Compliance Week Annual Conference 2012

I attended Compliance Week’s annual conference in 2010 and 2009. It’s a great conference with lots of great people and great programs. But I’m not attending this year because I decided to spend my professional development budget on getting the Investment Adviser Certified Compliance Professional designation.

If you want to go to Compliance Week 2012, the conference organizers passed on a special discount offer of $350 off the regular rate, a saving of almost 20%. I like Matt Kelly, the editor and publisher of Compliance Week, so I was willing to tart up Compliance Building with an advertisement for the conference.

The conference is specifically geared to corporate financial, legal, risk, audit, and compliance executives at public companies. It takes place in Washington, DC June 4-6, 2012.

Confirmed keynote speakers this year are:

  • James Doty, chairman of the Public Company Accounting Oversight Board
  • Bob McDonald, CEO of Procter & Gamble
  • Judge Jed Rakoff, U.S. district judge for the Southern District of New York
  • Leslie Seidman, chairman of the Financial Accounting Standards Board
  • Sam Sommers, author of Situations Matter: Understanding How Context Transforms Your World.

To take advantage of the discount offer, use code CW2012BL and register here:
http://www.complianceweek.com/compliance-weeks-6th-annual-conference-may-2011/eproduct/12/6433/


Managing Risk in the Financial Sector


On Sept. 16, 2009, Compliance Week and Navigant Consulting presented an exclusive editorial roundtable about compliance practices at financial services firms at The Mandarin Oriental Hotel in Boston.

(Apparently not so exclusive, considering I was able to get in. I even made it into one of the article’s pictures. – That’s me eating my fingers in the background.)

Compliance Week Editor-in-Chief Matt Kelly moderated the session, which featured Daniel Bender and John Schneider of Navigant Consulting. The full roster of participants is in the article’s sidebar.

You can read more about what we discussed during the roundtable in an article in Compliance Week: Managing Risk in the Financial Sector. (Subscription Required)

A few of my favorite quotes from the article:

Lou Iglesias, chief compliance officer of PanAgora Asset Management: Part of the role of a compliance and risk officer is “being a student of history” and learning from past industry mistakes. “And you don’t have to look back too far to find them.”

James Bone, founder of GlobalComplianceAdvisors LLC: Because there is no school for compliance, continually developing new staff to keep up with regulations is also a challenge. Even if you have an unlimited budget to hire talent, “finding people who have the right skill-set to do the things that you need to get done” isn’t always easy.

Redefining Risk


Maybe we should define risk as what needs to go right, instead of what could go wrong.

Although I would like to claim credit for this view of risk, it came from James Bone of Global Compliance Advisors, LLC. I met James at a Compliance Week round table last week discussing risk management and regulatory developments for the financial services industry.

By changing the definition, you are now looking at risk through the operations of your company and its business plan. You are no longer the doomsayer, worrying about the myriad things that could go wrong, some of which range from likely to highly unlikely. You are now focusing on implementing your company’s business plan.

Compliance and risk professionals need to keep an eye on what may go wrong. But, as James points out, it is just as important to make sure things are going right.

Image is by anarchosyn: RISK AWR WC T7L LosAngeles Graffiti Art
http://www.flickr.com/photos/24293932@N00/ / CC BY-SA 2.0

Madoff Hearing at the Senate Banking Committee

I will be covering today’s Senate Hearing (“Oversight of the SEC’s Failure to Identify the Bernard L. Madoff Ponzi Scheme and How to Improve SEC Performance”) along with several guest panelists via the interactive discussion below. Please visit this page today at 2:30 pm to join me, Bruce Carton of Securities Docket, Compliance Week editor Matt Kelly, and others as we follow the hearing – and bring your questions!

Seven Questions to Ask to Optimize Your Compliance Programs


Compliance Week put on a webinar covering Practical Guidance: Seven Questions to Ask to Optimize Your Compliance Programs. Bruce McCuaig, Vice President, Risk and Compliance and Mike Rost, Vice President, Marketing of Paisley presented.

Mike started off with some background of Paisley, then moved onto the “Why?” of Compliance. Companies want to avoid the downside that comes from compliance failures.

