OCT-DEC 2019


www.riskandcompliancemagazine.com

OCT-DEC 2019

Risk & Compliance (R&C)

Inside this issue:

FEATURE: Managing third-party risk

EXPERT FORUM: Building a global compliance & ethics programme: risk assessment and monitoring

HOT TOPIC: Open banking opportunities and risk considerations

Join a community of 7,600+ compliance and ethics professionals. Gain access to a wealth of knowledge, resources, and industry connections. Become a member of the Society of Corporate Compliance and Ethics (SCCE).

Find out what SCCE can do for you

Educational Conferences

Enjoy registration discounts for a robust calendar of events, ranging from weekly webinars, one-day regional conferences, to three-and-a-half day national conferences, and classroom-style academies covering the basics of compliance and ethics.

Publications and Resources

Solve your compliance problems with our valuable publications at a discounted rate. In addition you will receive our monthly members-only publication, CEP Magazine. Stay up-to-date on the latest compliance practices and news.

CEUs & Certification

Receive discounts on Compliance Certification Board (CCB)® certification exams. Flex your knowledge of compliance and be a resource in your field.

Networking Opportunities

Don’t feel stranded on a compliance island. Meet and connect at SCCE events and share ideas on SCCEnet, our thriving online healthcare compliance community.

Join today

corporatecompliance.org/membership


RISK & COMPLIANCE Oct-Dec 2019 3

CONTENTS

006  FOREWORD

009  FEATURE: Managing third-party risk

016  FEATURE: Blockchain risk management

126  EDITORIAL PARTNERS

023  EXPERT FORUM: Building a global compliance & ethics programme: risk assessment and monitoring (Nokia Corporation; FTI Consulting; Mayer Brown)

036  PERSPECTIVES: Localisation of compliance processes (Society of Corporate Compliance and Ethics (SCCE))

042  PERSPECTIVES: Organisational integrity as a new approach to compliance (SheppardMullin)

047  PERSPECTIVES: Beyond so-called ‘speak up culture’: from preaching to practice (University of Virginia Darden School of Business)

052  PERSPECTIVES: Building a balanced board (The Chartered Governance Institute (ICSA))

057  PERSPECTIVES: De-risking human nature: a few of the biases that can lead to or head off a crisis (Edelman)

062  PERSPECTIVES: Mergers, acquisitions, hubris and behavioural corporate finance (Santa Clara University)

Editor: Mark Williams
Associate Editor: Fraser Tennant
Associate Editor: Richard Summerfield
Publisher: Peter Livingstone
Publisher: James Spavin
Production: Mark Truman
Design: Karen Watkins

Risk & Compliance is published by Financier Worldwide Ltd, 23rd Floor, Alpha Tower, Suffolk Street, Queensway, Birmingham B1 1TT, United Kingdom. Tel: +44 (0)845 345 0456. Email: riskandcompliance@financierworldwide.com. Web: www.riskandcompliancemagazine.com. ISSN: 2056-8975

© 2019 FINANCIER WORLDWIDE LTD All rights reserved.

No part of this publication may be copied, reproduced, transmitted or held in a retrievable system without the written permission of the publishers. Whilst every effort is made to ensure the accuracy of all material published in Financier Worldwide, the publishers accept no responsibility for any errors or omissions, nor for any claims made as a result of such errors or omissions. Views expressed by contributors are not necessarily those of the publishers. Any statements expressed by professionals in this publication are understood to be general opinions and should not be relied upon as legal or financial advice.

Opinions expressed herein do not necessarily represent the views of the author’s firms or clients.

Financier Worldwide reserves full rights of international use of all published materials and all material is protected by copyright. Financier Worldwide retains the right to reprint any or all editorial material for promotional or nonprofit use, with credit given.

065  PERSPECTIVES: Third-party risk management – quo vadis? (Novartis)

070  PERSPECTIVES: Customs attributes data quality – a big gain if handled properly, a huge risk if not (Nokia Global)

074  ONE-ON-ONE INTERVIEW: Background investigations (Corporate Research and Investigations Limited)

079  MINI-ROUNDTABLE: The impact of financial technology (Navigant)

083  ONE-ON-ONE INTERVIEW: Liquidity risk management (SAS)

088  ONE-ON-ONE INTERVIEW: Risk transformation (SAS)

093  PERSPECTIVES: The ransomware problem: how financial institutions can mitigate reputational risk (Edelman)

097  MINI-ROUNDTABLE: Cyber and ransomware risks facing financial institutions (Acuris Risk Intelligence; Cybersecurity Law Report)

102  PERSPECTIVES: Machine learning strategies for cyber security (ISACA)

107  ONE-ON-ONE INTERVIEW: The 6th Anti-Money Laundering Directive (Acuris Risk Intelligence)

111  PERSPECTIVES: Third-country equivalence in EU banking and financial regulation (Squire Patton Boggs)

120  HOT TOPIC: Open banking opportunities and risk considerations (HSBC; FTI Consulting)

FOREWORD

Welcome to the twenty-seventh issue of Risk & Compliance, an e-magazine dedicated to the latest developments in corporate risk management and regulatory compliance. Published quarterly by Financier Worldwide, Risk & Compliance draws on the experience and expertise of leading experts in the field to deliver insight on the myriad risks facing global companies, the insurance solutions available to mitigate them, and the in-house processes and controls companies must adopt to manage them.

In this issue we present features on corporate crisis management and on managing operational risk within financial services. We also look at: building a global compliance & ethics programme; integrated risk management and RegTech; AI risk and risk management; the changing threat of financial crime; using digital identity to fight financial crime; data privacy challenges in AML compliance; best execution as best practice; trade surveillance; cyber fraud typologies; digital transformation in the oil industry; transactional insurance; and more.

