

Understanding & Optimizing Legal & Regulatory Risk Management

SCCE Conference - September 11, 2007

www.compliance360.com

Agenda

• Credits
• Overview of ERM
• Legal and Regulatory
• Definition
• Issues
• Solution Examples
• Best Practices
• Recommendations


Credits

• Mark S. Beasley, PhD, CPA
  Director, Enterprise Risk Management Initiative
  Board Member, Committee of Sponsoring Organizations of the Treadway Commission (COSO)

• Dana R. Hermanson, Ph.D.
  Dinos Eminent Scholar Chair of Private Enterprise
  Professor of Accounting at Kennesaw State University

• Customers


ERM – an overview of the basics

By definition:

o ERM is a process,
o effected by an entity’s board of directors, management, and other personnel,
o applied in strategy setting and across the enterprise,
o designed to identify potential events that may affect the entity,
o manage risks to be within its risk appetite,
o to provide reasonable assurance regarding the achievement of entity objectives.

Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see www.coso.org)


ERM Directly Links to Corporate Governance

[Diagram: Enterprise Risk Management sits at the center of governance over two aspects of the entity: 1) Leadership in Strategic Performance and 2) Objective Oversight of Management. Parties shown around it: Board of Directors, Audit Committee, Management, Internal Auditors, External Auditors, Regulators, Congress, Legal System.]


Traditional Risk Management Approach

[Diagram: “Silo” or “Stove-Pipe” Risk Management, with each risk category managed separately: Legal/Reg. Risks, Operations Risks, Finance Risks, IT Risks, Strategic/Market Risks, Geo-Political Risks, Weather/Environment Risks.]


ERM Brings Risks Together

[Diagram: Enterprise Focus on Risks. The same categories (Legal/Reg. Risks, Operations Risks, Finance Risks, IT Risks, Strategic/Market Risks, Geo-Political Risks, Weather/Environment Risks) feed one enterprise-wide view centered on Valuation Creation and Preservation.]


What is Legal and Regulatory Risk?

Definition: Risks associated with the uncertainty of violating laws or regulations.

NEGATIVE: Risk that the company may INTENTIONALLY or UNINTENTIONALLY violate a law, contract, or regulatory provision and face potential litigation, which could lead to cash loss and could impact the enterprise by triggering other risks such as reputation loss, customer backlash, employee embarrassment, etc.

POSITIVE: The company may be the beneficiary of legal or regulatory risk if another party is the violator (SAY OF A CONTRACT) and the company is able to successfully sue.

THUS, LEGAL/REG RISK COULD BE BOTH POSITIVE AND NEGATIVE (BUT MOSTLY NEGATIVE)


What are major issues from L&R Risk?

• Exposure to fines by regulatory agencies
• Significant workload for legal & regulatory staff
• Blindsided by newly enacted laws and new regulatory trends
• My competitor’s problem could be my problem
• Managing legal & regulatory risk outside the legal & regulatory department
• “HUGE” uncertainty as to what may trigger it (what might be deemed “LEGAL” today might be deemed “ILLEGAL” tomorrow as the culture shifts over time)


Legal & Regulatory Risks Leakage Example

[Diagram: Enterprise Focus on Risks (Legal/Reg., Operations, Finance, IT, Strategic/Market, Geo-Political, Weather/Environment Risks around Valuation Creation and Preservation). A legal/regulatory event leaks into other silos: Privacy laws -> Data Breach -> Brand Erosion.]


Legal & Regulatory Risks Leakage Example

[Diagram: Enterprise Focus on Risks (same categories around Valuation Creation and Preservation). A second leakage chain: Local Ordinances -> Delayed Store Openings -> Municipal Fines -> Brand Erosion.]


Timeline of regulations: Bank AML

• 1970 - Bank Secrecy Act passed.
• 1986 - Money Laundering Control Act enacted.
• 1994 - The Money Laundering Suppression Act.
• 1997 - The Office of the Comptroller of the Currency (OCC) forms the National Anti-Money Laundering Group, expanding the scope of examinations.
• 2000 - The OCC publishes the Bank Secrecy Act/Anti-Money Laundering Comptroller’s Handbook.
• 2003 - USA Patriot Act passed.