Bruce then took over and set forth the seven questions:

  1. Do you have an effective compliance program?
  2. Have you assessed the scope of your compliance program?
  3. Is your compliance program risk-based?
  4. Do you have effective controls over your compliance risks?
  5. Is your compliance program integrated?
  6. Are you leveraging technology to support your compliance program?
  7. Do you have a plan to instill and sustain your compliance program processes?

Effectiveness has a basis in the federal sentencing guidelines. You need to have a culture of compliance. You need to be effective in prevention. You need to document standards and procedures. You need to communicate and report. There is a need for continual improvement.

In assessing the scope of your compliance program, you need to look at the laws, standards and regulations that you must comply with. What jurisdictions do you operate in? What subjects do you need to pay attention to? You need to take a top-down, risk-based approach to address the scope of your program. You need to find the most significant risks to compliance.

To determine whether your compliance program is risk-based, you need to look at the root cause of possible failure. They break it into three pieces: behavioral or cultural factors, impact factors and external factors. Behavior focuses on people. Do your people know the rules? Impact factors look at systems, and external factors are things outside your control.

For effective controls you need to know the rules and know that the rules have to be followed. You also need to know when the rules are broken, and when they are broken the failure needs to be penalized. It is important that employees read and certify that they understand the rules. Where compliance failures are a risk, the regulators expect there to be a dedicated compliance officer. You need to use compliance metrics.

An un-integrated approach produces redundant testing and documentation, because the same activities recur across business lines. Bruce sees five points of convergence:

  • Shared context in organization and process structure
  • Common language of risk and control
  • Common methodology
  • Enterprise wide reporting
  • GRC convergence technology

Bruce thinks technology is important. You need a library of intelligent information on laws and regulations. You need to manage the life-cycle of the policies and procedures. They are useful to show that everyone has read and affirmed their understanding of the policies.

Bruce labels the four steps of maturity: (1) reacting, (2) anticipating, (3) collaborating, and (4) orchestrating.


SEC’s Notice and Access Rules: What Do They Mean For Your Company?

Computershare has put together a White Paper that they distributed through Compliance Week: An Explanation of the SEC Notice and Access Rules: What Do They Mean for Your Company? (.pdf) [For Compliance Week Subscribers]

Pamela Eng, Product Manager for Computershare Investor Services takes us through The SEC’s Shareholder Choice Regarding Proxy Materials rules in Release No. 34-56135 (.pdf) issued July 26, 2007.

[I mentioned some of my confusion about the Notice and Access Rules in SEC Requirements for Online Annual Reports and Proxy Statements. (Thankfully, the rule is not in my domain.)]

Pamela points out that there are now three ways to provide annual meeting materials to shareholders:

  • Notice Only. You can send just a notice with a link to materials on the website.
  • Full-Set. When you send the full set of printed materials.
  • Mixed Set. When you send some and leave the rest online.

The idea behind the “notice only” delivery was to save printing and delivery costs. Theoretically, the information is more useful online because it is searchable and linkable.

It seems even Pamela is not completely happy with the rule. She offers six recommendations to the SEC on how the rule could be improved.

  • Allow more flexible timing for posting online documents
    We requested that the SEC allow the online documents to be made available one or two days after the initial mailing has been sent, rather than on the mailing date. This would give extra time for companies to get their documents approved and programmed for the website.
  • Allow more time to fulfill holder requests
    The rule gives only three days to fulfill requests for registered holders, yet gives nine days to fulfill the requests of beneficial holders. Our recommendation was to allow six days for fulfillment on both sides.
  • Change the 40-calendar-day timeline
    A number of companies had problems meeting the 40-day deadline for notice-only mailings, which led us to request that the deadline be moved to 30 calendar days before the meeting. Shareholders will still have plenty of time to request materials before the meeting date.
  • Allow educational information to be included with the notice-only mailing
    Because of shareholder complaints about confusion and issuer concerns about holder education, we advocated the inclusion of educational information with the notice. This information could explain the regulations and why holders are receiving a notice.
  • Allow the voting telephone number to appear on the notice
    The SEC was concerned about possible uninformed or capricious voting by registered holders, who would vote without first viewing the proxy materials, so it did not allow the voting telephone number to appear on the notice. We believe that holders understand the issues, and that allowing the number to be placed on the notice will help holders better understand the overall process.
  • Issue an FAQ, Q&A or other written clarification of the rules
    The new notice and access rules are potentially confusing to both issuers and shareholders, and confusion may increase as many more companies begin the process in 2009. We asked that the SEC issue some written clarifications, possibly including a frequently asked questions document (FAQ); a question and answer bank; or, in some cases, a rewrite of the rules themselves.

