APR-JUN 2019

N/A
N/A
Protected

Academic year: 2022

Share "APR-JUN 2019"

Copied!
200
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Hele tekst

(1)

www.riskandcompliancemagazine.com

APR-JUN 2019

risk & compliance

R & C

Inside this issue:

FEATURE

IT disaster recovery planning

EXPERT FORUM

Risk, culture and ethics assessments to stress test compliance programmes

HOT TOPIC

Impact of CFIUS reforms for PE houses


RISK & COMPLIANCE Apr-Jun 2019 3

CONTENTS

006 FOREWORD

009 FEATURE
    IT disaster recovery planning

016 FEATURE
    Analysing and improving internal investigations

189 EDITORIAL PARTNERS

023 EXPERT FORUM
    Risk, culture and ethics assessments to stress test compliance programmes
    The Ethics & Compliance Initiative; A.P. Moeller-Maersk; Novartis International AG; Zinser, Esponda y Gomez Mont, Abogados

039 PERSPECTIVES
    Crisis and the protective power of trust
    Edelman Intelligence

044 MINI-ROUNDTABLE
    Advanced technology for compliance
    FTI Consulting

052 ONE-ON-ONE INTERVIEW
    Compliance risks and considerations for family offices
    Acuris Risk Intelligence

057 MINI-ROUNDTABLE
    Managing trade compliance screening
    Nasdaq

065 PERSPECTIVES
    Data privacy and the IS auditor
    ISACA Pune Chapter

069 ONE-ON-ONE INTERVIEW
    Building a sustainable programme around data privacy
    SAI Global

074 MINI-ROUNDTABLE
    Asset-liability management (ALM) in the concept of stress testing
    SAS

Editor: Mark Williams
Associate Editor: Fraser Tennant
Associate Editor: Richard Summerfield
Publisher: Peter Livingstone
Publisher: James Spavin
Production: Mark Truman
Design: Karen Watkins

Risk & Compliance
Published by Financier Worldwide Ltd
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom
+44 (0)845 345 0456
riskandcompliance@financierworldwide.com
www.riskandcompliancemagazine.com
ISSN: 2056-8975

© 2019 FINANCIER WORLDWIDE LTD All rights reserved.

No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publishers. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice.

Opinions expressed herein do not necessarily represent the views of the author’s firms or clients.

Financier Worldwide reserves full rights of international use of all published materials and all material is protected by copyright. Financier Worldwide retains the right to reprint any or all editorial material for promotional or nonprofit use, with credit given.

CONTENTS (continued)

084 MINI-ROUNDTABLE
    Insurers – preparing for IFRS 17
    KPMG; SAS

095 MINI-ROUNDTABLE
    Segmentation and AI in AML alerts
    Navigant

102 PERSPECTIVES
    Ensuring the future of audit
    ICSA: The Governance Institute

106 MINI-ROUNDTABLE
    Audit committee disclosures
    Crowe Global

120 PERSPECTIVES
    General counsel has quickly become the vigilant sentinel of reputation risk and the corporate conscience
    Edelman

124 ONE-ON-ONE INTERVIEW
    CCOs: managing responsibilities and liability risks
    Zinser, Esponda y Gomez Mont, Abogados

129 PERSPECTIVES
    You may never be free of liability from old conduct, if the SEC has its way
    Jenner & Block LLP

134 PERSPECTIVES
    Role of risk culture in effective implementation of risk governance
    Indian School of Business (ISB)

138 MINI-ROUNDTABLE
    Automated third-party risk assessment
    KPMG

146 PERSPECTIVES
    Protecting the crown jewels: a guide to safeguarding trade secrets and confidential business information
    Fisher Phillips

152 PERSPECTIVES
    Compliance with the evolving US sanctions and export control laws
    Venable LLP

158 PERSPECTIVES
    A wave of export regulation to hit US technologies
    Sheppard, Mullin, Richter & Hampton

162 PERSPECTIVES
    Artificial intelligence and competition
    Clifford Chance

167 ONE-ON-ONE INTERVIEW
    Compliance considerations for marijuana businesses
    Acuris Risk Intelligence

172 PERSPECTIVES
    The shortage of fuels in Mexico – managing crisis and compliance
    ScottHulse PC

176 HOT TOPIC
    Impact of CFIUS reforms for PE houses
    Dechert LLP; Mayer Brown LLP; Skadden, Arps, Slate, Meagher & Flom LLP

FOREWORD

Welcome to the twenty-sixth issue of Risk & Compliance, an e-magazine dedicated to the latest developments in corporate risk management and regulatory compliance. Published quarterly by Financier Worldwide, Risk & Compliance draws on the experience and expertise of leading experts in the field to deliver insight on the myriad risks facing global companies, the insurance solutions available to mitigate them, and the in-house processes and controls companies must adopt to manage them.

In this issue we present features on IT disaster recovery planning and on improving internal investigations. We also look at: stress testing compliance programmes; advanced technology for compliance; compliance risks for family offices; trade compliance screening; sustainable programmes for data privacy; asset-liability management (ALM); preparing for IFRS 17; segmentation and AI in AML alerts; audit committee disclosures; responsibilities and liability risks for CCOs; automated third-party risk assessment; compliance considerations for marijuana businesses; the impact of CFIUS reforms on PE houses; and more.

