Organizational Structures That Work: Small-Company Edition

In contrast to our “large company” edition Monday morning, this session will explore how smaller public companies structure their compliance functions. The CCOs at PETCO, Schnitzer Steel, and VeriSign—each with under $5 billion in revenue—will outline, compare and contrast the structure of their compliance organization, focusing on their functions, reporting structure, organization, responsibilities, infrastructure and more.

Featuring:

  • PETCO Animal Supplies, Inc. Chief Compliance Officer, James B. Brigham
  • Schnitzer Steel Industries VP and Chief Compliance Officer, Callie Pappas
  • VeriSign VP Internal Audit, Mark Gosling
  • PricewaterhouseCoopers LLP Principal, Advisory Practice, U.S. Leader, Governance Risk & Compliance Services, Joseph C. Atkinson (moderator)

These are my notes, live from the session:

The advantages of compliance at a smaller company are that there are fewer silos and less redundancy. Fewer people have to do more things. Functions get combined that would be separated at a bigger company.

One new measurement was how long it took to complete an open compliance issue/complaint.

With smaller companies, the bigger question is whether to have a compliance program, not how to structure a compliance program. Once you go public you need a compliance program. The smaller the company, the less likely it is to be public.

The smaller the company, the more the compliance program is about the individual. You need to make yourself a necessity, not just the compliance program. You need to show that you bring value and profitability to the company.

One key is process improvement. You can get more involved in the business processes. Find ways to help improve them.

In a smaller company it is very important to have strong leadership supporting the compliance and ethics program. A smaller company is going to have fewer middle managers. You also have much more interaction between senior leaders and a larger group of all employees.

Being entrepreneurial is not in conflict with being compliant.

Materials:

Risk Assessment – Getting It Right

PricewaterhouseCoopers LLP sponsored this webcast: Corporate leaders have long recognized that the pace of change continues to increase in velocity, thus challenging management’s execution of the business’ strategic and tactical plans. Enterprise Risk Management (ERM) is a management tool that can be effective in identifying and assessing the risks that come with change and allow management to respond to their organization’s changing risk profile in a timely fashion. The speakers were all from PricewaterhouseCoopers LLP:

  • Joseph C. Atkinson, Principal
  • Brian Brown, Partner
  • Peter Frank, Director
  • Catherine Jourdan, Director

These are my notes.

Why focus on risk? Changes in the marketplace and the world economy have given the perception that the world is a riskier place. That may or may not be true. But people are more focused on risk. It seems that poor risk management had a role in the recent economic troubles. Joe advocates that risk assessment should be integrated into business processes.

Brian took over and focused on defining risk and risk management. “Risk assessment is a systematic process for identifying and evaluating the events that could affect the achievement of an organization’s objectives, both positively or negatively.”

Risk assessment can be mandatory or voluntary. Anti-Money-Laundering, Basel II, and Sarbanes-Oxley compliance all require formalized risk assessment and focus on such processes as monitoring of client accounts, operational risk management, and internal control over financial reporting. Often it is also voluntary, driven by business needs, to assess development opportunities, talent retention, operational efficiency and performance improvement.

There are three primary frameworks for risk management: COSO's ERM requirements, Federal Sentencing Guidelines, and OCEG's Red Book.

Peter took over and focused on the challenges to an effective risk assessment. Common business challenges include:

  • Risk assessment is viewed only as an episodic initiative, a required report that needs to be updated
  • An inordinate amount of effort is invested in gathering data and information, and the volume is difficult to interpret and leverage in a meaningful way for executive leadership
  • The risk assessment is viewed as a conclusion of the process, rather than a starting point.
  • Risks are identified and risk mitigation practices are emphasized without meaningful understanding of impact, causing some risks to be over-controlled and stifling innovation
  • Risk assessment is viewed as an additional function or department, not as an integrated management capability to embed in day-to-day activities
  • Accountability for risk management and performance management resides in silos
  • Multiple risk assessments are performed, using different definitions and measurements of risks, creating confusion and making confident action impossible

Catherine moved on to the six essential steps to performing a risk assessment.

  1. Identify relevant business objectives
  2. Identify events that could affect the achievement of objectives
  3. Determine risk tolerance
  4. Assess inherent likelihood and impact of risks
  5. Evaluate the portfolio of risks and determine risk responses
  6. Assess residual likelihood and impact of risks

Joe came back to conclude that “risk assessment discipline should be embedded in the organization’s regular business processes and yield valuable information to support decision-making to help systematically link risk, reward, and performance management.”