Trends in Compliance and Ethics - Chapters Site County/IIA OC Presentation

Trends in Compliance and Ethics

Global Ethics & Compliance

November 13, 2015

Confidential Information for the sole benefit and use of PwC's Client

PwC

Agenda

• Introductions

• Compliance Trends

  - PwC's 2015 State of Compliance Survey: Key Themes

  - Conflict Minerals – an overview

  - Third Party Risk


Compliance Trends


PwC’s State of Compliance 2015 Survey Key Themes

1. The compliance function should actively participate in the setting of corporate strategy.

2. Owners of compliance obligations should be aware of what "compliance" entails across the organization as well as understanding the scope of their own responsibilities.

3. The compliance function should collaborate with business owners of compliance obligations.

4. Compliance leaders should evaluate and potentially re-imagine the identity of their function.

5. Compliance officers should explore ways to increase operational efficiency and effectiveness.


Theme 1: The compliance function should actively participate in the setting of corporate strategy.

• 78% of CEOs are concerned about over-regulation

• 50% of CEOs expect to increase headcount

• 38% of CCOs saw an increase in staffing, while 36% saw no change and 8% saw a decrease

Source: PwC’s 2015 State of Compliance Survey


The compliance function can be particularly valuable as companies experience significant growth.

[Chart] What will your Chief Compliance Officer/Corporate Compliance function do to address these trends? Responses shown: Embed new compliance risks into business strategy decisions; Build this trend into compliance risk metrics; Engage with new/additional external stakeholders; Engage with new/additional internal stakeholders. Chart values, in the order extracted: 55%, 52%, 45%, 51%.

[Chart] What trend do you believe will be the greatest driver for change in compliance risk management over the next 10 years? Responses shown: Climate change; Accelerating urbanization; Shifts in economic power; Technological breakthroughs; Demographic shifts. Chart values, in the order extracted: 2%, 1%, 12%, 53%, 11%.


Source: PwC’s 2015 State of Compliance Survey


Theme 2: Owners of compliance obligations should be aware of what "compliance" entails across the organization as well as understanding the scope of their own responsibilities.

[Chart: allocation of responsibility for each compliance area, grouped by the compliance function's degree of involvement (Direct Involvement/Monitoring vs. Limited Involvement). Legend: Ownership, Monitoring, Line of Sight.]

Note: This is a representation of the way responsibility is allocated at a small sample of companies. It is not a recommendation of how that responsibility should be allocated.

Compliance areas shown:

• Compliance Risk Assessment

• Code of Conduct, Hotline, Investigations

• Fraud & Corruption (AML, ABAC, etc.), Insider Trading, Conflicts of Interest

• Compliance & Ethics Training

• Environmental, Health & Safety

• Information Management (includes Privacy & Records Management)

• Employment

• Customs & Trade Compliance

• SOX

• IP/Confidentiality

• Financial Reporting

• Shared Services

• International Business Development

• Advertising & Marketing

• Political and Lobbying

• Social Media & Other Use of Technology


Theme 3: The compliance function should collaborate with business owners of compliance obligations.

Which of the following departments or functions serve on the Compliance Committee?

Department/Function          2015    2014
Compliance                    85%     83%
Legal                         82%     80%
Internal Audit                59%     63%
Finance                       55%     52%
Human Resources               54%     52%
Risk Management               50%      –
Operations                    45%     41%
Information Technology        40%     32%
Business Units                37%     31%
Sales and Marketing           22%     17%
Supply Chain                  13%     12%
Procurement                   13%     11%
Research & Development        12%      –
Investor Relations             9%      9%
Other                         10%     12%

(– : not shown in the 2014 chart)

Source: PwC’s 2015 State of Compliance Survey


'Best in class' compliance functions focus on key strategic and emerging risks.

Select your top 3 areas in terms of future perceived level of compliance-related risk to your business over the next 5 years (i.e., to 2020).

2015:

Industry-specific regulations 31%
Privacy and confidentiality 26%
Strategic risk 20%
Bribery/Corruption 16%
Conflicts of interest 16%
Fraud 16%
Regulatory quality 16%
Security 15%
Business continuity 12%
Supplier compliance 11%
Intellectual property 11%
Consumer protection 11%
Import-export controls/trade compliance 10%
Money laundering 10%
Safety/Environmental 9%
Government contracting 9%
Fair competition/Anti-trust 8%
Corporate social responsibility 8%
Ethical sourcing 7%
Employment labor compliance 7%
Social media 7%
Records management 6%
Insider trading 5%

2014:

Data security 47%
Privacy and confidentiality 27%
Industry-specific regulations 24%
Bribery/corruption 24%
Supplier/vendor/third-party compliance 22%
Conflicts of interest 17%
Fraud 14%
Consumer protection 12%
Regulatory quality 12%
Money laundering 12%
Business continuity 8%
Intellectual property 8%
Employment and labor compliance 8%
Import-export controls/trade compliance 7%
Government contracting 6%
Safety/environmental 6%
Records management 6%
Fair competition/Anti-trust 5%
Corporate social responsibility 4%
Social media 4%
Insider trading 3%
Ethical sourcing 2%
Physical security 1%

Source: PwC’s 2015 State of Compliance Survey


Theme 4: Compliance leaders should evaluate and potentially re-imagine the identity of their function, including its people.