Thanks go to our esteemed editorial partners for their valued contribution: Acuris Risk Intelligence; Crowe; Edelman; FTI Consulting; KPMG; Nasdaq; Navigant Consulting; SAI Global; SAS; Zinser, Esponda and Gómez Mont; ICSA: The Governance Institute; and ISACA.

– Editor


FEATURE

IT DISASTER RECOVERY PLANNING

BY RICHARD SUMMERFIELD

When a company suffers an outage that takes down essential systems, including IT, the importance of disaster recovery planning becomes immediately apparent.

Disaster recovery can help companies get vital systems back up and running and reduce the financial and reputational cost of any downtime experienced. A successful plan will have realistic and attainable objectives based on the business’s needs. This requires meticulous preparation, from undergoing a business impact analysis, to understanding and quantifying the company’s risks, to classifying and prioritising data for recoverability.

Although, according to the Allianz ‘Risk Barometer: Top Business Risks for 2018’ survey, 42 percent of companies of all sizes named business interruption as the most important risk they faced, a large number are insufficiently prepared for an outage and thus may suffer the consequences.

However, as IT becomes more integral to protecting business value, attitudes will need to change. Retaining and attracting customers following a poorly-handled outage can be very difficult, especially if trust has been lost.

Planning for the future, learning from the past

While it is impossible for companies to prepare for every potential threat, they can put adequate response mechanisms in place. IT disaster recovery plans must be drawn up within overall business continuity plans, and companies must understand their priorities and recovery times. These objectives should be set out during the business impact analysis. Strategies should be developed to restore hardware, applications and data necessary to achieve business recovery.

IT disaster recovery planning has quickly ascended the corporate agenda. This is partly due to the increasing sophistication of cyber criminals and the frequency of their attacks. According to SonicWall, the number of cyber attacks across the world rose by 18 percent year on year in 2017.

In addition, natural disasters appear to be more common. According to the Centre for Research on the Epidemiology of Disasters, the number of flood and storm catastrophes has risen by 7.4 percent annually in recent decades. Other risk factors, such as human error or terrorist attacks, are further cause for concern. Companies must consider the complete spectrum of ‘potential interrupters’ when recovery planning.

The financial case is compelling. According to Gartner, the average cost of IT downtime is $5600 per minute, or more than $300,000 per hour. For large organisations, that cost can exceed $500,000.

Furthermore, according to Appdynamics, in 2017, organisations were losing an average of $100,000 for every hour of downtime on their websites. When one considers the impact of some disasters – Hurricane Rita in 2005 caused 384 hours of outages and Hurricane Sandy in 2012 caused 337 hours of outages, for example – companies cannot afford to neglect recovery plans.

Companies must prepare their employees for the worst, as well as members of their supply chain.

“Contingency planning and training should be part of the day-to-day priorities of a business,” says Mark Adair, a partner at Mason Hayes & Curran.

“From a legal perspective, it is important that the disaster recovery and business continuity roles and obligations on the customer and supplier are described with clarity in the services contract. Some of the most important initial considerations are how the contract defines what constitutes a ‘disaster’ and what functional areas of the organisation the disaster recovery or business continuity plan is stated as applying to. Good planning should apply to everything from a disaster that wipes out an entire data centre, right down to the unavailability of a single server.”

Part of drawing up a sound disaster recovery plan is learning from failures. Mistakes can compromise the recovery process and cost millions. Lengthy and embarrassing IT outages can offer important lessons. “A good takeaway point from major system failures, such as the one that crippled British Airways in 2017, is that having recovery systems which are purely a tick-box capability, rather than ensuring that recovery systems have been thoroughly tested, is very much a false economy,” says Chris Bates, a partner at Ashurst. “That being said, much time and expense can be saved where disaster recovery is automated, thereby ensuring that the disaster recovery procedures activate automatically in the event of a failure, minimising impact,” he explains.

Asset prioritisation and recovery

Prior to an outage, companies must consider how they are going to protect and recover vital assets. If they do not have a detailed inventory of IT assets – both tangible and intangible – creating one is the first step.

The next is to back up data. Disaster Recovery as a Service (DRaaS) solutions provide access to virtual backups and infrastructure in the cloud in the event of a disaster. Many companies are also utilising hybrid cloud strategies to provide additional security measures. Rather than storing all key data on-premises only, or with a cloud provider only, a hybrid strategy can be a simple and affordable alternative.

The efficiencies and scale of cloud infrastructure have changed disaster recovery. “Many enterprises now have the cloud, and cloud providers, at the heart of their disaster recovery plans,” explains Matthew Bennett, a partner at CMS. “More interestingly, as more production systems are being hosted in the cloud, disaster recovery is becoming baked into enterprise IT architecture rather than being a component on the side.”

Asset management and the approach companies take to it can determine the success of a disaster recovery process. “Assets to be prioritised in disaster recovery planning will depend largely on the nature of the business and what assets are critical to the functioning of that business,” says Mr Bates. “A risk-based approach to prioritisation on a case-by-case basis is clearly the most sensible way to assess this, however, generally speaking, the key assets will be those with direct customer interaction or those which are core to the execution of a service offering.”