Thanks go to our esteemed editorial partners for their valued contribution: Acuris Risk Intelligence; Bloomberg; Chubb; Edelman; FTI Consulting; IdentityMind; Navigant Consulting; SAI Global; SAS; Society of Corporate Compliance and Ethics (SCCE); ICSA: The Governance Institute; and ISACA.

– Editor


FEATURE

MANAGING THIRD-PARTY RISK

BY FRASER TENNANT

A third-party risk management (TPRM) programme is one of a company’s most important policies. Indeed, in some scenarios, an effective TPRM programme can be the difference between smooth operations and damaging disruption.

On the one hand, using third parties – be it suppliers, agents, intermediaries, advisers or consultants, among others – can help a company to reduce time to market, cut service delivery costs and access skills not available in-house. On the other, too great a reliance on third parties increases exposure to cyber, financial, operational, regulatory and reputational risks.

According to the CA Technologies report ‘Five Best Practices to Manage and Control Third-Party Risk’, data security risk caused by third parties is particularly pervasive, with 65 percent of breaches traced back to a third party. However, the report also notes that only 16 percent of companies evaluate third parties’ cyber security more than once a year.

“The biggest risk working with third parties is a lack of knowledge of the transactions they perform, no matter what type of partner they are,” says Sam Abadir, vice president of industry solutions at Lockpath. “Inside your own company you have much more control and insight to people, processes and technologies. When you employ a third party you often lose the ability to see risks. No matter the type of third party a company engages with, it is employed to create value. But often there is no intimate knowledge of how well it is performing.”

Christopher Dorr, principal consultant at RiskPilot Advisory Services, believes that the main risks facing companies are operational and data security-orientated. “Operational risk arises from the fact that most companies today have integrated third parties so deeply in their business processes that if the third party fails, it can take down your company as well,” he suggests. “Information security risk arises from the fact that ‘data’ is often the single biggest asset that your company has, such as client lists and intellectual property (IP).

“Companies can control such assets when in their own environment, but it is a more difficult prospect when in someone else’s hands,” he continues. “A good model to use when looking at risk across the entire third-party relationship is the PESTLE model: political, economic, social, technological, legal and environmental.”

Assembling a TPRM programme

In order to identify and respond to the risks posed by third parties, companies need to implement a suitably robust TPRM programme. “Start with the basics,” advises Mr Dorr. “Any risk management is better than none. The first step, and often one of the hardest, is being aware of all the third parties you are doing business with. Many companies are shocked to find out how many third parties they actually use.”

According to Subhashis Nath, service line leader, enterprise risk and compliance at Genpact, a successful TPRM programme needs to have: (i) organisational buy-in driven by the tone at the top; (ii) a delineated target operating model; (iii) a well-defined risk management framework, including risk appetites, risk assessment processes and relevant digital enablers; and (iv) a governance model to monitor regulatory requirements.

One of the main difficulties companies face when implementing a TPRM programme is the complexities inherent in an increasingly globalised business environment, wherein third parties in developing nations may be far less advanced in terms of their transparency and anti-corruption measures.

“Most large corporations are looking to drive greater market share in developing nations and many of these nations come with higher levels of exposure to non-compliance,” says Mr Nath. “Hence, it is getting increasingly important for corporations to adopt digital platforms and interventions ranging from machine learning (ML) to text mining and beyond.

“Effective monitoring through interactive front-end visualisation tools to monitor third parties is also becoming a necessity for large organisations,” he continues. “The major challenge in doing business with third parties from developing nations stems from a limited visibility of a supplier’s practices and a perceived lack of transparency around their regulatory compliance requirements.”

In the view of Sean O’Brien, managing director at DVV Solutions, it is important for companies not to treat TPRM as a standalone activity. “A TPRM programme should form part of a company’s efforts in operational resilience,” he suggests.

“TPRM assessment findings, analysis and recommendations should feed into an enterprise risk management (ERM) framework, with regularly updated control information passing between the two.”

Roles and responsibilities

For many companies, exposure to third-party risk is often due to insufficient due diligence at the beginning of a new business venture. Moreover, there is often a failure to establish where in the hierarchy responsibility for assessing risk levels, identifying red flags and monitoring relationships should reside.

“Historically, companies have not been paying significant attention to due diligence procedures while onboarding new third parties,” says Mr Nath.

“It has largely been driven as a siloed approach where, as a reactionary measure to previous supplier failures, sporadic checks may be performed by the procurement team. This gradually becomes a box-ticking exercise.

“Understanding third-party risks is a joint responsibility between a company’s sourcing function and its compliance group, and needs to be monitored effectively by the controllership team,” he continues. “In most situations, it is a lack of seamless coordination across these functions that results in an ineffective TPRM programme. In addition, TPRM has historically been viewed as a discretionary spend, hence companies with difficult financial situations often ignore it and expose themselves to potential risks that have a multiplier effect exposure to the spend required to mitigate these risks.”

In the experience of Mr Abadir, very few companies give due diligence the attention it needs, both at the beginning of a relationship and during a relationship. “Many companies are, often unknowingly, overwhelmed by their vendor risk programme,” he explains. “They are not efficient enough in adequately assessing the true level of risk vendors provide and performing the right level of due diligence on a regular, risk-defined, basis. Many risk managers and executives are under the false impression that because the company is doing well, that risk is also being managed well.”