Roundtable Discusses Supply Chain Risks


On Jan. 27, 2009, Compliance Week and Integrity Interactive presented an editorial roundtable focusing on supply chain and vendor management risks. They were kind enough to invite me to participate. There is an article about the roundtable in the next issue of Compliance Week and a copy is available online: Roundtable Discusses Supply Chain Risks. (subscription required)

One theme from the discussion was a desire for an industry or third party standard for compliance. We all thought it would be great if some industry association or auditing firm could review vendors and give the reliable ones a seal of approval.

Dave Curan, the Chief Executive Officer of Integrity Interactive, recommended that all companies have a separate code of conduct that applies to their suppliers. Many in the audience pointed out that vendors often have their own code of conduct, which precipitates a “battle of the codes.”

SEC Internet Enforcement

In the December issue of Compliance Week, Bruce Carton tells some of the history of the SEC’s internet enforcement efforts. One of the first internet efforts was an email address for the public to send tips. Back in 1996 there were about 20 complaints a day. Now there are as many as 10,000 a day.

With all the complaining about the SEC, it is important to note that the SEC cannot uncover every violation or financial scam out there. How do you deal with 10,000 emails a day? Clearly the SEC missed some things in its Madoff investigations. Maybe they were a little soft on him given his reputation. Given that he convinced so many smart, rich people to give him money, I assume he is very persuasive.

You have an under-manned agency looking at a charming man with a great reputation. There are lots of other bad guys out there. You move on and look for more problems.

The Corporate Risk Management Library

Here are my notes from this webinar from Compliance Week, sponsored by CA, Inc.: Enhancing the Risk Profile of Your Organization: The Corporate Risk Management Library

Speakers:
Tom McHale, Vice President of Product Management, CA
Christopher Fox, Principal Consultant, Governance Compliance and Risk Group, CA

We are seeing a movement from executive autonomy to executive accountability and corporate secrecy to corporate transparency.

We are seeing an evolution in risk management. We need to identify the strategic risks. We also need to figure out how to get ourselves assured that we are addressing all risks. We are in a changing and diverse environment with government investments, stimulus packages, new regulations and new issues.

A “risk library” is a comprehensive set of risks for specific categories, with a representation of the scope of risks for an organization, used by enterprise risk management processes. One key is to have an agreed-upon classification (or taxonomy) across the organization.

In searching for a risk library where can you start? These are some references:

  • Federal Sentencing Guidelines
  • OCEG Redbook
  • COSO
  • Federal Reserve Guidance
  • COBIT 4.1
  • Federal Reserve URSIT
  • ISO 27002
  • EPA Legislations
  • Basel II
  • SEC listing requirements
  • Australian Standard 4360

A risk library should take a holistic view. Financial risk is only one dimension; you also want to include strategic and tactical risk.

They moved onto examples of a risk library structure.

They set level 1 as internal risk and external risk. Level 2 was broken down into governance, operations, technology, compliance, financial, reporting, environment, international, market and social trends. They then showed a third level of risk below the level 2 risk of governance, and a level 4 of various market conditions such as demographics, employment, labor relations and exchange rates.

Once you have the corporate risk management library, you decide which risks you can manage. After selecting those to manage you need to report on the risks, set up a compliance program, create policies and procedures, assess the risks and create an action program.

Kozeny Decision Limits Defense to FCPA

Melissa Klein Aguilar wrote a piece on Compliance Week about the decision in U.S. v. Kozeny that limits the local-law defense under the Foreign Corrupt Practices Act: FCPA Decision Narrows Local-Law Defense.

The Kozeny decision makes clear that if the payment itself is illegal, the local-law defense can’t be used even if the common practice in that country is to forgive the offense; the transaction must be permitted under local law.

The facts of the Kozeny case were unusual. Under local Azerbaijani law, a voluntary declaration of having committed bribery absolves the bribe-giver and his accomplices from criminal responsibility. The Kozeny court did not seem to think this was the same as the bribe being legal.

The judge also found that mere economic coercion is not a defense. The Kozeny judge equates true extortion with a “payment made to an official to keep an oil rig from being dynamited.”

The article also points us to two law firm legal alerts: