Understanding & Optimizing Legal & Regulatory Risk Management
SCCE Conference - September 11, 2007
www.compliance360.com
Agenda
• Credits
• Overview of ERM
• Legal and Regulatory
  o Definition
  o Issues
  o Solution Examples
  o Best Practices
• Recommendations
Credits
• Mark S. Beasley, PhD, CPA
  Director, Enterprise Risk Management Initiative
  Board Member of the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
• Dana R. Hermanson, Ph.D.
  Dinos Eminent Scholar Chair of Private Enterprise
  Professor of Accounting at Kennesaw State University
• Customers
ERM – an overview of the basics
By definition:
  o ERM is a process,
  o effected by an entity’s board of directors, management, and other personnel,
  o applied in strategy setting and across the enterprise,
  o designed to identify potential events that may affect the entity,
  o manage risks to be within its risk appetite,
  o to provide reasonable assurance regarding the achievement of entity objectives.
Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see www.coso.org)
ERM Directly Links to Corporate Governance
[Diagram: governance over two aspects of the entity, 1) leadership in strategic performance and 2) objective oversight of management. Enterprise Risk Management sits at the centre, linked to the Board of Directors, Audit Committee, Management, Internal Auditors, External Auditors, Regulators, Congress and the Legal System.]
Traditional Risk Management Approach
[Diagram: “Silo” or “Stove-Pipe” risk management, with separate, unconnected boxes for Legal/Reg. Risks, Operations Risks, Finance Risks, IT Risks, Strategic Market Risks, Geo-Political Risks and Weather/Environment Risks.]
ERM Brings Risks Together
[Diagram: enterprise focus on risks. The same categories (Legal/Reg., Operations, Finance, IT, Strategic Market, Geo-Political and Weather/Environment Risks) are grouped around a single objective, Value Creation and Preservation.]
What is Legal and Regulatory Risk?
Definition: Risks associated with the uncertainty of violating laws or regulations.
NEGATIVE: Risk that the company may INTENTIONALLY or UNINTENTIONALLY violate a law, contract, or regulatory provision and face potential litigation, which could lead to cash loss and could impact the enterprise by triggering other risks such as reputation loss, customer backlash, employee embarrassment, etc.
POSITIVE: The company may be the beneficiary of legal or regulatory risk if another party is the violator (say, of a contract) and the company is able to successfully sue.
THUS, LEGAL/REG RISK COULD BE BOTH POSITIVE AND NEGATIVE (BUT MOSTLY NEGATIVE)
What are the major issues from L&R Risk?
• Exposure to fines by regulatory agencies
• Significant workload for legal & regulatory staff
• Being blindsided by newly enacted laws and new regulatory trends
• My competitor’s problem could be my problem
• Managing legal & regulatory risk outside the legal & regulatory department
• “HUGE” uncertainty as to what may trigger it. (What might be deemed “LEGAL” today might be deemed “ILLEGAL” tomorrow as the culture shifts over time.)
Legal & Regulatory Risks Leakage Example
[Diagram: the enterprise risk view from the previous slide, annotated with a leakage chain that crosses risk categories: Privacy laws (Legal/Reg. risk) → Data Breach → Brand Erosion.]
Legal & Regulatory Risks Leakage Example
[Diagram: the same enterprise risk view, with a second leakage chain: Local Ordinances (Legal/Reg. risk) → Delayed Store Openings and Municipal Fines → Brand Erosion.]
Timeline of regulations: Bank AML
• 1970 – Bank Secrecy Act passed.
• 1986 – Money Laundering Control Act enacted.
• 1994 – The Money Laundering Suppression Act.
• 1997 – The Office of the Comptroller of the Currency (OCC) forms the National Anti-Money Laundering Group, expanding the scope of examinations.
• 2000 – The OCC publishes the Bank Secrecy Act/Anti-Money Laundering Comptroller’s Handbook.
• 2003 – USA Patriot Act passed.
