Top 10 Risk & Compliance Trends & Predictions for 2020 | Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global | Kristy Grant-Hart, Founder and CEO, Spark Compliance Consulting


Top 10 Risk & Compliance Trends & Predictions for 2020

Carrie Penman, Chief Risk & Compliance Officer| NAVEX Global

Kristy Grant-Hart, Founder and CEO | Spark Compliance Consulting


Page 2

About the Presenters

Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global

As one of the earliest ethics officers in the industry, Carrie Penman has been with NAVEX Global since 2003 after serving four years as deputy director of the Ethics and Compliance Officer Association (ECOA) now ECI. A scientist by training, she developed and directed the first corporate-wide global ethics program at Westinghouse Electric Corporation from 1994-1999. As Chief Risk and Compliance Officer for NAVEX Global, Carrie leads the company’s formal risk management processes. She also oversees its internal ethics and compliance activities employing many of the best practices that NAVEX Global recommends to its customers.

Kristy Grant-Hart, Founder & CEO, Spark Compliance Consulting

Kristy Grant-Hart is an expert at transforming compliance departments into in-demand business assets. She’s the author of the book “How to be a Wildly Effective Compliance Officer” and CEO of Spark Compliance Consulting, a London, Atlanta and Los Angeles-based consulting group. She is also a former adjunct professor at Delaware Law School, Widener University, teaching Global Compliance and Ethics. Before launching Spark Compliance, Ms. Grant-Hart was the Chief Compliance Officer at United International Pictures, the joint distribution company for Paramount Pictures and Universal Pictures in 65+ countries.


Page 3

Agenda

1. Managing the Impact of Politics in Our Organizations

2. Future-Casting Culture in M&A Due Diligence

3. Impact of Digitized Environments & Modern Workplaces on Internal Investigations

4. We Need to Learn How to Train Humans, Not Employees

5. Sanctions Compliance in the Era of Financial Warfare

6. Risk³: People Risk, Business Risk, & Regulatory Risk

7. Data Privacy Is Not a Law, It’s a Lifestyle

8. Today Whistleblower Protections Driven by Legislation, Tomorrow by Value

9. Finding Your Footing in a Sea of Regulations & Guidance

10. Hotlines, Headlines & Hearsay: When Whistleblowing Is National News


Page 4

1. Managing the Impact of Politics in Our Organizations

Author: Ed Petry, Senior Advisor, NAVEX Global


Page 5

Today’s social and political climate is making it more difficult to maintain collegiality and a positive organizational culture.

In a nutshell, politics has become very personal.

Heated debates in the workplace are all too common

Risk of incivility and polarization in the workplace runs high

Impact of politics is extending beyond just employee relations

Politics and disagreements over social issues are now causing consumer boycotts and even employee walkouts

Politics Influence Organizational Culture

UK Politics: prime minister resignation/succession; Brexit

US Politics: election year/presidential; impeachment

??


Page 6

Steps for Organizations to Take

Manage Debates in the Breakroom & Beyond

• Increase your emphasis on awareness and training, especially related to your policies pertaining to political activity and respect in the workplace

• Target your training toward leaders and those who are identified as “repeat offenders” of office decorum

Prepare to Be #Cancelled (While Trying Not to Be)

• For public-facing activities, have the right people at the table who can speak up and challenge potentially questionable decisions

• Ensure leadership as well as public-facing departments are fully aware of the cancel culture risks and have detailed action plans in place, including internal communications plans to quickly respond when needed


Page 7

Steps for Organizations to Take

Manage Self-Censorship While Encouraging a Speak-Up Culture

• Create a clear distinction between holding one’s political tongue and raising one’s voice

• Evaluate whether surveys and other means of assessing employee engagement are sufficient

• Don’t assume an overly optimistic view of organizational culture


Page 8

2. Future-Casting Culture in M&A Due Diligence

Author: Fernanda Beraldi, Senior Director, Ethics & Compliance, Cummins Inc.