Importance of insurance solutions

As part of their disaster recovery preparations, many companies are arranging business interruption insurance. “This can be a helpful way to help mitigate the damage an incident causes and may fill certain gaps,” says Mr Adair. Insurance can act as a financial catalyst to help get organisations back up and running. The policy should consider the different types of disaster which may befall a company, and provide coverage for each. Regular asset inventories are needed to ensure that assets get the right protection.

“Business interruption insurance covers a business’ net income and the normal expenses in the restoration period following a disaster,” explains Mr Bates. “IT is critical to the operations of most businesses today and therefore any IT failures that affect the functioning of the business will need to be covered by insurance. However, such insurance will not typically cover customer liability issues, so ensuring the priority of systems required for service continuity is key. Due to the increasing risk of cyber attack, business interruption insurance as a subset of a portfolio of cyber insurances has evolved significantly over recent years. Businesses now must clearly identify and understand high impact cyber business interruption scenarios in order to secure the appropriate cover for these situations.”

However, insurance is just one element of disaster recovery and does not replace risk assessment, planning and training.

Regulatory developments

Regulatory developments are also influencing disaster recovery planning. The European Union’s (EU’s) General Data Protection Regulation (GDPR) is having a profound impact. Given the financial penalties companies may face under GDPR, recovery plans must be compliant. Companies need to demonstrate that the security, availability, recovery and testing of their IT systems are of an adequate standard to ensure timely and effective recovery without risk to the confidentiality and integrity of a consumer’s personal information. Failure to do so could have serious financial and reputational consequences.

“The GDPR applies to both primary systems and recovery and backup systems,” notes Mr Adair. “Companies must look at the type of data they are backing up. If dealing with any personal data, which is broadly defined, special care must be taken. Under the GDPR, organisations have to ensure the ongoing integrity, availability and resilience of systems and be able to restore the availability and access to personal data in the event of a physical or technical incident. For EU organisations, if a vendor is storing backups containing personal data on a server located outside the European Economic Area, the parties may fall foul of regulators in the absence of completing the necessary GDPR paperwork.”

Disaster recovery planners should also consider the impact of the new EU Network and Information Systems Directive (NIS Directive), which requires operators of critical infrastructure and digital service providers to take appropriate measures to prevent and minimise the impact of incidents to ensure continuity of their operations.

These regulatory changes are indicative of the future of IT disaster recovery. Technological advances will also reshape the process in the coming years, much like managed services and cloud-based recovery products have improved resilience and response processes.

Test, test, test

Going forward, companies will make mistakes with disaster recovery. Whether it is making the wrong decision at the wrong time, failing to test recovery processes or ignoring disaster recovery solutions entirely, companies will be susceptible to costly and embarrassing outages. The design of a disaster recovery plan can mitigate such failures, but only if it has been put through its paces. “Testing needs to encompass technical systems and enterprise rehearsal,” says Mr Bates. “The involvement of employees is crucial and this needs to be from all parts of the enterprise, not just IT. Rehearsals should try to emulate previously untested threats, as well as the more obvious scenarios. There could always be unexpected events and it will be how the people in an organisation react and work together in the face of that which will determine success,” he adds.

Members of the C-suite must also embrace the need to change with the times, however. This will require sufficient, managed investment in disaster recovery planning and preparation to overcome disasters, both natural and man-made. R&C

FEATURE

ANALYSING AND IMPROVING INTERNAL INVESTIGATIONS

BY FRASER TENNANT

An investigation should never be initiated on a whim. But in a scenario where an allegation of wrongdoing has been made, a company needs to launch an investigation as swiftly as possible, with an internal inquiry often the first port of call.

Once an internal investigation is underway – perhaps as a result of allegations of bribery, sabotage, embezzlement, tax fraud, insider trading, antitrust collusion, workplace assault, environmental crimes, audit and accounting fraud or conflicts of interest – how it is conducted is of paramount importance, given there is always the potential for it to become an expensive and time-consuming endeavour.

To help ensure careful and discreet handling, appropriate investigatory models are required to coordinate those involved in an investigation, such as employees, internal counsel and forensic accountants, so that a speedy and satisfactory conclusion can be reached. Moreover, depending on the gravity of the allegation, the stakes may be high, so an investigation needs to be streamlined in order to reduce disruption to operations.

“Companies launch internal investigations for a number of reasons, but rarely is it due to a single event, unless identified as being so serious as to suggest a systemic failing that would be uncovered by an investigation,” explains Craig Weston, a senior associate barrister at Irwin Mitchell LLP.


“Investigations are launched into subject matter across the breadth of a business, from regulatory breaches to employment matters to payment and invoicing anomalies and allegations of criminal conduct.

“A common trigger for an internal investigation is a confidential report to a whistleblowing hotline, the use of which is often written into company policies such as modern slavery, bribery, harassment at work, and health and safety policies,” he continues.

“Companies usually investigate to ascertain and mitigate their own liability. In recent years, we have seen an increase in three particular areas of investigation: sexual harassment, in no small part due to the #MeToo movement, bribery and corruption, and financial regulatory.”

In the view of Franziska Janorschke, global head of the SpeakUp Office at Novartis, the primary purpose of an internal investigation is to gather facts so that a company can determine the pervasiveness of the situation, the root cause of the issue and to determine what steps the company can take to prevent similar cases in future. “A proper and successful internal investigation also allows a company to assess its systems and controls, and to develop an appropriate approach to measure and address any deficiencies,” she says. “Thoughtful and diligent fact-finding during the early steps of an investigation may show that those suspected of misconduct are not involved in any wrongdoing. This can save you time and valuable resources and at the same time protect an employee’s reputation.”

