Building Your Enterprise Risk Management Program...Building Your Enterprise Risk Management Program:...
Transcript of Building Your Enterprise Risk Management Program...Building Your Enterprise Risk Management Program:...
1
Building Your Enterprise Risk Management Program Helen A. Goodwin, CCEP
Ethics & Compliance Professional
SCCE Utilities & Energy ConferenceHouston, TexasFebruary 2016
Building Your Enterprise Risk Management Program: Leveraging ERM & Compliance
• Chart the Course: Join Efforts with ERM to Map Compliance Related Risk Coordinates.
• Stay on Course: Use the ERM Risk Assessment as Your Lighthouse to See Potential Risks.
• Maintain the Deck Log: Keep a Scorecard to Check Your Accuracy of Compliance and Ethics Risk Findings.
2
2
About Me……
• Spent 32 Years as a Federal Employee with the U.S. Department of Energy/Bonneville Power Administration in Portland, Oregon.
• Held Positions in Energy Conservation, Power Acquisition, Power and Transmission Rates, Strategic Planning, Power Policy and Compliance.
• Created and Implemented the First Expanded Ethics Program Including a Code of Conduct & Ethics Hotline Consistent with Federal Law and the Federal Sentencing Guidelines for Organizations.
3
A Few Facts
4
3
Step 1: Chart The CourseJoin efforts with ERM to map compliance related risk coordinates
1. Avoid Reputational Risk. Begin With the End in Mind….Engage Your ERM Group Early & Often.
2. Don’t Wait Until You Have a Crisis Such as an Unflattering Newspaper Article or a Government Investigation. It’s Too Late.
3. Communicate the Value of ERM to Executive Management. Insist on a Seat at the Table.
4. Ensure That Your Risk Assessment, Treatment Plan and Progress Reporting are Data Driven.
5
Step 1: Chart The CourseJoin efforts with ERM to map compliance related risk coordinates
• In tandem with ERM, use the Federal Sentencing Guidelines as a guidepost to build and maintain an effective compliance and ethics program.
• Leadership, Oversight & Chain of Command
• Process & Procedures/Written Standards
• Communication & Training
• Monitoring & Auditing
• Reporting & Investigation
• Enforcement & Discipline
• Response & Prevention
• Evaluation
• Risk Assessment6
4
Step 1: Chart The CourseJoin efforts with ERM to map compliance related risk coordinates
7
Enterprise Risk Management
Risk Assessment
Monitoring/Auditing Program Evaluation
General Surveys
Specific Surveys
Program Reviews
Risk
Treatment Plan
Compare to
Industry Best Practices
Risk Registry
Step 1: Chart The CourseJoin efforts with ERM to map compliance related risk coordinates
• Active use of risk management is the key to early detection of possible risk events and a mitigation strategy.
• Develop risk-based program goals/objectives annually to:
• Meet internal & external requirements.
• Identify gaps in regulatory requirements.
• Prioritize significant ethical or compliance risks.
• Anticipate future risks and risk trends.
• Identify events that can derail program objectives.
• Identify events that can harm reputation.
• Analyze the likelihood and consequences of each risk.
8
5
Step 1: Chart The CourseJoin efforts with ERM to map compliance related risk coordinates
• Be honest. Assess your vulnerabilities and perform risk assessments often.
• Avoid group think. Involve others outside of your sphere of influence. Include those with a different perspective.
• Rely on facts. Relying on hearsay or rumor may result in a false positive wasting time, energy and resources mitigating a risk that does not exist.
• Don’t panic. if your program ends up a top tier enterprise riskit may result in more resources to execute specific long-needed program elements.
9
Negligible Marginal Critical Catastrophic
Certain High High Extreme Extreme
Likely Moderate High High Extreme
Possible Low Moderate High Extreme
Unlikely Low Low Moderate Extreme
Rare Low Low Moderate High
Likelihood
Consequences
Step 1: Chart The CourseJoin efforts with ERM to map compliance related risk coordinates
10
6
Raise the Bar • Use your risk assessment, program monitoring and compliance and ethics surveys as learning tools and the basis for moving forward.
• Use these tools as opportunities to create awareness and move your programs forward.
• Educate your employees.
• Use the elements of
an effective
compliance and
ethics program to
create a strong
foundation.
• Raise the bar you
created each year.11
Step 2: Stay On CourseUse the ERM risk assessment as your lighthouse to see potential risks
Ethics and Compliance Surveys
• Use program specific surveys to look at identified risk & weak spots.
• Compare and contrast your survey results to other like organizations or surveys.
• Follow up surveys allow you to track progress towards meeting your goals.
• Let employees know what you are doing to correct weak spots.
• Field a baseline,
random sample
survey to determine
employee awareness
of the rules, policies
and available
resources.
