ERM Definition and Conceptual Framework

The Final Frontier

Enterprise Risk Management is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders.
Conceptual Framework

ERM Framework (diagram)

Types of Risk: Hazard, Financial, Operational, Strategic.

Process Steps: Establish Context; Identify Risks; Analyze/Quantify Risks; Assess/Prioritize Risks; Treat/Exploit Risks; Monitor & Review.
Typical Risk Matrix: Risk Model Maturity Spectrum

(Diagram: the spectrum runs from "Earth" to the "Final Frontier", with shareholder value increasing from the Basic to the Advanced profile.)

Basic
Profile: Comply with regulatory obligations
Characteristics:
• Manages risk of infractions
• Provides limited protection

Moderate
Profile: Protect shareholder value
Characteristics:
• Uses risk management tools
• Protects assets and shareholder value

Advanced
Profile: Enhance shareholder value
Characteristics:
• Integrates risk measures across the enterprise
• Enhances shareholder value
Overview of Enterprise Risks

Hazard Risks include risks from:
• Fire and other property damage;
• Windstorm and other natural perils;
• Theft and other crime, personal injury;
• Business interruption;
• Disease and disability (including work-related injuries and diseases);
• Liability claims;
• War; and
• Terrorism.
Overview of Enterprise Risks

Financial Risks include risks from:
• Price (e.g. asset value, interest rate, commodity);
• Liquidity (e.g. cash flow, call risk, opportunity cost);
• Credit (e.g. default, downgrade);
• Inflation/purchasing power;
• Hedging/basis risk;
• Taxes; and
• Currency fluctuations.
Overview of Enterprise Risks

Operational Risks include risks from:
• Business operations (e.g., human resources, product development, capacity, efficiency, product/service failure, channel management, supply chain management, business cyclicality, demand for services);
• Empowerment (e.g., leadership, change readiness);
• Information technology (e.g., relevance, availability);
• Information/business reporting (e.g., budgeting and planning, accounting information, pension fund, investment evaluation, taxation);
• National disaster;
• Failure to identify market trends; and
• Failure to properly document deals and transactions.
Overview of Enterprise Risks

Strategic Risks include risks from:
• Reputational damage (e.g., trademark/brand erosion, fraud, unfavorable publicity);
• Competition;
• Customer wants;
• Demographic and social/cultural trends;
• Technological innovation;
• Capital availability; and
• Regulatory and political trends.
Overview of Enterprise Risk Management

(Process diagram: Establish Context; Identify Risks; Analyze/Quantify Risks; Assess/Prioritize Risks; Treat/Exploit Risks (Mitigate); with Monitor & Review spanning the whole cycle.)
Practical Considerations in Implementing ERM

• Designating an ERM "Champion"
• Making ERM part of the enterprise culture ("tearing down the silos")
• Determining all possible risks of the organization
• Quantifying operational and strategic risks
• Lack of appropriate risk transfer mechanisms
• Monitoring the process
• Start slowly – build upon successes
Critical Success Factors in Implementing ERM

• Management buy-in
• Leadership
• Follow-up
Opportunity for Legal Officers

• Take a leadership role in risk identification and mitigation
• Move beyond compliance to other risks facing the company and how they may have legal consequences
• Preventive/proactive lawyering
• Consider attorney-client privilege implications
• Springboard for ethics and compliance initiatives
Compliance Program in Context of ERM Universe

(Diagram: the Compliance Program sits inside the broader ERM universe.)
What is a Compliance Program?

A program to ensure that a Company has an ethical/compliant culture, minimizing risk to the Company, its Directors and Officers of criminal/financial liability, while maximizing the credit available under the United States Federal Sentencing Guidelines in the event of a violation of law.
USSG Seven Criteria

1. Written policies and procedures (code of conduct)
2. Specific high-level personnel assigned to oversee the compliance program
3. Communicate standards to all employees/agents; required participation in training; publications explaining the program
4. Auditing and monitoring
5. Method for reporting non-compliance without fear of retaliation (anonymous or confidential reporting)
6. Consistent discipline for non-compliance
7. Reasonable steps to respond and prevent
Why Have a Compliance Program?

