
www.riskandcompliancemagazine.com

JUL-SEP 2019

Risk & Compliance (R & C)

Inside this issue:

FEATURE
Corporate crisis management

EXPERT FORUM
Building a global compliance & ethics programme: leadership

HOT TOPIC
Transactional insurance


RISK & COMPLIANCE Jul-Sep 2019 3

CONTENTS

FOREWORD

FEATURE
Corporate crisis management

FEATURE
Managing operational risk within financial services

EDITORIAL PARTNERS

EXPERT FORUM
Building a global compliance & ethics programme: leadership
Nokia Corporation; FTI Consulting; Mayer Brown

PERSPECTIVES
DOJ guidance on effective corporate compliance departments
Orrick

ONE-ON-ONE INTERVIEW
Integrated risk management and RegTech – ‘risk-proofing’ the future of financial services
SAI Global

PERSPECTIVES
Why every company should consider an ethics, risk & compliance organisation
Novartis International AG

PERSPECTIVES
Risk appetite and the Lauda formula
Primetals Technologies

ONE-ON-ONE INTERVIEW
AI for risk management vs management of AI risks
SAS

ONE-ON-ONE INTERVIEW
The changing threat of financial crime
FTI Consulting; Malta Financial Services Authority

ONE-ON-ONE INTERVIEW
Digital identity to fight financial crime
IdentityMind

Editor: Mark Williams
Associate Editor: Fraser Tennant
Associate Editor: Richard Summerfield
Publisher: Peter Livingstone
Publisher: James Spavin
Production: Mark Truman
Design: Karen Watkins

Risk & Compliance
Published by Financier Worldwide Ltd
23rd Floor, Alpha Tower
Suffolk Street, Queensway
Birmingham B1 1TT
United Kingdom
+44 (0)845 345 0456
riskandcompliance@financierworldwide.com
www.riskandcompliancemagazine.com
ISSN: 2056-8975

© 2019 FINANCIER WORLDWIDE LTD All rights reserved.

No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publishers. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice.

Opinions expressed herein do not necessarily represent the views of the author’s firms or clients.

Financier Worldwide reserves full rights of international use of all published materials and all material is protected by copyright. Financier Worldwide retains the right to reprint any or all editorial material for promotional or nonprofit use, with credit given.


PERSPECTIVES
Failure of the anticorruption provisions in the United States of America-Mexico-Canada Agreement (USMCA)
ScottHulse PC

ONE-ON-ONE INTERVIEW
AML compliance – data privacy challenges
Acuris Risk Intelligence

ONE-ON-ONE INTERVIEW
Best execution as best practice
Bloomberg L.P.

ONE-ON-ONE INTERVIEW
Trade surveillance
Bloomberg L.P.

ONE-ON-ONE INTERVIEW
Risk and finance platform integration
SAS

MINI-ROUNDTABLE
Data analytics and data privacy
Navigant Consulting; Pillsbury Winthrop Shaw Pittman LLP

PERSPECTIVES
A risk-based approach to cyber security
ISACA

ONE-ON-ONE INTERVIEW
Cyber fraud typologies and actionable intelligence
Acuris Risk Intelligence

PERSPECTIVES
New covert risks impacting business: misinformation to ‘black bag’ campaigns
Edelman

PERSPECTIVES
The shareholder rights directive and its impact on board remuneration
hkp/// group

PERSPECTIVES
Redefining stewardship
ICSA: The Governance Institute

PERSPECTIVES
How #MeToo is driving governance changes in the boardroom
Edelman

PERSPECTIVES
Autonomous vehicle partnerships place OEMs’ trade secrets at risk
Fisher Phillips

ONE-ON-ONE INTERVIEW
Digital transformation in the oil industry
DuPont Sustainable Solutions

PERSPECTIVES
US sanctions authorities are speaking through enforcement cases – an in-house’s perspective
Textron Inc.

PERSPECTIVES
US and China: trade, tariffs and regulations
Skadden, Arps, Slate, Meagher & Flom LLP

PERSPECTIVES
The importance of effective governance of non-preferential country of origin
Nokia Global

HOT TOPIC
Transactional insurance
Chubb; Clifford Chance


FOREWORD

Welcome to the twenty-seventh issue of Risk & Compliance, an e-magazine dedicated to the latest developments in corporate risk management and regulatory compliance. Published quarterly by Financier Worldwide, Risk & Compliance draws on the experience and expertise of leading experts in the field to deliver insight on the myriad risks facing global companies, the insurance solutions available to mitigate them, and the in-house processes and controls companies must adopt to manage them.

In this issue we present features on corporate crisis management and on managing operational risk within financial services. We also look at: building a global compliance & ethics programme; integrated risk management and RegTech; AI risk and risk management; the changing threat of financial crime; using digital identity to fight financial crime; data privacy challenges in AML compliance; best execution as best practice; trade surveillance; cyber fraud typologies; digital transformation in the oil industry; transactional insurance; and more.