Public Comments

“From the government’s perspective, I think we need to be very careful to properly communicate our message when we take enforcement actions. The message is not only to the targeted institution but to the industry as a whole… I think our enforcement actions should be public and these actions should provide a written road map from which other institutions can learn.”

William J. Fox, former FinCEN Director, 2004 ABA Seminar

“Regulators should also start including regular AML assessments in the annual reports, instead of treating AML issues on an ad hoc basis. Those assessments should be made available to the public, so that banks and regulators have an incentive to improve and other banks will know who has poor AML records.”

Senator Carl Levin, July 15, 2004


Recent AML Penalties and fines

• $3 million civil money penalty (CMP) to Banco De Chile in October 2005 for violations of the Bank Secrecy Act (BSA)
• ABN AMRO in New York and Chicago received a cease and desist order and civil penalties in December 2005 due to defects within the bank’s internal controls.
• $2.8 million CMP issued against Oppenheimer Broker-Dealer, located in New York City, in December 2005 due to deficiencies in BSA requirements.
• The Summit National Bank was ordered by the OCC in January 2006 to fix deficiencies within its audit functions of process and documentation.


AML Fine Chart

• It would be really nice to have a chart of the annual fines assessed since enactment.

AML Sample Compliance Process


Legal & Regulatory Risk Major Components

1. Early Warning Systems
2. Risk-based Impact Assessment
3. Change/Project Management
4. Controls Monitoring


1. Early Warning System

Legislative and regulatory notification and awareness:

• notification of newly proposed law
• notification of newly enacted law
• notification of newly proposed regulations
• notification of final regulations
• notification of regulatory enforcement actions
• alerting of news and announcements by political figures, agency heads and other influential public figures


2. Risk-based Impact Assessment

• A knowledge base of all applicable laws and regulations
• The current legal interpretation
• A repository of previous opinions
• The responsible party(s) for implementing changes
• The impact on your Enterprise Risk Management (ERM) framework

Assess company’s impact with a risk-based approach


3. Change/Project Management

Make sure to have an automated, consistent management process for Legal & Regulatory Risk:

1. Legal and/or compliance personnel are alerted to an issue
2. The issue is documented and tracked electronically
3. Management in legal rank-orders the issue by risk classification
4. Legal and compliance agree on the risk and the controls implementation
5. Compliance reviews (tests) the Policies & Procedures and controls for each issue
6. Compliance determines whether the testing of the controls is effective
7. Compliance works with the business owners to educate and manage the compliance process at the business level/unit
8. Results from the controls testing and other processes are reported to the ERM


4. Controls Monitoring

Monitor and test controls on a regular basis

• Independence
• Testing frequency
• Testing failures
• What to do next?
• Document


Process Flow

[Flow diagram: New Issue -> Alert Legal -> Document Issue -> Risk Ranking -> Review Current Policies & Controls (Legal, Compliance) -> Control Testing -> Communicate to Business Owners. A parallel branch routes the issue to Government Affairs for Legislative Influence.]


Organizational

[Flow diagram: New Issue -> Alert Legal -> Issue Category? The issue is routed by category (Privacy; BSA/USA PA; Eastern States; Western States) to Compliance, which communicates to Business Owners. A Government Affairs branch handles Legislative Influence.]


Additional Recommendations

• Ensure strong legal counsel
• If you are in a highly regulated industry (e.g. insurance, pharmaceuticals), have a dedicated resource monitoring regulations
• Keep data on “INCIDENTS” that might lead to risks (monitor whether any ultimately lead to litigation/settlement; e.g. retail stores track customer injuries so they can estimate the percentage of incidents that lead to litigation)
• Be proactive in anticipating potential drivers of legal risks: look for factors that drive change, such as a new political appointee or increased scrutiny in adjacent markets, and then respond to those risks proactively


Thank you

• Questions?

Contact Information:
Steve McGraw
Chief Executive Officer
Compliance 360, Inc.
678.992.0262
