What Keeps You Awake at Night . . . and What Should You Do About It?
SCCE 2009 Compliance & Ethics Institute
Peter Webster, Rio Tinto
SCCE 2009 2
What keeps you awake at night . . ?
The Unknown
• Maxim
– Anxiety: Unknown & unmanaged risks
– Solution: Risk management
• Six principles
– Derived from key compliance & risk standards
• Three case studies
– Anticorruption
– Data privacy / EU hotlines
– M&A / partnerships
• 1st principle: Risk identification
– External risks
– Internal risks
• Scope
– Clear boundaries
• Geographic / operational
– Subject matter experts
• 2nd principle: Risk analysis
– Uniform reliable & repeatable methodology
– Documentation / risk registers
[Risk register example: columns Risk / L / C / Rank / Action / Mgmt., with two sample rows (risks X and Y) whose Action and Mgmt. cells are left blank]
Risk level matrix (likelihood vs. most serious consequence)

Likelihood      Very Low   Low        Moderate   High
Very Unlikely   Level 1    Level 2    Level 3    Level 4
Unlikely        Level 2    Level 3    Level 4    Level 5
Probable        Level 3    Level 4    Level 5    Level 6
Highly Likely   Level 4    Level 5    Level 6    Level 7
Risk level     Response                                        Risk class
Level 6 & 7    Urgent and Immediate Attention                  Class I
Level 4 & 5    Proactive Management                            Class II
Level 3        Active Monitoring (may be a Class III risk)     Class III
Level 1 & 2    Active Management not required                  Class IV
Risk analysis and management process
[Process diagram: Risk process initiation; Risk identification; Risk analysis; Risk evaluation; Risk management; Risk reporting; Risk updates; Risk Register]
• 3rd principle: Risk controls
– Prioritized risk → prioritized controls
– Build on existing corporate culture
• Ethics / business integrity
• ‘Tone at the top’: strong support; regularly delivered
• Systems
• Policies: High / critical risks
• Training: On-line / face to face
• Audit forums
• 4th principle: Monitoring & auditing
• Whistle blowing
– Compliance / Audit forums
– Investigations
• Assigning priorities
• Uniform protocols
– Annual audit
• Internal control questionnaire
• 5th principle: Adequate resources
– Centralized & decentralized resources
• “In a profit and loss driven world, there is always a risk that companies facing an uncertain economic future may choose to cut compliance expenses as a short sighted way to save money.”
– SEC Chairman Christopher Cox
• “Do what you can, with what you have, where you are”
– Theodore Roosevelt
• 6th principle: Build evidence
• Identified operational compliance managers
– Management accountability
• Record-keeping
– Training
– Audit forum minutes
– Investigation follow-through
• Reporting
Case study 1: Anticorruption
• Case study 1: Anticorruption
– Risk identification
• TI CPI / enforcement trends
• Operations in high risk countries
– Risk analysis
– Controls
• Policy / training / contractual / due diligence
– Reporting / recordkeeping
• Due diligence files / agent register
– Resources
• Local company / subject matter experts
• Case study 2: Data privacy / EU hotlines
– Risk identification
• Country laws
• Global data flow
– Risk analysis
– Controls
• Policy / training / contractual
• EU hotline protocols
– Reporting / recordkeeping
– Resources
• Data privacy coordinators
• External / internal hotline managers
• Subject matter experts
• Case study 3: M&A / partnerships
– Risk identification
• Vicarious liability
• External relations
– Risk analysis
– Controls
• Due diligence
• Training
• Contractual
– Reporting / recordkeeping
• Conclusions
– Minimize the unknown
• Identify, analyze and manage risk
– Remember first principles / key sources
• US Sentencing guidelines
• Australian standard 3806 (compliance)
• Australian standard 4360 (risk)
• ISO 31000 (risk)
• ISO Guide 73 (risk vocabulary)
• COSO Enterprise risk management framework