In order to avoid complacency, Mr O’Brien believes that companies should treat TPRM as a team sport, overseen by a steering committee of key stakeholders. “Members of a committee would typically oversee and have overall responsibility for the execution of the TPRM programme, with owners for specific services or risk identified to implement, manage and maintain controls,” he explains.

Ending a vendor

When it comes to the termination of a third party, companies need to plan to sever ties without causing major operational disruption – a task many practitioners believe should get underway at the very outset of a vendor relationship.

“Ideally, companies plan for the end, and understand the risks and criticalities of third parties from the very beginning of engagement,” says Mr O’Brien. “However, the reality for many is that even standard ‘end-of-life’ processes are unlikely to have been defined, and certainly not for each specific service or service provider contract. In any case, a stringent business and risk analysis should support the decision to terminate an existing relationship and a well-documented plan and process for the migration of data, resources and skills to the alternative provider, executed and overseen by key stakeholders.”

Agreeing with the notion of envisaging the end of a vendor relationship at the beginning is Mr Abadir.

“Plan to terminate the relationship when establishing the relationship,” agrees Mr Abadir. “Beyond that, understand exactly the support the third party provides. Do they supply data, services and products? Where in your processes are these inputs and outputs required? Are they required in your business continuity or resiliency plans? With this knowledge, a company has a better understanding of where disruptions could occur.”

So, while the severance of a third-party relationship may result in some degree of disruption, companies with robust policies and procedures in place – both automated and manual – will be much better-placed to deal with any short-term difficulties.

“Ensure that business continuity plans are developed, operationalised and tested, and allow for manual operation of critical processes during the transition to a new third party,” suggests Mr Dorr. “Also, be absolutely certain as to what will happen to your data. What information does the terminated third party have? Will they agree to destroy it or transfer it back to you? If your data is breached from this third party, it does not matter that the relationship is over. A company may still be on the hook, potentially for millions of dollars.”

Evolving risks

The world of third-party risk is constantly evolving. Not only is there an increasing number of threat vectors for companies to be concerned by, but also rapidly escalating regulatory expectations.

“Companies need to utilise expertise that enables them to periodically update their TPRM framework to manage expanding regulatory expectations,” believes Mr Nath. “Companies can do this by benchmarking with industry peers, seeking external advisory support, working with the regulators or by investing in internal capabilities. Driving digital leverage is the most critical change that needs to be brought about in the world of third-party compliance.

“Digital has historically been a domain led by sourcing and compliance groups in companies whose core competency has been around continuously improving strategic sourcing, as well as staying up-to-speed in an evolving world of regulation,” he continues. “With sources of risk increasing significantly, embracing technology is something that all companies need to get better at.”

Ultimately, a trust and verify approach to TPRM is the key to success, says Mr O’Brien. “Know your third parties,” he suggests. “Understand what services they provide and then tier them based on how critical each of those relationships and services are. Aligning expectations and risk cultures can yield great value, and ensure that any issues can be addressed quickly and to the benefit of both parties.”

FEATURE

BLOCKCHAIN RISK MANAGEMENT

BY RICHARD SUMMERFIELD

For its many exponents, blockchain, far more than bitcoin and the other cryptocurrencies which have been built on its decentralised framework, represents the future of many aspects of business and, indeed, day-to-day life.

The blockchain, essentially an encrypted, distributed ledger, may fundamentally change financial services, the internet, international development, the sharing economy and everything in between. It will enable organisations to lower costs, decrease interaction or settlement times and improve transparency. It will revolutionise the way we interact with companies and transform peer to peer transactions.

In light of these and other applications, enthusiasm for blockchain from big banks and financial institutions and other organisations is gaining momentum. According to International Data Corporation (IDC), worldwide investment in blockchain solutions is forecast to reach $11.7bn in 2022. Meanwhile, in a recent Deloitte survey of over 1000 senior executives, almost half of respondents said they expect their organisations to bring blockchain into production within the next year, while over 30 percent stated that they are already operating on blockchain. According to McKinsey, leading technology players are also heavily investing in blockchain: IBM has more than 1000 staff and $200m invested in the blockchain-powered Internet of Things (IoT).

Blockchain’s potential applications are legion, particularly in the financial services space, where it already underpins some cross-border payments and processing.

Smart contracts, cloud storage with encryption, supply chain accountability and many other functions are likely to be driven by advancements in the coming years.

Beyond financial services, some analysts suggest blockchain will become the foundational technology for the future of risk management.

Blockchain as a risk

Like many other digital technologies which have emerged over the last decade, blockchain has brought considerable disruption to many industries, despite its relative immaturity. From a risk management perspective, the state of blockchain and risk management is both exploratory and embryonic. Discussions around how the technology can be used in the financial services industry, for example, have been fairly recent. “Presently there seems to be more focus on how the technology can be used strategically, to create efficiencies or competitive advantages, and less on the risks that the technology itself could introduce,” says Kathryn Trkla, a partner at Foley & Lardner LLP. “A company considering the use of blockchain technology should carefully assess the intended use case, system security, including user access, system scalability and reliability, the roles and responsibilities of individuals responsible for designing, operating, maintaining and improving the system and interoperability, both to internal and external systems, to identify vulnerabilities that use of the technology could introduce.”

In the event that companies are not prepared, blockchain could present myriad risks, including strategic, reputational, business continuity, information security, regulatory, operational, IT, contractual and supplier.

To that end, blockchain is like any other form of new technology: there will always be risk and trust implications to overcome, and before blockchain is used to develop risk management protocols, companies must have comprehensive control frameworks in place to ensure that the rollout meets governance, risk management and control requirements.