Which of the following skillsets and experiences are represented in your organization's Corporate Compliance function?

Compliance or ethics background     80%
Legal background                    80%
Audit background                    65%
Regulatory compliance experience    64%
Industry expertise                  55%
Business operations background      55%
Finance background                  43%
HR background                       28%
Data analysis experience            33%
Technology acumen                   33%

Top three:

1. Compliance or Ethics Background

2. Legal Background

3. Audit Background

Source: PwC’s 2015 State of Compliance Survey


Theme 5: Compliance officers should explore ways to increase operational efficiency and effectiveness.

Does your Chief Compliance Officer/Corporate Compliance function actively measure compliance cost to your organization?

Yes 41%   No 35%   Don't know 24%

What elements does your Corporate Compliance function consider to help define aggregate compliance cost when determining budgets or articulating program value?

Direct operating costs                                                   74%
Compliance-related initiatives                                           69%
Systems and tools                                                        57%
Third party (e.g., contingent workers, contractors, consulting fees)     55%
Indirect operating costs                                                 51%
Direct cost of non-compliance                                            36%
Other                                                                     2%
Don't know                                                               12%


Source: PwC’s 2015 State of Compliance Survey


Technology has the potential to add significant value to compliance management.

Why doesn't your Corporate Compliance function use a dedicated GRC technology tool?

• GRC tools are too expensive

• We don't have the technical expertise to effectively use GRC technology tools

• We don't have budget for GRC technology

• None of the GRC technology tools we have seen meet our needs

• We don't have time to analyse and select a GRC technology vendor

• We make do with other in-house tools

• GRC technology is not a priority for us


Source: PwC’s 2015 State of Compliance Survey


Compliance teams need data that measures how well the business manages compliance risk.

How, if at all, does your organization use data analytics in its corporate compliance and ethics program?

For internal reporting                                                          53%
For trending and comparisons                                                    39%
To monitor for inappropriate or suspicious activity                             37%
To track regulatory compliance (e.g. meeting compliance deadlines)              35%
For visualization and dashboarding                                              28%
For transaction monitoring                                                      28%
For external reporting                                                          20%
We receive automated data outputs                                               20%
We do not use data analytics in our corporate compliance and ethics program     17%
We access data from portable devices (e.g. smartphone, tablet)                   8%
Don't know                                                                      14%

Source: PwC’s 2015 State of Compliance Survey


Top 5 ways that compliance professionals can become C-suite stars . . .

1. Actively express an interest in participating in strategy decisions, and proactively articulate to the CEO the strategic value that compliance can deliver.

2. Review the strategic plan and develop ideas for addressing new or unusual compliance risks, or leveraging them to gain competitive advantage.

3. Forge close relationships with key business leaders throughout the company and offer insights to help the business identify and mitigate risks related to compliance issues.

4. Define (or redefine) the scope of compliance across the organization and build partnerships with compliance owners within the business to ensure that all issues are being managed effectively.

5. Implement efficiency initiatives to improve the effectiveness of the compliance function and reduce compliance-related costs.


Temporary stay on disclosing conflict status

• Included in the SEC's communication that suspended the conflict status labelling requirement

• Has caused some confusion over whether this guidance overrides the Rule's requirement for the audit in CY2015

• On August 18th, the U.S. Court of Appeals for the D.C. Circuit upheld their original decision that the labelling requirement is unconstitutional.

• On October 2, 2015, SEC and Amnesty International filed petitions requesting an en banc rehearing of the April 2014 and the August 2015 D.C. Court of Appeals panel decisions, in an effort to reverse the ruling that struck down portions of the conflict minerals rule as unconstitutional.

"Pending further action, an IPSA will not be required unless a company voluntarily elects to describe a product as "DRC conflict free" in its Conflict Minerals Report."

--SEC statement, April 29, 2014


SEC High Level Requirements

S1502 essentially requires a new level of transparency and risk management across company supply chains.

What are conflict minerals?