Models and priorities

The period between deciding upon an investigation and its getting underway is when an appropriate investigatory model needs to be selected – a decision driven by a number of factors, including the availability and capacity of suitably trained investigators, the precise nature of the issue, ease of evidence retrieval, jurisdictional legal requirements, and whether the allegation involves senior management, such as board members. Another significant influence on the choice of model is the extent to which a speedy resolution is required.

In the experience of Melissa S. Geller, a partner at Duane Morris LLP, it is the investigation priorities which control the investigation model. “An investigation prompted by a subpoena may prioritise document collection and review, whereas one raised internally may prioritise secrecy,” she says.

“Too often, priorities are unspoken or glossed over, resulting in miscommunication and misalignment. An early discussion that sets the company’s priorities ensures a solid foundation for good communication and an orderly investigation. It also creates a semi-formal understanding that encourages further conversation should priorities shift as an investigation evolves.”

According to Mr Weston, jurisdiction is another key factor in how an investigation is conducted.

“Jurisdictional law, which is likely to cover the conduct, bears heavily on how to investigate,” he explains. “For example, if it is an employment matter, a company may want to conduct interviews with employees in a way that an employment tribunal can relate or would expect. If it is a bribery and corruption investigation, an investigation is likely to be conducted in a much more robust way.

“If the conduct occurred in a foreign jurisdiction, a company will want to ensure that the way in which the investigation is conducted is legal in that jurisdiction, and that the way evidence is gathered would be admissible in any litigious proceedings in that jurisdiction,” he continues. “A particular issue in recent years has been the difference in approach to privilege between the US and the UK. As such, many multinational companies have to decide where to run the investigation from and whether to include US lawyers, for example, to ensure protection over privileged material from a US perspective.”

Pitfalls

Avoiding the pitfalls that accompany an internal investigation – such as inadequate investigation planning, a lack of documenting and preserving of evidence, unrealistic timelines, insufficient understanding of evidence collection limits, and an over-reliance on information provided by an alleger and witnesses – is essential, especially when airing a company’s dirty laundry, even internally, can have a severe impact on its reputation and standing.

“One pitfall of internal investigations is ‘mission creep’,” says Ms Geller. “In today’s market, almost every investigation involves large amounts of documents, along with witness interviews, experts where necessary and, in some cases, government involvement. It can therefore be easy to lose sight of the central objective. A company launching an investigation should have clear goals and objectives developed in consultation with the company’s lawyers at the beginning of the investigation. If an investigation expands into another area, it should be done deliberately, after a full and complete analysis and in a controlled manner.”

In Mr Weston’s experience, companies often investigate without proper scoping and planning. “A good investigation should start with a considered and well-thought-out plan, which includes setting up a small investigation team and empowering them to seek and receive legal advice by way of a board resolution,” he explains. “A company should give the investigation a project name, define the scope of the investigation, create an email group for the project team, consider the instruction of external legal advisers, and communicate to all team members that the matter under investigation is to remain confidential and not be discussed outside the project team. Also, it is important to preserve evidence and ensure that no key documents are destroyed.”

Another pitfall that investigators must avoid is a failure to maintain an audit trail during an investigation, i.e., the decisions taken, the reasons for those decisions, and the documents and evidence upon which decisions were based. “A robust audit trail helps investigators engage meaningfully with regulators,” affirms Mr Weston. “Also, regulators and prosecutors have come to expect such audit trails and may criticise an investigation or treat it as a separate failing if such a trail is not present.”

Coordinating parties

With multiple parties potentially involved in an investigation – including the alleger, the accused, witnesses, senior management, external advisers, regulators, as well as the investigation team itself – coordinating their contributions is a major challenge, which requires a systematic approach.

David Herring, head of global security at Novartis, believes such an approach should be coordinated by an experienced investigative lead, with dedicated support from a team of multi-skilled and diverse investigators.

“Having an internal investigative team or capability to conduct internal investigations enables company management and directors to diligently fulfil their duties and responsibilities and satisfy regulatory expectations,” he asserts.

Similarly convinced as to the merits of a small, dedicated team of investigators is Mr Weston.

“A company should use a small project team to coordinate all of the various parties, from their instruction to receiving the advice and work product, and its wider dissemination, if appropriate,” he suggests. “A project diary should also be kept with access restricted to those identified as project team members. If external lawyers are being used, I would recommend that they coordinate external experts, as it may help a claim of privilege over the work product and communication and, similarly, when conducting interviews with witnesses.

“We would also encourage thinking carefully about the timeline and order of the witnesses and experts you engage with,” he continues. “For example, does your expert need material from witnesses that you have not interviewed yet, or would you like to put information material to one witness that you can only get from another? Alternatively, do you want to interview more junior people first and then more senior people later?”


Ultimate success

So, when the dust settles, how should a company measure the merits of its investigatory efforts? Ultimately, what factors determine whether an internal investigation has been successful?