Page 9

Heightened M&A Activity

• Despite global economic uncertainty, M&A activity is expected to accelerate in the years to come

• Along with an uptick in deal volume, corporate executives believe M&A will be defined by higher dollar amounts and more diversity of targets

• Companies are expected to use acquisition to expand their customer bases into existing markets as well as diversify product and service offerings

79% of corporate executives expect M&A deals to increase over the next 12 months

40% of corporate executives say that half of deals fail to generate the value they expected at the onset of a transaction


Page 10

Closing the Culture Gap in M&A Due Diligence

Internal hotline data provides insights into an organization’s cultural health

Increased hotline use is linked to better business performance and good governance

Businesses with more hotline reports gain visibility into brewing problems, giving them a chance to take remedial action

Increased hotline use indicates employees are comfortable reporting internally and are less likely to take their concerns outside of the organization

One in five corporate and private equity buyers highlighted “not achieving cultural alignment” as a limiting factor of success.


Page 11

Steps for Organizations to Take

Go Beyond Substantiated Reports to Find Unfiltered Information Streams

• Use aggregate internal hotline reporting data as an uncurated stream of due diligence intelligence

• Ask:

• Who made the reports?

• What part of the organization did they come from?

• Why were they unsubstantiated?

58% of internal reports are not substantiated


Page 12

Steps for Organizations to Take

Better Define Cultural Valuation Based on Speak-Up Track Record

• Use aggregate hotline data to get a better understanding of what the speak-up culture is like at a target

• Ask:

• Do employees feel empowered to report misconduct?

• Are they properly trained on values and expectations for the corporation?

• Is their potential cynicism or distrust brewing beneath the surface?

Firms that actively utilized their hotlines received, on average, 46% fewer negative news stories than businesses with low or infrequent internal reporting use


Page 13

3. Impact of Digitized Environments & Modern Workplaces on Internal Investigations

Author: Scott Moritz, Senior Managing Director, FTI Consulting


Page 14

Recognizing the New Unknowns

• The investigative and forensic accounting fields are going through a metamorphosis to keep pace with dependencies on digital environments, use of electronic data, and technology

• New fraud schemes involving user data, online advertising, and global ecommerce platforms are proliferating around the world

• There are more “unknowns” than ever


Page 15

Financial Crime & Cybercrime Continue to Converge

• Many financial crimes are now cyber-enabled

• Investigators now need to understand:

• Network security

• Software systems underlying enterprise resource planning

• Expense reporting, payroll, procurement

• Electronic banking


Page 16

Steps for Organizations to Take

Extend Your Subject Matter Expertise

• Tap into a broader array of subject matter expertise in order to understand digital environments and how best to leverage that expertise as investigators

• Work alongside subject matter experts to gather evidence and identify responsible parties

Understand the Evolving Arc of the Modern Investigation

• Develop a multidiscipline approach to investigations

• Assemble an investigative team made up of multiple skillsets and disciplines to investigate large volumes of information, multiple allegations, potentially spanning multiple geographies

Navigate the Delicate Landscape of Privacy Law

• Consider the data privacy implications of the investigation at inception

• Plan to handle personally identifiable information (PII) in a way that does not create liability for the company

• Understand how privacy law applies to the cross-border data transfer


Page 17

4. We Need to Learn How to Train Humans, Not Employees

Author: Ingrid Fredeen, VP Online Learning Content, NAVEX Global


Page 18

Creating Workplaces for People

• Forward-thinking businesses have developed cultures where employees bring their full selves to the job

• This has increased productivity, creativity, innovation and personal investment in “the work”

• However, people who bring their whole selves to work are not employees; they are human beings. And humans need a different framework for management

• Humans are driven by purpose and passion

• In the absence of a social movement, this purpose and passion is directed toward innovations in work. In the wake of a social movement, it is redirected toward justice, restoration and change


Page 19

• Training, communications and awareness programs are the vehicles through which we help organizations connect with purposeful and passionate employees

• Training programs need to evolve to align with current social environments and organizational values

Multidimensional Workforces Need Multidimensional Training

58% of respondents say training improves employee morale*

56% of respondents say training improves trust and confidence in organizational leadership*

*NAVEX Global’s 2019 Definitive Corporate Compliance Benchmark Report: of respondents with leaders who view E&C as a strategic investment.