Thanks go to our esteemed editorial partners for their valued contribution: Acuris Risk Intelligence; Bloomberg; Chubb; Edelman; FTI Consulting; IdentityMind; Navigant Consulting; SAI Global; SAS; Society of Corporate Compliance and Ethics (SCCE); ICSA: The Governance Institute; and ISACA.

– Editor


FEATURE

CORPORATE CRISIS MANAGEMENT

BY RICHARD SUMMERFIELD

Corporate crises can take many forms, from a social media scandal to a natural disaster, and every crisis has the potential to negatively impact a company’s reputation, daily operations and performance, among other things, all of which can have significant financial, legal and regulatory ramifications.

Corporates must be prepared to respond to any disaster with a crisis management programme that brings together a variety of stakeholders who understand the potential implications and can initiate recovery.

Evolution of crises

Technological developments have changed the way corporate crises impact organisations. The growth of social media, for instance, has been one of the driving forces behind this change. There is now a much greater risk of a crisis becoming public, and causing significant additional damage to an organisation. “That increased exposure has led some organisations to take these issues much more seriously in recent years,” says Andrew Terry, a partner at Eversheds Sutherland LLP.

The nature of the news agenda has altered how corporates respond to events, particularly at boardroom and C-suite level. “With today’s 24-hour news cycle and the prominence of social media, companies’ approaches to crisis preparedness and communications have changed drastically in the last five years,” says Lauren Casazza, a litigation partner at Kirkland & Ellis. “Boards of directors and executive management now see that enterprise-level issues can quickly spiral out of control, exposing the company to potential additional legal and reputational risks. Flat-footedness is no longer an option.”

There has been a tectonic shift in the way executive leadership teams now view crisis and reputation risk. “Agile organisations have moved accountability and oversight for crisis and reputation risk oversight to the C-suite and the board, recognising that reactive ‘crisis management’ has become an oxymoron,” says Harlan Loeb, global practice chair at Edelman. “And the data proves the premise as 80 percent of organisations will experience a crisis over the next five years with value destruction hovering at 20 percent.”

Until relatively recently, corporate crisis management was just another task for executives with too many tasks already on their plate, according to Jonathan Bernstein, president of Bernstein Crisis Management, Inc. “Crisis preparedness has been perceived as an expense versus an investment. This is changing steadily, however, as awareness grows about the impact of crises and that many can be mitigated far better than in the past using crisis management strategies and tactics,” he adds.

Corporate crises can take a long time to resolve, and seriously damage an organisation’s reputation.

As such, prevention is the best strategy. “Companies should think through what they can be doing to enhance their policies, procedures, training and other compliance initiatives to help mitigate against the crisis-inducing behaviour occurring,” says Ms Casazza. “In pointing to best in class compliance initiatives, the company can better weather the reputational and legal storm by establishing that the crisis was not caused by a systemic problem, that the company takes that behaviour seriously and it continues to guard against those risks.”

While companies generally do a good job thinking about clear business threats and making plans to protect business platforms, they also need to consider unseen risks. Vulnerability audits can be useful, helping companies to determine current and potential areas of operational weakness. “What companies must be doing now is considering where hidden vulnerabilities lie,” says Sharon Nelles, a partner at Sullivan & Cromwell. “Do you have a high profile CEO? How are you protecting his or her reputation? Are you in a highly regulated industry? What pressures does this put on your workforce? Do you have an internal risk committee? What are they thinking about and who are they reporting to? Senior management needs to be constantly surveying stakeholders to make sure company leadership understands any cultural concerns as seen from the bottom up, and not just the top down. This can be both formal and informal, but it should be constant and evolving.”

There are myriad risks companies face and most are inextricably linked to culture, compliance and leadership. “In nearly every client crisis that we see, the scale of the crisis needlessly traces back to glaring deficiencies in preparation and real-time simulations,” says Mr Loeb. “From data privacy, corporate fraud and workplace misconduct, to misinformation campaigns, digital wildfires and employee walkouts, the root cause virtually always connects to cultural infirmities, insufficiently elastic compliance programmes, and leadership that is not in sync with its employee base and vice versa. Companies that live their values and embolden employees to embrace the corporate mission more than individual self-interest, coupled with compliance programmes that include, but go well beyond rules-based conformity, and leadership that establishes a clear, mutual and bilateral relationship with employees reduces all risks by over 70 percent.”

