Richard Ketchum Keynote from the Compliance Week Conference


My notes, live, from the Richard Ketchum keynote at the Compliance Week Conference. Mr. Ketchum is the newly named chairman and CEO of FINRA.

It is a terribly important time as financial markets are in the process of transformation. It was two years ago when the first signs of the credit crisis appeared. The silver lining is that the crisis offers an opportunity to reform the financial markets.

Mr. Ketchum moved on to the idea of a systemic risk regulator. He thinks some regulator will be in place. As to whether it is a single entity or a council of regulators, Mr. Ketchum stated that some of the risk and problems came from loosely regulated entities and in transactions that were not transparent. He thinks the value of a systemic regulator is good but thinks we need to focus on the function of this new regulator. He wants to avoid duplication and also to avoid things falling through the cracks.

He looked to the Federal Reserve as a regulator that had a broad mandate to see big problems. They were less able to focus on the detail of regular reporting and maintenance. He thinks the new systemic regulator should not replace existing regulators. He also did not seem to like the idea of breaking up the SEC. They are very involved in many aspects of the markets and have a breadth of experience and controls in place.

He moved on to the issue of short selling in the marketplace. There are several proposals being reviewed as a result of the fierce short-selling that happened in September and October. He thinks the selling that happened during that time was mostly long sellers, not short sellers. Short selling may have caused the disappearance of any buyers. He seems to be leaning toward a circuit-breaker when a company’s stock is under pressure. He did not seem to give a straight answer.

He moved on to the subject of derivatives. The market provides a great deal of leverage, has a great deal of inefficiency and is not very transparent. The derivatives markets also react quicker than the equity markets. He thinks the key is transparency so we can see the movement and the risk. The opacity of the derivatives markets contributed to the plunge in the investment markets.

He moved on to the lessons we could learn from volatile markets. He thinks we need to revisit diligence and reduce our reliance on ratings to get a better understanding of the security (in particular asset-backed securities). You need to keep the creators of the securities away from the ratings of the securities.

He thinks compliance needs to be infused into more functions. He thinks compliance officers can look at the risks and not rely on assumptions. You need to make sure that decisions that benefit the company do not come at the expense of the company’s clients or customers.

Nobody feels good about the implosion of the financial markets. FINRA is re-evaluating their internal processes to see what they could do better. He pointed out the new FINRA Whistleblower hotline. FINRA is looking at ways to make sure things do not fall through the cracks.

He thinks the biggest gap is the different regimes between broker-dealers and investment advisers. He thinks investment advisers need to be more regulated and more closely examined. He does recognize that there are different risks and different concerns. You can’t throw the same rulebook at them, but he thinks you need to keep a closer eye on them.

The keystone moving forward is winning back the trust of investors. Without trust, the markets are paralyzed. Fraud impoverishes the few; distrust impoverishes many.

In the chat session, Matt put the Madoff scenario in front of Mr. Ketchum. He thinks that is the great example of having different regimes for broker-dealers and investment advisers. FINRA could not look over the wall at the advisory side of the business.

There is no definition of a systemic risk. Mr. Ketchum thinks it is one that can impact the financial marketplace as a whole and not just an individual institution.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Self-Assessments: Criteria and Procedures for Evaluating GRC Programs


My notes, live, from Self-Assessments: Criteria and Procedures for Evaluating GRC Programs, with Gracie Fisher Renbarger, Chief Ethics and Compliance Officer of Dell; Nan Stout, Vice President Business Ethics of Staples; and Carole Stern Switzer, President of OCEG.

Carole started off with two observations:

  • Designing, implementing, and improving a governance, risk management and compliance (GRC) system is a time and resource-intensive proposition.
  • Periodically evaluating the design and operation of the system is essential to demonstrate that the organization’s GRC initiatives are delivering outcomes that really matter.

Carole pointed out that GRC is more than Governance, Risk and Compliance, but it is really awkward to have a 13 letter acronym.