Page 20

Steps for Organizations to Take

Get Ahead of Potentially Disruptive Social Movements

• Embrace transparency to be aware of and understand prevailing sentiments

• Create a system that not only allows employees to express their concerns but also their values

Prioritize the Audience in Training Curriculum Mapping

• Become a master of relevance: ensure learners understand how the content they are learning is relevant to them and how it aligns with the organization and its values

• Effectively map the compliance message through three categories: training topics, audience needs and content format

• Tailor the depth and frequency of training to each audience group

Consider These Questions:

• Who has learning constraints based on education level, language or location?

• Who is the individual beyond their role – techie, hands-on learner, introvert, extrovert, remote worker, etc.?

• Will this course build trust in our organization and its leaders?


Page 21

5. Sanctions Compliance in the Era of Financial Warfare

Author: Mike Volkov, CEO & Owner, The Volkov Law Group, LLC

Page 22

OFAC Framework

• On May 1, 2019, the world of sanctions compliance was upended when the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its first-ever Framework for OFAC Compliance Commitments

• Signals a fundamental shift with respect to how OFAC will apply, monitor and enforce sanctions against organizations going forward

• The Treasury has made it clear that compliance will no longer be measured in steps taken but in results achieved


Page 23

Steps for Organizations to Take

1. Get Senior Management Commitment

• OFAC’s definition of commitment is technically precise and relies on measurable actions undertaken by senior leadership

2. Tailor Program to Risk Profile

• The guidance radically expands the responsibility of contracting organizations, plainly stating that there are a “multitude of areas organizations should include in their risk assessments”

3. Evaluate Internal Controls & Calibrate Solutions

• OFAC specifically states its expectation that organizations utilize “information technology solutions” to manage this complex task

4. Test & Audit

• OFAC expects the elements of a sanctions compliance program (SCP) to be routinely recalibrated to account for changing risks

5. Train Appropriate Personnel

• OFAC guidance requires firms to implement training programs for all appropriate employees and personnel


Page 24

6. Risk³: People Risk, Business Risk, & Regulatory Risk

Author: Sam Abadir, Director, IRM Industry Solutions, NAVEX Global

Page 25

Risk Continues to Evolve & Proliferate

• Preventing all risk has never been a mature approach to risk management, and in today’s world, it is no longer a tenable strategy

• The future of risk management will be in how we embrace risk through a holistic yet agile approach

• Disparate approaches to risk management create siloes with blind spots, redundancies and conflicts

• We need a better understanding of how we address our organization’s most immediate and damaging risks: people risk, business risk, and regulatory risk


Page 26

Evolve from a Rigid Risk Structure to a Resilient One

• Traditional preventive risk management structures are strong but rigid. They are designed to address individual threats that are often direct and blunt. Rigid approaches are becoming increasingly more reactive rather than responsive

• IT security, data privacy, health and safety standards, and legislative risk, etc., should ultimately align with the regulations that define them; support business operations while managing operational risk; and drive employee bases that are both inspired and ethical

• A federated but enterprise-wide perspective of risk creates a shared vantage point, shared understanding, and shared approach to these major risk categories that still allow for risk to be actionable in the user’s context

[Figure: three overlapping risk categories – Regulatory Risk, People Risk, Business Risk]


Page 27

Steps for Organizations to Take

Understand Your Organization’s Risk Composition

• While every organization has people, regulatory and business risk, how those risks compose the whole will be unique to your organization (e.g., financial institutions may prioritize regulatory risk and manage people and business risk around that)

Understand Full Life Cycle of Risk

1. Define your organizational risk profile

2. Identify the inherent risks to your business, industry and region

3. Define and articulate your organizational risk tolerance by clearly indicating which risks are to be accepted, absorbed, mitigated or avoided

4. Design internal controls that operationalize your risk tolerance

5. Ensure your business ecosystem – customers, employees and vendors – are aware of their responsibilities

6. Monitor controls to ensure they are within acceptable tolerances and not showing signs of risk

7. Prepare for potential failure with remediation strategies and resiliency plans that manage downstream events


Page 28

Steps for Organizations to Take

Monitor Constantly & Continuously

• Once the life cycle is defined and operationalized, we can take a risk-based approach to monitoring our risk

• Risk-based, continuous monitoring efforts should be applied to third party engagements as well as internal tools, processes and assessments