Best laid plans

Companies need to develop a thorough crisis response plan. This should be set out in a document which outlines the processes to follow when responding to a crisis. For business continuity and crisis management teams, a response plan must provide the blueprint for overcoming an incident, with activation guidelines, a detailed action plan and a crisis communication strategy, among other measures. Crisis response should be led by an individual with in-depth legal and compliance experience who is able to manage day-to-day operational and tactical responses. When a crisis hits there is no time to lose; a response needs to be as flawless and instant as possible. “Information moves fast and crises develop quickly, sometimes before a corporation has time to determine the facts,” says Ms Nelles. “An operational crisis plan does not work if there is an attack on the integrity of a company’s leadership or mission. Because every news cycle brings a new scandal, companies will increasingly prepare for the unimaginable, undertaking tabletop exercises and bringing in outside experts to do a crisis simulation with senior managers who often have conflicting visions of what should happen in times of trouble. It is important to air those differences well before the crisis hits.”

Many organisations fail to plan properly for a crisis of any sort. Some have no plan at all, while others have a plan that sits in a drawer and is never reviewed or updated. “Think about your organisation, what it does, where you think the obvious risks lie – those in a business know it best,” says Mr Terry. “Are there any upcoming issues that increase the risk of an investigation, or of adverse news coverage? These can help frame your crisis plan. Ultimately, it is important to think about it and then paper it and then update it regularly. Identify key personnel and who will take lead roles. Keep that core team small, but consider wider teams for less serious matters or tasks. Start to pull together a plan which sets out steps to be taken in the first hour, then the first 24 hours, then the aftermath.”

Strong communication should feature prominently.

In an increasingly social and connected world, companies can no longer hide, simply say ‘no comment’ or go dark. “Often when a crisis hits, the company may not have all the facts and any internal investigation may be ongoing,” points out Ms Casazza. “Given these pressures and realities, most communication foot faults, from both a legal and reputational standpoint, tend to happen within the first 48 hours of a crisis. It is critical for companies to quickly gather the internal stakeholders and appropriate external consultants to help ensure that the company is thinking through the various costs, benefits and risks of a particular statement or action.”

Failure to issue a statement can create a vacuum which consumers will quickly fill, which can be hugely detrimental. “Every company now operates with the public existing in a ‘callout’ and ‘outrage’ ecosystem,” says Molly McPherson, a communications and public relations specialist.

“More and more customers are taking to social media to vent their opinions about the companies they do business with. If they do not like the product, they will post negative reviews or feedback. If they do not trust a company and its leader, they will create an online community of like-minded customers that form a groundswell of negativity that many shaky leaders cannot survive.”

Companies must also be aware of the importance of the message itself. If it goes wrong a small issue can explode – likewise if dealt with well, the heat can be taken out of a major issue. “Who will be the spokesperson?” asks Mr Terry. “Do they need media training or are they good on their feet? Companies should think about having some reactive statements on standby. Do you have tight control of your social media channels? Are they controlled externally or internally? Who does it? What if it is a weekend or someone is ill? As with any crisis, but especially with media coverage, the first few minutes and hours can be crucial.”

In these all important early hours, it is vital that the key players are on message. Depending on the crisis, any number of people may need to speak, but it is what they say that counts. “A ‘one message’ integrated approach among counsel, outside crisis communications specialists and senior management is necessary,” says Ms Nelles. “This team must decide what can be said, by whom and when. Consistency is credibility, and credibility is paramount to surviving a crisis.”

“The management of corporate crises will evolve away from second-hand information to first-hand sources,” says Ms McPherson. “The term ‘spokesperson’ equates a barrier between the public and the direct news source. Instead of being viewed as a source of valuable, timely information, the spokesperson is looked at as keeping the press — and, by extension, the people — away from the truth of the matter. The public no longer tolerates any barriers to the facts, and with social media now at anyone’s fingertips, they have no problem letting everyone know.”

The future of crisis management

Crisis management continues to evolve. If corporates are to survive crises, they must prioritise preparedness and embed it into their corporate culture. “Instead of being an afterthought or a decision driven by barely surviving a crisis, crisis preparedness in all its forms – vulnerability assessment, planning and training – will be inculcated as part of a company’s culture,” says Mr Bernstein.

The role of general counsel will also become more prominent in the coming years, as companies look to respond to the changing risk landscape, according to Mr Loeb. “Given the ‘age of constant crisis’ in which organisations operate, organisations are relying more heavily on general counsel who are leading the way in crisis and reputation management given their training in multiple variable risk, critical problem solving, and making material decisions with imperfect information,” he says. “In fact, 85 percent of general counsel consider reputation crises the most injurious to the organisation. General counsel and corporate leadership are employing ‘war gaming’ and analogous exercises into their crisis readiness portfolio.”

Failure to successfully manage a crisis can cause financial losses, harm stakeholders and even end the organisation’s very existence. Companies must take adequate steps to protect themselves, and their financial future, from disaster.

FEATURE

MANAGING OPERATIONAL RISK WITHIN FINANCIAL SERVICES

BY FRASER TENNANT

Operational risk is, or should be, at the top of every organisation’s agenda. Its gravity is such that if ignored, the repercussions have the potential to be disastrous – a genuine ‘make or break’ issue.

