Ask Ed Bell about energy trading and risk management (ETRM) technology and he’ll likely bring up his days with Enron back in the early 1990s. Bell—now a principal at Houston-based technology...
Waking Up To Compliance Risk
Do you know what your legal exposure is?
the penalties for criminal violations of energy laws. Further, FERC’s new market manipulation rule provides it with expansive enforcement authority to pursue “any entity” for fraudulent conduct in connection with jurisdictional transactions.
FERC’s recent Policy Statement on Enforcement encourages energy companies to implement comprehensive compliance programs, self-report violations, and cooperate with FERC in investigating violations. FERC has committed to give mitigation credit for formal compliance programs fully supported by senior management with the capability to prevent, detect, and address violations of law and regulation.
In listing the steps of an effective compliance approach, the commission drew heavily upon the compliance and ethics program standards delineated in the federal sentencing guidelines. Those guidelines entitle an organization to seek mitigation of punishment for a federal criminal offense if the enterprise has implemented an effective compliance program. The guidelines contain program standards that have become “best practices” for compliance programs in corporate America.
Self-reporting also is an important element of an effective compliance program entitling a company to mitigation. The FERC enforcement policy delineates the circumstances under which self-reporting warrants mitigation credit. In short, prompt and full self-reporting of violations, coupled with steps to correct the adverse impact on customers or third parties from the misconduct, may result in significant reductions in the amount of civil penalty or even no civil penalty being assessed. Finally, FERC will reward exemplary cooperation that quickly ends wrongful conduct, determines the facts, and corrects a problem.
Compliance Risk Management
The key premise underpinning the sentencing guidelines is that effective compliance and ethics programs are grounded in an organization’s periodic assessment of compliance risks. Unless an organization is aware of its major compliance risks, it cannot possibly design and implement a program to ameliorate those risks. Knowing the key compliance threats enables an organization to tailor policies and procedures, training, and audits to address those threats.
Energy companies should consider compliance risk management (CRM) as a tool for evaluating and improving the effectiveness of compliance controls. CRM is a cutting-edge approach to managing major compliance threats in a way that avoids surprises through a methodical process of: (1) identifying compliance risks; (2) assessing and prioritizing those risks; (3) putting in place compliance controls to manage those risks; and (4) auditing and monitoring the effectiveness of those controls on an ongoing basis.
To ensure that risk assessment findings are accorded credibility and deference within an organization, the process of identifying, assessing and prioritizing compliance risks should be managed by an independent department within the organization. The most defensible approach is for the risk assessment to be conducted by the chief compliance officer with the assistance of independent outside legal counsel or by independent counsel alone. Independent counsel would be free of actual or apparent conflicts of interest and, as such, the risk assessment is more likely to produce findings that are unbiased and therefore less likely to be impeached if challenged. Risk assessment reports that delineate the compliance threats to an organization are just as critical to the health of an enterprise as independent auditor reports and should have the same