How to Adopt A Risk-Based Approach to Regulatory Compliance
Carrie Penman, Chief Risk and Compliance Officer | NAVEX Global
Vera Cherepanova, Ethics Advocate, Consultant, Author | Studio Etica
Scott Moritz, Senior Managing Director | FTI Consulting
Matt Kelly, Editor and CEO | Radical Compliance
Copyright NAVEX Global, Inc. All Rights Reserved. | Page 2
Agenda
• Introductions
• Understanding a Risk-Based Approach
• Conducting a Risk Assessment
• Putting Your Risk-Based Approach to Work
• Review Lessons Learned
• Questions for Discussion
Today’s Panel
Matt Kelly, Editor and CEO, Radical Compliance (Moderator)
Vera Cherepanova, Ethics Advocate, Consultant, Author, Studio Etica
Scott Moritz, Senior Managing Director, FTI Consulting
Carrie Penman, Chief Risk and Compliance Officer, NAVEX Global
Understanding a Risk-Based Approach
• What does “risk-based approach” mean?
• What must the CCO know?
• What are the risks of ignoring this concept?
What Justice Department Guidance Says
U.S. Justice Department guidance defines a risk-based compliance program as one that “devotes appropriate attention and resources to high-risk transactions.” Risk-based questions in the guidance include:
• Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas?
• Does the company give greater scrutiny to high-risk transactions?
• Do the company’s policies and procedures address risks identified through its risk assessment process?
• What analysis does the company undertake to determine who should be trained and on what subjects?
• Does the company provide tailored training for high-risk and control employees?
• Does the company’s third-party management process correspond to the nature and level of the enterprise risk identified by the company?
Key Takeaways: Information and Best Practices
Chief Compliance Officer Should Be Informed About:
• Business operations
• History
• Regulatory obligations
• Policies, internal controls
DOJ Recommended Practices Include:
• Conduct a risk assessment.
• Monitor for questionable payments to third-party consultants, suspicious trading activity, and excessive discounts to resellers and distributors.
• Prioritize scrutiny of high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) over modest and routine hospitality and entertainment expenses.
• Provide tailored training for high-risk and control employees, as well as supplementary training for supervisory employees.
• Integrate risk-based third-party management into relevant procurement and vendor management processes.
Conducting a Risk Assessment
• When should risk assessments be done?
• What tools or processes do you need?
• What does the assessment tell you?
• How does it inform what comes next?
• Tools and processes:
  • Risk libraries
  • Potential scenarios
  • Regulatory guidelines
Key Takeaways
• Remember, when conducting an assessment:
  • Take your time
  • Make sure it is meaningful and qualitative
  • Identify and mitigate stakeholder risks
  • Speak to the risks specific to your organization
• Assessments should occur:
  • At fixed, regular intervals; and
  • After “significant changes” such as COVID-19, mergers, new business models, etc.
Putting a Risk-Based Approach to Work
• How do you go from a risk assessment to a mitigation plan?
• How do you use your risk assessment to talk about risks with the board?
• How do you use this to talk with internal and external parties?
Key Takeaways
• Risk assessments are opportunities to raise awareness and engage in a dialogue about risk across the organization.
• Documentation is critical. Make sure to connect assessment results to subsequent program changes.
• Categorize your risks. If they begin to cluster around a given area, then that begins to “paint a picture.”
• Chart your risks along the axes of likelihood and impact. COVID is an example of a low-likelihood, high-impact event.
• Talk about a risk-based approach with other stakeholders, including:
  • Board of Directors
  • Regulators
  • Business Operations Leaders
Lessons Learned
• Define what a “risk-based” approach to compliance means in practice
• Conduct effective risk assessments to inform your program
• Use a risk-based approach to develop remediation plans and strategies
• Use results for better conversations with your board, colleagues and partners
Questions for Discussion
Thank You!