She turned to design effectiveness. “Given our objectives and all of the risks and requirements related to these objectives, do we have controls, incentives and other structures in place that will provide reasonable assurance that we will meet these objectives?” You can also have less ambitious goals for the evaluation:

  • I’d like a “gut check” on how my hotline is designed
  • I’d like a high-level assessment of whether our risk identification has captured all of the right risks and requirements compared with my peers

Or more ambitious goals:

  • Is this compliance program deemed “effective” by an enforcement agency or external monitor?

How do you evaluate effectiveness? Start by determining what to evaluate and the scope of the risk assessment. One of the issues is that your effectiveness is based on the negative. It is hard to prove that something did not happen because of the program.

You want to ask:

  • Do we have SOMETHING in place?
  • Do we have ENOUGH in place?
  • Do we have TOO MUCH in place?

The next step is to design for performance. You want to be effective, but you also want to be efficient and responsive. “There’s no point in measuring something you can’t fix.”

Carole used a standard for performance called SMART:

  • Specific/simple
  • Measurable
  • Actionable
  • Relevant
  • Timely

Not having data available is a challenge in some organizations. You need to measure perception and compare it to facts. You can say that you have a non-retaliation policy. But that does not do any good if people perceive that they will be fired for reporting a problem.

Next up was Nan to talk about their beta test of OCEG’s Burgundy Book. She thought it was important to give employees multiple ways to report problems, but wanted to store all of that information in one place.

Gracie shared her experiences with the OCEG certification at Dell. The objective of Dell’s FCPA Compliance Program is to be “Effective” and “Aligned.” “Effective” means the program meets the US Federal Sentencing Guidelines’ definition of an effective compliance program. “Aligned” means the program’s activities address actual risks and are aligned to Dell’s business objectives.

The following Elements are assessed:

Culture:

  • Processes established to monitor and address cultural indicators to ensure program is operating in a culture of integrity (i.e., employee surveys, compliance training tracking, etc.)
  • Defined program goals and objectives that align to organization objectives and strategic business initiatives (i.e., supports Dell’s profit and business goals related to “emerging market” expansion, etc.)

Organize & Oversee:

  • Defined roles and responsibilities for program oversight, assurance and day-to-day management (i.e., AC, GECC, Ethics & Compliance Office, etc.)

Assess & Align:

  • Process for identifying and assessing FCPA risk (i.e., identify whether operating in countries with high level of perceived corruption, etc.)
  • Plan to deploy program initiatives in response to risk assessment results (i.e., education rollout in China, etc.)

Prevent & Promote:

  • Existence of Code of Conduct and FCPA Compliance Policy
  • Process for policy development (i.e., executive management approval, etc.)
  • Process for deployment of policy (i.e., website repository and blog communication, etc.)
  • Education plan (i.e., maximum, heightened, general awareness, etc.)

Detect & Discern:

  • Intake and investigations (i.e., employee reporting, investigation process, etc.)

Respond & Resolve:

  • Infrastructure for intake, investigation and resolution of incidents (i.e., staffing, case management system, etc.)
  • Remediation (i.e., discipline, recommended preventative controls, etc.)

Monitor & Measure:

  • Monitor feedback and strive for continuous improvement of the program (i.e., feedback to Ethics Managers and formal employee inquiry/response process, etc.)

Inform & Integrate:

  • Process for communicating program (i.e., blog, cascaded communications, etc.)

A question from the audience: Can you measure the change in culture? It is hard. You need to always look for indicators. Some are lead indicators and some are trailing indicators. One goal of GRC is to pull as much information as possible into one place so those indicators are in one place.

The emphasis of the session was not to advocate a specific framework, but the importance of having a process.