“A successful internal investigation reaches an answer, without alienating or panicking employees or causing some other harm to a company,” believes Ms Geller. “Internal investigations are usually highly confidential and the timing of disclosure to witnesses carefully controlled. But, people increasingly communicate outside of email, using text messages, social media and other platforms. Often, the employee, not the company, controls access to this data. Access to employee-held data and employee privacy are key areas where the field will evolve and continue to change over the next few years. Therefore, all companies should have policies about use of technology for company business that address employee privacy.”

For his part, Mr Weston believes the coming years will likely see an increase in the number of internal investigations. “Companies will attempt to use an internal investigation as a way of demonstrating they are taking positive action, to placate employees or to demonstrate cooperation and engagement with a regulatory or criminal process. They also provide an opportunity to companies to understand their potential liabilities before they reach the point of having to self-report or being outed by journalists,” he adds.

In virtually any sphere, success can be a difficult metric to measure. As far as an internal investigation is concerned, the definition of success for one company is different to another and very much depends on the nature of the conduct being investigated. That said, a successful internal investigation is generally one that robustly identifies unethical, illegal or unwanted conduct and prevents it from ever happening again. R&C


EXPERT FORUM

RISK, CULTURE AND ETHICS ASSESSMENTS TO STRESS TEST COMPLIANCE PROGRAMMES

PANEL EXPERTS

Patricia J. Harned is chief executive officer of the Ethics & Compliance Initiative (ECI), America’s oldest non-profit in the ethics & compliance industry. ECI empowers organisations to build and sustain high-quality ethics & compliance programmes (HQPs). ECI is a research and membership organisation comprised of institutions across every sector, and each member organisation is dedicated to promoting the highest levels of integrity in its operations.

Alexander Ghazvinian is the chief compliance officer at A.P. Moeller-Maersk. He is experienced in designing and implementing ethics and compliance programmes and he specialises in anti-bribery compliance, competition law, export compliance and data protection. He has implemented compliance programmes in several companies and jurisdictions. He has led major multinational investigations and interacted with several regulators. He has special experience and knowledge of US Foreign Corrupt Practices Act (FCPA) and UK Bribery Act compliance-related topics.

Klaus Moosmayer is chief ethics, risk and compliance officer and a member of the executive committee at Novartis. Mr Moosmayer previously was chief compliance officer of Siemens AG. He is chair of the Anti-Corruption Committee of the Business and Industry Advisory Committee at the Organization for Economic Co-operation and Development (OECD), co-founder and chair of the European Chief Compliance and Integrity Officers’ Forum, former co-chair of the B20 Integrity & Compliance Task Force under the G20 presidency of Argentina and former chair of the task force under the G20 presidency of Germany.

Alejandro Hernández Oseguera is a partner at Zinser, Esponda y Gomez Mont, Abogados. Having begun his career as an intern at Zinser in 2003, he is now a specialist in criminal proceedings, in local and federal matters, related to fiscal offences, financial crimes, crimes in the securities market, crimes in corporate matters and environmental offences, among others. He has also given his advice on various financial restructuring matters.

Alberto Zinser Cieslik specialises in complex white-collar crime investigations and criminal proceedings in both local and federal jurisdictions, and has had extensive experience in highly complex local and cross-border litigation. He has participated in multiple international extradition and mutual legal assistance treaty (MLAT) proceedings between Mexico and the US, Switzerland, France and Australia, among others. He has a Master’s degree in Corporate Law, and has been a lecturer on Master’s degree programmes and postgraduate legal studies since 1998.

Patricia Harned, Chief Executive Officer, The Ethics & Compliance Initiative. T: +1 (571) 480 4426. E: pat@ethics.org

Alexander Ghazvinian, Chief Compliance Officer, A.P. Moeller-Maersk. T: +45 33 63 33 63. E: alexander.ghazvinian@maersk.com

Dr Klaus Moosmayer, Chief Ethics, Risk and Compliance Officer, Novartis International AG. T: +41 61 32 42247. E: klaus.moosmayer@novartis.com

Alejandro Hernández Oseguera, Partner, Zinser, Esponda y Gomez Mont, Abogados. T: +52 55 5202 8610. E: ahernandezoseguera@zegm.mx

Alberto Zinser Cieslik, Founding Partner, Zinser, Esponda y Gómez Mont, Abogados. T: +52 55 5202 8610. E: zinser@zegm.mx


R&C: In today’s regulatory environment, why is it important for companies to stress test their compliance programmes? How often should they do this?

Harned: It is important for compliance professionals to ensure that their company has met regulatory expectation, so as to avoid the negative consequences that come from non-compliance. Regulators around the world are becoming more sophisticated in their evaluation of compliance programme effectiveness, so their standards remain a critical area of focus for a programme. That said, today’s regulatory environment is just one of several reasons why companies should stress test their compliance programme.

We live in a world of fast-paced sharing of public opinion. A single misstep by a company can become global news in a short period of time. Additionally, as millennials rapidly grow as a population in the workforce, communicating organisational standards and also meeting their expectations of transparency and trust will be equally important. Every programme should be assessed and measured. Measurement toward a standard allows an organisation to evaluate its efforts, review its budget allocations and make judgments about its programme. The frequency depends on the pace of change the organisation faces. As a rule of thumb, a programme should be assessed every two years. But an organisation with recent M&A history, multinational operations, history of misconduct, and so on, should do its assessment more frequently.