12
Step 2: Stay On CourseUse the ERM risk assessment as your lighthouse to see potential risks
7
Ethics and Compliance Helplines
• Key is insuring that all helpline calls and web submissions are taken seriously and investigated.
• Adverse actions must be taken if the allegation is found to be correct.
• Publicizing the results can help deter behavior that can result in an ethics or compliance failure and/or crisis.
• Set up well, and equally marketed and promoted helpline data can help you discover little known trends and close gaps.
• Employees often feel
over surveyed.
• Analytics from a
helpline add to survey
data and, in
combination, provide
valuable risk-related
program data.13
Step 2: Stay On CourseUse the ERM risk assessment as your lighthouse to see potential risks
Monitor and Audit Your Programs
• Engage internal audit or an outside source to perform regular and random reviews of records.
• The risk registry and risk map are good places to look in depth at an identified weak spot or an area you determined as certain risk/high or extreme consequences.
• Use the survey results, monitoring and auditing of your programs to make mid course corrections.
• Regularly and consistently monitor and audit progress towards meeting your ERM goals.
• Data collection and tracking provide opportunities for trend analysis.
14
Step 2: Stay On CourseUse the ERM risk assessment as your lighthouse to see potential risks
8
Program Reviews:
• Scope should include key program design elements, roles & responsibilities.
• Show due diligence in preventing and detecting violations.
• Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
• Engaging executive management is key to your success.
• Evaluate the
effectiveness of your
program.
• Determine whether
implementation of the
ERM driven program is
consistent with the
original plan.
15
Step 3: Maintain the Deck LogKeep a scorecard to check your accuracy of compliance and ethics risk findings
Step 3: Maintain the Deck LogKeep a scorecard to check your accuracy of compliance and ethics risk findings
• A one-time-only risk assessment is not enough. Partner with ERM often to update your risk assessment.
• Don’t rely on hearsay or rumor. Don’t overact but take helpline and other reporting seriously.
• Encourage employee reporting through strong non retaliation policies and practices.
• Create and implement a strong marketing, communication and training program.
16
9
Employee Engagement
• Encourage your employees to ask questions and dedicate staff to answer those questions.
• Employees questions and helpline data can help focus your training efforts.
• An informed workforce will make it less likely that you will face an ethics or compliance failure or crisis.
• Don’t be complacent.
Train, train, train your
employees.
• Make training part an
integral part of the
corporate culture.
17
Step 3: Maintain the Deck LogKeep a scorecard to check your accuracy of compliance and ethics risk findings
Employee Communication
• Use the web effectively to send a consistent message and as a self help learning tool.
• Encourage employee attendance at mandatory & non mandatory ethics & compliance training events.
• Provide non monetary incentives such as an annual award for an ethics and compliance hero.
• Ask for feedback through surveys and other reporting tools.
• Communicate with
your employees
regularly and often.
• Promote your helpline
and other sources to
report potential risk
events.
18
Step 3: Maintain the Deck LogKeep a scorecard to check your accuracy of compliance and ethics risk findings
10
Crisis Management
• Stay the course. New program elements in a time of crisis may do more harm that good.
• Avoid suspicion. Share what you can with your employees.
• Weather the storm. If a crisis does occur, your strong foundation will help you navigate the rough waters.
• Don’t overreact.
Focus your efforts on
fact, not rumor.
• Be truthful. Target
your response to what
you know.
19
Step 3: Maintain the Deck LogKeep a scorecard to check your accuracy of compliance and ethics risk findings
Building Your Enterprise Risk Management Program: Benefits of Partnering with ERM
• Reduces risk of all kinds – financial & reputational.
• Fosters a culture of compliance where a commitment to integrity & ethical behavior is demonstrated.
• Reducing risk is consistent with customer and investor expectations.
• Provides transparency.
• Minimizes audit exposure & possible findings.
• Reduces risk of sanctions and sentences.
• Improves operational efficiency and effectiveness.20
11
Building Your Enterprise Risk Management Program: Continuous Improvement is Key
• Chart the Course: Join Efforts with ERM to Map Compliance Related Risk Coordinates
• Stay on Course: Use the ERM Risk Assessment as Your Lighthouse to See Potential Risks
• Maintain the Deck Log: Keep a Scorecard to Check Your Accuracy of Compliance and Ethics Risk Findings
21
Questions
22
Contact Information:
Helen Goodwin: [email protected]
12
Opportunity to Share
How do ERM and Compliance & Ethics align and interact at your organizations?
How do your organizations address ‘Three Lines of Defense’ ?
23
Opportunity to Share
Why do companies with Compliance and ERM programs in place fail?
How have your organizations utilized risk assessments and surveys?
24
13
Opportunity to Share
How do your organizations maintain a robust knowledge base of risk and compliance issues?
How have your organizations matured ERM and Compliance & Ethics?
25