While a comprehensive understanding of operational risk is clearly in the interests of any organisation, whatever its size and scope, within financial services (FS) it is particularly desirable given the nature of the work the sector undertakes.

How then should we define operational risk and its proximity as a threat? According to the Basel Committee on Banking Supervision, operational risk is: “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. As such, operational risk captures business continuity plans, environmental risk, crisis management, process systems, and operations risk, people-related risks and health and safety, and information technology risks.”

Risk practitioners themselves rank the top operational risks in 2019 as data compromise, IT disruption, IT failure, organisational change, theft and fraud, outsourcing and third-party risk, regulatory risk, data management, model risk, unauthorised trading, Brexit and mis-selling. When these threats, and others, are placed against a backdrop of the more than $200bn of operational risk losses incurred by banks over the past decade, FS firms’ risk practitioners most assuredly have their work cut out for them.

“Operational risk is a very broad topic,” says Nick Parfitt, head of market planning at Acuris Risk Intelligence. “The degree of complexity is influenced by the nature of an organisation, where it operates, its customer base and the products and services it offers. Organisations need to ensure they have the right internal skills, or buy them in from external sources, to identify, articulate and manage risk.

“Organisational culture is generally regarded as being one of the aspects that makes or breaks compliance programmes, but so is having the right staff and the right number of staff,” he continues. “Otherwise, you run the risk of areas being sidelined or poorly observed.”

The reality is that operational risk is virtually omnipresent. “Every organisation faces circumstances or fundamental changes in their situation that can be seen as presenting varying levels of risk to that business, from minor inconveniences to potentially putting its very existence in jeopardy,” says Amit Kothari, chief executive of Tallyfy. “All of these risks need to be managed,” he continues. “The more sophisticated the approach to risk management, the more chance an organisation has to thrive and grow.”

An additional threat to have emerged in recent times to plague risk practitioners is the increasingly complex global sanctions environment. “FS firms are finding it difficult to maintain effectiveness and be able to prove their algorithms for name matching are working, particularly where their client base has exposure to countries that use Cyrillic, Arabic and Chinese alphabets,” explains Mr Parfitt. “There is significant operational risk and potential for regulatory penalties due to poor algorithmic matching or scenarios that are not being considered.”

Whatever the nature of operational risk they face may be, FS firms need to anticipate what could go wrong and plan accordingly, with effective operational risk management (ORM) often the centrepiece of their risk management strategies.

Risk identification

With the potential risks FS firms face plentiful, identifying the ones which specifically pose a threat and quantifying their likely impact is essential – a task often made considerably more difficult due to the sheer complexity of the risk landscape.

In the experience of Manoj Kulwal, an operational risk management expert at Eureka Financial Ltd, the key operational risks FS firms face are: (i) technology and process disruption due to internal factors, such as complex or ageing IT infrastructure; (ii) technology and process disruption due to external factors, such as cyber attacks; and (iii) improper conduct by internal staff, such as mis-selling to clients due to excessive pressure to achieve revenue targets.


“People that understand technology or processes do not understand ORM,” suggests Mr Kulwal. “And those that understand ORM do not understand technology or processes. Due to this, there is a constant friction between the first line and second line of defence as to who is actually responsible for identifying, measuring and managing operational risks. Risk and control assessment methods adopted by most financial institutions are complicated and difficult to use for day-to-day management of operational risks.

“Operational risk methodologies in most FS firms still do not incorporate human and cultural factors,” he continues. “So, there is a significant learning curve for risk practitioners to truly understand the people dimension of operational risk. However, they may need to hire psychologists, social scientists and organisational behaviour experts in order to understand this risk.”

Risk quantification

When applied to a sanctions regime scenario, human and cultural methodologies have the potential to be effective – an important consideration given the severe penalties that can be imposed for non-compliance.

“Firms need to be able to demonstrate that their risk appetite and policies conform to their processes and procedures, and can be proven,” says Mr Parfitt. “To do this, they need to reassess several areas, including their sanctions lists and data providers, their matching process, the locations where they operate and the risk associated with higher-risk jurisdictions, and the end-to-end process of identifying, confirming or discounting alerts generated by systems.

“In terms of risk quantification techniques for global sanctions regimes, the most appropriate strategy is to employ a robust testing methodology with regression testing to ensure that true matches are not being missed,” he continues. “Testing scope and alignment with an enterprise’s internal risk assessment is crucial to pinpointing what is being tested, and where the residual and inherent sanctions risks reside.”

Mitigating risk

An ORM programme can do much to mitigate operational risk and is generally considered to be an essential tool in the risk armoury for any organisation that is serious about avoiding potentially damaging exposures.

According to Tallyfy, the main benefits of implementing an ORM programme are: (i) improving the reliability of business operations; (ii) improving the effectiveness of the risk management operations; (iii) strengthening the decision-making process where risks are involved; (iv) a reduction in losses caused by poorly-identified risks; (v) early identification of unlawful activities; (vi) lower compliance costs; and (vii) a reduction in potential damage from future risks.