Accordingly, a robust risk management strategy, governance and control framework should be considered. “Companies integrating blockchain technologies should consider adopting a front-loaded risk management process due to the difficulty of making product changes after rollout,” says Allison W. Gaul, an attorney at Kilpatrick Townsend & Stockton LLP. “A traditional software company can cure a regulatory violation or security vulnerability by patching the affected product, but any such flaw in the blockchain rules may necessitate an onerous hard fork of the product, with problems encoded in earlier blocks remaining indefinitely memorialised. Risk functions can account for this reality by heightening management’s understanding of the applicable regulatory regimes and, where appropriate, prioritising uses that minimise exposure to regulated products or data.”

Companies intending to utilise blockchain must first develop a solid understanding of the technology.

They must be aware, for example, that there are different kinds of blockchains. Significant distinctions must be made between a public blockchain that anyone in the world can read and a private or restricted blockchain that can only be accessed by authorised parties. Furthermore, blockchains can be written so that only authorised or permissioned parties may transact. Most large financial institutions are developing private, permissioned blockchains at present. However, both permissioned and permissionless chains present organisations with challenges. “Data privacy issues in blockchain are important as most public permissionless chains are only pseudonymous; that is, they do not hide actual transactions but rather only use wallet addresses to identify the sender and recipient,” explains Michael Bacina, a partner at Piper Alderman. “This enables anyone to observe and potentially track the flow of transactions through the system. Even if a public permissionless does not include personal information, it may be possible to retrospectively identify users from transactions, which is a critical consideration and why most enterprise deployments are not on public blockchains.”

The architecture of blockchain presents several unique risk vectors, including the difficulty of removing personal data once added, the potential for a majority of nodes to be compromised and the potential of quantum computing power to threaten cryptographic block protection methods presently considered secure. “Privacy laws like the California Consumer Privacy Act (CCPA) increasingly provide broad consumer rights like deletion of personal data,” explains Tony Glosson, an attorney at Kilpatrick Townsend & Stockton LLP. “Adherence to such regulations may be difficult in a blockchain, in which data once entered cannot be removed, only updated. Squaring this circle will likely require development of creative solutions to make personal data inaccessible or no longer identifiable within the scope of the statute.”

In order to identify which business function is ultimately responsible for managing the implications and exploring the potential of blockchain, it is important to understand how an enterprise expects to use the technology, how it interrelates with other systems, and the roles and functions of those who will be responsible for the ongoing operation. “If the technology interconnects with traditional payment systems, it would seem likely that management for back-office and IT operations should be involved,” says Ms Trkla.

“If the technology use implicates compliance functions, then compliance management should also be involved,” says Patrick Daugherty, a partner at Foley & Lardner LLP. “The enterprise’s governing board also has a critical oversight role. In the US, for example, the Delaware Supreme Court held in Marchand v. Barnhill that ‘directors must make a good faith effort to implement an oversight system and then monitor it’ themselves. Employee-level risk management alone is not legally sufficient.”

Future of blockchain risk management

Blockchain remains a great unknown. It can be difficult to cut through the hype and get to the real potential of the technology; however, the exploitation of blockchain technology can yield significant benefits. Applying blockchain technology to risk management may reduce or even eliminate risk in some cases.

Regardless of how it evolves in the coming years, blockchain is sure to attract regulatory attention.

To date, regulatory oversight has been focused on the financial services offerings starting to use the technology, as well as privacy. The low-hanging fruit will be supply chain consortia and internal blockchain usage for record-keeping in the short term, which is unlikely to be greatly impacted by regulation.

“We cannot generalise on how oversight will develop, however, because that will vary by regulator and how its regulatory mission is defined,” explains Ms Trkla. “In the US, the Securities and Exchange Commission (SEC) and Commodity Futures Trading Commission (CFTC) are focused on traditional areas of regulatory concern, such as customer or investor protection, market integrity, cyber security and so on, with particular attention to issues of securing custody of customer assets.”

Going forward, regulatory oversight is likely to remain industry-specific rather than directly applicable to blockchain technology. “While there are rare occasions in which a technology is regulated directly, such as restrictions around the export of encryption, it is unlikely that blockchain will receive similar treatment because its use cases are inherently dependent on network effects and intended for large-scale or public distribution,” says Ms Gaul. “As a result, companies should consider how existing regulatory structures are likely to apply to blockchain-enabled applications. Moreover, companies should aggressively explore opportunities for industry self-regulation as a means of nudging the compliance conversation in an innovation-friendly and technologically achievable direction.”

Blockchain and distributed ledger technology (DLT) present the greatest opportunity for automated collaborative sharing, particularly around data and transactions. It is an emerging and exciting technology which will revolutionise organisations in the financial services sector and beyond. Though it is no ‘silver bullet’, it has the potential to address many of the risks companies face today by improving efficiencies and creating unalterable audit trails of transactions. “The audit and record-keeping and provenance protection from a properly designed DLT system promises huge returns,” says Mr Bacina.


“Traditional risk management remains relevant, and when wedded to a sound understanding of this disruptive technology, should assist senior leaders in keeping ahead.”

However, blockchain’s greatest uses, like the threats it may be used to counter, may not have yet emerged. In the short-term, there will be challenges surrounding perception. The associations of blockchain and Bitcoin being used in illicit activity on the ‘dark web’, for example, means that many, including those within the risk management function, consider it a useful vehicle for money laundering or criminal activity. “This is the opposite of how a proper blockchain can be used to reduce fraud risk and prevent interference in the record kept on chain,” says Mr Bacina. “A well designed blockchain system build or deployment should closely involve the risk functions within an organisation, as the very nature of blockchain does raise new risks and heighten existing ones.”