A key to modifying behavior is to make non-compliance more painful than compliance. But you want more than a fear of being caught. You want your employees to strive for better behavior.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Luis Aguilar Keynote at Compliance Week Conference


My notes, live, from the keynote by SEC Commissioner Luis A. Aguilar:

James Doty of Baker Botts introduced the Commissioner. (A disclaimer from the Commissioner: the speech is his opinion alone and not necessarily the view of the SEC.)

The Commissioner titled his presentation “Reversing Course: Putting Investors First.” The focus should be on protecting investors and restoration of stability to the capital markets. We need to restore trust in the markets. That means regulatory reform.

First, we need a search and inquiry into the cause of the crisis. Blaming the regulatory market is not responsive. Perhaps it was an unwillingness to exercise their management and look deeper into the markets. He is enthusiastic about a bi-partisan panel to look into the crisis. Too much regulatory reform focused on how it would help the financial firms and not how it would help investors. We need to look at the intrinsic risks and conflicts in the system. He saw a pattern of de-regulation that helped financial firms with little examination of how it would affect investors. Modernization of the markets has been used as a disguise for de-regulation.

He moved on to the need for a systemic risk regulatory body. He thinks we need some clarity on what we mean by systemic risk. He does not like the focus on “Too big to fail” and its focus on particular entities. He thinks the focus needs to be key functions in the market, not the entity. He would want to isolate these functions in the entity.

Instead of a new regulatory body, he thinks a council of different regulators with different expertise would work better. It is better to have several sentries instead of just one monolithic guard. It would also avoid the conflicts inherent in the mandates of a particular regulator. There is a question of the particular powers of the council and the procedures for the council.

He moved on to the idea of a financial product safety commission. There is an idea that financial products get rated as safe or unsafe. The Commissioner does not like this idea. He draws a line between investment financial products and non-investment financial products. For non-investment products like credit cards and mortgages, the terms are set at the outset. However, an investment financial product has a value that will fluctuate, and its risks will change over the course of time.

Investor protection is different than consumer protection. Removing products from a regulatory scheme could result in regulatory arbitrage.

What about a U.S. FSA, a single regulator for all of the financial markets? Commissioner Aguilar has concerns about this model. Could a regulator responsible for keeping financial institutions viable also be aggressive in pursuing consumer claims of misdeeds against the institution? The Commissioner does not think so. It can also increase systemic risk. If the single regulator gets it wrong, there is no fallback protection or other bodies to step into the gap.

He does like the idea of a single regulator for all of the capital markets. He does not like the split between the CFTC and SEC with the regulation of derivatives separate from the regulation of the underlying securities.

He advocates self-funding the SEC. He alluded to reductions in the SEC’s budget having affected the effectiveness of the SEC.

The Commissioner thinks the staff of the SEC has been unduly tarnished.

After his speech, the Commissioner sat down for a fireside chat with Matt Kelley, the Editor-in-Chief of Compliance Week, taking questions from the audience.

He expects enforcement to be quicker than in the past.

He went back to the self-funding part of this speech. He compares the big staff of the FDIC to the SEC. The FDIC has more people and keeps tabs on fewer institutions. The SEC needs more resources.

It sounds like the IFRS may be a lesser priority under the new administration.

It was a nice speech and chat by the Commissioner.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

EthicsPoint Regional User Forum


Today I am attending the EthicsPoint Regional User Forum in Natick, Massachusetts. Here is the agenda:

  • EthicsPoint Executive Overview – Bill Piwonka, EthicsPoint Senior Director of Marketing will share insight on all things EthicsPoint – including product roadmap into 2010
  • Management, Oversight, and Analytics – A panel of experts will share best practices and ideas on using EthicsPoint’s reporting and analytics to drive transparency and insight into the risks facing your organization
  • Client & Industry Benchmarking Data –  See how your organization’s reporting statistics compare to others in your industry and the entire EthicsPoint customer base
  • Social Media in Compliance – Doug Cornelius (hey that’s me!) will lead a discussion on how you can incorporate tools such as LinkedIn, Twitter, Facebook, YouTube, Delicious and others to help foster a culture of integrity and compliance. Check out Doug’s website at https://www.compliancebuilding.com
  • Incident Awareness and Intake Roundtable – Roundtable opportunity to learn how other EthicsPoint customers have encountered and solved challenges around incident awareness and intake

I assume most of the sessions will be dark, but I may have some notes. I will be sharing my presentation and resources on Social Media in Compliance in a later post.