“The first stage of any ORM programme is of course to understand the nature of your business and the particular risks associated with it,” says Mr Kothari. “If you manage a company that runs water ski lessons, there will be risks your business will face that are very different to a company that creates technology for vending machines. Spending time worrying about risks that are nothing to do with you is just wasting time.”

Allied to the success of an ORM programme is a strong risk reporting function. “Risk reporting is simply good practice, as is model risk management,” adds Mr Parfitt. “The key is to ensure they are in proportion with the size and risk profile of the business. Otherwise they could become unworkable and ineffective.”

Equally clear as to the importance of risk reports is Mr Kothari: “Any ORM plan must have something in place for the ongoing monitoring and reporting of these risks, if only to demonstrate how effective the plan has been. Most of all, the reporting function is there to ensure that solutions put in place are continuing to be effective and doing their job in managing risks.”

Ensuring effective compliance

Even with a solid ORM programme in place, FS firms may still find themselves having to up their game, especially in light of an increasingly stringent regulatory environment and associated fines in the event of non-compliance.

“There is always room for improvement due to the constant tensions between ever-increasing regulatory scope, and the drive to make operations both efficient and effective,” says Mr Parfitt. “There are also varying degrees of maturity depending on the compliance programme or regulatory requirements.

“Anti-money laundering (AML) and counter-terrorist financing (CTF) programmes have been around for 10 to 15 years and are generally effective,” he continues. “However, as the recent Danske Bank, Swedbank and Countrywide Estate Agents cases illustrate, AML compliance programmes are not always implemented effectively. Ultimately, and particularly for smaller FS firms, reputational risk exposure is just as important as material fines and should be considered a key part of any compliance programme.”

According to Mr Kulwal, firms need to integrate ORM as part of business decision making. “Every key business decision either introduces a new operational risk or changes the exposure of current operational risks,” he suggests. “Without considering operational risks within key business decisions, organisations may be unknowingly increasing their operational risk exposure.”

Evolving operational risks

With the operational risk landscape continuing to evolve, FS firms need to ensure their risk management strategies evolve in tandem.


“There is no doubt that the amount of regulation is only increasing, and this is exacerbated for organisations operating in multiple jurisdictions,” says Mr Parfitt. “The big hope and expectation is that technology will make dealing with regulations easier and more effective, freeing up more resources to look at where the organisation’s risks and opportunities really reside.

“Successful financial institutions will be those that embrace and embed risk principles and requirements into their business ‘DNA’, similarly to how successful companies manage their information security risks and procedures,” he continues. “They have to be the first and last considerations when dealing with customers, suppliers, regulators, new business initiatives and overall business strategy.”

For Mr Kulwal, it is vital that FS firms connect operational risks with their business objectives. “It is shocking how few actually do this,” he observes. “Without this connection, significant parts of operational risk resources are being wasted on trivial risks, taking resources away from critical risks.”

In a rapidly evolving and increasingly complex operational risk environment, immediacy is key. Act swiftly and risks can be managed and damage minimised. Respond slowly, and the scenario is likely to be much less comfortable.


EXPERT FORUM

BUILDING A GLOBAL COMPLIANCE & ETHICS PROGRAMME: LEADERSHIP

MODERATOR

Tapan Debnath is a specialist corporate investigation and compliance practitioner with over 15 years’ post-qualification experience. He serves Nokia as head of investigations for EMEA, managing some of the company’s most sensitive and high-profile matters. He is also compliance lead for a business group and is acting trade compliance counsel. Prior to Nokia, he spent five years at the UK Serious Fraud Office (SFO) investigating and prosecuting serious cases of bribery & corruption, fraud and money laundering. During this time, he was involved in developing the rules governing deferred prosecution agreements (DPAs).

Tapan Debnath, Senior Legal Counsel, Nokia Corporation. T: +44 (0)7342 089 528. E: tapan.debnath@nokia.com

PANEL EXPERTS

Andrew Durant is a senior managing director in the forensic & litigation consulting segment at FTI Consulting and is based in London. He has worked in the forensic accounting sector for over 25 years, and has experience across a number of industries investigating a range of issues including financial statement fraud, stock and other asset losses, theft of confidential data, procurement and sales fraud, corruption and bribery, and investment fraud, due diligence and asset tracing assignments.

Andrew Durant, Senior Managing Director, FTI Consulting. T: +44 (0)20 3727 1144. E: andrew.durant@fticonsulting.com

Wayne Anthony is a managing director in the forensic & litigation consulting segment at FTI Consulting and is based in London. He has more than 20 years of experience working in the forensic accounting field undertaking investigations, compliance reviews, financial crime investigations, asset tracing projects, litigation and dispute advisory work. His forensic accounting experience spans a wide range of industries including energy, financial services, manufacturing, pharmaceutical, publishing, engineering and charities.