For blockchain evangelists, the technology represents the future of many different sectors and business disciplines. And these claims may not be unfounded. Arguably it could enable companies to operate more quickly, securely and at a lower cost.

It may also form one of the key building blocks on which companies develop their future cyber security defences. Yet it may be some time before blockchain reaches its full potential as legal and performance challenges, as well as data privacy concerns, must first be overcome. It is imperative, therefore, for all organisations to continue to monitor the development of blockchain and its application to various use cases. Though it is still relatively untested, blockchain may ultimately change the way companies think about risk management.

EXPERT FORUM

BUILDING A GLOBAL COMPLIANCE & ETHICS PROGRAMME: RISK ASSESSMENT AND MONITORING

Tapan Debnath is a specialist corporate investigation and compliance practitioner with over 15 years post qualification. He serves Nokia as head of investigations for EMEA, managing some of the company’s most sensitive and high-profile matters. He is also compliance lead for a business group and is acting trade compliance counsel. Prior to Nokia, he spent five years at the UK Serious Fraud Office (SFO) investigating and prosecuting serious cases of bribery & corruption, fraud and money laundering. During this time, he was involved in developing the rules governing deferred prosecution agreements (DPAs).

Tapan Debnath Senior Legal Counsel Nokia Corporation T: +44 (0)7342 089 528 E: tapan.debnath@nokia.com MODERATOR

Andrew Durant is a senior managing director in the forensic &

litigation consulting segment at FTI Consulting and is based in London.

He has worked in the forensic accounting sector for over 25 years and has experience across a number of industries investigating a range of issues, including financial statement fraud, stock and other asset losses, theft of confidential data, procurement and sales fraud, corruption and bribery, and investment fraud, due diligence and asset tracing assignments.

Wayne Anthony is a managing director in the forensic & litigation consulting segment at FTI Consulting and is based in London. He has more than 20 years of experience working in the forensic accounting field undertaking investigations, compliance reviews, financial crime investigations, asset tracing projects, litigation and dispute advisory work. His forensic accounting experience spans a wide range of industries including energy, financial services, manufacturing, pharmaceutical, publishing, engineering and charities.

Sam Eastwood is a partner in Mayer Brown’s litigation practice in London and a member of the firm’s white-collar defence and compliance practice which represents corporations, boards of directors, board committees, executives and public officials in criminal, civil and regulatory enforcement proceedings around the world. He advises on ethics, anti-corruption and human rights issues in connection with companies’ internal compliance policies and procedures and international business transactions. He also has significant experience in cross-border corporate investigations involving complex financial and accounting issues and anti-corruption matters throughout Africa, Asia, Europe (particularly the Nordic region), Middle East and South America.

Andrew Durant Senior Managing Director FTI Consulting

T: +44 (0)20 3727 1144

E: andrew.durant@fticonsulting.com

Wayne Anthony Managing Director FTI Consulting T: +44 (0)20 3727 1613

E: wayne.anthony@fticonsulting.com

Sam Eastwood Partner Mayer Brown T: +44 (0)20 3130 3087

E: seastwood@mayerbrown.com PANEL EXPERTS


Debnath: What are the key features of an effective company-wide compliance risk assessment programme?

Durant: The key features of an effective compliance risk programme can be classified into three main areas. First, preventing breaches by having clearly written policies and procedures, along with a strong code of conduct supported by top management, an experienced dedicated compliance officer and organisation-wide training and education adapted for local laws and regulations. The second area is detection. An effective compliance programme should have reporting hotlines readily available to all staff as well as undertaking regular monitoring and auditing of the organisation in order to detect any potential breaches or areas of high risk which need to have enhanced monitoring or updated policies and procedures. The final element is corrective action. Organisations need to ensure that if a breach has been identified they take swift and decisive action to investigate, remediate and where necessary take disciplinary action.

Eastwood: An effective compliance risk assessment requires cross-functional input beyond the compliance function and should do the following.

First, identify risks resulting from violations of law, regulations, codes of conduct and other standards of practice which the company might reasonably anticipate. Second, analyse, assess and prioritise these risks. Third, evaluate the suitability and effectiveness of the company’s existing controls to mitigate the identified risks. Fourth, document proposed enhancements to the company’s systems and controls. Fifth, inform the extent of resources required to manage risk and the allocation of risk-related responsibilities within the company. Sixth, be approved by senior management and the board – and thereafter operate as an important management tool with regular reports on risk mitigation plans, with processes and deliverables integrated into the business calendar throughout the year. Seventh, serve as the foundation of the company’s compliance programme. Eighth, be informed on an ongoing basis by the results of the company’s monitoring and enforcement activity. Finally, be kept under regular review so that changes and new information can be properly assessed and reviewed on at least an annual basis.

Debnath: How does a compliance risk assessment differ from an internal audit assessment and an enterprise risk assessment? What are the interrelationships?

Eastwood: There is no one-size-fits-all approach to the allocation of risk assessment within a company. Ultimately, all relevant risk areas should be properly considered and assessed by appropriately qualified individuals – whether such assessments are conducted by the compliance, legal, ethics, tax or human resources function is less important.

The key takeaway for companies is to ensure that the responsibility for risk assessment in different risk areas is clearly documented and that each respective control function is held accountable. Senior management oversight can support in this regard. A company’s compliance risk assessment, internal audit assessment and enterprise risk assessment are distinct but interrelated, interdependent and complementary. They should not be conducted in isolation of each other.

