Building Your Enterprise Risk Management Program

Helen A. Goodwin, CCEP

Ethics & Compliance Professional

SCCE Utilities & Energy Conference
Houston, Texas
February 2016

Building Your Enterprise Risk Management Program: Leveraging ERM & Compliance

• Chart the Course: Join Efforts with ERM to Map Compliance Related Risk Coordinates.

• Stay on Course: Use the ERM Risk Assessment as Your Lighthouse to See Potential Risks.

• Maintain the Deck Log: Keep a Scorecard to Check Your Accuracy of Compliance and Ethics Risk Findings.



About Me……

• Spent 32 Years as a Federal Employee with the U.S. Department of Energy/Bonneville Power Administration in Portland, Oregon.

• Held Positions in Energy Conservation, Power Acquisition, Power and Transmission Rates, Strategic Planning, Power Policy and Compliance.

• Created and Implemented the First Expanded Ethics Program Including a Code of Conduct & Ethics Hotline Consistent with Federal Law and the Federal Sentencing Guidelines for Organizations.


A Few Facts


Step 1: Chart The Course

Join efforts with ERM to map compliance related risk coordinates

1. Avoid Reputational Risk. Begin With the End in Mind… Engage Your ERM Group Early & Often.

2. Don’t Wait Until You Have a Crisis Such as an Unflattering Newspaper Article or a Government Investigation. It’s Too Late.

3. Communicate the Value of ERM to Executive Management. Insist on a Seat at the Table.

4. Ensure That Your Risk Assessment, Treatment Plan and Progress Reporting are Data Driven.

Step 1: Chart The Course

Join efforts with ERM to map compliance related risk coordinates

• In tandem with ERM, use the Federal Sentencing Guidelines as a guidepost to build and maintain an effective compliance and ethics program.

• Leadership, Oversight & Chain of Command

• Process & Procedures/Written Standards

• Communication & Training

• Monitoring & Auditing

• Reporting & Investigation

• Enforcement & Discipline

• Response & Prevention

• Evaluation

• Risk Assessment

Step 1: Chart The Course

Join efforts with ERM to map compliance related risk coordinates

[Diagram: Enterprise Risk Management. Labels: Risk Assessment; Monitoring/Auditing Program Evaluation; General Surveys; Specific Surveys; Program Reviews; Risk Treatment Plan; Compare to Industry Best Practices; Risk Registry]

Step 1: Chart The Course

Join efforts with ERM to map compliance related risk coordinates

• Active use of risk management is the key to early detection of possible risk events and a mitigation strategy.

• Develop risk-based program goals/objectives annually to:

• Meet internal & external requirements.

• Identify gaps in regulatory requirements.

• Prioritize significant ethical or compliance risks.

• Anticipate future risks and risk trends.

• Identify events that can derail program objectives.

• Identify events that can harm reputation.

• Analyze the likelihood and consequences of each risk.

Step 1: Chart The Course

Join efforts with ERM to map compliance related risk coordinates

• Be honest. Assess your vulnerabilities and perform risk assessments often.

• Avoid group think. Involve others outside of your sphere of influence. Include those with a different perspective.

• Rely on facts. Relying on hearsay or rumor may result in a false positive, wasting time, energy and resources mitigating a risk that does not exist.

• Don’t panic. If your program ends up a top tier enterprise risk, it may result in more resources to execute specific long-needed program elements.

Step 1: Chart The Course

Join efforts with ERM to map compliance related risk coordinates

                         Consequences
Likelihood   Negligible  Marginal  Critical  Catastrophic
Certain      High        High      Extreme   Extreme
Likely       Moderate    High      High      Extreme
Possible     Low         Moderate  High      Extreme
Unlikely     Low         Low       Moderate  Extreme
Rare         Low         Low       Moderate  High


Raise the Bar

• Use your risk assessment, program monitoring and compliance and ethics surveys as learning tools and the basis for moving forward.

• Use these tools as opportunities to create awareness and move your programs forward.

• Educate your employees.

• Use the elements of an effective compliance and ethics program to create a strong foundation.

• Raise the bar you created each year.

Step 2: Stay On Course

Use the ERM risk assessment as your lighthouse to see potential risks

Ethics and Compliance Surveys

• Use program specific surveys to look at identified risk & weak spots.

• Compare and contrast your survey results to other like organizations or surveys.

• Follow-up surveys allow you to track progress towards meeting your goals.

• Let employees know what you are doing to correct weak spots.

• Field a baseline, random sample survey to determine employee awareness of the rules, policies and available resources.