Wayne Anthony, Managing Director, FTI Consulting. T: +44 (0)20 3727 1613. E: wayne.anthony@fticonsulting.com

Sam Eastwood is a partner in Mayer Brown’s litigation practice in London and a member of the firm’s white-collar defence and compliance practice, which represents corporations, boards of directors, board committees, executives and public officials in criminal, civil and regulatory enforcement proceedings around the world. He advises on ethics, anti-corruption and human rights issues in connection with companies’ internal compliance policies and procedures and international business transactions. He also has significant experience in cross-border corporate investigations involving complex financial and accounting issues and anti-corruption matters throughout Africa, Asia, Europe (particularly the Nordic region), the Middle East and South America.

Sam Eastwood, Partner, Mayer Brown. T: +44 (0)20 3130 3087. E: seastwood@mayerbrown.com


Debnath: What are the key ingredients for an effective compliance function?

Anthony: Today, an effective compliance function is an essential part of an organisation’s ability to build trust with its customers, suppliers, employees and other stakeholders. For a compliance function to be effective, there are several key ingredients it must contain. It must have a designated chief compliance officer (CCO) who has a direct reporting line to the board. The CCO should have a clear mandate to identify, rectify and prevent compliance failures.

The compliance function must enjoy sufficient independence from the business to perform its role objectively, including a direct line of communication from staff to the CCO. It must also have the ability to accurately assess the organisation’s risk and design, and implement appropriate controls based on those risks. There must also be written policies and procedures in place that clearly set out what is and what is not acceptable, together with the relevant sanctions. Adequate training must also be provided in order to ensure that key policies and messages are well understood by all staff. Finally, the compliance function must be adequately resourced and made up of a skilled team which is able to perform its role, including training, auditing and monitoring, effectively.

Eastwood: There are many factors that underpin an effective compliance function. First and foremost, the board and the company’s senior management team must understand, respect and support the compliance function. This is a critical foundation block. Compliance personnel must also have relevant experience and qualifications, the staffing and budget, ideally a standalone budget, to carry out their responsibilities effectively. Internal relationships are a crucial ingredient of success. The compliance team should work closely with other functions, such as legal, risk, finance, human resources, procurement, sales, internal control and internal audit, all of whom should recognise and carry out their own responsibilities for delivering effective compliance.

The compliance function should also have a direct reporting line to one or more board members and to the audit committee. Compliance reporting to the board and audit committee should be documented.

Finally, the compliance function should form relationships of partnership and trust with external counsel who should provide complementary technical expertise, experience, independence and challenge.

Debnath: Can the compliance function be truly independent from the business? Should it be?

Eastwood: The compliance function’s position within an organisation, and related reporting lines, will vary depending on the size and nature of the organisation. Increasingly, and in larger organisations in particular, compliance will be a standalone function with clear autonomy and independence.

Often, however, compliance will be positioned within another function, commonly the legal department, but it could also be within the human resources or risk functions, for instance. To the extent possible, people with responsibility for compliance should be organised independently from the operational part of the organisation.

Organisational structure aside, it is very important that, wherever compliance is positioned, its responsibilities, functions, reporting lines and authority are clearly documented and understood within the business, to preserve its independence. Compliance, like other second lines of defence, should act independently of the business it monitors and controls. It verifies and monitors that the business operates in accordance with external and internal rules and regulations. The compliance function’s remuneration model should not contain significant performance-based elements which might compromise the independence of compliance staff.

Durant: For a compliance function to be effective and add value to an organisation, it must have a close working relationship with the business. It must understand how the business operates, the risks it faces and be able to anticipate its needs. This close relationship is integral to the delivery of good service.

However, it can also become an obstacle to the achievement of objectivity, which is essential for the compliance function when dealing with significant and sensitive issues, particularly where there is pressure from shareholders and other stakeholders who are focused on continuing growth. Managing this contradiction is one of the major challenges facing the compliance function today. The compliance function should be independent from the business in order for it to have the credibility required to build trust with its customers, suppliers, employees and other stakeholders, including regulators. Furthermore, when required, the immediate desires of the business and financial stakeholders will have to be overridden in the interest of compliance.


Debnath: What can compliance do to be taken seriously by senior management and the board?

