Jeffrey M. Kaplan Kaplan & Walker LLP PLI C&E Institute May 30, 2013.


C&E Program Assessment

Jeffrey M. Kaplan, Kaplan & Walker LLP

PLI C&E Institute May 30, 2013


Reasons to assess

• Legal expectations
  ◦ General: USSG
  ◦ Risk-area specific. E.g., FCPA guidance and other anti-corruption standards
  ◦ Overlap between the two
• Practical benefits
  ◦ Identify good practices, so the company doesn’t cut back
  ◦ Identify room for improvement
  ◦ Serve as commitment device – to maintain (or regain) momentum
  ◦ Serve as a “road map” for getting program credit in an investigation


Means to assess

• Interviews
  ◦ Various possibilities:
    - C&E personnel
    - other staff
    - operations
    - sometimes third parties
  ◦ Interviews can serve an educational purpose, too
  ◦ Should conduct on a non-attribution basis
• Document reviews
  ◦ Program design
  ◦ Program operation


Means to assess

• Surveys (cont.)
  ◦ Use already existing data (regular employee engagement survey results), or
  ◦ Conduct one specifically for the assessment
  ◦ Survey data can be very helpful for identifying parts of company – geographic, business line, risk areas – where program faces special challenges
• Focus groups
• Privilege issue
  ◦ Increases candor
  ◦ Decreases ability to share results


Audits as distinct from assessments

• Different types
  ◦ General process – e.g., against program charters or other general process documents
  ◦ Risk-area procedures – e.g., use of due diligence mechanisms
  ◦ Risk-area substantive – e.g., improper payments
• Can be stand-alone or part of general audits
• Typically done by internal audit staff
  ◦ But need to ensure that they have sufficient background/direction for audits to be effective
• Line between audits and assessments is not always clear-cut


Assessments: who conducts?

• Internal versus external. Issues are:
  ◦ Cost and greater knowledge of the company, versus
  ◦ Independence and breadth of knowledge
• External assessment recommendations may be harder to ignore than with internal effort
• Blended approach may be best
  ◦ Internal should be more frequent than external
  ◦ Internal assessments can be built into ongoing activities
    - E.g., surveys at the end of training sessions


What is relationship with risk assessment?

• In principle, risk assessment tells you how to design and implement a C&E program and program assessment tells you if your approach is working
• In practice, the two overlap substantially
• One should be alert to risk insight from program assessments and vice versa
  ◦ E.g., gap between “gross” and “net” risk tells you something about efficacy of program for a given area


Scope of assessment: full program

• Generally all the elements and sub-elements of an effective C&E program
• Plus program “attributes” – aspects of programs that cut across program elements:
  ◦ Strength/clout
  ◦ Independence
  ◦ Reach
  ◦ Ethics, as well as compliance
  ◦ Management knowledge of, and involvement in, the program
  ◦ Culture
  ◦ Resources


What to assess: risk assessment

• On risk assessment, focus on not only whether the company seems to know its risks, but also…
• The risk assessment process
  ◦ Helpful in meeting legal expectations?
  ◦ Does it produce valuable information?
  ◦ Is it sufficiently documented?
• The extent to which the results of the risk assessment are actually used in designing, improving and deploying various program elements
  ◦ Are you getting full use of the assessment?
    - Many companies don’t


Elements: standards and policies

• Code of conduct – is it
  ◦ On point?
  ◦ Understandable?
  ◦ Being read?
  ◦ Periodically revised?
  ◦ Sufficiently translated?
• Individual policies – to what extent
  ◦ Do they seem to address pertinent risks? Get reviewed/revised as much as needed?
  ◦ Are they “connected” to other program elements, e.g., training and auditing?
  ◦ A note on policy management


Program governance and management

• Consider adequacy of program governance documentation, not only of C&E office but also other functions with C&E roles, such as members of C&E management committees, SMEs and regional personnel
• Are the individuals in C&E functions actually doing what the governance documents say they will?
• Is there an appropriate level of independence and authority to implement the Program?
• Is the Audit Committee getting the right information, and at the right frequency, about the Program?
  ◦ Look at both general program elements and also risk-area specific information (for high-risk areas)