Increase Transparency

• Design systems that force functional siloes to identify relevant information that needs to be communicated across, and integrated into, global operations

• Create a common risk vocabulary and increase transparency so functional siloes do not create confusion or volumes of extra spreadsheet work that increase administration and decrease accuracy

• Ensure software solutions do not deepen siloes but encourage enterprise-wide engagement in overarching risk management architecture


Page 29

7. Data Privacy Is Not a Law, It’s a Lifestyle

Author: Jess Wilburn, Data Privacy Officer & Senior Counsel, NAVEX Global


Page 30

In Data Privacy, Change Is the Only Constant

• 2018: EU’s General Data Protection Regulation

• 2019: California Consumer Privacy Act

• 2020:

• More than 100 countries have data privacy legislation in place

• U.S. has state-level sprawl of privacy law

• Existing laws continue to be refined with each new enforcement action

Page 31

Keeping Up With the State of Change

This state of constant change will create an environment where organizations will have to diligently manage:

• Data privacy processes and procedures

• Organizational structures that house and process data

• Skillsets of individuals who manage data

• The relationship the company has with PII


Page 32

Steps for Organizations to Take

Find & Develop Your Data Privacy People

• Each team should have a privacy representative or champion who can effectively speak to the team’s data practices, usage and retention

• Hire professionals with data privacy titles within functional teams like engineering, marketing and customer services

• Create a privacy committee that meets regularly, discusses internal and external evolutions, and acts as a change agent to embed better data privacy across the organization

Master the Full Life Cycle of PII

• Map the data you collect, where you store it, who processes it, where access points are, and what your data retention practices are

• Codify data standards with updated privacy policies and data privacy compliance training designed to educate the critical personnel who collect, manage or process data within the organization


Page 33

8. Today Whistleblower Protections Driven by Legislation, Tomorrow by Value

Author: Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global


Page 34

Overview of WB Protection Developments

EU Whistleblower Directive

• Seeks to normalize requirements across EU

• Applies to every org with >50 employees

• Requires updates to reporting channels and bans all forms of retaliation

Australia’s Corporations Act

• Enhances legal protections for reporters and allows for anonymous reporting for the first time

• Clearly defines who is eligible to submit and receive reports

• Penalties of up to $1 million

DOJ’s Evaluation of Corporate Compliance Programs

• Prosecutors will look for proactive measures to create workplaces free of retaliation

Whistleblower Protection Reform Act

• Would extend the rights and protections guaranteed under the Dodd-Frank Act to internal whistleblowers

ISO 37002

• Intends to provide best practices for whistleblower systems built around trust, impartiality and protection

• Informs whistleblowing management systems that create responsive organizations


Page 35

What’s Behind the Changes

• Regulatory changes can be traced back to value: the value that economies, companies and shareholders have lost as a result of various scandals

• Going into the new decade, the evolution of whistleblower protections will be driven by protecting and enhancing value

• Organizations rather than regulations will ultimately drive internal whistleblower programs, not simply to prevent value loss but to enhance value generated

“The quantitative findings clearly demonstrate the economic value of whistleblower protection. For all of the countries and scenarios considered, the potential greatly exceeds the costs. The qualitative evidence gathered from the countries sheds light on good practices and lessons learned for effective and efficient implementation. What remains for policymakers is not to justify the economic case, but rather to determine how such systems can be effectively and efficiently designed to realise the full potential for citizens across the EU.”

- Estimating the Economic Benefits of Whistleblower Protection in Public Procurement

“Internal whistleblower report volume is associated with fewer and lower amounts of government fines and material lawsuits, which is consistent with reports being a resource that deters inappropriate behavior and helps management identify and address concerns before they become more costly to the firm. All of this might be shifting the perspective on whistleblowing.”

- Evidence on the Use and Efficacy of Internal Whistleblowing Systems


Page 36

Steps for Organizations to Take

Capitalize on Full Business Value of Employee Reporting

• Avoid falling into a prescriptive, check-the-box approach

• Don’t stop after creating a defensible reporting system; it must also resonate with corporate culture

• Get full commitment from management on the importance of reporting

Go Beyond a Focus on Individual Reports

• Address and resolve individual issues before they turn into corporate crises

• View big-picture trends to identify patterns and predict potential future failure points

• Learn how to interpret aggregate hotline data along with other information sources like surveys, risk assessments, exit interviews, etc.