Public Comments
“From the governments’ perspective, I think we need to be very careful to properly communicate our message when we take enforcement actions. The message is not only to the targeted institution but to the industry as a whole… I think our enforcement actions should be public and these actions should provide a written road map from which other institutions can learn.”
– William J. Fox, former FinCEN Director, 2004 ABA Seminar
“Regulators should also start including regular AML assessments in the annual reports, instead of treating AML issues on an ad hoc basis. Those assessments should be made available to the public, so that banks and regulators have an incentive to improve and other banks will know who has poor AML records.”
– Senator Carl Levin, July 15, 2004
Recent AML Penalties and Fines
• $3 million civil money penalty (CMP) to Banco De Chile in October 2005 for violations of the Bank Secrecy Act (BSA)
• ABN AMRO in New York and Chicago received, in December 2005, a cease and desist order and civil penalties due to defects within the bank’s internal controls.
• A $2.8 million CMP was issued against Oppenheimer Broker-Dealer, located in New York City, in December 2005 due to deficiencies in BSA requirements.
• The Summit National Bank was ordered by the OCC in January 2006 to fix deficiencies within its audit functions of process and documentation.
AML Fine Chart
• It would be really nice to have the annual fines assessed since enactment – chart
AML Sample Compliance Process
Legal & Regulatory Risk Major Components
[Diagram: four components arranged in a cycle]
1. Early Warning Systems
2. Risk-based Impact Assessment
3. Change/Project Management
4. Controls Monitoring
1. Early Warning System
Legislative and regulatory notification and awareness
• notification of newly proposed law
• notification of newly enacted law
• notification of newly proposed regulations
• notification of final regulations
• notification of regulatory enforcement actions
• alerting of news and announcements by political figures, agency heads and other influential public figures
2. Risk-based Impact Assessment
Assess the company’s impact with a risk-based approach
• A knowledge base of all applicable laws and regulations
• The current legal interpretation
• A repository of previous opinions
• The responsible party(s) for implementing changes
• The impact to your Enterprise Risk Management (ERM) framework
3. Change/Project Management
Make sure to have an automated, consistent management process for Legal & Regulatory Risk:
1. Legal and/or compliance personnel are alerted to an issue
2. The issue is documented and tracked electronically
3. Management in legal rank-orders the issue by risk classification
4. Legal and compliance agree on the risk and the controls implementation
5. Compliance reviews (tests) the policies & procedures and controls for each issue
6. Compliance determines whether the testing of the controls is effective
7. Compliance works with the business owners to educate and manage the compliance process at the business level/unit
8. Results from the controls testing and other processes are reported to the ERM
4. Controls Monitoring
Monitor and test controls on a regular basis
• Independence
• Testing Frequency
• Testing Failures
• What to do next?
• Document
Process Flow
[Flowchart: New Issue → Alert Legal → Document Issue → Review Current Policies & Controls (Legal and Compliance) → Risk Ranking → Control Testing → Communicate to Business Owners. A side branch runs from the issue to Government Affairs for Legislative Influence.]
Organizational
[Flowchart: New Issue → Issue Category? (Privacy, BSA/USA PA, Eastern States, Western States, Compliance) → Alert Legal → Communicate to Business Owners, with Government Affairs handling Legislative Influence.]
Additional Recommendations
• Ensure strong legal counsel
• If you are in a highly regulated industry (ex: Insurance, Pharmaceutical), have a dedicated resource monitoring regulations
• Keep data on "INCIDENCES" that might lead to risks (Monitor whether any ultimately lead to litigation/settlement. Ex: Retail stores track customer injuries so they can estimate the percentage of incidents that lead to litigation.)
• Be proactive in anticipating potential drivers of legal risks – Look for factors that drive change, such as a new political appointee or increased scrutiny in adjacent markets, and then respond to those risks proactively
Thank you
• Questions?
Contact Information:
Steve McGraw
Chief Executive Officer
Compliance 360, Inc.
678.992.0262