How to Adopt A Risk-Based Approach to Regulatory Compliance

Carrie Penman, Chief Risk and Compliance Officer | NAVEX Global
Vera Cherepanova, Ethics Advocate, Consultant, Author | Studio Etica
Scott Moritz, Senior Managing Director | FTI Consulting
Matt Kelly, Editor and CEO | Radical Compliance



Copyright NAVEX Global, Inc. All Rights Reserved. | Page 2

Agenda

• Introductions

• Understanding a Risk-Based Approach

• Conducting a Risk Assessment

• Putting Your Risk-Based Approach to Work

• Review Lessons Learned

• Questions for Discussion


Today’s Panel

Matt Kelly, Editor and CEO, Radical Compliance

Vera Cherepanova, Ethics Advocate, Consultant, Author, Studio Etica

Scott Moritz, Senior Managing Director, FTI Consulting

Carrie Penman, Chief Risk and Compliance Officer, NAVEX Global

MODERATOR


Understanding a Risk-Based Approach

• What does “risk-based approach” mean?

• What must the CCO know?

• What are the risks of ignoring this concept?


What Justice Department Guidance Says

U.S. Justice Department guidance defines a risk-based compliance program as one that “devotes appropriate attention and resources to high-risk transactions.” Risk-based questions in the guidance include:

• Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas?

• Does the company give greater scrutiny to high-risk transactions?

• Do the company’s policies and procedures address risks identified through its risk assessment process?

• What analysis does the company undertake to determine who should be trained and on what subjects?

• Does the company provide tailored training for high-risk and control employees?

• Does the company’s third-party management process correspond to the nature and level of the enterprise risk identified by the company?


Key Takeaways: Information and Best Practices

Chief Compliance Officer Should Be Informed About:

• Business operations

• History

• Regulatory obligations

• Policies, internal controls

DOJ Recommended Practices Include:

• Conduct a risk assessment.

• Monitor for questionable payments to third-party consultants, suspicious trading activity, and excessive discounts to resellers and distributors.

• Prioritize scrutiny of high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) over modest and routine hospitality and entertainment expenses.

• Provide tailored training for high-risk and control employees, as well as supplementary training for supervisory employees.

• Integrate risk-based third-party management into relevant procurement and vendor management processes.


Conducting a Risk Assessment

• When should risk assessments be done?

• What tools or processes do you need?

• What does the assessment tell you?

• How does it inform what comes next?

• Tools and processes:

  • Risk libraries

  • Potential scenarios

  • Regulatory guidelines


Key Takeaways

• Remember, when conducting an assessment:

  • Take your time

  • Make sure it is meaningful and qualitative

  • Identify and mitigate stakeholder risks

  • Speak to the risks specific to your organization

• Assessments should occur:

  • At fixed, regular intervals; and

  • After “significant changes” such as COVID-19, mergers, new business models, etc.


Putting a Risk-Based Approach to Work

• How do you go from a risk assessment to a mitigation plan?

• How do you use your risk assessment to talk about risks with the board?

• How do you use this to talk with internal and external parties?


Key Takeaways

• Risk assessments are opportunities to raise awareness and engage in a dialogue about risk across the organization.

• Documentation is critical. Make sure to connect assessment results to subsequent program changes.

• Categorize your risks. If they begin to cluster around a given area, then that begins to “paint a picture.”

• Chart your risks along the axes of likelihood and impact. COVID is an example of a low-likelihood, high-impact event.

• Talk about a risk-based approach with other stakeholders, including:

  • Board of Directors

  • Regulators

  • Business Operations Leaders


Lessons Learned

• Define what a “risk-based” approach to compliance means in practice

• Conduct effective risk assessments to inform your program

• Use a risk-based approach to develop remediation plans and strategies

• Use results for better conversations with your board, colleagues and partners


Questions for Discussion


Thank You!