All three assessment processes will necessarily address compliance risk. The enterprise risk assessment will focus on those compliance risks that significantly impact the company’s ability to achieve its strategic objectives. The internal audit risk assessment is primarily focused on financial statement and internal control risk but will also address compliance risks that might materially impact the company’s performance or financial statements. The compliance risk assessment will be focused entirely on compliance risk. It is important that a company’s compliance risk assessment is undertaken with the benefit of relevant input from other risk assessment processes, rather than being a siloed exercise. This will ensure that the compliance-specific assessment is fully informed of developments in the company’s footprint and broader strategic objectives and that it can address any relevant outcomes from internal audit reviews.

Anthony: Most organisations will have an internal audit function carrying out audit risk assessments, which traditionally focus on financial statement risks and other operational risks, and enterprise risk assessments, which look at the risks impacting on the organisation’s ability to achieve its strategic objectives. Albeit both assessments are designed to identify significant compliance-related risks, neither is specifically focused on legal or regulatory compliance risks. Although there are differences between these three risk assessments, all of which are typically owned by different functions in the organisation, there is clearly an interrelationship between them, with the objective of all three being to identify and prioritise the risks the organisation faces and then assign accountability to manage and mitigate these risks.

Debnath: How should a compliance function go about identifying the top risks of the organisation?

Durant: For an organisation to determine its top compliance risks, it needs to undertake a process of identifying, collecting, measuring and assessing the full range of risks the organisation is exposed to. The process should use a combination of a framework setting out the organisation’s compliance risk landscape, separating it into risk segments such as fraud and corruption, relationship with government officials or regulatory reporting, and a methodology for objectively and subjectively assessing these risks.

By undertaking this process, an organisation will be able to prioritise its risks, map them to specific individuals to be accountable and allocate sufficient resources to mitigate each risk.

Eastwood: The company will have existing material – even if not a previous compliance risk assessment – which can provide an important starting point for identifying top compliance risks.

This material will include enterprise risk assessments, internal audit risk assessments, internal audits, quality reviews, whistleblowing reports and investigation reports. External counsel can also assist with relevant industry benchmarking and prioritisation advice from their deep knowledge and experience of interacting with a variety of clients and regulators. Desktop research can also be informative.

For example, there is plenty of publicly available guidance on the risk assessment process and competitor research can help to identify key industry risks. In addition, country profiles by institutions like the World Bank, lessons from industry scandals and reported enforcement action can be very informative.

This data collection and research should then be supplemented by a combination of interviews, surveys and workshops involving a range of functions – legal, risk management, compliance, internal audit, procurement, finance and sales – as well as senior management at country, regional and local level.

Debnath: What are the legal or governance obstacles to collecting the input data? For example, for an employee survey, do local data privacy laws need to be reviewed, and workers council approvals obtained?

Eastwood: Companies are increasingly sensitive to the legal implications of collecting and processing employee data. Since the implementation of the General Data Protection Regulation (GDPR) in Europe on 25 May 2018, there has been an increased focus on data privacy considerations across organisations globally, particularly where they hold data for European data subjects. Data privacy legislation has strengthened outside Europe as well. Accordingly, companies must take appropriate steps to ensure that all data held on company systems is collected, processed and stored in compliance with applicable data privacy laws. Where a company lacks the in-house expertise to make an assessment on data privacy risks, external specialist advice should be sought – the cost of getting it wrong, for example up to €20m or 4 percent of global turnover, whichever is higher, under the GDPR – is likely to outweigh the risk of not appropriately mitigating the risk from the outset. The particularities of local employment legislation can be an important consideration. It may be that employee surveys require the participation and approval of local workers councils, depending on how they are devised. Finally, the risk assessment process will inevitably consider, and possibly reveal, matters of some sensitivity. Companies should consider the extent to which they can and should avail themselves of the protection of legal privilege when embarking on such an exercise, and regard should be had to the manner in which risks, and underlying data, are recorded and communicated.

Debnath: Should company-wide risk assessments across business segments and geographies be uniform, or should the approach be targeted and risk-specific?


Eastwood: The nature and scope of a company-wide risk assessment will depend in large part on the nature of the business itself, including the countries it operates in, the products it manufactures or the services it provides, the nature of the company’s supply chain and the company’s routes to market.

Risk assessments should consider and assess all identified risks across all relevant business segments and geographies. However, the approach to managing those risks may vary depending on the risk assessment itself. Once risk items have been identified, the company should determine how it will allocate its resource and efforts in mitigating those risks depending on the output of its risk assessment. For large companies with varying risk profiles to consider over multiple business segments and locations, it is often simplest to adopt a broadly consistent baseline methodology for the process of identifying, analysing and addressing risks company-wide, while still allowing scope for a fit-for-purpose approach to particular business needs as required. Adopting such a consistent baseline will ensure that the company’s overarching approach to managing risk can be maintained and understood as the business develops in new directions and as employees turn over.

Anthony: Compliance risks facing a global organisation are typically very complex and involve multijurisdictional laws and regulations, each having its own risk. Some compliance risks transcend business segments or geographies, for example conflicts of interest, harassment, document management and retention. However, there are many compliance risks that are specific to an industry or business segment within a global organisation.

For example, a global pharmaceutical company may manufacture in one country and distribute across many others. As a manufacturer, compliance risks such as health and safety, quality control and so on will be paramount. For the distribution entity, a key risk will be around how the sales representatives interact with government officials. Therefore, for global organisations, it is essential that their risk assessment is targeted and risk specific to the business segment or geography, but also robust, comprehensive and customisable for the different parts of the organisation.

