xavGE
xavGE
xavGE
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Managing risk<br />
compliance programs when making<br />
charging decisions and assessing<br />
penalties.<br />
• It establishes behavioral and<br />
professional expectations for<br />
employees, allowing the company to set<br />
standards in advance and facilitating<br />
termination of employees for<br />
misconduct when rules are not followed.<br />
Assuming a corporate ethics<br />
and compliance program exists,<br />
an organization must still perform<br />
incremental compliance activities, as risks<br />
can and do change over time. Engaging in<br />
an ethics and compliance risk assessment<br />
is one way a company is able to analyze<br />
the effect that ever-changing risks have on<br />
the organization, prioritize these risks and<br />
develop options and actions to reduce the<br />
threat they pose.<br />
Organizations often confuse an<br />
ethics and compliance risk assessment<br />
with a general corporate-wide risk<br />
assessment and are uncertain as to the<br />
scope, frequency and structure of such<br />
an assessment. As an increasing number<br />
of organizations have begun to institute<br />
ethics and compliance risk assessments,<br />
leading practices have started to emerge.<br />
They are as follows:<br />
• Examine all major areas of<br />
misconduct—A common mistake<br />
organizations make when conducting<br />
an ethics and compliance risk<br />
assessment is to limit the potential<br />
risk universe to a preconceived list<br />
of likely high-impact risks. Rather,<br />
a proper ethics and compliance<br />
risk assessment encompasses all<br />
potential risks, including both those<br />
that are systemic to the average<br />
organization and those that are unique<br />
to the industry in which the specific<br />
organization operates.<br />
• Examine risk contextually—To be<br />
effective, the ethics and compliance<br />
risk assessment must take into account<br />
the ability of the organization to plan<br />
for, prevent or mitigate each risk area.<br />
This focus entails examining the<br />
controls, processes and procedures<br />
designed to prevent compliance<br />
failures, as well as assessing the<br />
effectiveness of the individuals in<br />
positions of substantial authority<br />
in recognizing and preventing a<br />
compliance breakdown.<br />
• Address current and potential risks—<br />
An effective ethics and compliance<br />
risk assessment should take into<br />
consideration risks that presently exist,<br />
as well as those activities that are<br />
currently legal but could reasonably be<br />
called into question in the future.<br />
• Review internal and external<br />
information—Ethics and compliance<br />
risk assessments should include an<br />
examination of internal corporate<br />
documents, as well as industry<br />
information and historical incidence<br />
reports. To be adequately predictive,<br />
the ethics and compliance risk<br />
assessment should include not only<br />
compliance breakdowns and failures<br />
but also near-misses.<br />
• Include participants from all levels of<br />
the organization—When collecting and<br />
assessing potential risk areas, ethics<br />
and compliance risk assessments<br />
should involve personnel across<br />
various disciplines and seniority levels.<br />
This can be accomplished through<br />
workshops, focus groups, surveys and<br />
interviews.<br />
• Consider impact and likelihood of<br />
occurrence—Ethics and compliance<br />
risk assessments should weigh risk<br />
areas to account for impact and<br />
likelihood of occurrence. By assigning<br />
quantifiable weights or ratings to each<br />
relevant risk area, organizations will be<br />
able to rank them appropriately.<br />
• Document the outcome—The outcome<br />
of the ethics and compliance risk<br />
assessment should be documented<br />
in a defensible action plan. This plan<br />
should include not only a description<br />
of the process that was followed but<br />
also the actions that were taken to<br />
design, implement or modify the<br />
compliance program.<br />
• Be defensively objective—The ethics<br />
and compliance risk assessment<br />
process should fairly assess the full<br />
universe of the organization’s potential<br />
risks, including existing acceptable<br />
industry practices. Resist the<br />
temptation to ignore or deemphasize<br />
risks because they could be costly to<br />
address from a financial or internal<br />
political perspective.<br />
• Quantify each risk area—The ethics<br />
and compliance risk assessment<br />
process should allow for quantification<br />
of each risk area. An assessment that<br />
goes beyond “likelihood” and “impact”<br />
can be more useful in prioritizing<br />
compliance budget spending and<br />
activities, as well as in justifying<br />
any incremental controls, policies,<br />
processes or spending that must<br />
be implemented. Furthermore, if<br />
executed correctly, such quantification<br />
can be used to measure program<br />
effectiveness, a U.S. Federal<br />
Sentencing Guidelines criterion of<br />
an effective ethics and compliance<br />
program.<br />
• Conduct ethics and compliance<br />
risk assessments periodically—The<br />
frequency with which an organization<br />
chooses to conduct ethics and<br />
compliance risk assessments and<br />
schedule follow-up risk reviews<br />
may depend on the nature of the<br />
organization’s industry. However,<br />
if the methodology and process is<br />
adequately defined, it can reasonably<br />
be conducted on an annual basis,<br />
and year-over-year results can<br />
be appropriately compared. Since<br />
operating environments, regulations<br />
and government enforcement priorities<br />
routinely change, it is inadvisable to<br />
conduct ethics and compliance risk<br />
assessments on a less frequent basis<br />
than every two years.<br />
• Measure employee knowledge—The<br />
ethics and compliance risk assessment<br />
should include a measurement of<br />
employee knowledge, as well as<br />
awareness of the compliance program<br />
and supporting controls. Doing so<br />
can help pinpoint where training and<br />
communications programs need to be<br />
improved.<br />
• Benchmark—When possible, the ethics<br />
and compliance risk assessment should<br />
benchmark against peer organizations.<br />
In addition to industry peers, consider<br />
those organizations that are peers in<br />
terms of size and geographic scope.<br />
This is particularly important as it<br />
ensures that the organization meets<br />
NYSE IPO Guide<br />
95