Page 37

9. Finding Your Footing in a Sea of Regulations & Guidance

Author: Kristy Grant-Hart, Author & CEO, Spark Compliance Consulting


Page 38

The Rising Tide of Global Regulations

[Figure: CCPA, OFAC, UKBA, SAPIN II, BCCA, ACA, APAC Anti-trust]

• Regulatory guidance has become hard to track, interpret and implement

• How can we cut through the noise and actually determine what really needs our attention?


Page 39

Steps for Organizations to Take

Perform the Two-Step Application Review

• There are two different analyses to complete to find out if guidance really applies to you

1. Determine what is in your remit

2. Analyze which regulations and guidance apply to your company

Open Up Your Risk Assessment

• Assuming you have a written risk assessment, pull it out and review the various risks facing your company

• Use the risk assessment to inform where to focus your energy

• Instead of spending time glancing through every piece of advice, perform a deeper dive into one piece of guidance

• Review your risks, compare them to the guidance, and create a plan to update your program appropriately


Page 40

Steps for Organizations to Take

Let Someone Else Do the Work for You

• Don’t read every piece of legislation. Law firms and consultants are happy to do that for you, and to provide you with updates, checklists and webinars

• Use the synopses and tools provided by the legal and consulting world to help you discern what matters

Find the Synergies

• Deliver on the common elements of effectiveness: code of conduct, policies, procedures, training, risk assessment, monitoring and auditing, good governance, due diligence, investigations, whistleblowing, and promoting an ethical culture

• Deliver on your risk assessment. A risk assessment is an expectation/requirement under the Federal Sentencing Guidelines, DOJ Antitrust Guidance, OFAC Guidance, ISO 19600 standard, and ISO 37001 standard

Find the Low-Hanging Fruit

• Lean on your training vendors for updated learning courses instead of developing your own

• Consider updating your current metrics to show effectiveness rather than researching all possible metrics of each piece of guidance


Page 41

10. Hotlines, Headlines & Hearsay: When “Whistleblowing” Is National News

Author: Carrie Penman, Chief Risk & Compliance Officer, NAVEX Global


Page 42

The End, or Beginning, of an Era of Suppressive WB Culture?

• We are at an inflection point that will determine whistleblower culture for the foreseeable future

• Whistleblowers are now thinking more carefully about reporting

• Due to fear, whistleblowers will consider reporting anonymously, externally, on public platforms; or won’t at all and simply leave the organization

• “Whistleblower” – the term itself – carries a negative connotation that discourages some potential reporters


Page 43

Understanding the Value of Second-Hand Reports

• George Washington University School of Business conducted research comparing the substantiation rates between firsthand and secondhand reports

• Findings show second-hand reports:

• Are more likely to be substantiated

• Are disproportionately reports of accounting, financial concerns, and business integrity issues

• There is considerable business incentive to readily accept and encourage all types of reports

Second-hand reports are 47.7% more likely than firsthand reports to be substantiated by management

Page 44

Steps for Organizations to Take

Increase Number of Reports

• Previous GWU research indicates that internal hotline reporting activity and the performance results are always positively correlated

• Be laser focused on eliminating any technical, procedural or emotional barriers to internal reporting

Value All Forms of Internal Reports

• Consider all reports – anonymous, second-hand, etc. – potentially valuable, or the most valuable reports may never get to be considered at all

Address Fear of Retaliation

• Proactively address fear of retaliation through proactive monitoring, awareness and training


Page 45

Steps for Organizations to Take

Review Your Investigation Processes

• Periodically review and test internal investigation processes to ensure they are consistent, timely and fair

• Ensure that systems intended to protect confidentiality are working properly

Ensure Your Processes Are Resilient and Trusted

• Make systems more resilient to management pressure, and therefore more trusted by would-be reporters

• Design reporting systems that are resilient to outside influence and that can offset the inherent pressure on internal reporters to stay silent, recant or take their concerns elsewhere


Copyright © 2019 NAVEX Global, Inc. All Rights Reserved. | Page 46

Thank You!