Cost-effective Compliance Risk Assessment

Rees Morrison, publisher of Law Department Management, is hosting a series of articles on Cost-effective Compliance Risk Assessment. This series is written by Jeff Kaplan of Kaplan & Walker LLP.

The first article was on three trends regarding the costs of ineffective compliance. Jeff first focused on the increasing occurrence of the “mega fine.” He then noted that desperate times tend to breed desperate deeds. Lastly, he noted that the new attorney general is the same official who set compliance and ethics standards as part of the DOJ’s enforcement decisions.

The second article was on non-costly ways to achieve C&E program successes. Jeff noted that it is more cost-efficient to build the compliance assessment into other functions.

The third article focused on how to embed risk assessment into the process of drafting “third-party” codes of conduct. Jeff points out that simply handing your employee code of conduct to third parties will just lead to confusion. In drafting a third-party code, make sure you elicit comments from the people in the company with direct third-party dealings.

The Inside Story on the Breakdown at the SEC

Adam Zagorin and Michael Weisskopf wrote a very critical article in Time Magazine about Christopher Cox’s tenure at the Securities and Exchange Commission: The Inside Story on the Breakdown at the SEC. The authors use Cox as a symbol of what went wrong with the US financial system, resulting in its current meltdown. They paint a picture of a leader who avoided dealing with investment banks and pushed for deregulation at a time when the markets needed more regulation.

Long an evangelist for deregulation, the affable 56-year-old conservative former California Congressman took a custodial approach to a job that called for muscular leadership. . . . . Indeed, longtime observers say, Cox allowed complacency and drift at an agency that was created to issue warnings and limit the potential for wider damage from financial malfeasance at publicly traded companies.

Bashing the SEC has gotten very popular lately. This article continues the trend, placing the blame at the top.

Policies for Private Use of Company Computer Systems and Mobile Devices

Mark E. Schreiber and Barbara A. Lee published an article on the New Liabilities and Policies for Incidental Private Use of Company Electronic Systems and PDAs.

The discussion in the article comes from the decision in Quon v. Arch Wireless Operating Company, Inc., 529 F.3d 892 (9th Cir. 2008). In that case the court found that a police department had violated the Fourth Amendment and state constitutional rights of its employees, and of the people they exchanged text messages with, when it reviewed “personal” text messages sent on pagers owned and issued by the department. The court also found that the text messaging provider, Arch Wireless, violated the Stored Communications Act (SCA), 18 U.S.C. §§ 2701-2711, by providing transcripts of those messages to the employer.

The authors point out that the decision in Quon turns on constitutional questions that apply to government employers. The same analysis may not apply to private-sector employers. But there are still lessons to be learned:

  • Policies regarding employee use of email, internet access, and mobile devices should state clearly that employees have no expectation of privacy, and the policy must be applied consistently in practice. In Quon, an informal practice of not reviewing messages undermined the department’s written policy.
  • Policies should make it clear that employees can expect their use of computer systems and devices, including personal use and personal messages, to be subject to monitoring and access by the employer with or without notice.
  • Carefully draft service agreements with carriers and other providers so that, in advance, the employer’s access to stored messages is covered by “consent” language that satisfies the SCA and other wiretap-type statutes.
  • Update subpoena and document response policies and protocols to comply with the SCA and, if the company operates internationally, with foreign laws.

The 2008 LRN Ethics and Compliance Risk Management Practices Report

LRN published its 2008 LRN Ethics and Compliance Risk Management Practices Report (.pdf) (free registration required). The report is based on a survey of senior ethics, legal, risk and audit professionals, with 461 completed surveys.

The key findings of the report:

  • Ethics and compliance programs are maturing
  • Companies identify their top two ethics and compliance risks as electronic data protection and data privacy
  • A majority of companies perform formal risk assessments involving multiple functions
  • Companies cite engaging employees and making education more relevant as their top challenges in prevention
  • Detecting violations still presents a significant challenge
  • Multinational companies face bigger challenges at their international regions than at headquarters
  • Few larger companies actively manage ethics and compliance risks within their supplier and partner networks
  • Lack of resources – budget and staff – continues to be the leading challenge in conducting risk assessments and in implementing prevention programs

LRN conducted a similar survey in 2007, so this report is able to identify trends (to the extent that two data points make a trend). I hope that they conduct a survey this year to see if these trends hold.

“More and more companies are recognizing that ethics and compliance is the new frontier of business strategy. Increasing research demonstrates that forward-looking companies that put in place comprehensive and holistic ethics and compliance programs – i.e., programs that do not simply ensure the organization meets all regulatory requirements but that embed values-based business conduct into their culture – enhance their capabilities to compete in the marketplace. Without the distractions that accompany conflicting ethical viewpoints and goals or concerns over potential and actual rules infractions, and without having to concentrate on the workforce or the management of compliance infractions, companies can thrive through inspiration, motivating employees to be their best. An ethical work environment leads to more productive and profitable organizations.”