Anthony: For compliance to be taken seriously by senior management and the board it is important for it to be able to explain the benefits it can bring to the business, rather than focusing on the ultimate risk of fines, penalties and sanctions resulting from a regulatory breach. The compliance function should use its seat at the top table to explain that having a clear and effective compliance programme is not only the right thing to do, but that it also makes good business sense. The benefits of a comprehensive compliance function include establishing customer trust and brand loyalty by building a reputation as a business that does the right thing. No-one wants to do business with an organisation that has a known reputation for non-compliance with regulations. It should also help to attract and retain high-quality individuals – good staff do not want to work for a business under investigation by a regulator and may vote with their feet. It should also encourage the business to apply best practices in areas where it tends not to invest, such as IT processes, recordkeeping and data protection. A compliance function should help the company to focus on supply chain management, for example the reduction of suppliers, as managing third-party risk for a large number of suppliers that are rarely used is a major and costly challenge. Initiating an effective information governance programme can help the business to identify, consolidate and analyse its records, which, in turn, will quickly and clearly demonstrate compliance to a regulator, auditor, the public and other stakeholders. This data can also be used for mining existing and new customers, as well as identifying cost savings. Finally, compliance can boost the bottom line by simply avoiding large-scale fines and penalties issued by regulators. A business that spends less time dealing with a regulatory investigation has more time to concentrate on its business strategy and gaining market share from its competitors.

Eastwood: Compliance has to demonstrate that it understands the business, to work within existing structures and processes to the extent possible, and to ‘make the case’, which is not always easy without a ready crisis and when the company’s finances are stretched. Emerging legislation, with a particular focus on expanding corporate criminal liability and increased enforcement activity, particularly outside the US, are important factors. The approach toward the compliance of investors and financial institutions, and increased external scrutiny for the press and non-governmental organisations (NGOs), are equally important considerations which compliance should highlight with senior management and the board.

How will the CEO handle a well-informed intervention at the company’s annual general meeting (AGM)? Is senior management comfortable with the increased array of compliance-related representations and warranties demanded by financial institutions?

Debnath: How does compliance justify pursuing worthy and important compliance initiatives and projects, when cutting costs seems the order of the day?

Eastwood: The cost of getting compliance wrong can, of course, be prohibitive, both in terms of fines, lost business, debarment, litigation and related remediation costs. The impact on individuals can also be significant, including fines, prison sentences and termination of employment. Benchmarking can be a persuasive tool, and regular independent external assurance, as ‘expected’ by regulators and investors, can help senior management and boards to grasp the importance of effective risk identification and prevention.

Furthermore, a robust compliance programme can enhance the value of a company’s brand, particularly in light of the increased focus on responsible business conduct from investors, suppliers and customers alike.

Durant: As with all businesses, the key focus is on the bottom line and compliance is often seen as a mandatory cost to the business, using up valuable time, effort and resources with very little benefit. For compliance teams to justify pursuing worthy and important compliance initiatives and projects, they need to clearly explain the risks and benefits associated with their work. Most businesses understand the risks associated with non-compliance, namely fines, penalties and sanctions, but many companies do not fully understand the benefits that the compliance function can bring to the business, including boosting the bottom line by simply avoiding the hefty fines and penalties issued by regulators. A business that spends less time dealing with regulatory investigations has more time to focus on its core business and growth targets.

Debnath: How can senior managers demonstrate a genuine and unflinching commitment to doing the right thing – walking the walk, as well as talking the talk?

Anthony: For any compliance programme to be effective and have value to the business it must be fully supported by senior management with a genuine commitment to doing the right thing. To demonstrate this, a company should have a defined organisational structure, with clearly documented roles and responsibilities for the board, chief executive and CCO. The company must also appoint the right people for the right job. For example, the CCO should be a person beyond reproach and someone who has the respect of all employees. The CEO and board must issue clear and regular internal and external statements about the importance of compliance to keep it top of mind. The company should also highlight good and bad examples of compliance. For example, do not hide the things that went wrong and use them as ‘lessons learnt’, setting out how it has responded to setbacks. Companies should also ensure that the key compliance and ethics messages cascade down throughout the global organisation on a regular basis. The rules should be applied consistently and companies should ensure that they do not make exceptions for any employee, irrespective of their seniority or geographic location.

Finally, senior management should actively participate and wherever possible lead in all compliance training and events.

Eastwood: Senior managers should reflect on the compliance-related information they request and review as a matter of course. To what extent is there documented evidence of consideration of compliance-related matters? Can senior management point to concrete actions undertaken to demonstrate leadership in the company’s compliance and related remediation efforts? Are senior management picking up on compliance shortcomings? How have senior management overseen and responded to apparent misconduct and related investigations? Are senior management prepared to turn away business opportunities, dismiss successful employees, entertain voluntary reporting to the authorities and meet the consequences? What do staff say about senior management? The answers to these questions can be very revealing.

Debnath: Should compensation be tied to compliance goals and objectives?

Eastwood: It is important that a business considers the implications of its incentives and rewards – including third-party remuneration structures – on compliance. In addition, compliance should be able to point to specific instances of actions taken, such as promotions or awards being denied, as a result of compliance and ethics considerations.

There should be compliance goals and objectives and the annual employee appraisal is a good opportunity to reinforce the importance of compliance. Whether compensation should be tied to compliance goals and objectives is more moot, however. Employees should not need to be incentivised to act in accordance with external and internal rules and regulations. On the other hand, a failure to so act should impact on compensation, long-term prospects and, depending on the circumstances, should lead to termination of employment.