Step 2: Stay On Course

Use the ERM risk assessment as your lighthouse to see potential risks

Ethics and Compliance Helplines

• The key is ensuring that all helpline calls and web submissions are taken seriously and investigated.

• Adverse actions must be taken if the allegation is found to be correct.

• Publicizing the results can help deter behavior that can result in an ethics or compliance failure and/or crisis.

• When the helpline is set up well, and equally marketed and promoted, helpline data can help you discover little-known trends and close gaps.

• Employees often feel over-surveyed.

• Analytics from a helpline add to survey data and, in combination, provide valuable risk-related program data.

Step 2: Stay On Course

Use the ERM risk assessment as your lighthouse to see potential risks

Monitor and Audit Your Programs

• Engage internal audit or an outside source to perform regular and random reviews of records.

• The risk registry and risk map are good places to look in depth at an identified weak spot or an area you determined as certain risk/high or extreme consequences.

• Use the survey results, monitoring and auditing of your programs to make mid-course corrections.

• Regularly and consistently monitor and audit progress towards meeting your ERM goals.

• Data collection and tracking provide opportunities for trend analysis.

Step 2: Stay On Course

Use the ERM risk assessment as your lighthouse to see potential risks

Program Reviews:

• Scope should include key program design elements, roles & responsibilities.

• Show due diligence in preventing and detecting violations.

• Promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

• Engaging executive management is key to your success.

• Evaluate the effectiveness of your program.

• Determine whether implementation of the ERM driven program is consistent with the original plan.

Step 3: Maintain the Deck Log

Keep a scorecard to check your accuracy of compliance and ethics risk findings

• A one-time-only risk assessment is not enough. Partner with ERM often to update your risk assessment.

• Don’t rely on hearsay or rumor. Don’t overreact, but take helpline and other reporting seriously.

• Encourage employee reporting through strong non-retaliation policies and practices.

• Create and implement a strong marketing, communication and training program.


Employee Engagement

• Encourage your employees to ask questions and dedicate staff to answer those questions.

• Employee questions and helpline data can help focus your training efforts.

• An informed workforce will make it less likely that you will face an ethics or compliance failure or crisis.

• Don’t be complacent. Train, train, train your employees.

• Make training an integral part of the corporate culture.

Step 3: Maintain the Deck Log

Keep a scorecard to check your accuracy of compliance and ethics risk findings

Employee Communication

• Use the web effectively to send a consistent message and as a self-help learning tool.

• Encourage employee attendance at mandatory & non-mandatory ethics & compliance training events.

• Provide non-monetary incentives such as an annual award for an ethics and compliance hero.

• Ask for feedback through surveys and other reporting tools.

• Communicate with your employees regularly and often.

• Promote your helpline and other sources to report potential risk events.

Step 3: Maintain the Deck Log

Keep a scorecard to check your accuracy of compliance and ethics risk findings

Crisis Management

• Stay the course. New program elements in a time of crisis may do more harm than good.

• Avoid suspicion. Share what you can with your employees.

• Weather the storm. If a crisis does occur, your strong foundation will help you navigate the rough waters.

• Don’t overreact. Focus your efforts on fact, not rumor.

• Be truthful. Target your response to what you know.

Step 3: Maintain the Deck Log

Keep a scorecard to check your accuracy of compliance and ethics risk findings

Building Your Enterprise Risk Management Program: Benefits of Partnering with ERM

• Reduces risk of all kinds – financial & reputational.

• Fosters a culture of compliance where a commitment to integrity & ethical behavior is demonstrated.

• Reducing risk is consistent with customer and investor expectations.

• Provides transparency.

• Minimizes audit exposure & possible findings.

• Reduces risk of sanctions and sentences.

• Improves operational efficiency and effectiveness.

Building Your Enterprise Risk Management Program: Continuous Improvement is Key

• Chart the Course: Join Efforts with ERM to Map Compliance Related Risk Coordinates

• Stay on Course: Use the ERM Risk Assessment as Your Lighthouse to See Potential Risks

• Maintain the Deck Log: Keep a Scorecard to Check Your Accuracy of Compliance and Ethics Risk Findings


Questions


Contact Information:

Helen Goodwin: [email protected]


Opportunity to Share

How do ERM and Compliance & Ethics align and interact at your organizations?

How do your organizations address ‘Three Lines of Defense’?

Opportunity to Share

Why do companies with Compliance and ERM programs in place fail?

How have your organizations utilized risk assessments and surveys?


Opportunity to Share

How do your organizations maintain a robust knowledge base of risk and compliance issues?

How have your organizations matured ERM and Compliance & Ethics?