The report also pitches the LRN Ethics and Compliance Risk Management Process:

An integral component of enterprise risk management is to holistically build a strong control environment with a culture of corporate ethics, by defining, preventing, detecting, responding and evaluating as part of five key steps for building a sustainable compliance risk management process:

  • Define business ethics and corporate compliance risks to create a comprehensive risk profile.
  • Prevent ethics and compliance lapses/failures with hard and soft controls, including business ethics and corporate compliance training.
  • Detect noncompliance with the law, regulations, company code of ethics and corporate governance practice via multiple reporting methods.
  • Respond swiftly and publicly to allegations and potential violations.
  • Evaluate results and make continuous improvements.

(The report includes an LRN illustration of this five-step process.)

Roundtable Discusses Supply Chain Risks

On Jan. 27, 2009, Compliance Week and Integrity Interactive presented an editorial roundtable focusing on supply chain and vendor management risks. They were kind enough to invite me to participate. There is an article about the roundtable in the next issue of Compliance Week, and a copy is available online: Roundtable Discusses Supply Chain Risks (subscription required).

One theme from the discussion was a desire for an industry or third-party standard for compliance. We all thought it would be great if some industry association or auditing firm could review vendors and give the reliable ones a seal of approval.

Dave Curan, the Chief Executive Officer of Integrity Interactive, recommended that all companies have a separate code of conduct that applies to their suppliers. Many in the audience pointed out that vendors often have their own code of conduct, which precipitates a “battle of the codes.”

The Unexpected Benefits of Sarbanes-Oxley

The April 2006 issue of the Harvard Business Review has an article by Stephen Wagner and Lee Dittmar on The Unexpected Benefits of Sarbanes-Oxley.

Although the article is somewhat dated when it talks about the second year under Sarbanes-Oxley, it foretells some of the current thinking in compliance: compliance is good for business. Nearly three years later, the Madoff scandal illustrates the need to be more transparent with your investors, and the need for investors to look more closely at their investments. Documenting business processes and putting controls in place will make your business run better.

Good governance is a mixture of the enforceable and the intangible. Organizations with strong governance provide discipline and structure; instill ethical values in employees and train them in the proper procedures; and exhibit behavior at the board and executive levels that the rest of the organization will want to emulate.

Recommended Annual Review for Hedge Funds and Other Private Fund Managers

Bingham McCutchen has put together a Recommended Annual Review for Hedge Funds and Other Private Fund Managers.

Bingham’s list covers the regulations, policies and filings that a private fund manager should review on at least an annual basis:

  • Compliance Policies and Procedures
  • Form ADV Part 1 and Form ADV Part II
  • Form SH
  • Anti-Fraud Rule Adopted by the SEC for Naked Short Sales
  • Blue Sky Filings and Amendments to Form D
  • Form 13F
  • Schedule 13D/13G
  • Forms 3, 4 and 5
  • Audited Financial Statements
  • Offering Document Updates
  • Ongoing ERISA Compliance
  • Section 457A
  • Section 409A
  • CFTC Requirements
  • Liability Insurance
  • Employee Training
  • Privacy Policy

Disclosure: The Wife is an attorney at Bingham.

Tips for Getting Your GRC Program Running Quickly

Mike Hoefgen of CA put together some Tips for Getting Your GRC Program Running Quickly. Even if you do not put your compliance program into the GRC archetype, there are some useful thoughts.

  1. It is not a project. GRC / compliance is an ongoing business process. I encountered this when I was in knowledge management. Some saw it as a project with an end date and a segmented group. To be successful with compliance you need to be embedded in the business processes.
  2. Cross-functional team. Compliance is a business challenge, not a discrete process. You need input, buy-in and support from across the organization.
  3. Don’t boil the ocean. It is easy to get caught up in trying to solve all the problems at once. Start with something that can deliver some provable success. This builds credibility.
  4. Need for speed. You want to be able to show that credibility and success in the short term. If it takes you two years to show success, you will be forgotten and the business processes will have moved on without you.

Bingham’s Take on Compliance Reviews of an Extraordinary Year

Nancy M. Persechino of Bingham McCutchen LLP put together her take on the Compliance Reviews of an Extraordinary Year. She also includes a chart of the changes in law and rules, new guidance, and enforcement actions (.pdf).

Given the market turbulence of the past year and the rapidly changing business and regulatory environments, many CCOs may wish to do more than simply dust off last year’s review and update its contents. At least one thing remains the same: the purpose of the annual review is to assess the adequacy of the firm’s policies and procedures in ensuring compliance with securities laws and the effectiveness of their implementation. Nothing tests the adequacy of policies and procedures quite like a crisis. So, why not treat the extraordinary events of the last year as a great “forensic test” and ask, “What went right? What didn’t?”

AICPA Exposure Draft on Compliance Audits

The AICPA released a Proposed Statement on Auditing Standards for Compliance Audits (.pdf). This would replace SAS No. 74, Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance.

Comments or suggestions on any aspect of this exposure draft would be appreciated. To facilitate the ASB’s consideration of responses, comments should refer to specific paragraphs and include supporting reasons for each suggestion or comment.

Written comments on the exposure draft will become part of the public record of the AICPA and will be available for public inspection at the offices of the AICPA after June 1, 2009, for one year. Responses should be sent to Sharon Macey at [email protected] or Audit and Attest Standards, AICPA, 1211 Avenue of the Americas, New York, NY 10036-8775 in time to be received by April 30, 2009.