Debnath: How can a compliance risk assessment support the effective allocation of resources to mitigate and manage risk?

Durant: An effective compliance risk assessment should be based on a comprehensive framework supported by an objective methodology to assess the likelihood and potential impact of each risk. This will help an organisation identify the full spectrum of the risk an organisation is exposed to. This approach will also identify the top risk priorities the organisation faces. Once identified, the organisation will be able to identify an appropriate risk owner and, more importantly, identify the resources required to mitigate and manage that risk. It is important that organisations regularly review their position and ensure that the allocated risk owners are suitably senior and experienced, have the required skill set and are flexible enough to be deployed efficiently to the ever-changing risks of the organisation.

Eastwood: Recommendations arising out of a compliance risk assessment should inter alia appropriately mitigate the identified risks, identify the responsible individuals and functions for such mitigations and set out appropriate deadlines for completing the recommended actions. Most importantly, companies should strike a balance to ensure that the steps they take are proportionate to the corresponding risk. This is because there is no such thing as the perfect programme that is able to scrutinise every single transaction and interaction had on behalf of a company for compliance risk. In this context, the logical and defensible prioritisation of a company’s resources – both employees and technology – is key to meeting regulatory expectations of an effective compliance programme.

For example, Department of Justice (DOJ) guidance provides for potential credit where a company “fails to prevent an infraction in a low-risk area”, if evidence is provided that an otherwise effective risk-based programme is in place, while warning against allocating a disproportionate amount of time to low-risk areas, such as modest and routine hospitality, over higher risk priorities like payments to third-party consultants, suspicious trading activity or overly generous discounting practices. It is essential that key stakeholders, including senior management, and advisers are engaged with this process so that appropriate resources are allocated in order to remediate any issues accordingly.

Debnath: How would you convey to a business the benefits, financial or otherwise, of the company investing in an effective risk assessment programme?

Eastwood: It can be helpful to reflect on the impact of both external and internal stakeholders.

Externally, an effective risk assessment on which robust and effective policies and procedures are based gives confidence to inter alia investors, shareholders, lenders, insurers, suppliers and customers that the company takes its legal and compliance obligations seriously. For a public company, this could result in enhanced share price and shareholder value. For a private company, this could be attractive to existing and potential investors.

Internally, consider what kind of a culture senior management wants to engender within the company.

High quality risk assessment forms the foundation of good compliance programmes, which, in turn, shapes the culture of a company. This can manifest itself in a more open work environment, higher morale among employees and more confidence among employees to speak up where issues arise. In any event, if a company can demonstrate and communicate the hallmarks of a good compliance programme, this can have a positive reputational benefit to the company, both externally and internally. In addition, emerging legislation, with a particular focus on expanding corporate criminal liability, and increased enforcement activity – particularly outside the US – are important factors. A risk assessment programme is a key foundation stone for a company’s compliance programme. An effective compliance programme can reduce the incidence of misconduct within a company and can significantly mitigate the impact of any misconduct. The costs of getting compliance wrong can of course be prohibitive – in terms of fines, lost business, debarment, litigation and then related remediation costs, in addition to reputational harm. The impact on individuals can also be very significant – fines, prison sentences and termination of employment.

Anthony: An effective compliance risk assessment supports the organisation in ensuring it operates in accordance with applicable laws and regulations wherever the organisation operates. From a purely financial perspective, any breach of law or regulation is likely to result in an investigation of the organisation both internally and by regulators. Any compliance investigation is likely to be costly, with the need for external professional advisers’ support, as well as disruptive to the organisation. Any fines imposed by a regulator may also be costly – there may also be follow-on class actions. In some cases, the organisation may be banned from undertaking key activities. At worst, this could result in the collapse of the company, which will clearly impact all stakeholders, including staff. In addition, there are many other benefits, both financial and non-financial, to having an effective compliance risk assessment programme. For example, it often helps to create a ‘best practice’ culture of honesty and integrity which assists the organisation in meeting high ethical and professional standards to prevent frauds. This will mean that compliance issues are detected at an earlier stage and the organisation will be better positioned to take prompt corrective actions. Forewarned is forearmed.

Debnath: How can technology help compliance conduct effective compliance risk assessments in high risk areas, such as third-party sales partners and dealing with government officials?

Durant: Technology has a key role to play in assisting an organisation in managing its third-party sales partners and dealing with government officials throughout the whole life cycle of the partnership – from contract negotiation and execution to contract completion. However, technology’s greatest assistance is in the area of continuous monitoring and analysis of third parties and government officials throughout the life of the relationship, helping to ensure the partnership remains strong and any potential exposure to a questionable partner is detected quickly for the organisation to take corrective action. For example, technology can be used to continuously monitor media, including social media, alerting the organisation immediately to any negative publicity about its third-party sales partners or government officials it has relationships with. For large global organisations that have thousands of sales partners, technology can be used to screen large volumes of data as part of the due diligence process and can automate the annual certification of good standing process.


Eastwood: Companies are increasingly turning to artificial intelligence and automated solutions to support the day-to-day operationalisation of compliance processes, where appropriate. These solutions can enable companies to better analyse large data sets and to more efficiently identify higher risk areas, which can facilitate a company’s risk management processes on a macro level. Automation helps to integrate and embed policies and procedures in a company and to improve the control environment accordingly. In the long run, automation can also help drive consistency of the application of compliance culture across a company.