Conflict minerals, per S1502, are tantalum, tin, tungsten and gold ("3TG") that may be necessary to the production or functionality of a company's products.

What is the goal of S1502?

S1502 seeks to reduce funding for armed groups in the DRC and surrounding countries. Companies are required to perform due diligence and report on whether the 3TG in their products may have been sourced from the DRC region, and if so, whether they are conflict free. Note that the regulation does not restrict sourcing from the region. This is a transparency requirement only.

When is the reporting due?

The Form SD (and, if applicable, CMR) are due May 31st for the prior calendar year.

SEC Requirements

1. Determine at a product level how S1502 applies

2–3. Develop and conduct reasonable country of origin inquiry (RCOI) and due diligence (DD)

4a. Obtain independent audit, if needed

4b. Comply with disclosure requirements

~1,265 issuers filed a Form SD

~1,000 issuers included a Conflict Minerals Report (over 75%)

6 issuers obtained an audit of their Conflict Minerals Report

Figures are based on CMRs filed as of 7/15/2015


Summary of SEC Rule – Audit Requirement

• The Conflict Minerals Report, when required, must include an independent audit report to express an opinion or conclusion covering:

  - Whether the design of the due diligence framework conforms, in all material respects, with a nationally or internationally recognized framework (e.g., OECD), and

  - The accuracy of the description in the CMR of the DD measures undertaken

• Generally Accepted Government Auditing Standards (Yellow Book) established by GAO apply. Audit could be either:

  - Attestation Engagement (must be performed by CPA), or

  - Performance audit (not required to be conducted by CPA)

• For companies using their financial statement auditor, the IPSA is considered a non-audit service subject to pre-approval by the Audit Committee

• Some level of independence is required to be the IPSA auditor


Program Assessment or Mock Audit

Program Assessment

• Assessment of the company’s Conflict Mineral compliance program and activities, broadly

• Covers both areas of compliance as well as areas in scope of the audit

• Can include program design and/or execution (minimally a sample of 1)

Mock Audit

• Focuses on preparedness of the company to meet the 2 objectives in scope of the future IPSA

• Execute the audit methodology:

  - Assess whether the Company's due diligence framework is designed in conformity, in all material respects, with the criteria set forth in the OECD framework

  - Assess whether the Company's description of the due diligence measures is consistent, in all material respects, with the due diligence process the Company undertook


Third Party Risk

Increased reliance on Third Parties represents a unique compliance challenge.


Third Party Risk Management Framework

Third party risk management is focused on understanding and managing risks associated with third parties with which the company does business and/or shares data.

Third Parties:

• Vendors

• Suppliers

• Joint Ventures

• Business Channels

• Marketing Partners

• Affiliates

• Broker Dealers

• Regulated Entities

Risk Considerations (The PwC TPSRM Framework):

• Reputational

• Operational

• Financial

• Business Continuity

• Country

• Information Security

• Privacy

• Regulatory / Compliance

• Termination

• Subcontractor

• Technology

• Concentration


Managing Risk Associated with Third Parties

The following are examples of Third Party due diligence assessments performed on potential and existing third parties to understand the existing control environment and capabilities.

Technology
• Technology Architecture
• Assets utilized
• Technology Roadmap
• Technological capabilities
• System Development Lifecycle (SDLC)
• Audit trail
• Application management
• Incident management
• Monitoring, communication and connectivity

Subcontractor
• Third Party Relationship Management
• Sub-Service Third Party Relationships
• Logical access Control
• Monitoring, communication and connectivity

Physical Security
• Fire Suppression
• Server Security & Conditions
• Data Centers
• Backup Power Sources
• Asset management
• Key Card & Facility Access

Information Security & Privacy
• Security policies
• Encryption
• Logical access Control
• Customer contact

Country
• Political
• Geographic
• Regulatory
• Legal
• Economic
• Travel Safety

Business Continuity & Resiliency*
• Recovery
• Data Backup Management
• Offsite storage
• Media and vital records
• Data integrity

Financial
• Going concern
• Liquidity
• Leverage
• Profitability
• Transaction Processing

Reputational
• Litigation or ethical flags
• Media coverage
• OFAC or other factors
• Criminal and/or civil complaints

Operational
• People
• Process
• Financial Reporting
• Subcontractors
• Concentration

Compliance
• Anti-Bribery
• Anti-Money Laundering
• Sales & Marketing Activities
• Transparency Reporting
• Anti-corruption
• PCI

*Business Continuity Management includes Business Contingency ("BC") planning and Disaster Recovery ("DR")


Third party inventory, stratification and on-going assessment model

[Diagram: process flow. Inputs: Existing Third Party Inventory and New Third Parties (On-board / Establish). Steps: Inherent risk assessment (Inherent risk rating) → Pre-contract due diligence & residual risk (Residual risk rating) → Nature, timing and extent & On-going due diligence → Refresh & Re-rank (Refine). Overlay: Govern / Oversee; Metrics & Reporting: Third Party Scorecards, Program Dashboards.]