Diligence in hiring and promotions

• Diligence in hiring tends to be fairly straightforward. (Typically it is risk based)
  ◦ But not all companies have ethics questions for hiring interviews
• What due diligence steps a company should take regarding promotions is not that straightforward
  ◦ Often an opportunity to develop recommendations here, based on a company’s risks and culture
  ◦ Having C&E input for promotions can send a powerful message about the importance of the program
• Third parties – a related dimension (which should be dealt with not only by program assessment but also risk assessment)
  ◦ Goes beyond FCPA


Training and other communications

• Tends to be among the most extensive parts of a program assessment
• In addition to whether the right people are getting trained on the right topics at the right intervals, should look at efficacy/impact
• This can lead, for some companies, to recommendations for more role-based training (and sometimes even less overall training)
  ◦ A note on training fatigue
• Also consider training and communications plans and documentation of training and communications efforts
  ◦ Lessons of Morgan Stanley and the Black (ACL) cases


Auditing and monitoring

• Examine the “three lines of defense”
  ◦ Real-time monitoring by businesses
  ◦ Monitoring by functions (e.g., C&E, Finance, HR)
  ◦ True auditing
• With each of the above:
  ◦ Is there enough, based on risk assessment?
  ◦ Are the results being put to full use?
• For C&E auditing ask:
  ◦ What percentage of overall auditing effort is C&E-related?
  ◦ Same question with findings
• Note that monitoring is an area where many companies have room to improve


Reporting systems

• Consider
  ◦ Whether sufficient reporting procedures and avenues are in place
  ◦ How well those are communicated to employees and others
  ◦ What is employee comfort level in reporting (good area for surveys)
• Can benchmark metrics
  ◦ E.g., number of calls to helpline and percentage of anonymous calls
  ◦ Local results can be key here
• Look closely at means to protect whistleblowers
  ◦ E.g., are managers trained in relevant do’s/don’ts?


Investigations and discipline

• Are protocols and procedures in place?
• How are these implemented in practice?
  ◦ Typically includes a review/audit of some case files to get a first-hand look at how investigations are conducted
  ◦ Timeliness and state of documentation
  ◦ What is state of investigator training and other forms of guidance?
• Discipline:
  ◦ Is it meted out for supervisory failures that contributed to misconduct in appropriate cases?
  ◦ What are employee perceptions of the level of consistency of discipline?
    - A note on “organizational justice”


Continuous improvement

• Does the organization have formal procedures for considering enhancements to the Program following violations, including across business units, staff functions and geographies?
  ◦ Are investigators trained to look for this?
  ◦ Procedures also necessary for smaller program enhancements, such as those recommended in an audit or following an investigation
• Are there procedures and practices related to periodic program assessment, including self-assessment?
  ◦ This can be on a risk-area – as well as overall – basis
• In practice, how well does the organization consider enhancements following violations?
  ◦ Independence issues and the 2010 USSG amendments


Incentives

• Does the company use economic incentives?
  ◦ Not necessary for all companies in my view, but can help in some
• Does it use softer forms of incentives?
  ◦ Are managers trained on how to recognize and acknowledge ethically exemplary behavior?
• Does it deploy not just general incentives but also, as appropriate, risk-area specific incentives?
  ◦ Can be important in rolling out major initiatives, such as third-party due diligence systems


Deep dives

• By risk area, e.g.,
  ◦ Anti-corruption
    - Consider using the DOJ/SEC FCPA guidance document
  ◦ Competition law
  ◦ Note that this may make particular sense for emerging areas of risk
• By program function, e.g.,
  ◦ Investigations
  ◦ Board oversight
• Note that dives don’t have to be very deep to be useful
  ◦ Several medium dives can be more helpful than one deep one, at least for some companies


Use of assessments

• Who gets a copy?
  ◦ Privilege issues
• Using the results
  ◦ Develop an action plan
  ◦ Different levels of priority
  ◦ Board reporting
  ◦ Senior management reporting