A more immediately apparent benefit of the increased use of technology in compliance risk assessments is that it can free up time for expert compliance personnel to conduct face-to-face meetings with third-party sales partners and training for higher risk groups internally.

The use of automated solutions is often adopted as part of a company’s third-party management programme to support a risk-based due diligence approach. The improvements in technology will also greatly assist internal compliance personnel’s ability to effectively monitor and audit higher risk third-party relationships as part of the ongoing risk assessment process. External vendors can help a company to identify risks around third parties, such as agents and intermediaries, based on a search of online databases that indicate red flags including hits against sanctions lists, connections with politically exposed persons and news articles suggesting improper conduct on the part of that third party.

Debnath: What is the most effective way of reporting compliance risk to a company’s board, audit or risk committee?

Eastwood: The reporting of management information around compliance is a key component of ensuring that senior management have appropriate oversight of a company’s compliance risk. The DOJ guidance indicates that senior management should establish “an information and reporting system in the organization reasonably designed to provide management and directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law”. The message from regulators on ‘tone at the top’ expectations is clear that in order to be truly engaged, senior leaders must be appropriately knowledgeable and informed on a company’s evolving compliance risk profile. How such management information is delivered can vary from written board reports, to presentations to the audit committee, to discussions in board meetings. The key point is that senior management receives the information it requires in order to make a proper, informed assessment on the company’s compliance with the law. The types of metrics that a company might consider reporting during a specific period include the number of new or ongoing compliance investigations, the number of whistleblowing reports, the number of investigations that have been closed, the outcome and remediation steps in respect of closed investigations, details of lessons learned, identifying the root causes of potential misconduct, identifying and executing remediation steps to address the root causes, and the timeline and monitoring of such remediation steps. More robust analysis might consider trends of these and similar metrics over a longer period of time or across business units to provide senior management with a more in-depth understanding as to where within their company the risks lie.

Anthony: Operating in today’s global business world is complex and fraught with risks and it is the responsibility of senior management to ensure these risks are mitigated. To do this, they need to have accurate, complete and timely data on the compliance risks they face, without being overloaded with information. It is therefore crucial that information to the board, audit or risk committee is communicated effectively. One of the best ways to report the key risks is via a heat map or a risk dashboard which shows the probability of a risk occurring and the potential impact on the organisation. Heat maps are a powerful way of depicting risks: they are visual, suitably concise and use colour and scaling, enabling senior management to more easily identify and focus on the risks that are most likely to occur and have the highest potential impact. RC&

TRYING TO FIT THE PIECES?

Employee Background Checks have become a matter of necessity. Creating compliant data and background screening processes is a complex and evolving challenge for all organisations.

Busy HR professionals deserve to have peace of mind that their candidates and employees are exactly who they seem. The only way to ensure the safety and ‘quality’ of your staff is to guarantee your screening programs are right for your organisation and your candidates.

With EmploySmart™, you can enjoy cost-effective employee vetting and hiring solutions that take the risk and hassle out of human resource management. Outsource your employee background checks to an experienced provider and you will only ever have to look forward, never back.

EmploySmart: Detailed. Diligent. Discreet.

info@crigroup.com | +44 207 868 1415 | +1 312 674 4670

PERSPECTIVES

LOCALISATION OF COMPLIANCE PROCESSES

BY GERRY ZACK

SOCIETY OF CORPORATE COMPLIANCE AND ETHICS (SCCE)

On one hand, the compliance function is vastly different from any other in an organisation. It is a complicated function, highly dependent on others within the organisation for success, and it addresses a wide variety of highly specialised issues. On the other hand, it shares many of the same issues of any department with complex processes that extend deep into the organisation.

Among these shared issues is the balance between centralisation and localisation of key processes.

The decision regarding what to keep consistent throughout and what to customise for specific offices or regions is an important one with many ramifications. Done well, a compliance programme is very effective and efficient. Done poorly, disaster can result. Generally, there are two primary reasons for localising compliance processes: legal requirements and efficiencies.

The first is the most obvious and must always be considered, particularly by multinational organisations. To the extent a process is allowed in the country in which a company is headquartered, but illegal in other countries in which it has operations, localisation is critical. Policies and processes must have at least this amount of flexibility.

This then leads to the second reason – whether localising certain compliance processes makes a compliance programme more efficient and effective. This is a far more complicated decision.


The ‘what’ and the ‘how’

In making this decision, it is important to distinguish the ‘what’ from the ‘how’. The ‘what’ refers to the underlying principle or concept, often expressed in the form of a policy. Compliance concepts should not vary from one site or region to another. Consistency here is important.

The ‘how’ refers to how these principles or policies are carried out. And this is where there may be some flexibility, and even some benefits, for localisation.

Let us start with perhaps an obvious reason for localisation. When the number of people involved in a local process, or the skills of the people involved, differ significantly from what was envisioned at the headquarters office, localisation becomes important. Take the simple example of the concept of separation of duties as an internal control over compliance. The number of employees involved in that process in one office may enable much more extensive separation of duties than is possible in a smaller office with fewer people.

For example, the procurement function at an organisation’s headquarters may involve 10 distinct steps. However, there are so many employees at the central office that these 10 steps are allocated among six different employees, so that no one employee controls too much of the process. But at one local office, there are only two people to carry out those same 10 steps. The risk of inappropriate activity not being prevented is significantly greater in the local office. The same processes simply cannot apply. To counter this risk, the local office needs to employ after-the-fact detective controls to counter a weakness that does not exist in the central office.

Processes support policies

The ‘what’ and the ‘how’ are also synonymous with policies and procedures, or processes.

Processes support, and should never conflict with,