Standard risk definition (residual risk maturity ranking):

1 Controls do not exist/are not in place

2 Controls are in place but are not documented appropriately or currently are not reviewed/tested; controls are not consistently followed

3 Controls are in place and are documented and reviewed; manual or partial automation

4 Controls are in place, are documented appropriately, are reviewed on a periodic basis, have continuous control monitoring and fully automated if available

Nature, timing and extent of on-going due diligence, by segment and residual risk maturity ranking (Nature / Timing / Extent):

Ranking 1
• Segment 1 – "Critical": Onsite / Annual / Scoped Testing
• Segment 2 – "High Risk": Onsite / Annual / Scoped Testing
• Segment 3 – "Moderate Risk": Onsite / 18 Months / Scoped Testing
• Segment 4 – "Low Risk": Remote / 24 Months / Scoped Inquiry

Ranking 2
• Segment 1 – "Critical": Onsite / Annual / Scoped Testing
• Segment 2 – "High Risk": Onsite / 12-16 Months / Scoped Testing
• Segment 3 – "Moderate Risk": Remote / Annual / Scoped Inquiry
• Segment 4 – "Low Risk": Remote / 36 Months / Scoped Inquiry

Ranking 3
• Segment 1 – "Critical": Onsite / 12-16 Months / Scoped Testing
• Segment 2 – "High Risk": Onsite / 18 Months / Scoped Testing
• Segment 3 – "Moderate Risk": Remote / 18 Months / Scoped Inquiry
• Segment 4 – "Low Risk": Self-Assess / 36 Months / Scoped Inquiry

Ranking 4
• Segment 1 – "Critical": Onsite / 18 Months / Scoped Testing
• Segment 2 – "High Risk": Onsite / 24 Months / Scoped Testing
• Segment 3 – "Moderate Risk": Remote / 24 Months / Scoped Inquiry
• Segment 4 – "Low Risk": Self-Assess / 48 Months / Scoped Inquiry

The inventory, risk rating and on-going testing model enables efforts to be focused on establishing the third party inventory and on overseeing services with higher levels of inherent risk. The model relies on the existing third party inventory and new third parties as inputs, and includes a refresh step to ensure the third party inventory is kept complete and accurate on an on-going basis. The model also drives the on-going due diligence process based on the inherent risk and the business facts of the services provided.


Third Party Risk Management – Program governance structure

A TPRM strategy is supported by three lines of defense – the first line lies within each individual Line of Business and is empowered by the second line, which owns the provision of ongoing guidance, tool support, and facilitation of cross-business collaboration. The third line is responsible for evaluating the design and operating effectiveness of the Program.

[Org chart: Governance – Board of Directors, Enterprise Risk Committee, Enterprise Management. Management & Oversight – Third Party Management Office, Operational Risk Oversight, Third Party Risk Manager, Subject Matter Specialists (Legal & Compliance, Sourcing, Contracts Management, Procurement, InfoSec, Privacy, BCM, PhySec, TP Compliance, TPRM, Reputational Risk, Credit/Finance, Technology, Operational Risk, HR, Sourcing, Contracts). Business Unit – Business Unit Sponsor. Third Parties and Subcontractors. Internal Audit.]

First Line of Defense

• Primary responsibility for compliance and owner of risk

• BU managers and third party relationship owners are responsible for identifying, assessing and mitigating risk associated with their business

• Implement internal controls and practices that are consistent with company-wide policies & procedures

• Promote a strong risk culture and sustainable risk-return decision making

Second Line of Defense

• Independent compliance framework, policy & oversight

• Business partners work with the BU's to identify, assess and mitigate all risks

• Design and assist in implementing company-wide risk framework and oversee enterprise risks

• Provide independent risk oversight across all risk types, business units and locations

• Perform quality assurance reviews and other targeted oversight practices to ensure that the line of business is compliant with internal policies/external regulations

Third Line of Defense (Internal Audit)

• Independent assurance

• Independently test, verify and evaluate risk management controls against internal policies

• Report upon effectiveness of the program


Bios

Thack Skidmore

Director, Performance Governance

Risk and Compliance

PwC LLP

Irvine, California

[email protected]

+1 949.437.5607

Cynthia Keith

Manager, Risk Assurance

PwC LLP

San Diego, California

[email protected]

+1 858.677.2675

Thank you

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2015 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