Moosmayer: To achieve sustainable and ongoing verification of a compliance programme’s adequacy and effectiveness, there should be a clear internal audit plan in place based on solid risk assessments.

Digitalisation, in today’s corporate world, provides a platform for much better monitoring of compliance and control activities. External validation or certification of a compliance programme would also qualify as a ‘stress test’, but this should be in addition to internal efforts. From a timing perspective, a modern and digital monitoring system should allow for an ongoing check for red flags, audit plans should annually focus on deep dives, and comprehensive external assessments realistically could be conducted only every three years at maximum.

Hernández: By their very nature, compliance programmes must be able to adapt to reality. For a company to implement a compliance programme tailored to suit its needs, its activities and the social context in which it operates, it must establish a mechanism, within its own programme, that will allow it to constantly stress test the effectiveness of its policies. The very dynamics of the compliance programme must include constant reviewing of the programme by a ‘good practices’ committee. One of the contributions of German doctrine to compliance programmes is the concept of ‘duty of vigilance’, understood not only as a benchmark for monitoring actions that are carried out in the context of business, but also as a duty to stress test compliance programmes by constantly reviewing the measures taken to prevent and eradicate corrupt practices.

This is especially relevant in legislative contexts such as the Mexican one, in which, stemming from the gaps which still exist in compliance regulations, due to their recent incorporation, not only must companies comply with the requirement to implement a compliance programme, but the compliance programmes that are implemented must be sufficiently solid and effective to pass a final review by the judicial authorities. It is the duty of the judicial authorities to eventually determine whether the compliance programme is adequate enough to prevent its employees or officers from committing criminal acts on the company’s behalf, for the company’s benefit or for their own personal advantage. For this reason, companies adopting compliance programmes must establish a committee charged with constantly stress testing and improving their programmes, at all times considering the company’s needs, its activities and the context in which the programmes are developed.

Zinser: If companies assume proper control of their compliance programmes and continually check their effectiveness, their risk of incurring criminal liability is significantly reduced. This is because they have put an ongoing prevention system in place, ensuring that they have all the necessary anti-money laundering (AML) controls in place, in accordance with the Mexican Federal Law for the Prevention and Identification of Operations with Resources of Illegal Origin, and all the requisite crime prevention systems, in accordance with the National Code for Criminal Procedures and the Prevention of Acts of Corruption, which form part of the new national anti-corruption system, consisting of several complementary laws that govern citizens, companies, organisations and public servants. The frequency with which companies should stress test their compliance programmes very much depends on how many employees they have and their corporate purposes, and on knowing when to carry out periodic reviews of the proper functioning of prevention controls. Nevertheless, they should be reviewed and tested every year, with this revision being carried out ahead of time if the company is changing its structure, corporate purposes or anything else that requires special oversight.

Ghazvinian: Stress testing compliance programmes is not a new requirement. For most regulators, it is known as testing of the adequacy and effectiveness of the compliance programme. As a compliance officer, you should ask yourself every day if your programme is ‘working’, or if something you have designed and implemented really works in the way you want it to. Re-evaluation is perhaps the most important part of any compliance programme and it must be done on an ongoing basis and based on a plan, but at different levels of intensity. If companies implement a new element in their compliance programme, it should be ‘stress tested’ frequently and intensively until the company is confident that it works as intended.

R&C: What measures and metrics might companies use to assess their risk, culture and ethics profile as it relates to compliance? What are the essential elements of a stress testing programme in this regard?

Moosmayer: Measures and metrics should derive from different sources to give a holistic view. Results from ongoing digital monitoring and control activities should be combined with the results of on-site monitoring visits, investigations and audits. Employee surveys and pulse checks have become well-established methods to measure the culture of a company. And last but not least, it is important to screen external sources in order to detect risks which may not yet be visible within the company. Having all this data is very important to assess the results against each other using modern dashboards instead of Excel files.

Hernández: The elements of a compliance programme entirely depend on the company’s main activities. From the point of view of corporate criminal responsibility, the essential components of a compliance programme and its evaluation are aimed at avoiding corporate criminal liability. In Mexico, as in other countries, the main purpose of compliance programmes is to avoid corporate criminal liability.

Hence, each company must take decisive normative steps so that, in the event that its compliance programme comes to be tested before a judge, the latter is satisfied with the measures adopted.

Zinser: Companies must have an adequate organisational structure which can identify risks and mitigate them in accordance with the laws governing corporate criminal liability. In addition, depending on the company’s line of business, it can evaluate the effectiveness of different technologies for recording information provided to both the company and its staff. Companies must keep records of all complaints made on their complaint lines and must follow up on them until they are resolved. In other words, once periodic risk assessments have been carried out in sensitive operational areas, a risk assessment of the pertinent policy must be made to ensure that the oversight process does not expose the company.

Also, it is essential that companies have a corporate compliance management system that enables them to prevent any crime from being committed on foreign soil, and thus allows them to avoid criminal liability due to lack of due organisational control, as well as reducing the risk of theft, fraud and other crimes.

Ghazvinian: If a company’s risk is related to corruption, competition, data protection or foreign trade controls, it will utilise a very different set of measures than it would for ethics and culture.

