 360, Inc., President & CEO
Agenda
• Credits
• Overview of ERM
• Legal and Regulatory
– Definition
– Issues
• Solution Examples
• Best Practices
• Recommendations
Credits
• Mark S. Beasley, PhD, CPA, Director, Enterprise Risk Management Initiative; Board Member of Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Dana R. Hermanson, Ph.D., Dinos Eminent Scholar Chair of Private Enterprise, Professor of Accounting at Kennesaw State University
• Customers
ERM – An Overview of the Basics
By definition:
o ERM is a process,
o effected by an entity’s board of directors, management, and other personnel,
o applied in a strategy setting and across the enterprise,
o designed to identify potential events that may affect the entity,
o manage risks to be within its risk appetite,
o to provide reasonable assurance regarding the achievement of entity objectives.
Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see www.coso.org)
ERM Technology
• Risk Appetite / Risk Tolerance
• “Enterprise” – not just selected “silos of risk”
• A “process” that is ongoing, living & systematic
• Consideration of risks on “portfolio” basis
• Heavily integrated with business strategy
• Focus is on coordinated program for identification, measurement, assessment, and response to risks primarily across 2 dimensions
– Probability (Likelihood)
– Criticality (Consequence/Impact)
• Key part of entity’s corporate governance
• Responsibility of senior management and board
• Pushed down to key business segment management
ERM Directly Links to Corporate Governance
[Diagram: Governance Over Two Aspects of Entity: 1) Leadership in Strategic Performance; 2) Objective Oversight of Management. Elements shown: Board of Directors, Audit Committee, Management, Internal Auditors, External Auditors, Regulators, Legal System, Congress, Enterprise Risk Management.]
Traditional Risk Management Approach
[Diagram: “Silo” or “Stove-Pipe” Risk Management. Separate silos: Legal/Reg. Risks, Operations Risks, Finance Risks, IT Risks, Strategic/Market Risks, Geo-Political Risks, Weather/Environment Risks.]
Traditional Risk Management Approach
[Diagram: Enterprise Focus on Risks. Legal/Reg. Risks, Operations Risks, Finance Risks, IT Risks, Strategic/Market Risks, Geo-Political Risks and Weather/Environment Risks grouped around Valuation Creation and Preservation.]
What is Legal & Regulatory Risk?
Definition: Risks associated with the uncertainty of violating laws or regulations.
NEGATIVE: Risk that company may INTENTIONALLY or UNINTENTIONALLY violate a law, contract, or regulatory provision and face potential litigation which could lead to cash loss and could impact enterprise by triggering other risks such as reputation loss, customer backlash, employee embarrassment, etc.
POSITIVE: The company may be the beneficiary of legal or regulatory risk if another party is the violator (e.g. contract violation) and the company is able to successfully sue.
THUS, LEGAL/REG RISK COULD BE BOTH POSITIVE AND NEGATIVE (BUT MOSTLY NEGATIVE)
Major Issues Associated with L&R Risk
• Exposure to fines by regulatory agencies
• Significant workload by legal & regulatory staff
• Blind sided by newly enacted laws, new regulatory trends
• My competitor’s problem could be my problem
• Managing legal & regulatory risk outside legal & regulatory department
• “HUGE” uncertainty as to what may trigger it. (What might be deemed “LEGAL” today, might be deemed as “ILLEGAL” tomorrow as the culture shifts over time.)
Legal and Regulatory Risk Leakage Example
[Diagram: Enterprise Focus on Risks (Legal/Reg., Operations, Finance, IT, Strategic/Market, Geo-Political, Weather/Environment Risks around Valuation Creation and Preservation). Leakage chain: Privacy laws → Data Breach → Brand Erosion.]
Legal and Regulatory Risk Leakage Example
[Diagram: Enterprise Focus on Risks (Legal/Reg., Operations, Finance, IT, Strategic/Market, Geo-Political, Weather/Environment Risks around Valuation Creation and Preservation). Leakage chain: Local Ordinances → Delayed Store Openings → Brand Erosion; Municipal Fines.]
Recent High Profile Example #1: Mattel
Recent High Profile Example #1: Mattel – Negative Press
Recent High Profile Example #1: Mattel Earnings Press Release
Recent High Profile Example #1: Mattel Stock Price Chart
Recent High Profile Example #2
Regulatory Risk | AMERIGROUP
Recent High Profile Example #2
Regulatory Risk | AMERIGROUP
Settlement / Verdict Announced
Major Components of Legal & Regulatory Risk
1. Early Warning System
Legislative and regulatory notification and awareness
• notification of newly proposed law
• notification of newly enacted law
• notification of newly proposed regulations
• notification of final regulations
• notification of regulatory enforcement actions
• alerting of news and announcements by political figures, agency heads and other influential public figures
2. Risk-Based Impact Assessment
Assess company’s impact with a risk-based approach
• A knowledge base of all applicable laws and regulations
• The current legal interpretation
• A repository of previous opinions
• The responsible party(ies) for implementing changes
• The impact to your Enterprise Risk Framework (ERM)
3. Change / Project Management
Make sure to have an automated, consistent management process of Legal & Regulatory Risk
1. Legal and/or compliance personnel is alerted to an issue
2. The issue is documented and tracked electronically
3. Management in legal will rank order the issue by risk classification
4. Legal and compliance agree on the risk and controls implementation
5. Compliance reviews (tests) the Policies & Procedures and controls for each issue
6. Compliance determines if the testing of the controls is effective
7. Compliance works with the business owners to educate and manage the compliance process at the business level/unit
8. Results from the controls testing and other processes are reported to the ERM
4. Controls Monitoring
Monitor and test controls on a regular basis
• Independence
• Testing Frequency
• Testing Failures
– What to do next?
• Document
Process Flow
[Diagram: New Issue Alert → Legal: Document Issue → Review Current Policies & Controls → Legal/Compliance: Control Testing → Risk Ranking → Government Affairs: Legislative Influence → Communicate To Business Owners.]
Organizational
[Diagram: Compliance Alert → Legal: Issue Category? (Privacy, BSA/USA PA, Eastern States, Western States) → Government Affairs: Legislative Influence → Communicate To Business Owners.]
Additional Recommendations
• Ensure strong legal counsel
• If you are in a highly regulated industry, e.g. Insurance, Pharmaceutical, have dedicated resource monitoring regulations
• Keep data on "INCIDENCES" that might lead to risks. Monitor whether any ultimately lead to litigation/settlement. (Example: Retail stores track customer injuries so they can estimate percentages of incidents that lead to litigation.)
• Be proactive in anticipating potential drivers of legal risks – look for factors that drive change, such as a new political appointee or increased scrutiny in adjacent markets, and then respond to those risks proactively