EthicsPoint provides an anonymous complaint and tip hotline for my company.

Workplace Challenges of Pandemics


The reality of an influenza pandemic has now reached the American workplace. The Swine Flu H1N1 Influenza seems to have been overblown and is now ebbing. There were only two confirmed deaths. It appears that H1N1 is neither particularly contagious nor deadly. In comparison, the H5N1 virus (the Avian Flu) is very deadly with an almost 50% mortality rate. Fortunately, the H5N1 virus is not contagious and is very difficult to spread.

Even though H1N1 did not turn into a pandemic, it is a good time to address your workplace plans for pandemics.

Employers need to implement responses that protect their healthy employees, guard the privacy of sick employees, and comply with applicable national, state, and local law requirements. It is essential that employers do not permit overexcited media coverage to push them into taking actions that may be illegal or frightening to their employees.

The first step is to encourage healthy behavior by your employees:

  • Cover your nose and mouth with a tissue when you cough or sneeze. Throw the tissue in the trash after you use it.
  • Wash your hands often with soap and water, especially after you cough or sneeze.
  • Avoid touching your eyes, nose or mouth. Germs spread that way.
  • Stay home if you get sick. Limit contact with others to keep from infecting them.

In planning for a pandemic, you need to be careful if you decide to survey your employees about factors that may cause them to miss work in the event of a pandemic. You can trip over health privacy issues and ADA limitations. The EEOC made an ADA-Compliant Pre-Pandemic Employee Survey:

Directions: Answer “yes” to the whole question without specifying the reason or reasons that apply to you. Simply check “yes” or “no” at the bottom. In the event of a pandemic, would you be unable to come to work because of any of the following reasons:

  • If schools or day-care centers were closed, you would need to care for a child;
  • If other services were unavailable, you would need to care for other dependents;
  • If public transport were sporadic or unavailable, you would be unable to travel to work, and/or;
  • If you or a member of your household fall into one of the categories identified by CDC as being at high risk for serious complications from the pandemic influenza virus, you would be advised by public health authorities not to come to work (e.g., pregnant women; persons with compromised immune systems due to cancer, HIV, history of organ transplant or other medical conditions; persons less than 65 years of age with underlying chronic conditions; or persons over 65).

Answer: YES __________ NO __________

It’s time to give some thought to what your workplace would do in the event there is a pandemic.

The image is the H1N1 influenza virus, taken in the CDC Influenza Laboratory.

Corporate Compliance & Ethics Week at The Home Depot


Crystal M. Consonery, PhD, CCEP shared the experiences of Home Depot during the 2008 Corporate Compliance & Ethics Week. The goal was increasing awareness of the Corporate Compliance department. So they decided to use Corporate Compliance & Ethics Week  to launch their departmental awareness and branding.

One of Home Depot’s eight core values is “Doing the Right Thing.” Corporate Compliance is the embodiment of the value: Doing the “right” thing was at the forefront when they were tailoring their message to meet the needs of the company’s diverse population and in the selection of events and topics of discussion that would appeal to associates at different levels in the organization.

Their schedule of events was announced through various communication channels, including elevator posters, lobby easels, the company’s weekly communication newsletter, and a company-wide communication from the CEO. They also invited external corporate compliance colleagues to the week’s events.


Swine Flu, Disaster Recovery, and Compliance


One aspect of a compliance program is disaster recovery. Investors want to know that your operations can be up and running if something goes wrong. Although first thoughts go to an extraordinary event like the World Trade Center attacks, the problem is more likely to be something less dramatic.