Companies can assess many of their corruption risks with quantitative measures. Risk assessments should focus on quantitative measures such as revenue in a certain country or revenue with state- owned entities. In addition, introducing a qualitative component allows companies to get a status of the maturity of their risk assessment and assurance on certain elements. For ethics and culture, companies can utilise the employee survey and other tools, as it is much more subjective. Identifying risk factors and mitigating measures will outline the essential elements that require stress testing. If an interaction with a third party is a significant risk, it is obvious that effectiveness testing will be implemented. This could be a spot check, a periodic review of contracts and an in-depth review of those relationships, and assurance that all required measures are being implemented and are effective. This can be done by a company’s compliance team, but also by an external party.

Harned: There are several dimensions that an organisation should consider in assessing its profile from an ethics and compliance (E&C) perspective. One dimension pertains to the design and implementation of the programme. Have we identified objectives for the programme that are in alignment with the key compliance risks we face? How well are we accomplishing those objectives, and are we – in fact – actually reducing those risks?

The second dimension of measurement pertains to the impact of the programme. Do our stated values and standards, and the resources we provide, actually impact employee conduct? Are we effectively holding people accountable if they overstep our standards? Our research found five principles that are common to high-quality E&C programmes (HQPs), which serve as worthy objectives and metrics for an E&C programme.

First, ethics and compliance is central to business strategy. Second, ethics and compliance risks are identified, owned, managed and mitigated. Third, leaders at all levels across the organisation build and sustain a culture of integrity. Fourth, the organisation encourages, protects and values the reporting of concerns and suspected wrongdoing. Finally, the organisation takes action and holds itself accountable when wrongdoing occurs.

R&C: To what extent is technology being used to enhance the process of assessing risk, culture and ethics for compliance purposes?

Hernández: Mexico’s ongoing struggle against corruption has opened up the possibility of implementing blockchain technology for public tenders. Blockchain will make it possible for bureaucratic processes to be digital, transparent and permanently documented, thus strengthening anti-corruption mechanisms and facilitating their implementation. The same technology can also be used to regulate internal corporate processes. By deploying these mechanisms in order to achieve more effective internal controls, companies, particularly in the public sector, will become more competitive.

Zinser: The recent guidelines issued by the financial intelligence unit of the Mexican Ministry of Finance and Public Credit state that all individuals and companies are obliged to review their business processes in order to verify the obligations related to the correct identification of clients and users, the identification of the vulnerable activities listed in article 17 of the AML Law and the presentation of reports or notifications via the prevention of money laundering portal of the Mexican tax authority, which sets forth the provisions of the pertinent Mexican laws. Also, it is recommended that ethics codes and compliance information be disseminated to all employees, and this is usually done electronically. Furthermore, companies must keep records of all information relating to compliance, usually storing such data electronically.

Harned: The actual technological processes for capturing and analysing data are very mature. However, it has only been within the last three years that enterprise risk management (ERM) systems have included culture, workplace integrity and ethics. E&C lags even farther behind. For example, in a recent poll of our members, we found that 52 percent of E&C professionals believe that they are keeping pace with the technical solutions that are being developed to improve their programmes and bring efficiencies.

Where technology is being used, E&C professionals say that it is primarily utilised for training and helpline support – 93 percent and 91 percent of practitioners respectively. Surprisingly, technology is being utilised for risk assessment by only 47 percent of respondents. Where companies are not able to leverage the solutions that are available today, the primary reason is budgetary constraints.

Ghazvinian: Technology will be the main driver of ‘Compliance 3.0’. For the moment, however, technology is merely useful, nothing more. Neither IT systems nor data itself are of sufficient quality today that you could use technology in a consistent manner.

Moosmayer: Companies possess an immense amount of data which needs to be utilised for a proper risk assessment. Although technical hurdles are still high – especially for companies with a diverse IT landscape – and there is always a budget challenge, data mining, data analytics and visualisation of the results are essential for a modern, holistic assessment. Behavioural science has also significantly developed and allows insights into ethical and cultural dilemma situations, but here companies still have a long way to go – and to respect, of course, the data privacy laws of their employees.

R&C: In your experience, what are some of the typical red flags that might signal lapses and shortcomings in relation to risk, culture and ethics?

Zinser: There are a number of red flags which might indicate that the company has shortcomings. For example, the company might not have identified the ‘vulnerable activities’ listed in Article 17 of the AML Law. The company might not have presented any report or notification about a ‘vulnerable activity’. It might have failed to appoint a compliance officer or instigate an ethics code. Equally, the company may have an ethics code, but might have failed to adequately inform its employees or third parties about it. A lack of commitment from company leadership can be extremely damaging. There must be an adequate ‘tone at the top’. If the company’s senior management is not totally committed, it will be impossible for the company to achieve a good organisational structure at all levels.

Ghazvinian: There are two different signals that a compliance officer can use to identify lapses and shortcomings in relation to risk, culture and ethics. The first signals can be identified by reviewing the results of the risk and ethics assessment. These risks are easy to mitigate. Focusing on them is important, but neglecting the second group will expose the organisation over time. The more important group of red flags are those companies identify by analysing the data and identifying correlations. Companies can have a set of risks that are low exposure if they are reviewed in isolation. But if those risks occur together in a particular combination, they might signal the lapses and shortcomings of the company’s ethical standards. The challenge is to identify the correlations. This requires a deep understanding of the organisation, good data and a strong mindset.