Caremark case: Directors must ensure that a company has a system designed to detect, monitor, prevent and report any significant lack of compliance with applicable law.

Holder/Thompson Memos/SEC Position: Decisions whether to prosecute companies involve the questions of 1) whether upper-level management was involved in the misconduct, 2) whether there was an effective compliance program, 3) the company's criminal history, and the industry self-policing/reporting standards.

Federal Sentencing Guidelines: A company may significantly reduce sanctions, fines and penalties if it has an effective program to prevent and detect violations of law, the hallmark of which is due diligence.

A $6M fraud matter will produce a fine of $8.4M to $16.8M for a corporation without a compliance program, which may be reduced to as little as $300K for a corporation with an effective compliance program.
1. Establish standards & procedures reasonably "capable of reducing… prospect for criminal conduct"

• Are the Code of Conduct and other policies simple, internally consistent and easily followed?
• Is there a process for identifying, capturing and addressing material risks?
• Is there a process to identify compliance issues early in the development of new or changing business models and laws?
• Is there a process to update policies and procedures?
• Do they cover all employees and other agents?
2. Assign oversight to specific high-level personnel

• Who serves as Compliance Officer?
• Does the Compliance Officer have all appropriate access and all necessary resources?
• Does the Compliance Officer have the right level of independence?
• Does the Compliance Officer report directly to the CEO/GC/Audit Committee?
• Does the Compliance Officer review exceptions to the Code of Ethics?
• Is there Board oversight?
  • Audit Committee or not
  • Employee certifications
  • Conflicts of interest
2. Assign oversight to specific high-level personnel [continued]

• Corporate commitment
  • Is there strong executive leadership commitment as demonstrated by communications, actions, budget (especially during tough economic times)?
  • Do regular business reports include compliance matters?
  • Are senior executives involved in the development of company policies?
3. Use due care to avoid individuals with bad propensities

• Are there employee screening/background checks?
• Do performance reviews include ethics/compliance?
4. Effectively communicate standards to employees

• Is there a vigorous process for the development and implementation of compliance training?
• Is there a comprehensive communication plan addressing:
  • turnover
  • language barriers
  • level of communication (6th grade v. college)
  • channels of communication
  • timing for each type of communication (new policy, reminder, change in business or business practice, training, etc.)
  • brochures, webinars, etc.
Training Issues

• How often is training offered/repeated/updated?
• Who is trained?
• Does everyone receive the same training?
• How is the training accomplished: in person, Web-based?
  • Brochures
• How is the format determined?
• Is appropriate training mandatory?
5. Monitoring, auditing, and using a reporting system (without fear of retribution)

• Is there a vigorous program of internal audits and on-site, in-house or outside legal audits?
• Is there a reporting system that allows anonymous reporting, protecting identities to the extent permitted by law and consistent with the policies of the Company's Code of Conduct?
• Are there incentives for compliance as a job performance element / penalties for failure to perform?
6. Consistent & Appropriate Discipline

• Is there a well-articulated, even-handed, evenly enforced disciplinary policy?
• Does the company dismiss/discipline high-level managers for violations?
• Are there robust mechanisms to discover and take appropriate disciplinary action in response to violations of law and policy?
7. Take "All Reasonable Steps"

• Does the company develop proportional and timely responses to mistakes?
• Is there an honest evaluation on an ongoing basis to anticipate new issues and improve the program?
• ERM is the next step
Compliance Pitfalls

• Boilerplate programs
• Standards without established procedures
• Double standards regarding discipline
• Poor communication
• Lack of enforcement
• Constrained resources
• Disconnect on risk/benefit analysis
"LIVE LONG AND PROSPER" – Mr. Spock

~ Thank You ~
• Mark L. Jones
  Jackson Walker L.L.P., Corporate Partner
  1401 McKinney Street, Houston, TX 77010
  713-752-4224
  mjones@jw.com

• Susan M. Ponce
  Halliburton, Senior V.P. & Chief Ethics and Compliance Officer
  2107 CityWest Blvd., Bldg 4 - 13th Floor, Houston, TX 77042
  713-839-4509
  Susan.Ponce@Halliburton.com