From today’s headlines, it may be time to look at your disaster recovery plans in case of a pandemic. If Swine Flu keeps most of your workforce at home, what do you do?

But first you should decide whether you need to worry about the Swine Flu. The culprit is an unusual new virus known as A/H1N1, which is a form of swine flu that has made its way from pigs into humans. This is an entirely new hybrid strain composed of pig, bird and human viruses. As to whether it risks becoming a pandemic, that depends on the severity of the effects and how easily it is transmitted.

Over 1,500 Mexicans have been afflicted with symptoms that may be the result of this new virus. But it is not yet confirmed whether the cause of most of these cases was A/H1N1 or commonplace strains of influenza. Five American states (California, Texas, Kansas, Ohio and New York) have confirmed mild cases of A/H1N1. So too have Canada, Britain, Israel and New Zealand. One theory is that college students have been bringing the virus back to the U.S. after college spring break in Mexico.

On the very good side of things, reports indicate that the Mexican swine flu virus is susceptible to the most widely stockpiled flu antiviral drugs, Tamiflu and its relatives. If the effects are severe and it is very contagious, tools are available to fight it.

You can judge whether you should be alarmed at the Swine Flu outbreak. (I am not.) But you should take this as an opportunity to test your disaster recovery plan and make sure you can still be up and running if your workforce is not in the office.

And just to be safe, don’t kiss pigs.


Image is from Cute Overload: Mmmmm, snoutlicioussss. Thanks to Niki Black for pointing it out on Twitter: Swine Flu Transmission solved.

Moral Hazard and Structural Compliance


I have been tossing around the concept of structural compliance in my head. The idea is to focus on the alignment of employee incentives with the long term goals of the organization. Jeff Kaplan forwarded me an article he wrote for the April 2009 issue of CCH’s Federal Ethics Report: Boards of Directors, Moral Hazard and Corporate Compliance Programs.

“Moral hazard” is the phenomenon that reducing the effect of risk by providing insurance results in the encouragement of riskier behavior. A party insulated from risk may behave differently from the way it would behave if it were fully exposed to the risk.

Jeff points out the moral hazard in the economic crisis, where the individuals creating the risk did not have their interests aligned with those of the organization. I touched on this in my post about Countrywide: Did Compliance Programs Fail During the Financial Industry Meltdown? In that story, we saw that loan officers were compensated more for origination of sub-prime loans than standard loans. They were actually paid more to originate riskier loans. The loan officers were not compensated based on the repayment of the loan. They were isolated from the risk of non-repayment.

One of the problems with the securitization of loans is that the originators do not retain the risk. They originate, sell the loans, and transfer the risk. This continues as the loans are repackaged and tranched up into the collateralized debt food chain. There was a structural compliance failure. The risk was separate from the reward.

With the failure of Lehman Brothers, the term “moral hazard” was a hot topic in the news. If we rescued them, others would expect the financial safety net. (It seems like the government made the wrong decision in deciding to let Lehman fail.) We let people build in flood plains based on government flood insurance and subsidized insurance.

Another case in point is my snowboard helmet, streaked with the brown marks of tree limbs from my runs through trees. I feel safer and take some risks that I would not take without my helmet. My head is safer, but I am more likely to take damage somewhere else or dislocate my elbow (again!).

Part of the compliance program has to focus on making sure that the reporting, governance, and compensation of the people in your organization are tied to the long term goals of the organization.

If you are rewarding people based on short-term goals, then you are going to end up with short-term results. If you are rewarding them for gains and not penalizing them for losses, then they are insulated from the risk. They are likely to make riskier decisions.

Merely running a compliance program to make sure people are following the rules is nice. But it is better to have a compliance program that also focuses on removing incentives to break the rules. I think that is what I mean by structural compliance.

Image is a Poland road sign: Znak A-27.svg