Moosmayer: In order to be able to draw adequate conclusions, a ‘risk radar’ needs several sources. Singular cases of misconduct may not necessarily qualify as evidence of systemic problems. But if you see in the same entity declining quality controls and the absence of a ‘speak up’ culture, those cases that do come to light may only be the tip of the iceberg. Also, ‘white spots’ may turn into red flags if, in a risky environment, you have steadily increasing sales volume but no reports of potential problems at all, for example. So, it is always a combination of different indicators which should trigger the alert button.

Harned: Our research has shown that there are three primary metrics that serve as red flags of trouble ahead. The first is employee expression that they feel pressure to compromise organisational standards or the law, in order to do their jobs. The vast majority of individuals who feel pressure – 85 percent – also say that they have observed misconduct taking place around them. The second metric is employee reporting of suspected misconduct. We know that misconduct happens in every organisation; what matters is whether or not employees make management aware that problems are taking place. The third metric is the extent to which employees perceive that they will experience retaliation if they report suspected wrongdoing. When people believe that there will be ramifications for reporting, there is a silencing effect in the organisation. That leads to a significant and detrimental erosion of the organisational culture.

Hernández: A company that fails to appoint a chief compliance officer (CCO) will not be able to establish an orderly and documented procedure for carrying out its transactions. Moreover, if the CCO does not have the required autonomy and independence to effectively implement these procedures, the compliance will fail.

R&C: Following an assessment, how important is it for a company’s senior leaders to fully understand the results and respond accordingly?

Moosmayer: For senior leaders, it is much more than just understanding the process. Management is the true risk owner. It is therefore key to involve them fully in the stress test exercises and any follow-up remedial activities.

Harned: It is mission critical for senior leaders to understand the results of an assessment. Even more importantly, it is essential for them to communicate to employees what they learned and what they will do differently in order to address any areas of shortcoming. Failure to do so risks losing employee confidence in leadership. It also signals that assessments do not really make any difference to leadership. The bottom line is that it would be better for an organisation to not undertake an assessment at all than for a company to assess itself and then to do nothing about it. Response to the findings must be transparent and honest. Executives also have to ‘own their role’ in the E&C process. When executives and managers recognise their responsibility for shaping the conduct of the organisation, E&C becomes a part of the culture.


Hernández: Currently, all managers must be properly trained in, and updated on, good compliance-related practices, regardless of the area they operate in. Failing this, the compliance programme will be ineffective and, therefore, will not fulfil its purpose of preventing corruption, and the company adopting it should not expect to have a rosy future, particularly in public-sector markets, which will become increasingly demanding in this regard going forward.

Ghazvinian: It is crucial that a company’s senior management understands the results of any assessment. Management should understand those results as well as they understand all the other numbers. They do not need to understand all of the details per se, but they must understand the results, which are often based on the risk appetite defined by senior management, and therefore it has consequences for the daily business and the mid-term strategy, but also whether the company can pursue a certain type of business or not. On the other hand, it will help senior management to channel resources and focus their attention. In addition, and related to culture, it will help senior management to identify the right measures to start a change management process.

Zinser: It is very important for the company’s senior management to know how to identify and evaluate risks. Only in this way can the company mitigate those risks and implement or modify the controls or protocols that are necessary for due corporate control and the avoidance of criminal liability. The size of the company, its corporate purpose, the size of its workforce, its risks and its operation must be taken into account in order to implement suitable strategies. Senior management must ensure that lower level managers understand that they must have an adequate compliance programme in place, and that they must comply with all the legal requirements regarding crime prevention, money laundering and corruption.

R&C: What steps should firms take to ensure that strong governance and controls are in place for an effective compliance framework that functions as intended?

Ghazvinian: There are two steps firms should take to ensure that strong governance and controls are in place. First, they should have an open and honest discussion about the target of the compliance framework. What kind of governance and controls does the company want and what does the company want the framework to achieve? This relates to the identified risks, the culture and the business model of the company. Second, the company needs to have an open review, particularly if the framework has been implemented and how far it is in its process. This cannot be achieved overnight, but companies need to have a plan and an honest review.

Hernández: Corporate governance is very similar to the governance of a country. Risks must be constantly analysed, an internal control or compliance department must be set up, internal disciplinary controls must be implemented, as must internal and external audit procedures. Companies must also find effective ways and tools to communicate their values.

Harned: There are a number of industry control standards that outline effective compliance and governance – COSO, COBIT, ISO37000 and ISO27001, to name a few. The key to making these standards successful is understanding your organisational risk, applying the standards based on this risk profile, measuring performance using benchmarked key performance indicators, and creating a speak-up culture.

Zinser: It is essential, in the event of a compliance incident, to verify the error, to check whether a given standard is effective and to verify that risk assessments have been carried out and whether they are reflected in the compliance programmes. Also, it is necessary to ascertain how the programmes were transmitted within the organisation. This implies employee training aimed at making employees understand the importance of statistically analysing incidents and, above all, using the results of such analysis. The company must identify the controls which it has already put in place and have a compliance officer who can identify defects in these controls, along with the needs, effectiveness and functionality of the controls that have already been established. The business processes of the company, its organisational structure, its areas and the size of its workforce must also be identified in order to have a complete understanding of the organisation and the risks that it faces.