Durant: Current legislation in several countries means that compensation should align with performance. But in the eyes of investors, performance is determined by sales and profits, which may lead to unethical behaviour. However, companies are explicitly stating in their remuneration policies and codes of conduct that compensation is linked to ethical behaviour. This leads to a dilemma for management, who may be torn between profits at all costs and compliance. Linking compensation to compliance goals and objectives helps to focus management’s attention, emphasises the importance of compliance, rewards people for doing the right thing and motivates staff.

However, there are risks that need to be considered when linking compensation to compliance goals, such as promoting obsessive focusing on one target. Any improperly structured programme may promote bad behaviour and could encourage the manipulation of performance indicators to generate the desired financial result.

Debnath: What local labour law and other pitfalls need to be considered by the compliance function when a company operates in numerous countries?

Anthony: In today’s fast-paced environment, it is imperative that compliance functions keep up to date with changing regulations in the countries in which they operate, none more so than local labour laws. The compliance function must accept that one size does not fit all, however. They must develop a clear understanding of local laws and requirements to ensure that the business’ policies and procedures do not conflict with local statutory regulations, thus avoiding violations of employment law, such as termination without cause or proper notice, illegal non-compete clauses prohibiting related work or non-payment of statutory severance, which may be higher than under the business’s policies. Other


labour-related issues include when a business seconds an employee overseas, which can have added complications as the employee may have rights in both the home and host country. There is also a risk where an employee is seconded to a country where compliance may not have been fully embedded, which can result in the employee potentially bringing non-compliant activities back to their home country. Other pitfalls compliance functions need to be aware of when operating in global organisations are cultural differences between countries; for example, whistleblowing can be culturally difficult in certain countries, such as France, Turkey and parts of the Middle East. Also, at the beginning of 2019, Germany, France and Britain established a mechanism to avoid US sanctions and conduct non-US dollar trade with Iran. The initial focus is on humanitarian goods to help the Iranian people, but the intention is to allow European companies to trade in a wider range of goods, even those subject to US sanctions. However, there is a major concern whether the US Treasury will view the mechanism as a target for sanctions, warning any European entity trading with Iran with US connections or using dollars that it can be subject to punitive fines. This legislative difference will be a major challenge for companies operating in Europe and the US.

Eastwood: The boundaries between a human resources and a compliance issue might not always be clear. Human resources should be working hand in glove with the compliance function; it is an important ally. It is also important that compliance is mindful of important limitations and stipulations of different countries’ labour laws, which might restrict the ability to have an anonymous reporting line, for example, or require employee consultation prior to the introduction of new or revised internal rules and regulations. Local labour laws should inform, and can complicate, local compliance processes and associated investigations.

Debnath: What advice would you offer on carrying out timely, impartial and fair investigations and then following-up with remedial actions?


Eastwood: In-house investigation capabilities are becoming more sophisticated. An effective compliance programme will raise issues that need to be investigated; it is not a good sign when companies assert that they have not had any internal investigations or whistleblower reports. Companies should rely on experienced in-house personnel, if possible, to carry out internal investigations, although there are times when external resources are critical, either to partner with the in-house team or to provide robust, well resourced independent expertise.

Responding to whistleblowers requires particular skill, and training for all who are likely to be involved is imperative. Companies should certainly have procedures for triaging, handling and reporting on investigations, an investigation protocol, standards for assessing the quality and speed of investigations and a documented process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations.

Durant: When undertaking any internal investigation, especially those involving employees, it is crucial that the investigation starts as soon as the allegation or information concerning the potential breach emerges. Delays in commencing an investigation risk the loss of crucial electronic and hardcopy information. Also, memories can fade and stories can change over time. Furthermore, if it leads to a subsequent regulatory enquiry, it will be imperative for the business to demonstrate that it took appropriate, timely and proportionate actions in response to the allegations. The investigation must be, and must be seen to be, impartial and fair from the very beginning to avoid any potential accusations at a later stage. This will reduce the chances of any subsequent litigation from the employees accused of wrongdoing. It will also give any regulator peace of mind that matters are not being simply swept under the carpet by a ‘compliant’ internal team. If there are any concerns that the business cannot conduct, or be seen to conduct, an impartial investigation, it should consider instructing a third party to undertake the investigation. It is also important to establish an open dialogue with all concerned parties, including those accused of the wrongdoing and any regulator, to ensure that there cannot be any retrospective criticism. There may also need to be some dialogue with other stakeholders, such as unions, customers and suppliers, to ensure that the company retains their confidence. Finally, when conducting investigations, it is important for businesses to learn from a breach and quickly put measures in place to stop it from happening again.

A robust remediation programme resulting from an investigation is important to demonstrate to any regulator, employees, shareholders, customers and other stakeholders that the business is serious about compliance and has taken all the necessary steps to prevent a reoccurrence.
